- Linux-stable-mirror - lists.linaro.org

[PATCH 6.1.y] jfs: reject on-disk inodes of an unsupported type

by Aditya Dutt

From: Dmitry Antipov <dmantipov(a)yandex.ru> [ Upstream commit 8c3f9a70d2d4dd6c640afe294b05c6a0a45434d9 ] Syzbot has reported the following BUG: kernel BUG at fs/inode.c:668! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 3 UID: 0 PID: 139 Comm: jfsCommit Not tainted 6.12.0-rc4-syzkaller-00085-g4e46774408d9 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 RIP: 0010:clear_inode+0x168/0x190 Code: 4c 89 f7 e8 ba fe e5 ff e9 61 ff ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 7c c1 4c 89 f7 e8 90 ff e5 ff eb b7 0b e8 01 5d 7f ff 90 0f 0b e8 f9 5c 7f ff 90 0f 0b e8 f1 5c 7f RSP: 0018:ffffc900027dfae8 EFLAGS: 00010093 RAX: ffffffff82157a87 RBX: 0000000000000001 RCX: ffff888104d4b980 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffffc900027dfc90 R08: ffffffff82157977 R09: fffff520004fbf38 R10: dffffc0000000000 R11: fffff520004fbf38 R12: dffffc0000000000 R13: ffff88811315bc00 R14: ffff88811315bda8 R15: ffff88811315bb80 FS: 0000000000000000(0000) GS:ffff888135f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005565222e0578 CR3: 0000000026ef0000 CR4: 00000000000006f0 Call Trace: <TASK> ? __die_body+0x5f/0xb0 ? die+0x9e/0xc0 ? do_trap+0x15a/0x3a0 ? clear_inode+0x168/0x190 ? do_error_trap+0x1dc/0x2c0 ? clear_inode+0x168/0x190 ? __pfx_do_error_trap+0x10/0x10 ? report_bug+0x3cd/0x500 ? handle_invalid_op+0x34/0x40 ? clear_inode+0x168/0x190 ? exc_invalid_op+0x38/0x50 ? asm_exc_invalid_op+0x1a/0x20 ? clear_inode+0x57/0x190 ? clear_inode+0x167/0x190 ? clear_inode+0x168/0x190 ? clear_inode+0x167/0x190 jfs_evict_inode+0xb5/0x440 ? __pfx_jfs_evict_inode+0x10/0x10 evict+0x4ea/0x9b0 ? __pfx_evict+0x10/0x10 ? iput+0x713/0xa50 txUpdateMap+0x931/0xb10 ? __pfx_txUpdateMap+0x10/0x10 jfs_lazycommit+0x49a/0xb80 ? _raw_spin_unlock_irqrestore+0x8f/0x140 ? lockdep_hardirqs_on+0x99/0x150 ? __pfx_jfs_lazycommit+0x10/0x10 ? __pfx_default_wake_function+0x10/0x10 ? __kthread_parkme+0x169/0x1d0 ? __pfx_jfs_lazycommit+0x10/0x10 kthread+0x2f2/0x390 ? __pfx_jfs_lazycommit+0x10/0x10 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x4d/0x80 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> This happens when 'clear_inode()' makes an attempt to finalize an underlying JFS inode of unknown type. According to JFS layout description from https://jfs.sourceforge.net/project/pub/jfslayout.pdf, inode types from 5 to 15 are reserved for future extensions and should not be encountered on a valid filesystem. So add an extra check for valid inode type in 'copy_from_dinode()'. Reported-by: syzbot+ac2116e48989e84a2893(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=ac2116e48989e84a2893 Fixes: 79ac5a46c5c1 ("jfs_lookup(): don't bother with . or ..") Signed-off-by: Dmitry Antipov <dmantipov(a)yandex.ru> Signed-off-by: Dave Kleikamp <dave.kleikamp(a)oracle.com> Signed-off-by: Aditya Dutt <duttaditya18(a)gmail.com> --- As per: https://lore.kernel.org/all/CAODzB9roW_ObEa8K8kowbfQ4bL3w4R78v2b_yBU4BQL4bp… this commit is not backported to any of the stable kernels (other than 6.15.y) I have already sent an email for: 6.12.y: https://lore.kernel.org/stable/20250727095111.527745-1-duttaditya18@gmail.c… 6.6.y: https://lore.kernel.org/stable/20250727095645.530309-1-duttaditya18@gmail.c… I will be sending separate email for 5.15.y fs/jfs/jfs_imap.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c index 9adb29e7862c..1f2e452a7676 100644 --- a/fs/jfs/jfs_imap.c +++ b/fs/jfs/jfs_imap.c @@ -3029,14 +3029,23 @@ static void duplicateIXtree(struct super_block *sb, s64 blkno, * * RETURN VALUES: * 0 - success - * -ENOMEM - insufficient memory + * -EINVAL - unexpected inode type */ static int copy_from_dinode(struct dinode * dip, struct inode *ip) { struct jfs_inode_info *jfs_ip = JFS_IP(ip); struct jfs_sb_info *sbi = JFS_SBI(ip->i_sb); + int fileset = le32_to_cpu(dip->di_fileset); + + switch (fileset) { + case AGGR_RESERVED_I: case AGGREGATE_I: case BMAP_I: + case LOG_I: case BADBLOCK_I: case FILESYSTEM_I: + break; + default: + return -EINVAL; + } - jfs_ip->fileset = le32_to_cpu(dip->di_fileset); + jfs_ip->fileset = fileset; jfs_ip->mode2 = le32_to_cpu(dip->di_mode); jfs_set_inode_flags(ip); -- 2.34.1

1 month, 2 weeks

2
1
0 0

[PATCH 0/5] TSA 5.10 backport

by Borislav Petkov

From: "Borislav Petkov (AMD)" <bp(a)alien8.de> Hi, this is a 5.10 backport of the AMD TSA mitigation. It has been tested with the corresponding *upstream* qemu patches here: https://lore.kernel.org/r/12881b2c03fa351316057ddc5f39c011074b4549.17521767… Thx. Borislav Petkov (AMD) (4): x86/bugs: Rename MDS machinery to something more generic x86/bugs: Add a Transient Scheduler Attacks mitigation KVM: SVM: Advertise TSA CPUID bits to guests x86/process: Move the buffer clearing before MONITOR Paolo Bonzini (1): KVM: x86: add support for CPUID leaf 0x80000021 .../ABI/testing/sysfs-devices-system-cpu | 1 + .../hw-vuln/processor_mmio_stale_data.rst | 4 +- .../admin-guide/kernel-parameters.txt | 13 ++ arch/x86/Kconfig | 9 ++ arch/x86/entry/entry.S | 8 +- arch/x86/include/asm/cpu.h | 13 ++ arch/x86/include/asm/cpufeature.h | 5 +- arch/x86/include/asm/cpufeatures.h | 8 +- arch/x86/include/asm/disabled-features.h | 2 +- arch/x86/include/asm/irqflags.h | 4 +- arch/x86/include/asm/mwait.h | 19 ++- arch/x86/include/asm/nospec-branch.h | 39 ++--- arch/x86/include/asm/required-features.h | 2 +- arch/x86/kernel/cpu/amd.c | 58 ++++++++ arch/x86/kernel/cpu/bugs.c | 133 +++++++++++++++++- arch/x86/kernel/cpu/common.c | 14 +- arch/x86/kernel/process.c | 15 +- arch/x86/kvm/cpuid.c | 31 +++- arch/x86/kvm/cpuid.h | 1 + arch/x86/kvm/svm/vmenter.S | 3 + arch/x86/kvm/vmx/vmx.c | 2 +- drivers/base/cpu.c | 2 + include/linux/cpu.h | 1 + 23 files changed, 339 insertions(+), 48 deletions(-) -- 2.43.0

1 month, 2 weeks

4
10
0 0

[PATCH v2 1/1] Mark xe driver as BROKEN if kernel page size is not 4kB

by Simon Richter

This driver, for the time being, assumes that the kernel page size is 4kB, so it fails on loong64 and aarch64 with 16kB pages, and ppc64el with 64kB pages. Signed-off-by: Simon Richter <Simon.Richter(a)hogyros.de> Cc: stable(a)vger.kernel.org --- drivers/gpu/drm/xe/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/xe/Kconfig b/drivers/gpu/drm/xe/Kconfig index 2bb2bc052120..7c9f1de7b35f 100644 --- a/drivers/gpu/drm/xe/Kconfig +++ b/drivers/gpu/drm/xe/Kconfig @@ -1,7 +1,7 @@ # SPDX-License-Identifier: GPL-2.0-only config DRM_XE tristate "Intel Xe2 Graphics" - depends on DRM && PCI + depends on DRM && PCI && (PAGE_SIZE_4KB || BROKEN) depends on KUNIT || !KUNIT depends on INTEL_VSEC || !INTEL_VSEC depends on X86_PLATFORM_DEVICES || !(X86 && ACPI) -- 2.47.2

1 month, 2 weeks

1
0
0 0

[PATCH 0/1] Mark xe driver as BROKEN until fixed

by Simon Richter

Hi, until either of - https://patchwork.freedesktop.org/series/150230/ or the (same but rebased) - https://patchwork.freedesktop.org/series/151983/ goes in, the xe module will Oops on insmod when kernel page size is not 4kB. This disables the module for the time being, and should be reverted for fixed versions. This should probably also be added to the stable kernel series which will likely not receive the fix. Simon Richter (1): Mark xe driver as BROKEN if kernel page size is not 4kB drivers/gpu/drm/xe/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.47.2

1 month, 2 weeks

2
2
0 0

[PATCH 5/5] net: ti: icss-iep: fix device and OF node leaks at probe

by Johan Hovold

Make sure to drop the references to the IEP OF node and device taken by of_parse_phandle() and of_find_device_by_node() when looking up IEP devices during probe. Drop the bogus additional reference taken on successful lookup so that the device is released correctly by icss_iep_put(). Fixes: c1e0230eeaab ("net: ti: icss-iep: Add IEP driver") Cc: stable(a)vger.kernel.org # 6.6 Cc: Roger Quadros <rogerq(a)kernel.org> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/net/ethernet/ti/icssg/icss_iep.c | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/drivers/net/ethernet/ti/icssg/icss_iep.c b/drivers/net/ethernet/ti/icssg/icss_iep.c index 2a1c43316f46..50bfbc2779e4 100644 --- a/drivers/net/ethernet/ti/icssg/icss_iep.c +++ b/drivers/net/ethernet/ti/icssg/icss_iep.c @@ -685,11 +685,17 @@ struct icss_iep *icss_iep_get_idx(struct device_node *np, int idx) struct platform_device *pdev; struct device_node *iep_np; struct icss_iep *iep; + int ret; iep_np = of_parse_phandle(np, "ti,iep", idx); - if (!iep_np || !of_device_is_available(iep_np)) + if (!iep_np) return ERR_PTR(-ENODEV); + if (!of_device_is_available(iep_np)) { + of_node_put(iep_np); + return ERR_PTR(-ENODEV); + } + pdev = of_find_device_by_node(iep_np); of_node_put(iep_np); @@ -698,21 +704,28 @@ struct icss_iep *icss_iep_get_idx(struct device_node *np, int idx) return ERR_PTR(-EPROBE_DEFER); iep = platform_get_drvdata(pdev); - if (!iep) - return ERR_PTR(-EPROBE_DEFER); + if (!iep) { + ret = -EPROBE_DEFER; + goto err_put_pdev; + } device_lock(iep->dev); if (iep->client_np) { device_unlock(iep->dev); dev_err(iep->dev, "IEP is already acquired by %s", iep->client_np->name); - return ERR_PTR(-EBUSY); + ret = -EBUSY; + goto err_put_pdev; } iep->client_np = np; device_unlock(iep->dev); - get_device(iep->dev); return iep; + +err_put_pdev: + put_device(&pdev->dev); + + return ERR_PTR(ret); } EXPORT_SYMBOL_GPL(icss_iep_get_idx); -- 2.49.1

1 month, 2 weeks

2
1
0 0

[PATCH 4/5] net: mtk_eth_soc: fix device leak at probe

by Johan Hovold

The reference count to the WED devices has already been incremented when looking them up using of_find_device_by_node() so drop the bogus additional reference taken during probe. Fixes: 804775dfc288 ("net: ethernet: mtk_eth_soc: add support for Wireless Ethernet Dispatch (WED)") Cc: stable(a)vger.kernel.org # 5.19 Cc: Felix Fietkau <nbd(a)nbd.name> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/net/ethernet/mediatek/mtk_wed.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/net/ethernet/mediatek/mtk_wed.c b/drivers/net/ethernet/mediatek/mtk_wed.c index 351dd152f4f3..4f3014fc389b 100644 --- a/drivers/net/ethernet/mediatek/mtk_wed.c +++ b/drivers/net/ethernet/mediatek/mtk_wed.c @@ -2794,7 +2794,6 @@ void mtk_wed_add_hw(struct device_node *np, struct mtk_eth *eth, if (!pdev) goto err_of_node_put; - get_device(&pdev->dev); irq = platform_get_irq(pdev, 0); if (irq < 0) goto err_put_device; -- 2.49.1

1 month, 2 weeks

2
1
0 0

[PATCH 3/5] net: gianfar: fix device leak when querying time stamp info

by Johan Hovold

Make sure to drop the reference to the ptp device taken by of_find_device_by_node() when querying the time stamping capabilities. Note that holding a reference to the ptp device does not prevent its driver data from going away. Fixes: 7349a74ea75c ("net: ethernet: gianfar_ethtool: get phc index through drvdata") Cc: stable(a)vger.kernel.org # 4.18 Cc: Yangbo Lu <yangbo.lu(a)nxp.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/net/ethernet/freescale/gianfar_ethtool.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/freescale/gianfar_ethtool.c b/drivers/net/ethernet/freescale/gianfar_ethtool.c index 781d92e703cb..c9992ed4e301 100644 --- a/drivers/net/ethernet/freescale/gianfar_ethtool.c +++ b/drivers/net/ethernet/freescale/gianfar_ethtool.c @@ -1466,8 +1466,10 @@ static int gfar_get_ts_info(struct net_device *dev, if (ptp_node) { ptp_dev = of_find_device_by_node(ptp_node); of_node_put(ptp_node); - if (ptp_dev) + if (ptp_dev) { ptp = platform_get_drvdata(ptp_dev); + put_device(&ptp_dev->dev); + } } if (ptp) -- 2.49.1

1 month, 2 weeks

2
1
0 0

[PATCH 2/5] net: enetc: fix device and OF node leak at probe

by Johan Hovold

Make sure to drop the references to the IERB OF node and platform device taken by of_parse_phandle() and of_find_device_by_node() during probe. Fixes: e7d48e5fbf30 ("net: enetc: add a mini driver for the Integrated Endpoint Register Block") Cc: stable(a)vger.kernel.org # 5.13 Cc: Vladimir Oltean <vladimir.oltean(a)nxp.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/net/ethernet/freescale/enetc/enetc_pf.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/freescale/enetc/enetc_pf.c b/drivers/net/ethernet/freescale/enetc/enetc_pf.c index f63a29e2e031..de0fb272c847 100644 --- a/drivers/net/ethernet/freescale/enetc/enetc_pf.c +++ b/drivers/net/ethernet/freescale/enetc/enetc_pf.c @@ -829,19 +829,29 @@ static int enetc_pf_register_with_ierb(struct pci_dev *pdev) { struct platform_device *ierb_pdev; struct device_node *ierb_node; + int ret; ierb_node = of_find_compatible_node(NULL, NULL, "fsl,ls1028a-enetc-ierb"); - if (!ierb_node || !of_device_is_available(ierb_node)) + if (!ierb_node) return -ENODEV; + if (!of_device_is_available(ierb_node)) { + of_node_put(ierb_node); + return -ENODEV; + } + ierb_pdev = of_find_device_by_node(ierb_node); of_node_put(ierb_node); if (!ierb_pdev) return -EPROBE_DEFER; - return enetc_ierb_register_pf(ierb_pdev, pdev); + ret = enetc_ierb_register_pf(ierb_pdev, pdev); + + put_device(&ierb_pdev->dev); + + return ret; } static const struct enetc_si_ops enetc_psi_ops = { -- 2.49.1

1 month, 2 weeks

2
1
0 0

[PATCH 1/5] net: dpaa: fix device leak when querying time stamp info

by Johan Hovold

Make sure to drop the reference to the ptp device taken by of_find_device_by_node() when querying the time stamping capabilities. Note that holding a reference to the ptp device does not prevent its driver data from going away. Fixes: 17ae0b0ee9db ("dpaa_eth: add the get_ts_info interface for ethtool") Cc: stable(a)vger.kernel.org # 4.19 Cc: Yangbo Lu <yangbo.lu(a)nxp.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c b/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c index 9986f6e1f587..7fc01baef280 100644 --- a/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c +++ b/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c @@ -401,8 +401,10 @@ static int dpaa_get_ts_info(struct net_device *net_dev, of_node_put(ptp_node); } - if (ptp_dev) + if (ptp_dev) { ptp = platform_get_drvdata(ptp_dev); + put_device(&ptp_dev->dev); + } if (ptp) info->phc_index = ptp->phc_index; -- 2.49.1

1 month, 2 weeks

2
1
0 0

[PATCH net] phy: dp83869: fix interrupts issue when using with an optical fiber sfp. to correctly clear the interrupts both status registers must be read.

by chalianis1＠gmail.com

From: Anis Chali <chalianis1(a)gmail.com> from datasheet of dp83869hm 7.3.6 Interrupt The DP83869HM can be configured to generate an interrupt when changes of internal status occur. The interrupt allows a MAC to act upon the status in the PHY without polling the PHY registers. The interrupt source can be selected through the interrupt registers, MICR (12h) and FIBER_INT_EN (C18h). The interrupt status can be read from ISR (13h) and FIBER_INT_STTS (C19h) registers. Some interrupts are enabled by default and can be disabled through register access. Both the interrupt status registers must be read in order to clear pending interrupts. Until the pending interrupts are cleared, new interrupts may not be routed to the interrupt pin. Fixes: 01db923e8377 ("net: phy: dp83869: Add TI dp83869 phy") Cc: stable(a)vger.kernel.org Signed-off-by: Anis Chali <chalianis1(a)gmail.com> --- drivers/net/phy/dp83869.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/net/phy/dp83869.c b/drivers/net/phy/dp83869.c index a62cd838a9ea..1e8c20f387b8 100644 --- a/drivers/net/phy/dp83869.c +++ b/drivers/net/phy/dp83869.c @@ -41,6 +41,7 @@ #define DP83869_IO_MUX_CFG 0x0170 #define DP83869_OP_MODE 0x01df #define DP83869_FX_CTRL 0x0c00 +#define DP83869_FX_INT_STS 0x0c19 #define DP83869_SW_RESET BIT(15) #define DP83869_SW_RESTART BIT(14) @@ -195,6 +196,12 @@ static int dp83869_ack_interrupt(struct phy_device *phydev) if (err < 0) return err; + if (linkmode_test_bit(ETHTOOL_LINK_MODE_FIBRE_BIT, phydev->supported)) { + err = phy_read_mmd(phydev, DP83869_DEVADDR, DP83869_FX_INT_STS); + if (err < 0) + return err; + } + return 0; } -- 2.49.0

1 month, 2 weeks

4
3
0 0

[PATCH 6.15 000/187] 6.15.8-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.15.8 release. There are 187 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 24 Jul 2025 13:43:10 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.15.8-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.15.8-rc1 Stefan Metzmacher <metze(a)samba.org> smb: client: let smbd_post_send_iter() respect the peers max_send_size and transmit all data Matthew Brost <matthew.brost(a)intel.com> drm/xe: Move page fault init after topology init Balasubramani Vivekanandan <balasubramani.vivekanandan(a)intel.com> drm/xe/mocs: Initialize MOCS index early Breno Leitao <leitao(a)debian.org> sched/ext: Prevent update_locked_rq() calls with NULL rq Chen Ridong <chenridong(a)huawei.com> sched,freezer: Remove unnecessary warning in __thaw_task David Howells <dhowells(a)redhat.com> cifs: Fix reading into an ITER_FOLIOQ from the smbdirect code David Howells <dhowells(a)redhat.com> cifs: Fix the smbd_response slab to allow usercopy Stefan Metzmacher <metze(a)samba.org> smb: client: make use of common smbdirect_socket_parameters Stefan Metzmacher <metze(a)samba.org> smb: smbdirect: introduce smbdirect_socket_parameters Stefan Metzmacher <metze(a)samba.org> smb: client: make use of common smbdirect_socket Stefan Metzmacher <metze(a)samba.org> smb: smbdirect: add smbdirect_socket.h Stefan Metzmacher <metze(a)samba.org> smb: smbdirect: add smbdirect.h with public structures Stefan Metzmacher <metze(a)samba.org> smb: client: make use of common smbdirect_pdu.h Stefan Metzmacher <metze(a)samba.org> smb: smbdirect: add smbdirect_pdu.h with protocol definitions Miguel Ojeda <ojeda(a)kernel.org> rust: use `#[used(compiler)]` to fix build and `modpost` with Rust >= 1.89.0 Jiawen Wu <jiawenwu(a)trustnetic.com> net: libwx: fix multicast packets received count Krishna Kurapati <krishna.kurapati(a)oss.qualcomm.com> usb: dwc3: qcom: Don't leave BCR asserted Mathias Nyman <mathias.nyman(a)linux.intel.com> usb: hub: Don't try to recover devices lost during warm reset. Mathias Nyman <mathias.nyman(a)linux.intel.com> usb: hub: Fix flushing of delayed work used for post resume purposes Mathias Nyman <mathias.nyman(a)linux.intel.com> usb: hub: Fix flushing and scheduling of delayed work that tunes runtime pm Mathias Nyman <mathias.nyman(a)linux.intel.com> usb: hub: fix detection of high tier USB3 devices behind suspended hubs Aruna Ramakrishna <aruna.ramakrishna(a)oracle.com> sched: Change nr_uninterruptible type to unsigned long Breno Leitao <leitao(a)debian.org> efivarfs: Fix memory leak of efivarfs_fs_info in fs_context error paths Andrii Nakryiko <andrii(a)kernel.org> libbpf: Fix handling of BPF arena relocations Icenowy Zheng <uwu(a)icenowy.me> drm/mediatek: only announce AFBC if really supported Jason-JH Lin <jason-jh.lin(a)mediatek.com> drm/mediatek: Add wait_event_timeout when disabling plane Chen Ridong <chenridong(a)huawei.com> Revert "cgroup_freezer: cgroup_freezing: Check if not frozen" David Howells <dhowells(a)redhat.com> rxrpc: Fix to use conn aborts for conn-wide failures David Howells <dhowells(a)redhat.com> rxrpc: Fix transmission of an abort in response to an abort David Howells <dhowells(a)redhat.com> rxrpc: Fix notification vs call-release vs recvmsg David Howells <dhowells(a)redhat.com> rxrpc: Fix recv-recv race of completed call David Howells <dhowells(a)redhat.com> rxrpc: Fix irq-disabled in local_bh_enable() William Liu <will(a)willsroot.io> net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree Joseph Huang <Joseph.Huang(a)garmin.com> net: bridge: Do not offload IGMP/MLD messages Dong Chenchen <dongchenchen2(a)huawei.com> net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime Jakub Kicinski <kuba(a)kernel.org> tls: always refresh the queue when reading sock Zigit Zo <zuozhijie(a)bytedance.com> virtio-net: fix recursived rtnl_lock() during probe() Li Tian <litian(a)redhat.com> hv_netvsc: Set VF priv_flags to IFF_NO_ADDRCONF before open to prevent IPv6 addrconf Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/pf: Resend PF provisioning after GT reset Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/pf: Prepare to stop SR-IOV support prior GT reset Tejas Upadhyay <tejas.upadhyay(a)intel.com> drm/xe: Dont skip TLB invalidations on VF Florian Westphal <fw(a)strlen.de> netfilter: nf_conntrack: fix crash due to removal of uninitialised entry Felix Fietkau <nbd(a)nbd.name> net: fix segmentation after TCP/UDP fraglist GRO Yue Haibing <yuehaibing(a)huawei.com> ipv6: mcast: Delay put pmc->idev in mld_del_delrec() Alok Tiwari <alok.a.tiwari(a)oracle.com> net: airoha: fix potential use-after-free in airoha_npu_get() Christoph Paasch <cpaasch(a)openai.com> net/mlx5: Correctly set gso_size when LRO is used Zijun Hu <zijun.hu(a)oss.qualcomm.com> Bluetooth: btusb: QCA: Fix downloading wrong NVM for WCN6855 GF variant without board ID Christian Eggers <ceggers(a)arri.de> Bluetooth: hci_dev: replace 'quirks' integer by 'quirk_flags' bitmap Christian Eggers <ceggers(a)arri.de> Bluetooth: hci_core: add missing braces when using macro parameters Christian Eggers <ceggers(a)arri.de> Bluetooth: hci_core: fix typos in macros Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: SMP: If an unallowed command is received consider it a failure Alessandro Gasbarroni <alex.gasbarroni(a)gmail.com> Bluetooth: hci_sync: fix connectable extended advertising when using static random address Kuniyuki Iwashima <kuniyu(a)google.com> Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() Andreas Schwab <schwab(a)suse.de> riscv: traps_misaligned: properly sign extend value in misaligned load handler Nam Cao <namcao(a)linutronix.de> riscv: Enable interrupt during exception handling Ming Lei <ming.lei(a)redhat.com> loop: use kiocb helpers to fix lockdep warning Oliver Neukum <oneukum(a)suse.com> usb: net: sierra: check for no status endpoint Michal Swiatkowski <michal.swiatkowski(a)linux.intel.com> ice: check correct pointer in fwlog debugfs Dave Ertman <david.m.ertman(a)intel.com> ice: add NULL check in eswitch lag check Marius Zachmann <mail(a)mariuszachmann.de> hwmon: (corsair-cpro) Validate the size of the received input buffer Paolo Abeni <pabeni(a)redhat.com> selftests: net: increase inter-packet timeout in udpgro.sh Brett Werling <brett.werling(a)garmin.com> can: tcan4x5x: fix reset gpio usage during probe Johannes Berg <johannes.berg(a)intel.com> wifi: cfg80211: remove scan request n_channels counted_by Maurizio Lombardi <mlombard(a)redhat.com> nvmet-tcp: fix callback lock for TLS handshake Yu Kuai <yukuai3(a)huawei.com> nvme: fix misaccounting of nvme-mpath inflight I/O Christoph Hellwig <hch(a)lst.de> nvme: revert the cross-controller atomic write size validation Sean Anderson <sean.anderson(a)linux.dev> net: phy: Don't register LEDs for genphy Kuniyuki Iwashima <kuniyu(a)google.com> smc: Fix various oops due to inet_sock type confusion. John Garry <john.g.garry(a)oracle.com> nvme: fix endianness of command word prints in nvme_log_err_passthru() Zheng Qixing <zhengqixing(a)huawei.com> nvme: fix inconsistent RCU list manipulation in nvme_ns_add_to_ctrl_list() Al Viro <viro(a)zeniv.linux.org.uk> fix a leak in fcntl_dirnotify() Wang Zhaolong <wangzhaolong(a)huaweicloud.com> smb: client: fix use-after-free in cifs_oplock_break Kuniyuki Iwashima <kuniyu(a)google.com> rpl: Fix use-after-free in rpl_do_srh_inline(). Xiang Mei <xmei5(a)asu.edu> net/sched: sch_qfq: Fix race condition on qfq_aggregate Ming Lei <ming.lei(a)redhat.com> block: fix kobject leak in blk_unregister_queue Alok Tiwari <alok.a.tiwari(a)oracle.com> net: emaclite: Fix missing pointer increment in aligned_read() Arnd Bergmann <arnd(a)arndb.de> ALSA: compress_offload: tighten ioctl command number checks Zizhi Wo <wozizhi(a)huawei.com> cachefiles: Fix the incorrect return value in __cachefiles_write() Pagadala Yesu Anjaneyulu <pagadala.yesu.anjaneyulu(a)intel.com> wifi: iwlwifi: mask reserved bits in chan_state_active_bitmap Andrea Righi <arighi(a)nvidia.com> selftests/sched_ext: Fix exit selftest hang on UP Paul Chaignon <paul.chaignon(a)gmail.com> bpf: Reject %p% format string in bprintf-like helpers Richard Zhu <hongxing.zhu(a)nxp.com> arm64: dts: imx95: Correct the DMA interrupter number of pcie0_ep Wei Fang <wei.fang(a)nxp.com> arm64: dts: imx95-15x15-evk: fix the overshoot issue of NETC Wei Fang <wei.fang(a)nxp.com> arm64: dts: imx95-19x19-evk: fix the overshoot issue of NETC Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> soundwire: amd: fix for clearing command status register Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> phy: use per-PHY lockdep keys Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> soundwire: amd: fix for handling slave alerts after link is down Andy Yan <andyshrk(a)163.com> arm64: dts: rockchip: Add cd-gpios for sdcard detect on Cool Pi 4B Andy Yan <andyshrk(a)163.com> arm64: dts: rockchip: Add cd-gpios for sdcard detect on Cool Pi CM5 Ian Abbott <abbotti(a)mev.co.uk> comedi: Fix initialization of data for instructions that write to subdevice Ian Abbott <abbotti(a)mev.co.uk> comedi: Fix use of uninitialized data in insn_rw_emulate_bits() Ian Abbott <abbotti(a)mev.co.uk> comedi: Fix some signed shift left operations Ian Abbott <abbotti(a)mev.co.uk> comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large Ian Abbott <abbotti(a)mev.co.uk> comedi: comedi_test: Fix possible deletion of uninitialized timers Ian Abbott <abbotti(a)mev.co.uk> comedi: das6402: Fix bit shift out of bounds Ian Abbott <abbotti(a)mev.co.uk> comedi: das16m1: Fix bit shift out of bounds Ian Abbott <abbotti(a)mev.co.uk> comedi: aio_iiro_16: Fix bit shift out of bounds Ian Abbott <abbotti(a)mev.co.uk> comedi: pcl812: Fix bit shift out of bounds Maud Spierings <maudspierings(a)gocontroll.com> iio: common: st_sensors: Fix use of uninitialize device structs Markus Burri <markus.burri(a)mt.com> iio: backend: fix out-of-bound write Chen Ni <nichen(a)iscas.ac.cn> iio: adc: stm32-adc: Fix race in installing chained IRQ handler Fabio Estevam <festevam(a)denx.de> iio: adc: max1363: Reorder mode_list[] entries Fabio Estevam <festevam(a)denx.de> iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[] Chen-Yu Tsai <wens(a)csie.org> iio: adc: axp20x_adc: Add missing sentinel to AXP717 ADC channel maps David Lechner <dlechner(a)baylibre.com> iio: adc: adi-axi-adc: fix ad7606_bus_reg_read() David Lechner <dlechner(a)baylibre.com> iio: adc: ad7380: fix adi,gain-milli property parsing Sean Nyekjaer <sean(a)geanix.com> iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush Christoph Hellwig <hch(a)lst.de> xfs: don't allocate the xfs_extent_busy structure for zoned RTGs Amit Pundir <amit.pundir(a)linaro.org> soundwire: Revert "soundwire: qcom: Add set_channel_map api support" Andrew Jeffery <andrew(a)codeconstruct.com.au> soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled Andrew Jeffery <andrew(a)codeconstruct.com.au> soc: aspeed: lpc-snoop: Cleanup resources in stack-order Wang Zhaolong <wangzhaolong(a)huaweicloud.com> smb: client: fix use-after-free in crypt_message when using async crypto Ilya Leoshkevich <iii(a)linux.ibm.com> s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again Maulik Shah <maulik.shah(a)oss.qualcomm.com> pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov Jiawen Wu <jiawenwu(a)trustnetic.com> net: libwx: properly reset Rx ring descriptor Jiawen Wu <jiawenwu(a)trustnetic.com> net: libwx: fix the using of Rx buffer DMA Jiawen Wu <jiawenwu(a)trustnetic.com> net: libwx: remove duplicate page_pool_put_full_page() Markus Blöchl <markus(a)blochl.de> net: stmmac: intel: populate entire system_counterval_t in get_time_fn() callback Judith Mendez <jm(a)ti.com> mmc: sdhci_am654: Workaround for Errata i2312 Edson Juliano Drosdeck <edson.drosdeck(a)gmail.com> mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models Thomas Fourier <fourier.thomas(a)gmail.com> mmc: bcm2835: Fix dma_unmap_sg() nents value Nathan Chancellor <nathan(a)kernel.org> memstick: core: Zero initialize id_reg in h_memstick_read_dev_id() Jan Kara <jack(a)suse.cz> isofs: Verify inode mode when loading from disk Dan Carpenter <dan.carpenter(a)linaro.org> dmaengine: nbpfaxi: Fix memory corruption in probe() Qiu-ji Chen <chenqiuji666(a)gmail.com> dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status() Daniel Lezcano <daniel.lezcano(a)linaro.org> cpuidle: psci: Fix cpuhotplug routine with PREEMPT_RT=y Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: btintel: Check if controller is ISO capable on btintel_classify_pkt_type Yun Lu <luyun(a)kylinos.cn> af_packet: fix soft lockup issue caused by tpacket_snd() Yun Lu <luyun(a)kylinos.cn> af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd() Jakob Unterwurzacher <jakob.unterwurzacher(a)cherry.de> arm64: dts: rockchip: use cs-gpios for spi1 on ringneck Alexey Charkov <alchark(a)gmail.com> arm64: dts: rockchip: list all CPU supplies on ArmSoM Sige5 Tim Harvey <tharvey(a)gateworks.com> arm64: dts: imx8mp-venice-gw73xx: fix TPM SPI frequency Tim Harvey <tharvey(a)gateworks.com> arm64: dts: imx8mp-venice-gw72xx: fix TPM SPI frequency Tim Harvey <tharvey(a)gateworks.com> arm64: dts: imx8mp-venice-gw71xx: fix TPM SPI frequency Francesco Dolcini <francesco.dolcini(a)toradex.com> arm64: dts: freescale: imx8mm-verdin: Keep LDO5 always on Meng Li <Meng.Li(a)windriver.com> arm64: dts: add big-endian property back into watchdog node Tim Harvey <tharvey(a)gateworks.com> arm64: dts: imx8mp-venice-gw74xx: fix TPM SPI frequency Maor Gottlieb <maorg(a)nvidia.com> net/mlx5: Update the list of the PCI supported devices Nathan Chancellor <nathan(a)kernel.org> phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept() Paolo Abeni <pabeni(a)redhat.com> mptcp: reset fallback status gracefully at disconnect() time Paolo Abeni <pabeni(a)redhat.com> mptcp: plug races between subflow fail and subflow creation Paolo Abeni <pabeni(a)redhat.com> mptcp: make fallback action and fallback decision atomic Steve French <stfrench(a)microsoft.com> Fix SMB311 posix special file creation to servers which do not advertise reparse support Pavel Begunkov <asml.silence(a)gmail.com> io_uring/poll: fix POLLERR handling Takashi Iwai <tiwai(a)suse.de> ALSA: hda/realtek: Add quirk for ASUS ROG Strix G712LWS Edip Hazuri <edip(a)medip.dev> ALSA: hda/realtek - Fix mute LED for HP Victus 16-r0xxx David Howells <dhowells(a)redhat.com> netfs: Fix race between cache write completion and ALL_QUEUED being set David Howells <dhowells(a)redhat.com> netfs: Fix copy-to-cache so that it performs collection with ceph+fscache Clayton King <clayton.king(a)amd.com> drm/amd/display: Free memory allocation Melissa Wen <mwen(a)igalia.com> drm/amd/display: Disable CRTC degamma LUT for DCN401 Lijo Lazar <lijo.lazar(a)amd.com> drm/amdgpu: Increase reset counter only on success Philipp Stanner <phasta(a)kernel.org> drm/panfrost: Fix scheduler workqueue bug Eeli Haapalainen <eeli.haapalainen(a)protonmail.com> drm/amdgpu/gfx8: reset compute ring wptr on the GPU on resume Miguel Ojeda <ojeda(a)kernel.org> objtool/rust: add one more `noreturn` Rust function for Rust 1.89.0 Janne Grunau <j(a)jannau.net> rust: init: Fix generics in *_init! macros Tomas Glozar <tglozar(a)redhat.com> tracing/osnoise: Fix crash in timerlat_dump_stack() Steven Rostedt <rostedt(a)goodmis.org> tracing: Add down_write(trace_event_sem) when adding trace event Nathan Chancellor <nathan(a)kernel.org> tracing/probes: Avoid using params uninitialized in parse_btf_arg() Benjamin Tissoires <bentiss(a)kernel.org> HID: core: do not bypass hid_hw_raw_request Benjamin Tissoires <bentiss(a)kernel.org> HID: core: ensure __hid_request reserves the report ID as the first byte Benjamin Tissoires <bentiss(a)kernel.org> HID: core: ensure the allocated report buffer can contain the reserved report ID Sheng Yong <shengyong1(a)xiaomi.com> dm-bufio: fix sched in atomic context Naman Jain <namjain(a)linux.microsoft.com> tools/hv: fcopy: Fix irregularities with size of ring buffer Cheng Ming Lin <chengminglin(a)mxic.com.tw> spi: Add check for 8-bit transfer with 8 IO mode support Thomas Fourier <fourier.thomas(a)gmail.com> pch_uart: Fix dma_sync_sg_for_device() nents value Nilton Perim Neto <niltonperimneto(a)gmail.com> Input: xpad - set correct controller type for Acer NGR200 Michael C. Pratt <mcpratt(a)pm.me> nvmem: layouts: u-boot-env: remove crc32 endianness conversion Steffen Bätz <steffen(a)innosonix.de> nvmem: imx-ocotp: fix MAC address byte length Stefan Wahren <wahrenst(a)gmx.net> Revert "staging: vchiq_arm: Create keep-alive thread during probe" Stefan Wahren <wahrenst(a)gmx.net> Revert "staging: vchiq_arm: Improve initial VCHIQ connect" Alok Tiwari <alok.a.tiwari(a)oracle.com> thunderbolt: Fix bit masking in tb_dp_port_set_hops() Mario Limonciello <mario.limonciello(a)amd.com> thunderbolt: Fix wake on connect at runtime Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: omap: Fix an error handling path in omap_i2c_probe() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: omap: Handle omap_i2c_init() errors in omap_i2c_probe() Clément Le Goffic <clement.legoffic(a)foss.st.com> i2c: stm32f7: unmap DMA mapped buffer Clément Le Goffic <clement.legoffic(a)foss.st.com> i2c: stm32: fix the device used for the DMA map Xinyu Liu <1171169449(a)qq.com> usb: gadget: configfs: Fix OOB read on empty string write Minas Harutyunyan <Minas.Harutyunyan(a)synopsys.com> usb: dwc2: gadget: Fix enter to hibernation for UTMI+ PHY Drew Hamilton <drew.hamilton(a)zetier.com> usb: musb: fix gadget state on disconnect Ryan Mann (NDI) <rmann(a)ndigital.com> USB: serial: ftdi_sio: add support for NDI EMGUIDE GEMINI Slark Xiao <slark_xiao(a)163.com> USB: serial: option: add Foxconn T99W640 Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion FE910C04 (ECM) composition Haotien Hsu <haotienh(a)nvidia.com> phy: tegra: xusb: Disable periodic tracking on Tegra234 Wayne Chang <waynec(a)nvidia.com> phy: tegra: xusb: Decouple CYA_TRK_CODE_UPDATE_ON_IDLE from trk_hw_mode Wayne Chang <waynec(a)nvidia.com> phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode ------------- Diffstat: Makefile | 4 +- arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi | 3 +- arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 1 + .../boot/dts/freescale/imx8mp-venice-gw71xx.dtsi | 2 +- .../boot/dts/freescale/imx8mp-venice-gw72xx.dtsi | 2 +- .../boot/dts/freescale/imx8mp-venice-gw73xx.dtsi | 2 +- .../boot/dts/freescale/imx8mp-venice-gw74xx.dts | 2 +- arch/arm64/boot/dts/freescale/imx95-15x15-evk.dts | 20 +- arch/arm64/boot/dts/freescale/imx95-19x19-evk.dts | 12 +- arch/arm64/boot/dts/freescale/imx95.dtsi | 2 +- arch/arm64/boot/dts/rockchip/px30-ringneck.dtsi | 23 + .../boot/dts/rockchip/rk3576-armsom-sige5.dts | 28 ++ .../arm64/boot/dts/rockchip/rk3588-coolpi-cm5.dtsi | 1 + arch/arm64/boot/dts/rockchip/rk3588s-coolpi-4b.dts | 1 + arch/riscv/kernel/traps.c | 10 +- arch/riscv/kernel/traps_misaligned.c | 2 +- arch/s390/net/bpf_jit_comp.c | 10 +- block/blk-sysfs.c | 1 + drivers/block/loop.c | 5 +- drivers/bluetooth/bfusb.c | 2 +- drivers/bluetooth/bpa10x.c | 2 +- drivers/bluetooth/btbcm.c | 8 +- drivers/bluetooth/btintel.c | 30 +- drivers/bluetooth/btintel_pcie.c | 8 +- drivers/bluetooth/btmtksdio.c | 4 +- drivers/bluetooth/btmtkuart.c | 2 +- drivers/bluetooth/btnxpuart.c | 2 +- drivers/bluetooth/btqca.c | 2 +- drivers/bluetooth/btqcomsmd.c | 2 +- drivers/bluetooth/btrtl.c | 10 +- drivers/bluetooth/btsdio.c | 2 +- drivers/bluetooth/btusb.c | 148 +++--- drivers/bluetooth/hci_aml.c | 2 +- drivers/bluetooth/hci_bcm.c | 4 +- drivers/bluetooth/hci_bcm4377.c | 10 +- drivers/bluetooth/hci_intel.c | 2 +- drivers/bluetooth/hci_ldisc.c | 6 +- drivers/bluetooth/hci_ll.c | 4 +- drivers/bluetooth/hci_nokia.c | 2 +- drivers/bluetooth/hci_qca.c | 14 +- drivers/bluetooth/hci_serdev.c | 8 +- drivers/bluetooth/hci_vhci.c | 8 +- drivers/bluetooth/virtio_bt.c | 10 +- drivers/comedi/comedi_fops.c | 30 +- drivers/comedi/drivers.c | 17 +- drivers/comedi/drivers/aio_iiro_16.c | 3 +- drivers/comedi/drivers/comedi_test.c | 2 +- drivers/comedi/drivers/das16m1.c | 3 +- drivers/comedi/drivers/das6402.c | 3 +- drivers/comedi/drivers/pcl812.c | 3 +- drivers/cpuidle/cpuidle-psci.c | 23 +- drivers/dma/mediatek/mtk-cqdma.c | 4 +- drivers/dma/nbpfaxi.c | 11 +- drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 9 +- drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c | 1 + .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 11 +- .../amd/display/dc/clk_mgr/dcn401/dcn401_clk_mgr.c | 3 +- drivers/gpu/drm/mediatek/mtk_crtc.c | 36 +- drivers/gpu/drm/mediatek/mtk_crtc.h | 1 + drivers/gpu/drm/mediatek/mtk_ddp_comp.c | 1 + drivers/gpu/drm/mediatek/mtk_ddp_comp.h | 9 + drivers/gpu/drm/mediatek/mtk_disp_drv.h | 1 + drivers/gpu/drm/mediatek/mtk_disp_ovl.c | 7 + drivers/gpu/drm/mediatek/mtk_plane.c | 12 +- drivers/gpu/drm/mediatek/mtk_plane.h | 3 +- drivers/gpu/drm/panfrost/panfrost_job.c | 2 +- drivers/gpu/drm/xe/xe_gt.c | 15 +- drivers/gpu/drm/xe/xe_gt_sriov_pf.c | 19 + drivers/gpu/drm/xe/xe_gt_sriov_pf.h | 5 + drivers/gpu/drm/xe/xe_gt_sriov_pf_config.c | 27 + drivers/gpu/drm/xe/xe_ring_ops.c | 22 +- drivers/hid/hid-core.c | 21 +- drivers/hwmon/corsair-cpro.c | 5 + drivers/i2c/busses/i2c-omap.c | 7 +- drivers/i2c/busses/i2c-stm32.c | 8 +- drivers/i2c/busses/i2c-stm32f7.c | 24 +- drivers/iio/accel/fxls8962af-core.c | 2 + drivers/iio/accel/st_accel_core.c | 10 +- drivers/iio/adc/ad7380.c | 5 +- drivers/iio/adc/adi-axi-adc.c | 6 +- drivers/iio/adc/axp20x_adc.c | 1 + drivers/iio/adc/max1363.c | 43 +- drivers/iio/adc/stm32-adc-core.c | 7 +- drivers/iio/common/st_sensors/st_sensors_core.c | 36 +- drivers/iio/common/st_sensors/st_sensors_trigger.c | 20 +- drivers/iio/industrialio-backend.c | 5 +- drivers/input/joystick/xpad.c | 2 +- drivers/md/dm-bufio.c | 6 +- drivers/memstick/core/memstick.c | 2 +- drivers/mmc/host/bcm2835.c | 3 +- drivers/mmc/host/sdhci-pci-core.c | 3 +- drivers/mmc/host/sdhci_am654.c | 9 +- drivers/net/can/m_can/tcan4x5x-core.c | 61 ++- drivers/net/ethernet/airoha/airoha_npu.c | 3 +- drivers/net/ethernet/intel/ice/ice_debugfs.c | 2 +- drivers/net/ethernet/intel/ice/ice_lag.c | 3 +- drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 12 +- drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 + drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c | 8 +- drivers/net/ethernet/wangxun/libwx/wx_hw.c | 9 +- drivers/net/ethernet/wangxun/libwx/wx_lib.c | 20 +- drivers/net/ethernet/wangxun/libwx/wx_type.h | 2 - drivers/net/ethernet/xilinx/xilinx_emaclite.c | 2 +- drivers/net/hyperv/netvsc_drv.c | 5 +- drivers/net/phy/phy_device.c | 6 +- drivers/net/usb/sierra_net.c | 4 + drivers/net/virtio_net.c | 2 +- .../net/wireless/intel/iwlwifi/fw/api/nvm-reg.h | 5 +- drivers/net/wireless/intel/iwlwifi/fw/regulatory.c | 1 + .../net/wireless/intel/iwlwifi/mld/regulatory.c | 4 +- drivers/nvme/host/core.c | 27 +- drivers/nvme/target/tcp.c | 4 +- drivers/nvmem/imx-ocotp-ele.c | 5 +- drivers/nvmem/imx-ocotp.c | 5 +- drivers/nvmem/layouts/u-boot-env.c | 6 +- drivers/phy/phy-core.c | 5 +- drivers/phy/tegra/xusb-tegra186.c | 77 +-- drivers/phy/tegra/xusb.h | 1 + drivers/pmdomain/governor.c | 18 +- drivers/soc/aspeed/aspeed-lpc-snoop.c | 13 +- drivers/soundwire/amd_manager.c | 4 +- drivers/soundwire/qcom.c | 26 - drivers/spi/spi.c | 14 +- .../vc04_services/interface/vchiq_arm/vchiq_arm.c | 95 ++-- .../vc04_services/interface/vchiq_arm/vchiq_core.c | 1 - .../vc04_services/interface/vchiq_arm/vchiq_core.h | 2 - drivers/thunderbolt/switch.c | 10 +- drivers/thunderbolt/tb.h | 2 +- drivers/thunderbolt/usb4.c | 12 +- drivers/tty/serial/pch_uart.c | 2 +- drivers/usb/core/hub.c | 36 +- drivers/usb/core/hub.h | 1 + drivers/usb/dwc2/gadget.c | 40 +- drivers/usb/dwc3/dwc3-qcom.c | 8 +- drivers/usb/gadget/configfs.c | 4 + drivers/usb/musb/musb_gadget.c | 2 + drivers/usb/serial/ftdi_sio.c | 2 + drivers/usb/serial/ftdi_sio_ids.h | 3 + drivers/usb/serial/option.c | 5 + fs/cachefiles/io.c | 2 - fs/cachefiles/ondemand.c | 4 +- fs/efivarfs/super.c | 6 + fs/isofs/inode.c | 9 +- fs/netfs/read_pgpriv2.c | 5 + fs/notify/dnotify/dnotify.c | 8 +- fs/smb/client/cifs_debug.c | 23 +- fs/smb/client/file.c | 10 +- fs/smb/client/smb2inode.c | 3 +- fs/smb/client/smb2ops.c | 24 +- fs/smb/client/smbdirect.c | 544 ++++++++++----------- fs/smb/client/smbdirect.h | 62 +-- fs/smb/common/smbdirect/smbdirect.h | 37 ++ fs/smb/common/smbdirect/smbdirect_pdu.h | 55 +++ fs/smb/common/smbdirect/smbdirect_socket.h | 43 ++ fs/xfs/libxfs/xfs_group.c | 14 +- fs/xfs/xfs_extent_busy.h | 8 + include/linux/phy/phy.h | 2 + include/net/bluetooth/hci.h | 2 + include/net/bluetooth/hci_core.h | 50 +- include/net/cfg80211.h | 2 +- include/net/netfilter/nf_conntrack.h | 15 +- include/trace/events/netfs.h | 30 ++ include/trace/events/rxrpc.h | 6 +- io_uring/net.c | 12 +- io_uring/poll.c | 2 - kernel/bpf/helpers.c | 11 +- kernel/cgroup/legacy_freezer.c | 8 +- kernel/freezer.c | 15 +- kernel/sched/ext.c | 12 +- kernel/sched/loadavg.c | 2 +- kernel/sched/sched.h | 2 +- kernel/trace/trace_events.c | 5 + kernel/trace/trace_osnoise.c | 2 +- kernel/trace/trace_probe.c | 2 +- net/8021q/vlan.c | 42 +- net/8021q/vlan.h | 1 + net/bluetooth/hci_core.c | 4 +- net/bluetooth/hci_debugfs.c | 8 +- net/bluetooth/hci_event.c | 19 +- net/bluetooth/hci_sync.c | 63 ++- net/bluetooth/l2cap_core.c | 26 +- net/bluetooth/l2cap_sock.c | 3 + net/bluetooth/mgmt.c | 38 +- net/bluetooth/msft.c | 2 +- net/bluetooth/smp.c | 21 +- net/bluetooth/smp.h | 1 + net/bridge/br_switchdev.c | 3 + net/ipv4/tcp_offload.c | 1 + net/ipv4/udp_offload.c | 1 + net/ipv6/mcast.c | 2 +- net/ipv6/rpl_iptunnel.c | 8 +- net/mptcp/options.c | 3 +- net/mptcp/pm.c | 8 +- net/mptcp/protocol.c | 56 ++- net/mptcp/protocol.h | 29 +- net/mptcp/subflow.c | 30 +- net/netfilter/nf_conntrack_core.c | 26 +- net/packet/af_packet.c | 27 +- net/phonet/pep.c | 2 +- net/rxrpc/ar-internal.h | 4 + net/rxrpc/call_accept.c | 14 +- net/rxrpc/call_object.c | 28 +- net/rxrpc/io_thread.c | 14 + net/rxrpc/output.c | 22 +- net/rxrpc/peer_object.c | 6 +- net/rxrpc/recvmsg.c | 23 +- net/rxrpc/security.c | 8 +- net/sched/sch_htb.c | 4 +- net/sched/sch_qfq.c | 30 +- net/smc/af_smc.c | 14 + net/smc/smc.h | 8 +- net/tls/tls_strp.c | 3 +- rust/Makefile | 1 + rust/kernel/firmware.rs | 2 +- rust/kernel/init.rs | 8 +- rust/kernel/kunit.rs | 2 +- rust/kernel/lib.rs | 2 + rust/macros/module.rs | 10 +- scripts/Makefile.build | 2 +- sound/core/compress_offload.c | 48 +- sound/pci/hda/patch_realtek.c | 2 + tools/hv/hv_fcopy_uio_daemon.c | 91 +++- tools/lib/bpf/libbpf.c | 20 +- tools/objtool/check.c | 1 + tools/testing/selftests/net/udpgro.sh | 8 +- tools/testing/selftests/sched_ext/exit.c | 8 + 226 files changed, 2116 insertions(+), 1239 deletions(-)

1 month, 2 weeks

18
205
0 0

[PATCH 6.1 00/79] 6.1.147-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.147 release. There are 79 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 24 Jul 2025 13:43:10 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.147-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.147-rc1 Michael C. Pratt <mcpratt(a)pm.me> nvmem: layouts: u-boot-env: remove crc32 endianness conversion Alexander Gordeev <agordeev(a)linux.ibm.com> mm/vmalloc: leave lazy MMU mode on PTE mapping error Christian Eggers <ceggers(a)arri.de> Bluetooth: HCI: Set extended advertising data synchronously Arun Raghavan <arun(a)asymptotic.io> ASoC: fsl_sai: Force a software reset when starting in consumer mode Krishna Kurapati <krishna.kurapati(a)oss.qualcomm.com> usb: dwc3: qcom: Don't leave BCR asserted Drew Hamilton <drew.hamilton(a)zetier.com> usb: musb: fix gadget state on disconnect Paul Cercueil <paul(a)crapouillou.net> usb: musb: Add and use inline functions musb_{get,set}_state Mathias Nyman <mathias.nyman(a)linux.intel.com> usb: hub: Don't try to recover devices lost during warm reset. Mathias Nyman <mathias.nyman(a)linux.intel.com> usb: hub: Fix flushing of delayed work used for post resume purposes Mathias Nyman <mathias.nyman(a)linux.intel.com> usb: hub: Fix flushing and scheduling of delayed work that tunes runtime pm Mathias Nyman <mathias.nyman(a)linux.intel.com> usb: hub: fix detection of high tier USB3 devices behind suspended hubs Al Viro <viro(a)zeniv.linux.org.uk> clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns Hamish Martin <hamish.martin(a)alliedtelesis.co.nz> HID: mcp2221: Set driver data before I2C adapter add Aruna Ramakrishna <aruna.ramakrishna(a)oracle.com> sched: Change nr_uninterruptible type to unsigned long Chen Ridong <chenridong(a)huawei.com> Revert "cgroup_freezer: cgroup_freezing: Check if not frozen" William Liu <will(a)willsroot.io> net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree Joseph Huang <Joseph.Huang(a)garmin.com> net: bridge: Do not offload IGMP/MLD messages Dong Chenchen <dongchenchen2(a)huawei.com> net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime Jakub Kicinski <kuba(a)kernel.org> tls: always refresh the queue when reading sock Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU Florian Westphal <fw(a)strlen.de> netfilter: nf_conntrack: fix crash due to removal of uninitialised entry Yue Haibing <yuehaibing(a)huawei.com> ipv6: mcast: Delay put pmc->idev in mld_del_delrec() Christoph Paasch <cpaasch(a)openai.com> net/mlx5: Correctly set gso_size when LRO is used Zijun Hu <zijun.hu(a)oss.qualcomm.com> Bluetooth: btusb: QCA: Fix downloading wrong NVM for WCN6855 GF variant without board ID Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: SMP: If an unallowed command is received consider it a failure Alessandro Gasbarroni <alex.gasbarroni(a)gmail.com> Bluetooth: hci_sync: fix connectable extended advertising when using static random address Kuniyuki Iwashima <kuniyu(a)google.com> Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() Oliver Neukum <oneukum(a)suse.com> usb: net: sierra: check for no status endpoint Marius Zachmann <mail(a)mariuszachmann.de> hwmon: (corsair-cpro) Validate the size of the received input buffer Paolo Abeni <pabeni(a)redhat.com> selftests: net: increase inter-packet timeout in udpgro.sh Yu Kuai <yukuai3(a)huawei.com> nvme: fix misaccounting of nvme-mpath inflight I/O Wang Zhaolong <wangzhaolong(a)huaweicloud.com> smb: client: fix use-after-free in cifs_oplock_break Kuniyuki Iwashima <kuniyu(a)google.com> rpl: Fix use-after-free in rpl_do_srh_inline(). Xiang Mei <xmei5(a)asu.edu> net/sched: sch_qfq: Fix race condition on qfq_aggregate Alok Tiwari <alok.a.tiwari(a)oracle.com> net: emaclite: Fix missing pointer increment in aligned_read() Zizhi Wo <wozizhi(a)huawei.com> cachefiles: Fix the incorrect return value in __cachefiles_write() Paul Chaignon <paul.chaignon(a)gmail.com> bpf: Reject %p% format string in bprintf-like helpers Ian Abbott <abbotti(a)mev.co.uk> comedi: Fix initialization of data for instructions that write to subdevice Ian Abbott <abbotti(a)mev.co.uk> comedi: Fix use of uninitialized data in insn_rw_emulate_bits() Ian Abbott <abbotti(a)mev.co.uk> comedi: Fix some signed shift left operations Ian Abbott <abbotti(a)mev.co.uk> comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large Ian Abbott <abbotti(a)mev.co.uk> comedi: das6402: Fix bit shift out of bounds Ian Abbott <abbotti(a)mev.co.uk> comedi: das16m1: Fix bit shift out of bounds Ian Abbott <abbotti(a)mev.co.uk> comedi: aio_iiro_16: Fix bit shift out of bounds Ian Abbott <abbotti(a)mev.co.uk> comedi: pcl812: Fix bit shift out of bounds Chen Ni <nichen(a)iscas.ac.cn> iio: adc: stm32-adc: Fix race in installing chained IRQ handler Fabio Estevam <festevam(a)denx.de> iio: adc: max1363: Reorder mode_list[] entries Fabio Estevam <festevam(a)denx.de> iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[] Sean Nyekjaer <sean(a)geanix.com> iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush Andrew Jeffery <andrew(a)codeconstruct.com.au> soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled Andrew Jeffery <andrew(a)codeconstruct.com.au> soc: aspeed: lpc-snoop: Cleanup resources in stack-order Wang Zhaolong <wangzhaolong(a)huaweicloud.com> smb: client: fix use-after-free in crypt_message when using async crypto Maulik Shah <maulik.shah(a)oss.qualcomm.com> pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov Judith Mendez <jm(a)ti.com> mmc: sdhci_am654: Workaround for Errata i2312 Edson Juliano Drosdeck <edson.drosdeck(a)gmail.com> mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models Thomas Fourier <fourier.thomas(a)gmail.com> mmc: bcm2835: Fix dma_unmap_sg() nents value Nathan Chancellor <nathan(a)kernel.org> memstick: core: Zero initialize id_reg in h_memstick_read_dev_id() Jan Kara <jack(a)suse.cz> isofs: Verify inode mode when loading from disk Dan Carpenter <dan.carpenter(a)linaro.org> dmaengine: nbpfaxi: Fix memory corruption in probe() Yun Lu <luyun(a)kylinos.cn> af_packet: fix soft lockup issue caused by tpacket_snd() Yun Lu <luyun(a)kylinos.cn> af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd() Francesco Dolcini <francesco.dolcini(a)toradex.com> arm64: dts: freescale: imx8mm-verdin: Keep LDO5 always on Maor Gottlieb <maorg(a)nvidia.com> net/mlx5: Update the list of the PCI supported devices Nathan Chancellor <nathan(a)kernel.org> phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept() Pavel Begunkov <asml.silence(a)gmail.com> io_uring/poll: fix POLLERR handling Steven Rostedt <rostedt(a)goodmis.org> tracing: Add down_write(trace_event_sem) when adding trace event Benjamin Tissoires <bentiss(a)kernel.org> HID: core: do not bypass hid_hw_raw_request Benjamin Tissoires <bentiss(a)kernel.org> HID: core: ensure __hid_request reserves the report ID as the first byte Benjamin Tissoires <bentiss(a)kernel.org> HID: core: ensure the allocated report buffer can contain the reserved report ID Thomas Fourier <fourier.thomas(a)gmail.com> pch_uart: Fix dma_sync_sg_for_device() nents value Nilton Perim Neto <niltonperimneto(a)gmail.com> Input: xpad - set correct controller type for Acer NGR200 Alok Tiwari <alok.a.tiwari(a)oracle.com> thunderbolt: Fix bit masking in tb_dp_port_set_hops() Clément Le Goffic <clement.legoffic(a)foss.st.com> i2c: stm32: fix the device used for the DMA map Xinyu Liu <1171169449(a)qq.com> usb: gadget: configfs: Fix OOB read on empty string write Ryan Mann (NDI) <rmann(a)ndigital.com> USB: serial: ftdi_sio: add support for NDI EMGUIDE GEMINI Slark Xiao <slark_xiao(a)163.com> USB: serial: option: add Foxconn T99W640 Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion FE910C04 (ECM) composition Wayne Chang <waynec(a)nvidia.com> phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode ------------- Diffstat: Makefile | 4 +- arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 1 + drivers/base/power/domain_governor.c | 18 +- drivers/bluetooth/btusb.c | 78 ++++---- drivers/comedi/comedi_fops.c | 30 +++- drivers/comedi/drivers.c | 17 +- drivers/comedi/drivers/aio_iiro_16.c | 3 +- drivers/comedi/drivers/das16m1.c | 3 +- drivers/comedi/drivers/das6402.c | 3 +- drivers/comedi/drivers/pcl812.c | 3 +- drivers/dma/nbpfaxi.c | 11 +- drivers/hid/hid-core.c | 21 ++- drivers/hid/hid-mcp2221.c | 2 +- drivers/hwmon/corsair-cpro.c | 5 + drivers/i2c/busses/i2c-stm32.c | 8 +- drivers/i2c/busses/i2c-stm32f7.c | 4 +- drivers/iio/accel/fxls8962af-core.c | 2 + drivers/iio/adc/max1363.c | 43 +++-- drivers/iio/adc/stm32-adc-core.c | 7 +- drivers/input/joystick/xpad.c | 2 +- drivers/memstick/core/memstick.c | 2 +- drivers/mmc/host/bcm2835.c | 3 +- drivers/mmc/host/sdhci-pci-core.c | 3 +- drivers/mmc/host/sdhci_am654.c | 9 +- drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 12 +- drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 + drivers/net/ethernet/xilinx/xilinx_emaclite.c | 2 +- drivers/net/usb/sierra_net.c | 4 + drivers/nvme/host/core.c | 4 + drivers/nvmem/u-boot-env.c | 2 +- drivers/phy/tegra/xusb-tegra186.c | 61 ++++--- drivers/soc/aspeed/aspeed-lpc-snoop.c | 13 +- drivers/thunderbolt/switch.c | 2 +- drivers/tty/serial/pch_uart.c | 2 +- drivers/usb/core/hub.c | 36 +++- drivers/usb/core/hub.h | 1 + drivers/usb/dwc3/dwc3-qcom.c | 7 +- drivers/usb/gadget/configfs.c | 2 + drivers/usb/musb/musb_core.c | 62 +++---- drivers/usb/musb/musb_core.h | 11 ++ drivers/usb/musb/musb_debugfs.c | 6 +- drivers/usb/musb/musb_gadget.c | 30 ++-- drivers/usb/musb/musb_host.c | 6 +- drivers/usb/musb/musb_virthub.c | 18 +- drivers/usb/serial/ftdi_sio.c | 2 + drivers/usb/serial/ftdi_sio_ids.h | 3 + drivers/usb/serial/option.c | 5 + fs/cachefiles/io.c | 2 - fs/cachefiles/ondemand.c | 4 +- fs/isofs/inode.c | 9 +- fs/namespace.c | 5 + fs/smb/client/file.c | 10 +- fs/smb/client/smb2ops.c | 7 +- include/net/netfilter/nf_conntrack.h | 15 +- io_uring/net.c | 12 +- io_uring/poll.c | 2 - kernel/bpf/helpers.c | 11 +- kernel/cgroup/legacy_freezer.c | 8 +- kernel/sched/loadavg.c | 2 +- kernel/sched/sched.h | 2 +- kernel/trace/trace_events.c | 5 + mm/vmalloc.c | 22 ++- net/8021q/vlan.c | 42 ++++- net/8021q/vlan.h | 1 + net/bluetooth/hci_event.c | 36 ---- net/bluetooth/hci_sync.c | 217 ++++++++++++++--------- net/bluetooth/l2cap_core.c | 26 ++- net/bluetooth/l2cap_sock.c | 3 + net/bluetooth/smp.c | 21 ++- net/bluetooth/smp.h | 1 + net/bridge/br_switchdev.c | 3 + net/ipv6/mcast.c | 2 +- net/ipv6/rpl_iptunnel.c | 8 +- net/netfilter/nf_conntrack_core.c | 26 ++- net/packet/af_packet.c | 27 ++- net/phonet/pep.c | 2 +- net/sched/sch_htb.c | 4 +- net/sched/sch_qfq.c | 30 +++- net/tls/tls_strp.c | 3 +- sound/soc/fsl/fsl_sai.c | 14 +- tools/testing/selftests/net/udpgro.sh | 8 +- 81 files changed, 744 insertions(+), 420 deletions(-)

1 month, 2 weeks

12
90
0 0

[PATCH] asm-generic/io.h: Skip trace helpers if rwmmio events are disabled

by Varad Gautam

With `CONFIG_TRACE_MMIO_ACCESS=y`, the `{read,write}{b,w,l,q}{_relaxed}()` mmio accessors unconditionally call `log_{post_}{read,write}_mmio()` helpers, which in turn call the ftrace ops for `rwmmio` trace events This adds a performance penalty per mmio accessor call, even when `rwmmio` events are disabled at runtime (~80% overhead on local measurement). Guard these with `tracepoint_enabled()`. Signed-off-by: Varad Gautam <varadgautam(a)google.com> Fixes: 210031971cdd ("asm-generic/io: Add logging support for MMIO accessors") Cc: <stable(a)vger.kernel.org> --- include/asm-generic/io.h | 98 +++++++++++++++++++++++++++------------- 1 file changed, 66 insertions(+), 32 deletions(-) diff --git a/include/asm-generic/io.h b/include/asm-generic/io.h index 3c61c29ff6ab..a9b5da547523 100644 --- a/include/asm-generic/io.h +++ b/include/asm-generic/io.h @@ -75,6 +75,7 @@ #if IS_ENABLED(CONFIG_TRACE_MMIO_ACCESS) && !(defined(__DISABLE_TRACE_MMIO__)) #include <linux/tracepoint-defs.h> +#define rwmmio_tracepoint_enabled(tracepoint) tracepoint_enabled(tracepoint) DECLARE_TRACEPOINT(rwmmio_write); DECLARE_TRACEPOINT(rwmmio_post_write); DECLARE_TRACEPOINT(rwmmio_read); @@ -91,6 +92,7 @@ void log_post_read_mmio(u64 val, u8 width, const volatile void __iomem *addr, #else +#define rwmmio_tracepoint_enabled(tracepoint) false static inline void log_write_mmio(u64 val, u8 width, volatile void __iomem *addr, unsigned long caller_addr, unsigned long caller_addr0) {} static inline void log_post_write_mmio(u64 val, u8 width, volatile void __iomem *addr, @@ -189,11 +191,13 @@ static inline u8 readb(const volatile void __iomem *addr) { u8 val; - log_read_mmio(8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(8, addr, _THIS_IP_, _RET_IP_); __io_br(); val = __raw_readb(addr); __io_ar(val); - log_post_read_mmio(val, 8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 8, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -204,11 +208,13 @@ static inline u16 readw(const volatile void __iomem *addr) { u16 val; - log_read_mmio(16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(16, addr, _THIS_IP_, _RET_IP_); __io_br(); val = __le16_to_cpu((__le16 __force)__raw_readw(addr)); __io_ar(val); - log_post_read_mmio(val, 16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 16, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -219,11 +225,13 @@ static inline u32 readl(const volatile void __iomem *addr) { u32 val; - log_read_mmio(32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(32, addr, _THIS_IP_, _RET_IP_); __io_br(); val = __le32_to_cpu((__le32 __force)__raw_readl(addr)); __io_ar(val); - log_post_read_mmio(val, 32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 32, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -235,11 +243,13 @@ static inline u64 readq(const volatile void __iomem *addr) { u64 val; - log_read_mmio(64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(64, addr, _THIS_IP_, _RET_IP_); __io_br(); val = __le64_to_cpu((__le64 __force)__raw_readq(addr)); __io_ar(val); - log_post_read_mmio(val, 64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 64, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -249,11 +259,13 @@ static inline u64 readq(const volatile void __iomem *addr) #define writeb writeb static inline void writeb(u8 value, volatile void __iomem *addr) { - log_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); __io_bw(); __raw_writeb(value, addr); __io_aw(); - log_post_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); } #endif @@ -261,11 +273,13 @@ static inline void writeb(u8 value, volatile void __iomem *addr) #define writew writew static inline void writew(u16 value, volatile void __iomem *addr) { - log_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); __io_bw(); __raw_writew((u16 __force)cpu_to_le16(value), addr); __io_aw(); - log_post_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); } #endif @@ -273,11 +287,13 @@ static inline void writew(u16 value, volatile void __iomem *addr) #define writel writel static inline void writel(u32 value, volatile void __iomem *addr) { - log_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); __io_bw(); __raw_writel((u32 __force)__cpu_to_le32(value), addr); __io_aw(); - log_post_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); } #endif @@ -286,11 +302,13 @@ static inline void writel(u32 value, volatile void __iomem *addr) #define writeq writeq static inline void writeq(u64 value, volatile void __iomem *addr) { - log_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); __io_bw(); __raw_writeq((u64 __force)__cpu_to_le64(value), addr); __io_aw(); - log_post_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); } #endif #endif /* CONFIG_64BIT */ @@ -306,9 +324,11 @@ static inline u8 readb_relaxed(const volatile void __iomem *addr) { u8 val; - log_read_mmio(8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(8, addr, _THIS_IP_, _RET_IP_); val = __raw_readb(addr); - log_post_read_mmio(val, 8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 8, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -319,9 +339,11 @@ static inline u16 readw_relaxed(const volatile void __iomem *addr) { u16 val; - log_read_mmio(16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(16, addr, _THIS_IP_, _RET_IP_); val = __le16_to_cpu((__le16 __force)__raw_readw(addr)); - log_post_read_mmio(val, 16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 16, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -332,9 +354,11 @@ static inline u32 readl_relaxed(const volatile void __iomem *addr) { u32 val; - log_read_mmio(32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(32, addr, _THIS_IP_, _RET_IP_); val = __le32_to_cpu((__le32 __force)__raw_readl(addr)); - log_post_read_mmio(val, 32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 32, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -345,9 +369,11 @@ static inline u64 readq_relaxed(const volatile void __iomem *addr) { u64 val; - log_read_mmio(64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(64, addr, _THIS_IP_, _RET_IP_); val = __le64_to_cpu((__le64 __force)__raw_readq(addr)); - log_post_read_mmio(val, 64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 64, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -356,9 +382,11 @@ static inline u64 readq_relaxed(const volatile void __iomem *addr) #define writeb_relaxed writeb_relaxed static inline void writeb_relaxed(u8 value, volatile void __iomem *addr) { - log_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); __raw_writeb(value, addr); - log_post_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); } #endif @@ -366,9 +394,11 @@ static inline void writeb_relaxed(u8 value, volatile void __iomem *addr) #define writew_relaxed writew_relaxed static inline void writew_relaxed(u16 value, volatile void __iomem *addr) { - log_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); __raw_writew((u16 __force)cpu_to_le16(value), addr); - log_post_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); } #endif @@ -376,9 +406,11 @@ static inline void writew_relaxed(u16 value, volatile void __iomem *addr) #define writel_relaxed writel_relaxed static inline void writel_relaxed(u32 value, volatile void __iomem *addr) { - log_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); __raw_writel((u32 __force)__cpu_to_le32(value), addr); - log_post_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); } #endif @@ -386,9 +418,11 @@ static inline void writel_relaxed(u32 value, volatile void __iomem *addr) #define writeq_relaxed writeq_relaxed static inline void writeq_relaxed(u64 value, volatile void __iomem *addr) { - log_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); __raw_writeq((u64 __force)__cpu_to_le64(value), addr); - log_post_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); } #endif -- 2.49.0.472.ge94155a9ec-goog

1 month, 2 weeks

2
5
0 0

FAILED: patch "[PATCH] ksmbd: fix use-after-free in __smb2_lease_break_noti()" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 21a4e47578d44c6b37c4fc4aba8ed7cc8dbb13de # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025042109-embroider-consoling-20d9@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 21a4e47578d44c6b37c4fc4aba8ed7cc8dbb13de Mon Sep 17 00:00:00 2001 From: Namjae Jeon <linkinjeon(a)kernel.org> Date: Fri, 11 Apr 2025 15:19:46 +0900 Subject: [PATCH] ksmbd: fix use-after-free in __smb2_lease_break_noti() Move tcp_transport free to ksmbd_conn_free. If ksmbd connection is referenced when ksmbd server thread terminates, It will not be freed, but conn->tcp_transport is freed. __smb2_lease_break_noti can be performed asynchronously when the connection is disconnected. __smb2_lease_break_noti calls ksmbd_conn_write, which can cause use-after-free when conn->ksmbd_transport is already freed. Cc: stable(a)vger.kernel.org Reported-by: Norbert Szetei <norbert(a)doyensec.com> Tested-by: Norbert Szetei <norbert(a)doyensec.com> Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/connection.c b/fs/smb/server/connection.c index c1f22c129111..83764c230e9d 100644 --- a/fs/smb/server/connection.c +++ b/fs/smb/server/connection.c @@ -39,8 +39,10 @@ void ksmbd_conn_free(struct ksmbd_conn *conn) xa_destroy(&conn->sessions); kvfree(conn->request_buf); kfree(conn->preauth_info); - if (atomic_dec_and_test(&conn->refcnt)) + if (atomic_dec_and_test(&conn->refcnt)) { + ksmbd_free_transport(conn->transport); kfree(conn); + } } /** diff --git a/fs/smb/server/transport_tcp.c b/fs/smb/server/transport_tcp.c index 7f38a3c3f5bd..abedf510899a 100644 --- a/fs/smb/server/transport_tcp.c +++ b/fs/smb/server/transport_tcp.c @@ -93,15 +93,19 @@ static struct tcp_transport *alloc_transport(struct socket *client_sk) return t; } +void ksmbd_free_transport(struct ksmbd_transport *kt) +{ + struct tcp_transport *t = TCP_TRANS(kt); + + sock_release(t->sock); + kfree(t->iov); + kfree(t); +} + static void free_transport(struct tcp_transport *t) { kernel_sock_shutdown(t->sock, SHUT_RDWR); - sock_release(t->sock); - t->sock = NULL; - ksmbd_conn_free(KSMBD_TRANS(t)->conn); - kfree(t->iov); - kfree(t); } /** diff --git a/fs/smb/server/transport_tcp.h b/fs/smb/server/transport_tcp.h index 8c9aa624cfe3..1e51675ee1b2 100644 --- a/fs/smb/server/transport_tcp.h +++ b/fs/smb/server/transport_tcp.h @@ -8,6 +8,7 @@ int ksmbd_tcp_set_interfaces(char *ifc_list, int ifc_list_sz); struct interface *ksmbd_find_netdev_name_iface_list(char *netdev_name); +void ksmbd_free_transport(struct ksmbd_transport *kt); int ksmbd_tcp_init(void); void ksmbd_tcp_destroy(void);

1 month, 2 weeks

2
1
0 0

[PATCH] staging: fbtft: add support for a device tree of backlight.

by chalianis1＠gmail.com

From: Chali Anis <chalianis1(a)gmail.com> Support the of backlight from device tree and keep compatibility for the legacy gpio backlight. Cc: stable(a)vger.kernel.org Signed-off-by: Chali Anis <chalianis1(a)gmail.com> --- drivers/staging/fbtft/fbtft-core.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/staging/fbtft/fbtft-core.c b/drivers/staging/fbtft/fbtft-core.c index da9c64152a60..5f0220dbe397 100644 --- a/drivers/staging/fbtft/fbtft-core.c +++ b/drivers/staging/fbtft/fbtft-core.c @@ -170,6 +170,18 @@ void fbtft_register_backlight(struct fbtft_par *par) struct backlight_device *bd; struct backlight_properties bl_props = { 0, }; + bd = devm_of_find_backlight(par->info->device); + if (IS_ERR(bd)) { + dev_warn(par->info->device, + "cannot find of backlight device (%ld), trying legacy\n", + PTR_ERR(bd)); + } + + if (bd) { + par->info->bl_dev = bd; + return; + } + if (!par->gpio.led[0]) { fbtft_par_dbg(DEBUG_BACKLIGHT, par, "%s(): led pin not set, exiting.\n", __func__); -- 2.34.1

1 month, 2 weeks

2
1
0 0

[PATCH net v2] net: phy: realtek: Reset after clock enable

by Sebastian Reichel

On Radxa ROCK 4D boards we are seeing some issues with PHY detection and stability (e.g. link loss or not capable of transceiving packages) after new board revisions switched from a dedicated crystal to providing the 25 MHz PHY input clock from the SoC instead. This board is using a RTL8211F PHY, which is connected to an always-on regulator. Unfortunately the datasheet does not explicitly mention the power-up sequence regarding the clock, but it seems to assume that the clock is always-on (i.e. dedicated crystal). By doing an explicit reset after enabling the clock, the issue on the boards could no longer be observed. Note, that the RK3576 SoC used by the ROCK 4D board does not yet support system level PM, so the resume path has not been tested. Cc: stable(a)vger.kernel.org Fixes: 7300c9b574cc ("net: phy: realtek: Add optional external PHY clock") Signed-off-by: Sebastian Reichel <sebastian.reichel(a)collabora.com> --- Changes in v2: - Switch to PHY_RST_AFTER_CLK_EN + phy_reset_after_clk_enable(); the API is so far only used by the freescale/NXP MAC driver and does not seem to be written for usage from within the PHY driver, but I also don't see a good reason not to use it. - Also reset after re-enabling the clock in rtl821x_resume() - Link to v1: https://lore.kernel.org/r/20250704-phy-realtek-clock-fix-v1-1-63b33d204537@… --- drivers/net/phy/realtek/realtek_main.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/net/phy/realtek/realtek_main.c b/drivers/net/phy/realtek/realtek_main.c index c3dcb62574303374666b46a454cd4e10de455d24..cf128af0ec0c778262d70d6dc4524d06cbfccf1f 100644 --- a/drivers/net/phy/realtek/realtek_main.c +++ b/drivers/net/phy/realtek/realtek_main.c @@ -230,6 +230,7 @@ static int rtl821x_probe(struct phy_device *phydev) if (IS_ERR(priv->clk)) return dev_err_probe(dev, PTR_ERR(priv->clk), "failed to get phy clock\n"); + phy_reset_after_clk_enable(phydev); ret = phy_read_paged(phydev, RTL8211F_PHYCR_PAGE, RTL8211F_PHYCR1); if (ret < 0) @@ -627,8 +628,10 @@ static int rtl821x_resume(struct phy_device *phydev) struct rtl821x_priv *priv = phydev->priv; int ret; - if (!phydev->wol_enabled) + if (!phydev->wol_enabled) { clk_prepare_enable(priv->clk); + phy_reset_after_clk_enable(phydev); + } ret = genphy_resume(phydev); if (ret < 0) @@ -1617,7 +1620,7 @@ static struct phy_driver realtek_drvs[] = { .resume = rtl821x_resume, .read_page = rtl821x_read_page, .write_page = rtl821x_write_page, - .flags = PHY_ALWAYS_CALL_SUSPEND, + .flags = PHY_ALWAYS_CALL_SUSPEND | PHY_RST_AFTER_CLK_EN, .led_hw_is_supported = rtl8211x_led_hw_is_supported, .led_hw_control_get = rtl8211f_led_hw_control_get, .led_hw_control_set = rtl8211f_led_hw_control_set, --- base-commit: 89be9a83ccf1f88522317ce02f854f30d6115c41 change-id: 20250704-phy-realtek-clock-fix-6cd393e8cb2a Best regards, -- Sebastian Reichel <sre(a)kernel.org>

1 month, 2 weeks

4
5
0 0

FAILED: patch "[PATCH] crypto: qat - add shutdown handler to qat_dh895xcc" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 2c4e8b228733bfbcaf49408fdf94d220f6eb78fc # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025062004-setting-ruined-8212@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2c4e8b228733bfbcaf49408fdf94d220f6eb78fc Mon Sep 17 00:00:00 2001 From: Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> Date: Wed, 26 Mar 2025 15:59:49 +0000 Subject: [PATCH] crypto: qat - add shutdown handler to qat_dh895xcc During a warm reset via kexec, the system bypasses the driver removal sequence, meaning that the remove() callback is not invoked. If a QAT device is not shutdown properly, the device driver will fail to load in a newly rebooted kernel. This might result in output like the following after the kexec reboot: QAT: AE0 is inactive!! QAT: failed to get device out of reset dh895xcc 0000:3f:00.0: qat_hal_clr_reset error dh895xcc 0000:3f:00.0: Failed to init the AEs dh895xcc 0000:3f:00.0: Failed to initialise Acceleration Engine dh895xcc 0000:3f:00.0: Resetting device qat_dev0 dh895xcc 0000:3f:00.0: probe with driver dh895xcc failed with error -14 Implement the shutdown() handler that hooks into the reboot notifier list. This brings down the QAT device and ensures it is shut down properly. Cc: <stable(a)vger.kernel.org> Fixes: 7afa232e76ce ("crypto: qat - Intel(R) QAT DH895xcc accelerator") Reviewed-by: Ahsan Atta <ahsan.atta(a)intel.com> Reviewed-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/drivers/crypto/intel/qat/qat_dh895xcc/adf_drv.c b/drivers/crypto/intel/qat/qat_dh895xcc/adf_drv.c index 730147404ceb..b59e0cc49e52 100644 --- a/drivers/crypto/intel/qat/qat_dh895xcc/adf_drv.c +++ b/drivers/crypto/intel/qat/qat_dh895xcc/adf_drv.c @@ -209,6 +209,13 @@ static void adf_remove(struct pci_dev *pdev) kfree(accel_dev); } +static void adf_shutdown(struct pci_dev *pdev) +{ + struct adf_accel_dev *accel_dev = adf_devmgr_pci_to_accel_dev(pdev); + + adf_dev_down(accel_dev); +} + static const struct pci_device_id adf_pci_tbl[] = { { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_QAT_DH895XCC) }, { } @@ -220,6 +227,7 @@ static struct pci_driver adf_driver = { .name = ADF_DH895XCC_DEVICE_NAME, .probe = adf_probe, .remove = adf_remove, + .shutdown = adf_shutdown, .sriov_configure = adf_sriov_configure, .err_handler = &adf_err_handler, };

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] btrfs: fix qgroup reservation leak on failure to allocate" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 1f2889f5594a2bc4c6a52634c4a51b93e785def5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025062054-unhappily-kebab-e7e5@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1f2889f5594a2bc4c6a52634c4a51b93e785def5 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Wed, 7 May 2025 13:05:36 +0100 Subject: [PATCH] btrfs: fix qgroup reservation leak on failure to allocate ordered extent If we fail to allocate an ordered extent for a COW write we end up leaking a qgroup data reservation since we called btrfs_qgroup_release_data() but we didn't call btrfs_qgroup_free_refroot() (which would happen when running the respective data delayed ref created by ordered extent completion or when finishing the ordered extent in case an error happened). So make sure we call btrfs_qgroup_free_refroot() if we fail to allocate an ordered extent for a COW write. Fixes: 7dbeaad0af7d ("btrfs: change timing for qgroup reserved space for ordered extents to fix reserved space leak") CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Boris Burkov <boris(a)bur.io> Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ordered-data.c b/fs/btrfs/ordered-data.c index ae49f87b27e8..e44d3dd17caf 100644 --- a/fs/btrfs/ordered-data.c +++ b/fs/btrfs/ordered-data.c @@ -153,9 +153,10 @@ static struct btrfs_ordered_extent *alloc_ordered_extent( struct btrfs_ordered_extent *entry; int ret; u64 qgroup_rsv = 0; + const bool is_nocow = (flags & + ((1U << BTRFS_ORDERED_NOCOW) | (1U << BTRFS_ORDERED_PREALLOC))); - if (flags & - ((1U << BTRFS_ORDERED_NOCOW) | (1U << BTRFS_ORDERED_PREALLOC))) { + if (is_nocow) { /* For nocow write, we can release the qgroup rsv right now */ ret = btrfs_qgroup_free_data(inode, NULL, file_offset, num_bytes, &qgroup_rsv); if (ret < 0) @@ -170,8 +171,13 @@ static struct btrfs_ordered_extent *alloc_ordered_extent( return ERR_PTR(ret); } entry = kmem_cache_zalloc(btrfs_ordered_extent_cache, GFP_NOFS); - if (!entry) + if (!entry) { + if (!is_nocow) + btrfs_qgroup_free_refroot(inode->root->fs_info, + btrfs_root_id(inode->root), + qgroup_rsv, BTRFS_QGROUP_RSV_DATA); return ERR_PTR(-ENOMEM); + } entry->file_offset = file_offset; entry->num_bytes = num_bytes;

1 month, 2 weeks

2
1
0 0

[PATCH 5.10.y] comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large

by Ian Abbott

[ Upstream commit 08ae4b20f5e82101d77326ecab9089e110f224cc ] The handling of the `COMEDI_INSNLIST` ioctl allocates a kernel buffer to hold the array of `struct comedi_insn`, getting the length from the `n_insns` member of the `struct comedi_insnlist` supplied by the user. The allocation will fail with a WARNING and a stack dump if it is too large. Avoid that by failing with an `-EINVAL` error if the supplied `n_insns` value is unreasonable. Define the limit on the `n_insns` value in the `MAX_INSNS` macro. Set this to the same value as `MAX_SAMPLES` (65536), which is the maximum allowed sum of the values of the member `n` in the array of `struct comedi_insn`, and sensible comedi instructions will have an `n` of at least 1. Reported-by: syzbot+d6995b62e5ac7d79557a(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d6995b62e5ac7d79557a Fixes: ed9eccbe8970 ("Staging: add comedi core") Tested-by: Ian Abbott <abbotti(a)mev.co.uk> Cc: stable(a)vger.kernel.org # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250704120405.83028-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/staging/comedi/comedi_fops.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c index 8f896e6208a8..5aa6a84d1fa6 100644 --- a/drivers/staging/comedi/comedi_fops.c +++ b/drivers/staging/comedi/comedi_fops.c @@ -1584,6 +1584,16 @@ static int do_insnlist_ioctl(struct comedi_device *dev, return i; } +#define MAX_INSNS MAX_SAMPLES +static int check_insnlist_len(struct comedi_device *dev, unsigned int n_insns) +{ + if (n_insns > MAX_INSNS) { + dev_dbg(dev->class_dev, "insnlist length too large\n"); + return -EINVAL; + } + return 0; +} + /* * COMEDI_INSN ioctl * synchronous instruction @@ -2234,6 +2244,9 @@ static long comedi_unlocked_ioctl(struct file *file, unsigned int cmd, rc = -EFAULT; break; } + rc = check_insnlist_len(dev, insnlist.n_insns); + if (rc) + break; insns = kcalloc(insnlist.n_insns, sizeof(*insns), GFP_KERNEL); if (!insns) { rc = -ENOMEM; @@ -3085,6 +3098,9 @@ static int compat_insnlist(struct file *file, unsigned long arg) if (copy_from_user(&insnlist32, compat_ptr(arg), sizeof(insnlist32))) return -EFAULT; + rc = check_insnlist_len(dev, insnlist32.n_insns); + if (rc) + return rc; insns = kcalloc(insnlist32.n_insns, sizeof(*insns), GFP_KERNEL); if (!insns) return -ENOMEM; -- 2.47.2

1 month, 2 weeks

2
17
0 0

[PATCH 5.10.y] comedi: pcl812: Fix bit shift out of bounds

by Ian Abbott

[ Upstream commit b14b076ce593f72585412fc7fd3747e03a5e3632 ] When checking for a supported IRQ number, the following test is used: if ((1 << it->options[1]) & board->irq_bits) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Valid `it->options[1]` values that select the IRQ will be in the range [1,15]. The value 0 explicitly disables the use of interrupts. Reported-by: syzbot+32de323b0addb9e114ff(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=32de323b0addb9e114ff Fixes: fcdb427bc7cf ("Staging: comedi: add pcl821 driver") Cc: stable(a)vger.kernel.org # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250707133429.73202-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/staging/comedi/drivers/pcl812.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/staging/comedi/drivers/pcl812.c b/drivers/staging/comedi/drivers/pcl812.c index b87ab3840eee..fc06f284ba74 100644 --- a/drivers/staging/comedi/drivers/pcl812.c +++ b/drivers/staging/comedi/drivers/pcl812.c @@ -1151,7 +1151,8 @@ static int pcl812_attach(struct comedi_device *dev, struct comedi_devconfig *it) if (!dev->pacer) return -ENOMEM; - if ((1 << it->options[1]) & board->irq_bits) { + if (it->options[1] > 0 && it->options[1] < 16 && + (1 << it->options[1]) & board->irq_bits) { ret = request_irq(it->options[1], pcl812_interrupt, 0, dev->board_name, dev); if (ret == 0) -- 2.47.2

1 month, 2 weeks

2
1
0 0

[PATCH 6.1.y] KVM: arm64: silence -Wuninitialized-const-pointer warning

by Justin Stitt

A new warning in Clang 22 [1] complains that @clidr passed to get_clidr_el1() is an uninitialized const pointer. get_clidr_el1() doesn't really care since it casts away the const-ness anyways. Silence the warning by initializing the struct. This patch won't apply to anything past v6.1 as this code section was reworked in Commit 7af0c2534f4c ("KVM: arm64: Normalize cache configuration"). Cc: stable(a)vger.kernel.org Fixes: 7c8c5e6a9101e ("arm64: KVM: system register handling") Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d44… [1] Signed-off-by: Justin Stitt <justinstitt(a)google.com> --- arch/arm64/kvm/sys_regs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c index f4a7c5abcbca..d7ebd7387221 100644 --- a/arch/arm64/kvm/sys_regs.c +++ b/arch/arm64/kvm/sys_regs.c @@ -2948,7 +2948,7 @@ int kvm_sys_reg_table_init(void) { bool valid = true; unsigned int i; - struct sys_reg_desc clidr; + struct sys_reg_desc clidr = {0}; /* Make sure tables are unique and in order. */ valid &= check_sysreg_table(sys_reg_descs, ARRAY_SIZE(sys_reg_descs), false); --- base-commit: 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 change-id: 20250724-b4-clidr-unint-const-ptr-7edb960bc3bd Best regards, -- Justin Stitt <justinstitt(a)google.com>

1 month, 2 weeks

5
8
0 0

[PATCH 5.4.y] comedi: Fix use of uninitialized data in insn_rw_emulate_bits()

by Ian Abbott

[ Upstream commit e9cb26291d009243a4478a7ffb37b3a9175bfce9 ] For Comedi `INSN_READ` and `INSN_WRITE` instructions on "digital" subdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and `COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have `insn_read` and `insn_write` handler functions, but to have an `insn_bits` handler function for handling Comedi `INSN_BITS` instructions. In that case, the subdevice's `insn_read` and/or `insn_write` function handler pointers are set to point to the `insn_rw_emulate_bits()` function by `__comedi_device_postconfig()`. For `INSN_WRITE`, `insn_rw_emulate_bits()` currently assumes that the supplied `data[0]` value is a valid copy from user memory. It will at least exist because `do_insnlist_ioctl()` and `do_insn_ioctl()` in "comedi_fops.c" ensure at lease `MIN_SAMPLES` (16) elements are allocated. However, if `insn->n` is 0 (which is allowable for `INSN_READ` and `INSN_WRITE` instructions, then `data[0]` may contain uninitialized data, and certainly contains invalid data, possibly from a different instruction in the array of instructions handled by `do_insnlist_ioctl()`. This will result in an incorrect value being written to the digital output channel (or to the digital input/output channel if configured as an output), and may be reflected in the internal saved state of the channel. Fix it by returning 0 early if `insn->n` is 0, before reaching the code that accesses `data[0]`. Previously, the function always returned 1 on success, but it is supposed to be the number of data samples actually read or written up to `insn->n`, which is 0 in this case. Reported-by: syzbot+cb96ec476fb4914445c9(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=cb96ec476fb4914445c9 Fixes: ed9eccbe8970 ("Staging: add comedi core") Cc: stable(a)vger.kernel.org # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250707153355.82474-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/staging/comedi/drivers.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/staging/comedi/drivers.c b/drivers/staging/comedi/drivers.c index 6bb7b8a1e75d..ced660663f0d 100644 --- a/drivers/staging/comedi/drivers.c +++ b/drivers/staging/comedi/drivers.c @@ -615,6 +615,9 @@ static int insn_rw_emulate_bits(struct comedi_device *dev, unsigned int _data[2]; int ret; + if (insn->n == 0) + return 0; + memset(_data, 0, sizeof(_data)); memset(&_insn, 0, sizeof(_insn)); _insn.insn = INSN_BITS; -- 2.47.2

1 month, 2 weeks

2
1
0 0

[PATCH 5.4.y] comedi: comedi_test: Fix possible deletion of uninitialized timers

by Ian Abbott

[ Upstream commit 1b98304c09a0192598d0767f1eb8c83d7e793091 ] In `waveform_common_attach()`, the two timers `&devpriv->ai_timer` and `&devpriv->ao_timer` are initialized after the allocation of the device private data by `comedi_alloc_devpriv()` and the subdevices by `comedi_alloc_subdevices()`. The function may return with an error between those function calls. In that case, `waveform_detach()` will be called by the Comedi core to clean up. The check that `waveform_detach()` uses to decide whether to delete the timers is incorrect. It only checks that the device private data was allocated, but that does not guarantee that the timers were initialized. It also needs to check that the subdevices were allocated. Fix it. Fixes: 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up") Cc: stable(a)vger.kernel.org # 6.15+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250708130627.21743-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [ changed timer_delete_sync() to del_timer_sync() ] Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> --- drivers/staging/comedi/drivers/comedi_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/comedi/drivers/comedi_test.c b/drivers/staging/comedi/drivers/comedi_test.c index 9e60d2a0edc1..7397495de4d6 100644 --- a/drivers/staging/comedi/drivers/comedi_test.c +++ b/drivers/staging/comedi/drivers/comedi_test.c @@ -790,7 +790,7 @@ static void waveform_detach(struct comedi_device *dev) { struct waveform_private *devpriv = dev->private; - if (devpriv) { + if (devpriv && dev->n_subdevices) { del_timer_sync(&devpriv->ai_timer); del_timer_sync(&devpriv->ao_timer); } -- 2.47.2

1 month, 2 weeks

2
1
0 0

[PATCH 6.6.y v2 1/1] block: Fix bounce check logic in blk_queue_may_bounce()

by Hardeep Sharma

Buffer bouncing is needed only when memory exists above the lowmem region, i.e., when max_low_pfn < max_pfn. The previous check (max_low_pfn >= max_pfn) was inverted and prevented bouncing when it could actually be required. Note that bouncing depends on CONFIG_HIGHMEM, which is typically enabled on 32-bit ARM where not all memory is permanently mapped into the kernel’s lowmem region. Fixes: 9bb33f24abbd0 ("block: refactor the bounce buffering code") Cc: stable(a)vger.kernel.org Signed-off-by: Hardeep Sharma <quic_hardshar(a)quicinc.com> --- Changelog v1..v2: * Updated subject line block/blk.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/block/blk.h b/block/blk.h index 67915b04b3c1..f8a1d64be5a2 100644 --- a/block/blk.h +++ b/block/blk.h @@ -383,7 +383,7 @@ static inline bool blk_queue_may_bounce(struct request_queue *q) { return IS_ENABLED(CONFIG_BOUNCE) && q->limits.bounce == BLK_BOUNCE_HIGH && - max_low_pfn >= max_pfn; + max_low_pfn < max_pfn; } static inline struct bio *blk_queue_bounce(struct bio *bio, -- 2.25.1

1 month, 2 weeks

3
2
0 0

[PATCH 5.4.y] comedi: aio_iiro_16: Fix bit shift out of bounds

by Ian Abbott

When checking for a supported IRQ number, the following test is used: if ((1 << it->options[1]) & 0xdcfc) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Valid `it->options[1]` values that select the IRQ will be in the range [1,15]. The value 0 explicitly disables the use of interrupts. Fixes: ad7a370c8be4 ("staging: comedi: aio_iiro_16: add command support for change of state detection") Cc: stable(a)vger.kernel.org # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250707134622.75403-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/staging/comedi/drivers/aio_iiro_16.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/staging/comedi/drivers/aio_iiro_16.c b/drivers/staging/comedi/drivers/aio_iiro_16.c index 41c9c56816ef..68be0ab0b80b 100644 --- a/drivers/staging/comedi/drivers/aio_iiro_16.c +++ b/drivers/staging/comedi/drivers/aio_iiro_16.c @@ -178,7 +178,8 @@ static int aio_iiro_16_attach(struct comedi_device *dev, * Digital input change of state interrupts are optionally supported * using IRQ 2-7, 10-12, 14, or 15. */ - if ((1 << it->options[1]) & 0xdcfc) { + if (it->options[1] > 0 && it->options[1] < 16 && + (1 << it->options[1]) & 0xdcfc) { ret = request_irq(it->options[1], aio_iiro_16_cos, 0, dev->board_name, dev); if (ret == 0) -- 2.47.2

1 month, 2 weeks

2
1
0 0

[PATCH 5.10.y] comedi: Fix use of uninitialized data in insn_rw_emulate_bits()

by Ian Abbott

[ Upstream commit e9cb26291d009243a4478a7ffb37b3a9175bfce9 ] For Comedi `INSN_READ` and `INSN_WRITE` instructions on "digital" subdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and `COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have `insn_read` and `insn_write` handler functions, but to have an `insn_bits` handler function for handling Comedi `INSN_BITS` instructions. In that case, the subdevice's `insn_read` and/or `insn_write` function handler pointers are set to point to the `insn_rw_emulate_bits()` function by `__comedi_device_postconfig()`. For `INSN_WRITE`, `insn_rw_emulate_bits()` currently assumes that the supplied `data[0]` value is a valid copy from user memory. It will at least exist because `do_insnlist_ioctl()` and `do_insn_ioctl()` in "comedi_fops.c" ensure at lease `MIN_SAMPLES` (16) elements are allocated. However, if `insn->n` is 0 (which is allowable for `INSN_READ` and `INSN_WRITE` instructions, then `data[0]` may contain uninitialized data, and certainly contains invalid data, possibly from a different instruction in the array of instructions handled by `do_insnlist_ioctl()`. This will result in an incorrect value being written to the digital output channel (or to the digital input/output channel if configured as an output), and may be reflected in the internal saved state of the channel. Fix it by returning 0 early if `insn->n` is 0, before reaching the code that accesses `data[0]`. Previously, the function always returned 1 on success, but it is supposed to be the number of data samples actually read or written up to `insn->n`, which is 0 in this case. Reported-by: syzbot+cb96ec476fb4914445c9(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=cb96ec476fb4914445c9 Fixes: ed9eccbe8970 ("Staging: add comedi core") Cc: stable(a)vger.kernel.org # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250707153355.82474-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/staging/comedi/drivers.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/staging/comedi/drivers.c b/drivers/staging/comedi/drivers.c index 6bb7b8a1e75d..ced660663f0d 100644 --- a/drivers/staging/comedi/drivers.c +++ b/drivers/staging/comedi/drivers.c @@ -615,6 +615,9 @@ static int insn_rw_emulate_bits(struct comedi_device *dev, unsigned int _data[2]; int ret; + if (insn->n == 0) + return 0; + memset(_data, 0, sizeof(_data)); memset(&_insn, 0, sizeof(_insn)); _insn.insn = INSN_BITS; -- 2.47.2

1 month, 2 weeks

2
1
0 0

[PATCH 5.10.y] comedi: aio_iiro_16: Fix bit shift out of bounds

by Ian Abbott

When checking for a supported IRQ number, the following test is used: if ((1 << it->options[1]) & 0xdcfc) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Valid `it->options[1]` values that select the IRQ will be in the range [1,15]. The value 0 explicitly disables the use of interrupts. Fixes: ad7a370c8be4 ("staging: comedi: aio_iiro_16: add command support for change of state detection") Cc: stable(a)vger.kernel.org # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250707134622.75403-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/staging/comedi/drivers/aio_iiro_16.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/staging/comedi/drivers/aio_iiro_16.c b/drivers/staging/comedi/drivers/aio_iiro_16.c index fe3876235075..60c9c683906b 100644 --- a/drivers/staging/comedi/drivers/aio_iiro_16.c +++ b/drivers/staging/comedi/drivers/aio_iiro_16.c @@ -178,7 +178,8 @@ static int aio_iiro_16_attach(struct comedi_device *dev, * Digital input change of state interrupts are optionally supported * using IRQ 2-7, 10-12, 14, or 15. */ - if ((1 << it->options[1]) & 0xdcfc) { + if (it->options[1] > 0 && it->options[1] < 16 && + (1 << it->options[1]) & 0xdcfc) { ret = request_irq(it->options[1], aio_iiro_16_cos, 0, dev->board_name, dev); if (ret == 0) -- 2.47.2

1 month, 2 weeks

2
1
0 0

[PATCH 5.4.y] comedi: das6402: Fix bit shift out of bounds

by Ian Abbott

[ Upstream commit 70f2b28b5243df557f51c054c20058ae207baaac ] When checking for a supported IRQ number, the following test is used: /* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */ if ((1 << it->options[1]) & 0x8cec) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Valid `it->options[1]` values that select the IRQ will be in the range [1,15]. The value 0 explicitly disables the use of interrupts. Fixes: 79e5e6addbb1 ("staging: comedi: das6402: rewrite broken driver") Cc: stable(a)vger.kernel.org # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250707135737.77448-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/staging/comedi/drivers/das6402.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/staging/comedi/drivers/das6402.c b/drivers/staging/comedi/drivers/das6402.c index 0034005bdf8f..0cd5d1b1ffde 100644 --- a/drivers/staging/comedi/drivers/das6402.c +++ b/drivers/staging/comedi/drivers/das6402.c @@ -569,7 +569,8 @@ static int das6402_attach(struct comedi_device *dev, das6402_reset(dev); /* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */ - if ((1 << it->options[1]) & 0x8cec) { + if (it->options[1] > 0 && it->options[1] < 16 && + (1 << it->options[1]) & 0x8cec) { ret = request_irq(it->options[1], das6402_interrupt, 0, dev->board_name, dev); if (ret == 0) { -- 2.47.2

1 month, 2 weeks

2
1
0 0

[PATCH 5.10.y] comedi: Fix some signed shift left operations

by Ian Abbott

[ Upstream commit ab705c8c35e18652abc6239c07cf3441f03e2cda ] Correct some left shifts of the signed integer constant 1 by some unsigned number less than 32. Change the constant to 1U to avoid shifting a 1 into the sign bit. The corrected functions are comedi_dio_insn_config(), comedi_dio_update_state(), and __comedi_device_postconfig(). Fixes: e523c6c86232 ("staging: comedi: drivers: introduce comedi_dio_insn_config()") Fixes: 05e60b13a36b ("staging: comedi: drivers: introduce comedi_dio_update_state()") Fixes: 09567cb4373e ("staging: comedi: initialize subdevice s->io_bits in postconfig") Cc: stable(a)vger.kernel.org # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250707121555.65424-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/staging/comedi/drivers.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/drivers/staging/comedi/drivers.c b/drivers/staging/comedi/drivers.c index 750a6ff3c03c..6bb7b8a1e75d 100644 --- a/drivers/staging/comedi/drivers.c +++ b/drivers/staging/comedi/drivers.c @@ -339,10 +339,10 @@ int comedi_dio_insn_config(struct comedi_device *dev, unsigned int *data, unsigned int mask) { - unsigned int chan_mask = 1 << CR_CHAN(insn->chanspec); + unsigned int chan = CR_CHAN(insn->chanspec); - if (!mask) - mask = chan_mask; + if (!mask && chan < 32) + mask = 1U << chan; switch (data[0]) { case INSN_CONFIG_DIO_INPUT: @@ -382,7 +382,7 @@ EXPORT_SYMBOL_GPL(comedi_dio_insn_config); unsigned int comedi_dio_update_state(struct comedi_subdevice *s, unsigned int *data) { - unsigned int chanmask = (s->n_chan < 32) ? ((1 << s->n_chan) - 1) + unsigned int chanmask = (s->n_chan < 32) ? ((1U << s->n_chan) - 1) : 0xffffffff; unsigned int mask = data[0] & chanmask; unsigned int bits = data[1]; @@ -625,8 +625,8 @@ static int insn_rw_emulate_bits(struct comedi_device *dev, if (insn->insn == INSN_WRITE) { if (!(s->subdev_flags & SDF_WRITABLE)) return -EINVAL; - _data[0] = 1 << (chan - base_chan); /* mask */ - _data[1] = data[0] ? (1 << (chan - base_chan)) : 0; /* bits */ + _data[0] = 1U << (chan - base_chan); /* mask */ + _data[1] = data[0] ? (1U << (chan - base_chan)) : 0; /* bits */ } ret = s->insn_bits(dev, s, &_insn, _data); @@ -709,7 +709,7 @@ static int __comedi_device_postconfig(struct comedi_device *dev) if (s->type == COMEDI_SUBD_DO) { if (s->n_chan < 32) - s->io_bits = (1 << s->n_chan) - 1; + s->io_bits = (1U << s->n_chan) - 1; else s->io_bits = 0xffffffff; } -- 2.47.2

1 month, 2 weeks

2
1
0 0

[PATCH net] phy: dp83869: fix interrupts issue when using with an optical fiber sfp. to correctly clear the interrupts both status registers must be read.

by chalianis1＠gmail.com

From: Anis Chali <chalianis1(a)gmail.com> from datasheet of dp83869hm 7.3.6 Interrupt The DP83869HM can be configured to generate an interrupt when changes of internal status occur. The interrupt allows a MAC to act upon the status in the PHY without polling the PHY registers. The interrupt source can be selected through the interrupt registers, MICR (12h) and FIBER_INT_EN (C18h). The interrupt status can be read from ISR (13h) and FIBER_INT_STTS (C19h) registers. Some interrupts are enabled by default and can be disabled through register access. Both the interrupt status registers must be read in order to clear pending interrupts. Until the pending interrupts are cleared, new interrupts may not be routed to the interrupt pin. Fixes: 0eaf8ccf2047 ("net: phy: dp83869: Set opmode from straps") Cc: stable(a)vger.kernel.org Signed-off-by: Anis Chali <chalianis1(a)gmail.com> --- drivers/net/phy/dp83869.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/net/phy/dp83869.c b/drivers/net/phy/dp83869.c index a62cd838a9ea..1e8c20f387b8 100644 --- a/drivers/net/phy/dp83869.c +++ b/drivers/net/phy/dp83869.c @@ -41,6 +41,7 @@ #define DP83869_IO_MUX_CFG 0x0170 #define DP83869_OP_MODE 0x01df #define DP83869_FX_CTRL 0x0c00 +#define DP83869_FX_INT_STS 0x0c19 #define DP83869_SW_RESET BIT(15) #define DP83869_SW_RESTART BIT(14) @@ -195,6 +196,12 @@ static int dp83869_ack_interrupt(struct phy_device *phydev) if (err < 0) return err; + if (linkmode_test_bit(ETHTOOL_LINK_MODE_FIBRE_BIT, phydev->supported)) { + err = phy_read_mmd(phydev, DP83869_DEVADDR, DP83869_FX_INT_STS); + if (err < 0) + return err; + } + return 0; } -- 2.49.0

1 month, 2 weeks

1
0
0 0

[PATCH 5.4.y] comedi: das16m1: Fix bit shift out of bounds

by Ian Abbott

[ Upstream commit ed93c6f68a3be06e4e0c331c6e751f462dee3932 ] When checking for a supported IRQ number, the following test is used: /* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */ if ((1 << it->options[1]) & 0xdcfc) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Reported-by: syzbot+c52293513298e0fd9a94(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c52293513298e0fd9a94 Fixes: 729988507680 ("staging: comedi: das16m1: tidy up the irq support in das16m1_attach()") Tested-by: syzbot+c52293513298e0fd9a94(a)syzkaller.appspotmail.com Suggested-by: "Enju, Kohei" <enjuk(a)amazon.co.jp> Cc: stable(a)vger.kernel.org # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250707130908.70758-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/staging/comedi/drivers/das16m1.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/staging/comedi/drivers/das16m1.c b/drivers/staging/comedi/drivers/das16m1.c index 4e36377b592a..16e4c1637d0b 100644 --- a/drivers/staging/comedi/drivers/das16m1.c +++ b/drivers/staging/comedi/drivers/das16m1.c @@ -523,7 +523,8 @@ static int das16m1_attach(struct comedi_device *dev, devpriv->extra_iobase = dev->iobase + DAS16M1_8255_IOBASE; /* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */ - if ((1 << it->options[1]) & 0xdcfc) { + if (it->options[1] >= 2 && it->options[1] <= 15 && + (1 << it->options[1]) & 0xdcfc) { ret = request_irq(it->options[1], das16m1_interrupt, 0, dev->board_name, dev); if (ret == 0) -- 2.47.2

1 month, 2 weeks

2
1
0 0

[PATCH 5.4.y] comedi: Fix some signed shift left operations

by Ian Abbott

[ Upstream commit ab705c8c35e18652abc6239c07cf3441f03e2cda ] Correct some left shifts of the signed integer constant 1 by some unsigned number less than 32. Change the constant to 1U to avoid shifting a 1 into the sign bit. The corrected functions are comedi_dio_insn_config(), comedi_dio_update_state(), and __comedi_device_postconfig(). Fixes: e523c6c86232 ("staging: comedi: drivers: introduce comedi_dio_insn_config()") Fixes: 05e60b13a36b ("staging: comedi: drivers: introduce comedi_dio_update_state()") Fixes: 09567cb4373e ("staging: comedi: initialize subdevice s->io_bits in postconfig") Cc: stable(a)vger.kernel.org # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250707121555.65424-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/staging/comedi/drivers.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/drivers/staging/comedi/drivers.c b/drivers/staging/comedi/drivers.c index 750a6ff3c03c..6bb7b8a1e75d 100644 --- a/drivers/staging/comedi/drivers.c +++ b/drivers/staging/comedi/drivers.c @@ -339,10 +339,10 @@ int comedi_dio_insn_config(struct comedi_device *dev, unsigned int *data, unsigned int mask) { - unsigned int chan_mask = 1 << CR_CHAN(insn->chanspec); + unsigned int chan = CR_CHAN(insn->chanspec); - if (!mask) - mask = chan_mask; + if (!mask && chan < 32) + mask = 1U << chan; switch (data[0]) { case INSN_CONFIG_DIO_INPUT: @@ -382,7 +382,7 @@ EXPORT_SYMBOL_GPL(comedi_dio_insn_config); unsigned int comedi_dio_update_state(struct comedi_subdevice *s, unsigned int *data) { - unsigned int chanmask = (s->n_chan < 32) ? ((1 << s->n_chan) - 1) + unsigned int chanmask = (s->n_chan < 32) ? ((1U << s->n_chan) - 1) : 0xffffffff; unsigned int mask = data[0] & chanmask; unsigned int bits = data[1]; @@ -625,8 +625,8 @@ static int insn_rw_emulate_bits(struct comedi_device *dev, if (insn->insn == INSN_WRITE) { if (!(s->subdev_flags & SDF_WRITABLE)) return -EINVAL; - _data[0] = 1 << (chan - base_chan); /* mask */ - _data[1] = data[0] ? (1 << (chan - base_chan)) : 0; /* bits */ + _data[0] = 1U << (chan - base_chan); /* mask */ + _data[1] = data[0] ? (1U << (chan - base_chan)) : 0; /* bits */ } ret = s->insn_bits(dev, s, &_insn, _data); @@ -709,7 +709,7 @@ static int __comedi_device_postconfig(struct comedi_device *dev) if (s->type == COMEDI_SUBD_DO) { if (s->n_chan < 32) - s->io_bits = (1 << s->n_chan) - 1; + s->io_bits = (1U << s->n_chan) - 1; else s->io_bits = 0xffffffff; } -- 2.47.2

1 month, 2 weeks

2
1
0 0

[PATCH 6.1] net: add netdev_lockdep_set_classes() to virtual drivers

by Sumanth Gavini

commit 0bef512012b1cd8820f0c9ec80e5f8ceb43fdd59 upstream. Based on a syzbot report, it appears many virtual drivers do not yet use netdev_lockdep_set_classes(), triggerring lockdep false positives. WARNING: possible recursive locking detected 6.8.0-rc4-next-20240212-syzkaller #0 Not tainted syz-executor.0/19016 is trying to acquire lock: ffff8880162cb298 (_xmit_ETHER#2){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline] ffff8880162cb298 (_xmit_ETHER#2){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4452 [inline] ffff8880162cb298 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x1c4/0x5f0 net/sched/sch_generic.c:340 but task is already holding lock: ffff8880223db4d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline] ffff8880223db4d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4452 [inline] ffff8880223db4d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x1c4/0x5f0 net/sched/sch_generic.c:340 other info that might help us debug this: Possible unsafe locking scenario: CPU0 lock(_xmit_ETHER#2); lock(_xmit_ETHER#2); *** DEADLOCK *** May be due to missing lock nesting notation 9 locks held by syz-executor.0/19016: #0: ffffffff8f385208 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline] #0: ffffffff8f385208 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x82c/0x1040 net/core/rtnetlink.c:6603 #1: ffffc90000a08c00 ((&in_dev->mr_ifc_timer)){+.-.}-{0:0}, at: call_timer_fn+0xc0/0x600 kernel/time/timer.c:1697 #2: ffffffff8e131520 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline] #2: ffffffff8e131520 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline] #2: ffffffff8e131520 (rcu_read_lock){....}-{1:2}, at: ip_finish_output2+0x45f/0x1360 net/ipv4/ip_output.c:228 #3: ffffffff8e131580 (rcu_read_lock_bh){....}-{1:2}, at: local_bh_disable include/linux/bottom_half.h:20 [inline] #3: ffffffff8e131580 (rcu_read_lock_bh){....}-{1:2}, at: rcu_read_lock_bh include/linux/rcupdate.h:802 [inline] #3: ffffffff8e131580 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x2c4/0x3b10 net/core/dev.c:4284 #4: ffff8880416e3258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: spin_trylock include/linux/spinlock.h:361 [inline] #4: ffff8880416e3258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:195 [inline] #4: ffff8880416e3258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3771 [inline] #4: ffff8880416e3258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_queue_xmit+0x1262/0x3b10 net/core/dev.c:4325 #5: ffff8880223db4d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline] #5: ffff8880223db4d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4452 [inline] #5: ffff8880223db4d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x1c4/0x5f0 net/sched/sch_generic.c:340 #6: ffffffff8e131520 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline] #6: ffffffff8e131520 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline] #6: ffffffff8e131520 (rcu_read_lock){....}-{1:2}, at: ip_finish_output2+0x45f/0x1360 net/ipv4/ip_output.c:228 #7: ffffffff8e131580 (rcu_read_lock_bh){....}-{1:2}, at: local_bh_disable include/linux/bottom_half.h:20 [inline] #7: ffffffff8e131580 (rcu_read_lock_bh){....}-{1:2}, at: rcu_read_lock_bh include/linux/rcupdate.h:802 [inline] #7: ffffffff8e131580 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x2c4/0x3b10 net/core/dev.c:4284 #8: ffff888014d9d258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: spin_trylock include/linux/spinlock.h:361 [inline] #8: ffff888014d9d258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:195 [inline] #8: ffff888014d9d258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3771 [inline] #8: ffff888014d9d258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_queue_xmit+0x1262/0x3b10 net/core/dev.c:4325 stack backtrace: CPU: 1 PID: 19016 Comm: syz-executor.0 Not tainted 6.8.0-rc4-next-20240212-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 check_deadlock kernel/locking/lockdep.c:3062 [inline] validate_chain+0x15c1/0x58e0 kernel/locking/lockdep.c:3856 __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137 lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:351 [inline] __netif_tx_lock include/linux/netdevice.h:4452 [inline] sch_direct_xmit+0x1c4/0x5f0 net/sched/sch_generic.c:340 __dev_xmit_skb net/core/dev.c:3784 [inline] __dev_queue_xmit+0x1912/0x3b10 net/core/dev.c:4325 neigh_output include/net/neighbour.h:542 [inline] ip_finish_output2+0xe66/0x1360 net/ipv4/ip_output.c:235 iptunnel_xmit+0x540/0x9b0 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x20ee/0x2960 net/ipv4/ip_tunnel.c:831 erspan_xmit+0x9de/0x1460 net/ipv4/ip_gre.c:720 __netdev_start_xmit include/linux/netdevice.h:4989 [inline] netdev_start_xmit include/linux/netdevice.h:5003 [inline] xmit_one net/core/dev.c:3555 [inline] dev_hard_start_xmit+0x242/0x770 net/core/dev.c:3571 sch_direct_xmit+0x2b6/0x5f0 net/sched/sch_generic.c:342 __dev_xmit_skb net/core/dev.c:3784 [inline] __dev_queue_xmit+0x1912/0x3b10 net/core/dev.c:4325 neigh_output include/net/neighbour.h:542 [inline] ip_finish_output2+0xe66/0x1360 net/ipv4/ip_output.c:235 igmpv3_send_cr net/ipv4/igmp.c:723 [inline] igmp_ifc_timer_expire+0xb71/0xd90 net/ipv4/igmp.c:813 call_timer_fn+0x17e/0x600 kernel/time/timer.c:1700 expire_timers kernel/time/timer.c:1751 [inline] __run_timers+0x621/0x830 kernel/time/timer.c:2038 run_timer_softirq+0x67/0xf0 kernel/time/timer.c:2051 __do_softirq+0x2bc/0x943 kernel/softirq.c:554 invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633 irq_exit_rcu+0x9/0x30 kernel/softirq.c:645 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1076 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1076 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0010:resched_offsets_ok kernel/sched/core.c:10127 [inline] RIP: 0010:__might_resched+0x16f/0x780 kernel/sched/core.c:10142 Code: 00 4c 89 e8 48 c1 e8 03 48 ba 00 00 00 00 00 fc ff df 48 89 44 24 38 0f b6 04 10 84 c0 0f 85 87 04 00 00 41 8b 45 00 c1 e0 08 <01> d8 44 39 e0 0f 85 d6 00 00 00 44 89 64 24 1c 48 8d bc 24 a0 00 RSP: 0018:ffffc9000ee069e0 EFLAGS: 00000246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8880296a9e00 RDX: dffffc0000000000 RSI: ffff8880296a9e00 RDI: ffffffff8bfe8fa0 RBP: ffffc9000ee06b00 R08: ffffffff82326877 R09: 1ffff11002b5ad1b R10: dffffc0000000000 R11: ffffed1002b5ad1c R12: 0000000000000000 R13: ffff8880296aa23c R14: 000000000000062a R15: 1ffff92001dc0d44 down_write+0x19/0x50 kernel/locking/rwsem.c:1578 kernfs_activate fs/kernfs/dir.c:1403 [inline] kernfs_add_one+0x4af/0x8b0 fs/kernfs/dir.c:819 __kernfs_create_file+0x22e/0x2e0 fs/kernfs/file.c:1056 sysfs_add_file_mode_ns+0x24a/0x310 fs/sysfs/file.c:307 create_files fs/sysfs/group.c:64 [inline] internal_create_group+0x4f4/0xf20 fs/sysfs/group.c:152 internal_create_groups fs/sysfs/group.c:192 [inline] sysfs_create_groups+0x56/0x120 fs/sysfs/group.c:218 create_dir lib/kobject.c:78 [inline] kobject_add_internal+0x472/0x8d0 lib/kobject.c:240 kobject_add_varg lib/kobject.c:374 [inline] kobject_init_and_add+0x124/0x190 lib/kobject.c:457 netdev_queue_add_kobject net/core/net-sysfs.c:1706 [inline] netdev_queue_update_kobjects+0x1f3/0x480 net/core/net-sysfs.c:1758 register_queue_kobjects net/core/net-sysfs.c:1819 [inline] netdev_register_kobject+0x265/0x310 net/core/net-sysfs.c:2059 register_netdevice+0x1191/0x19c0 net/core/dev.c:10298 bond_newlink+0x3b/0x90 drivers/net/bonding/bond_netlink.c:576 rtnl_newlink_create net/core/rtnetlink.c:3506 [inline] __rtnl_newlink net/core/rtnetlink.c:3726 [inline] rtnl_newlink+0x158f/0x20a0 net/core/rtnetlink.c:3739 rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6606 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367 netlink_sendmsg+0xa3c/0xd70 net/netlink/af_netlink.c:1908 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:745 __sys_sendto+0x3a4/0x4f0 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2199 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 RIP: 0033:0x7fc3fa87fa9c Reported-by: syzbot <syzkaller(a)googlegroups.com> Signed-off-by: Eric Dumazet <edumazet(a)google.com> Link: https://lore.kernel.org/r/20240212140700.2795436-4-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sumanth Gavini <sumanth.gavini(a)yahoo.com> --- drivers/net/dummy.c | 1 + drivers/net/geneve.c | 2 ++ drivers/net/loopback.c | 2 ++ drivers/net/veth.c | 1 + drivers/net/vxlan/vxlan_core.c | 1 + net/ipv4/ip_tunnel.c | 1 + net/ipv6/ip6_gre.c | 2 ++ net/ipv6/ip6_tunnel.c | 1 + net/ipv6/ip6_vti.c | 1 + net/ipv6/sit.c | 1 + 10 files changed, 13 insertions(+) diff --git a/drivers/net/dummy.c b/drivers/net/dummy.c index aa0fc00faecb..f05d4194eb09 100644 --- a/drivers/net/dummy.c +++ b/drivers/net/dummy.c @@ -71,6 +71,7 @@ static int dummy_dev_init(struct net_device *dev) if (!dev->lstats) return -ENOMEM; + netdev_lockdep_set_classes(dev); return 0; } diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c index f393e454f45c..d2fbd1cd0ce3 100644 --- a/drivers/net/geneve.c +++ b/drivers/net/geneve.c @@ -335,6 +335,8 @@ static int geneve_init(struct net_device *dev) gro_cells_destroy(&geneve->gro_cells); return err; } + + netdev_lockdep_set_classes(dev); return 0; } diff --git a/drivers/net/loopback.c b/drivers/net/loopback.c index 2e9742952c4e..ab5264ddd765 100644 --- a/drivers/net/loopback.c +++ b/drivers/net/loopback.c @@ -144,6 +144,8 @@ static int loopback_dev_init(struct net_device *dev) dev->lstats = netdev_alloc_pcpu_stats(struct pcpu_lstats); if (!dev->lstats) return -ENOMEM; + + netdev_lockdep_set_classes(dev); return 0; } diff --git a/drivers/net/veth.c b/drivers/net/veth.c index 09682ea3354e..00ad39dc297e 100644 --- a/drivers/net/veth.c +++ b/drivers/net/veth.c @@ -1391,6 +1391,7 @@ static void veth_free_queues(struct net_device *dev) { struct veth_priv *priv = netdev_priv(dev); + netdev_lockdep_set_classes(dev); kfree(priv->rq); } diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c index 6ab669dcd1c6..a233ae4bf61f 100644 --- a/drivers/net/vxlan/vxlan_core.c +++ b/drivers/net/vxlan/vxlan_core.c @@ -2926,6 +2926,7 @@ static int vxlan_init(struct net_device *dev) return err; } + netdev_lockdep_set_classes(dev); return 0; } diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c index 019f3b0839c5..20e35fdb373d 100644 --- a/net/ipv4/ip_tunnel.c +++ b/net/ipv4/ip_tunnel.c @@ -1253,6 +1253,7 @@ int ip_tunnel_init(struct net_device *dev) if (tunnel->collect_md) netif_keep_dst(dev); + netdev_lockdep_set_classes(dev); return 0; } EXPORT_SYMBOL_GPL(ip_tunnel_init); diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c index c035a96fba3a..419e94e9bd62 100644 --- a/net/ipv6/ip6_gre.c +++ b/net/ipv6/ip6_gre.c @@ -1530,6 +1530,7 @@ static int ip6gre_tunnel_init_common(struct net_device *dev) ip6gre_tnl_init_features(dev); netdev_hold(dev, &tunnel->dev_tracker, GFP_KERNEL); + netdev_lockdep_set_classes(dev); return 0; cleanup_dst_cache_init: @@ -1922,6 +1923,7 @@ static int ip6erspan_tap_init(struct net_device *dev) ip6erspan_tnl_link_config(tunnel, 1); netdev_hold(dev, &tunnel->dev_tracker, GFP_KERNEL); + netdev_lockdep_set_classes(dev); return 0; cleanup_dst_cache_init: diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c index 2fb4c6ad7243..96030f29df9b 100644 --- a/net/ipv6/ip6_tunnel.c +++ b/net/ipv6/ip6_tunnel.c @@ -1885,6 +1885,7 @@ ip6_tnl_dev_init_gen(struct net_device *dev) dev->max_mtu = IP6_MAX_MTU - dev->hard_header_len; netdev_hold(dev, &t->dev_tracker, GFP_KERNEL); + netdev_lockdep_set_classes(dev); return 0; destroy_dst: diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c index 151337d7f67b..f6a2c55a4dcb 100644 --- a/net/ipv6/ip6_vti.c +++ b/net/ipv6/ip6_vti.c @@ -937,6 +937,7 @@ static inline int vti6_dev_init_gen(struct net_device *dev) if (!dev->tstats) return -ENOMEM; netdev_hold(dev, &t->dev_tracker, GFP_KERNEL); + netdev_lockdep_set_classes(dev); return 0; } diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c index 5703d3cbea9b..c2bf8eb81a58 100644 --- a/net/ipv6/sit.c +++ b/net/ipv6/sit.c @@ -1458,6 +1458,7 @@ static int ipip6_tunnel_init(struct net_device *dev) return err; } netdev_hold(dev, &tunnel->dev_tracker, GFP_KERNEL); + netdev_lockdep_set_classes(dev); return 0; } -- 2.43.0

1 month, 2 weeks

2
3
0 0

[PATCH 5.10.y] comedi: das16m1: Fix bit shift out of bounds

by Ian Abbott

[ Upstream commit ed93c6f68a3be06e4e0c331c6e751f462dee3932 ] When checking for a supported IRQ number, the following test is used: /* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */ if ((1 << it->options[1]) & 0xdcfc) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Reported-by: syzbot+c52293513298e0fd9a94(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c52293513298e0fd9a94 Fixes: 729988507680 ("staging: comedi: das16m1: tidy up the irq support in das16m1_attach()") Tested-by: syzbot+c52293513298e0fd9a94(a)syzkaller.appspotmail.com Suggested-by: "Enju, Kohei" <enjuk(a)amazon.co.jp> Cc: stable(a)vger.kernel.org # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250707130908.70758-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/staging/comedi/drivers/das16m1.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/staging/comedi/drivers/das16m1.c b/drivers/staging/comedi/drivers/das16m1.c index 75f3dbbe97ac..0d54387a1c26 100644 --- a/drivers/staging/comedi/drivers/das16m1.c +++ b/drivers/staging/comedi/drivers/das16m1.c @@ -523,7 +523,8 @@ static int das16m1_attach(struct comedi_device *dev, devpriv->extra_iobase = dev->iobase + DAS16M1_8255_IOBASE; /* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */ - if ((1 << it->options[1]) & 0xdcfc) { + if (it->options[1] >= 2 && it->options[1] <= 15 && + (1 << it->options[1]) & 0xdcfc) { ret = request_irq(it->options[1], das16m1_interrupt, 0, dev->board_name, dev); if (ret == 0) -- 2.47.2

1 month, 2 weeks

2
1
0 0

[PATCH 5.10.y] comedi: das6402: Fix bit shift out of bounds

by Ian Abbott

[ Upstream commit 70f2b28b5243df557f51c054c20058ae207baaac ] When checking for a supported IRQ number, the following test is used: /* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */ if ((1 << it->options[1]) & 0x8cec) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Valid `it->options[1]` values that select the IRQ will be in the range [1,15]. The value 0 explicitly disables the use of interrupts. Fixes: 79e5e6addbb1 ("staging: comedi: das6402: rewrite broken driver") Cc: stable(a)vger.kernel.org # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250707135737.77448-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/staging/comedi/drivers/das6402.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/staging/comedi/drivers/das6402.c b/drivers/staging/comedi/drivers/das6402.c index 96f4107b8054..927d4b832ecc 100644 --- a/drivers/staging/comedi/drivers/das6402.c +++ b/drivers/staging/comedi/drivers/das6402.c @@ -569,7 +569,8 @@ static int das6402_attach(struct comedi_device *dev, das6402_reset(dev); /* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */ - if ((1 << it->options[1]) & 0x8cec) { + if (it->options[1] > 0 && it->options[1] < 16 && + (1 << it->options[1]) & 0x8cec) { ret = request_irq(it->options[1], das6402_interrupt, 0, dev->board_name, dev); if (ret == 0) { -- 2.47.2

1 month, 2 weeks

2
1
0 0

[PATCH 5.10.y] comedi: Fix initialization of data for instructions that write to subdevice

by Ian Abbott

[ Upstream commit 46d8c744136ce2454aa4c35c138cc06817f92b8e ] Some Comedi subdevice instruction handlers are known to access instruction data elements beyond the first `insn->n` elements in some cases. The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions allocate at least `MIN_SAMPLES` (16) data elements to deal with this, but they do not initialize all of that. For Comedi instruction codes that write to the subdevice, the first `insn->n` data elements are copied from user-space, but the remaining elements are left uninitialized. That could be a problem if the subdevice instruction handler reads the uninitialized data. Ensure that the first `MIN_SAMPLES` elements are initialized before calling these instruction handlers, filling the uncopied elements with 0. For `do_insnlist_ioctl()`, the same data buffer elements are used for handling a list of instructions, so ensure the first `MIN_SAMPLES` elements are initialized for each instruction that writes to the subdevice. Fixes: ed9eccbe8970 ("Staging: add comedi core") Cc: stable(a)vger.kernel.org # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250707161439.88385-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/staging/comedi/comedi_fops.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c index 5aa6a84d1fa6..96d68cc8f449 100644 --- a/drivers/staging/comedi/comedi_fops.c +++ b/drivers/staging/comedi/comedi_fops.c @@ -1551,21 +1551,27 @@ static int do_insnlist_ioctl(struct comedi_device *dev, } for (i = 0; i < n_insns; ++i) { + unsigned int n = insns[i].n; + if (insns[i].insn & INSN_MASK_WRITE) { if (copy_from_user(data, insns[i].data, - insns[i].n * sizeof(unsigned int))) { + n * sizeof(unsigned int))) { dev_dbg(dev->class_dev, "copy_from_user failed\n"); ret = -EFAULT; goto error; } + if (n < MIN_SAMPLES) { + memset(&data[n], 0, (MIN_SAMPLES - n) * + sizeof(unsigned int)); + } } ret = parse_insn(dev, insns + i, data, file); if (ret < 0) goto error; if (insns[i].insn & INSN_MASK_READ) { if (copy_to_user(insns[i].data, data, - insns[i].n * sizeof(unsigned int))) { + n * sizeof(unsigned int))) { dev_dbg(dev->class_dev, "copy_to_user failed\n"); ret = -EFAULT; @@ -1638,6 +1644,10 @@ static int do_insn_ioctl(struct comedi_device *dev, ret = -EFAULT; goto error; } + if (insn->n < MIN_SAMPLES) { + memset(&data[insn->n], 0, + (MIN_SAMPLES - insn->n) * sizeof(unsigned int)); + } } ret = parse_insn(dev, insn, data, file); if (ret < 0) -- 2.47.2

1 month, 2 weeks

2
1
0 0

[PATCH 5.10.y] comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large

by Ian Abbott

[ Upstream commit 08ae4b20f5e82101d77326ecab9089e110f224cc ] The handling of the `COMEDI_INSNLIST` ioctl allocates a kernel buffer to hold the array of `struct comedi_insn`, getting the length from the `n_insns` member of the `struct comedi_insnlist` supplied by the user. The allocation will fail with a WARNING and a stack dump if it is too large. Avoid that by failing with an `-EINVAL` error if the supplied `n_insns` value is unreasonable. Define the limit on the `n_insns` value in the `MAX_INSNS` macro. Set this to the same value as `MAX_SAMPLES` (65536), which is the maximum allowed sum of the values of the member `n` in the array of `struct comedi_insn`, and sensible comedi instructions will have an `n` of at least 1. Reported-by: syzbot+d6995b62e5ac7d79557a(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d6995b62e5ac7d79557a Fixes: ed9eccbe8970 ("Staging: add comedi core") Tested-by: Ian Abbott <abbotti(a)mev.co.uk> Cc: stable(a)vger.kernel.org # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250704120405.83028-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/staging/comedi/comedi_fops.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c index 8f896e6208a8..5aa6a84d1fa6 100644 --- a/drivers/staging/comedi/comedi_fops.c +++ b/drivers/staging/comedi/comedi_fops.c @@ -1584,6 +1584,16 @@ static int do_insnlist_ioctl(struct comedi_device *dev, return i; } +#define MAX_INSNS MAX_SAMPLES +static int check_insnlist_len(struct comedi_device *dev, unsigned int n_insns) +{ + if (n_insns > MAX_INSNS) { + dev_dbg(dev->class_dev, "insnlist length too large\n"); + return -EINVAL; + } + return 0; +} + /* * COMEDI_INSN ioctl * synchronous instruction @@ -2234,6 +2244,9 @@ static long comedi_unlocked_ioctl(struct file *file, unsigned int cmd, rc = -EFAULT; break; } + rc = check_insnlist_len(dev, insnlist.n_insns); + if (rc) + break; insns = kcalloc(insnlist.n_insns, sizeof(*insns), GFP_KERNEL); if (!insns) { rc = -ENOMEM; @@ -3085,6 +3098,9 @@ static int compat_insnlist(struct file *file, unsigned long arg) if (copy_from_user(&insnlist32, compat_ptr(arg), sizeof(insnlist32))) return -EFAULT; + rc = check_insnlist_len(dev, insnlist32.n_insns); + if (rc) + return rc; insns = kcalloc(insnlist32.n_insns, sizeof(*insns), GFP_KERNEL); if (!insns) return -ENOMEM; -- 2.47.2

1 month, 2 weeks

2
2
0 0

[PATCH 5.10.y] comedi: comedi_test: Fix possible deletion of uninitialized timers

by Ian Abbott

[ Upstream commit 1b98304c09a0192598d0767f1eb8c83d7e793091 ] In `waveform_common_attach()`, the two timers `&devpriv->ai_timer` and `&devpriv->ao_timer` are initialized after the allocation of the device private data by `comedi_alloc_devpriv()` and the subdevices by `comedi_alloc_subdevices()`. The function may return with an error between those function calls. In that case, `waveform_detach()` will be called by the Comedi core to clean up. The check that `waveform_detach()` uses to decide whether to delete the timers is incorrect. It only checks that the device private data was allocated, but that does not guarantee that the timers were initialized. It also needs to check that the subdevices were allocated. Fix it. Fixes: 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up") Cc: stable(a)vger.kernel.org # 6.15+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250708130627.21743-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [ changed timer_delete_sync() to del_timer_sync() ] Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> --- drivers/staging/comedi/drivers/comedi_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/comedi/drivers/comedi_test.c b/drivers/staging/comedi/drivers/comedi_test.c index bea9a3adf08c..f5199474c0e9 100644 --- a/drivers/staging/comedi/drivers/comedi_test.c +++ b/drivers/staging/comedi/drivers/comedi_test.c @@ -790,7 +790,7 @@ static void waveform_detach(struct comedi_device *dev) { struct waveform_private *devpriv = dev->private; - if (devpriv) { + if (devpriv && dev->n_subdevices) { del_timer_sync(&devpriv->ai_timer); del_timer_sync(&devpriv->ao_timer); } -- 2.47.2

1 month, 2 weeks

2
1
0 0

[PATCH 5.4.y] comedi: pcl812: Fix bit shift out of bounds

by Ian Abbott

[ Upstream commit b14b076ce593f72585412fc7fd3747e03a5e3632 ] When checking for a supported IRQ number, the following test is used: if ((1 << it->options[1]) & board->irq_bits) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Valid `it->options[1]` values that select the IRQ will be in the range [1,15]. The value 0 explicitly disables the use of interrupts. Reported-by: syzbot+32de323b0addb9e114ff(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=32de323b0addb9e114ff Fixes: fcdb427bc7cf ("Staging: comedi: add pcl821 driver") Cc: stable(a)vger.kernel.org # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250707133429.73202-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/staging/comedi/drivers/pcl812.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/staging/comedi/drivers/pcl812.c b/drivers/staging/comedi/drivers/pcl812.c index aefc1b849cf7..98112c79e2d7 100644 --- a/drivers/staging/comedi/drivers/pcl812.c +++ b/drivers/staging/comedi/drivers/pcl812.c @@ -1151,7 +1151,8 @@ static int pcl812_attach(struct comedi_device *dev, struct comedi_devconfig *it) if (!dev->pacer) return -ENOMEM; - if ((1 << it->options[1]) & board->irq_bits) { + if (it->options[1] > 0 && it->options[1] < 16 && + (1 << it->options[1]) & board->irq_bits) { ret = request_irq(it->options[1], pcl812_interrupt, 0, dev->board_name, dev); if (ret == 0) -- 2.47.2

1 month, 2 weeks

2
1
0 0

[PATCH net] net: phy: micrel: fix KSZ8081/KSZ8091 cable test

by Florian Larysch

Commit 21b688dabecb ("net: phy: micrel: Cable Diag feature for lan8814 phy") introduced cable_test support for the LAN8814 that reuses parts of the KSZ886x logic and introduced the cable_diag_reg and pair_mask parameters to account for differences between those chips. However, it did not update the ksz8081_type struct, so those members are now 0, causing no pairs to be tested in ksz886x_cable_test_get_status and ksz886x_cable_test_wait_for_completion to poll the wrong register for the affected PHYs (Basic Control/Reset, which is 0 in normal operation) and exit immediately. Fix this by setting both struct members accordingly. Fixes: 21b688dabecb ("net: phy: micrel: Cable Diag feature for lan8814 phy") Cc: stable(a)vger.kernel.org Signed-off-by: Florian Larysch <fl(a)n621.de> --- drivers/net/phy/micrel.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c index 64aa03aed770..50c6a4e8cfa1 100644 --- a/drivers/net/phy/micrel.c +++ b/drivers/net/phy/micrel.c @@ -472,6 +472,8 @@ static const struct kszphy_type ksz8051_type = { static const struct kszphy_type ksz8081_type = { .led_mode_reg = MII_KSZPHY_CTRL_2, + .cable_diag_reg = KSZ8081_LMD, + .pair_mask = KSZPHY_WIRE_PAIR_MASK, .has_broadcast_disable = true, .has_nand_tree_disable = true, .has_rmii_ref_clk_sel = true, -- 2.50.1

1 month, 2 weeks

2
1
0 0

[PATCH net-next] net: ipv4: allow directed broadcast routes to use dst hint

by Oscar Maes

Currently, ip_extract_route_hint uses RTN_BROADCAST to decide whether to use the route dst hint mechanism. This check is too strict, as it prevents directed broadcast routes from using the hint, resulting in poor performance during bursts of directed broadcast traffic. Fix this in ip_extract_route_hint and modify ip_route_use_hint to preserve the intended behaviour. Signed-off-by: Oscar Maes <oscmaes92(a)gmail.com> --- net/ipv4/ip_input.c | 6 ++++-- net/ipv4/route.c | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c index fc323994b..1581b98bc 100644 --- a/net/ipv4/ip_input.c +++ b/net/ipv4/ip_input.c @@ -589,8 +589,10 @@ static void ip_sublist_rcv_finish(struct list_head *head) static struct sk_buff *ip_extract_route_hint(const struct net *net, struct sk_buff *skb, int rt_type) { - if (fib4_has_custom_rules(net) || rt_type == RTN_BROADCAST || - IPCB(skb)->flags & IPSKB_MULTIPATH) + const struct iphdr *iph = ip_hdr(skb); + + if (fib4_has_custom_rules(net) || ipv4_is_lbcast(iph->daddr) || + (iph->daddr == 0 && iph->saddr == 0) || IPCB(skb)->flags & IPSKB_MULTIPATH) return NULL; return skb; diff --git a/net/ipv4/route.c b/net/ipv4/route.c index f639a2ae8..1f212b2ce 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -2210,7 +2210,7 @@ ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr, goto martian_source; } - if (rt->rt_type != RTN_LOCAL) + if (!(rt->rt_flags & RTCF_LOCAL)) goto skip_validate_source; reason = fib_validate_source_reason(skb, saddr, daddr, dscp, 0, dev, -- 2.39.5

1 month, 2 weeks

3
2
0 0

[PATCH v2 2/4] riscv: use lw when reading int cpu in asm_per_cpu

by Radim Krčmář

REG_L is wrong, because thread_info.cpu is 32-bit, not xlen-bit wide. The struct currently has a hole after cpu, so little endian accesses seemed fine. Fixes: be97d0db5f44 ("riscv: VMAP_STACK overflow detection thread-safe") Cc: <stable(a)vger.kernel.org> Reviewed-by: Alexandre Ghiti <alexghiti(a)rivosinc.com> Signed-off-by: Radim Krčmář <rkrcmar(a)ventanamicro.com> --- v2: split for stable [Alex] --- arch/riscv/include/asm/asm.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/riscv/include/asm/asm.h b/arch/riscv/include/asm/asm.h index a8a2af6dfe9d..2a16e88e13de 100644 --- a/arch/riscv/include/asm/asm.h +++ b/arch/riscv/include/asm/asm.h @@ -91,7 +91,7 @@ #endif .macro asm_per_cpu dst sym tmp - REG_L \tmp, TASK_TI_CPU_NUM(tp) + lw \tmp, TASK_TI_CPU_NUM(tp) slli \tmp, \tmp, PER_CPU_OFFSET_SHIFT la \dst, __per_cpu_offset add \dst, \dst, \tmp -- 2.50.0

1 month, 2 weeks

1
0
0 0

[PATCH v2 1/4] riscv: use lw when reading int cpu in new_vmalloc_check

by Radim Krčmář

REG_L is wrong, because thread_info.cpu is 32-bit, not xlen-bit wide. The struct currently has a hole after cpu, so little endian accesses seemed fine. Fixes: 503638e0babf ("riscv: Stop emitting preventive sfence.vma for new vmalloc mappings") Cc: <stable(a)vger.kernel.org> Reviewed-by: Alexandre Ghiti <alexghiti(a)rivosinc.com> Signed-off-by: Radim Krčmář <rkrcmar(a)ventanamicro.com> --- v2: split for stable [Alex] --- arch/riscv/kernel/entry.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S index 75656afa2d6b..4fdf187a62bf 100644 --- a/arch/riscv/kernel/entry.S +++ b/arch/riscv/kernel/entry.S @@ -46,7 +46,7 @@ * a0 = &new_vmalloc[BIT_WORD(cpu)] * a1 = BIT_MASK(cpu) */ - REG_L a2, TASK_TI_CPU(tp) + lw a2, TASK_TI_CPU(tp) /* * Compute the new_vmalloc element position: * (cpu / 64) * 8 = (cpu >> 6) << 3 -- 2.50.0

1 month, 2 weeks

1
0
0 0

[PATCH] ALSA: hda/realtek - Fix mute LED for HP Victus 16-r1xxx

by edip＠medip.dev

From: Edip Hazuri <edip(a)medip.dev> The mute led on this laptop is using ALC245 but requires a quirk to work This patch enables the existing quirk for the device. Tested on Victus 16-r1xxx Laptop. The LED behaviour works as intended. v2: - adapt the HD-audio code changes and rebase on for-next branch of tiwai/sound.git - link to v1: https://lore.kernel.org/linux-sound/20250724210756.61453-2-edip@medip.dev/ Cc: <stable(a)vger.kernel.org> Signed-off-by: Edip Hazuri <edip(a)medip.dev> --- sound/hda/codecs/realtek/alc269.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c index 05019fa73..33ef08d25 100644 --- a/sound/hda/codecs/realtek/alc269.c +++ b/sound/hda/codecs/realtek/alc269.c @@ -6580,6 +6580,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x103c, 0x8c91, "HP EliteBook 660", ALC236_FIXUP_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x8c96, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), SND_PCI_QUIRK(0x103c, 0x8c97, "HP ZBook", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8c99, "HP Victus 16-r1xxx (MB 8C99)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT), SND_PCI_QUIRK(0x103c, 0x8c9c, "HP Victus 16-s1xxx (MB 8C9C)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT), SND_PCI_QUIRK(0x103c, 0x8ca1, "HP ZBook Power", ALC236_FIXUP_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x8ca2, "HP ZBook Power", ALC236_FIXUP_HP_GPIO_LED), -- 2.50.1

1 month, 2 weeks

2
1
0 0

[PATCH] ALSA: hda/realtek - Fix mute LED for HP Victus 16-r1xxx

by edip＠medip.dev

From: Edip Hazuri <edip(a)medip.dev> The mute led on this laptop is using ALC245 but requires a quirk to work This patch enables the existing quirk for the device. Tested on Victus 16-r1xxx Laptop. The LED behaviour works as intended. Cc: <stable(a)vger.kernel.org> Signed-off-by: Edip Hazuri <edip(a)medip.dev> --- sound/pci/hda/patch_realtek.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index 2627e2f49..9656e6ebb 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -10874,6 +10874,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x103c, 0x8c91, "HP EliteBook 660", ALC236_FIXUP_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x8c96, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), SND_PCI_QUIRK(0x103c, 0x8c97, "HP ZBook", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8c99, "HP Victus 16-r1xxx (MB 8C99)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT), SND_PCI_QUIRK(0x103c, 0x8c9c, "HP Victus 16-s1xxx (MB 8C9C)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT), SND_PCI_QUIRK(0x103c, 0x8ca1, "HP ZBook Power", ALC236_FIXUP_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x8ca2, "HP ZBook Power", ALC236_FIXUP_HP_GPIO_LED), -- 2.50.1

1 month, 2 weeks

3
2
0 0

[PATCH] comedi: Make insn_rw_emulate_bits() do insn->n samples

by Ian Abbott

The `insn_rw_emulate_bits()` function is used as a default handler for `INSN_READ` instructions for subdevices that have a handler for `INSN_BITS` but not for `INSN_READ`. Similarly, it is used as a default handler for `INSN_WRITE` instructions for subdevices that have a handler for `INSN_BITS` but not for `INSN_WRITE`. It works by emulating the `INSN_READ` or `INSN_WRITE` instruction handling with a constructed `INSN_BITS` instruction. However, `INSN_READ` and `INSN_WRITE` instructions are supposed to be able read or write multiple samples, indicated by the `insn->n` value, but `insn_rw_emulate_bits()` currently only handles a single sample. For `INSN_READ`, the comedi core will copy `insn->n` samples back to user-space. (That triggered KASAN kernel-infoleak errors when `insn->n` was greater than 1, but that is being fixed more generally elsewhere in the comedi core.) Make `insn_rw_emulate_bits()` either handle `insn->n` samples, or return an error, to conform to the general expectation for `INSN_READ` and `INSN_WRITE` handlers. Fixes: ed9eccbe8970 ("Staging: add comedi core") Cc: <stable(a)vger.kernel.org> # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> --- For 5.4.y and 5.10.y, this patch conflicts with submitted patches for upstream commit e9cb26291d00 ("comedi: Fix use of uninitialized data in insn_rw_emulate_bits()"). --- drivers/comedi/drivers.c | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/drivers/comedi/drivers.c b/drivers/comedi/drivers.c index f1dc854928c1..c9ebaadc5e82 100644 --- a/drivers/comedi/drivers.c +++ b/drivers/comedi/drivers.c @@ -620,11 +620,9 @@ static int insn_rw_emulate_bits(struct comedi_device *dev, unsigned int chan = CR_CHAN(insn->chanspec); unsigned int base_chan = (chan < 32) ? 0 : chan; unsigned int _data[2]; + unsigned int i; int ret; - if (insn->n == 0) - return 0; - memset(_data, 0, sizeof(_data)); memset(&_insn, 0, sizeof(_insn)); _insn.insn = INSN_BITS; @@ -635,18 +633,21 @@ static int insn_rw_emulate_bits(struct comedi_device *dev, if (insn->insn == INSN_WRITE) { if (!(s->subdev_flags & SDF_WRITABLE)) return -EINVAL; - _data[0] = 1U << (chan - base_chan); /* mask */ - _data[1] = data[0] ? (1U << (chan - base_chan)) : 0; /* bits */ + _data[0] = 1U << (chan - base_chan); /* mask */ } + for (i = 0; i < insn->n; i++) { + if (insn->insn == INSN_WRITE) + _data[1] = data[i] ? _data[0] : 0; /* bits */ - ret = s->insn_bits(dev, s, &_insn, _data); - if (ret < 0) - return ret; + ret = s->insn_bits(dev, s, &_insn, _data); + if (ret < 0) + return ret; - if (insn->insn == INSN_READ) - data[0] = (_data[1] >> (chan - base_chan)) & 1; + if (insn->insn == INSN_READ) + data[i] = (_data[1] >> (chan - base_chan)) & 1; + } - return 1; + return insn->n; } static int __comedi_device_postconfig_async(struct comedi_device *dev, -- 2.47.2

1 month, 2 weeks

1
0
0 0

[PATCH] scsi: fill in DMA padding bytes in scsi_alloc_sgtables

by Petr Vaganov

During fuzz testing, the following issue was discovered: BUG: KMSAN: uninit-value in __dma_map_sg_attrs+0x217/0x310 __dma_map_sg_attrs+0x217/0x310 dma_map_sg_attrs+0x4a/0x70 ata_qc_issue+0x9f8/0x1420 __ata_scsi_queuecmd+0x1657/0x1740 ata_scsi_queuecmd+0x79a/0x920 scsi_queue_rq+0x4472/0x4f40 blk_mq_dispatch_rq_list+0x1cca/0x3ee0 __blk_mq_sched_dispatch_requests+0x458/0x630 blk_mq_sched_dispatch_requests+0x15b/0x340 __blk_mq_run_hw_queue+0xe5/0x250 __blk_mq_delay_run_hw_queue+0x138/0x780 blk_mq_run_hw_queue+0x4bb/0x7e0 blk_mq_sched_insert_request+0x2a7/0x4c0 blk_execute_rq+0x497/0x8a0 sg_io+0xbe0/0xe20 scsi_ioctl+0x2b36/0x3c60 sr_block_ioctl+0x319/0x440 blkdev_ioctl+0x80f/0xd70 __se_sys_ioctl+0x219/0x420 __x64_sys_ioctl+0x93/0xe0 x64_sys_call+0x1d6c/0x3ad0 do_syscall_64+0x4c/0xa0 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Uninit was created at: __alloc_pages+0x5c0/0xc80 alloc_pages+0xe0e/0x1050 blk_rq_map_user_iov+0x2b77/0x6100 blk_rq_map_user_io+0x2fa/0x4d0 sg_io+0xad6/0xe20 scsi_ioctl+0x2b36/0x3c60 sr_block_ioctl+0x319/0x440 blkdev_ioctl+0x80f/0xd70 __se_sys_ioctl+0x219/0x420 __x64_sys_ioctl+0x93/0xe0 x64_sys_call+0x1d6c/0x3ad0 do_syscall_64+0x4c/0xa0 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Bytes 14-15 of 16 are uninitialized Memory access of size 16 starts at ffff88800cbdb000 When processing the last unaligned element of the scatterlist, it is supplemented with missing bytes in the amount of pad_len. These bytes remain uninitialized, which leads to a problem. Add zeroing pad_len bytes of padding by pad_offset offset before increasing its length. This ensures that the DMA does not receive uninitialized data and eliminates the KMSAN warning. In this case, the pages are not located in highmem, but in the general case they might be, so kmap_local_page() is used for mapping. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 40b01b9bbdf5 ("block: update bio according to DMA alignment padding") Co-developed-by: Boris Tonofa <b.tonofa(a)ideco.ru> Signed-off-by: Boris Tonofa <b.tonofa(a)ideco.ru> Signed-off-by: Petr Vaganov <p.vaganov(a)ideco.ru> --- drivers/scsi/scsi_lib.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c index 144c72f0737a..d287e24b6013 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c @@ -1153,6 +1153,11 @@ blk_status_t scsi_alloc_sgtables(struct scsi_cmnd *cmd) if (blk_rq_bytes(rq) & rq->q->limits.dma_pad_mask) { unsigned int pad_len = (rq->q->limits.dma_pad_mask & ~blk_rq_bytes(rq)) + 1; + unsigned int pad_offset = last_sg->offset + last_sg->length; + void *vaddr = kmap_local_page(sg_page(last_sg)); + + memset(vaddr + pad_offset, 0, pad_len); + kunmap_local(vaddr); last_sg->length += pad_len; cmd->extra_len += pad_len; -- 2.50.1

1 month, 2 weeks

2
2
0 0

[PATCH v5] riscv: hwprobe: Fix stale vDSO data for late-initialized keys at boot

by Jingwei Wang

The hwprobe vDSO data for some keys, like MISALIGNED_VECTOR_PERF, is determined by an asynchronous kthread. This can create a race condition where the kthread finishes after the vDSO data has already been populated, causing userspace to read stale values. To fix this, a completion-based framework is introduced to robustly synchronize the async probes with the vDSO data population. The waiting function, init_hwprobe_vdso_data(), now blocks on wait_for_completion() until all probes signal they are done. Furthermore, to prevent this potential blocking from impacting boot performance, the initialization is deferred to late_initcall. This is safe as the data is only required by userspace (which starts much later) and moves the synchronization delay off the critical boot path. Reported-by: Tsukasa OI <research_trasio(a)irq.a4lg.com> Closes: https://lore.kernel.org/linux-riscv/760d637b-b13b-4518-b6bf-883d55d44e7f@ir… Fixes: e7c9d66e313b ("RISC-V: Report vector unaligned access speed hwprobe") Cc: Palmer Dabbelt <palmer(a)dabbelt.com> Cc: Alexandre Ghiti <alexghiti(a)rivosinc.com> Cc: Olof Johansson <olof(a)lixom.net> Cc: stable(a)vger.kernel.org Signed-off-by: Jingwei Wang <wangjingwei(a)iscas.ac.cn> --- Changes in v5: - Reworked the synchronization logic to a robust "sentinel-count" pattern based on feedback from Alexandre. - Fixed a "multiple definition" linker error for nommu builds by changing the header-file stub functions to `static inline`, as pointed out by Olof. - Updated the commit message to better explain the rationale for moving the vDSO initialization to `late_initcall`. Changes in v4: - Reworked the synchronization mechanism based on feedback from Palmer and Alexandre. - Instead of a post-hoc refresh, this version introduces a robust completion-based framework using an atomic counter to ensure async probes are finished before populating the vDSO. - Moved the vdso data initialization to a late_initcall to avoid impacting boot time. Changes in v3: - Retained existing blank line. Changes in v2: - Addressed feedback from Yixun's regarding #ifdef CONFIG_MMU usage. - Updated commit message to provide a high-level summary. - Added Fixes tag for commit e7c9d66e313b. v1: https://lore.kernel.org/linux-riscv/20250521052754.185231-1-wangjingwei@isc… arch/riscv/include/asm/hwprobe.h | 8 +++++++- arch/riscv/kernel/sys_hwprobe.c | 20 +++++++++++++++++++- arch/riscv/kernel/unaligned_access_speed.c | 9 +++++++-- 3 files changed, 33 insertions(+), 4 deletions(-) diff --git a/arch/riscv/include/asm/hwprobe.h b/arch/riscv/include/asm/hwprobe.h index 7fe0a379474ae2c6..3b2888126e659ea1 100644 --- a/arch/riscv/include/asm/hwprobe.h +++ b/arch/riscv/include/asm/hwprobe.h @@ -40,5 +40,11 @@ static inline bool riscv_hwprobe_pair_cmp(struct riscv_hwprobe *pair, return pair->value == other_pair->value; } - +#ifdef CONFIG_MMU +void riscv_hwprobe_register_async_probe(void); +void riscv_hwprobe_complete_async_probe(void); +#else +static inline void riscv_hwprobe_register_async_probe(void) {} +static inline void riscv_hwprobe_complete_async_probe(void) {} +#endif #endif diff --git a/arch/riscv/kernel/sys_hwprobe.c b/arch/riscv/kernel/sys_hwprobe.c index 0b170e18a2beba57..ee02aeb03e7bd3d8 100644 --- a/arch/riscv/kernel/sys_hwprobe.c +++ b/arch/riscv/kernel/sys_hwprobe.c @@ -5,6 +5,8 @@ * more details. */ #include <linux/syscalls.h> +#include <linux/completion.h> +#include <linux/atomic.h> #include <asm/cacheflush.h> #include <asm/cpufeature.h> #include <asm/hwprobe.h> @@ -467,6 +469,20 @@ static int do_riscv_hwprobe(struct riscv_hwprobe __user *pairs, #ifdef CONFIG_MMU +static DECLARE_COMPLETION(boot_probes_done); +static atomic_t pending_boot_probes = ATOMIC_INIT(1); + +void riscv_hwprobe_register_async_probe(void) +{ + atomic_inc(&pending_boot_probes); +} + +void riscv_hwprobe_complete_async_probe(void) +{ + if (atomic_dec_and_test(&pending_boot_probes)) + complete(&boot_probes_done); +} + static int __init init_hwprobe_vdso_data(void) { struct vdso_arch_data *avd = vdso_k_arch_data; @@ -474,6 +490,8 @@ static int __init init_hwprobe_vdso_data(void) struct riscv_hwprobe pair; int key; + if (unlikely(!atomic_dec_and_test(&pending_boot_probes))) + wait_for_completion(&boot_probes_done); /* * Initialize vDSO data with the answers for the "all CPUs" case, to * save a syscall in the common case. @@ -504,7 +522,7 @@ static int __init init_hwprobe_vdso_data(void) return 0; } -arch_initcall_sync(init_hwprobe_vdso_data); +late_initcall(init_hwprobe_vdso_data); #endif /* CONFIG_MMU */ diff --git a/arch/riscv/kernel/unaligned_access_speed.c b/arch/riscv/kernel/unaligned_access_speed.c index ae2068425fbcd207..4b8ad2673b0f7470 100644 --- a/arch/riscv/kernel/unaligned_access_speed.c +++ b/arch/riscv/kernel/unaligned_access_speed.c @@ -379,6 +379,7 @@ static void check_vector_unaligned_access(struct work_struct *work __always_unus static int __init vec_check_unaligned_access_speed_all_cpus(void *unused __always_unused) { schedule_on_each_cpu(check_vector_unaligned_access); + riscv_hwprobe_complete_async_probe(); return 0; } @@ -473,8 +474,12 @@ static int __init check_unaligned_access_all_cpus(void) per_cpu(vector_misaligned_access, cpu) = unaligned_vector_speed_param; } else if (!check_vector_unaligned_access_emulated_all_cpus() && IS_ENABLED(CONFIG_RISCV_PROBE_VECTOR_UNALIGNED_ACCESS)) { - kthread_run(vec_check_unaligned_access_speed_all_cpus, - NULL, "vec_check_unaligned_access_speed_all_cpus"); + riscv_hwprobe_register_async_probe(); + if (IS_ERR(kthread_run(vec_check_unaligned_access_speed_all_cpus, + NULL, "vec_check_unaligned_access_speed_all_cpus"))) { + pr_warn("Failed to create vec_unalign_check kthread\n"); + riscv_hwprobe_complete_async_probe(); + } } /* -- 2.50.0

1 month, 2 weeks

2
3
0 0

[PATCH] comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()

by Ian Abbott

syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel buffer is allocated to hold `insn->n` samples (each of which is an `unsigned int`). For some instruction types, `insn->n` samples are copied back to user-space, unless an error code is being returned. The problem is that not all the instruction handlers that need to return data to userspace fill in the whole `insn->n` samples, so that there is an information leak. There is a similar syzbot report for `do_insnlist_ioctl()`, although it does not have a reproducer for it at the time of writing. One culprit is `insn_rw_emulate_bits()` which is used as the handler for `INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have a specific handler for that instruction, but do have an `INSN_BITS` handler. For `INSN_READ` it only fills in at most 1 sample, so if `insn->n` is greater than 1, the remaining `insn->n - 1` samples copied to userspace will be uninitialized kernel data. Another culprit is `vm80xx_ai_insn_read()` in the "vm80xx" driver. It never returns an error, even if it fails to fill the buffer. Fix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure that uninitialized parts of the allocated buffer are zeroed before handling each instruction. Thanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`. That fix replaced the call to `kmalloc_array()` with `kcalloc()`, but it is not always necessary to clear the whole buffer. Fixes: ed9eccbe8970 ("Staging: add comedi core") Reported-by: syzbot+a5e45f768aab5892da5d(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=a5e45f768aab5892da5d Reported-by: syzbot+fb4362a104d45ab09cf9(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=fb4362a104d45ab09cf9 Cc: <stable(a)vger.kernel.org> #5.13+ Cc: Arnaud Lecomte <contact(a)arnaud-lcm.com> Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> --- Cherry picks to fix this for 5.4.y and 5.10.y not yet available. --- drivers/comedi/comedi_fops.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c index 23b7178522ae..7e2f2b1a1c36 100644 --- a/drivers/comedi/comedi_fops.c +++ b/drivers/comedi/comedi_fops.c @@ -1587,6 +1587,9 @@ static int do_insnlist_ioctl(struct comedi_device *dev, memset(&data[n], 0, (MIN_SAMPLES - n) * sizeof(unsigned int)); } + } else { + memset(data, 0, max_t(unsigned int, n, MIN_SAMPLES) * + sizeof(unsigned int)); } ret = parse_insn(dev, insns + i, data, file); if (ret < 0) @@ -1670,6 +1673,8 @@ static int do_insn_ioctl(struct comedi_device *dev, memset(&data[insn->n], 0, (MIN_SAMPLES - insn->n) * sizeof(unsigned int)); } + } else { + memset(data, 0, n_data * sizeof(unsigned int)); } ret = parse_insn(dev, insn, data, file); if (ret < 0) -- 2.47.2

1 month, 2 weeks

1
0
0 0

[stable backport request] x86/ioremap: Use is_ioremap_addr() in iounmap() for 5.15.y

by Arin Sun

Dear Stable Kernel Team and Maintainers, I am writing to request a backport of the following commit from the mainline kernel to the 5.15.y stable branch: Commit: x86/ioremap: Use is_ioremap_addr() in iounmap() ID: 50c6dbdfd16e312382842198a7919341ad480e05 Author: Max Ramanouski Merged in: Linux 6.11-rc1 (approximately August 2024) This commit fixes a bug in the iounmap() function for x86 architectures in kernel versions 5.x. Specifically, the original code uses a check against high_memory: if ((void __force *)addr <= high_memory) return; This can lead to memory leaks on certain x86 servers where ioremap() returns addresses that are not guaranteed to be greater than high_memory, causing the function to return early without properly unmapping the memory. The fix replaces this with is_ioremap_addr(), making the check more reliable: if (WARN_ON_ONCE(!is_ioremap_addr((void __force *)addr))) return; I have checked the 5.15.y branch logs and did not find this backport. This issue affects production environments, particularly on customer machines where we cannot easily deploy custom kernels. Backporting this to 5.15.y (and possibly other LTS branches like 5.10.y if applicable) would help resolve the memory leak without requiring users to upgrade to 6.x series. Do you have plans to backport this commit? If not, could you please consider it for inclusion in the stable releases? Thank you for your time and efforts in maintaining the stable kernels. Best regards, xin.sun

1 month, 2 weeks

2
1
0 0

[PATCH 6.6.y] arm64/cpufeatures/kvm: Add ARMv8.9 FEAT_ECBHB bits in ID_AA64MMFR1 register

by Roy, Patrick

From: Nianyao Tang <tangnianyao(a)huawei.com> [ upstream commit e8cde32f111f7f5681a7bad3ec747e9e697569a9 ] Enable ECBHB bits in ID_AA64MMFR1 register as per ARM DDI 0487K.a specification. When guest OS read ID_AA64MMFR1_EL1, kvm emulate this reg using ftr_id_aa64mmfr1 and always return ID_AA64MMFR1_EL1.ECBHB=0 to guest. It results in guest syscall jump to tramp ventry, which is not needed in implementation with ID_AA64MMFR1_EL1.ECBHB=1. Let's make the guest syscall process the same as the host. This fixes performance regressions introduced by commit 4117975672c4 ("arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists") for guests running on neoverse v2 hardware, which supports ECBHB. Signed-off-by: Nianyao Tang <tangnianyao(a)huawei.com> Link: https://lore.kernel.org/r/20240611122049.2758600-1-tangnianyao@huawei.com Signed-off-by: Catalin Marinas <catalin.marinas(a)arm.com> Signed-off-by: Patrick Roy <roypat(a)amazon.co.uk> --- arch/arm64/kernel/cpufeature.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index b6d381f743f3..2ce9ef9d924a 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -364,6 +364,7 @@ static const struct arm64_ftr_bits ftr_id_aa64mmfr0[] = { }; static const struct arm64_ftr_bits ftr_id_aa64mmfr1[] = { + ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64MMFR1_EL1_ECBHB_SHIFT, 4, 0), ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_LOWER_SAFE, ID_AA64MMFR1_EL1_TIDCP1_SHIFT, 4, 0), ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64MMFR1_EL1_AFP_SHIFT, 4, 0), ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64MMFR1_EL1_HCX_SHIFT, 4, 0), -- 2.50.1

1 month, 2 weeks

1
0
0 0

[PATCH] block: Fix bounce check logic in blk_queue_may_bounce()

by Hardeep Sharma

Buffer bouncing is needed only when memory exists above the lowmem region, i.e., when max_low_pfn < max_pfn. The previous check (max_low_pfn >= max_pfn) was inverted and prevented bouncing when it could actually be required. Note that bouncing depends on CONFIG_HIGHMEM, which is typically enabled on 32-bit ARM where not all memory is permanently mapped into the kernel’s lowmem region. Fixes: 9bb33f24abbd0 ("block: refactor the bounce buffering code") Cc: stable(a)vger.kernel.org Signed-off-by: Hardeep Sharma <quic_hardshar(a)quicinc.com> --- block/blk.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/block/blk.h b/block/blk.h index 67915b04b3c1..f8a1d64be5a2 100644 --- a/block/blk.h +++ b/block/blk.h @@ -383,7 +383,7 @@ static inline bool blk_queue_may_bounce(struct request_queue *q) { return IS_ENABLED(CONFIG_BOUNCE) && q->limits.bounce == BLK_BOUNCE_HIGH && - max_low_pfn >= max_pfn; + max_low_pfn < max_pfn; } static inline struct bio *blk_queue_bounce(struct bio *bio, -- 2.25.1

1 month, 2 weeks

1
0
0 0

[PATCH] sprintf.h requires stdarg.h

by Suchit Karunakaran

From: Stephen Rothwell <sfr(a)canb.auug.org.au> In file included from drivers/crypto/intel/qat/qat_common/adf_pm_dbgfs_utils.c:4: include/linux/sprintf.h:11:54: error: unknown type name 'va_list' 11 | __printf(2, 0) int vsprintf(char *buf, const char *, va_list); | ^~~~~~~ include/linux/sprintf.h:1:1: note: 'va_list' is defined in header '<stdarg.h>'; this is probably fixable by adding '#include <stdarg.h>' Link: https://lkml.kernel.org/r/20250721173754.42865913@canb.auug.org.au Fixes: 39ced19b9e60 ("lib/vsprintf: split out sprintf() and friends") Signed-off-by: Stephen Rothwell <sfr(a)canb.auug.org.au> Cc: Andriy Shevchenko <andriy.shevchenko(a)linux.intel.com> Cc: Herbert Xu <herbert(a)gondor.apana.org.au> Cc: Petr Mladek <pmladek(a)suse.com> Cc: Steven Rostedt <rostedt(a)goodmis.org> Cc: Rasmus Villemoes <linux(a)rasmusvillemoes.dk> Cc: Sergey Senozhatsky <senozhatsky(a)chromium.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Suchit Karunakaran <suchitkarunakaran(a)gmail.com> --- include/linux/sprintf.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/linux/sprintf.h b/include/linux/sprintf.h index 51cab2def9ec..876130091384 100644 --- a/include/linux/sprintf.h +++ b/include/linux/sprintf.h @@ -4,6 +4,7 @@ #include <linux/compiler_attributes.h> #include <linux/types.h> +#include <linux/stdarg.h> int num_to_str(char *buf, int size, unsigned long long num, unsigned int width); -- 2.39.5

1 month, 2 weeks

1
0
0 0

[PATCH v5 1/8] mm/shmem, swap: improve cached mTHP handling and fix potential hung

by Kairui Song

From: Kairui Song <kasong(a)tencent.com> The current swap-in code assumes that, when a swap entry in shmem mapping is order 0, its cached folios (if present) must be order 0 too, which turns out not always correct. The problem is shmem_split_large_entry is called before verifying the folio will eventually be swapped in, one possible race is: CPU1 CPU2 shmem_swapin_folio /* swap in of order > 0 swap entry S1 */ folio = swap_cache_get_folio /* folio = NULL */ order = xa_get_order /* order > 0 */ folio = shmem_swap_alloc_folio /* mTHP alloc failure, folio = NULL */ <... Interrupted ...> shmem_swapin_folio /* S1 is swapped in */ shmem_writeout /* S1 is swapped out, folio cached */ shmem_split_large_entry(..., S1) /* S1 is split, but the folio covering it has order > 0 now */ Now any following swapin of S1 will hang: `xa_get_order` returns 0, and folio lookup will return a folio with order > 0. The `xa_get_order(&mapping->i_pages, index) != folio_order(folio)` will always return false causing swap-in to return -EEXIST. And this looks fragile. So fix this up by allowing seeing a larger folio in swap cache, and check the whole shmem mapping range covered by the swapin have the right swap value upon inserting the folio. And drop the redundant tree walks before the insertion. This will actually improve performance, as it avoids two redundant Xarray tree walks in the hot path, and the only side effect is that in the failure path, shmem may redundantly reallocate a few folios causing temporary slight memory pressure. And worth noting, it may seems the order and value check before inserting might help reducing the lock contention, which is not true. The swap cache layer ensures raced swapin will either see a swap cache folio or failed to do a swapin (we have SWAP_HAS_CACHE bit even if swap cache is bypassed), so holding the folio lock and checking the folio flag is already good enough for avoiding the lock contention. The chance that a folio passes the swap entry value check but the shmem mapping slot has changed should be very low. Fixes: 809bc86517cc ("mm: shmem: support large folio swap out") Signed-off-by: Kairui Song <kasong(a)tencent.com> Reviewed-by: Kemeng Shi <shikemeng(a)huaweicloud.com> Reviewed-by: Baolin Wang <baolin.wang(a)linux.alibaba.com> Tested-by: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: <stable(a)vger.kernel.org> --- mm/shmem.c | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/mm/shmem.c b/mm/shmem.c index 334b7b4a61a0..e3c9a1365ff4 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -884,7 +884,9 @@ static int shmem_add_to_page_cache(struct folio *folio, pgoff_t index, void *expected, gfp_t gfp) { XA_STATE_ORDER(xas, &mapping->i_pages, index, folio_order(folio)); - long nr = folio_nr_pages(folio); + unsigned long nr = folio_nr_pages(folio); + swp_entry_t iter, swap; + void *entry; VM_BUG_ON_FOLIO(index != round_down(index, nr), folio); VM_BUG_ON_FOLIO(!folio_test_locked(folio), folio); @@ -896,14 +898,24 @@ static int shmem_add_to_page_cache(struct folio *folio, gfp &= GFP_RECLAIM_MASK; folio_throttle_swaprate(folio, gfp); + swap = iter = radix_to_swp_entry(expected); do { xas_lock_irq(&xas); - if (expected != xas_find_conflict(&xas)) { - xas_set_err(&xas, -EEXIST); - goto unlock; + xas_for_each_conflict(&xas, entry) { + /* + * The range must either be empty, or filled with + * expected swap entries. Shmem swap entries are never + * partially freed without split of both entry and + * folio, so there shouldn't be any holes. + */ + if (!expected || entry != swp_to_radix_entry(iter)) { + xas_set_err(&xas, -EEXIST); + goto unlock; + } + iter.val += 1 << xas_get_order(&xas); } - if (expected && xas_find_conflict(&xas)) { + if (expected && iter.val - nr != swap.val) { xas_set_err(&xas, -EEXIST); goto unlock; } @@ -2323,7 +2335,7 @@ static int shmem_swapin_folio(struct inode *inode, pgoff_t index, error = -ENOMEM; goto failed; } - } else if (order != folio_order(folio)) { + } else if (order > folio_order(folio)) { /* * Swap readahead may swap in order 0 folios into swapcache * asynchronously, while the shmem mapping can still stores @@ -2348,15 +2360,15 @@ static int shmem_swapin_folio(struct inode *inode, pgoff_t index, swap = swp_entry(swp_type(swap), swp_offset(swap) + offset); } + } else if (order < folio_order(folio)) { + swap.val = round_down(swap.val, 1 << folio_order(folio)); } alloced: /* We have to do this with folio locked to prevent races */ folio_lock(folio); if ((!skip_swapcache && !folio_test_swapcache(folio)) || - folio->swap.val != swap.val || - !shmem_confirm_swap(mapping, index, swap) || - xa_get_order(&mapping->i_pages, index) != folio_order(folio)) { + folio->swap.val != swap.val) { error = -EEXIST; goto unlock; } -- 2.50.0

1 month, 2 weeks

2
4
0 0

[merged mm-stable] mm-damon-ops-common-ignore-migration-request-to-invalid-nodes.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/ops-common: ignore migration request to invalid nodes has been removed from the -mm tree. Its filename was mm-damon-ops-common-ignore-migration-request-to-invalid-nodes.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/ops-common: ignore migration request to invalid nodes Date: Sun, 20 Jul 2025 11:58:22 -0700 damon_migrate_pages() tries migration even if the target node is invalid. If users mistakenly make such invalid requests via DAMOS_MIGRATE_{HOT,COLD} action, the below kernel BUG can happen. [ 7831.883495] BUG: unable to handle page fault for address: 0000000000001f48 [ 7831.884160] #PF: supervisor read access in kernel mode [ 7831.884681] #PF: error_code(0x0000) - not-present page [ 7831.885203] PGD 0 P4D 0 [ 7831.885468] Oops: Oops: 0000 [#1] SMP PTI [ 7831.885852] CPU: 31 UID: 0 PID: 94202 Comm: kdamond.0 Not tainted 6.16.0-rc5-mm-new-damon+ #93 PREEMPT(voluntary) [ 7831.886913] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.el9 04/01/2014 [ 7831.887777] RIP: 0010:__alloc_frozen_pages_noprof (include/linux/mmzone.h:1724 include/linux/mmzone.h:1750 mm/page_alloc.c:4936 mm/page_alloc.c:5137) [...] [ 7831.895953] Call Trace: [ 7831.896195] <TASK> [ 7831.896397] __folio_alloc_noprof (mm/page_alloc.c:5183 mm/page_alloc.c:5192) [ 7831.896787] migrate_pages_batch (mm/migrate.c:1189 mm/migrate.c:1851) [ 7831.897228] ? __pfx_alloc_migration_target (mm/migrate.c:2137) [ 7831.897735] migrate_pages (mm/migrate.c:2078) [ 7831.898141] ? __pfx_alloc_migration_target (mm/migrate.c:2137) [ 7831.898664] damon_migrate_folio_list (mm/damon/ops-common.c:321 mm/damon/ops-common.c:354) [ 7831.899140] damon_migrate_pages (mm/damon/ops-common.c:405) [...] Add a target node validity check in damon_migrate_pages(). The validity check is stolen from that of do_pages_move(), which is being used for the move_pages() system call. Link: https://lkml.kernel.org/r/20250720185822.1451-1-sj@kernel.org Fixes: b51820ebea65 ("mm/damon/paddr: introduce DAMOS_MIGRATE_COLD action for demotion") [6.11.x] Signed-off-by: SeongJae Park <sj(a)kernel.org> Reviewed-by: Joshua Hahn <joshua.hahnjy(a)gmail.com> Cc: Honggyu Kim <honggyu.kim(a)sk.com> Cc: Hyeongtak Ji <hyeongtak.ji(a)sk.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/ops-common.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/mm/damon/ops-common.c~mm-damon-ops-common-ignore-migration-request-to-invalid-nodes +++ a/mm/damon/ops-common.c @@ -383,6 +383,10 @@ unsigned long damon_migrate_pages(struct if (list_empty(folio_list)) return nr_migrated; + if (target_nid < 0 || target_nid >= MAX_NUMNODES || + !node_state(target_nid, N_MEMORY)) + return nr_migrated; + noreclaim_flag = memalloc_noreclaim_save(); nid = folio_nid(lru_to_folio(folio_list)); _ Patches currently in -mm which might be from sj(a)kernel.org are selftests-damon-sysfspy-stop-damon-for-dumping-failures.patch selftests-damon-_damon_sysfs-support-damos-watermarks-setup.patch selftests-damon-_damon_sysfs-support-damos-filters-setup.patch selftests-damon-_damon_sysfs-support-monitoring-intervals-goal-setup.patch selftests-damon-_damon_sysfs-support-damos-quota-weights-setup.patch selftests-damon-_damon_sysfs-support-damos-quota-goal-nid-setup.patch selftests-damon-_damon_sysfs-support-damos-action-dests-setup.patch selftests-damon-_damon_sysfs-support-damos-target_nid-setup.patch selftests-damon-_damon_sysfs-use-232-1-as-max-nr_accesses-and-age.patch selftests-damon-drgn_dump_damon_status-dump-damos-migrate_dests.patch selftests-damon-drgn_dump_damon_status-dump-ctx-opsid.patch selftests-damon-drgn_dump_damon_status-dump-damos-filters.patch selftests-damon-sysfspy-generalize-damos-watermarks-commit-assertion.patch selftests-damon-sysfspy-generalize-damosquota-commit-assertion.patch selftests-damon-sysfspy-test-quota-goal-commitment.patch selftests-damon-sysfspy-test-damos-destinations-commitment.patch selftests-damon-sysfspy-generalize-damos-scheme-commit-assertion.patch selftests-damon-sysfspy-test-damos-filters-commitment.patch selftests-damon-sysfspy-generalize-damos-schemes-commit-assertion.patch selftests-damon-sysfspy-generalize-monitoring-attributes-commit-assertion.patch selftests-damon-sysfspy-generalize-damon-context-commit-assertion.patch selftests-damon-sysfspy-test-non-default-parameters-runtime-commit.patch selftests-damon-sysfspy-test-runtime-reduction-of-damon-parameters.patch

1 month, 2 weeks

1
0
0 0

[merged mm-stable] mm-swap-fix-potensial-buffer-overflow-in-setup_clusters.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: swap: fix potential buffer overflow in setup_clusters() has been removed from the -mm tree. Its filename was mm-swap-fix-potensial-buffer-overflow-in-setup_clusters.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Kemeng Shi <shikemeng(a)huaweicloud.com> Subject: mm: swap: fix potential buffer overflow in setup_clusters() Date: Thu, 22 May 2025 20:25:53 +0800 In setup_swap_map(), we only ensure badpages are in range (0, last_page]. As maxpages might be < last_page, setup_clusters() will encounter a buffer overflow when a badpage is >= maxpages. Only call inc_cluster_info_page() for badpage which is < maxpages to fix the issue. Link: https://lkml.kernel.org/r/20250522122554.12209-4-shikemeng@huaweicloud.com Fixes: b843786b0bd0 ("mm: swapfile: fix SSD detection with swapfile on btrfs") Signed-off-by: Kemeng Shi <shikemeng(a)huaweicloud.com> Reviewed-by: Baoquan He <bhe(a)redhat.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Kairui Song <kasong(a)tencent.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/swapfile.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) --- a/mm/swapfile.c~mm-swap-fix-potensial-buffer-overflow-in-setup_clusters +++ a/mm/swapfile.c @@ -3208,9 +3208,13 @@ static struct swap_cluster_info *setup_c * and the EOF part of the last cluster. */ inc_cluster_info_page(si, cluster_info, 0); - for (i = 0; i < swap_header->info.nr_badpages; i++) - inc_cluster_info_page(si, cluster_info, - swap_header->info.badpages[i]); + for (i = 0; i < swap_header->info.nr_badpages; i++) { + unsigned int page_nr = swap_header->info.badpages[i]; + + if (page_nr >= maxpages) + continue; + inc_cluster_info_page(si, cluster_info, page_nr); + } for (i = maxpages; i < round_up(maxpages, SWAPFILE_CLUSTER); i++) inc_cluster_info_page(si, cluster_info, i); _ Patches currently in -mm which might be from shikemeng(a)huaweicloud.com are

1 month, 2 weeks

1
0
0 0

[merged mm-stable] mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potensial-deadloop.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: swap: correctly use maxpages in swapon syscall to avoid potential deadloop has been removed from the -mm tree. Its filename was mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potensial-deadloop.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Kemeng Shi <shikemeng(a)huaweicloud.com> Subject: mm: swap: correctly use maxpages in swapon syscall to avoid potential deadloop Date: Thu, 22 May 2025 20:25:52 +0800 We use maxpages from read_swap_header() to initialize swap_info_struct, however the maxpages might be reduced in setup_swap_extents() and the si->max is assigned with the reduced maxpages from the setup_swap_extents(). Obviously, this could lead to memory waste as we allocated memory based on larger maxpages, besides, this could lead to a potential deadloop as following: 1) When calling setup_clusters() with larger maxpages, unavailable pages within range [si->max, larger maxpages) are not accounted with inc_cluster_info_page(). As a result, these pages are assumed available but can not be allocated. The cluster contains these pages can be moved to frag_clusters list after it's all available pages were allocated. 2) When the cluster mentioned in 1) is the only cluster in frag_clusters list, cluster_alloc_swap_entry() assume order 0 allocation will never failed and will enter a deadloop by keep trying to allocate page from the only cluster in frag_clusters which contains no actually available page. Call setup_swap_extents() to get the final maxpages before swap_info_struct initialization to fix the issue. After this change, span will include badblocks and will become large value which I think is correct value: In summary, there are two kinds of swapfile_activate operations. 1. Filesystem style: Treat all blocks logical continuity and find usable physical extents in logical range. In this way, si->pages will be actual usable physical blocks and span will be "1 + highest_block - lowest_block". 2. Block device style: Treat all blocks physically continue and only one single extent is added. In this way, si->pages will be si->max and span will be "si->pages - 1". Actually, si->pages and si->max is only used in block device style and span value is set with si->pages. As a result, span value in block device style will become a larger value as you mentioned. I think larger value is correct based on: 1. Span value in filesystem style is "1 + highest_block - lowest_block" which is the range cover all possible phisical blocks including the badblocks. 2. For block device style, si->pages is the actual usable block number and is already in pr_info. The original span value before this patch is also refer to usable block number which is redundant in pr_info. [shikemeng(a)huaweicloud.com: ensure si->pages == si->max - 1 after setup_swap_extents()] Link: https://lkml.kernel.org/r/20250522122554.12209-3-shikemeng@huaweicloud.com Link: https://lkml.kernel.org/r/20250718065139.61989-1-shikemeng@huaweicloud.com Link: https://lkml.kernel.org/r/20250522122554.12209-3-shikemeng@huaweicloud.com Fixes: 661383c6111a ("mm: swap: relaim the cached parts that got scanned") Signed-off-by: Kemeng Shi <shikemeng(a)huaweicloud.com> Reviewed-by: Baoquan He <bhe(a)redhat.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Kairui Song <kasong(a)tencent.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/swapfile.c | 53 +++++++++++++++++++++++------------------------- 1 file changed, 26 insertions(+), 27 deletions(-) --- a/mm/swapfile.c~mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potensial-deadloop +++ a/mm/swapfile.c @@ -3141,43 +3141,30 @@ static unsigned long read_swap_header(st return maxpages; } -static int setup_swap_map_and_extents(struct swap_info_struct *si, - union swap_header *swap_header, - unsigned char *swap_map, - unsigned long maxpages, - sector_t *span) +static int setup_swap_map(struct swap_info_struct *si, + union swap_header *swap_header, + unsigned char *swap_map, + unsigned long maxpages) { - unsigned int nr_good_pages; unsigned long i; - int nr_extents; - - nr_good_pages = maxpages - 1; /* omit header page */ + swap_map[0] = SWAP_MAP_BAD; /* omit header page */ for (i = 0; i < swap_header->info.nr_badpages; i++) { unsigned int page_nr = swap_header->info.badpages[i]; if (page_nr == 0 || page_nr > swap_header->info.last_page) return -EINVAL; if (page_nr < maxpages) { swap_map[page_nr] = SWAP_MAP_BAD; - nr_good_pages--; + si->pages--; } } - if (nr_good_pages) { - swap_map[0] = SWAP_MAP_BAD; - si->max = maxpages; - si->pages = nr_good_pages; - nr_extents = setup_swap_extents(si, span); - if (nr_extents < 0) - return nr_extents; - nr_good_pages = si->pages; - } - if (!nr_good_pages) { + if (!si->pages) { pr_warn("Empty swap-file\n"); return -EINVAL; } - return nr_extents; + return 0; } #define SWAP_CLUSTER_INFO_COLS \ @@ -3217,7 +3204,7 @@ static struct swap_cluster_info *setup_c * Mark unusable pages as unavailable. The clusters aren't * marked free yet, so no list operations are involved yet. * - * See setup_swap_map_and_extents(): header page, bad pages, + * See setup_swap_map(): header page, bad pages, * and the EOF part of the last cluster. */ inc_cluster_info_page(si, cluster_info, 0); @@ -3363,6 +3350,21 @@ SYSCALL_DEFINE2(swapon, const char __use goto bad_swap_unlock_inode; } + si->max = maxpages; + si->pages = maxpages - 1; + nr_extents = setup_swap_extents(si, &span); + if (nr_extents < 0) { + error = nr_extents; + goto bad_swap_unlock_inode; + } + if (si->pages != si->max - 1) { + pr_err("swap:%u != (max:%u - 1)\n", si->pages, si->max); + error = -EINVAL; + goto bad_swap_unlock_inode; + } + + maxpages = si->max; + /* OK, set up the swap map and apply the bad block list */ swap_map = vzalloc(maxpages); if (!swap_map) { @@ -3374,12 +3376,9 @@ SYSCALL_DEFINE2(swapon, const char __use if (error) goto bad_swap_unlock_inode; - nr_extents = setup_swap_map_and_extents(si, swap_header, swap_map, - maxpages, &span); - if (unlikely(nr_extents < 0)) { - error = nr_extents; + error = setup_swap_map(si, swap_header, swap_map, maxpages); + if (error) goto bad_swap_unlock_inode; - } /* * Use kvmalloc_array instead of bitmap_zalloc as the allocation order might _ Patches currently in -mm which might be from shikemeng(a)huaweicloud.com are

1 month, 2 weeks

1
0
0 0

[merged mm-stable] mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: swap: move nr_swap_pages counter decrement from folio_alloc_swap() to swap_range_alloc() has been removed from the -mm tree. Its filename was mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Kemeng Shi <shikemeng(a)huaweicloud.com> Subject: mm: swap: move nr_swap_pages counter decrement from folio_alloc_swap() to swap_range_alloc() Date: Thu, 22 May 2025 20:25:51 +0800 Patch series "Some randome fixes and cleanups to swapfile". Patch 0-3 are some random fixes. Patch 4 is a cleanup. More details can be found in respective patches. This patch (of 4): When folio_alloc_swap() encounters a failure in either mem_cgroup_try_charge_swap() or add_to_swap_cache(), nr_swap_pages counter is not decremented for allocated entry. However, the following put_swap_folio() will increase nr_swap_pages counter unpairly and lead to an imbalance. Move nr_swap_pages decrement from folio_alloc_swap() to swap_range_alloc() to pair the nr_swap_pages counting. Link: https://lkml.kernel.org/r/20250522122554.12209-1-shikemeng@huaweicloud.com Link: https://lkml.kernel.org/r/20250522122554.12209-2-shikemeng@huaweicloud.com Fixes: 0ff67f990bd4 ("mm, swap: remove swap slot cache") Signed-off-by: Kemeng Shi <shikemeng(a)huaweicloud.com> Reviewed-by: Kairui Song <kasong(a)tencent.com> Reviewed-by: Baoquan He <bhe(a)redhat.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/swapfile.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/swapfile.c~mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc +++ a/mm/swapfile.c @@ -1115,6 +1115,7 @@ static void swap_range_alloc(struct swap if (vm_swap_full()) schedule_work(&si->reclaim_work); } + atomic_long_sub(nr_entries, &nr_swap_pages); } static void swap_range_free(struct swap_info_struct *si, unsigned long offset, @@ -1313,7 +1314,6 @@ int folio_alloc_swap(struct folio *folio if (add_to_swap_cache(folio, entry, gfp | __GFP_NOMEMALLOC, NULL)) goto out_free; - atomic_long_sub(size, &nr_swap_pages); return 0; out_free: _ Patches currently in -mm which might be from shikemeng(a)huaweicloud.com are

1 month, 2 weeks

1
0
0 0

[PATCH v3 mm-hotfixes 3/5] x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()

by Harry Yoo

Define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to ensure page tables are properly synchronized when calling p*d_populate_kernel(). It is inteneded to synchronize page tables via pgd_pouplate_kernel() when 5-level paging is in use and via p4d_pouplate_kernel() when 4-level paging is used. This fixes intermittent boot failures on systems using 4-level paging and a large amount of persistent memory: BUG: unable to handle page fault for address: ffffe70000000034 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [#1] SMP NOPTI RIP: 0010:__init_single_page+0x9/0x6d Call Trace: <TASK> __init_zone_device_page+0x17/0x5d memmap_init_zone_device+0x154/0x1bb pagemap_range+0x2e0/0x40f memremap_pages+0x10b/0x2f0 devm_memremap_pages+0x1e/0x60 dev_dax_probe+0xce/0x2ec [device_dax] dax_bus_probe+0x6d/0xc9 [... snip ...] </TASK> It also fixes a crash in vmemmap_set_pmd() caused by accessing vmemmap before sync_global_pgds() [1]: BUG: unable to handle page fault for address: ffffeb3ff1200000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: Oops: 0002 [#1] PREEMPT SMP NOPTI Tainted: [W]=WARN RIP: 0010:vmemmap_set_pmd+0xff/0x230 <TASK> vmemmap_populate_hugepages+0x176/0x180 vmemmap_populate+0x34/0x80 __populate_section_memmap+0x41/0x90 sparse_add_section+0x121/0x3e0 __add_pages+0xba/0x150 add_pages+0x1d/0x70 memremap_pages+0x3dc/0x810 devm_memremap_pages+0x1c/0x60 xe_devm_add+0x8b/0x100 [xe] xe_tile_init_noalloc+0x6a/0x70 [xe] xe_device_probe+0x48c/0x740 [xe] [... snip ...] Cc: stable(a)vger.kernel.org Fixes: 8d400913c231 ("x86/vmemmap: handle unpopulated sub-pmd ranges") Closes: https://lore.kernel.org/linux-mm/20250311114420.240341-1-gwan-gyeong.mun@in… [1] Suggested-by: Dave Hansen <dave.hansen(a)linux.intel.com> Signed-off-by: Harry Yoo <harry.yoo(a)oracle.com> --- arch/x86/include/asm/pgtable_64_types.h | 3 +++ arch/x86/mm/init_64.c | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/arch/x86/include/asm/pgtable_64_types.h b/arch/x86/include/asm/pgtable_64_types.h index 4604f924d8b8..7eb61ef6a185 100644 --- a/arch/x86/include/asm/pgtable_64_types.h +++ b/arch/x86/include/asm/pgtable_64_types.h @@ -36,6 +36,9 @@ static inline bool pgtable_l5_enabled(void) #define pgtable_l5_enabled() cpu_feature_enabled(X86_FEATURE_LA57) #endif /* USE_EARLY_PGTABLE_L5 */ +#define ARCH_PAGE_TABLE_SYNC_MASK \ + (pgtable_l5_enabled() ? PGTBL_PGD_MODIFIED : PGTBL_P4D_MODIFIED) + extern unsigned int pgdir_shift; extern unsigned int ptrs_per_p4d; diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c index fdb6cab524f0..3800479022e4 100644 --- a/arch/x86/mm/init_64.c +++ b/arch/x86/mm/init_64.c @@ -223,6 +223,11 @@ static void sync_global_pgds(unsigned long start, unsigned long end) sync_global_pgds_l4(start, end); } +void arch_sync_kernel_mappings(unsigned long start, unsigned long end) +{ + sync_global_pgds(start, end); +} + /* * NOTE: This function is marked __ref because it calls __init function * (alloc_bootmem_pages). It's safe to do it ONLY when after_bootmem == 0. -- 2.43.0

1 month, 2 weeks

1
0
0 0

[PATCH v3 mm-hotfixes 1/5] mm: move page table sync declarations to linux/pgtable.h

by Harry Yoo

Move ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to linux/pgtable.h so that they can be used outside of vmalloc and ioremap. Cc: stable(a)vger.kernel.org Signed-off-by: Harry Yoo <harry.yoo(a)oracle.com> --- include/linux/pgtable.h | 17 +++++++++++++++++ include/linux/vmalloc.h | 16 ---------------- 2 files changed, 17 insertions(+), 16 deletions(-) diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h index 0b6e1f781d86..e564f338c758 100644 --- a/include/linux/pgtable.h +++ b/include/linux/pgtable.h @@ -1329,6 +1329,23 @@ static inline void ptep_modify_prot_commit(struct vm_area_struct *vma, __ptep_modify_prot_commit(vma, addr, ptep, pte); } #endif /* __HAVE_ARCH_PTEP_MODIFY_PROT_TRANSACTION */ + +/* + * Architectures can set this mask to a combination of PGTBL_P?D_MODIFIED values + * and let generic vmalloc and ioremap code know when arch_sync_kernel_mappings() + * needs to be called. + */ +#ifndef ARCH_PAGE_TABLE_SYNC_MASK +#define ARCH_PAGE_TABLE_SYNC_MASK 0 +#endif + +/* + * There is no default implementation for arch_sync_kernel_mappings(). It is + * relied upon the compiler to optimize calls out if ARCH_PAGE_TABLE_SYNC_MASK + * is 0. + */ +void arch_sync_kernel_mappings(unsigned long start, unsigned long end); + #endif /* CONFIG_MMU */ /* diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h index fdc9aeb74a44..2759dac6be44 100644 --- a/include/linux/vmalloc.h +++ b/include/linux/vmalloc.h @@ -219,22 +219,6 @@ extern int remap_vmalloc_range(struct vm_area_struct *vma, void *addr, int vmap_pages_range(unsigned long addr, unsigned long end, pgprot_t prot, struct page **pages, unsigned int page_shift); -/* - * Architectures can set this mask to a combination of PGTBL_P?D_MODIFIED values - * and let generic vmalloc and ioremap code know when arch_sync_kernel_mappings() - * needs to be called. - */ -#ifndef ARCH_PAGE_TABLE_SYNC_MASK -#define ARCH_PAGE_TABLE_SYNC_MASK 0 -#endif - -/* - * There is no default implementation for arch_sync_kernel_mappings(). It is - * relied upon the compiler to optimize calls out if ARCH_PAGE_TABLE_SYNC_MASK - * is 0. - */ -void arch_sync_kernel_mappings(unsigned long start, unsigned long end); - /* * Lowlevel-APIs (not for driver use!) */ -- 2.43.0

1 month, 2 weeks

1
0
0 0

[folded-merged] mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potensial-deadloop-fix.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: swap: correctly use maxpages in swapon syscall to avoid potential deadloop has been removed from the -mm tree. Its filename was mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potensial-deadloop-fix.patch This patch was dropped because it was folded into mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potensial-deadloop.patch ------------------------------------------------------ From: Kemeng Shi <shikemeng(a)huaweicloud.com> Subject: mm: swap: correctly use maxpages in swapon syscall to avoid potential deadloop Date: Fri, 18 Jul 2025 14:51:39 +0800 ensure si->pages == si->max - 1 after setup_swap_extents() Link: https://lkml.kernel.org/r/20250522122554.12209-3-shikemeng@huaweicloud.com Link: https://lkml.kernel.org/r/20250718065139.61989-1-shikemeng@huaweicloud.com Fixes: 661383c6111a ("mm: swap: relaim the cached parts that got scanned") Signed-off-by: Kemeng Shi <shikemeng(a)huaweicloud.com> Reviewed-by: Baoquan He <bhe(a)redhat.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Kairui Song <kasong(a)tencent.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/swapfile.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/mm/swapfile.c~mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potensial-deadloop-fix +++ a/mm/swapfile.c @@ -3357,6 +3357,12 @@ SYSCALL_DEFINE2(swapon, const char __use error = nr_extents; goto bad_swap_unlock_inode; } + if (si->pages != si->max - 1) { + pr_err("swap:%u != (max:%u - 1)\n", si->pages, si->max); + error = -EINVAL; + goto bad_swap_unlock_inode; + } + maxpages = si->max; /* OK, set up the swap map and apply the bad block list */ _ Patches currently in -mm which might be from shikemeng(a)huaweicloud.com are mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc.patch mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potensial-deadloop.patch mm-swap-fix-potensial-buffer-overflow-in-setup_clusters.patch mm-swap-remove-stale-comment-stale-comment-in-cluster_alloc_swap_entry.patch

1 month, 2 weeks

1
0
0 0

[merged mm-hotfixes-stable] sprintfh-requires-stdargh.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: sprintf.h requires stdarg.h has been removed from the -mm tree. Its filename was sprintfh-requires-stdargh.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Stephen Rothwell <sfr(a)canb.auug.org.au> Subject: sprintf.h requires stdarg.h Date: Mon, 21 Jul 2025 16:15:57 +1000 In file included from drivers/crypto/intel/qat/qat_common/adf_pm_dbgfs_utils.c:4: include/linux/sprintf.h:11:54: error: unknown type name 'va_list' 11 | __printf(2, 0) int vsprintf(char *buf, const char *, va_list); | ^~~~~~~ include/linux/sprintf.h:1:1: note: 'va_list' is defined in header '<stdarg.h>'; this is probably fixable by adding '#include <stdarg.h>' Link: https://lkml.kernel.org/r/20250721173754.42865913@canb.auug.org.au Fixes: 39ced19b9e60 ("lib/vsprintf: split out sprintf() and friends") Signed-off-by: Stephen Rothwell <sfr(a)canb.auug.org.au> Cc: Andriy Shevchenko <andriy.shevchenko(a)linux.intel.com> Cc: Herbert Xu <herbert(a)gondor.apana.org.au> Cc: Petr Mladek <pmladek(a)suse.com> Cc: Steven Rostedt <rostedt(a)goodmis.org> Cc: Rasmus Villemoes <linux(a)rasmusvillemoes.dk> Cc: Sergey Senozhatsky <senozhatsky(a)chromium.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/sprintf.h | 1 + 1 file changed, 1 insertion(+) --- a/include/linux/sprintf.h~sprintfh-requires-stdargh +++ a/include/linux/sprintf.h @@ -4,6 +4,7 @@ #include <linux/compiler_attributes.h> #include <linux/types.h> +#include <linux/stdarg.h> int num_to_str(char *buf, int size, unsigned long long num, unsigned int width); _ Patches currently in -mm which might be from sfr(a)canb.auug.org.au are

1 month, 2 weeks

1
0
0 0

[merged mm-hotfixes-stable] resource-fix-false-warning-in-__request_region.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: resource: fix false warning in __request_region() has been removed from the -mm tree. Its filename was resource-fix-false-warning-in-__request_region.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Akinobu Mita <akinobu.mita(a)gmail.com> Subject: resource: fix false warning in __request_region() Date: Sat, 19 Jul 2025 20:26:04 +0900 A warning is raised when __request_region() detects a conflict with a resource whose resource.desc is IORES_DESC_DEVICE_PRIVATE_MEMORY. But this warning is only valid for iomem_resources. The hmem device resource uses resource.desc as the numa node id, which can cause spurious warnings. This warning appeared on a machine with multiple cxl memory expanders. One of the NUMA node id is 6, which is the same as the value of IORES_DESC_DEVICE_PRIVATE_MEMORY. In this environment it was just a spurious warning, but when I saw the warning I suspected a real problem so it's better to fix it. This change fixes this by restricting the warning to only iomem_resource. This also adds a missing new line to the warning message. Link: https://lkml.kernel.org/r/20250719112604.25500-1-akinobu.mita@gmail.com Fixes: 7dab174e2e27 ("dax/hmem: Move hmem device registration to dax_hmem.ko") Signed-off-by: Akinobu Mita <akinobu.mita(a)gmail.com> Reviewed-by: Dan Williams <dan.j.williams(a)intel.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/resource.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/kernel/resource.c~resource-fix-false-warning-in-__request_region +++ a/kernel/resource.c @@ -1279,8 +1279,9 @@ static int __request_region_locked(struc * become unavailable to other users. Conflicts are * not expected. Warn to aid debugging if encountered. */ - if (conflict->desc == IORES_DESC_DEVICE_PRIVATE_MEMORY) { - pr_warn("Unaddressable device %s %pR conflicts with %pR", + if (parent == &iomem_resource && + conflict->desc == IORES_DESC_DEVICE_PRIVATE_MEMORY) { + pr_warn("Unaddressable device %s %pR conflicts with %pR\n", conflict->name, conflict, res); } if (conflict != parent) { _ Patches currently in -mm which might be from akinobu.mita(a)gmail.com are

1 month, 2 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-damon-core-commit-damos_quota_goal-nid.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/core: commit damos_quota_goal->nid has been removed from the -mm tree. Its filename was mm-damon-core-commit-damos_quota_goal-nid.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/core: commit damos_quota_goal->nid Date: Sat, 19 Jul 2025 11:19:32 -0700 DAMOS quota goal uses 'nid' field when the metric is DAMOS_QUOTA_NODE_MEM_{USED,FREE}_BP. But the goal commit function is not updating the goal's nid field. Fix it. Link: https://lkml.kernel.org/r/20250719181932.72944-1-sj@kernel.org Fixes: 0e1c773b501f ("mm/damon/core: introduce damos quota goal metrics for memory node utilization") [6.16.x] Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) --- a/mm/damon/core.c~mm-damon-core-commit-damos_quota_goal-nid +++ a/mm/damon/core.c @@ -754,6 +754,19 @@ static struct damos_quota_goal *damos_nt return NULL; } +static void damos_commit_quota_goal_union( + struct damos_quota_goal *dst, struct damos_quota_goal *src) +{ + switch (dst->metric) { + case DAMOS_QUOTA_NODE_MEM_USED_BP: + case DAMOS_QUOTA_NODE_MEM_FREE_BP: + dst->nid = src->nid; + break; + default: + break; + } +} + static void damos_commit_quota_goal( struct damos_quota_goal *dst, struct damos_quota_goal *src) { @@ -762,6 +775,7 @@ static void damos_commit_quota_goal( if (dst->metric == DAMOS_QUOTA_USER_INPUT) dst->current_value = src->current_value; /* keep last_psi_total as is, since it will be updated in next cycle */ + damos_commit_quota_goal_union(dst, src); } /** @@ -795,6 +809,7 @@ int damos_commit_quota_goals(struct damo src_goal->metric, src_goal->target_value); if (!new_goal) return -ENOMEM; + damos_commit_quota_goal_union(new_goal, src_goal); damos_add_quota_goal(dst, new_goal); } return 0; _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-sysfs-implement-refresh_ms-file-under-kdamond-directory.patch mm-damon-sysfs-implement-refresh_ms-file-internal-work.patch docs-admin-guide-mm-damon-usage-document-refresh_ms-file.patch docs-abi-damon-update-for-refresh_ms.patch mm-damon-ops-common-ignore-migration-request-to-invalid-nodes.patch selftests-damon-sysfspy-stop-damon-for-dumping-failures.patch selftests-damon-_damon_sysfs-support-damos-watermarks-setup.patch selftests-damon-_damon_sysfs-support-damos-filters-setup.patch selftests-damon-_damon_sysfs-support-monitoring-intervals-goal-setup.patch selftests-damon-_damon_sysfs-support-damos-quota-weights-setup.patch selftests-damon-_damon_sysfs-support-damos-quota-goal-nid-setup.patch selftests-damon-_damon_sysfs-support-damos-action-dests-setup.patch selftests-damon-_damon_sysfs-support-damos-target_nid-setup.patch selftests-damon-_damon_sysfs-use-232-1-as-max-nr_accesses-and-age.patch selftests-damon-drgn_dump_damon_status-dump-damos-migrate_dests.patch selftests-damon-drgn_dump_damon_status-dump-ctx-opsid.patch selftests-damon-drgn_dump_damon_status-dump-damos-filters.patch selftests-damon-sysfspy-generalize-damos-watermarks-commit-assertion.patch selftests-damon-sysfspy-generalize-damosquota-commit-assertion.patch selftests-damon-sysfspy-test-quota-goal-commitment.patch selftests-damon-sysfspy-test-damos-destinations-commitment.patch selftests-damon-sysfspy-generalize-damos-scheme-commit-assertion.patch selftests-damon-sysfspy-test-damos-filters-commitment.patch selftests-damon-sysfspy-generalize-damos-schemes-commit-assertion.patch selftests-damon-sysfspy-generalize-monitoring-attributes-commit-assertion.patch selftests-damon-sysfspy-generalize-damon-context-commit-assertion.patch selftests-damon-sysfspy-test-non-default-parameters-runtime-commit.patch selftests-damon-sysfspy-test-runtime-reduction-of-damon-parameters.patch

1 month, 2 weeks

1
0
0 0

[PATCH v2] usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init()

by Nathan Chancellor

After a recent change in clang to expose uninitialized warnings from const variables [1], there is a warning in cxacru_heavy_init(): drivers/usb/atm/cxacru.c:1104:6: error: variable 'bp' is used uninitialized whenever 'if' condition is false [-Werror,-Wsometimes-uninitialized] 1104 | if (instance->modem_type->boot_rom_patch) { | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/usb/atm/cxacru.c:1113:39: note: uninitialized use occurs here 1113 | cxacru_upload_firmware(instance, fw, bp); | ^~ drivers/usb/atm/cxacru.c:1104:2: note: remove the 'if' if its condition is always true 1104 | if (instance->modem_type->boot_rom_patch) { | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/usb/atm/cxacru.c:1095:32: note: initialize the variable 'bp' to silence this warning 1095 | const struct firmware *fw, *bp; | ^ | = NULL While the warning is technically correct that bp is conditionally passed uninitialized to cxacru_upload_firmware(), it is ultimately a false positive warning on the uninitialized use of bp because the same condition that initializes bp, instance->modem_type->boot_rom_patch, is the same one that gates the use of bp within cxacru_upload_firmware(). As this warning occurs in clang's frontend before inlining occurs, it cannot know that these conditions are indentical to avoid the warning. Manually inline cxacru_upload_firmware() into cxacru_heavy_init(), as that is its only callsite, so that clang can see that bp is initialized and used under the same condition, clearing up the warning without any functional changes to the code (LLVM was already doing this inlining later). Cc: stable(a)vger.kernel.org Fixes: 1b0e61465234 ("[PATCH] USB ATM: driver for the Conexant AccessRunner chipset cxacru") Closes: https://github.com/ClangBuiltLinux/linux/issues/2102 Link: https://github.com/llvm/llvm-project/commit/2464313eef01c5b1edf0eccf57a32cd… [1] Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- Changes in v2: - Rather than initialize bp to NULL, manually inline cxacru_upload_firmware() into cxacru_heavy_init() so that clang can see the matching conditions for bp's initialization and use (based on feedback from Greg). - Drop accessrunner-general(a)lists.sourceforge.net, as I got bounces when sending to it unsubscribed. - Link to v1: https://lore.kernel.org/r/20250715-usb-cxacru-fix-clang-21-uninit-warning-v… --- drivers/usb/atm/cxacru.c | 106 ++++++++++++++++++++++------------------------- 1 file changed, 49 insertions(+), 57 deletions(-) diff --git a/drivers/usb/atm/cxacru.c b/drivers/usb/atm/cxacru.c index a12ab90b3db75b230dcf319a949e6d10dbac0363..68a8e9de8b4fe95be31b561f7f5df7e3c59142ae 100644 --- a/drivers/usb/atm/cxacru.c +++ b/drivers/usb/atm/cxacru.c @@ -980,25 +980,60 @@ static int cxacru_fw(struct usb_device *usb_dev, enum cxacru_fw_request fw, return ret; } -static void cxacru_upload_firmware(struct cxacru_data *instance, - const struct firmware *fw, - const struct firmware *bp) + +static int cxacru_find_firmware(struct cxacru_data *instance, + char *phase, const struct firmware **fw_p) { - int ret; + struct usbatm_data *usbatm = instance->usbatm; + struct device *dev = &usbatm->usb_intf->dev; + char buf[16]; + + sprintf(buf, "cxacru-%s.bin", phase); + usb_dbg(usbatm, "cxacru_find_firmware: looking for %s\n", buf); + + if (request_firmware(fw_p, buf, dev)) { + usb_dbg(usbatm, "no stage %s firmware found\n", phase); + return -ENOENT; + } + + usb_info(usbatm, "found firmware %s\n", buf); + + return 0; +} + +static int cxacru_heavy_init(struct usbatm_data *usbatm_instance, + struct usb_interface *usb_intf) +{ + const struct firmware *fw, *bp; + struct cxacru_data *instance = usbatm_instance->driver_data; struct usbatm_data *usbatm = instance->usbatm; struct usb_device *usb_dev = usbatm->usb_dev; __le16 signature[] = { usb_dev->descriptor.idVendor, usb_dev->descriptor.idProduct }; __le32 val; + int ret; - usb_dbg(usbatm, "%s\n", __func__); + ret = cxacru_find_firmware(instance, "fw", &fw); + if (ret) { + usb_warn(usbatm_instance, "firmware (cxacru-fw.bin) unavailable (system misconfigured?)\n"); + return ret; + } + + if (instance->modem_type->boot_rom_patch) { + ret = cxacru_find_firmware(instance, "bp", &bp); + if (ret) { + usb_warn(usbatm_instance, "boot ROM patch (cxacru-bp.bin) unavailable (system misconfigured?)\n"); + release_firmware(fw); + return ret; + } + } /* FirmwarePllFClkValue */ val = cpu_to_le32(instance->modem_type->pll_f_clk); ret = cxacru_fw(usb_dev, FW_WRITE_MEM, 0x2, 0x0, PLLFCLK_ADDR, (u8 *) &val, 4); if (ret) { usb_err(usbatm, "FirmwarePllFClkValue failed: %d\n", ret); - return; + goto done; } /* FirmwarePllBClkValue */ @@ -1006,7 +1041,7 @@ static void cxacru_upload_firmware(struct cxacru_data *instance, ret = cxacru_fw(usb_dev, FW_WRITE_MEM, 0x2, 0x0, PLLBCLK_ADDR, (u8 *) &val, 4); if (ret) { usb_err(usbatm, "FirmwarePllBClkValue failed: %d\n", ret); - return; + goto done; } /* Enable SDRAM */ @@ -1014,7 +1049,7 @@ static void cxacru_upload_firmware(struct cxacru_data *instance, ret = cxacru_fw(usb_dev, FW_WRITE_MEM, 0x2, 0x0, SDRAMEN_ADDR, (u8 *) &val, 4); if (ret) { usb_err(usbatm, "Enable SDRAM failed: %d\n", ret); - return; + goto done; } /* Firmware */ @@ -1022,7 +1057,7 @@ static void cxacru_upload_firmware(struct cxacru_data *instance, ret = cxacru_fw(usb_dev, FW_WRITE_MEM, 0x2, 0x0, FW_ADDR, fw->data, fw->size); if (ret) { usb_err(usbatm, "Firmware upload failed: %d\n", ret); - return; + goto done; } /* Boot ROM patch */ @@ -1031,7 +1066,7 @@ static void cxacru_upload_firmware(struct cxacru_data *instance, ret = cxacru_fw(usb_dev, FW_WRITE_MEM, 0x2, 0x0, BR_ADDR, bp->data, bp->size); if (ret) { usb_err(usbatm, "Boot ROM patching failed: %d\n", ret); - return; + goto done; } } @@ -1039,7 +1074,7 @@ static void cxacru_upload_firmware(struct cxacru_data *instance, ret = cxacru_fw(usb_dev, FW_WRITE_MEM, 0x2, 0x0, SIG_ADDR, (u8 *) signature, 4); if (ret) { usb_err(usbatm, "Signature storing failed: %d\n", ret); - return; + goto done; } usb_info(usbatm, "starting device\n"); @@ -1051,7 +1086,7 @@ static void cxacru_upload_firmware(struct cxacru_data *instance, } if (ret) { usb_err(usbatm, "Passing control to firmware failed: %d\n", ret); - return; + goto done; } /* Delay to allow firmware to start up. */ @@ -1065,53 +1100,10 @@ static void cxacru_upload_firmware(struct cxacru_data *instance, ret = cxacru_cm(instance, CM_REQUEST_CARD_GET_STATUS, NULL, 0, NULL, 0); if (ret < 0) { usb_err(usbatm, "modem failed to initialize: %d\n", ret); - return; - } -} - -static int cxacru_find_firmware(struct cxacru_data *instance, - char *phase, const struct firmware **fw_p) -{ - struct usbatm_data *usbatm = instance->usbatm; - struct device *dev = &usbatm->usb_intf->dev; - char buf[16]; - - sprintf(buf, "cxacru-%s.bin", phase); - usb_dbg(usbatm, "cxacru_find_firmware: looking for %s\n", buf); - - if (request_firmware(fw_p, buf, dev)) { - usb_dbg(usbatm, "no stage %s firmware found\n", phase); - return -ENOENT; - } - - usb_info(usbatm, "found firmware %s\n", buf); - - return 0; -} - -static int cxacru_heavy_init(struct usbatm_data *usbatm_instance, - struct usb_interface *usb_intf) -{ - const struct firmware *fw, *bp; - struct cxacru_data *instance = usbatm_instance->driver_data; - int ret = cxacru_find_firmware(instance, "fw", &fw); - - if (ret) { - usb_warn(usbatm_instance, "firmware (cxacru-fw.bin) unavailable (system misconfigured?)\n"); - return ret; + goto done; } - if (instance->modem_type->boot_rom_patch) { - ret = cxacru_find_firmware(instance, "bp", &bp); - if (ret) { - usb_warn(usbatm_instance, "boot ROM patch (cxacru-bp.bin) unavailable (system misconfigured?)\n"); - release_firmware(fw); - return ret; - } - } - - cxacru_upload_firmware(instance, fw, bp); - +done: if (instance->modem_type->boot_rom_patch) release_firmware(bp); release_firmware(fw); --- base-commit: fdfa018c6962c86d2faa183187669569be4d513f change-id: 20250715-usb-cxacru-fix-clang-21-uninit-warning-9430d96c6bc1 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

1 month, 2 weeks

2
2
0 0

[PATCH 2/5] usb: dwc3: meson-g12a: fix device leaks at unbind

by Johan Hovold

Make sure to drop the references taken to the child devices by of_find_device_by_node() during probe on driver unbind. Fixes: c99993376f72 ("usb: dwc3: Add Amlogic G12A DWC3 glue") Cc: stable(a)vger.kernel.org # 5.2 Cc: Neil Armstrong <neil.armstrong(a)linaro.org> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/usb/dwc3/dwc3-meson-g12a.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/usb/dwc3/dwc3-meson-g12a.c b/drivers/usb/dwc3/dwc3-meson-g12a.c index 7d80bf7b18b0..55e144ba8cfc 100644 --- a/drivers/usb/dwc3/dwc3-meson-g12a.c +++ b/drivers/usb/dwc3/dwc3-meson-g12a.c @@ -837,6 +837,9 @@ static void dwc3_meson_g12a_remove(struct platform_device *pdev) usb_role_switch_unregister(priv->role_switch); + put_device(priv->switch_desc.udc); + put_device(priv->switch_desc.usb2_port); + of_platform_depopulate(dev); for (i = 0 ; i < PHY_COUNT ; ++i) { -- 2.49.1

1 month, 2 weeks

2
1
0 0

Industrial Edge Computing Gateway

by Catherine

Dear. We have released a report on the latest Industrial Edge Computing Gateway market research. Pls feel free to contact Abby(a)vicmarketresearch.com if you are interested in it. A sample report will be sent to you. The following manufacturers are covered in this report: DELL HPE Cisco Huawei ABB Advantech Fujitsu Eurotech Sierra Wireless AAEON Hirschmann ADLINK Technology Digi International Beijing InHand Networks Technology …… Best regards / Mit freundlichen Grüßen / 此致敬意, Abby

1 month, 2 weeks

1
0
0 0

[PATCH v4] x86: Clear feature bits disabled at compile-time

by Maciej Wieczor-Retman

If some config options are disabled during compile time, they still are enumerated in macros that use the x86_capability bitmask - cpu_has() or this_cpu_has(). The features are also visible in /proc/cpuinfo even though they are not enabled - which is contrary to what the documentation states about the file. Examples of such feature flags are lam, fred, sgx, ibrs_enhanced, split_lock_detect, user_shstk, avx_vnni and enqcmd. Add a DISABLED_MASK_INITIALIZER macro that creates an initializer list filled with DISABLED_MASKx bitmasks. Initialize the cpu_caps_cleared array with the autogenerated disabled bitmask. Fixes: ea4e3bef4c94 ("Documentation/x86: Add documentation for /proc/cpuinfo feature flags") Reported-by: Farrah Chen <farrah.chen(a)intel.com> Signed-off-by: H. Peter Anvin (Intel) <hpa(a)zytor.com> Signed-off-by: Maciej Wieczor-Retman <maciej.wieczor-retman(a)intel.com> Cc: <stable(a)vger.kernel.org> --- Changelog v4: - Fix macro name to match with the patch message. - Add Peter's SoB. Changelog v3: - Remove Fixes: tags, keep only one at the point where the documentation changed and promised feature bits wouldn't show up if they're not enabled. - Don't use a helper to initialize cpu_caps_cleared, just statically initialize it. - Remove changes to cpu_caps_set. - Rewrite patch message to account for changes. Changelog v2: - Redo the patch to utilize a more generic solution, not just fix the LAM and FRED feature bits. - Note more feature flags that shouldn't be present. - Add fixes and cc tags. arch/x86/kernel/cpu/common.c | 3 ++- arch/x86/tools/cpufeaturemasks.awk | 6 ++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index 77afca95cced..a9040038ad9d 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -704,7 +704,8 @@ static const char *table_lookup_model(struct cpuinfo_x86 *c) } /* Aligned to unsigned long to avoid split lock in atomic bitmap ops */ -__u32 cpu_caps_cleared[NCAPINTS + NBUGINTS] __aligned(sizeof(unsigned long)); +__u32 cpu_caps_cleared[NCAPINTS + NBUGINTS] __aligned(sizeof(unsigned long)) = + DISABLED_MASK_INITIALIZER; __u32 cpu_caps_set[NCAPINTS + NBUGINTS] __aligned(sizeof(unsigned long)); #ifdef CONFIG_X86_32 diff --git a/arch/x86/tools/cpufeaturemasks.awk b/arch/x86/tools/cpufeaturemasks.awk index 173d5bf2d999..1eabbc69f50d 100755 --- a/arch/x86/tools/cpufeaturemasks.awk +++ b/arch/x86/tools/cpufeaturemasks.awk @@ -84,5 +84,11 @@ END { printf "\t) & (1U << ((x) & 31)))\n\n"; } + printf "\n#define DISABLED_MASK_INITIALIZER\t\t\t\\"; + printf "\n\t{\t\t\t\t\t\t\\"; + for (i = 0; i < ncapints; i++) + printf "\n\t\tDISABLED_MASK%d,\t\t\t\\", i; + printf "\n\t}\n\n"; + printf "#endif /* _ASM_X86_CPUFEATUREMASKS_H */\n"; } -- 2.49.0

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] f2fs: fix to do sanity check on ino and xnid" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 061cf3a84bde038708eb0f1d065b31b7c2456533 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025062047-modular-police-cff2@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 061cf3a84bde038708eb0f1d065b31b7c2456533 Mon Sep 17 00:00:00 2001 From: Chao Yu <chao(a)kernel.org> Date: Mon, 24 Mar 2025 13:33:39 +0800 Subject: [PATCH] f2fs: fix to do sanity check on ino and xnid syzbot reported a f2fs bug as below: INFO: task syz-executor140:5308 blocked for more than 143 seconds. Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor140 state:D stack:24016 pid:5308 tgid:5308 ppid:5306 task_flags:0x400140 flags:0x00000006 Call Trace: <TASK> context_switch kernel/sched/core.c:5378 [inline] __schedule+0x190e/0x4c90 kernel/sched/core.c:6765 __schedule_loop kernel/sched/core.c:6842 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6857 io_schedule+0x8d/0x110 kernel/sched/core.c:7690 folio_wait_bit_common+0x839/0xee0 mm/filemap.c:1317 __folio_lock mm/filemap.c:1664 [inline] folio_lock include/linux/pagemap.h:1163 [inline] __filemap_get_folio+0x147/0xb40 mm/filemap.c:1917 pagecache_get_page+0x2c/0x130 mm/folio-compat.c:87 find_get_page_flags include/linux/pagemap.h:842 [inline] f2fs_grab_cache_page+0x2b/0x320 fs/f2fs/f2fs.h:2776 __get_node_page+0x131/0x11b0 fs/f2fs/node.c:1463 read_xattr_block+0xfb/0x190 fs/f2fs/xattr.c:306 lookup_all_xattrs fs/f2fs/xattr.c:355 [inline] f2fs_getxattr+0x676/0xf70 fs/f2fs/xattr.c:533 __f2fs_get_acl+0x52/0x870 fs/f2fs/acl.c:179 f2fs_acl_create fs/f2fs/acl.c:375 [inline] f2fs_init_acl+0xd7/0x9b0 fs/f2fs/acl.c:418 f2fs_init_inode_metadata+0xa0f/0x1050 fs/f2fs/dir.c:539 f2fs_add_inline_entry+0x448/0x860 fs/f2fs/inline.c:666 f2fs_add_dentry+0xba/0x1e0 fs/f2fs/dir.c:765 f2fs_do_add_link+0x28c/0x3a0 fs/f2fs/dir.c:808 f2fs_add_link fs/f2fs/f2fs.h:3616 [inline] f2fs_mknod+0x2e8/0x5b0 fs/f2fs/namei.c:766 vfs_mknod+0x36d/0x3b0 fs/namei.c:4191 unix_bind_bsd net/unix/af_unix.c:1286 [inline] unix_bind+0x563/0xe30 net/unix/af_unix.c:1379 __sys_bind_socket net/socket.c:1817 [inline] __sys_bind+0x1e4/0x290 net/socket.c:1848 __do_sys_bind net/socket.c:1853 [inline] __se_sys_bind net/socket.c:1851 [inline] __x64_sys_bind+0x7a/0x90 net/socket.c:1851 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Let's dump and check metadata of corrupted inode, it shows its xattr_nid is the same to its i_ino. dump.f2fs -i 3 chaseyu.img.raw i_xattr_nid [0x 3 : 3] So that, during mknod in the corrupted directory, it tries to get and lock inode page twice, result in deadlock. - f2fs_mknod - f2fs_add_inline_entry - f2fs_get_inode_page --- lock dir's inode page - f2fs_init_acl - f2fs_acl_create(dir,..) - __f2fs_get_acl - f2fs_getxattr - lookup_all_xattrs - __get_node_page --- try to lock dir's inode page In order to fix this, let's add sanity check on ino and xnid. Cc: stable(a)vger.kernel.org Reported-by: syzbot+cc448dcdc7ae0b4e4ffa(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-f2fs-devel/67e06150.050a0220.21942d.0005.GAE@… Signed-off-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c index fa5097da7c88..f5991e8751b9 100644 --- a/fs/f2fs/inode.c +++ b/fs/f2fs/inode.c @@ -288,6 +288,12 @@ static bool sanity_check_inode(struct inode *inode, struct page *node_page) return false; } + if (ino_of_node(node_page) == fi->i_xattr_nid) { + f2fs_warn(sbi, "%s: corrupted inode i_ino=%lx, xnid=%x, run fsck to fix.", + __func__, inode->i_ino, fi->i_xattr_nid); + return false; + } + if (f2fs_has_extra_attr(inode)) { if (!f2fs_sb_has_extra_attr(sbi)) { f2fs_warn(sbi, "%s: inode (ino=%lx) is with extra_attr, but extra_attr feature is off",

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] f2fs: fix to do sanity check on ino and xnid" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 061cf3a84bde038708eb0f1d065b31b7c2456533 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025062023-frequent-thousand-f5c6@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 061cf3a84bde038708eb0f1d065b31b7c2456533 Mon Sep 17 00:00:00 2001 From: Chao Yu <chao(a)kernel.org> Date: Mon, 24 Mar 2025 13:33:39 +0800 Subject: [PATCH] f2fs: fix to do sanity check on ino and xnid syzbot reported a f2fs bug as below: INFO: task syz-executor140:5308 blocked for more than 143 seconds. Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor140 state:D stack:24016 pid:5308 tgid:5308 ppid:5306 task_flags:0x400140 flags:0x00000006 Call Trace: <TASK> context_switch kernel/sched/core.c:5378 [inline] __schedule+0x190e/0x4c90 kernel/sched/core.c:6765 __schedule_loop kernel/sched/core.c:6842 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6857 io_schedule+0x8d/0x110 kernel/sched/core.c:7690 folio_wait_bit_common+0x839/0xee0 mm/filemap.c:1317 __folio_lock mm/filemap.c:1664 [inline] folio_lock include/linux/pagemap.h:1163 [inline] __filemap_get_folio+0x147/0xb40 mm/filemap.c:1917 pagecache_get_page+0x2c/0x130 mm/folio-compat.c:87 find_get_page_flags include/linux/pagemap.h:842 [inline] f2fs_grab_cache_page+0x2b/0x320 fs/f2fs/f2fs.h:2776 __get_node_page+0x131/0x11b0 fs/f2fs/node.c:1463 read_xattr_block+0xfb/0x190 fs/f2fs/xattr.c:306 lookup_all_xattrs fs/f2fs/xattr.c:355 [inline] f2fs_getxattr+0x676/0xf70 fs/f2fs/xattr.c:533 __f2fs_get_acl+0x52/0x870 fs/f2fs/acl.c:179 f2fs_acl_create fs/f2fs/acl.c:375 [inline] f2fs_init_acl+0xd7/0x9b0 fs/f2fs/acl.c:418 f2fs_init_inode_metadata+0xa0f/0x1050 fs/f2fs/dir.c:539 f2fs_add_inline_entry+0x448/0x860 fs/f2fs/inline.c:666 f2fs_add_dentry+0xba/0x1e0 fs/f2fs/dir.c:765 f2fs_do_add_link+0x28c/0x3a0 fs/f2fs/dir.c:808 f2fs_add_link fs/f2fs/f2fs.h:3616 [inline] f2fs_mknod+0x2e8/0x5b0 fs/f2fs/namei.c:766 vfs_mknod+0x36d/0x3b0 fs/namei.c:4191 unix_bind_bsd net/unix/af_unix.c:1286 [inline] unix_bind+0x563/0xe30 net/unix/af_unix.c:1379 __sys_bind_socket net/socket.c:1817 [inline] __sys_bind+0x1e4/0x290 net/socket.c:1848 __do_sys_bind net/socket.c:1853 [inline] __se_sys_bind net/socket.c:1851 [inline] __x64_sys_bind+0x7a/0x90 net/socket.c:1851 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Let's dump and check metadata of corrupted inode, it shows its xattr_nid is the same to its i_ino. dump.f2fs -i 3 chaseyu.img.raw i_xattr_nid [0x 3 : 3] So that, during mknod in the corrupted directory, it tries to get and lock inode page twice, result in deadlock. - f2fs_mknod - f2fs_add_inline_entry - f2fs_get_inode_page --- lock dir's inode page - f2fs_init_acl - f2fs_acl_create(dir,..) - __f2fs_get_acl - f2fs_getxattr - lookup_all_xattrs - __get_node_page --- try to lock dir's inode page In order to fix this, let's add sanity check on ino and xnid. Cc: stable(a)vger.kernel.org Reported-by: syzbot+cc448dcdc7ae0b4e4ffa(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-f2fs-devel/67e06150.050a0220.21942d.0005.GAE@… Signed-off-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c index fa5097da7c88..f5991e8751b9 100644 --- a/fs/f2fs/inode.c +++ b/fs/f2fs/inode.c @@ -288,6 +288,12 @@ static bool sanity_check_inode(struct inode *inode, struct page *node_page) return false; } + if (ino_of_node(node_page) == fi->i_xattr_nid) { + f2fs_warn(sbi, "%s: corrupted inode i_ino=%lx, xnid=%x, run fsck to fix.", + __func__, inode->i_ino, fi->i_xattr_nid); + return false; + } + if (f2fs_has_extra_attr(inode)) { if (!f2fs_sb_has_extra_attr(sbi)) { f2fs_warn(sbi, "%s: inode (ino=%lx) is with extra_attr, but extra_attr feature is off",

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] f2fs: fix to do sanity check on ino and xnid" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 061cf3a84bde038708eb0f1d065b31b7c2456533 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025062013-uncertain-flyable-d3b8@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 061cf3a84bde038708eb0f1d065b31b7c2456533 Mon Sep 17 00:00:00 2001 From: Chao Yu <chao(a)kernel.org> Date: Mon, 24 Mar 2025 13:33:39 +0800 Subject: [PATCH] f2fs: fix to do sanity check on ino and xnid syzbot reported a f2fs bug as below: INFO: task syz-executor140:5308 blocked for more than 143 seconds. Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor140 state:D stack:24016 pid:5308 tgid:5308 ppid:5306 task_flags:0x400140 flags:0x00000006 Call Trace: <TASK> context_switch kernel/sched/core.c:5378 [inline] __schedule+0x190e/0x4c90 kernel/sched/core.c:6765 __schedule_loop kernel/sched/core.c:6842 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6857 io_schedule+0x8d/0x110 kernel/sched/core.c:7690 folio_wait_bit_common+0x839/0xee0 mm/filemap.c:1317 __folio_lock mm/filemap.c:1664 [inline] folio_lock include/linux/pagemap.h:1163 [inline] __filemap_get_folio+0x147/0xb40 mm/filemap.c:1917 pagecache_get_page+0x2c/0x130 mm/folio-compat.c:87 find_get_page_flags include/linux/pagemap.h:842 [inline] f2fs_grab_cache_page+0x2b/0x320 fs/f2fs/f2fs.h:2776 __get_node_page+0x131/0x11b0 fs/f2fs/node.c:1463 read_xattr_block+0xfb/0x190 fs/f2fs/xattr.c:306 lookup_all_xattrs fs/f2fs/xattr.c:355 [inline] f2fs_getxattr+0x676/0xf70 fs/f2fs/xattr.c:533 __f2fs_get_acl+0x52/0x870 fs/f2fs/acl.c:179 f2fs_acl_create fs/f2fs/acl.c:375 [inline] f2fs_init_acl+0xd7/0x9b0 fs/f2fs/acl.c:418 f2fs_init_inode_metadata+0xa0f/0x1050 fs/f2fs/dir.c:539 f2fs_add_inline_entry+0x448/0x860 fs/f2fs/inline.c:666 f2fs_add_dentry+0xba/0x1e0 fs/f2fs/dir.c:765 f2fs_do_add_link+0x28c/0x3a0 fs/f2fs/dir.c:808 f2fs_add_link fs/f2fs/f2fs.h:3616 [inline] f2fs_mknod+0x2e8/0x5b0 fs/f2fs/namei.c:766 vfs_mknod+0x36d/0x3b0 fs/namei.c:4191 unix_bind_bsd net/unix/af_unix.c:1286 [inline] unix_bind+0x563/0xe30 net/unix/af_unix.c:1379 __sys_bind_socket net/socket.c:1817 [inline] __sys_bind+0x1e4/0x290 net/socket.c:1848 __do_sys_bind net/socket.c:1853 [inline] __se_sys_bind net/socket.c:1851 [inline] __x64_sys_bind+0x7a/0x90 net/socket.c:1851 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Let's dump and check metadata of corrupted inode, it shows its xattr_nid is the same to its i_ino. dump.f2fs -i 3 chaseyu.img.raw i_xattr_nid [0x 3 : 3] So that, during mknod in the corrupted directory, it tries to get and lock inode page twice, result in deadlock. - f2fs_mknod - f2fs_add_inline_entry - f2fs_get_inode_page --- lock dir's inode page - f2fs_init_acl - f2fs_acl_create(dir,..) - __f2fs_get_acl - f2fs_getxattr - lookup_all_xattrs - __get_node_page --- try to lock dir's inode page In order to fix this, let's add sanity check on ino and xnid. Cc: stable(a)vger.kernel.org Reported-by: syzbot+cc448dcdc7ae0b4e4ffa(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-f2fs-devel/67e06150.050a0220.21942d.0005.GAE@… Signed-off-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c index fa5097da7c88..f5991e8751b9 100644 --- a/fs/f2fs/inode.c +++ b/fs/f2fs/inode.c @@ -288,6 +288,12 @@ static bool sanity_check_inode(struct inode *inode, struct page *node_page) return false; } + if (ino_of_node(node_page) == fi->i_xattr_nid) { + f2fs_warn(sbi, "%s: corrupted inode i_ino=%lx, xnid=%x, run fsck to fix.", + __func__, inode->i_ino, fi->i_xattr_nid); + return false; + } + if (f2fs_has_extra_attr(inode)) { if (!f2fs_sb_has_extra_attr(sbi)) { f2fs_warn(sbi, "%s: inode (ino=%lx) is with extra_attr, but extra_attr feature is off",

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] f2fs: fix to do sanity check on ino and xnid" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 061cf3a84bde038708eb0f1d065b31b7c2456533 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025062012-stride-reliance-60ad@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 061cf3a84bde038708eb0f1d065b31b7c2456533 Mon Sep 17 00:00:00 2001 From: Chao Yu <chao(a)kernel.org> Date: Mon, 24 Mar 2025 13:33:39 +0800 Subject: [PATCH] f2fs: fix to do sanity check on ino and xnid syzbot reported a f2fs bug as below: INFO: task syz-executor140:5308 blocked for more than 143 seconds. Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor140 state:D stack:24016 pid:5308 tgid:5308 ppid:5306 task_flags:0x400140 flags:0x00000006 Call Trace: <TASK> context_switch kernel/sched/core.c:5378 [inline] __schedule+0x190e/0x4c90 kernel/sched/core.c:6765 __schedule_loop kernel/sched/core.c:6842 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6857 io_schedule+0x8d/0x110 kernel/sched/core.c:7690 folio_wait_bit_common+0x839/0xee0 mm/filemap.c:1317 __folio_lock mm/filemap.c:1664 [inline] folio_lock include/linux/pagemap.h:1163 [inline] __filemap_get_folio+0x147/0xb40 mm/filemap.c:1917 pagecache_get_page+0x2c/0x130 mm/folio-compat.c:87 find_get_page_flags include/linux/pagemap.h:842 [inline] f2fs_grab_cache_page+0x2b/0x320 fs/f2fs/f2fs.h:2776 __get_node_page+0x131/0x11b0 fs/f2fs/node.c:1463 read_xattr_block+0xfb/0x190 fs/f2fs/xattr.c:306 lookup_all_xattrs fs/f2fs/xattr.c:355 [inline] f2fs_getxattr+0x676/0xf70 fs/f2fs/xattr.c:533 __f2fs_get_acl+0x52/0x870 fs/f2fs/acl.c:179 f2fs_acl_create fs/f2fs/acl.c:375 [inline] f2fs_init_acl+0xd7/0x9b0 fs/f2fs/acl.c:418 f2fs_init_inode_metadata+0xa0f/0x1050 fs/f2fs/dir.c:539 f2fs_add_inline_entry+0x448/0x860 fs/f2fs/inline.c:666 f2fs_add_dentry+0xba/0x1e0 fs/f2fs/dir.c:765 f2fs_do_add_link+0x28c/0x3a0 fs/f2fs/dir.c:808 f2fs_add_link fs/f2fs/f2fs.h:3616 [inline] f2fs_mknod+0x2e8/0x5b0 fs/f2fs/namei.c:766 vfs_mknod+0x36d/0x3b0 fs/namei.c:4191 unix_bind_bsd net/unix/af_unix.c:1286 [inline] unix_bind+0x563/0xe30 net/unix/af_unix.c:1379 __sys_bind_socket net/socket.c:1817 [inline] __sys_bind+0x1e4/0x290 net/socket.c:1848 __do_sys_bind net/socket.c:1853 [inline] __se_sys_bind net/socket.c:1851 [inline] __x64_sys_bind+0x7a/0x90 net/socket.c:1851 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Let's dump and check metadata of corrupted inode, it shows its xattr_nid is the same to its i_ino. dump.f2fs -i 3 chaseyu.img.raw i_xattr_nid [0x 3 : 3] So that, during mknod in the corrupted directory, it tries to get and lock inode page twice, result in deadlock. - f2fs_mknod - f2fs_add_inline_entry - f2fs_get_inode_page --- lock dir's inode page - f2fs_init_acl - f2fs_acl_create(dir,..) - __f2fs_get_acl - f2fs_getxattr - lookup_all_xattrs - __get_node_page --- try to lock dir's inode page In order to fix this, let's add sanity check on ino and xnid. Cc: stable(a)vger.kernel.org Reported-by: syzbot+cc448dcdc7ae0b4e4ffa(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-f2fs-devel/67e06150.050a0220.21942d.0005.GAE@… Signed-off-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c index fa5097da7c88..f5991e8751b9 100644 --- a/fs/f2fs/inode.c +++ b/fs/f2fs/inode.c @@ -288,6 +288,12 @@ static bool sanity_check_inode(struct inode *inode, struct page *node_page) return false; } + if (ino_of_node(node_page) == fi->i_xattr_nid) { + f2fs_warn(sbi, "%s: corrupted inode i_ino=%lx, xnid=%x, run fsck to fix.", + __func__, inode->i_ino, fi->i_xattr_nid); + return false; + } + if (f2fs_has_extra_attr(inode)) { if (!f2fs_sb_has_extra_attr(sbi)) { f2fs_warn(sbi, "%s: inode (ino=%lx) is with extra_attr, but extra_attr feature is off",

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] iio: hid-sensor-prox: Fix incorrect OFFSET calculation" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 79dabbd505210e41c88060806c92c052496dd61c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051218-levitator-october-5d50@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 79dabbd505210e41c88060806c92c052496dd61c Mon Sep 17 00:00:00 2001 From: Zhang Lixu <lixu.zhang(a)intel.com> Date: Mon, 31 Mar 2025 13:50:22 +0800 Subject: [PATCH] iio: hid-sensor-prox: Fix incorrect OFFSET calculation The OFFSET calculation in the prox_read_raw() was incorrectly using the unit exponent, which is intended for SCALE calculations. Remove the incorrect OFFSET calculation and set it to a fixed value of 0. Cc: stable(a)vger.kernel.org Fixes: 39a3a0138f61 ("iio: hid-sensors: Added Proximity Sensor Driver") Signed-off-by: Zhang Lixu <lixu.zhang(a)intel.com> Acked-by: Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> Link: https://patch.msgid.link/20250331055022.1149736-4-lixu.zhang@intel.com Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> diff --git a/drivers/iio/light/hid-sensor-prox.c b/drivers/iio/light/hid-sensor-prox.c index 941508e58286..4c65b32d34ce 100644 --- a/drivers/iio/light/hid-sensor-prox.c +++ b/drivers/iio/light/hid-sensor-prox.c @@ -124,8 +124,7 @@ static int prox_read_raw(struct iio_dev *indio_dev, ret_type = prox_state->scale_precision[chan->scan_index]; break; case IIO_CHAN_INFO_OFFSET: - *val = hid_sensor_convert_exponent( - prox_state->prox_attr[chan->scan_index].unit_expo); + *val = 0; ret_type = IIO_VAL_INT; break; case IIO_CHAN_INFO_SAMP_FREQ:

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] iio: hid-sensor-prox: Fix incorrect OFFSET calculation" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 79dabbd505210e41c88060806c92c052496dd61c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051218-opponent-tarmac-061d@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 79dabbd505210e41c88060806c92c052496dd61c Mon Sep 17 00:00:00 2001 From: Zhang Lixu <lixu.zhang(a)intel.com> Date: Mon, 31 Mar 2025 13:50:22 +0800 Subject: [PATCH] iio: hid-sensor-prox: Fix incorrect OFFSET calculation The OFFSET calculation in the prox_read_raw() was incorrectly using the unit exponent, which is intended for SCALE calculations. Remove the incorrect OFFSET calculation and set it to a fixed value of 0. Cc: stable(a)vger.kernel.org Fixes: 39a3a0138f61 ("iio: hid-sensors: Added Proximity Sensor Driver") Signed-off-by: Zhang Lixu <lixu.zhang(a)intel.com> Acked-by: Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> Link: https://patch.msgid.link/20250331055022.1149736-4-lixu.zhang@intel.com Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> diff --git a/drivers/iio/light/hid-sensor-prox.c b/drivers/iio/light/hid-sensor-prox.c index 941508e58286..4c65b32d34ce 100644 --- a/drivers/iio/light/hid-sensor-prox.c +++ b/drivers/iio/light/hid-sensor-prox.c @@ -124,8 +124,7 @@ static int prox_read_raw(struct iio_dev *indio_dev, ret_type = prox_state->scale_precision[chan->scan_index]; break; case IIO_CHAN_INFO_OFFSET: - *val = hid_sensor_convert_exponent( - prox_state->prox_attr[chan->scan_index].unit_expo); + *val = 0; ret_type = IIO_VAL_INT; break; case IIO_CHAN_INFO_SAMP_FREQ:

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] iio: hid-sensor-prox: Restore lost scale assignments" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 83ded7cfaccccd2f4041769c313b58b4c9e265ad # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051230-facility-envision-71f1@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 83ded7cfaccccd2f4041769c313b58b4c9e265ad Mon Sep 17 00:00:00 2001 From: Zhang Lixu <lixu.zhang(a)intel.com> Date: Mon, 31 Mar 2025 13:50:20 +0800 Subject: [PATCH] iio: hid-sensor-prox: Restore lost scale assignments The variables `scale_pre_decml`, `scale_post_decml`, and `scale_precision` were assigned in commit d68c592e02f6 ("iio: hid-sensor-prox: Fix scale not correct issue"), but due to a merge conflict in commit 9c15db92a8e5 ("Merge tag 'iio-for-5.13a' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-next"), these assignments were lost. Add back lost assignments and replace `st->prox_attr` with `st->prox_attr[0]` because commit 596ef5cf654b ("iio: hid-sensor-prox: Add support for more channels") changed `prox_attr` to an array. Cc: stable(a)vger.kernel.org # 5.13+ Fixes: 9c15db92a8e5 ("Merge tag 'iio-for-5.13a' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-next") Signed-off-by: Zhang Lixu <lixu.zhang(a)intel.com> Acked-by: Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> Link: https://patch.msgid.link/20250331055022.1149736-2-lixu.zhang@intel.com Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> diff --git a/drivers/iio/light/hid-sensor-prox.c b/drivers/iio/light/hid-sensor-prox.c index 76b76d12b388..1dc6fb7cf614 100644 --- a/drivers/iio/light/hid-sensor-prox.c +++ b/drivers/iio/light/hid-sensor-prox.c @@ -257,6 +257,11 @@ static int prox_parse_report(struct platform_device *pdev, st->num_channels = index; + st->scale_precision = hid_sensor_format_scale(hsdev->usage, + &st->prox_attr[0], + &st->scale_pre_decml, + &st->scale_post_decml); + return 0; }

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] iio: hid-sensor-prox: Fix incorrect OFFSET calculation" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 79dabbd505210e41c88060806c92c052496dd61c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051217-celestial-untimed-062b@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 79dabbd505210e41c88060806c92c052496dd61c Mon Sep 17 00:00:00 2001 From: Zhang Lixu <lixu.zhang(a)intel.com> Date: Mon, 31 Mar 2025 13:50:22 +0800 Subject: [PATCH] iio: hid-sensor-prox: Fix incorrect OFFSET calculation The OFFSET calculation in the prox_read_raw() was incorrectly using the unit exponent, which is intended for SCALE calculations. Remove the incorrect OFFSET calculation and set it to a fixed value of 0. Cc: stable(a)vger.kernel.org Fixes: 39a3a0138f61 ("iio: hid-sensors: Added Proximity Sensor Driver") Signed-off-by: Zhang Lixu <lixu.zhang(a)intel.com> Acked-by: Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> Link: https://patch.msgid.link/20250331055022.1149736-4-lixu.zhang@intel.com Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> diff --git a/drivers/iio/light/hid-sensor-prox.c b/drivers/iio/light/hid-sensor-prox.c index 941508e58286..4c65b32d34ce 100644 --- a/drivers/iio/light/hid-sensor-prox.c +++ b/drivers/iio/light/hid-sensor-prox.c @@ -124,8 +124,7 @@ static int prox_read_raw(struct iio_dev *indio_dev, ret_type = prox_state->scale_precision[chan->scan_index]; break; case IIO_CHAN_INFO_OFFSET: - *val = hid_sensor_convert_exponent( - prox_state->prox_attr[chan->scan_index].unit_expo); + *val = 0; ret_type = IIO_VAL_INT; break; case IIO_CHAN_INFO_SAMP_FREQ:

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] iio: hid-sensor-prox: Restore lost scale assignments" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 83ded7cfaccccd2f4041769c313b58b4c9e265ad # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051230-unfold-exonerate-3e6d@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 83ded7cfaccccd2f4041769c313b58b4c9e265ad Mon Sep 17 00:00:00 2001 From: Zhang Lixu <lixu.zhang(a)intel.com> Date: Mon, 31 Mar 2025 13:50:20 +0800 Subject: [PATCH] iio: hid-sensor-prox: Restore lost scale assignments The variables `scale_pre_decml`, `scale_post_decml`, and `scale_precision` were assigned in commit d68c592e02f6 ("iio: hid-sensor-prox: Fix scale not correct issue"), but due to a merge conflict in commit 9c15db92a8e5 ("Merge tag 'iio-for-5.13a' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-next"), these assignments were lost. Add back lost assignments and replace `st->prox_attr` with `st->prox_attr[0]` because commit 596ef5cf654b ("iio: hid-sensor-prox: Add support for more channels") changed `prox_attr` to an array. Cc: stable(a)vger.kernel.org # 5.13+ Fixes: 9c15db92a8e5 ("Merge tag 'iio-for-5.13a' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-next") Signed-off-by: Zhang Lixu <lixu.zhang(a)intel.com> Acked-by: Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> Link: https://patch.msgid.link/20250331055022.1149736-2-lixu.zhang@intel.com Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> diff --git a/drivers/iio/light/hid-sensor-prox.c b/drivers/iio/light/hid-sensor-prox.c index 76b76d12b388..1dc6fb7cf614 100644 --- a/drivers/iio/light/hid-sensor-prox.c +++ b/drivers/iio/light/hid-sensor-prox.c @@ -257,6 +257,11 @@ static int prox_parse_report(struct platform_device *pdev, st->num_channels = index; + st->scale_precision = hid_sensor_format_scale(hsdev->usage, + &st->prox_attr[0], + &st->scale_pre_decml, + &st->scale_post_decml); + return 0; }

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x fa787ac07b3ceb56dd88a62d1866038498e96230 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071240-phoney-deniable-545a@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fa787ac07b3ceb56dd88a62d1866038498e96230 Mon Sep 17 00:00:00 2001 From: Manuel Andreas <manuel.andreas(a)tum.de> Date: Wed, 25 Jun 2025 15:53:19 +0200 Subject: [PATCH] KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush In KVM guests with Hyper-V hypercalls enabled, the hypercalls HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST and HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX allow a guest to request invalidation of portions of a virtual TLB. For this, the hypercall parameter includes a list of GVAs that are supposed to be invalidated. However, when non-canonical GVAs are passed, there is currently no filtering in place and they are eventually passed to checked invocations of INVVPID on Intel / INVLPGA on AMD. While AMD's INVLPGA silently ignores non-canonical addresses (effectively a no-op), Intel's INVVPID explicitly signals VM-Fail and ultimately triggers the WARN_ONCE in invvpid_error(): invvpid failed: ext=0x0 vpid=1 gva=0xaaaaaaaaaaaaa000 WARNING: CPU: 6 PID: 326 at arch/x86/kvm/vmx/vmx.c:482 invvpid_error+0x91/0xa0 [kvm_intel] Modules linked in: kvm_intel kvm 9pnet_virtio irqbypass fuse CPU: 6 UID: 0 PID: 326 Comm: kvm-vm Not tainted 6.15.0 #14 PREEMPT(voluntary) RIP: 0010:invvpid_error+0x91/0xa0 [kvm_intel] Call Trace: vmx_flush_tlb_gva+0x320/0x490 [kvm_intel] kvm_hv_vcpu_flush_tlb+0x24f/0x4f0 [kvm] kvm_arch_vcpu_ioctl_run+0x3013/0x5810 [kvm] Hyper-V documents that invalid GVAs (those that are beyond a partition's GVA space) are to be ignored. While not completely clear whether this ruling also applies to non-canonical GVAs, it is likely fine to make that assumption, and manual testing on Azure confirms "real" Hyper-V interprets the specification in the same way. Skip non-canonical GVAs when processing the list of address to avoid tripping the INVVPID failure. Alternatively, KVM could filter out "bad" GVAs before inserting into the FIFO, but practically speaking the only downside of pushing validation to the final processing is that doing so is suboptimal for the guest, and no well-behaved guest will request TLB flushes for non-canonical addresses. Fixes: 260970862c88 ("KVM: x86: hyper-v: Handle HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST{,EX} calls gently") Cc: stable(a)vger.kernel.org Signed-off-by: Manuel Andreas <manuel.andreas(a)tum.de> Suggested-by: Vitaly Kuznetsov <vkuznets(a)redhat.com> Link: https://lore.kernel.org/r/c090efb3-ef82-499f-a5e0-360fc8420fb7@tum.de Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c index 75221a11e15e..ee27064dd72f 100644 --- a/arch/x86/kvm/hyperv.c +++ b/arch/x86/kvm/hyperv.c @@ -1979,6 +1979,9 @@ int kvm_hv_vcpu_flush_tlb(struct kvm_vcpu *vcpu) if (entries[i] == KVM_HV_TLB_FLUSHALL_ENTRY) goto out_flush_all; + if (is_noncanonical_invlpg_address(entries[i], vcpu)) + continue; + /* * Lower 12 bits of 'address' encode the number of additional * pages to flush.

1 month, 2 weeks

3
10
0 0

FAILED: patch "[PATCH] iio: hid-sensor-prox: Fix incorrect OFFSET calculation" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 79dabbd505210e41c88060806c92c052496dd61c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051216-banister-canned-57e2@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 79dabbd505210e41c88060806c92c052496dd61c Mon Sep 17 00:00:00 2001 From: Zhang Lixu <lixu.zhang(a)intel.com> Date: Mon, 31 Mar 2025 13:50:22 +0800 Subject: [PATCH] iio: hid-sensor-prox: Fix incorrect OFFSET calculation The OFFSET calculation in the prox_read_raw() was incorrectly using the unit exponent, which is intended for SCALE calculations. Remove the incorrect OFFSET calculation and set it to a fixed value of 0. Cc: stable(a)vger.kernel.org Fixes: 39a3a0138f61 ("iio: hid-sensors: Added Proximity Sensor Driver") Signed-off-by: Zhang Lixu <lixu.zhang(a)intel.com> Acked-by: Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> Link: https://patch.msgid.link/20250331055022.1149736-4-lixu.zhang@intel.com Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> diff --git a/drivers/iio/light/hid-sensor-prox.c b/drivers/iio/light/hid-sensor-prox.c index 941508e58286..4c65b32d34ce 100644 --- a/drivers/iio/light/hid-sensor-prox.c +++ b/drivers/iio/light/hid-sensor-prox.c @@ -124,8 +124,7 @@ static int prox_read_raw(struct iio_dev *indio_dev, ret_type = prox_state->scale_precision[chan->scan_index]; break; case IIO_CHAN_INFO_OFFSET: - *val = hid_sensor_convert_exponent( - prox_state->prox_attr[chan->scan_index].unit_expo); + *val = 0; ret_type = IIO_VAL_INT; break; case IIO_CHAN_INFO_SAMP_FREQ:

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] iio: hid-sensor-prox: Restore lost scale assignments" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 83ded7cfaccccd2f4041769c313b58b4c9e265ad # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051229-viewable-moonlight-630a@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 83ded7cfaccccd2f4041769c313b58b4c9e265ad Mon Sep 17 00:00:00 2001 From: Zhang Lixu <lixu.zhang(a)intel.com> Date: Mon, 31 Mar 2025 13:50:20 +0800 Subject: [PATCH] iio: hid-sensor-prox: Restore lost scale assignments The variables `scale_pre_decml`, `scale_post_decml`, and `scale_precision` were assigned in commit d68c592e02f6 ("iio: hid-sensor-prox: Fix scale not correct issue"), but due to a merge conflict in commit 9c15db92a8e5 ("Merge tag 'iio-for-5.13a' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-next"), these assignments were lost. Add back lost assignments and replace `st->prox_attr` with `st->prox_attr[0]` because commit 596ef5cf654b ("iio: hid-sensor-prox: Add support for more channels") changed `prox_attr` to an array. Cc: stable(a)vger.kernel.org # 5.13+ Fixes: 9c15db92a8e5 ("Merge tag 'iio-for-5.13a' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-next") Signed-off-by: Zhang Lixu <lixu.zhang(a)intel.com> Acked-by: Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> Link: https://patch.msgid.link/20250331055022.1149736-2-lixu.zhang@intel.com Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> diff --git a/drivers/iio/light/hid-sensor-prox.c b/drivers/iio/light/hid-sensor-prox.c index 76b76d12b388..1dc6fb7cf614 100644 --- a/drivers/iio/light/hid-sensor-prox.c +++ b/drivers/iio/light/hid-sensor-prox.c @@ -257,6 +257,11 @@ static int prox_parse_report(struct platform_device *pdev, st->num_channels = index; + st->scale_precision = hid_sensor_format_scale(hsdev->usage, + &st->prox_attr[0], + &st->scale_pre_decml, + &st->scale_post_decml); + return 0; }

1 month, 2 weeks

2
1
0 0

[PATCH v3] x86: Clear feature bits disabled at compile-time

by Maciej Wieczor-Retman

If some config options are disabled during compile time, they still are enumerated in macros that use the x86_capability bitmask - cpu_has() or this_cpu_has(). The features are also visible in /proc/cpuinfo even though they are not enabled - which is contrary to what the documentation states about the file. Examples of such feature flags are lam, fred, sgx, ibrs_enhanced, split_lock_detect, user_shstk, avx_vnni and enqcmd. Add a DISABLED_MASK_INITIALIZER() macro that creates an initializer list filled with DISABLED_MASKx bitmasks. Initialize the cpu_caps_cleared array with the autogenerated disabled bitmask. Fixes: ea4e3bef4c94 ("Documentation/x86: Add documentation for /proc/cpuinfo feature flags") Reported-by: Farrah Chen <farrah.chen(a)intel.com> Signed-off-by: Maciej Wieczor-Retman <maciej.wieczor-retman(a)intel.com> Cc: <stable(a)vger.kernel.org> --- Changelog v3: - Remove Fixes: tags, keep only one at the point where the documentation changed and promised feature bits wouldn't show up if they're not enabled. - Don't use a helper to initialize cpu_caps_cleared, just statically initialize it. - Remove changes to cpu_caps_set. - Rewrite patch message to account for changes. Changelog v2: - Redo the patch to utilize a more generic solution, not just fix the LAM and FRED feature bits. - Note more feature flags that shouldn't be present. - Add fixes and cc tags. arch/x86/kernel/cpu/common.c | 3 ++- arch/x86/tools/cpufeaturemasks.awk | 6 ++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index 77afca95cced..061e91922725 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -704,7 +704,8 @@ static const char *table_lookup_model(struct cpuinfo_x86 *c) } /* Aligned to unsigned long to avoid split lock in atomic bitmap ops */ -__u32 cpu_caps_cleared[NCAPINTS + NBUGINTS] __aligned(sizeof(unsigned long)); +__u32 cpu_caps_cleared[NCAPINTS + NBUGINTS] __aligned(sizeof(unsigned long)) = + DISABLED_MASK_INIT_VALUES; __u32 cpu_caps_set[NCAPINTS + NBUGINTS] __aligned(sizeof(unsigned long)); #ifdef CONFIG_X86_32 diff --git a/arch/x86/tools/cpufeaturemasks.awk b/arch/x86/tools/cpufeaturemasks.awk index 173d5bf2d999..6ebaa27f1275 100755 --- a/arch/x86/tools/cpufeaturemasks.awk +++ b/arch/x86/tools/cpufeaturemasks.awk @@ -84,5 +84,11 @@ END { printf "\t) & (1U << ((x) & 31)))\n\n"; } + printf "\n#define DISABLED_MASK_INIT_VALUES\t\t\t\\"; + printf "\n\t{\t\t\t\t\t\t\\"; + for (i = 0; i < ncapints; i++) + printf "\n\t\tDISABLED_MASK%d,\t\t\t\\", i; + printf "\n\t}\n\n"; + printf "#endif /* _ASM_X86_CPUFEATUREMASKS_H */\n"; } -- 2.49.0

1 month, 2 weeks

3
7
0 0

FAILED: patch "[PATCH] iio: hid-sensor-prox: Fix incorrect OFFSET calculation" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 79dabbd505210e41c88060806c92c052496dd61c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051216-fantasy-preschool-858d@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 79dabbd505210e41c88060806c92c052496dd61c Mon Sep 17 00:00:00 2001 From: Zhang Lixu <lixu.zhang(a)intel.com> Date: Mon, 31 Mar 2025 13:50:22 +0800 Subject: [PATCH] iio: hid-sensor-prox: Fix incorrect OFFSET calculation The OFFSET calculation in the prox_read_raw() was incorrectly using the unit exponent, which is intended for SCALE calculations. Remove the incorrect OFFSET calculation and set it to a fixed value of 0. Cc: stable(a)vger.kernel.org Fixes: 39a3a0138f61 ("iio: hid-sensors: Added Proximity Sensor Driver") Signed-off-by: Zhang Lixu <lixu.zhang(a)intel.com> Acked-by: Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> Link: https://patch.msgid.link/20250331055022.1149736-4-lixu.zhang@intel.com Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> diff --git a/drivers/iio/light/hid-sensor-prox.c b/drivers/iio/light/hid-sensor-prox.c index 941508e58286..4c65b32d34ce 100644 --- a/drivers/iio/light/hid-sensor-prox.c +++ b/drivers/iio/light/hid-sensor-prox.c @@ -124,8 +124,7 @@ static int prox_read_raw(struct iio_dev *indio_dev, ret_type = prox_state->scale_precision[chan->scan_index]; break; case IIO_CHAN_INFO_OFFSET: - *val = hid_sensor_convert_exponent( - prox_state->prox_attr[chan->scan_index].unit_expo); + *val = 0; ret_type = IIO_VAL_INT; break; case IIO_CHAN_INFO_SAMP_FREQ:

1 month, 2 weeks

2
1
0 0

[PATCH 5.10] drm/amd/display: Pass non-null to dcn20_validate_apply_pipe_split_flags

by Daniil Dulov

From: Alex Hung <alex.hung(a)amd.com> commit 5559598742fb4538e4c51c48ef70563c49c2af23 upstream. [WHAT & HOW] "dcn20_validate_apply_pipe_split_flags" dereferences merge, and thus it cannot be a null pointer. Let's pass a valid pointer to avoid null dereference. This fixes 2 FORWARD_NULL issues reported by Coverity. Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira(a)amd.com> Signed-off-by: Jerry Zuo <jerry.zuo(a)amd.com> Signed-off-by: Alex Hung <alex.hung(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> [ Daniil: Changes to dcn21_fast_validate_bw() were dropped since the function is not inplemented in 5.10.y. Also dcn20 and dcn21 were moved from drivers/gpu/drm/amd/display/dc to drivers/gpu/drm/amd/display/dc/resource since commit 8b8eed05a1c6 ("drm/amd/display: Refactor resource into component directory"). The path is changed accordingly to apply the patch on 5.10.y ] Signed-off-by: Daniil Dulov <d.dulov(a)aladdin.ru> --- Backport fix for CVE-2024-49923 drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c index b4bff3b3d842..029aba780d83 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c +++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c @@ -2847,6 +2847,7 @@ bool dcn20_fast_validate_bw( { bool out = false; int split[MAX_PIPES] = { 0 }; + bool merge[MAX_PIPES] = { false }; int pipe_cnt, i, pipe_idx, vlevel; ASSERT(pipes); @@ -2869,7 +2870,7 @@ bool dcn20_fast_validate_bw( if (vlevel > context->bw_ctx.dml.soc.num_states) goto validate_fail; - vlevel = dcn20_validate_apply_pipe_split_flags(dc, context, vlevel, split, NULL); + vlevel = dcn20_validate_apply_pipe_split_flags(dc, context, vlevel, split, merge); /*initialize pipe_just_split_from to invalid idx*/ for (i = 0; i < MAX_PIPES; i++) -- 2.34.1

1 month, 2 weeks

2
3
0 0

FAILED: patch "[PATCH] iio: hid-sensor-prox: Fix incorrect OFFSET calculation" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 79dabbd505210e41c88060806c92c052496dd61c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051217-job-sleek-cd29@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 79dabbd505210e41c88060806c92c052496dd61c Mon Sep 17 00:00:00 2001 From: Zhang Lixu <lixu.zhang(a)intel.com> Date: Mon, 31 Mar 2025 13:50:22 +0800 Subject: [PATCH] iio: hid-sensor-prox: Fix incorrect OFFSET calculation The OFFSET calculation in the prox_read_raw() was incorrectly using the unit exponent, which is intended for SCALE calculations. Remove the incorrect OFFSET calculation and set it to a fixed value of 0. Cc: stable(a)vger.kernel.org Fixes: 39a3a0138f61 ("iio: hid-sensors: Added Proximity Sensor Driver") Signed-off-by: Zhang Lixu <lixu.zhang(a)intel.com> Acked-by: Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> Link: https://patch.msgid.link/20250331055022.1149736-4-lixu.zhang@intel.com Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> diff --git a/drivers/iio/light/hid-sensor-prox.c b/drivers/iio/light/hid-sensor-prox.c index 941508e58286..4c65b32d34ce 100644 --- a/drivers/iio/light/hid-sensor-prox.c +++ b/drivers/iio/light/hid-sensor-prox.c @@ -124,8 +124,7 @@ static int prox_read_raw(struct iio_dev *indio_dev, ret_type = prox_state->scale_precision[chan->scan_index]; break; case IIO_CHAN_INFO_OFFSET: - *val = hid_sensor_convert_exponent( - prox_state->prox_attr[chan->scan_index].unit_expo); + *val = 0; ret_type = IIO_VAL_INT; break; case IIO_CHAN_INFO_SAMP_FREQ:

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] iio: hid-sensor-prox: Restore lost scale assignments" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 83ded7cfaccccd2f4041769c313b58b4c9e265ad # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051228-tactile-preppy-668b@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 83ded7cfaccccd2f4041769c313b58b4c9e265ad Mon Sep 17 00:00:00 2001 From: Zhang Lixu <lixu.zhang(a)intel.com> Date: Mon, 31 Mar 2025 13:50:20 +0800 Subject: [PATCH] iio: hid-sensor-prox: Restore lost scale assignments The variables `scale_pre_decml`, `scale_post_decml`, and `scale_precision` were assigned in commit d68c592e02f6 ("iio: hid-sensor-prox: Fix scale not correct issue"), but due to a merge conflict in commit 9c15db92a8e5 ("Merge tag 'iio-for-5.13a' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-next"), these assignments were lost. Add back lost assignments and replace `st->prox_attr` with `st->prox_attr[0]` because commit 596ef5cf654b ("iio: hid-sensor-prox: Add support for more channels") changed `prox_attr` to an array. Cc: stable(a)vger.kernel.org # 5.13+ Fixes: 9c15db92a8e5 ("Merge tag 'iio-for-5.13a' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-next") Signed-off-by: Zhang Lixu <lixu.zhang(a)intel.com> Acked-by: Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> Link: https://patch.msgid.link/20250331055022.1149736-2-lixu.zhang@intel.com Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> diff --git a/drivers/iio/light/hid-sensor-prox.c b/drivers/iio/light/hid-sensor-prox.c index 76b76d12b388..1dc6fb7cf614 100644 --- a/drivers/iio/light/hid-sensor-prox.c +++ b/drivers/iio/light/hid-sensor-prox.c @@ -257,6 +257,11 @@ static int prox_parse_report(struct platform_device *pdev, st->num_channels = index; + st->scale_precision = hid_sensor_format_scale(hsdev->usage, + &st->prox_attr[0], + &st->scale_pre_decml, + &st->scale_post_decml); + return 0; }

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] wifi: mt76: mt7925: adjust rm BSS flow to prevent next" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 0ebb60da8416c1d8e84c7e511a5687ce76a9467a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041743-unwoven-sizzle-ba8b@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0ebb60da8416c1d8e84c7e511a5687ce76a9467a Mon Sep 17 00:00:00 2001 From: Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> Date: Tue, 4 Mar 2025 16:08:49 -0800 Subject: [PATCH] wifi: mt76: mt7925: adjust rm BSS flow to prevent next connection failure Removing BSS without removing STAREC first will cause firmware abnormal and next connection fail. Fixes: 816161051a03 ("wifi: mt76: mt7925: Cleanup MLO settings post-disconnection") Cc: stable(a)vger.kernel.org Co-developed-by: Sean Wang <sean.wang(a)mediatek.com> Signed-off-by: Sean Wang <sean.wang(a)mediatek.com> Tested-by: Caleb Jorden <cjorden(a)gmail.com> Signed-off-by: Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> Link: https://patch.msgid.link/20250305000851.493671-4-sean.wang@kernel.org Signed-off-by: Felix Fietkau <nbd(a)nbd.name> diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net/wireless/mediatek/mt76/mt7925/main.c index dd886b39f550..2f6c687d0a05 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c @@ -1155,7 +1155,12 @@ static void mt7925_mac_link_sta_remove(struct mt76_dev *mdev, struct mt792x_bss_conf *mconf; mconf = mt792x_link_conf_to_mconf(link_conf); - mt792x_mac_link_bss_remove(dev, mconf, mlink); + + if (ieee80211_vif_is_mld(vif)) + mt792x_mac_link_bss_remove(dev, mconf, mlink); + else + mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, link_conf, + link_sta, false); } spin_lock_bh(&mdev->sta_poll_lock); @@ -1175,6 +1180,31 @@ mt7925_mac_sta_remove_links(struct mt792x_dev *dev, struct ieee80211_vif *vif, struct mt76_wcid *wcid; unsigned int link_id; + /* clean up bss before starec */ + for_each_set_bit(link_id, &old_links, IEEE80211_MLD_MAX_NUM_LINKS) { + struct ieee80211_link_sta *link_sta; + struct ieee80211_bss_conf *link_conf; + struct mt792x_bss_conf *mconf; + struct mt792x_link_sta *mlink; + + link_sta = mt792x_sta_to_link_sta(vif, sta, link_id); + if (!link_sta) + continue; + + mlink = mt792x_sta_to_link(msta, link_id); + if (!mlink) + continue; + + link_conf = mt792x_vif_to_bss_conf(vif, link_id); + if (!link_conf) + continue; + + mconf = mt792x_link_conf_to_mconf(link_conf); + + mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, link_conf, + link_sta, false); + } + for_each_set_bit(link_id, &old_links, IEEE80211_MLD_MAX_NUM_LINKS) { struct ieee80211_link_sta *link_sta; struct mt792x_link_sta *mlink; @@ -1212,44 +1242,14 @@ void mt7925_mac_sta_remove(struct mt76_dev *mdev, struct ieee80211_vif *vif, { struct mt792x_dev *dev = container_of(mdev, struct mt792x_dev, mt76); struct mt792x_sta *msta = (struct mt792x_sta *)sta->drv_priv; - struct { - struct { - u8 omac_idx; - u8 band_idx; - __le16 pad; - } __packed hdr; - struct req_tlv { - __le16 tag; - __le16 len; - u8 active; - u8 link_idx; /* hw link idx */ - u8 omac_addr[ETH_ALEN]; - } __packed tlv; - } dev_req = { - .hdr = { - .omac_idx = 0, - .band_idx = 0, - }, - .tlv = { - .tag = cpu_to_le16(DEV_INFO_ACTIVE), - .len = cpu_to_le16(sizeof(struct req_tlv)), - .active = true, - }, - }; unsigned long rem; rem = ieee80211_vif_is_mld(vif) ? msta->valid_links : BIT(0); mt7925_mac_sta_remove_links(dev, vif, sta, rem); - if (ieee80211_vif_is_mld(vif)) { - mt7925_mcu_set_dbdc(&dev->mphy, false); - - /* recovery omac address for the legacy interface */ - memcpy(dev_req.tlv.omac_addr, vif->addr, ETH_ALEN); - mt76_mcu_send_msg(mdev, MCU_UNI_CMD(DEV_INFO_UPDATE), - &dev_req, sizeof(dev_req), true); - } + if (ieee80211_vif_is_mld(vif)) + mt7925_mcu_del_dev(mdev, vif); if (vif->type == NL80211_IFTYPE_STATION) { struct mt792x_vif *mvif = (struct mt792x_vif *)vif->drv_priv; diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c index ebe7cc30aaf9..d970243d64ff 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c @@ -2634,6 +2634,62 @@ int mt7925_mcu_set_timing(struct mt792x_phy *phy, MCU_UNI_CMD(BSS_INFO_UPDATE), true); } +void mt7925_mcu_del_dev(struct mt76_dev *mdev, + struct ieee80211_vif *vif) +{ + struct mt76_vif_link *mvif = (struct mt76_vif_link *)vif->drv_priv; + struct { + struct { + u8 omac_idx; + u8 band_idx; + __le16 pad; + } __packed hdr; + struct req_tlv { + __le16 tag; + __le16 len; + u8 active; + u8 link_idx; /* hw link idx */ + u8 omac_addr[ETH_ALEN]; + } __packed tlv; + } dev_req = { + .tlv = { + .tag = cpu_to_le16(DEV_INFO_ACTIVE), + .len = cpu_to_le16(sizeof(struct req_tlv)), + .active = true, + }, + }; + struct { + struct { + u8 bss_idx; + u8 pad[3]; + } __packed hdr; + struct mt76_connac_bss_basic_tlv basic; + } basic_req = { + .basic = { + .tag = cpu_to_le16(UNI_BSS_INFO_BASIC), + .len = cpu_to_le16(sizeof(struct mt76_connac_bss_basic_tlv)), + .active = true, + .conn_state = 1, + }, + }; + + dev_req.hdr.omac_idx = mvif->omac_idx; + dev_req.hdr.band_idx = mvif->band_idx; + + basic_req.hdr.bss_idx = mvif->idx; + basic_req.basic.omac_idx = mvif->omac_idx; + basic_req.basic.band_idx = mvif->band_idx; + basic_req.basic.link_idx = mvif->link_idx; + + mt76_mcu_send_msg(mdev, MCU_UNI_CMD(BSS_INFO_UPDATE), + &basic_req, sizeof(basic_req), true); + + /* recovery omac address for the legacy interface */ + memcpy(dev_req.tlv.omac_addr, vif->addr, ETH_ALEN); + mt76_mcu_send_msg(mdev, MCU_UNI_CMD(DEV_INFO_UPDATE), + &dev_req, sizeof(dev_req), true); +} + int mt7925_mcu_add_bss_info(struct mt792x_phy *phy, struct ieee80211_chanctx_conf *ctx, struct ieee80211_bss_conf *link_conf, diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.h b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.h index 6bf1623e542e..8ac43feb26d6 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.h +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.h @@ -627,6 +627,8 @@ int mt7925_mcu_sched_scan_req(struct mt76_phy *phy, int mt7925_mcu_sched_scan_enable(struct mt76_phy *phy, struct ieee80211_vif *vif, bool enable); +void mt7925_mcu_del_dev(struct mt76_dev *mdev, + struct ieee80211_vif *vif); int mt7925_mcu_add_bss_info(struct mt792x_phy *phy, struct ieee80211_chanctx_conf *ctx, struct ieee80211_bss_conf *link_conf,

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] Revert "wifi: mt76: mt7925: Update mt7925_mcu_uni_[tx,rx]_ba" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 766ea2cf5a398c7eed519b12c6c6cf1631143ea2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041745-undusted-quickness-e1d6@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 766ea2cf5a398c7eed519b12c6c6cf1631143ea2 Mon Sep 17 00:00:00 2001 From: Sean Wang <sean.wang(a)mediatek.com> Date: Tue, 4 Mar 2025 16:08:46 -0800 Subject: [PATCH] Revert "wifi: mt76: mt7925: Update mt7925_mcu_uni_[tx,rx]_ba for MLO" For MLO, mac80211 will send the BA action for each link to the driver, so the driver does not need to handle it itself. Therefore, revert this patch. Fixes: eb2a9a12c609 ("wifi: mt76: mt7925: Update mt7925_mcu_uni_[tx,rx]_ba for MLO") Cc: stable(a)vger.kernel.org Signed-off-by: Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> Tested-by: Caleb Jorden <cjorden(a)gmail.com> Signed-off-by: Sean Wang <sean.wang(a)mediatek.com> Link: https://patch.msgid.link/20250305000851.493671-1-sean.wang@kernel.org Signed-off-by: Felix Fietkau <nbd(a)nbd.name> diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net/wireless/mediatek/mt76/mt7925/main.c index ad47a4b153da..47a6040381a0 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c @@ -1289,22 +1289,22 @@ mt7925_ampdu_action(struct ieee80211_hw *hw, struct ieee80211_vif *vif, case IEEE80211_AMPDU_RX_START: mt76_rx_aggr_start(&dev->mt76, &msta->deflink.wcid, tid, ssn, params->buf_size); - mt7925_mcu_uni_rx_ba(dev, vif, params, true); + mt7925_mcu_uni_rx_ba(dev, params, true); break; case IEEE80211_AMPDU_RX_STOP: mt76_rx_aggr_stop(&dev->mt76, &msta->deflink.wcid, tid); - mt7925_mcu_uni_rx_ba(dev, vif, params, false); + mt7925_mcu_uni_rx_ba(dev, params, false); break; case IEEE80211_AMPDU_TX_OPERATIONAL: mtxq->aggr = true; mtxq->send_bar = false; - mt7925_mcu_uni_tx_ba(dev, vif, params, true); + mt7925_mcu_uni_tx_ba(dev, params, true); break; case IEEE80211_AMPDU_TX_STOP_FLUSH: case IEEE80211_AMPDU_TX_STOP_FLUSH_CONT: mtxq->aggr = false; clear_bit(tid, &msta->deflink.wcid.ampdu_state); - mt7925_mcu_uni_tx_ba(dev, vif, params, false); + mt7925_mcu_uni_tx_ba(dev, params, false); break; case IEEE80211_AMPDU_TX_START: set_bit(tid, &msta->deflink.wcid.ampdu_state); @@ -1313,7 +1313,7 @@ mt7925_ampdu_action(struct ieee80211_hw *hw, struct ieee80211_vif *vif, case IEEE80211_AMPDU_TX_STOP_CONT: mtxq->aggr = false; clear_bit(tid, &msta->deflink.wcid.ampdu_state); - mt7925_mcu_uni_tx_ba(dev, vif, params, false); + mt7925_mcu_uni_tx_ba(dev, params, false); ieee80211_stop_tx_ba_cb_irqsafe(vif, sta->addr, tid); break; } diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c index 7885d71b7a77..ebe7cc30aaf9 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c @@ -572,10 +572,10 @@ void mt7925_mcu_rx_event(struct mt792x_dev *dev, struct sk_buff *skb) static int mt7925_mcu_sta_ba(struct mt76_dev *dev, struct mt76_vif_link *mvif, - struct mt76_wcid *wcid, struct ieee80211_ampdu_params *params, bool enable, bool tx) { + struct mt76_wcid *wcid = (struct mt76_wcid *)params->sta->drv_priv; struct sta_rec_ba_uni *ba; struct sk_buff *skb; struct tlv *tlv; @@ -603,60 +603,28 @@ mt7925_mcu_sta_ba(struct mt76_dev *dev, struct mt76_vif_link *mvif, /** starec & wtbl **/ int mt7925_mcu_uni_tx_ba(struct mt792x_dev *dev, - struct ieee80211_vif *vif, struct ieee80211_ampdu_params *params, bool enable) { struct mt792x_sta *msta = (struct mt792x_sta *)params->sta->drv_priv; - struct mt792x_vif *mvif = (struct mt792x_vif *)vif->drv_priv; - struct mt792x_link_sta *mlink; - struct mt792x_bss_conf *mconf; - unsigned long usable_links = ieee80211_vif_usable_links(vif); - struct mt76_wcid *wcid; - u8 link_id, ret; + struct mt792x_vif *mvif = msta->vif; - for_each_set_bit(link_id, &usable_links, IEEE80211_MLD_MAX_NUM_LINKS) { - mconf = mt792x_vif_to_link(mvif, link_id); - mlink = mt792x_sta_to_link(msta, link_id); - wcid = &mlink->wcid; + if (enable && !params->amsdu) + msta->deflink.wcid.amsdu = false; - if (enable && !params->amsdu) - mlink->wcid.amsdu = false; - - ret = mt7925_mcu_sta_ba(&dev->mt76, &mconf->mt76, wcid, params, - enable, true); - if (ret < 0) - break; - } - - return ret; + return mt7925_mcu_sta_ba(&dev->mt76, &mvif->bss_conf.mt76, params, + enable, true); } int mt7925_mcu_uni_rx_ba(struct mt792x_dev *dev, - struct ieee80211_vif *vif, struct ieee80211_ampdu_params *params, bool enable) { struct mt792x_sta *msta = (struct mt792x_sta *)params->sta->drv_priv; - struct mt792x_vif *mvif = (struct mt792x_vif *)vif->drv_priv; - struct mt792x_link_sta *mlink; - struct mt792x_bss_conf *mconf; - unsigned long usable_links = ieee80211_vif_usable_links(vif); - struct mt76_wcid *wcid; - u8 link_id, ret; + struct mt792x_vif *mvif = msta->vif; - for_each_set_bit(link_id, &usable_links, IEEE80211_MLD_MAX_NUM_LINKS) { - mconf = mt792x_vif_to_link(mvif, link_id); - mlink = mt792x_sta_to_link(msta, link_id); - wcid = &mlink->wcid; - - ret = mt7925_mcu_sta_ba(&dev->mt76, &mconf->mt76, wcid, params, - enable, false); - if (ret < 0) - break; - } - - return ret; + return mt7925_mcu_sta_ba(&dev->mt76, &mvif->bss_conf.mt76, params, + enable, false); } static int mt7925_load_clc(struct mt792x_dev *dev, const char *fw_name) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h b/drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h index 8707b5d04743..fd5f9d4ea4a7 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h @@ -263,11 +263,9 @@ int mt7925_mcu_set_beacon_filter(struct mt792x_dev *dev, struct ieee80211_vif *vif, bool enable); int mt7925_mcu_uni_tx_ba(struct mt792x_dev *dev, - struct ieee80211_vif *vif, struct ieee80211_ampdu_params *params, bool enable); int mt7925_mcu_uni_rx_ba(struct mt792x_dev *dev, - struct ieee80211_vif *vif, struct ieee80211_ampdu_params *params, bool enable); void mt7925_scan_work(struct work_struct *work);

1 month, 2 weeks

2
1
0 0

[PATCH v2 1/1] gpio: virtio: Fix config space reading.

by Harald Mommer

Quote from the virtio specification chapter 4.2.2.2: "For the device-specific configuration space, the driver MUST use 8 bit wide accesses for 8 bit wide fields, 16 bit wide and aligned accesses for 16 bit wide fields and 32 bit wide and aligned accesses for 32 and 64 bit wide fields." Signed-off-by: Harald Mommer <harald.mommer(a)oss.qualcomm.com> Cc: stable(a)vger.kernel.org Fixes: 3a29355a22c0 ("gpio: Add virtio-gpio driver") Acked-by: Viresh Kumar <viresh.kumar(a)linaro.org> --- drivers/gpio/gpio-virtio.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/gpio/gpio-virtio.c b/drivers/gpio/gpio-virtio.c index 92b456475d89..07552611da98 100644 --- a/drivers/gpio/gpio-virtio.c +++ b/drivers/gpio/gpio-virtio.c @@ -527,7 +527,6 @@ static const char **virtio_gpio_get_names(struct virtio_gpio *vgpio, static int virtio_gpio_probe(struct virtio_device *vdev) { - struct virtio_gpio_config config; struct device *dev = &vdev->dev; struct virtio_gpio *vgpio; struct irq_chip *gpio_irq_chip; @@ -540,9 +539,11 @@ static int virtio_gpio_probe(struct virtio_device *vdev) return -ENOMEM; /* Read configuration */ - virtio_cread_bytes(vdev, 0, &config, sizeof(config)); - gpio_names_size = le32_to_cpu(config.gpio_names_size); - ngpio = le16_to_cpu(config.ngpio); + gpio_names_size = + virtio_cread32(vdev, offsetof(struct virtio_gpio_config, + gpio_names_size)); + ngpio = virtio_cread16(vdev, offsetof(struct virtio_gpio_config, + ngpio)); if (!ngpio) { dev_err(dev, "Number of GPIOs can't be zero\n"); return -EINVAL; -- 2.43.0

1 month, 2 weeks

1
0
0 0

[PATCH v2 1/1] gpio: virtio: Fix config space reading.

by Harald Mommer

Quote from the virtio specification chapter 4.2.2.2: "For the device-specific configuration space, the driver MUST use 8 bit wide accesses for 8 bit wide fields, 16 bit wide and aligned accesses for 16 bit wide fields and 32 bit wide and aligned accesses for 32 and 64 bit wide fields." Signed-off-by: Harald Mommer <harald.mommer(a)oss.qualcomm.com> Cc: stable(a)vger.kernel.org Fixes: 3a29355a22c0 ("gpio: Add virtio-gpio driver") Acked-by: Viresh Kumar <viresh.kumar(a)linaro.org> --- drivers/gpio/gpio-virtio.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/gpio/gpio-virtio.c b/drivers/gpio/gpio-virtio.c index 92b456475d89..07552611da98 100644 --- a/drivers/gpio/gpio-virtio.c +++ b/drivers/gpio/gpio-virtio.c @@ -527,7 +527,6 @@ static const char **virtio_gpio_get_names(struct virtio_gpio *vgpio, static int virtio_gpio_probe(struct virtio_device *vdev) { - struct virtio_gpio_config config; struct device *dev = &vdev->dev; struct virtio_gpio *vgpio; struct irq_chip *gpio_irq_chip; @@ -540,9 +539,11 @@ static int virtio_gpio_probe(struct virtio_device *vdev) return -ENOMEM; /* Read configuration */ - virtio_cread_bytes(vdev, 0, &config, sizeof(config)); - gpio_names_size = le32_to_cpu(config.gpio_names_size); - ngpio = le16_to_cpu(config.ngpio); + gpio_names_size = + virtio_cread32(vdev, offsetof(struct virtio_gpio_config, + gpio_names_size)); + ngpio = virtio_cread16(vdev, offsetof(struct virtio_gpio_config, + ngpio)); if (!ngpio) { dev_err(dev, "Number of GPIOs can't be zero\n"); return -EINVAL; -- 2.43.0

1 month, 2 weeks

1
0
0 0

[PATCH v2] KVM: SEV: Enforce minimum GHCB version requirement for SEV-SNP guests

by Nikunj A Dadhania

Require a minimum GHCB version of 2 when starting SEV-SNP guests through KVM_SEV_INIT2. When a VMM attempts to start an SEV-SNP guest with an incompatible GHCB version (less than 2), reject the request early rather than allowing the guest kernel to start with an incorrect protocol version and fail later with GHCB_SNP_UNSUPPORTED guest termination. Hypervisor logs the guest termination with GHCB_SNP_UNSUPPORTED error code: kvm_amd: SEV-ES guest requested termination: 0x0:0x2 SNP guest fails with the below error message: KVM: unknown exit reason 24 EAX=00000000 EBX=00000000 ECX=00000000 EDX=00a00f11 ESI=00000000 EDI=00000000 EBP=00000000 ESP=00000000 EIP=0000fff0 EFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0 ES =0000 00000000 0000ffff 00009300 CS =f000 ffff0000 0000ffff 00009b00 SS =0000 00000000 0000ffff 00009300 DS =0000 00000000 0000ffff 00009300 FS =0000 00000000 0000ffff 00009300 GS =0000 00000000 0000ffff 00009300 LDT=0000 00000000 0000ffff 00008200 TR =0000 00000000 0000ffff 00008b00 GDT= 00000000 0000ffff IDT= 00000000 0000ffff CR0=60000010 CR2=00000000 CR3=00000000 CR4=00000000 DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 DR6=00000000ffff0ff0 DR7=0000000000000400 EFER=0000000000000000 Fixes: 4af663c2f64a ("KVM: SEV: Allow per-guest configuration of GHCB protocol version") Cc: Thomas Lendacky <thomas.lendacky(a)amd.com> Cc: Sean Christopherson <seanjc(a)google.com> Cc: Michael Roth <michael.roth(a)amd.com> Cc: stable(a)vger.kernel.org Signed-off-by: Nikunj A Dadhania <nikunj(a)amd.com> --- Changes since v1: * Add failure logs in the commit and drop @stable tag (Sean) --- arch/x86/kvm/svm/sev.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 95668e84ab86..fdc1309c68cb 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -406,6 +406,7 @@ static int __sev_guest_init(struct kvm *kvm, struct kvm_sev_cmd *argp, struct kvm_sev_info *sev = to_kvm_sev_info(kvm); struct sev_platform_init_args init_args = {0}; bool es_active = vm_type != KVM_X86_SEV_VM; + bool snp_active = vm_type == KVM_X86_SNP_VM; u64 valid_vmsa_features = es_active ? sev_supported_vmsa_features : 0; int ret; @@ -424,6 +425,9 @@ static int __sev_guest_init(struct kvm *kvm, struct kvm_sev_cmd *argp, if (unlikely(sev->active)) return -EINVAL; + if (snp_active && data->ghcb_version && data->ghcb_version < 2) + return -EINVAL; + sev->active = true; sev->es_active = es_active; sev->vmsa_features = data->vmsa_features; @@ -437,7 +441,7 @@ static int __sev_guest_init(struct kvm *kvm, struct kvm_sev_cmd *argp, if (sev->es_active && !sev->ghcb_version) sev->ghcb_version = GHCB_VERSION_DEFAULT; - if (vm_type == KVM_X86_SNP_VM) + if (snp_active) sev->vmsa_features |= SVM_SEV_FEAT_SNP_ACTIVE; ret = sev_asid_new(sev); @@ -455,7 +459,7 @@ static int __sev_guest_init(struct kvm *kvm, struct kvm_sev_cmd *argp, } /* This needs to happen after SEV/SNP firmware initialization. */ - if (vm_type == KVM_X86_SNP_VM) { + if (snp_active) { ret = snp_guest_req_init(kvm); if (ret) goto e_free; base-commit: 772d50d9b87bec08b56ecee0a880d6b2ee5c7da5 -- 2.43.0

1 month, 2 weeks

3
4
0 0

FAILED: patch "[PATCH] arm64: dts: qcom: x1-crd: Fix vreg_l2j_1p2 voltage" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 5ce920e6a8db40e4b094c0d863cbd19fdcfbbb7a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025060236-resale-proactive-e484@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5ce920e6a8db40e4b094c0d863cbd19fdcfbbb7a Mon Sep 17 00:00:00 2001 From: Stephan Gerhold <stephan.gerhold(a)linaro.org> Date: Wed, 23 Apr 2025 09:30:07 +0200 Subject: [PATCH] arm64: dts: qcom: x1-crd: Fix vreg_l2j_1p2 voltage In the ACPI DSDT table, PPP_RESOURCE_ID_LDO2_J is configured with 1256000 uV instead of the 1200000 uV we have currently in the device tree. Use the same for consistency and correctness. Cc: stable(a)vger.kernel.org Fixes: bd50b1f5b6f3 ("arm64: dts: qcom: x1e80100: Add Compute Reference Device") Signed-off-by: Stephan Gerhold <stephan.gerhold(a)linaro.org> Reviewed-by: Johan Hovold <johan+linaro(a)kernel.org> Reviewed-by: Abel Vesa <abel.vesa(a)linaro.org> Reviewed-by: Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> Link: https://lore.kernel.org/r/20250423-x1e-vreg-l2j-voltage-v1-1-24b6a2043025@l… Signed-off-by: Bjorn Andersson <andersson(a)kernel.org> diff --git a/arch/arm64/boot/dts/qcom/x1-crd.dtsi b/arch/arm64/boot/dts/qcom/x1-crd.dtsi index f73f053a46a0..dbdf542c7ce5 100644 --- a/arch/arm64/boot/dts/qcom/x1-crd.dtsi +++ b/arch/arm64/boot/dts/qcom/x1-crd.dtsi @@ -846,8 +846,8 @@ vreg_l1j_0p8: ldo1 { vreg_l2j_1p2: ldo2 { regulator-name = "vreg_l2j_1p2"; - regulator-min-microvolt = <1200000>; - regulator-max-microvolt = <1200000>; + regulator-min-microvolt = <1256000>; + regulator-max-microvolt = <1256000>; regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>; };

1 month, 2 weeks

2
1
0 0

+ sprintfh-requires-stdargh.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: sprintf.h requires stdarg.h has been added to the -mm mm-hotfixes-unstable branch. Its filename is sprintfh-requires-stdargh.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Stephen Rothwell <sfr(a)canb.auug.org.au> Subject: sprintf.h requires stdarg.h Date: Mon, 21 Jul 2025 16:15:57 +1000 In file included from drivers/crypto/intel/qat/qat_common/adf_pm_dbgfs_utils.c:4: include/linux/sprintf.h:11:54: error: unknown type name 'va_list' 11 | __printf(2, 0) int vsprintf(char *buf, const char *, va_list); | ^~~~~~~ include/linux/sprintf.h:1:1: note: 'va_list' is defined in header '<stdarg.h>'; this is probably fixable by adding '#include <stdarg.h>' Link: https://lkml.kernel.org/r/20250721173754.42865913@canb.auug.org.au Fixes: 39ced19b9e60 ("lib/vsprintf: split out sprintf() and friends") Signed-off-by: Stephen Rothwell <sfr(a)canb.auug.org.au> Cc: Andriy Shevchenko <andriy.shevchenko(a)linux.intel.com> Cc: Herbert Xu <herbert(a)gondor.apana.org.au> Cc: Petr Mladek <pmladek(a)suse.com> Cc: Steven Rostedt <rostedt(a)goodmis.org> Cc: Rasmus Villemoes <linux(a)rasmusvillemoes.dk> Cc: Sergey Senozhatsky <senozhatsky(a)chromium.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/sprintf.h | 1 + 1 file changed, 1 insertion(+) --- a/include/linux/sprintf.h~sprintfh-requires-stdargh +++ a/include/linux/sprintf.h @@ -4,6 +4,7 @@ #include <linux/compiler_attributes.h> #include <linux/types.h> +#include <linux/stdarg.h> int num_to_str(char *buf, int size, unsigned long long num, unsigned int width); _ Patches currently in -mm which might be from sfr(a)canb.auug.org.au are sprintfh-requires-stdargh.patch

1 month, 2 weeks

3
5
0 0

[PATCH 3/3] phy: ti-pipe3: fix device leak at unbind

by Johan Hovold

Make sure to drop the reference to the control device taken by of_find_device_by_node() during probe when the driver is unbound. Fixes: 918ee0d21ba4 ("usb: phy: omap-usb3: Don't use omap_get_control_dev()") Cc: stable(a)vger.kernel.org # 3.13 Cc: Roger Quadros <rogerq(a)kernel.org> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/phy/ti/phy-ti-pipe3.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/drivers/phy/ti/phy-ti-pipe3.c b/drivers/phy/ti/phy-ti-pipe3.c index da2cbacb982c..ae764d6524c9 100644 --- a/drivers/phy/ti/phy-ti-pipe3.c +++ b/drivers/phy/ti/phy-ti-pipe3.c @@ -667,12 +667,20 @@ static int ti_pipe3_get_clk(struct ti_pipe3 *phy) return 0; } +static void ti_pipe3_put_device(void *_dev) +{ + struct device *dev = _dev; + + put_device(dev); +} + static int ti_pipe3_get_sysctrl(struct ti_pipe3 *phy) { struct device *dev = phy->dev; struct device_node *node = dev->of_node; struct device_node *control_node; struct platform_device *control_pdev; + int ret; phy->phy_power_syscon = syscon_regmap_lookup_by_phandle(node, "syscon-phy-power"); @@ -704,6 +712,11 @@ static int ti_pipe3_get_sysctrl(struct ti_pipe3 *phy) } phy->control_dev = &control_pdev->dev; + + ret = devm_add_action_or_reset(dev, ti_pipe3_put_device, + phy->control_dev); + if (ret) + return ret; } if (phy->mode == PIPE3_MODE_PCIE) { -- 2.49.1

1 month, 2 weeks

1
0
0 0

[PATCH 2/3] phy: ti: omap-usb2: fix device leak at unbind

by Johan Hovold

Make sure to drop the reference to the control device taken by of_find_device_by_node() during probe when the driver is unbound. Fixes: 478b6c7436c2 ("usb: phy: omap-usb2: Don't use omap_get_control_dev()") Cc: stable(a)vger.kernel.org # 3.13 Cc: Roger Quadros <rogerq(a)kernel.org> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/phy/ti/phy-omap-usb2.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/drivers/phy/ti/phy-omap-usb2.c b/drivers/phy/ti/phy-omap-usb2.c index c1a0ef979142..c444bb2530ca 100644 --- a/drivers/phy/ti/phy-omap-usb2.c +++ b/drivers/phy/ti/phy-omap-usb2.c @@ -363,6 +363,13 @@ static void omap_usb2_init_errata(struct omap_usb *phy) phy->flags |= OMAP_USB2_DISABLE_CHRG_DET; } +static void omap_usb2_put_device(void *_dev) +{ + struct device *dev = _dev; + + put_device(dev); +} + static int omap_usb2_probe(struct platform_device *pdev) { struct omap_usb *phy; @@ -373,6 +380,7 @@ static int omap_usb2_probe(struct platform_device *pdev) struct device_node *control_node; struct platform_device *control_pdev; const struct usb_phy_data *phy_data; + int ret; phy_data = device_get_match_data(&pdev->dev); if (!phy_data) @@ -423,6 +431,11 @@ static int omap_usb2_probe(struct platform_device *pdev) return -EINVAL; } phy->control_dev = &control_pdev->dev; + + ret = devm_add_action_or_reset(&pdev->dev, omap_usb2_put_device, + phy->control_dev); + if (ret) + return ret; } else { if (of_property_read_u32_index(node, "syscon-phy-power", 1, -- 2.49.1

1 month, 2 weeks

1
0
0 0

[RESEND PATCH v3] x86: Clear feature bits disabled at compile-time

by Maciej Wieczor-Retman

If some config options are disabled during compile time, they still are enumerated in macros that use the x86_capability bitmask - cpu_has() or this_cpu_has(). The features are also visible in /proc/cpuinfo even though they are not enabled - which is contrary to what the documentation states about the file. Examples of such feature flags are lam, fred, sgx, ibrs_enhanced, split_lock_detect, user_shstk, avx_vnni and enqcmd. Add a DISABLED_MASK_INITIALIZER macro that creates an initializer list filled with DISABLED_MASKx bitmasks. Initialize the cpu_caps_cleared array with the autogenerated disabled bitmask. Fixes: ea4e3bef4c94 ("Documentation/x86: Add documentation for /proc/cpuinfo feature flags") Reported-by: Farrah Chen <farrah.chen(a)intel.com> Signed-off-by: H. Peter Anvin (Intel) <hpa(a)zytor.com> Signed-off-by: Maciej Wieczor-Retman <maciej.wieczor-retman(a)intel.com> Cc: <stable(a)vger.kernel.org> --- Resend: - Fix macro name to match with the patch message. - Add Peter's SoB. Changelog v3: - Remove Fixes: tags, keep only one at the point where the documentation changed and promised feature bits wouldn't show up if they're not enabled. - Don't use a helper to initialize cpu_caps_cleared, just statically initialize it. - Remove changes to cpu_caps_set. - Rewrite patch message to account for changes. Changelog v2: - Redo the patch to utilize a more generic solution, not just fix the LAM and FRED feature bits. - Note more feature flags that shouldn't be present. - Add fixes and cc tags. arch/x86/kernel/cpu/common.c | 3 ++- arch/x86/tools/cpufeaturemasks.awk | 6 ++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index 77afca95cced..a9040038ad9d 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -704,7 +704,8 @@ static const char *table_lookup_model(struct cpuinfo_x86 *c) } /* Aligned to unsigned long to avoid split lock in atomic bitmap ops */ -__u32 cpu_caps_cleared[NCAPINTS + NBUGINTS] __aligned(sizeof(unsigned long)); +__u32 cpu_caps_cleared[NCAPINTS + NBUGINTS] __aligned(sizeof(unsigned long)) = + DISABLED_MASK_INITIALIZER; __u32 cpu_caps_set[NCAPINTS + NBUGINTS] __aligned(sizeof(unsigned long)); #ifdef CONFIG_X86_32 diff --git a/arch/x86/tools/cpufeaturemasks.awk b/arch/x86/tools/cpufeaturemasks.awk index 173d5bf2d999..1eabbc69f50d 100755 --- a/arch/x86/tools/cpufeaturemasks.awk +++ b/arch/x86/tools/cpufeaturemasks.awk @@ -84,5 +84,11 @@ END { printf "\t) & (1U << ((x) & 31)))\n\n"; } + printf "\n#define DISABLED_MASK_INITIALIZER\t\t\t\\"; + printf "\n\t{\t\t\t\t\t\t\\"; + for (i = 0; i < ncapints; i++) + printf "\n\t\tDISABLED_MASK%d,\t\t\t\\", i; + printf "\n\t}\n\n"; + printf "#endif /* _ASM_X86_CPUFEATUREMASKS_H */\n"; } -- 2.49.0

1 month, 2 weeks

2
3
0 0

[PATCH V3 REPOST] comedi: pcl726: Prevent invalid irq number

by Ian Abbott

From: Edward Adam Davis <eadavis(a)qq.com> The reproducer passed in an irq number(0x80008000) that was too large, which triggered the oob. Added an interrupt number check to prevent users from passing in an irq number that was too large. If `it->options[1]` is 31, then `1 << it->options[1]` is still invalid because it shifts a 1-bit into the sign bit (which is UB in C). Possible solutions include reducing the upper bound on the `it->options[1]` value to 30 or lower, or using `1U << it->options[1]`. The old code would just not attempt to request the IRQ if the `options[1]` value were invalid. And it would still configure the device without interrupts even if the call to `request_irq` returned an error. So it would be better to combine this test with the test below. Fixes: fff46207245c ("staging: comedi: pcl726: enable the interrupt support code") Cc: <stable(a)vger.kernel.org> # 5.13+ Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Reported-by: syzbot+5cd373521edd68bebcb3(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=5cd373521edd68bebcb3 Tested-by: syzbot+5cd373521edd68bebcb3(a)syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis <eadavis(a)qq.com> Reviewed-by: Ian Abbott <abbotti(a)mev.co.uk> --- drivers/comedi/drivers/pcl726.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/comedi/drivers/pcl726.c b/drivers/comedi/drivers/pcl726.c index 0430630e6ebb..b542896fa0e4 100644 --- a/drivers/comedi/drivers/pcl726.c +++ b/drivers/comedi/drivers/pcl726.c @@ -328,7 +328,8 @@ static int pcl726_attach(struct comedi_device *dev, * Hook up the external trigger source interrupt only if the * user config option is valid and the board supports interrupts. */ - if (it->options[1] && (board->irq_mask & (1 << it->options[1]))) { + if (it->options[1] > 0 && it->options[1] < 16 && + (board->irq_mask & (1U << it->options[1]))) { ret = request_irq(it->options[1], pcl726_interrupt, 0, dev->board_name, dev); if (ret == 0) { -- 2.47.2

1 month, 2 weeks

1
1
0 0

[STABLE 5.15+] f2fs: sysfs: add encoding_flags entry

by Lee Jones

On Wed, 16 Apr 2025, Chao Yu wrote: > This patch adds a new sysfs entry /sys/fs/f2fs/<disk>/encoding_flags, > it is a read-only entry to show the value of sb.s_encoding_flags, the > value is hexadecimal. > > =========================== ========== > Flag_Name Flag_Value > =========================== ========== > SB_ENC_STRICT_MODE_FL 0x00000001 > SB_ENC_NO_COMPAT_FALLBACK_FL 0x00000002 > =========================== ========== > > case#1 > mkfs.f2fs -f -O casefold -C utf8:strict /dev/vda > mount /dev/vda /mnt/f2fs > cat /sys/fs/f2fs/vda/encoding_flags > 1 > > case#2 > mkfs.f2fs -f -O casefold -C utf8 /dev/vda > fsck.f2fs --nolinear-lookup=1 /dev/vda > mount /dev/vda /mnt/f2fs > cat /sys/fs/f2fs/vda/encoding_flags > 2 > > Signed-off-by: Chao Yu <chao(a)kernel.org> > --- > Documentation/ABI/testing/sysfs-fs-f2fs | 13 +++++++++++++ > fs/f2fs/sysfs.c | 9 +++++++++ > 2 files changed, 22 insertions(+) This patch, commit 617e0491abe4 ("f2fs: sysfs: export linear_lookup in features directory") upstream, needs to find its way into all Stable branches containing upstream commit 91b587ba79e1 ("f2fs: Introduce linear search for dentries"), which is essentially linux-5.15.y and newer. stable/linux-5.4.y: MISSING: f2fs: Introduce linear search for dentries MISSING: f2fs: sysfs: export linear_lookup in features directory stable/linux-5.10.y: MISSING: f2fs: Introduce linear search for dentries MISSING: f2fs: sysfs: export linear_lookup in features directory stable/linux-5.15.y: b0938ffd39ae f2fs: Introduce linear search for dentries [5.15.179] MISSING: f2fs: sysfs: export linear_lookup in features directory stable/linux-6.1.y: de605097eb17 f2fs: Introduce linear search for dentries [6.1.129] MISSING: f2fs: sysfs: export linear_lookup in features directory stable/linux-6.6.y: 0bf2adad03e1 f2fs: Introduce linear search for dentries [6.6.76] MISSING: f2fs: sysfs: export linear_lookup in features directory stable/linux-6.12.y: 00d1943fe46d f2fs: Introduce linear search for dentries [6.12.13] MISSING: f2fs: sysfs: export linear_lookup in features directory mainline: 91b587ba79e1 f2fs: Introduce linear search for dentries 617e0491abe4 f2fs: sysfs: export linear_lookup in features directory > diff --git a/Documentation/ABI/testing/sysfs-fs-f2fs > b/Documentation/ABI/testing/sysfs-fs-f2fs index > 59adb7dc6f9e..0dbe6813b709 100644 --- > a/Documentation/ABI/testing/sysfs-fs-f2fs +++ > b/Documentation/ABI/testing/sysfs-fs-f2fs @@ -846,3 +846,16 @@ > Description: For several zoned storage devices, vendors will provide > extra space reserved_blocks. However, it is not enough, since this > extra space should not be shown to users. So, with this new sysfs > node, we can hide the space by substracting reserved_blocks from total > bytes. + +What: /sys/fs/f2fs/<disk>/encoding_flags > +Date: April 2025 +Contact: "Chao Yu" > <chao(a)kernel.org> +Description: This is a read-only entry to > show the value of sb.s_encoding_flags, the + value is > hexadecimal. + + =========================== > ========== + Flag_Name Flag_Value + > =========================== ========== + > SB_ENC_STRICT_MODE_FL 0x00000001 + > SB_ENC_NO_COMPAT_FALLBACK_FL 0x00000002 + > =========================== ========== diff --git > a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c index 3a3485622691..cf98c5cbb98a > 100644 --- a/fs/f2fs/sysfs.c +++ b/fs/f2fs/sysfs.c @@ -274,6 +274,13 > @@ static ssize_t encoding_show(struct f2fs_attr *a, return > sysfs_emit(buf, "(none)\n"); } > > +static ssize_t encoding_flags_show(struct f2fs_attr *a, + > struct f2fs_sb_info *sbi, char *buf) +{ + return sysfs_emit(buf, > "%x\n", + > le16_to_cpu(F2FS_RAW_SUPER(sbi)->s_encoding_flags)); +} + static > ssize_t mounted_time_sec_show(struct f2fs_attr *a, struct f2fs_sb_info > *sbi, char *buf) { @@ -1158,6 +1165,7 @@ > F2FS_GENERAL_RO_ATTR(features); > F2FS_GENERAL_RO_ATTR(current_reserved_blocks); > F2FS_GENERAL_RO_ATTR(unusable); F2FS_GENERAL_RO_ATTR(encoding); > +F2FS_GENERAL_RO_ATTR(encoding_flags); > F2FS_GENERAL_RO_ATTR(mounted_time_sec); > F2FS_GENERAL_RO_ATTR(main_blkaddr); > F2FS_GENERAL_RO_ATTR(pending_discard); @@ -1270,6 +1278,7 @@ static > struct attribute *f2fs_attrs[] = { ATTR_LIST(reserved_blocks), > ATTR_LIST(current_reserved_blocks), ATTR_LIST(encoding), + > ATTR_LIST(encoding_flags), ATTR_LIST(mounted_time_sec), #ifdef > CONFIG_F2FS_STAT_FS ATTR_LIST(cp_foreground_calls), -- 2.49.0 > -- Lee Jones [李琼斯]

1 month, 3 weeks

2
4
0 0

[PATCH 3/5] usb: gadget: udc: renesas_usb3: fix device leak at unbind

by Johan Hovold

Make sure to drop the reference to the companion device taken during probe when the driver is unbound. Fixes: 39facfa01c9f ("usb: gadget: udc: renesas_usb3: Add register of usb role switch") Cc: stable(a)vger.kernel.org # 4.19 Cc: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/usb/gadget/udc/renesas_usb3.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/usb/gadget/udc/renesas_usb3.c b/drivers/usb/gadget/udc/renesas_usb3.c index 3e4d56457597..d23b1762e0e4 100644 --- a/drivers/usb/gadget/udc/renesas_usb3.c +++ b/drivers/usb/gadget/udc/renesas_usb3.c @@ -2657,6 +2657,7 @@ static void renesas_usb3_remove(struct platform_device *pdev) struct renesas_usb3 *usb3 = platform_get_drvdata(pdev); debugfs_remove_recursive(usb3->dentry); + put_device(usb3->host_dev); device_remove_file(&pdev->dev, &dev_attr_role); cancel_work_sync(&usb3->role_work); -- 2.49.1

1 month, 3 weeks

1
0
0 0

[PATCH 1/5] usb: dwc3: imx8mp: fix device leak at unbind

by Johan Hovold

Make sure to drop the reference to the dwc3 device taken by of_find_device_by_node() on probe errors and on driver unbind. Fixes: 6dd2565989b4 ("usb: dwc3: add imx8mp dwc3 glue layer driver") Cc: stable(a)vger.kernel.org # 5.12 Cc: Li Jun <jun.li(a)nxp.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/usb/dwc3/dwc3-imx8mp.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/usb/dwc3/dwc3-imx8mp.c b/drivers/usb/dwc3/dwc3-imx8mp.c index 3edc5aca76f9..bce6af82f54c 100644 --- a/drivers/usb/dwc3/dwc3-imx8mp.c +++ b/drivers/usb/dwc3/dwc3-imx8mp.c @@ -244,7 +244,7 @@ static int dwc3_imx8mp_probe(struct platform_device *pdev) IRQF_ONESHOT, dev_name(dev), dwc3_imx); if (err) { dev_err(dev, "failed to request IRQ #%d --> %d\n", irq, err); - goto depopulate; + goto put_dwc3; } device_set_wakeup_capable(dev, true); @@ -252,6 +252,8 @@ static int dwc3_imx8mp_probe(struct platform_device *pdev) return 0; +put_dwc3: + put_device(&dwc3_imx->dwc3->dev); depopulate: of_platform_depopulate(dev); remove_swnode: @@ -265,8 +267,11 @@ static int dwc3_imx8mp_probe(struct platform_device *pdev) static void dwc3_imx8mp_remove(struct platform_device *pdev) { + struct dwc3_imx8mp *dwc3_imx = platform_get_drvdata(pdev); struct device *dev = &pdev->dev; + put_device(&dwc3_imx->dwc3->dev); + pm_runtime_get_sync(dev); of_platform_depopulate(dev); device_remove_software_node(dev); -- 2.49.1

1 month, 3 weeks

1
0
0 0

Linux 6.15.8

by Greg Kroah-Hartman

I'm announcing the release of the 6.15.8 kernel. All users of the 6.15 kernel series must upgrade. The updated 6.15.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.15.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi | 3 arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 1 arch/arm64/boot/dts/freescale/imx8mp-venice-gw71xx.dtsi | 2 arch/arm64/boot/dts/freescale/imx8mp-venice-gw72xx.dtsi | 2 arch/arm64/boot/dts/freescale/imx8mp-venice-gw73xx.dtsi | 2 arch/arm64/boot/dts/freescale/imx8mp-venice-gw74xx.dts | 2 arch/arm64/boot/dts/freescale/imx95-15x15-evk.dts | 20 arch/arm64/boot/dts/freescale/imx95-19x19-evk.dts | 12 arch/arm64/boot/dts/freescale/imx95.dtsi | 2 arch/arm64/boot/dts/rockchip/px30-ringneck.dtsi | 23 arch/arm64/boot/dts/rockchip/rk3576-armsom-sige5.dts | 28 arch/arm64/boot/dts/rockchip/rk3588-coolpi-cm5.dtsi | 1 arch/arm64/boot/dts/rockchip/rk3588s-coolpi-4b.dts | 1 arch/riscv/kernel/traps.c | 10 arch/riscv/kernel/traps_misaligned.c | 2 arch/s390/net/bpf_jit_comp.c | 10 arch/x86/kvm/xen.c | 2 block/blk-sysfs.c | 1 drivers/block/loop.c | 5 drivers/bluetooth/bfusb.c | 2 drivers/bluetooth/bpa10x.c | 2 drivers/bluetooth/btbcm.c | 8 drivers/bluetooth/btintel.c | 30 drivers/bluetooth/btintel_pcie.c | 8 drivers/bluetooth/btmtksdio.c | 4 drivers/bluetooth/btmtkuart.c | 2 drivers/bluetooth/btnxpuart.c | 2 drivers/bluetooth/btqca.c | 2 drivers/bluetooth/btqcomsmd.c | 2 drivers/bluetooth/btrtl.c | 10 drivers/bluetooth/btsdio.c | 2 drivers/bluetooth/btusb.c | 148 +- drivers/bluetooth/hci_aml.c | 2 drivers/bluetooth/hci_bcm.c | 4 drivers/bluetooth/hci_bcm4377.c | 10 drivers/bluetooth/hci_intel.c | 2 drivers/bluetooth/hci_ldisc.c | 6 drivers/bluetooth/hci_ll.c | 4 drivers/bluetooth/hci_nokia.c | 2 drivers/bluetooth/hci_qca.c | 14 drivers/bluetooth/hci_serdev.c | 8 drivers/bluetooth/hci_vhci.c | 8 drivers/bluetooth/virtio_bt.c | 10 drivers/comedi/comedi_fops.c | 30 drivers/comedi/drivers.c | 17 drivers/comedi/drivers/aio_iiro_16.c | 3 drivers/comedi/drivers/comedi_test.c | 2 drivers/comedi/drivers/das16m1.c | 3 drivers/comedi/drivers/das6402.c | 3 drivers/comedi/drivers/pcl812.c | 3 drivers/cpuidle/cpuidle-psci.c | 23 drivers/dma/mediatek/mtk-cqdma.c | 4 drivers/dma/nbpfaxi.c | 11 drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 9 drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c | 1 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 11 drivers/gpu/drm/amd/display/dc/clk_mgr/dcn401/dcn401_clk_mgr.c | 3 drivers/gpu/drm/mediatek/mtk_crtc.c | 36 drivers/gpu/drm/mediatek/mtk_crtc.h | 1 drivers/gpu/drm/mediatek/mtk_ddp_comp.c | 1 drivers/gpu/drm/mediatek/mtk_ddp_comp.h | 9 drivers/gpu/drm/mediatek/mtk_disp_drv.h | 1 drivers/gpu/drm/mediatek/mtk_disp_ovl.c | 7 drivers/gpu/drm/mediatek/mtk_plane.c | 12 drivers/gpu/drm/mediatek/mtk_plane.h | 3 drivers/gpu/drm/panfrost/panfrost_job.c | 2 drivers/gpu/drm/xe/xe_gt.c | 13 drivers/gpu/drm/xe/xe_gt_sriov_pf.c | 19 drivers/gpu/drm/xe/xe_gt_sriov_pf.h | 5 drivers/gpu/drm/xe/xe_gt_sriov_pf_config.c | 27 drivers/gpu/drm/xe/xe_ring_ops.c | 22 drivers/hid/hid-core.c | 19 drivers/hwmon/corsair-cpro.c | 5 drivers/i2c/busses/i2c-omap.c | 7 drivers/i2c/busses/i2c-stm32.c | 8 drivers/i2c/busses/i2c-stm32f7.c | 24 drivers/iio/accel/fxls8962af-core.c | 2 drivers/iio/accel/st_accel_core.c | 10 drivers/iio/adc/ad7380.c | 5 drivers/iio/adc/adi-axi-adc.c | 6 drivers/iio/adc/axp20x_adc.c | 1 drivers/iio/adc/max1363.c | 43 drivers/iio/adc/stm32-adc-core.c | 7 drivers/iio/common/st_sensors/st_sensors_core.c | 36 drivers/iio/common/st_sensors/st_sensors_trigger.c | 20 drivers/iio/industrialio-backend.c | 5 drivers/input/joystick/xpad.c | 2 drivers/md/dm-bufio.c | 6 drivers/memstick/core/memstick.c | 2 drivers/mmc/host/bcm2835.c | 3 drivers/mmc/host/sdhci-pci-core.c | 3 drivers/mmc/host/sdhci_am654.c | 9 drivers/net/can/m_can/tcan4x5x-core.c | 61 - drivers/net/ethernet/airoha/airoha_npu.c | 3 drivers/net/ethernet/intel/ice/ice_debugfs.c | 2 drivers/net/ethernet/intel/ice/ice_lag.c | 3 drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 12 drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c | 8 drivers/net/ethernet/wangxun/libwx/wx_hw.c | 9 drivers/net/ethernet/wangxun/libwx/wx_lib.c | 20 drivers/net/ethernet/wangxun/libwx/wx_type.h | 2 drivers/net/ethernet/xilinx/xilinx_emaclite.c | 2 drivers/net/hyperv/netvsc_drv.c | 5 drivers/net/phy/phy_device.c | 6 drivers/net/usb/sierra_net.c | 4 drivers/net/virtio_net.c | 2 drivers/net/wireless/intel/iwlwifi/fw/api/nvm-reg.h | 5 drivers/net/wireless/intel/iwlwifi/fw/regulatory.c | 1 drivers/net/wireless/intel/iwlwifi/mld/regulatory.c | 4 drivers/nvme/host/core.c | 27 drivers/nvme/target/tcp.c | 4 drivers/nvmem/imx-ocotp-ele.c | 5 drivers/nvmem/imx-ocotp.c | 5 drivers/nvmem/layouts/u-boot-env.c | 6 drivers/phy/phy-core.c | 5 drivers/phy/tegra/xusb-tegra186.c | 75 - drivers/phy/tegra/xusb.h | 1 drivers/pmdomain/governor.c | 18 drivers/soc/aspeed/aspeed-lpc-snoop.c | 13 drivers/soundwire/amd_manager.c | 4 drivers/soundwire/qcom.c | 26 drivers/spi/spi.c | 14 drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 95 + drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c | 1 drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.h | 2 drivers/thunderbolt/switch.c | 10 drivers/thunderbolt/tb.h | 2 drivers/thunderbolt/usb4.c | 12 drivers/tty/serial/pch_uart.c | 2 drivers/usb/core/hub.c | 36 drivers/usb/core/hub.h | 1 drivers/usb/dwc2/gadget.c | 38 drivers/usb/dwc3/dwc3-qcom.c | 8 drivers/usb/gadget/configfs.c | 4 drivers/usb/musb/musb_gadget.c | 2 drivers/usb/serial/ftdi_sio.c | 2 drivers/usb/serial/ftdi_sio_ids.h | 3 drivers/usb/serial/option.c | 5 fs/cachefiles/io.c | 2 fs/cachefiles/ondemand.c | 4 fs/efivarfs/super.c | 6 fs/isofs/inode.c | 9 fs/netfs/read_pgpriv2.c | 5 fs/notify/dnotify/dnotify.c | 8 fs/smb/client/cifs_debug.c | 23 fs/smb/client/file.c | 10 fs/smb/client/smb2inode.c | 3 fs/smb/client/smb2ops.c | 24 fs/smb/client/smbdirect.c | 544 ++++------ fs/smb/client/smbdirect.h | 64 - fs/smb/common/smbdirect/smbdirect.h | 37 fs/smb/common/smbdirect/smbdirect_pdu.h | 55 + fs/smb/common/smbdirect/smbdirect_socket.h | 43 fs/xfs/libxfs/xfs_group.c | 14 fs/xfs/xfs_extent_busy.h | 8 include/linux/phy/phy.h | 2 include/net/bluetooth/hci.h | 2 include/net/bluetooth/hci_core.h | 50 include/net/cfg80211.h | 2 include/net/netfilter/nf_conntrack.h | 15 include/trace/events/netfs.h | 30 include/trace/events/rxrpc.h | 6 io_uring/net.c | 12 io_uring/poll.c | 2 kernel/bpf/helpers.c | 11 kernel/cgroup/legacy_freezer.c | 8 kernel/freezer.c | 15 kernel/sched/ext.c | 12 kernel/sched/loadavg.c | 2 kernel/sched/sched.h | 2 kernel/trace/trace_events.c | 5 kernel/trace/trace_osnoise.c | 2 kernel/trace/trace_probe.c | 2 net/8021q/vlan.c | 42 net/8021q/vlan.h | 1 net/bluetooth/hci_core.c | 4 net/bluetooth/hci_debugfs.c | 8 net/bluetooth/hci_event.c | 19 net/bluetooth/hci_sync.c | 63 - net/bluetooth/l2cap_core.c | 26 net/bluetooth/l2cap_sock.c | 3 net/bluetooth/mgmt.c | 38 net/bluetooth/msft.c | 2 net/bluetooth/smp.c | 21 net/bluetooth/smp.h | 1 net/bridge/br_switchdev.c | 3 net/ipv4/tcp_offload.c | 1 net/ipv4/udp_offload.c | 1 net/ipv6/mcast.c | 2 net/ipv6/rpl_iptunnel.c | 8 net/mptcp/options.c | 3 net/mptcp/pm.c | 8 net/mptcp/protocol.c | 56 - net/mptcp/protocol.h | 29 net/mptcp/subflow.c | 30 net/netfilter/nf_conntrack_core.c | 26 net/packet/af_packet.c | 27 net/phonet/pep.c | 2 net/rxrpc/ar-internal.h | 4 net/rxrpc/call_accept.c | 14 net/rxrpc/call_object.c | 28 net/rxrpc/io_thread.c | 14 net/rxrpc/output.c | 22 net/rxrpc/peer_object.c | 6 net/rxrpc/recvmsg.c | 23 net/rxrpc/security.c | 8 net/sched/sch_htb.c | 4 net/sched/sch_qfq.c | 30 net/smc/af_smc.c | 14 net/smc/smc.h | 8 net/tls/tls_strp.c | 3 rust/Makefile | 1 rust/kernel/firmware.rs | 2 rust/kernel/init.rs | 8 rust/kernel/kunit.rs | 2 rust/kernel/lib.rs | 2 rust/macros/module.rs | 10 scripts/Makefile.build | 2 sound/core/compress_offload.c | 48 sound/pci/hda/patch_realtek.c | 2 tools/hv/hv_fcopy_uio_daemon.c | 91 + tools/lib/bpf/libbpf.c | 20 tools/objtool/check.c | 1 tools/testing/selftests/net/udpgro.sh | 8 tools/testing/selftests/sched_ext/exit.c | 8 227 files changed, 2113 insertions(+), 1236 deletions(-) Al Viro (1): fix a leak in fcntl_dirnotify() Alessandro Gasbarroni (1): Bluetooth: hci_sync: fix connectable extended advertising when using static random address Alexey Charkov (1): arm64: dts: rockchip: list all CPU supplies on ArmSoM Sige5 Alok Tiwari (3): thunderbolt: Fix bit masking in tb_dp_port_set_hops() net: emaclite: Fix missing pointer increment in aligned_read() net: airoha: fix potential use-after-free in airoha_npu_get() Amit Pundir (1): soundwire: Revert "soundwire: qcom: Add set_channel_map api support" Andrea Righi (1): selftests/sched_ext: Fix exit selftest hang on UP Andreas Schwab (1): riscv: traps_misaligned: properly sign extend value in misaligned load handler Andrew Jeffery (2): soc: aspeed: lpc-snoop: Cleanup resources in stack-order soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled Andrii Nakryiko (1): libbpf: Fix handling of BPF arena relocations Andy Yan (2): arm64: dts: rockchip: Add cd-gpios for sdcard detect on Cool Pi CM5 arm64: dts: rockchip: Add cd-gpios for sdcard detect on Cool Pi 4B Arnd Bergmann (1): ALSA: compress_offload: tighten ioctl command number checks Aruna Ramakrishna (1): sched: Change nr_uninterruptible type to unsigned long Balasubramani Vivekanandan (1): drm/xe/mocs: Initialize MOCS index early Benjamin Tissoires (3): HID: core: ensure the allocated report buffer can contain the reserved report ID HID: core: ensure __hid_request reserves the report ID as the first byte HID: core: do not bypass hid_hw_raw_request Breno Leitao (2): efivarfs: Fix memory leak of efivarfs_fs_info in fs_context error paths sched/ext: Prevent update_locked_rq() calls with NULL rq Brett Werling (1): can: tcan4x5x: fix reset gpio usage during probe Chen Ni (1): iio: adc: stm32-adc: Fix race in installing chained IRQ handler Chen Ridong (2): Revert "cgroup_freezer: cgroup_freezing: Check if not frozen" sched,freezer: Remove unnecessary warning in __thaw_task Chen-Yu Tsai (1): iio: adc: axp20x_adc: Add missing sentinel to AXP717 ADC channel maps Cheng Ming Lin (1): spi: Add check for 8-bit transfer with 8 IO mode support Christian Eggers (3): Bluetooth: hci_core: fix typos in macros Bluetooth: hci_core: add missing braces when using macro parameters Bluetooth: hci_dev: replace 'quirks' integer by 'quirk_flags' bitmap Christoph Hellwig (2): xfs: don't allocate the xfs_extent_busy structure for zoned RTGs nvme: revert the cross-controller atomic write size validation Christoph Paasch (1): net/mlx5: Correctly set gso_size when LRO is used Christophe JAILLET (2): i2c: omap: Handle omap_i2c_init() errors in omap_i2c_probe() i2c: omap: Fix an error handling path in omap_i2c_probe() Clayton King (1): drm/amd/display: Free memory allocation Clément Le Goffic (2): i2c: stm32: fix the device used for the DMA map i2c: stm32f7: unmap DMA mapped buffer Dan Carpenter (1): dmaengine: nbpfaxi: Fix memory corruption in probe() Daniel Lezcano (1): cpuidle: psci: Fix cpuhotplug routine with PREEMPT_RT=y Dave Ertman (1): ice: add NULL check in eswitch lag check David Howells (9): netfs: Fix copy-to-cache so that it performs collection with ceph+fscache netfs: Fix race between cache write completion and ALL_QUEUED being set rxrpc: Fix irq-disabled in local_bh_enable() rxrpc: Fix recv-recv race of completed call rxrpc: Fix notification vs call-release vs recvmsg rxrpc: Fix transmission of an abort in response to an abort rxrpc: Fix to use conn aborts for conn-wide failures cifs: Fix the smbd_response slab to allow usercopy cifs: Fix reading into an ITER_FOLIOQ from the smbdirect code David Lechner (2): iio: adc: ad7380: fix adi,gain-milli property parsing iio: adc: adi-axi-adc: fix ad7606_bus_reg_read() Dmitry Baryshkov (1): phy: use per-PHY lockdep keys Dong Chenchen (1): net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime Drew Hamilton (1): usb: musb: fix gadget state on disconnect Edip Hazuri (1): ALSA: hda/realtek - Fix mute LED for HP Victus 16-r0xxx Edson Juliano Drosdeck (1): mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models Eeli Haapalainen (1): drm/amdgpu/gfx8: reset compute ring wptr on the GPU on resume Fabio Estevam (2): iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[] iio: adc: max1363: Reorder mode_list[] entries Fabio Porcedda (1): USB: serial: option: add Telit Cinterion FE910C04 (ECM) composition Felix Fietkau (1): net: fix segmentation after TCP/UDP fraglist GRO Florian Westphal (1): netfilter: nf_conntrack: fix crash due to removal of uninitialised entry Francesco Dolcini (1): arm64: dts: freescale: imx8mm-verdin: Keep LDO5 always on Greg Kroah-Hartman (1): Linux 6.15.8 Haotien Hsu (1): phy: tegra: xusb: Disable periodic tracking on Tegra234 Ian Abbott (9): comedi: pcl812: Fix bit shift out of bounds comedi: aio_iiro_16: Fix bit shift out of bounds comedi: das16m1: Fix bit shift out of bounds comedi: das6402: Fix bit shift out of bounds comedi: comedi_test: Fix possible deletion of uninitialized timers comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large comedi: Fix some signed shift left operations comedi: Fix use of uninitialized data in insn_rw_emulate_bits() comedi: Fix initialization of data for instructions that write to subdevice Icenowy Zheng (1): drm/mediatek: only announce AFBC if really supported Ilya Leoshkevich (1): s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again Jakob Unterwurzacher (1): arm64: dts: rockchip: use cs-gpios for spi1 on ringneck Jakub Kicinski (1): tls: always refresh the queue when reading sock Jan Kara (1): isofs: Verify inode mode when loading from disk Janne Grunau (1): rust: init: Fix generics in *_init! macros Jason-JH Lin (1): drm/mediatek: Add wait_event_timeout when disabling plane Jiawen Wu (4): net: libwx: remove duplicate page_pool_put_full_page() net: libwx: fix the using of Rx buffer DMA net: libwx: properly reset Rx ring descriptor net: libwx: fix multicast packets received count Johannes Berg (1): wifi: cfg80211: remove scan request n_channels counted_by John Garry (1): nvme: fix endianness of command word prints in nvme_log_err_passthru() Joseph Huang (1): net: bridge: Do not offload IGMP/MLD messages Judith Mendez (1): mmc: sdhci_am654: Workaround for Errata i2312 Krishna Kurapati (1): usb: dwc3: qcom: Don't leave BCR asserted Kuniyuki Iwashima (3): rpl: Fix use-after-free in rpl_do_srh_inline(). smc: Fix various oops due to inet_sock type confusion. Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() Li Tian (1): hv_netvsc: Set VF priv_flags to IFF_NO_ADDRCONF before open to prevent IPv6 addrconf Lijo Lazar (1): drm/amdgpu: Increase reset counter only on success Luiz Augusto von Dentz (4): Bluetooth: btintel: Check if controller is ISO capable on btintel_classify_pkt_type Bluetooth: SMP: If an unallowed command is received consider it a failure Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU Manuel Andreas (1): KVM: x86/xen: Fix cleanup logic in emulation of Xen schedop poll hypercalls Maor Gottlieb (1): net/mlx5: Update the list of the PCI supported devices Mario Limonciello (1): thunderbolt: Fix wake on connect at runtime Marius Zachmann (1): hwmon: (corsair-cpro) Validate the size of the received input buffer Markus Blöchl (1): net: stmmac: intel: populate entire system_counterval_t in get_time_fn() callback Markus Burri (1): iio: backend: fix out-of-bound write Mathias Nyman (4): usb: hub: fix detection of high tier USB3 devices behind suspended hubs usb: hub: Fix flushing and scheduling of delayed work that tunes runtime pm usb: hub: Fix flushing of delayed work used for post resume purposes usb: hub: Don't try to recover devices lost during warm reset. Matthew Brost (1): drm/xe: Move page fault init after topology init Maud Spierings (1): iio: common: st_sensors: Fix use of uninitialize device structs Maulik Shah (1): pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov Maurizio Lombardi (1): nvmet-tcp: fix callback lock for TLS handshake Melissa Wen (1): drm/amd/display: Disable CRTC degamma LUT for DCN401 Meng Li (1): arm64: dts: add big-endian property back into watchdog node Michael C. Pratt (1): nvmem: layouts: u-boot-env: remove crc32 endianness conversion Michal Swiatkowski (1): ice: check correct pointer in fwlog debugfs Michal Wajdeczko (2): drm/xe/pf: Prepare to stop SR-IOV support prior GT reset drm/xe/pf: Resend PF provisioning after GT reset Miguel Ojeda (2): objtool/rust: add one more `noreturn` Rust function for Rust 1.89.0 rust: use `#[used(compiler)]` to fix build and `modpost` with Rust >= 1.89.0 Minas Harutyunyan (1): usb: dwc2: gadget: Fix enter to hibernation for UTMI+ PHY Ming Lei (2): block: fix kobject leak in blk_unregister_queue loop: use kiocb helpers to fix lockdep warning Nam Cao (1): riscv: Enable interrupt during exception handling Naman Jain (1): tools/hv: fcopy: Fix irregularities with size of ring buffer Nathan Chancellor (3): tracing/probes: Avoid using params uninitialized in parse_btf_arg() phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept() memstick: core: Zero initialize id_reg in h_memstick_read_dev_id() Nilton Perim Neto (1): Input: xpad - set correct controller type for Acer NGR200 Oliver Neukum (1): usb: net: sierra: check for no status endpoint Pagadala Yesu Anjaneyulu (1): wifi: iwlwifi: mask reserved bits in chan_state_active_bitmap Paolo Abeni (4): mptcp: make fallback action and fallback decision atomic mptcp: plug races between subflow fail and subflow creation mptcp: reset fallback status gracefully at disconnect() time selftests: net: increase inter-packet timeout in udpgro.sh Paul Chaignon (1): bpf: Reject %p% format string in bprintf-like helpers Pavel Begunkov (1): io_uring/poll: fix POLLERR handling Philipp Stanner (1): drm/panfrost: Fix scheduler workqueue bug Qiu-ji Chen (1): dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status() Richard Zhu (1): arm64: dts: imx95: Correct the DMA interrupter number of pcie0_ep Ryan Mann (NDI) (1): USB: serial: ftdi_sio: add support for NDI EMGUIDE GEMINI Sean Anderson (1): net: phy: Don't register LEDs for genphy Sean Nyekjaer (1): iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush Sheng Yong (1): dm-bufio: fix sched in atomic context Slark Xiao (1): USB: serial: option: add Foxconn T99W640 Stefan Metzmacher (8): smb: smbdirect: add smbdirect_pdu.h with protocol definitions smb: client: make use of common smbdirect_pdu.h smb: smbdirect: add smbdirect.h with public structures smb: smbdirect: add smbdirect_socket.h smb: client: make use of common smbdirect_socket smb: smbdirect: introduce smbdirect_socket_parameters smb: client: make use of common smbdirect_socket_parameters smb: client: let smbd_post_send_iter() respect the peers max_send_size and transmit all data Stefan Wahren (2): Revert "staging: vchiq_arm: Improve initial VCHIQ connect" Revert "staging: vchiq_arm: Create keep-alive thread during probe" Steffen Bätz (1): nvmem: imx-ocotp: fix MAC address byte length Steve French (1): Fix SMB311 posix special file creation to servers which do not advertise reparse support Steven Rostedt (1): tracing: Add down_write(trace_event_sem) when adding trace event Takashi Iwai (1): ALSA: hda/realtek: Add quirk for ASUS ROG Strix G712LWS Tejas Upadhyay (1): drm/xe: Dont skip TLB invalidations on VF Thomas Fourier (2): pch_uart: Fix dma_sync_sg_for_device() nents value mmc: bcm2835: Fix dma_unmap_sg() nents value Tim Harvey (4): arm64: dts: imx8mp-venice-gw74xx: fix TPM SPI frequency arm64: dts: imx8mp-venice-gw71xx: fix TPM SPI frequency arm64: dts: imx8mp-venice-gw72xx: fix TPM SPI frequency arm64: dts: imx8mp-venice-gw73xx: fix TPM SPI frequency Tomas Glozar (1): tracing/osnoise: Fix crash in timerlat_dump_stack() Vijendar Mukunda (2): soundwire: amd: fix for handling slave alerts after link is down soundwire: amd: fix for clearing command status register Wang Zhaolong (2): smb: client: fix use-after-free in crypt_message when using async crypto smb: client: fix use-after-free in cifs_oplock_break Wayne Chang (2): phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode phy: tegra: xusb: Decouple CYA_TRK_CODE_UPDATE_ON_IDLE from trk_hw_mode Wei Fang (2): arm64: dts: imx95-19x19-evk: fix the overshoot issue of NETC arm64: dts: imx95-15x15-evk: fix the overshoot issue of NETC William Liu (1): net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree Xiang Mei (1): net/sched: sch_qfq: Fix race condition on qfq_aggregate Xinyu Liu (1): usb: gadget: configfs: Fix OOB read on empty string write Yu Kuai (1): nvme: fix misaccounting of nvme-mpath inflight I/O Yue Haibing (1): ipv6: mcast: Delay put pmc->idev in mld_del_delrec() Yun Lu (2): af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd() af_packet: fix soft lockup issue caused by tpacket_snd() Zheng Qixing (1): nvme: fix inconsistent RCU list manipulation in nvme_ns_add_to_ctrl_list() Zigit Zo (1): virtio-net: fix recursived rtnl_lock() during probe() Zijun Hu (1): Bluetooth: btusb: QCA: Fix downloading wrong NVM for WCN6855 GF variant without board ID Zizhi Wo (1): cachefiles: Fix the incorrect return value in __cachefiles_write()

1 month, 3 weeks

1
1
0 0

Linux 6.12.40

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.40 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi | 3 arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 1 arch/arm64/boot/dts/freescale/imx8mp-venice-gw71xx.dtsi | 2 arch/arm64/boot/dts/freescale/imx8mp-venice-gw72xx.dtsi | 2 arch/arm64/boot/dts/freescale/imx8mp-venice-gw73xx.dtsi | 2 arch/arm64/boot/dts/freescale/imx8mp-venice-gw74xx.dts | 2 arch/arm64/boot/dts/freescale/imx95.dtsi | 2 arch/arm64/boot/dts/rockchip/px30-ringneck.dtsi | 23 ++ arch/arm64/boot/dts/rockchip/rk3588-coolpi-cm5.dtsi | 1 arch/arm64/boot/dts/rockchip/rk3588s-coolpi-4b.dts | 1 arch/riscv/kernel/traps.c | 10 arch/riscv/kernel/traps_misaligned.c | 2 arch/s390/net/bpf_jit_comp.c | 10 arch/x86/kvm/xen.c | 2 block/blk-sysfs.c | 1 drivers/block/loop.c | 5 drivers/bluetooth/btintel.c | 2 drivers/bluetooth/btusb.c | 78 +++--- drivers/comedi/comedi_fops.c | 30 ++ drivers/comedi/drivers.c | 17 - drivers/comedi/drivers/aio_iiro_16.c | 3 drivers/comedi/drivers/das16m1.c | 3 drivers/comedi/drivers/das6402.c | 3 drivers/comedi/drivers/pcl812.c | 3 drivers/cpuidle/cpuidle-psci.c | 23 +- drivers/dma/nbpfaxi.c | 11 drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 9 drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c | 1 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 11 drivers/gpu/drm/amd/display/dc/clk_mgr/dcn401/dcn401_clk_mgr.c | 3 drivers/gpu/drm/mediatek/mtk_crtc.c | 36 +++ drivers/gpu/drm/mediatek/mtk_crtc.h | 1 drivers/gpu/drm/mediatek/mtk_ddp_comp.c | 1 drivers/gpu/drm/mediatek/mtk_ddp_comp.h | 9 drivers/gpu/drm/mediatek/mtk_disp_drv.h | 1 drivers/gpu/drm/mediatek/mtk_disp_ovl.c | 7 drivers/gpu/drm/mediatek/mtk_plane.c | 12 - drivers/gpu/drm/mediatek/mtk_plane.h | 3 drivers/gpu/drm/xe/xe_gt.c | 13 - drivers/gpu/drm/xe/xe_gt_sriov_pf.c | 114 +++++++++- drivers/gpu/drm/xe/xe_gt_sriov_pf.h | 6 drivers/gpu/drm/xe/xe_gt_sriov_pf_control.c | 3 drivers/gpu/drm/xe/xe_gt_sriov_pf_types.h | 10 drivers/hid/hid-core.c | 19 + drivers/hwmon/corsair-cpro.c | 5 drivers/i2c/busses/Kconfig | 1 drivers/i2c/busses/i2c-omap.c | 30 ++ drivers/i2c/busses/i2c-stm32.c | 8 drivers/i2c/busses/i2c-stm32f7.c | 24 -- drivers/iio/accel/fxls8962af-core.c | 2 drivers/iio/accel/st_accel_core.c | 10 drivers/iio/adc/axp20x_adc.c | 1 drivers/iio/adc/max1363.c | 43 +-- drivers/iio/adc/stm32-adc-core.c | 7 drivers/iio/common/st_sensors/st_sensors_core.c | 36 +-- drivers/iio/common/st_sensors/st_sensors_trigger.c | 20 - drivers/iio/industrialio-backend.c | 5 drivers/input/joystick/xpad.c | 2 drivers/iommu/intel/iommu.c | 6 drivers/md/dm-bufio.c | 6 drivers/memstick/core/memstick.c | 2 drivers/mmc/host/bcm2835.c | 3 drivers/mmc/host/sdhci-pci-core.c | 3 drivers/mmc/host/sdhci_am654.c | 9 drivers/net/can/m_can/tcan4x5x-core.c | 80 +++++-- drivers/net/can/m_can/tcan4x5x.h | 2 drivers/net/ethernet/intel/ice/ice_debugfs.c | 2 drivers/net/ethernet/intel/ice/ice_lag.c | 3 drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 12 - drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c | 8 drivers/net/ethernet/wangxun/libwx/wx_hw.c | 9 drivers/net/ethernet/wangxun/libwx/wx_lib.c | 20 - drivers/net/ethernet/wangxun/libwx/wx_type.h | 2 drivers/net/ethernet/xilinx/xilinx_emaclite.c | 2 drivers/net/hyperv/netvsc_drv.c | 5 drivers/net/phy/phy_device.c | 6 drivers/net/usb/sierra_net.c | 4 drivers/net/virtio_net.c | 2 drivers/nvme/host/core.c | 18 - drivers/nvme/target/tcp.c | 4 drivers/nvmem/imx-ocotp-ele.c | 5 drivers/nvmem/imx-ocotp.c | 5 drivers/nvmem/layouts/u-boot-env.c | 6 drivers/phy/tegra/xusb-tegra186.c | 75 ++++-- drivers/phy/tegra/xusb.h | 1 drivers/pmdomain/governor.c | 18 + drivers/soc/aspeed/aspeed-lpc-snoop.c | 13 + drivers/soundwire/amd_manager.c | 4 drivers/spi/spi.c | 14 - drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 69 +++--- drivers/thunderbolt/switch.c | 10 drivers/thunderbolt/tb.h | 2 drivers/thunderbolt/usb4.c | 12 - drivers/tty/serial/pch_uart.c | 2 drivers/usb/core/hub.c | 36 ++- drivers/usb/core/hub.h | 1 drivers/usb/dwc2/gadget.c | 38 ++- drivers/usb/dwc3/dwc3-qcom.c | 8 drivers/usb/gadget/configfs.c | 4 drivers/usb/musb/musb_gadget.c | 2 drivers/usb/serial/ftdi_sio.c | 2 drivers/usb/serial/ftdi_sio_ids.h | 3 drivers/usb/serial/option.c | 5 fs/btrfs/block-group.c | 3 fs/cachefiles/io.c | 2 fs/cachefiles/ondemand.c | 4 fs/efivarfs/super.c | 6 fs/isofs/inode.c | 9 fs/namespace.c | 5 fs/notify/dnotify/dnotify.c | 8 fs/smb/client/file.c | 10 fs/smb/client/smb2ops.c | 7 fs/smb/client/smbdirect.c | 31 ++ include/net/bluetooth/hci_core.h | 22 - include/net/cfg80211.h | 2 include/net/netfilter/nf_conntrack.h | 15 + include/trace/events/rxrpc.h | 3 io_uring/net.c | 12 - io_uring/poll.c | 2 kernel/bpf/helpers.c | 11 kernel/cgroup/legacy_freezer.c | 8 kernel/freezer.c | 15 - kernel/sched/loadavg.c | 2 kernel/sched/sched.h | 2 kernel/trace/trace_events.c | 5 kernel/trace/trace_osnoise.c | 2 kernel/trace/trace_probe.c | 2 net/8021q/vlan.c | 42 ++- net/8021q/vlan.h | 1 net/bluetooth/hci_sync.c | 4 net/bluetooth/l2cap_core.c | 26 +- net/bluetooth/l2cap_sock.c | 3 net/bluetooth/smp.c | 21 + net/bluetooth/smp.h | 1 net/bridge/br_switchdev.c | 3 net/ipv4/tcp_offload.c | 1 net/ipv4/udp_offload.c | 1 net/ipv6/mcast.c | 2 net/ipv6/rpl_iptunnel.c | 8 net/mptcp/options.c | 3 net/mptcp/pm.c | 8 net/mptcp/protocol.c | 56 ++++ net/mptcp/protocol.h | 29 +- net/mptcp/subflow.c | 30 +- net/netfilter/nf_conntrack_core.c | 26 +- net/packet/af_packet.c | 27 +- net/phonet/pep.c | 2 net/rxrpc/call_accept.c | 1 net/rxrpc/output.c | 3 net/rxrpc/recvmsg.c | 19 + net/sched/sch_htb.c | 4 net/sched/sch_qfq.c | 30 +- net/smc/af_smc.c | 14 + net/smc/smc.h | 8 net/tls/tls_strp.c | 3 rust/Makefile | 1 rust/kernel/lib.rs | 1 rust/macros/module.rs | 10 scripts/Makefile.build | 2 sound/pci/hda/patch_realtek.c | 2 tools/lib/bpf/libbpf.c | 20 + tools/objtool/check.c | 1 tools/testing/selftests/bpf/prog_tests/token.c | 19 + tools/testing/selftests/net/udpgro.sh | 8 tools/testing/selftests/sched_ext/exit.c | 8 167 files changed, 1334 insertions(+), 543 deletions(-) Al Viro (2): fix a leak in fcntl_dirnotify() clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns Alessandro Gasbarroni (1): Bluetooth: hci_sync: fix connectable extended advertising when using static random address Alok Tiwari (2): thunderbolt: Fix bit masking in tb_dp_port_set_hops() net: emaclite: Fix missing pointer increment in aligned_read() Andrea Righi (1): selftests/sched_ext: Fix exit selftest hang on UP Andreas Schwab (1): riscv: traps_misaligned: properly sign extend value in misaligned load handler Andrew Jeffery (2): soc: aspeed: lpc-snoop: Cleanup resources in stack-order soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled Andrii Nakryiko (1): libbpf: Fix handling of BPF arena relocations Andy Yan (2): arm64: dts: rockchip: Add cd-gpios for sdcard detect on Cool Pi CM5 arm64: dts: rockchip: Add cd-gpios for sdcard detect on Cool Pi 4B Aruna Ramakrishna (1): sched: Change nr_uninterruptible type to unsigned long Balasubramani Vivekanandan (1): drm/xe/mocs: Initialize MOCS index early Ban ZuoXiang (1): iommu/vt-d: Fix misplaced domain_attached assignment Benjamin Tissoires (3): HID: core: ensure the allocated report buffer can contain the reserved report ID HID: core: ensure __hid_request reserves the report ID as the first byte HID: core: do not bypass hid_hw_raw_request Boris Burkov (1): btrfs: fix block group refcount race in btrfs_create_pending_block_groups() Breno Leitao (1): efivarfs: Fix memory leak of efivarfs_fs_info in fs_context error paths Brett Werling (1): can: tcan4x5x: fix reset gpio usage during probe Chen Ni (1): iio: adc: stm32-adc: Fix race in installing chained IRQ handler Chen Ridong (2): Revert "cgroup_freezer: cgroup_freezing: Check if not frozen" sched,freezer: Remove unnecessary warning in __thaw_task Chen-Yu Tsai (1): iio: adc: axp20x_adc: Add missing sentinel to AXP717 ADC channel maps Cheng Ming Lin (1): spi: Add check for 8-bit transfer with 8 IO mode support Christian Eggers (1): Bluetooth: hci_core: add missing braces when using macro parameters Christoph Paasch (1): net/mlx5: Correctly set gso_size when LRO is used Christophe JAILLET (2): i2c: omap: Fix an error handling path in omap_i2c_probe() i2c: omap: Handle omap_i2c_init() errors in omap_i2c_probe() Clayton King (1): drm/amd/display: Free memory allocation Clément Le Goffic (2): i2c: stm32: fix the device used for the DMA map i2c: stm32f7: unmap DMA mapped buffer Dan Carpenter (1): dmaengine: nbpfaxi: Fix memory corruption in probe() Daniel Lezcano (1): cpuidle: psci: Fix cpuhotplug routine with PREEMPT_RT=y Dave Ertman (1): ice: add NULL check in eswitch lag check David Howells (2): rxrpc: Fix recv-recv race of completed call rxrpc: Fix transmission of an abort in response to an abort Dong Chenchen (1): net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime Drew Hamilton (1): usb: musb: fix gadget state on disconnect Edip Hazuri (1): ALSA: hda/realtek - Fix mute LED for HP Victus 16-r0xxx Edson Juliano Drosdeck (1): mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models Eeli Haapalainen (1): drm/amdgpu/gfx8: reset compute ring wptr on the GPU on resume Fabio Estevam (2): iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[] iio: adc: max1363: Reorder mode_list[] entries Fabio Porcedda (1): USB: serial: option: add Telit Cinterion FE910C04 (ECM) composition Felix Fietkau (1): net: fix segmentation after TCP/UDP fraglist GRO Florian Westphal (1): netfilter: nf_conntrack: fix crash due to removal of uninitialised entry Francesco Dolcini (1): arm64: dts: freescale: imx8mm-verdin: Keep LDO5 always on Greg Kroah-Hartman (1): Linux 6.12.40 Haotien Hsu (1): phy: tegra: xusb: Disable periodic tracking on Tegra234 Ian Abbott (8): comedi: pcl812: Fix bit shift out of bounds comedi: aio_iiro_16: Fix bit shift out of bounds comedi: das16m1: Fix bit shift out of bounds comedi: das6402: Fix bit shift out of bounds comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large comedi: Fix some signed shift left operations comedi: Fix use of uninitialized data in insn_rw_emulate_bits() comedi: Fix initialization of data for instructions that write to subdevice Icenowy Zheng (1): drm/mediatek: only announce AFBC if really supported Ihor Solodrai (1): selftests/bpf: Set test path for token/obj_priv_implicit_token_envvar Ilya Leoshkevich (1): s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again Jakob Unterwurzacher (1): arm64: dts: rockchip: use cs-gpios for spi1 on ringneck Jakub Kicinski (1): tls: always refresh the queue when reading sock Jan Kara (1): isofs: Verify inode mode when loading from disk Jason-JH Lin (1): drm/mediatek: Add wait_event_timeout when disabling plane Jayesh Choudhary (1): i2c: omap: Add support for setting mux Jiawen Wu (4): net: libwx: remove duplicate page_pool_put_full_page() net: libwx: fix the using of Rx buffer DMA net: libwx: properly reset Rx ring descriptor net: libwx: fix multicast packets received count Johan Hovold (1): i2c: omap: fix deprecated of_property_read_bool() use Johannes Berg (1): wifi: cfg80211: remove scan request n_channels counted_by John Garry (1): nvme: fix endianness of command word prints in nvme_log_err_passthru() Joseph Huang (1): net: bridge: Do not offload IGMP/MLD messages Judith Mendez (1): mmc: sdhci_am654: Workaround for Errata i2312 Krishna Kurapati (1): usb: dwc3: qcom: Don't leave BCR asserted Kuniyuki Iwashima (3): rpl: Fix use-after-free in rpl_do_srh_inline(). smc: Fix various oops due to inet_sock type confusion. Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() Li Tian (1): hv_netvsc: Set VF priv_flags to IFF_NO_ADDRCONF before open to prevent IPv6 addrconf Lijo Lazar (1): drm/amdgpu: Increase reset counter only on success Luiz Augusto von Dentz (4): Bluetooth: btintel: Check if controller is ISO capable on btintel_classify_pkt_type Bluetooth: SMP: If an unallowed command is received consider it a failure Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU Manuel Andreas (1): KVM: x86/xen: Fix cleanup logic in emulation of Xen schedop poll hypercalls Maor Gottlieb (1): net/mlx5: Update the list of the PCI supported devices Mario Limonciello (1): thunderbolt: Fix wake on connect at runtime Marius Zachmann (1): hwmon: (corsair-cpro) Validate the size of the received input buffer Markus Blöchl (1): net: stmmac: intel: populate entire system_counterval_t in get_time_fn() callback Markus Burri (1): iio: backend: fix out-of-bound write Mathias Nyman (4): usb: hub: fix detection of high tier USB3 devices behind suspended hubs usb: hub: Fix flushing and scheduling of delayed work that tunes runtime pm usb: hub: Fix flushing of delayed work used for post resume purposes usb: hub: Don't try to recover devices lost during warm reset. Matthew Brost (1): drm/xe: Move page fault init after topology init Maud Spierings (1): iio: common: st_sensors: Fix use of uninitialize device structs Maulik Shah (1): pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov Maurizio Lombardi (1): nvmet-tcp: fix callback lock for TLS handshake Melissa Wen (1): drm/amd/display: Disable CRTC degamma LUT for DCN401 Meng Li (1): arm64: dts: add big-endian property back into watchdog node Michael C. Pratt (1): nvmem: layouts: u-boot-env: remove crc32 endianness conversion Michal Swiatkowski (1): ice: check correct pointer in fwlog debugfs Michal Wajdeczko (3): drm/xe/pf: Sanitize VF scratch registers on FLR drm/xe/pf: Move VFs reprovisioning to worker drm/xe/pf: Prepare to stop SR-IOV support prior GT reset Miguel Ojeda (2): objtool/rust: add one more `noreturn` Rust function for Rust 1.89.0 rust: use `#[used(compiler)]` to fix build and `modpost` with Rust >= 1.89.0 Minas Harutyunyan (1): usb: dwc2: gadget: Fix enter to hibernation for UTMI+ PHY Ming Lei (2): block: fix kobject leak in blk_unregister_queue loop: use kiocb helpers to fix lockdep warning Nam Cao (1): riscv: Enable interrupt during exception handling Nathan Chancellor (3): tracing/probes: Avoid using params uninitialized in parse_btf_arg() phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept() memstick: core: Zero initialize id_reg in h_memstick_read_dev_id() Nilton Perim Neto (1): Input: xpad - set correct controller type for Acer NGR200 Oliver Neukum (1): usb: net: sierra: check for no status endpoint Paolo Abeni (4): mptcp: make fallback action and fallback decision atomic mptcp: plug races between subflow fail and subflow creation mptcp: reset fallback status gracefully at disconnect() time selftests: net: increase inter-packet timeout in udpgro.sh Paul Chaignon (1): bpf: Reject %p% format string in bprintf-like helpers Pavel Begunkov (1): io_uring/poll: fix POLLERR handling Richard Zhu (1): arm64: dts: imx95: Correct the DMA interrupter number of pcie0_ep Ryan Mann (NDI) (1): USB: serial: ftdi_sio: add support for NDI EMGUIDE GEMINI Sean Anderson (1): net: phy: Don't register LEDs for genphy Sean Nyekjaer (2): iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush can: tcan4x5x: add option for selecting nWKRQ voltage Sheng Yong (1): dm-bufio: fix sched in atomic context Slark Xiao (1): USB: serial: option: add Foxconn T99W640 Stefan Metzmacher (1): smb: client: let smbd_post_send_iter() respect the peers max_send_size and transmit all data Stefan Wahren (1): Revert "staging: vchiq_arm: Create keep-alive thread during probe" Steffen Bätz (1): nvmem: imx-ocotp: fix MAC address byte length Steven Rostedt (1): tracing: Add down_write(trace_event_sem) when adding trace event Takashi Iwai (1): ALSA: hda/realtek: Add quirk for ASUS ROG Strix G712LWS Thomas Fourier (2): pch_uart: Fix dma_sync_sg_for_device() nents value mmc: bcm2835: Fix dma_unmap_sg() nents value Tim Harvey (4): arm64: dts: imx8mp-venice-gw74xx: fix TPM SPI frequency arm64: dts: imx8mp-venice-gw71xx: fix TPM SPI frequency arm64: dts: imx8mp-venice-gw72xx: fix TPM SPI frequency arm64: dts: imx8mp-venice-gw73xx: fix TPM SPI frequency Tomas Glozar (1): tracing/osnoise: Fix crash in timerlat_dump_stack() Vijendar Mukunda (2): soundwire: amd: fix for handling slave alerts after link is down soundwire: amd: fix for clearing command status register Wang Zhaolong (2): smb: client: fix use-after-free in crypt_message when using async crypto smb: client: fix use-after-free in cifs_oplock_break Wayne Chang (2): phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode phy: tegra: xusb: Decouple CYA_TRK_CODE_UPDATE_ON_IDLE from trk_hw_mode William Liu (1): net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree Xiang Mei (1): net/sched: sch_qfq: Fix race condition on qfq_aggregate Xinyu Liu (1): usb: gadget: configfs: Fix OOB read on empty string write Yu Kuai (1): nvme: fix misaccounting of nvme-mpath inflight I/O Yue Haibing (1): ipv6: mcast: Delay put pmc->idev in mld_del_delrec() Yun Lu (2): af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd() af_packet: fix soft lockup issue caused by tpacket_snd() Zheng Qixing (1): nvme: fix inconsistent RCU list manipulation in nvme_ns_add_to_ctrl_list() Zigit Zo (1): virtio-net: fix recursived rtnl_lock() during probe() Zijun Hu (1): Bluetooth: btusb: QCA: Fix downloading wrong NVM for WCN6855 GF variant without board ID Zizhi Wo (1): cachefiles: Fix the incorrect return value in __cachefiles_write()

1 month, 3 weeks

1
1
0 0

Linux 6.6.100

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.100 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 1 arch/arm64/boot/dts/freescale/imx8mp-venice-gw74xx.dts | 2 arch/arm64/boot/dts/rockchip/px30-ringneck.dtsi | 23 ++++ arch/arm64/kernel/cpufeature.c | 35 ++++-- arch/s390/net/bpf_jit_comp.c | 10 + arch/x86/kvm/xen.c | 2 block/blk-sysfs.c | 1 drivers/base/power/domain_governor.c | 18 +++ drivers/bluetooth/btusb.c | 78 ++++++++------- drivers/comedi/comedi_fops.c | 30 +++++ drivers/comedi/drivers.c | 17 +-- drivers/comedi/drivers/aio_iiro_16.c | 3 drivers/comedi/drivers/das16m1.c | 3 drivers/comedi/drivers/das6402.c | 3 drivers/comedi/drivers/pcl812.c | 3 drivers/dma/nbpfaxi.c | 11 -- drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c | 1 drivers/hid/hid-core.c | 19 ++- drivers/hwmon/corsair-cpro.c | 5 drivers/i2c/busses/Kconfig | 1 drivers/i2c/busses/i2c-omap.c | 30 +++++ drivers/i2c/busses/i2c-stm32.c | 8 - drivers/i2c/busses/i2c-stm32f7.c | 4 drivers/iio/accel/fxls8962af-core.c | 2 drivers/iio/adc/max1363.c | 43 ++++---- drivers/iio/adc/stm32-adc-core.c | 7 - drivers/input/joystick/xpad.c | 2 drivers/md/dm-bufio.c | 6 - drivers/memstick/core/memstick.c | 2 drivers/mmc/host/bcm2835.c | 3 drivers/mmc/host/sdhci-pci-core.c | 3 drivers/mmc/host/sdhci_am654.c | 9 + drivers/net/ethernet/intel/ice/ice_lag.c | 3 drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 12 +- drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 drivers/net/ethernet/wangxun/libwx/wx_hw.c | 7 - drivers/net/ethernet/wangxun/libwx/wx_lib.c | 20 +-- drivers/net/ethernet/wangxun/libwx/wx_type.h | 2 drivers/net/ethernet/xilinx/xilinx_emaclite.c | 2 drivers/net/hyperv/netvsc_drv.c | 5 drivers/net/phy/phy_device.c | 6 - drivers/net/usb/sierra_net.c | 4 drivers/nvme/host/core.c | 6 - drivers/nvmem/imx-ocotp-ele.c | 5 drivers/nvmem/imx-ocotp.c | 5 drivers/nvmem/u-boot-env.c | 6 - drivers/phy/tegra/xusb-tegra186.c | 75 ++++++++------ drivers/phy/tegra/xusb.h | 1 drivers/regulator/pwm-regulator.c | 40 +++++++ drivers/soc/aspeed/aspeed-lpc-snoop.c | 13 ++ drivers/soundwire/amd_manager.c | 4 drivers/spi/spi.c | 14 +- drivers/thunderbolt/switch.c | 10 - drivers/thunderbolt/tb.h | 2 drivers/thunderbolt/usb4.c | 12 -- drivers/tty/serial/pch_uart.c | 2 drivers/usb/core/hub.c | 36 ++++++ drivers/usb/core/hub.h | 1 drivers/usb/dwc3/dwc3-qcom.c | 8 - drivers/usb/gadget/configfs.c | 4 drivers/usb/musb/musb_gadget.c | 2 drivers/usb/serial/ftdi_sio.c | 2 drivers/usb/serial/ftdi_sio_ids.h | 3 drivers/usb/serial/option.c | 5 fs/cachefiles/io.c | 2 fs/cachefiles/ondemand.c | 4 fs/isofs/inode.c | 9 + fs/namespace.c | 5 fs/smb/client/file.c | 10 + fs/smb/client/smb2ops.c | 7 + include/net/cfg80211.h | 2 include/net/netfilter/nf_conntrack.h | 15 ++ include/trace/events/rxrpc.h | 3 io_uring/net.c | 12 +- io_uring/poll.c | 2 kernel/bpf/helpers.c | 11 +- kernel/cgroup/legacy_freezer.c | 8 - kernel/sched/loadavg.c | 2 kernel/sched/sched.h | 2 kernel/trace/trace_events.c | 5 kernel/trace/trace_osnoise.c | 2 kernel/trace/trace_probe.c | 2 net/8021q/vlan.c | 42 ++++++-- net/8021q/vlan.h | 1 net/bluetooth/hci_sync.c | 4 net/bluetooth/l2cap_core.c | 26 ++++- net/bluetooth/l2cap_sock.c | 3 net/bluetooth/smp.c | 21 +++- net/bluetooth/smp.h | 1 net/bridge/br_switchdev.c | 3 net/ipv6/addrconf.c | 3 net/ipv6/mcast.c | 2 net/ipv6/rpl_iptunnel.c | 8 - net/netfilter/nf_conntrack_core.c | 26 +++-- net/packet/af_packet.c | 27 ++--- net/phonet/pep.c | 2 net/rxrpc/call_accept.c | 1 net/rxrpc/output.c | 3 net/rxrpc/recvmsg.c | 19 +++ net/sched/sch_htb.c | 4 net/sched/sch_qfq.c | 30 ++++- net/tls/tls_strp.c | 3 sound/pci/hda/patch_realtek.c | 1 sound/soc/fsl/fsl_sai.c | 14 +- tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c | 27 ----- tools/testing/selftests/bpf/progs/dummy_st_ops_success.c | 13 -- tools/testing/selftests/net/udpgro.sh | 8 - 108 files changed, 751 insertions(+), 349 deletions(-) Al Viro (1): clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns Alessandro Gasbarroni (1): Bluetooth: hci_sync: fix connectable extended advertising when using static random address Alok Tiwari (2): thunderbolt: Fix bit masking in tb_dp_port_set_hops() net: emaclite: Fix missing pointer increment in aligned_read() Andrew Jeffery (2): soc: aspeed: lpc-snoop: Cleanup resources in stack-order soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled Arun Raghavan (1): ASoC: fsl_sai: Force a software reset when starting in consumer mode Aruna Ramakrishna (1): sched: Change nr_uninterruptible type to unsigned long Benjamin Tissoires (3): HID: core: ensure the allocated report buffer can contain the reserved report ID HID: core: ensure __hid_request reserves the report ID as the first byte HID: core: do not bypass hid_hw_raw_request Chen Ni (1): iio: adc: stm32-adc: Fix race in installing chained IRQ handler Chen Ridong (1): Revert "cgroup_freezer: cgroup_freezing: Check if not frozen" Cheng Ming Lin (1): spi: Add check for 8-bit transfer with 8 IO mode support Christoph Paasch (1): net/mlx5: Correctly set gso_size when LRO is used Christophe JAILLET (2): i2c: omap: Fix an error handling path in omap_i2c_probe() i2c: omap: Handle omap_i2c_init() errors in omap_i2c_probe() Clément Le Goffic (1): i2c: stm32: fix the device used for the DMA map Dan Carpenter (1): dmaengine: nbpfaxi: Fix memory corruption in probe() Dave Ertman (1): ice: add NULL check in eswitch lag check David Howells (2): rxrpc: Fix recv-recv race of completed call rxrpc: Fix transmission of an abort in response to an abort Dong Chenchen (1): net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime Drew Hamilton (1): usb: musb: fix gadget state on disconnect Edson Juliano Drosdeck (1): mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models Eeli Haapalainen (1): drm/amdgpu/gfx8: reset compute ring wptr on the GPU on resume Eric Dumazet (1): ipv6: make addrconf_wq single threaded Fabio Estevam (2): iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[] iio: adc: max1363: Reorder mode_list[] entries Fabio Porcedda (1): USB: serial: option: add Telit Cinterion FE910C04 (ECM) composition Florian Westphal (1): netfilter: nf_conntrack: fix crash due to removal of uninitialised entry Francesco Dolcini (1): arm64: dts: freescale: imx8mm-verdin: Keep LDO5 always on Greg Kroah-Hartman (1): Linux 6.6.100 Haotien Hsu (1): phy: tegra: xusb: Disable periodic tracking on Tegra234 Ian Abbott (8): comedi: pcl812: Fix bit shift out of bounds comedi: aio_iiro_16: Fix bit shift out of bounds comedi: das16m1: Fix bit shift out of bounds comedi: das6402: Fix bit shift out of bounds comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large comedi: Fix some signed shift left operations comedi: Fix use of uninitialized data in insn_rw_emulate_bits() comedi: Fix initialization of data for instructions that write to subdevice Ilya Leoshkevich (1): s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again Jakob Unterwurzacher (1): arm64: dts: rockchip: use cs-gpios for spi1 on ringneck Jakub Kicinski (1): tls: always refresh the queue when reading sock Jan Kara (1): isofs: Verify inode mode when loading from disk Jayesh Choudhary (1): i2c: omap: Add support for setting mux Jiawen Wu (3): net: libwx: remove duplicate page_pool_put_full_page() net: libwx: fix the using of Rx buffer DMA net: libwx: properly reset Rx ring descriptor Johan Hovold (1): i2c: omap: fix deprecated of_property_read_bool() use Johannes Berg (1): wifi: cfg80211: remove scan request n_channels counted_by Joseph Huang (1): net: bridge: Do not offload IGMP/MLD messages Judith Mendez (1): mmc: sdhci_am654: Workaround for Errata i2312 Krishna Kurapati (1): usb: dwc3: qcom: Don't leave BCR asserted Kuniyuki Iwashima (2): rpl: Fix use-after-free in rpl_do_srh_inline(). Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() Li Tian (1): hv_netvsc: Set VF priv_flags to IFF_NO_ADDRCONF before open to prevent IPv6 addrconf Luiz Augusto von Dentz (3): Bluetooth: SMP: If an unallowed command is received consider it a failure Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU Manuel Andreas (1): KVM: x86/xen: Fix cleanup logic in emulation of Xen schedop poll hypercalls Maor Gottlieb (1): net/mlx5: Update the list of the PCI supported devices Mario Limonciello (1): thunderbolt: Fix wake on connect at runtime Marius Zachmann (1): hwmon: (corsair-cpro) Validate the size of the received input buffer Mark Brown (1): arm64: Filter out SME hwcaps when FEAT_SME isn't implemented Martin Blumenstingl (2): regulator: pwm-regulator: Calculate the output voltage for disabled PWMs regulator: pwm-regulator: Manage boot-on with disabled PWM channels Mathias Nyman (4): usb: hub: fix detection of high tier USB3 devices behind suspended hubs usb: hub: Fix flushing and scheduling of delayed work that tunes runtime pm usb: hub: Fix flushing of delayed work used for post resume purposes usb: hub: Don't try to recover devices lost during warm reset. Maulik Shah (1): pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov Michael C. Pratt (1): nvmem: layouts: u-boot-env: remove crc32 endianness conversion Ming Lei (1): block: fix kobject leak in blk_unregister_queue Nathan Chancellor (3): tracing/probes: Avoid using params uninitialized in parse_btf_arg() phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept() memstick: core: Zero initialize id_reg in h_memstick_read_dev_id() Nilton Perim Neto (1): Input: xpad - set correct controller type for Acer NGR200 Oliver Neukum (1): usb: net: sierra: check for no status endpoint Paolo Abeni (1): selftests: net: increase inter-packet timeout in udpgro.sh Paul Chaignon (1): bpf: Reject %p% format string in bprintf-like helpers Pavel Begunkov (1): io_uring/poll: fix POLLERR handling Ryan Mann (NDI) (1): USB: serial: ftdi_sio: add support for NDI EMGUIDE GEMINI Sean Anderson (1): net: phy: Don't register LEDs for genphy Sean Nyekjaer (1): iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush Sheng Yong (1): dm-bufio: fix sched in atomic context Shung-Hsi Yu (2): Revert "selftests/bpf: adjust dummy_st_ops_success to detect additional error" Revert "selftests/bpf: dummy_st_ops should reject 0 for non-nullable params" Slark Xiao (1): USB: serial: option: add Foxconn T99W640 Steffen Bätz (1): nvmem: imx-ocotp: fix MAC address byte length Steven Rostedt (1): tracing: Add down_write(trace_event_sem) when adding trace event Takashi Iwai (1): ALSA: hda/realtek: Add quirk for ASUS ROG Strix G712LWS Thomas Fourier (2): pch_uart: Fix dma_sync_sg_for_device() nents value mmc: bcm2835: Fix dma_unmap_sg() nents value Tim Harvey (1): arm64: dts: imx8mp-venice-gw74xx: fix TPM SPI frequency Tomas Glozar (1): tracing/osnoise: Fix crash in timerlat_dump_stack() Vijendar Mukunda (2): soundwire: amd: fix for handling slave alerts after link is down soundwire: amd: fix for clearing command status register Wang Zhaolong (2): smb: client: fix use-after-free in crypt_message when using async crypto smb: client: fix use-after-free in cifs_oplock_break Wayne Chang (2): phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode phy: tegra: xusb: Decouple CYA_TRK_CODE_UPDATE_ON_IDLE from trk_hw_mode William Liu (1): net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree Xiang Mei (1): net/sched: sch_qfq: Fix race condition on qfq_aggregate Xinyu Liu (1): usb: gadget: configfs: Fix OOB read on empty string write Yu Kuai (1): nvme: fix misaccounting of nvme-mpath inflight I/O Yue Haibing (1): ipv6: mcast: Delay put pmc->idev in mld_del_delrec() Yun Lu (2): af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd() af_packet: fix soft lockup issue caused by tpacket_snd() Zheng Qixing (1): nvme: fix inconsistent RCU list manipulation in nvme_ns_add_to_ctrl_list() Zijun Hu (1): Bluetooth: btusb: QCA: Fix downloading wrong NVM for WCN6855 GF variant without board ID Zizhi Wo (1): cachefiles: Fix the incorrect return value in __cachefiles_write()

1 month, 3 weeks

1
1
0 0

Linux 6.1.147

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.147 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 1 drivers/base/power/domain_governor.c | 18 + drivers/bluetooth/btusb.c | 78 ++++---- drivers/comedi/comedi_fops.c | 30 ++- drivers/comedi/drivers.c | 17 + drivers/comedi/drivers/aio_iiro_16.c | 3 drivers/comedi/drivers/das16m1.c | 3 drivers/comedi/drivers/das6402.c | 3 drivers/comedi/drivers/pcl812.c | 3 drivers/dma/nbpfaxi.c | 11 - drivers/hid/hid-core.c | 19 +- drivers/hid/hid-mcp2221.c | 2 drivers/hwmon/corsair-cpro.c | 5 drivers/i2c/busses/i2c-stm32.c | 8 drivers/i2c/busses/i2c-stm32f7.c | 4 drivers/iio/accel/fxls8962af-core.c | 2 drivers/iio/adc/max1363.c | 43 ++-- drivers/iio/adc/stm32-adc-core.c | 7 drivers/input/joystick/xpad.c | 2 drivers/memstick/core/memstick.c | 2 drivers/mmc/host/bcm2835.c | 3 drivers/mmc/host/sdhci-pci-core.c | 3 drivers/mmc/host/sdhci_am654.c | 9 drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 12 - drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 drivers/net/ethernet/xilinx/xilinx_emaclite.c | 2 drivers/net/usb/sierra_net.c | 4 drivers/nvme/host/core.c | 4 drivers/nvmem/u-boot-env.c | 2 drivers/phy/tegra/xusb-tegra186.c | 59 +++--- drivers/soc/aspeed/aspeed-lpc-snoop.c | 13 + drivers/thunderbolt/switch.c | 2 drivers/tty/serial/pch_uart.c | 2 drivers/usb/core/hub.c | 36 +++ drivers/usb/core/hub.h | 1 drivers/usb/dwc3/dwc3-qcom.c | 7 drivers/usb/gadget/configfs.c | 2 drivers/usb/musb/musb_core.c | 62 +++--- drivers/usb/musb/musb_core.h | 11 + drivers/usb/musb/musb_debugfs.c | 6 drivers/usb/musb/musb_gadget.c | 30 +-- drivers/usb/musb/musb_host.c | 6 drivers/usb/musb/musb_virthub.c | 18 - drivers/usb/serial/ftdi_sio.c | 2 drivers/usb/serial/ftdi_sio_ids.h | 3 drivers/usb/serial/option.c | 5 fs/cachefiles/io.c | 2 fs/cachefiles/ondemand.c | 4 fs/isofs/inode.c | 9 fs/namespace.c | 5 fs/smb/client/file.c | 10 - fs/smb/client/smb2ops.c | 7 include/net/netfilter/nf_conntrack.h | 15 + io_uring/net.c | 12 - io_uring/poll.c | 2 kernel/bpf/helpers.c | 11 - kernel/cgroup/legacy_freezer.c | 8 kernel/sched/loadavg.c | 2 kernel/sched/sched.h | 2 kernel/trace/trace_events.c | 5 mm/vmalloc.c | 22 +- net/8021q/vlan.c | 42 +++- net/8021q/vlan.h | 1 net/bluetooth/hci_event.c | 36 --- net/bluetooth/hci_sync.c | 217 ++++++++++++++--------- net/bluetooth/l2cap_core.c | 26 ++ net/bluetooth/l2cap_sock.c | 3 net/bluetooth/smp.c | 21 ++ net/bluetooth/smp.h | 1 net/bridge/br_switchdev.c | 3 net/ipv6/mcast.c | 2 net/ipv6/rpl_iptunnel.c | 8 net/netfilter/nf_conntrack_core.c | 26 ++ net/packet/af_packet.c | 27 +- net/phonet/pep.c | 2 net/sched/sch_htb.c | 4 net/sched/sch_qfq.c | 30 ++- net/tls/tls_strp.c | 3 sound/soc/fsl/fsl_sai.c | 14 - tools/testing/selftests/net/udpgro.sh | 8 81 files changed, 741 insertions(+), 417 deletions(-) Al Viro (1): clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns Alessandro Gasbarroni (1): Bluetooth: hci_sync: fix connectable extended advertising when using static random address Alexander Gordeev (1): mm/vmalloc: leave lazy MMU mode on PTE mapping error Alok Tiwari (2): thunderbolt: Fix bit masking in tb_dp_port_set_hops() net: emaclite: Fix missing pointer increment in aligned_read() Andrew Jeffery (2): soc: aspeed: lpc-snoop: Cleanup resources in stack-order soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled Arun Raghavan (1): ASoC: fsl_sai: Force a software reset when starting in consumer mode Aruna Ramakrishna (1): sched: Change nr_uninterruptible type to unsigned long Benjamin Tissoires (3): HID: core: ensure the allocated report buffer can contain the reserved report ID HID: core: ensure __hid_request reserves the report ID as the first byte HID: core: do not bypass hid_hw_raw_request Chen Ni (1): iio: adc: stm32-adc: Fix race in installing chained IRQ handler Chen Ridong (1): Revert "cgroup_freezer: cgroup_freezing: Check if not frozen" Christian Eggers (1): Bluetooth: HCI: Set extended advertising data synchronously Christoph Paasch (1): net/mlx5: Correctly set gso_size when LRO is used Clément Le Goffic (1): i2c: stm32: fix the device used for the DMA map Dan Carpenter (1): dmaengine: nbpfaxi: Fix memory corruption in probe() Dong Chenchen (1): net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime Drew Hamilton (1): usb: musb: fix gadget state on disconnect Edson Juliano Drosdeck (1): mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models Fabio Estevam (2): iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[] iio: adc: max1363: Reorder mode_list[] entries Fabio Porcedda (1): USB: serial: option: add Telit Cinterion FE910C04 (ECM) composition Florian Westphal (1): netfilter: nf_conntrack: fix crash due to removal of uninitialised entry Francesco Dolcini (1): arm64: dts: freescale: imx8mm-verdin: Keep LDO5 always on Greg Kroah-Hartman (1): Linux 6.1.147 Hamish Martin (1): HID: mcp2221: Set driver data before I2C adapter add Ian Abbott (8): comedi: pcl812: Fix bit shift out of bounds comedi: aio_iiro_16: Fix bit shift out of bounds comedi: das16m1: Fix bit shift out of bounds comedi: das6402: Fix bit shift out of bounds comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large comedi: Fix some signed shift left operations comedi: Fix use of uninitialized data in insn_rw_emulate_bits() comedi: Fix initialization of data for instructions that write to subdevice Jakub Kicinski (1): tls: always refresh the queue when reading sock Jan Kara (1): isofs: Verify inode mode when loading from disk Joseph Huang (1): net: bridge: Do not offload IGMP/MLD messages Judith Mendez (1): mmc: sdhci_am654: Workaround for Errata i2312 Krishna Kurapati (1): usb: dwc3: qcom: Don't leave BCR asserted Kuniyuki Iwashima (2): rpl: Fix use-after-free in rpl_do_srh_inline(). Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() Luiz Augusto von Dentz (3): Bluetooth: SMP: If an unallowed command is received consider it a failure Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU Maor Gottlieb (1): net/mlx5: Update the list of the PCI supported devices Marius Zachmann (1): hwmon: (corsair-cpro) Validate the size of the received input buffer Mathias Nyman (4): usb: hub: fix detection of high tier USB3 devices behind suspended hubs usb: hub: Fix flushing and scheduling of delayed work that tunes runtime pm usb: hub: Fix flushing of delayed work used for post resume purposes usb: hub: Don't try to recover devices lost during warm reset. Maulik Shah (1): pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov Michael C. Pratt (1): nvmem: layouts: u-boot-env: remove crc32 endianness conversion Nathan Chancellor (2): phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept() memstick: core: Zero initialize id_reg in h_memstick_read_dev_id() Nilton Perim Neto (1): Input: xpad - set correct controller type for Acer NGR200 Oliver Neukum (1): usb: net: sierra: check for no status endpoint Paolo Abeni (1): selftests: net: increase inter-packet timeout in udpgro.sh Paul Cercueil (1): usb: musb: Add and use inline functions musb_{get,set}_state Paul Chaignon (1): bpf: Reject %p% format string in bprintf-like helpers Pavel Begunkov (1): io_uring/poll: fix POLLERR handling Ryan Mann (NDI) (1): USB: serial: ftdi_sio: add support for NDI EMGUIDE GEMINI Sean Nyekjaer (1): iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush Slark Xiao (1): USB: serial: option: add Foxconn T99W640 Steven Rostedt (1): tracing: Add down_write(trace_event_sem) when adding trace event Thomas Fourier (2): pch_uart: Fix dma_sync_sg_for_device() nents value mmc: bcm2835: Fix dma_unmap_sg() nents value Wang Zhaolong (2): smb: client: fix use-after-free in crypt_message when using async crypto smb: client: fix use-after-free in cifs_oplock_break Wayne Chang (1): phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode William Liu (1): net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree Xiang Mei (1): net/sched: sch_qfq: Fix race condition on qfq_aggregate Xinyu Liu (1): usb: gadget: configfs: Fix OOB read on empty string write Yu Kuai (1): nvme: fix misaccounting of nvme-mpath inflight I/O Yue Haibing (1): ipv6: mcast: Delay put pmc->idev in mld_del_delrec() Yun Lu (2): af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd() af_packet: fix soft lockup issue caused by tpacket_snd() Zijun Hu (1): Bluetooth: btusb: QCA: Fix downloading wrong NVM for WCN6855 GF variant without board ID Zizhi Wo (1): cachefiles: Fix the incorrect return value in __cachefiles_write()

1 month, 3 weeks

1
1
0 0

[PATCH v2] HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()

by Qasim Ijaz

A malicious HID device can trigger a slab out-of-bounds during mt_report_fixup() by passing in report descriptor smaller than 607 bytes. mt_report_fixup() attempts to patch byte offset 607 of the descriptor with 0x25 by first checking if byte offset 607 is 0x15 however it lacks bounds checks to verify if the descriptor is big enough before conducting this check. Fix this bug by ensuring the descriptor size is at least 608 bytes before accessing it. Below is the KASAN splat after the out of bounds access happens: [ 13.671954] ================================================================== [ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110 [ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10 [ 13.673297] [ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3 [ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04 [ 13.673297] Call Trace: [ 13.673297] <TASK> [ 13.673297] dump_stack_lvl+0x5f/0x80 [ 13.673297] print_report+0xd1/0x660 [ 13.673297] kasan_report+0xe5/0x120 [ 13.673297] __asan_report_load1_noabort+0x18/0x20 [ 13.673297] mt_report_fixup+0x103/0x110 [ 13.673297] hid_open_report+0x1ef/0x810 [ 13.673297] mt_probe+0x422/0x960 [ 13.673297] hid_device_probe+0x2e2/0x6f0 [ 13.673297] really_probe+0x1c6/0x6b0 [ 13.673297] __driver_probe_device+0x24f/0x310 [ 13.673297] driver_probe_device+0x4e/0x220 [ 13.673297] __device_attach_driver+0x169/0x320 [ 13.673297] bus_for_each_drv+0x11d/0x1b0 [ 13.673297] __device_attach+0x1b8/0x3e0 [ 13.673297] device_initial_probe+0x12/0x20 [ 13.673297] bus_probe_device+0x13d/0x180 [ 13.673297] device_add+0xe3a/0x1670 [ 13.673297] hid_add_device+0x31d/0xa40 [...] Fixes: c8000deb6836 ("HID: multitouch: Add support for GT7868Q") Cc: stable(a)vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> --- v2: - Simplify fix with a if-size check after discussion with Jiri Slaby - Change explanation of bug to reflect inclusion of a if-size check drivers/hid/hid-multitouch.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c index 294516a8f541..22c6314a8843 100644 --- a/drivers/hid/hid-multitouch.c +++ b/drivers/hid/hid-multitouch.c @@ -1503,6 +1503,14 @@ static const __u8 *mt_report_fixup(struct hid_device *hdev, __u8 *rdesc, if (hdev->vendor == I2C_VENDOR_ID_GOODIX && (hdev->product == I2C_DEVICE_ID_GOODIX_01E8 || hdev->product == I2C_DEVICE_ID_GOODIX_01E9)) { + if (*size < 608) { + dev_info( + &hdev->dev, + "GT7868Q fixup: report descriptor is only %u bytes, skipping\n", + *size); + return rdesc; + } + if (rdesc[607] == 0x15) { rdesc[607] = 0x25; dev_info( -- 2.39.5

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x f4a8f561d08e39f7833d4a278ebfb12a41eef15f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025062007-outrage-unaudited-e2a9@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f4a8f561d08e39f7833d4a278ebfb12a41eef15f Mon Sep 17 00:00:00 2001 From: Fabrice Gasnier <fabrice.gasnier(a)foss.st.com> Date: Fri, 30 May 2025 15:36:43 -0700 Subject: [PATCH] Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT When enabling PREEMPT_RT, the gpio_keys_irq_timer() callback runs in hard irq context, but the input_event() takes a spin_lock, which isn't allowed there as it is converted to a rt_spin_lock(). [ 4054.289999] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 [ 4054.290028] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/0 ... [ 4054.290195] __might_resched+0x13c/0x1f4 [ 4054.290209] rt_spin_lock+0x54/0x11c [ 4054.290219] input_event+0x48/0x80 [ 4054.290230] gpio_keys_irq_timer+0x4c/0x78 [ 4054.290243] __hrtimer_run_queues+0x1a4/0x438 [ 4054.290257] hrtimer_interrupt+0xe4/0x240 [ 4054.290269] arch_timer_handler_phys+0x2c/0x44 [ 4054.290283] handle_percpu_devid_irq+0x8c/0x14c [ 4054.290297] handle_irq_desc+0x40/0x58 [ 4054.290307] generic_handle_domain_irq+0x1c/0x28 [ 4054.290316] gic_handle_irq+0x44/0xcc Considering the gpio_keys_irq_isr() can run in any context, e.g. it can be threaded, it seems there's no point in requesting the timer isr to run in hard irq context. Relax the hrtimer not to use the hard context. Fixes: 019002f20cb5 ("Input: gpio-keys - use hrtimer for release timer") Suggested-by: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Signed-off-by: Fabrice Gasnier <fabrice.gasnier(a)foss.st.com> Signed-off-by: Gatien Chevallier <gatien.chevallier(a)foss.st.com> Link: https://lore.kernel.org/r/20250528-gpio_keys_preempt_rt-v2-1-3fc55a9c3619@f… Cc: stable(a)vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> diff --git a/drivers/input/keyboard/gpio_keys.c b/drivers/input/keyboard/gpio_keys.c index 5c39a217b94c..d884538107c9 100644 --- a/drivers/input/keyboard/gpio_keys.c +++ b/drivers/input/keyboard/gpio_keys.c @@ -486,7 +486,7 @@ static irqreturn_t gpio_keys_irq_isr(int irq, void *dev_id) if (bdata->release_delay) hrtimer_start(&bdata->release_timer, ms_to_ktime(bdata->release_delay), - HRTIMER_MODE_REL_HARD); + HRTIMER_MODE_REL); out: return IRQ_HANDLED; } @@ -628,7 +628,7 @@ static int gpio_keys_setup_key(struct platform_device *pdev, bdata->release_delay = button->debounce_interval; hrtimer_setup(&bdata->release_timer, gpio_keys_irq_timer, - CLOCK_REALTIME, HRTIMER_MODE_REL_HARD); + CLOCK_REALTIME, HRTIMER_MODE_REL); isr = gpio_keys_irq_isr; irqflags = 0;

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x f4a8f561d08e39f7833d4a278ebfb12a41eef15f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025062006-onshore-stool-de98@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f4a8f561d08e39f7833d4a278ebfb12a41eef15f Mon Sep 17 00:00:00 2001 From: Fabrice Gasnier <fabrice.gasnier(a)foss.st.com> Date: Fri, 30 May 2025 15:36:43 -0700 Subject: [PATCH] Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT When enabling PREEMPT_RT, the gpio_keys_irq_timer() callback runs in hard irq context, but the input_event() takes a spin_lock, which isn't allowed there as it is converted to a rt_spin_lock(). [ 4054.289999] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 [ 4054.290028] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/0 ... [ 4054.290195] __might_resched+0x13c/0x1f4 [ 4054.290209] rt_spin_lock+0x54/0x11c [ 4054.290219] input_event+0x48/0x80 [ 4054.290230] gpio_keys_irq_timer+0x4c/0x78 [ 4054.290243] __hrtimer_run_queues+0x1a4/0x438 [ 4054.290257] hrtimer_interrupt+0xe4/0x240 [ 4054.290269] arch_timer_handler_phys+0x2c/0x44 [ 4054.290283] handle_percpu_devid_irq+0x8c/0x14c [ 4054.290297] handle_irq_desc+0x40/0x58 [ 4054.290307] generic_handle_domain_irq+0x1c/0x28 [ 4054.290316] gic_handle_irq+0x44/0xcc Considering the gpio_keys_irq_isr() can run in any context, e.g. it can be threaded, it seems there's no point in requesting the timer isr to run in hard irq context. Relax the hrtimer not to use the hard context. Fixes: 019002f20cb5 ("Input: gpio-keys - use hrtimer for release timer") Suggested-by: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Signed-off-by: Fabrice Gasnier <fabrice.gasnier(a)foss.st.com> Signed-off-by: Gatien Chevallier <gatien.chevallier(a)foss.st.com> Link: https://lore.kernel.org/r/20250528-gpio_keys_preempt_rt-v2-1-3fc55a9c3619@f… Cc: stable(a)vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> diff --git a/drivers/input/keyboard/gpio_keys.c b/drivers/input/keyboard/gpio_keys.c index 5c39a217b94c..d884538107c9 100644 --- a/drivers/input/keyboard/gpio_keys.c +++ b/drivers/input/keyboard/gpio_keys.c @@ -486,7 +486,7 @@ static irqreturn_t gpio_keys_irq_isr(int irq, void *dev_id) if (bdata->release_delay) hrtimer_start(&bdata->release_timer, ms_to_ktime(bdata->release_delay), - HRTIMER_MODE_REL_HARD); + HRTIMER_MODE_REL); out: return IRQ_HANDLED; } @@ -628,7 +628,7 @@ static int gpio_keys_setup_key(struct platform_device *pdev, bdata->release_delay = button->debounce_interval; hrtimer_setup(&bdata->release_timer, gpio_keys_irq_timer, - CLOCK_REALTIME, HRTIMER_MODE_REL_HARD); + CLOCK_REALTIME, HRTIMER_MODE_REL); isr = gpio_keys_irq_isr; irqflags = 0;

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x f4a8f561d08e39f7833d4a278ebfb12a41eef15f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025062008-carrousel-lazily-2f19@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f4a8f561d08e39f7833d4a278ebfb12a41eef15f Mon Sep 17 00:00:00 2001 From: Fabrice Gasnier <fabrice.gasnier(a)foss.st.com> Date: Fri, 30 May 2025 15:36:43 -0700 Subject: [PATCH] Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT When enabling PREEMPT_RT, the gpio_keys_irq_timer() callback runs in hard irq context, but the input_event() takes a spin_lock, which isn't allowed there as it is converted to a rt_spin_lock(). [ 4054.289999] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 [ 4054.290028] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/0 ... [ 4054.290195] __might_resched+0x13c/0x1f4 [ 4054.290209] rt_spin_lock+0x54/0x11c [ 4054.290219] input_event+0x48/0x80 [ 4054.290230] gpio_keys_irq_timer+0x4c/0x78 [ 4054.290243] __hrtimer_run_queues+0x1a4/0x438 [ 4054.290257] hrtimer_interrupt+0xe4/0x240 [ 4054.290269] arch_timer_handler_phys+0x2c/0x44 [ 4054.290283] handle_percpu_devid_irq+0x8c/0x14c [ 4054.290297] handle_irq_desc+0x40/0x58 [ 4054.290307] generic_handle_domain_irq+0x1c/0x28 [ 4054.290316] gic_handle_irq+0x44/0xcc Considering the gpio_keys_irq_isr() can run in any context, e.g. it can be threaded, it seems there's no point in requesting the timer isr to run in hard irq context. Relax the hrtimer not to use the hard context. Fixes: 019002f20cb5 ("Input: gpio-keys - use hrtimer for release timer") Suggested-by: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Signed-off-by: Fabrice Gasnier <fabrice.gasnier(a)foss.st.com> Signed-off-by: Gatien Chevallier <gatien.chevallier(a)foss.st.com> Link: https://lore.kernel.org/r/20250528-gpio_keys_preempt_rt-v2-1-3fc55a9c3619@f… Cc: stable(a)vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> diff --git a/drivers/input/keyboard/gpio_keys.c b/drivers/input/keyboard/gpio_keys.c index 5c39a217b94c..d884538107c9 100644 --- a/drivers/input/keyboard/gpio_keys.c +++ b/drivers/input/keyboard/gpio_keys.c @@ -486,7 +486,7 @@ static irqreturn_t gpio_keys_irq_isr(int irq, void *dev_id) if (bdata->release_delay) hrtimer_start(&bdata->release_timer, ms_to_ktime(bdata->release_delay), - HRTIMER_MODE_REL_HARD); + HRTIMER_MODE_REL); out: return IRQ_HANDLED; } @@ -628,7 +628,7 @@ static int gpio_keys_setup_key(struct platform_device *pdev, bdata->release_delay = button->debounce_interval; hrtimer_setup(&bdata->release_timer, gpio_keys_irq_timer, - CLOCK_REALTIME, HRTIMER_MODE_REL_HARD); + CLOCK_REALTIME, HRTIMER_MODE_REL); isr = gpio_keys_irq_isr; irqflags = 0;

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] perf/x86/intel: Fix crash in icl_update_topdown_event()" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x b0823d5fbacb1c551d793cbfe7af24e0d1fa45ed # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025062338-sliver-bacteria-7a82@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b0823d5fbacb1c551d793cbfe7af24e0d1fa45ed Mon Sep 17 00:00:00 2001 From: Kan Liang <kan.liang(a)linux.intel.com> Date: Thu, 12 Jun 2025 07:38:18 -0700 Subject: [PATCH] perf/x86/intel: Fix crash in icl_update_topdown_event() The perf_fuzzer found a hard-lockup crash on a RaptorLake machine: Oops: general protection fault, maybe for address 0xffff89aeceab400: 0000 CPU: 23 UID: 0 PID: 0 Comm: swapper/23 Tainted: [W]=WARN Hardware name: Dell Inc. Precision 9660/0VJ762 RIP: 0010:native_read_pmc+0x7/0x40 Code: cc e8 8d a9 01 00 48 89 03 5b cd cc cc cc cc 0f 1f ... RSP: 000:fffb03100273de8 EFLAGS: 00010046 .... Call Trace: <TASK> icl_update_topdown_event+0x165/0x190 ? ktime_get+0x38/0xd0 intel_pmu_read_event+0xf9/0x210 __perf_event_read+0xf9/0x210 CPUs 16-23 are E-core CPUs that don't support the perf metrics feature. The icl_update_topdown_event() should not be invoked on these CPUs. It's a regression of commit: f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read") The bug introduced by that commit is that the is_topdown_event() function is mistakenly used to replace the is_topdown_count() call to check if the topdown functions for the perf metrics feature should be invoked. Fix it. Fixes: f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read") Closes: https://lore.kernel.org/lkml/352f0709-f026-cd45-e60c-60dfd97f73f3@maine.edu/ Reported-by: Vince Weaver <vincent.weaver(a)maine.edu> Signed-off-by: Kan Liang <kan.liang(a)linux.intel.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Tested-by: Vince Weaver <vincent.weaver(a)maine.edu> Cc: stable(a)vger.kernel.org # v6.15+ Link: https://lore.kernel.org/r/20250612143818.2889040-1-kan.liang@linux.intel.com diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c index 741b229f0718..c2fb729c270e 100644 --- a/arch/x86/events/intel/core.c +++ b/arch/x86/events/intel/core.c @@ -2826,7 +2826,7 @@ static void intel_pmu_read_event(struct perf_event *event) * If the PEBS counters snapshotting is enabled, * the topdown event is available in PEBS records. */ - if (is_topdown_event(event) && !is_pebs_counter_event_group(event)) + if (is_topdown_count(event) && !is_pebs_counter_event_group(event)) static_call(intel_pmu_update_topdown_event)(event, NULL); else intel_pmu_drain_pebs_buffer();

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] perf/x86/intel: Fix crash in icl_update_topdown_event()" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x b0823d5fbacb1c551d793cbfe7af24e0d1fa45ed # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025062337-conceal-parole-52a4@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b0823d5fbacb1c551d793cbfe7af24e0d1fa45ed Mon Sep 17 00:00:00 2001 From: Kan Liang <kan.liang(a)linux.intel.com> Date: Thu, 12 Jun 2025 07:38:18 -0700 Subject: [PATCH] perf/x86/intel: Fix crash in icl_update_topdown_event() The perf_fuzzer found a hard-lockup crash on a RaptorLake machine: Oops: general protection fault, maybe for address 0xffff89aeceab400: 0000 CPU: 23 UID: 0 PID: 0 Comm: swapper/23 Tainted: [W]=WARN Hardware name: Dell Inc. Precision 9660/0VJ762 RIP: 0010:native_read_pmc+0x7/0x40 Code: cc e8 8d a9 01 00 48 89 03 5b cd cc cc cc cc 0f 1f ... RSP: 000:fffb03100273de8 EFLAGS: 00010046 .... Call Trace: <TASK> icl_update_topdown_event+0x165/0x190 ? ktime_get+0x38/0xd0 intel_pmu_read_event+0xf9/0x210 __perf_event_read+0xf9/0x210 CPUs 16-23 are E-core CPUs that don't support the perf metrics feature. The icl_update_topdown_event() should not be invoked on these CPUs. It's a regression of commit: f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read") The bug introduced by that commit is that the is_topdown_event() function is mistakenly used to replace the is_topdown_count() call to check if the topdown functions for the perf metrics feature should be invoked. Fix it. Fixes: f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read") Closes: https://lore.kernel.org/lkml/352f0709-f026-cd45-e60c-60dfd97f73f3@maine.edu/ Reported-by: Vince Weaver <vincent.weaver(a)maine.edu> Signed-off-by: Kan Liang <kan.liang(a)linux.intel.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Tested-by: Vince Weaver <vincent.weaver(a)maine.edu> Cc: stable(a)vger.kernel.org # v6.15+ Link: https://lore.kernel.org/r/20250612143818.2889040-1-kan.liang@linux.intel.com diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c index 741b229f0718..c2fb729c270e 100644 --- a/arch/x86/events/intel/core.c +++ b/arch/x86/events/intel/core.c @@ -2826,7 +2826,7 @@ static void intel_pmu_read_event(struct perf_event *event) * If the PEBS counters snapshotting is enabled, * the topdown event is available in PEBS records. */ - if (is_topdown_event(event) && !is_pebs_counter_event_group(event)) + if (is_topdown_count(event) && !is_pebs_counter_event_group(event)) static_call(intel_pmu_update_topdown_event)(event, NULL); else intel_pmu_drain_pebs_buffer();

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x f4a8f561d08e39f7833d4a278ebfb12a41eef15f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025062006-pristine-unfitted-7204@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f4a8f561d08e39f7833d4a278ebfb12a41eef15f Mon Sep 17 00:00:00 2001 From: Fabrice Gasnier <fabrice.gasnier(a)foss.st.com> Date: Fri, 30 May 2025 15:36:43 -0700 Subject: [PATCH] Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT When enabling PREEMPT_RT, the gpio_keys_irq_timer() callback runs in hard irq context, but the input_event() takes a spin_lock, which isn't allowed there as it is converted to a rt_spin_lock(). [ 4054.289999] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 [ 4054.290028] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/0 ... [ 4054.290195] __might_resched+0x13c/0x1f4 [ 4054.290209] rt_spin_lock+0x54/0x11c [ 4054.290219] input_event+0x48/0x80 [ 4054.290230] gpio_keys_irq_timer+0x4c/0x78 [ 4054.290243] __hrtimer_run_queues+0x1a4/0x438 [ 4054.290257] hrtimer_interrupt+0xe4/0x240 [ 4054.290269] arch_timer_handler_phys+0x2c/0x44 [ 4054.290283] handle_percpu_devid_irq+0x8c/0x14c [ 4054.290297] handle_irq_desc+0x40/0x58 [ 4054.290307] generic_handle_domain_irq+0x1c/0x28 [ 4054.290316] gic_handle_irq+0x44/0xcc Considering the gpio_keys_irq_isr() can run in any context, e.g. it can be threaded, it seems there's no point in requesting the timer isr to run in hard irq context. Relax the hrtimer not to use the hard context. Fixes: 019002f20cb5 ("Input: gpio-keys - use hrtimer for release timer") Suggested-by: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Signed-off-by: Fabrice Gasnier <fabrice.gasnier(a)foss.st.com> Signed-off-by: Gatien Chevallier <gatien.chevallier(a)foss.st.com> Link: https://lore.kernel.org/r/20250528-gpio_keys_preempt_rt-v2-1-3fc55a9c3619@f… Cc: stable(a)vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> diff --git a/drivers/input/keyboard/gpio_keys.c b/drivers/input/keyboard/gpio_keys.c index 5c39a217b94c..d884538107c9 100644 --- a/drivers/input/keyboard/gpio_keys.c +++ b/drivers/input/keyboard/gpio_keys.c @@ -486,7 +486,7 @@ static irqreturn_t gpio_keys_irq_isr(int irq, void *dev_id) if (bdata->release_delay) hrtimer_start(&bdata->release_timer, ms_to_ktime(bdata->release_delay), - HRTIMER_MODE_REL_HARD); + HRTIMER_MODE_REL); out: return IRQ_HANDLED; } @@ -628,7 +628,7 @@ static int gpio_keys_setup_key(struct platform_device *pdev, bdata->release_delay = button->debounce_interval; hrtimer_setup(&bdata->release_timer, gpio_keys_irq_timer, - CLOCK_REALTIME, HRTIMER_MODE_REL_HARD); + CLOCK_REALTIME, HRTIMER_MODE_REL); isr = gpio_keys_irq_isr; irqflags = 0;

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] x86/hyperv: Fix APIC ID and VP index confusion in" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 86c48271e0d60c82665e9fd61277002391efcef7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025061756-shale-squiggly-9c9a@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 86c48271e0d60c82665e9fd61277002391efcef7 Mon Sep 17 00:00:00 2001 From: Roman Kisel <romank(a)linux.microsoft.com> Date: Wed, 7 May 2025 11:22:25 -0700 Subject: [PATCH] x86/hyperv: Fix APIC ID and VP index confusion in hv_snp_boot_ap() To start an application processor in SNP-isolated guest, a hypercall is used that takes a virtual processor index. The hv_snp_boot_ap() function uses that START_VP hypercall but passes as VP index to it what it receives as a wakeup_secondary_cpu_64 callback: the APIC ID. As those two aren't generally interchangeable, that may lead to hung APs if the VP index and the APIC ID don't match up. Update the parameter names to avoid confusion as to what the parameter is. Use the APIC ID to the VP index conversion to provide the correct input to the hypercall. Cc: stable(a)vger.kernel.org Fixes: 44676bb9d566 ("x86/hyperv: Add smp support for SEV-SNP guest") Signed-off-by: Roman Kisel <romank(a)linux.microsoft.com> Reviewed-by: Michael Kelley <mhklinux(a)outlook.com> Link: https://lore.kernel.org/r/20250507182227.7421-2-romank@linux.microsoft.com Signed-off-by: Wei Liu <wei.liu(a)kernel.org> Message-ID: <20250507182227.7421-2-romank(a)linux.microsoft.com> diff --git a/arch/x86/hyperv/hv_init.c b/arch/x86/hyperv/hv_init.c index 3b569291dfed..9a8fc144e195 100644 --- a/arch/x86/hyperv/hv_init.c +++ b/arch/x86/hyperv/hv_init.c @@ -672,3 +672,36 @@ bool hv_is_hyperv_initialized(void) return hypercall_msr.enable; } EXPORT_SYMBOL_GPL(hv_is_hyperv_initialized); + +int hv_apicid_to_vp_index(u32 apic_id) +{ + u64 control; + u64 status; + unsigned long irq_flags; + struct hv_get_vp_from_apic_id_in *input; + u32 *output, ret; + + local_irq_save(irq_flags); + + input = *this_cpu_ptr(hyperv_pcpu_input_arg); + memset(input, 0, sizeof(*input)); + input->partition_id = HV_PARTITION_ID_SELF; + input->apic_ids[0] = apic_id; + + output = *this_cpu_ptr(hyperv_pcpu_output_arg); + + control = HV_HYPERCALL_REP_COMP_1 | HVCALL_GET_VP_INDEX_FROM_APIC_ID; + status = hv_do_hypercall(control, input, output); + ret = output[0]; + + local_irq_restore(irq_flags); + + if (!hv_result_success(status)) { + pr_err("failed to get vp index from apic id %d, status %#llx\n", + apic_id, status); + return -EINVAL; + } + + return ret; +} +EXPORT_SYMBOL_GPL(hv_apicid_to_vp_index); diff --git a/arch/x86/hyperv/hv_vtl.c b/arch/x86/hyperv/hv_vtl.c index ac3d27a766d5..2f32ac1ae40e 100644 --- a/arch/x86/hyperv/hv_vtl.c +++ b/arch/x86/hyperv/hv_vtl.c @@ -211,41 +211,9 @@ static int hv_vtl_bringup_vcpu(u32 target_vp_index, int cpu, u64 eip_ignored) return ret; } -static int hv_vtl_apicid_to_vp_id(u32 apic_id) -{ - u64 control; - u64 status; - unsigned long irq_flags; - struct hv_get_vp_from_apic_id_in *input; - u32 *output, ret; - - local_irq_save(irq_flags); - - input = *this_cpu_ptr(hyperv_pcpu_input_arg); - memset(input, 0, sizeof(*input)); - input->partition_id = HV_PARTITION_ID_SELF; - input->apic_ids[0] = apic_id; - - output = *this_cpu_ptr(hyperv_pcpu_output_arg); - - control = HV_HYPERCALL_REP_COMP_1 | HVCALL_GET_VP_ID_FROM_APIC_ID; - status = hv_do_hypercall(control, input, output); - ret = output[0]; - - local_irq_restore(irq_flags); - - if (!hv_result_success(status)) { - pr_err("failed to get vp id from apic id %d, status %#llx\n", - apic_id, status); - return -EINVAL; - } - - return ret; -} - static int hv_vtl_wakeup_secondary_cpu(u32 apicid, unsigned long start_eip) { - int vp_id, cpu; + int vp_index, cpu; /* Find the logical CPU for the APIC ID */ for_each_present_cpu(cpu) { @@ -256,18 +224,18 @@ static int hv_vtl_wakeup_secondary_cpu(u32 apicid, unsigned long start_eip) return -EINVAL; pr_debug("Bringing up CPU with APIC ID %d in VTL2...\n", apicid); - vp_id = hv_vtl_apicid_to_vp_id(apicid); + vp_index = hv_apicid_to_vp_index(apicid); - if (vp_id < 0) { + if (vp_index < 0) { pr_err("Couldn't find CPU with APIC ID %d\n", apicid); return -EINVAL; } - if (vp_id > ms_hyperv.max_vp_index) { - pr_err("Invalid CPU id %d for APIC ID %d\n", vp_id, apicid); + if (vp_index > ms_hyperv.max_vp_index) { + pr_err("Invalid CPU id %d for APIC ID %d\n", vp_index, apicid); return -EINVAL; } - return hv_vtl_bringup_vcpu(vp_id, cpu, start_eip); + return hv_vtl_bringup_vcpu(vp_index, cpu, start_eip); } int __init hv_vtl_early_init(void) diff --git a/arch/x86/hyperv/ivm.c b/arch/x86/hyperv/ivm.c index 77bf05f06b9e..0cc239cdb4da 100644 --- a/arch/x86/hyperv/ivm.c +++ b/arch/x86/hyperv/ivm.c @@ -9,6 +9,7 @@ #include <linux/bitfield.h> #include <linux/types.h> #include <linux/slab.h> +#include <linux/cpu.h> #include <asm/svm.h> #include <asm/sev.h> #include <asm/io.h> @@ -288,7 +289,7 @@ static void snp_cleanup_vmsa(struct sev_es_save_area *vmsa) free_page((unsigned long)vmsa); } -int hv_snp_boot_ap(u32 cpu, unsigned long start_ip) +int hv_snp_boot_ap(u32 apic_id, unsigned long start_ip) { struct sev_es_save_area *vmsa = (struct sev_es_save_area *) __get_free_page(GFP_KERNEL | __GFP_ZERO); @@ -297,10 +298,27 @@ int hv_snp_boot_ap(u32 cpu, unsigned long start_ip) u64 ret, retry = 5; struct hv_enable_vp_vtl *start_vp_input; unsigned long flags; + int cpu, vp_index; if (!vmsa) return -ENOMEM; + /* Find the Hyper-V VP index which might be not the same as APIC ID */ + vp_index = hv_apicid_to_vp_index(apic_id); + if (vp_index < 0 || vp_index > ms_hyperv.max_vp_index) + return -EINVAL; + + /* + * Find the Linux CPU number for addressing the per-CPU data, and it + * might not be the same as APIC ID. + */ + for_each_present_cpu(cpu) { + if (arch_match_cpu_phys_id(cpu, apic_id)) + break; + } + if (cpu >= nr_cpu_ids) + return -EINVAL; + native_store_gdt(&gdtr); vmsa->gdtr.base = gdtr.address; @@ -348,7 +366,7 @@ int hv_snp_boot_ap(u32 cpu, unsigned long start_ip) start_vp_input = (struct hv_enable_vp_vtl *)ap_start_input_arg; memset(start_vp_input, 0, sizeof(*start_vp_input)); start_vp_input->partition_id = -1; - start_vp_input->vp_index = cpu; + start_vp_input->vp_index = vp_index; start_vp_input->target_vtl.target_vtl = ms_hyperv.vtl; *(u64 *)&start_vp_input->vp_context = __pa(vmsa) | 1; diff --git a/arch/x86/include/asm/mshyperv.h b/arch/x86/include/asm/mshyperv.h index bab5ccfc60a7..0b9a3a307d06 100644 --- a/arch/x86/include/asm/mshyperv.h +++ b/arch/x86/include/asm/mshyperv.h @@ -268,11 +268,11 @@ int hv_unmap_ioapic_interrupt(int ioapic_id, struct hv_interrupt_entry *entry); #ifdef CONFIG_AMD_MEM_ENCRYPT bool hv_ghcb_negotiate_protocol(void); void __noreturn hv_ghcb_terminate(unsigned int set, unsigned int reason); -int hv_snp_boot_ap(u32 cpu, unsigned long start_ip); +int hv_snp_boot_ap(u32 apic_id, unsigned long start_ip); #else static inline bool hv_ghcb_negotiate_protocol(void) { return false; } static inline void hv_ghcb_terminate(unsigned int set, unsigned int reason) {} -static inline int hv_snp_boot_ap(u32 cpu, unsigned long start_ip) { return 0; } +static inline int hv_snp_boot_ap(u32 apic_id, unsigned long start_ip) { return 0; } #endif #if defined(CONFIG_AMD_MEM_ENCRYPT) || defined(CONFIG_INTEL_TDX_GUEST) @@ -306,6 +306,7 @@ static __always_inline u64 hv_raw_get_msr(unsigned int reg) { return __rdmsr(reg); } +int hv_apicid_to_vp_index(u32 apic_id); #else /* CONFIG_HYPERV */ static inline void hyperv_init(void) {} @@ -327,6 +328,7 @@ static inline void hv_set_msr(unsigned int reg, u64 value) { } static inline u64 hv_get_msr(unsigned int reg) { return 0; } static inline void hv_set_non_nested_msr(unsigned int reg, u64 value) { } static inline u64 hv_get_non_nested_msr(unsigned int reg) { return 0; } +static inline int hv_apicid_to_vp_index(u32 apic_id) { return -EINVAL; } #endif /* CONFIG_HYPERV */ diff --git a/include/hyperv/hvgdk_mini.h b/include/hyperv/hvgdk_mini.h index cf0923dc727d..2d431b53f587 100644 --- a/include/hyperv/hvgdk_mini.h +++ b/include/hyperv/hvgdk_mini.h @@ -475,7 +475,7 @@ union hv_vp_assist_msr_contents { /* HV_REGISTER_VP_ASSIST_PAGE */ #define HVCALL_CREATE_PORT 0x0095 #define HVCALL_CONNECT_PORT 0x0096 #define HVCALL_START_VP 0x0099 -#define HVCALL_GET_VP_ID_FROM_APIC_ID 0x009a +#define HVCALL_GET_VP_INDEX_FROM_APIC_ID 0x009a #define HVCALL_FLUSH_GUEST_PHYSICAL_ADDRESS_SPACE 0x00af #define HVCALL_FLUSH_GUEST_PHYSICAL_ADDRESS_LIST 0x00b0 #define HVCALL_SIGNAL_EVENT_DIRECT 0x00c0

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] ext4: fix incorrect punch max_end" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 29ec9bed2395061350249ae356fb300dd82a78e7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025062009-junior-thriving-f882@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 29ec9bed2395061350249ae356fb300dd82a78e7 Mon Sep 17 00:00:00 2001 From: Zhang Yi <yi.zhang(a)huawei.com> Date: Tue, 6 May 2025 09:20:07 +0800 Subject: [PATCH] ext4: fix incorrect punch max_end For the extents based inodes, the maxbytes should be sb->s_maxbytes instead of sbi->s_bitmap_maxbytes. Additionally, for the calculation of max_end, the -sb->s_blocksize operation is necessary only for indirect-block based inodes. Correct the maxbytes and max_end value to correct the behavior of punch hole. Fixes: 2da376228a24 ("ext4: limit length to bitmap_maxbytes - blocksize in punch_hole") Signed-off-by: Zhang Yi <yi.zhang(a)huawei.com> Reviewed-by: Jan Kara <jack(a)suse.cz> Reviewed-by: Baokun Li <libaokun1(a)huawei.com> Link: https://patch.msgid.link/20250506012009.3896990-2-yi.zhang@huaweicloud.com Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Cc: stable(a)kernel.org diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 99f30b9cfe17..01038b4ecee0 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -4051,7 +4051,7 @@ int ext4_punch_hole(struct file *file, loff_t offset, loff_t length) struct inode *inode = file_inode(file); struct super_block *sb = inode->i_sb; ext4_lblk_t start_lblk, end_lblk; - loff_t max_end = EXT4_SB(sb)->s_bitmap_maxbytes - sb->s_blocksize; + loff_t max_end = sb->s_maxbytes; loff_t end = offset + length; handle_t *handle; unsigned int credits; @@ -4060,14 +4060,20 @@ int ext4_punch_hole(struct file *file, loff_t offset, loff_t length) trace_ext4_punch_hole(inode, offset, length, 0); WARN_ON_ONCE(!inode_is_locked(inode)); + /* + * For indirect-block based inodes, make sure that the hole within + * one block before last range. + */ + if (!ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS)) + max_end = EXT4_SB(sb)->s_bitmap_maxbytes - sb->s_blocksize; + /* No need to punch hole beyond i_size */ if (offset >= inode->i_size || offset >= max_end) return 0; /* * If the hole extends beyond i_size, set the hole to end after - * the page that contains i_size, and also make sure that the hole - * within one block before last range. + * the page that contains i_size. */ if (end > inode->i_size) end = round_up(inode->i_size, PAGE_SIZE);

1 month, 3 weeks

2
11
0 0

FAILED: patch "[PATCH] crypto: powerpc/poly1305 - add depends on BROKEN for now" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x bc8169003b41e89fe7052e408cf9fdbecb4017fe # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025062040-daylight-scrubber-8837@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bc8169003b41e89fe7052e408cf9fdbecb4017fe Mon Sep 17 00:00:00 2001 From: Eric Biggers <ebiggers(a)google.com> Date: Tue, 20 May 2025 10:39:29 +0800 Subject: [PATCH] crypto: powerpc/poly1305 - add depends on BROKEN for now As discussed in the thread containing https://lore.kernel.org/linux-crypto/20250510053308.GB505731@sol/, the Power10-optimized Poly1305 code is currently not safe to call in softirq context. Disable it for now. It can be re-enabled once it is fixed. Fixes: ba8f8624fde2 ("crypto: poly1305-p10 - Glue code for optmized Poly1305 implementation for ppc64le") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)google.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/arch/powerpc/lib/crypto/Kconfig b/arch/powerpc/lib/crypto/Kconfig index ffa541ad6d5d..3f9e1bbd9905 100644 --- a/arch/powerpc/lib/crypto/Kconfig +++ b/arch/powerpc/lib/crypto/Kconfig @@ -10,6 +10,7 @@ config CRYPTO_CHACHA20_P10 config CRYPTO_POLY1305_P10 tristate depends on PPC64 && CPU_LITTLE_ENDIAN && VSX + depends on BROKEN # Needs to be fixed to work in softirq context default CRYPTO_LIB_POLY1305 select CRYPTO_ARCH_HAVE_LIB_POLY1305 select CRYPTO_LIB_POLY1305_GENERIC

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] crypto: powerpc/poly1305 - add depends on BROKEN for now" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x bc8169003b41e89fe7052e408cf9fdbecb4017fe # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025062040-renderer-tremor-6a52@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bc8169003b41e89fe7052e408cf9fdbecb4017fe Mon Sep 17 00:00:00 2001 From: Eric Biggers <ebiggers(a)google.com> Date: Tue, 20 May 2025 10:39:29 +0800 Subject: [PATCH] crypto: powerpc/poly1305 - add depends on BROKEN for now As discussed in the thread containing https://lore.kernel.org/linux-crypto/20250510053308.GB505731@sol/, the Power10-optimized Poly1305 code is currently not safe to call in softirq context. Disable it for now. It can be re-enabled once it is fixed. Fixes: ba8f8624fde2 ("crypto: poly1305-p10 - Glue code for optmized Poly1305 implementation for ppc64le") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)google.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/arch/powerpc/lib/crypto/Kconfig b/arch/powerpc/lib/crypto/Kconfig index ffa541ad6d5d..3f9e1bbd9905 100644 --- a/arch/powerpc/lib/crypto/Kconfig +++ b/arch/powerpc/lib/crypto/Kconfig @@ -10,6 +10,7 @@ config CRYPTO_CHACHA20_P10 config CRYPTO_POLY1305_P10 tristate depends on PPC64 && CPU_LITTLE_ENDIAN && VSX + depends on BROKEN # Needs to be fixed to work in softirq context default CRYPTO_LIB_POLY1305 select CRYPTO_ARCH_HAVE_LIB_POLY1305 select CRYPTO_LIB_POLY1305_GENERIC

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] mtd: rawnand: qcom: Fix last codeword read in" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 47bddabbf69da50999ec68be92b58356c687e1d6 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025062002-disperser-removing-78fc@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 47bddabbf69da50999ec68be92b58356c687e1d6 Mon Sep 17 00:00:00 2001 From: Md Sadre Alam <quic_mdalam(a)quicinc.com> Date: Thu, 10 Apr 2025 15:30:18 +0530 Subject: [PATCH] mtd: rawnand: qcom: Fix last codeword read in qcom_param_page_type_exec() For QPIC V2 onwards there is a separate register to read last code word "QPIC_NAND_READ_LOCATION_LAST_CW_n". qcom_param_page_type_exec() is used to read only one code word If it configures the number of code words to 1 in QPIC_NAND_DEV0_CFG0 register then QPIC controller thinks its reading the last code word, since we are having separate register to read the last code word, we have to configure "QPIC_NAND_READ_LOCATION_LAST_CW_n" register to fetch data from QPIC buffer to system memory. Without this change page read was failing with timeout error / # hexdump -C /dev/mtd1 [ 129.206113] qcom-nandc 1cc8000.nand-controller: failure to read page/oob hexdump: /dev/mtd1: Connection timed out This issue only seen on SDX targets since SDX target used QPICv2. But same working on IPQ targets since IPQ used QPICv1. Cc: stable(a)vger.kernel.org Fixes: 89550beb098e ("mtd: rawnand: qcom: Implement exec_op()") Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> Tested-by: Lakshmi Sowjanya D <quic_laksd(a)quicinc.com> Signed-off-by: Md Sadre Alam <quic_mdalam(a)quicinc.com> Signed-off-by: Miquel Raynal <miquel.raynal(a)bootlin.com> diff --git a/drivers/mtd/nand/raw/qcom_nandc.c b/drivers/mtd/nand/raw/qcom_nandc.c index ef2dd158ca34..a73bb154353f 100644 --- a/drivers/mtd/nand/raw/qcom_nandc.c +++ b/drivers/mtd/nand/raw/qcom_nandc.c @@ -1863,7 +1863,12 @@ static int qcom_param_page_type_exec(struct nand_chip *chip, const struct nand_ const struct nand_op_instr *instr = NULL; unsigned int op_id = 0; unsigned int len = 0; - int ret; + int ret, reg_base; + + reg_base = NAND_READ_LOCATION_0; + + if (nandc->props->qpic_version2) + reg_base = NAND_READ_LOCATION_LAST_CW_0; ret = qcom_parse_instructions(chip, subop, &q_op); if (ret) @@ -1915,7 +1920,10 @@ static int qcom_param_page_type_exec(struct nand_chip *chip, const struct nand_ op_id = q_op.data_instr_idx; len = nand_subop_get_data_len(subop, op_id); - nandc_set_read_loc(chip, 0, 0, 0, len, 1); + if (nandc->props->qpic_version2) + nandc_set_read_loc_last(chip, reg_base, 0, len, 1); + else + nandc_set_read_loc_first(chip, reg_base, 0, len, 1); if (!nandc->props->qpic_version2) { qcom_write_reg_dma(nandc, &nandc->regs->vld, NAND_DEV_CMD_VLD, 1, 0);

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] mtd: rawnand: qcom: Fix last codeword read in" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 47bddabbf69da50999ec68be92b58356c687e1d6 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025062000-manhunt-treachery-4c42@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 47bddabbf69da50999ec68be92b58356c687e1d6 Mon Sep 17 00:00:00 2001 From: Md Sadre Alam <quic_mdalam(a)quicinc.com> Date: Thu, 10 Apr 2025 15:30:18 +0530 Subject: [PATCH] mtd: rawnand: qcom: Fix last codeword read in qcom_param_page_type_exec() For QPIC V2 onwards there is a separate register to read last code word "QPIC_NAND_READ_LOCATION_LAST_CW_n". qcom_param_page_type_exec() is used to read only one code word If it configures the number of code words to 1 in QPIC_NAND_DEV0_CFG0 register then QPIC controller thinks its reading the last code word, since we are having separate register to read the last code word, we have to configure "QPIC_NAND_READ_LOCATION_LAST_CW_n" register to fetch data from QPIC buffer to system memory. Without this change page read was failing with timeout error / # hexdump -C /dev/mtd1 [ 129.206113] qcom-nandc 1cc8000.nand-controller: failure to read page/oob hexdump: /dev/mtd1: Connection timed out This issue only seen on SDX targets since SDX target used QPICv2. But same working on IPQ targets since IPQ used QPICv1. Cc: stable(a)vger.kernel.org Fixes: 89550beb098e ("mtd: rawnand: qcom: Implement exec_op()") Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> Tested-by: Lakshmi Sowjanya D <quic_laksd(a)quicinc.com> Signed-off-by: Md Sadre Alam <quic_mdalam(a)quicinc.com> Signed-off-by: Miquel Raynal <miquel.raynal(a)bootlin.com> diff --git a/drivers/mtd/nand/raw/qcom_nandc.c b/drivers/mtd/nand/raw/qcom_nandc.c index ef2dd158ca34..a73bb154353f 100644 --- a/drivers/mtd/nand/raw/qcom_nandc.c +++ b/drivers/mtd/nand/raw/qcom_nandc.c @@ -1863,7 +1863,12 @@ static int qcom_param_page_type_exec(struct nand_chip *chip, const struct nand_ const struct nand_op_instr *instr = NULL; unsigned int op_id = 0; unsigned int len = 0; - int ret; + int ret, reg_base; + + reg_base = NAND_READ_LOCATION_0; + + if (nandc->props->qpic_version2) + reg_base = NAND_READ_LOCATION_LAST_CW_0; ret = qcom_parse_instructions(chip, subop, &q_op); if (ret) @@ -1915,7 +1920,10 @@ static int qcom_param_page_type_exec(struct nand_chip *chip, const struct nand_ op_id = q_op.data_instr_idx; len = nand_subop_get_data_len(subop, op_id); - nandc_set_read_loc(chip, 0, 0, 0, len, 1); + if (nandc->props->qpic_version2) + nandc_set_read_loc_last(chip, reg_base, 0, len, 1); + else + nandc_set_read_loc_first(chip, reg_base, 0, len, 1); if (!nandc->props->qpic_version2) { qcom_write_reg_dma(nandc, &nandc->regs->vld, NAND_DEV_CMD_VLD, 1, 0);

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] arm64: dts: qcom: x1e78100-t14s: mark l12b and l15b always-on" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 673fa129e558c5f1196adb27d97ac90ddfe4f19c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025060255-dislike-elaborate-1e0f@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 673fa129e558c5f1196adb27d97ac90ddfe4f19c Mon Sep 17 00:00:00 2001 From: Johan Hovold <johan+linaro(a)kernel.org> Date: Fri, 14 Mar 2025 15:54:34 +0100 Subject: [PATCH] arm64: dts: qcom: x1e78100-t14s: mark l12b and l15b always-on The l12b and l15b supplies are used by components that are not (fully) described (and some never will be) and must never be disabled. Mark the regulators as always-on to prevent them from being disabled, for example, when consumers probe defer or suspend. Fixes: 7d1cbe2f4985 ("arm64: dts: qcom: Add X1E78100 ThinkPad T14s Gen 6") Cc: stable(a)vger.kernel.org # 6.12 Reviewed-by: Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> Link: https://lore.kernel.org/r/20250314145440.11371-3-johan+linaro@kernel.org Signed-off-by: Bjorn Andersson <andersson(a)kernel.org> diff --git a/arch/arm64/boot/dts/qcom/x1e78100-lenovo-thinkpad-t14s.dtsi b/arch/arm64/boot/dts/qcom/x1e78100-lenovo-thinkpad-t14s.dtsi index eff0e73640bc..160c052db1ec 100644 --- a/arch/arm64/boot/dts/qcom/x1e78100-lenovo-thinkpad-t14s.dtsi +++ b/arch/arm64/boot/dts/qcom/x1e78100-lenovo-thinkpad-t14s.dtsi @@ -456,6 +456,7 @@ vreg_l12b_1p2: ldo12 { regulator-min-microvolt = <1200000>; regulator-max-microvolt = <1200000>; regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>; + regulator-always-on; }; vreg_l13b_3p0: ldo13 { @@ -477,6 +478,7 @@ vreg_l15b_1p8: ldo15 { regulator-min-microvolt = <1800000>; regulator-max-microvolt = <1800000>; regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>; + regulator-always-on; }; vreg_l17b_2p5: ldo17 {

1 month, 3 weeks

2
1
0 0

[PATCH v3 1/2] x86/fpu: Fix NULL dereference in avx512_status()

by Sohil Mehta

From: Fushuai Wang <wangfushuai(a)baidu.com> Problem ------- With CONFIG_X86_DEBUG_FPU enabled, reading /proc/[kthread]/arch_status causes a kernel NULL pointer dereference. Kernel threads aren't expected to access the FPU state directly. Kernel usage of FPU registers is contained within kernel_fpu_begin()/_end() sections. However, to report AVX-512 usage, the avx512_timestamp variable within struct fpu needs to be accessed, which triggers a warning in x86_task_fpu(). For Kthreads: proc_pid_arch_status() avx512_status() x86_task_fpu() => Warning and returns NULL x86_task_fpu()->avx512_timestamp => NULL dereference The warning is a false alarm in this case, since the access isn't intended for modifying the FPU state. All kernel threads (except the init_task) have a "struct fpu" with an accessible avx512_timestamp variable. The init_task (PID 0) never follows this path since it is not exposed in /proc. Solution -------- One option is to get rid of the warning in x86_task_fpu() for kernel threads. However, that warning was recently added and might be useful to catch any potential misuse of the FPU state in kernel threads. Another option is to avoid the access altogether. The kernel does not track AVX-512 usage for kernel threads. save_fpregs_to_fpstate()->update_avx_timestamp() is never invoked for kernel threads, so avx512_timestamp is always guaranteed to be 0. Also, the legacy behavior of reporting "AVX512_elapsed_ms: -1", which signifies "no AVX-512 usage", is misleading. The kernel usage just isn't tracked. Update the ABI for kernel threads and do not report AVX-512 usage for them. Not having a value in the file avoids the NULL dereference as well as the misleading report. Suggested-by: Dave Hansen <dave.hansen(a)intel.com> Fixes: 22aafe3bcb67 ("x86/fpu: Remove init_task FPU state dependencies, add debugging warning for PF_KTHREAD tasks") Cc: stable(a)vger.kernel.org Signed-off-by: Fushuai Wang <wangfushuai(a)baidu.com> Co-developed-by: Sohil Mehta <sohil.mehta(a)intel.com> Signed-off-by: Sohil Mehta <sohil.mehta(a)intel.com> --- v3: - Do not report anything for kernel threads. (DaveH) - Make the commit message more precise. v2: https://lore.kernel.org/lkml/20250721215302.3562784-1-sohil.mehta@intel.com/ - Avoid making the fix dependent on CONFIG_X86_DEBUG_FPU. - Include PF_USER_WORKER in the kernel thread check. - Update commit message for clarity. --- arch/x86/kernel/fpu/xstate.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c index 9aa9ac8399ae..b90b2eec8fb8 100644 --- a/arch/x86/kernel/fpu/xstate.c +++ b/arch/x86/kernel/fpu/xstate.c @@ -1855,19 +1855,20 @@ long fpu_xstate_prctl(int option, unsigned long arg2) #ifdef CONFIG_PROC_PID_ARCH_STATUS /* * Report the amount of time elapsed in millisecond since last AVX512 - * use in the task. + * use in the task. Report -1 if no AVX-512 usage. */ static void avx512_status(struct seq_file *m, struct task_struct *task) { - unsigned long timestamp = READ_ONCE(x86_task_fpu(task)->avx512_timestamp); - long delta; + unsigned long timestamp; + long delta = -1; - if (!timestamp) { - /* - * Report -1 if no AVX512 usage - */ - delta = -1; - } else { + /* AVX-512 usage is not tracked for kernel threads. */ + if (task->flags & (PF_KTHREAD | PF_USER_WORKER)) + return; + + timestamp = READ_ONCE(x86_task_fpu(task)->avx512_timestamp); + + if (timestamp) { delta = (long)(jiffies - timestamp); /* * Cap to LONG_MAX if time difference > LONG_MAX -- 2.43.0

1 month, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] x86/traps: Initialize DR7 by writing its architectural reset" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x fa7d0f83c5c4223a01598876352473cb3d3bd4d7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025063026-grandma-tributary-5bd8@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fa7d0f83c5c4223a01598876352473cb3d3bd4d7 Mon Sep 17 00:00:00 2001 From: "Xin Li (Intel)" <xin(a)zytor.com> Date: Fri, 20 Jun 2025 16:15:04 -0700 Subject: [PATCH] x86/traps: Initialize DR7 by writing its architectural reset value Initialize DR7 by writing its architectural reset value to always set bit 10, which is reserved to '1', when "clearing" DR7 so as not to trigger unanticipated behavior if said bit is ever unreserved, e.g. as a feature enabling flag with inverted polarity. Signed-off-by: Xin Li (Intel) <xin(a)zytor.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Reviewed-by: H. Peter Anvin (Intel) <hpa(a)zytor.com> Reviewed-by: Sohil Mehta <sohil.mehta(a)intel.com> Acked-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Acked-by: Sean Christopherson <seanjc(a)google.com> Tested-by: Sohil Mehta <sohil.mehta(a)intel.com> Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/20250620231504.2676902-3-xin%40zytor.com diff --git a/arch/x86/include/asm/debugreg.h b/arch/x86/include/asm/debugreg.h index 363110e6b2e3..a2c1f2d24b64 100644 --- a/arch/x86/include/asm/debugreg.h +++ b/arch/x86/include/asm/debugreg.h @@ -9,6 +9,14 @@ #include <asm/cpufeature.h> #include <asm/msr.h> +/* + * Define bits that are always set to 1 in DR7, only bit 10 is + * architecturally reserved to '1'. + * + * This is also the init/reset value for DR7. + */ +#define DR7_FIXED_1 0x00000400 + DECLARE_PER_CPU(unsigned long, cpu_dr7); #ifndef CONFIG_PARAVIRT_XXL @@ -100,8 +108,8 @@ static __always_inline void native_set_debugreg(int regno, unsigned long value) static inline void hw_breakpoint_disable(void) { - /* Zero the control register for HW Breakpoint */ - set_debugreg(0UL, 7); + /* Reset the control register for HW Breakpoint */ + set_debugreg(DR7_FIXED_1, 7); /* Zero-out the individual HW breakpoint address registers */ set_debugreg(0UL, 0); @@ -125,9 +133,12 @@ static __always_inline unsigned long local_db_save(void) return 0; get_debugreg(dr7, 7); - dr7 &= ~0x400; /* architecturally set bit */ + + /* Architecturally set bit */ + dr7 &= ~DR7_FIXED_1; if (dr7) - set_debugreg(0, 7); + set_debugreg(DR7_FIXED_1, 7); + /* * Ensure the compiler doesn't lower the above statements into * the critical section; disabling breakpoints late would not diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h index b4a391929cdb..639d9bcee842 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -31,6 +31,7 @@ #include <asm/apic.h> #include <asm/pvclock-abi.h> +#include <asm/debugreg.h> #include <asm/desc.h> #include <asm/mtrr.h> #include <asm/msr-index.h> @@ -249,7 +250,6 @@ enum x86_intercept_stage; #define DR7_BP_EN_MASK 0x000000ff #define DR7_GE (1 << 9) #define DR7_GD (1 << 13) -#define DR7_FIXED_1 0x00000400 #define DR7_VOLATILE 0xffff2bff #define KVM_GUESTDBG_VALID_MASK \ diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index 0f6c280a94f0..27125e009847 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -2246,7 +2246,7 @@ EXPORT_PER_CPU_SYMBOL(__stack_chk_guard); static void initialize_debug_regs(void) { /* Control register first -- to make sure everything is disabled. */ - set_debugreg(0, 7); + set_debugreg(DR7_FIXED_1, 7); set_debugreg(DR6_RESERVED, 6); /* dr5 and dr4 don't exist */ set_debugreg(0, 3); diff --git a/arch/x86/kernel/kgdb.c b/arch/x86/kernel/kgdb.c index 102641fd2172..8b1a9733d13e 100644 --- a/arch/x86/kernel/kgdb.c +++ b/arch/x86/kernel/kgdb.c @@ -385,7 +385,7 @@ static void kgdb_disable_hw_debug(struct pt_regs *regs) struct perf_event *bp; /* Disable hardware debugging while we are in kgdb: */ - set_debugreg(0UL, 7); + set_debugreg(DR7_FIXED_1, 7); for (i = 0; i < HBP_NUM; i++) { if (!breakinfo[i].enabled) continue; diff --git a/arch/x86/kernel/process_32.c b/arch/x86/kernel/process_32.c index a10e180cbf23..3ef15c2f152f 100644 --- a/arch/x86/kernel/process_32.c +++ b/arch/x86/kernel/process_32.c @@ -93,7 +93,7 @@ void __show_regs(struct pt_regs *regs, enum show_regs_mode mode, /* Only print out debug registers if they are in their non-default state. */ if ((d0 == 0) && (d1 == 0) && (d2 == 0) && (d3 == 0) && - (d6 == DR6_RESERVED) && (d7 == 0x400)) + (d6 == DR6_RESERVED) && (d7 == DR7_FIXED_1)) return; printk("%sDR0: %08lx DR1: %08lx DR2: %08lx DR3: %08lx\n", diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c index 8d6cf25127aa..b972bf72fb8b 100644 --- a/arch/x86/kernel/process_64.c +++ b/arch/x86/kernel/process_64.c @@ -133,7 +133,7 @@ void __show_regs(struct pt_regs *regs, enum show_regs_mode mode, /* Only print out debug registers if they are in their non-default state. */ if (!((d0 == 0) && (d1 == 0) && (d2 == 0) && (d3 == 0) && - (d6 == DR6_RESERVED) && (d7 == 0x400))) { + (d6 == DR6_RESERVED) && (d7 == DR7_FIXED_1))) { printk("%sDR0: %016lx DR1: %016lx DR2: %016lx\n", log_lvl, d0, d1, d2); printk("%sDR3: %016lx DR6: %016lx DR7: %016lx\n", diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index b58a74c1722d..a9d992d5652f 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -11035,7 +11035,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) if (unlikely(vcpu->arch.switch_db_regs && !(vcpu->arch.switch_db_regs & KVM_DEBUGREG_AUTO_SWITCH))) { - set_debugreg(0, 7); + set_debugreg(DR7_FIXED_1, 7); set_debugreg(vcpu->arch.eff_db[0], 0); set_debugreg(vcpu->arch.eff_db[1], 1); set_debugreg(vcpu->arch.eff_db[2], 2); @@ -11044,7 +11044,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) if (unlikely(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)) kvm_x86_call(set_dr6)(vcpu, vcpu->arch.dr6); } else if (unlikely(hw_breakpoint_active())) { - set_debugreg(0, 7); + set_debugreg(DR7_FIXED_1, 7); } vcpu->arch.host_debugctl = get_debugctlmsr();

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] x86/traps: Initialize DR7 by writing its architectural reset" failed to apply to 6.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.15.y git checkout FETCH_HEAD git cherry-pick -x fa7d0f83c5c4223a01598876352473cb3d3bd4d7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025063026-replace-hardly-8dd1@gregkh' --subject-prefix 'PATCH 6.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fa7d0f83c5c4223a01598876352473cb3d3bd4d7 Mon Sep 17 00:00:00 2001 From: "Xin Li (Intel)" <xin(a)zytor.com> Date: Fri, 20 Jun 2025 16:15:04 -0700 Subject: [PATCH] x86/traps: Initialize DR7 by writing its architectural reset value Initialize DR7 by writing its architectural reset value to always set bit 10, which is reserved to '1', when "clearing" DR7 so as not to trigger unanticipated behavior if said bit is ever unreserved, e.g. as a feature enabling flag with inverted polarity. Signed-off-by: Xin Li (Intel) <xin(a)zytor.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Reviewed-by: H. Peter Anvin (Intel) <hpa(a)zytor.com> Reviewed-by: Sohil Mehta <sohil.mehta(a)intel.com> Acked-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Acked-by: Sean Christopherson <seanjc(a)google.com> Tested-by: Sohil Mehta <sohil.mehta(a)intel.com> Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/20250620231504.2676902-3-xin%40zytor.com diff --git a/arch/x86/include/asm/debugreg.h b/arch/x86/include/asm/debugreg.h index 363110e6b2e3..a2c1f2d24b64 100644 --- a/arch/x86/include/asm/debugreg.h +++ b/arch/x86/include/asm/debugreg.h @@ -9,6 +9,14 @@ #include <asm/cpufeature.h> #include <asm/msr.h> +/* + * Define bits that are always set to 1 in DR7, only bit 10 is + * architecturally reserved to '1'. + * + * This is also the init/reset value for DR7. + */ +#define DR7_FIXED_1 0x00000400 + DECLARE_PER_CPU(unsigned long, cpu_dr7); #ifndef CONFIG_PARAVIRT_XXL @@ -100,8 +108,8 @@ static __always_inline void native_set_debugreg(int regno, unsigned long value) static inline void hw_breakpoint_disable(void) { - /* Zero the control register for HW Breakpoint */ - set_debugreg(0UL, 7); + /* Reset the control register for HW Breakpoint */ + set_debugreg(DR7_FIXED_1, 7); /* Zero-out the individual HW breakpoint address registers */ set_debugreg(0UL, 0); @@ -125,9 +133,12 @@ static __always_inline unsigned long local_db_save(void) return 0; get_debugreg(dr7, 7); - dr7 &= ~0x400; /* architecturally set bit */ + + /* Architecturally set bit */ + dr7 &= ~DR7_FIXED_1; if (dr7) - set_debugreg(0, 7); + set_debugreg(DR7_FIXED_1, 7); + /* * Ensure the compiler doesn't lower the above statements into * the critical section; disabling breakpoints late would not diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h index b4a391929cdb..639d9bcee842 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -31,6 +31,7 @@ #include <asm/apic.h> #include <asm/pvclock-abi.h> +#include <asm/debugreg.h> #include <asm/desc.h> #include <asm/mtrr.h> #include <asm/msr-index.h> @@ -249,7 +250,6 @@ enum x86_intercept_stage; #define DR7_BP_EN_MASK 0x000000ff #define DR7_GE (1 << 9) #define DR7_GD (1 << 13) -#define DR7_FIXED_1 0x00000400 #define DR7_VOLATILE 0xffff2bff #define KVM_GUESTDBG_VALID_MASK \ diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index 0f6c280a94f0..27125e009847 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -2246,7 +2246,7 @@ EXPORT_PER_CPU_SYMBOL(__stack_chk_guard); static void initialize_debug_regs(void) { /* Control register first -- to make sure everything is disabled. */ - set_debugreg(0, 7); + set_debugreg(DR7_FIXED_1, 7); set_debugreg(DR6_RESERVED, 6); /* dr5 and dr4 don't exist */ set_debugreg(0, 3); diff --git a/arch/x86/kernel/kgdb.c b/arch/x86/kernel/kgdb.c index 102641fd2172..8b1a9733d13e 100644 --- a/arch/x86/kernel/kgdb.c +++ b/arch/x86/kernel/kgdb.c @@ -385,7 +385,7 @@ static void kgdb_disable_hw_debug(struct pt_regs *regs) struct perf_event *bp; /* Disable hardware debugging while we are in kgdb: */ - set_debugreg(0UL, 7); + set_debugreg(DR7_FIXED_1, 7); for (i = 0; i < HBP_NUM; i++) { if (!breakinfo[i].enabled) continue; diff --git a/arch/x86/kernel/process_32.c b/arch/x86/kernel/process_32.c index a10e180cbf23..3ef15c2f152f 100644 --- a/arch/x86/kernel/process_32.c +++ b/arch/x86/kernel/process_32.c @@ -93,7 +93,7 @@ void __show_regs(struct pt_regs *regs, enum show_regs_mode mode, /* Only print out debug registers if they are in their non-default state. */ if ((d0 == 0) && (d1 == 0) && (d2 == 0) && (d3 == 0) && - (d6 == DR6_RESERVED) && (d7 == 0x400)) + (d6 == DR6_RESERVED) && (d7 == DR7_FIXED_1)) return; printk("%sDR0: %08lx DR1: %08lx DR2: %08lx DR3: %08lx\n", diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c index 8d6cf25127aa..b972bf72fb8b 100644 --- a/arch/x86/kernel/process_64.c +++ b/arch/x86/kernel/process_64.c @@ -133,7 +133,7 @@ void __show_regs(struct pt_regs *regs, enum show_regs_mode mode, /* Only print out debug registers if they are in their non-default state. */ if (!((d0 == 0) && (d1 == 0) && (d2 == 0) && (d3 == 0) && - (d6 == DR6_RESERVED) && (d7 == 0x400))) { + (d6 == DR6_RESERVED) && (d7 == DR7_FIXED_1))) { printk("%sDR0: %016lx DR1: %016lx DR2: %016lx\n", log_lvl, d0, d1, d2); printk("%sDR3: %016lx DR6: %016lx DR7: %016lx\n", diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index b58a74c1722d..a9d992d5652f 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -11035,7 +11035,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) if (unlikely(vcpu->arch.switch_db_regs && !(vcpu->arch.switch_db_regs & KVM_DEBUGREG_AUTO_SWITCH))) { - set_debugreg(0, 7); + set_debugreg(DR7_FIXED_1, 7); set_debugreg(vcpu->arch.eff_db[0], 0); set_debugreg(vcpu->arch.eff_db[1], 1); set_debugreg(vcpu->arch.eff_db[2], 2); @@ -11044,7 +11044,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) if (unlikely(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)) kvm_x86_call(set_dr6)(vcpu, vcpu->arch.dr6); } else if (unlikely(hw_breakpoint_active())) { - set_debugreg(0, 7); + set_debugreg(DR7_FIXED_1, 7); } vcpu->arch.host_debugctl = get_debugctlmsr();

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] usb: typec: tcpm: apply vbus before data bringup in" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x bec15191d52300defa282e3fd83820f69e447116 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070814-evict-shelf-8b8d@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bec15191d52300defa282e3fd83820f69e447116 Mon Sep 17 00:00:00 2001 From: RD Babiera <rdbabiera(a)google.com> Date: Wed, 18 Jun 2025 23:06:04 +0000 Subject: [PATCH] usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach This patch fixes Type-C compliance test TD 4.7.6 - Try.SNK DRP Connect SNKAS. tVbusON has a limit of 275ms when entering SRC_ATTACHED. Compliance testers can interpret the TryWait.Src to Attached.Src transition after Try.Snk as being in Attached.Src the entire time, so ~170ms is lost to the debounce timer. Setting the data role can be a costly operation in host mode, and when completed after 100ms can cause Type-C compliance test check TD 4.7.5.V.4 to fail. Turn VBUS on before tcpm_set_roles to meet timing requirement. Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)") Cc: stable <stable(a)kernel.org> Signed-off-by: RD Babiera <rdbabiera(a)google.com> Reviewed-by: Badhri Jagan Sridharan <badhri(a)google.com> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://lore.kernel.org/r/20250618230606.3272497-2-rdbabiera@google.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c index 1a1f9e1f8e4e..1f6fdfaa34bf 100644 --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -4410,17 +4410,6 @@ static int tcpm_src_attach(struct tcpm_port *port) tcpm_enable_auto_vbus_discharge(port, true); - ret = tcpm_set_roles(port, true, TYPEC_STATE_USB, - TYPEC_SOURCE, tcpm_data_role_for_source(port)); - if (ret < 0) - return ret; - - if (port->pd_supported) { - ret = port->tcpc->set_pd_rx(port->tcpc, true); - if (ret < 0) - goto out_disable_mux; - } - /* * USB Type-C specification, version 1.2, * chapter 4.5.2.2.8.1 (Attached.SRC Requirements) @@ -4430,13 +4419,24 @@ static int tcpm_src_attach(struct tcpm_port *port) (polarity == TYPEC_POLARITY_CC2 && port->cc1 == TYPEC_CC_RA)) { ret = tcpm_set_vconn(port, true); if (ret < 0) - goto out_disable_pd; + return ret; } ret = tcpm_set_vbus(port, true); if (ret < 0) goto out_disable_vconn; + ret = tcpm_set_roles(port, true, TYPEC_STATE_USB, TYPEC_SOURCE, + tcpm_data_role_for_source(port)); + if (ret < 0) + goto out_disable_vbus; + + if (port->pd_supported) { + ret = port->tcpc->set_pd_rx(port->tcpc, true); + if (ret < 0) + goto out_disable_mux; + } + port->pd_capable = false; port->partner = NULL; @@ -4447,14 +4447,14 @@ static int tcpm_src_attach(struct tcpm_port *port) return 0; -out_disable_vconn: - tcpm_set_vconn(port, false); -out_disable_pd: - if (port->pd_supported) - port->tcpc->set_pd_rx(port->tcpc, false); out_disable_mux: tcpm_mux_set(port, TYPEC_STATE_SAFE, USB_ROLE_NONE, TYPEC_ORIENTATION_NONE); +out_disable_vbus: + tcpm_set_vbus(port, false); +out_disable_vconn: + tcpm_set_vconn(port, false); + return ret; }

1 month, 3 weeks

2
3
0 0

FAILED: patch "[PATCH] usb: typec: tcpm: apply vbus before data bringup in" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x bec15191d52300defa282e3fd83820f69e447116 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070815-spongy-caravan-a8f7@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bec15191d52300defa282e3fd83820f69e447116 Mon Sep 17 00:00:00 2001 From: RD Babiera <rdbabiera(a)google.com> Date: Wed, 18 Jun 2025 23:06:04 +0000 Subject: [PATCH] usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach This patch fixes Type-C compliance test TD 4.7.6 - Try.SNK DRP Connect SNKAS. tVbusON has a limit of 275ms when entering SRC_ATTACHED. Compliance testers can interpret the TryWait.Src to Attached.Src transition after Try.Snk as being in Attached.Src the entire time, so ~170ms is lost to the debounce timer. Setting the data role can be a costly operation in host mode, and when completed after 100ms can cause Type-C compliance test check TD 4.7.5.V.4 to fail. Turn VBUS on before tcpm_set_roles to meet timing requirement. Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)") Cc: stable <stable(a)kernel.org> Signed-off-by: RD Babiera <rdbabiera(a)google.com> Reviewed-by: Badhri Jagan Sridharan <badhri(a)google.com> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://lore.kernel.org/r/20250618230606.3272497-2-rdbabiera@google.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c index 1a1f9e1f8e4e..1f6fdfaa34bf 100644 --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -4410,17 +4410,6 @@ static int tcpm_src_attach(struct tcpm_port *port) tcpm_enable_auto_vbus_discharge(port, true); - ret = tcpm_set_roles(port, true, TYPEC_STATE_USB, - TYPEC_SOURCE, tcpm_data_role_for_source(port)); - if (ret < 0) - return ret; - - if (port->pd_supported) { - ret = port->tcpc->set_pd_rx(port->tcpc, true); - if (ret < 0) - goto out_disable_mux; - } - /* * USB Type-C specification, version 1.2, * chapter 4.5.2.2.8.1 (Attached.SRC Requirements) @@ -4430,13 +4419,24 @@ static int tcpm_src_attach(struct tcpm_port *port) (polarity == TYPEC_POLARITY_CC2 && port->cc1 == TYPEC_CC_RA)) { ret = tcpm_set_vconn(port, true); if (ret < 0) - goto out_disable_pd; + return ret; } ret = tcpm_set_vbus(port, true); if (ret < 0) goto out_disable_vconn; + ret = tcpm_set_roles(port, true, TYPEC_STATE_USB, TYPEC_SOURCE, + tcpm_data_role_for_source(port)); + if (ret < 0) + goto out_disable_vbus; + + if (port->pd_supported) { + ret = port->tcpc->set_pd_rx(port->tcpc, true); + if (ret < 0) + goto out_disable_mux; + } + port->pd_capable = false; port->partner = NULL; @@ -4447,14 +4447,14 @@ static int tcpm_src_attach(struct tcpm_port *port) return 0; -out_disable_vconn: - tcpm_set_vconn(port, false); -out_disable_pd: - if (port->pd_supported) - port->tcpc->set_pd_rx(port->tcpc, false); out_disable_mux: tcpm_mux_set(port, TYPEC_STATE_SAFE, USB_ROLE_NONE, TYPEC_ORIENTATION_NONE); +out_disable_vbus: + tcpm_set_vbus(port, false); +out_disable_vconn: + tcpm_set_vconn(port, false); + return ret; }

1 month, 3 weeks

2
3
0 0

[PATCH v2] x86: Clear feature bits disabled at compile-time

by Maciej Wieczor-Retman

If some config options are disabled during compile time, they still are enumerated in macros that use the x86_capability bitmask - cpu_has() or this_cpu_has(). The features are also visible in /proc/cpuinfo even though they are not enabled - which is contrary to what the documentation states about the file. Examples of such feature flags are lam, fred, sgx, ibrs_enhanced, split_lock_detect, user_shstk, avx_vnni and enqcmd. Add a DISABLED_MASK() macro that returns 32 bit chunks of the disabled feature bits bitmask. Initialize the cpu_caps_cleared and cpu_caps_set arrays with the contents of the disabled and required bitmasks respectively. Then let apply_forced_caps() clear/set these feature bits in the x86_capability. Fixes: 6449dcb0cac7 ("x86: CPUID and CR3/CR4 flags for Linear Address Masking") Fixes: 51c158f7aacc ("x86/cpufeatures: Add the CPU feature bit for FRED") Fixes: 706d51681d63 ("x86/speculation: Support Enhanced IBRS on future CPUs") Fixes: e7b6385b01d8 ("x86/cpufeatures: Add Intel SGX hardware bits") Fixes: 6650cdd9a8cc ("x86/split_lock: Enable split lock detection by kernel") Fixes: 701fb66d576e ("x86/cpufeatures: Add CPU feature flags for shadow stacks") Fixes: ff4f82816dff ("x86/cpufeatures: Enumerate ENQCMD and ENQCMDS instructions") Signed-off-by: Maciej Wieczor-Retman <maciej.wieczor-retman(a)intel.com> Cc: <stable(a)vger.kernel.org> --- Changelog v2: - Redo the patch to utilize a more generic solution, not just fix the LAM and FRED feature bits. - Note more feature flags that shouldn't be present. - Add fixes and cc tags. arch/x86/kernel/cpu/common.c | 12 ++++++++++++ arch/x86/tools/cpufeaturemasks.awk | 8 ++++++++ 2 files changed, 20 insertions(+) diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index 77afca95cced..ba8b5fba8552 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -1709,6 +1709,16 @@ static void __init cpu_parse_early_param(void) } } +static __init void init_cpu_cap(struct cpuinfo_x86 *c) +{ + int i; + + for (i = 0; i < NCAPINTS; i++) { + cpu_caps_set[i] = REQUIRED_MASK(i); + cpu_caps_cleared[i] = DISABLED_MASK(i); + } +} + /* * Do minimum CPU detection early. * Fields really needed: vendor, cpuid_level, family, model, mask, @@ -1782,6 +1792,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c) if (!pgtable_l5_enabled()) setup_clear_cpu_cap(X86_FEATURE_LA57); + init_cpu_cap(c); + detect_nopl(); } diff --git a/arch/x86/tools/cpufeaturemasks.awk b/arch/x86/tools/cpufeaturemasks.awk index 173d5bf2d999..2e2412f7681f 100755 --- a/arch/x86/tools/cpufeaturemasks.awk +++ b/arch/x86/tools/cpufeaturemasks.awk @@ -82,6 +82,14 @@ END { } printf " 0\t\\\n"; printf "\t) & (1U << ((x) & 31)))\n\n"; + + printf "\n#define %s_MASK(x)\t\t\t\t\\\n", s; + printf "\t((\t\t\t\t"; + for (i = 0; i < ncapints; i++) { + if (masks[i]) + printf "\t\t\\\n\t\t(x) == %2d ? %s_MASK%d :", i, s, i; + } + printf " 0))\t\\\n\n"; } printf "#endif /* _ASM_X86_CPUFEATUREMASKS_H */\n"; -- 2.49.0

1 month, 3 weeks

5
14
0 0

FAILED: patch "[PATCH] usb: typec: tcpm: apply vbus before data bringup in" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x bec15191d52300defa282e3fd83820f69e447116 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070814-resume-lazy-4b81@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bec15191d52300defa282e3fd83820f69e447116 Mon Sep 17 00:00:00 2001 From: RD Babiera <rdbabiera(a)google.com> Date: Wed, 18 Jun 2025 23:06:04 +0000 Subject: [PATCH] usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach This patch fixes Type-C compliance test TD 4.7.6 - Try.SNK DRP Connect SNKAS. tVbusON has a limit of 275ms when entering SRC_ATTACHED. Compliance testers can interpret the TryWait.Src to Attached.Src transition after Try.Snk as being in Attached.Src the entire time, so ~170ms is lost to the debounce timer. Setting the data role can be a costly operation in host mode, and when completed after 100ms can cause Type-C compliance test check TD 4.7.5.V.4 to fail. Turn VBUS on before tcpm_set_roles to meet timing requirement. Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)") Cc: stable <stable(a)kernel.org> Signed-off-by: RD Babiera <rdbabiera(a)google.com> Reviewed-by: Badhri Jagan Sridharan <badhri(a)google.com> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://lore.kernel.org/r/20250618230606.3272497-2-rdbabiera@google.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c index 1a1f9e1f8e4e..1f6fdfaa34bf 100644 --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -4410,17 +4410,6 @@ static int tcpm_src_attach(struct tcpm_port *port) tcpm_enable_auto_vbus_discharge(port, true); - ret = tcpm_set_roles(port, true, TYPEC_STATE_USB, - TYPEC_SOURCE, tcpm_data_role_for_source(port)); - if (ret < 0) - return ret; - - if (port->pd_supported) { - ret = port->tcpc->set_pd_rx(port->tcpc, true); - if (ret < 0) - goto out_disable_mux; - } - /* * USB Type-C specification, version 1.2, * chapter 4.5.2.2.8.1 (Attached.SRC Requirements) @@ -4430,13 +4419,24 @@ static int tcpm_src_attach(struct tcpm_port *port) (polarity == TYPEC_POLARITY_CC2 && port->cc1 == TYPEC_CC_RA)) { ret = tcpm_set_vconn(port, true); if (ret < 0) - goto out_disable_pd; + return ret; } ret = tcpm_set_vbus(port, true); if (ret < 0) goto out_disable_vconn; + ret = tcpm_set_roles(port, true, TYPEC_STATE_USB, TYPEC_SOURCE, + tcpm_data_role_for_source(port)); + if (ret < 0) + goto out_disable_vbus; + + if (port->pd_supported) { + ret = port->tcpc->set_pd_rx(port->tcpc, true); + if (ret < 0) + goto out_disable_mux; + } + port->pd_capable = false; port->partner = NULL; @@ -4447,14 +4447,14 @@ static int tcpm_src_attach(struct tcpm_port *port) return 0; -out_disable_vconn: - tcpm_set_vconn(port, false); -out_disable_pd: - if (port->pd_supported) - port->tcpc->set_pd_rx(port->tcpc, false); out_disable_mux: tcpm_mux_set(port, TYPEC_STATE_SAFE, USB_ROLE_NONE, TYPEC_ORIENTATION_NONE); +out_disable_vbus: + tcpm_set_vbus(port, false); +out_disable_vconn: + tcpm_set_vconn(port, false); + return ret; }

1 month, 3 weeks

2
3
0 0

FAILED: patch "[PATCH] usb: typec: tcpm: apply vbus before data bringup in" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x bec15191d52300defa282e3fd83820f69e447116 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070813-unwoven-idealness-eaa2@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bec15191d52300defa282e3fd83820f69e447116 Mon Sep 17 00:00:00 2001 From: RD Babiera <rdbabiera(a)google.com> Date: Wed, 18 Jun 2025 23:06:04 +0000 Subject: [PATCH] usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach This patch fixes Type-C compliance test TD 4.7.6 - Try.SNK DRP Connect SNKAS. tVbusON has a limit of 275ms when entering SRC_ATTACHED. Compliance testers can interpret the TryWait.Src to Attached.Src transition after Try.Snk as being in Attached.Src the entire time, so ~170ms is lost to the debounce timer. Setting the data role can be a costly operation in host mode, and when completed after 100ms can cause Type-C compliance test check TD 4.7.5.V.4 to fail. Turn VBUS on before tcpm_set_roles to meet timing requirement. Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)") Cc: stable <stable(a)kernel.org> Signed-off-by: RD Babiera <rdbabiera(a)google.com> Reviewed-by: Badhri Jagan Sridharan <badhri(a)google.com> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://lore.kernel.org/r/20250618230606.3272497-2-rdbabiera@google.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c index 1a1f9e1f8e4e..1f6fdfaa34bf 100644 --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -4410,17 +4410,6 @@ static int tcpm_src_attach(struct tcpm_port *port) tcpm_enable_auto_vbus_discharge(port, true); - ret = tcpm_set_roles(port, true, TYPEC_STATE_USB, - TYPEC_SOURCE, tcpm_data_role_for_source(port)); - if (ret < 0) - return ret; - - if (port->pd_supported) { - ret = port->tcpc->set_pd_rx(port->tcpc, true); - if (ret < 0) - goto out_disable_mux; - } - /* * USB Type-C specification, version 1.2, * chapter 4.5.2.2.8.1 (Attached.SRC Requirements) @@ -4430,13 +4419,24 @@ static int tcpm_src_attach(struct tcpm_port *port) (polarity == TYPEC_POLARITY_CC2 && port->cc1 == TYPEC_CC_RA)) { ret = tcpm_set_vconn(port, true); if (ret < 0) - goto out_disable_pd; + return ret; } ret = tcpm_set_vbus(port, true); if (ret < 0) goto out_disable_vconn; + ret = tcpm_set_roles(port, true, TYPEC_STATE_USB, TYPEC_SOURCE, + tcpm_data_role_for_source(port)); + if (ret < 0) + goto out_disable_vbus; + + if (port->pd_supported) { + ret = port->tcpc->set_pd_rx(port->tcpc, true); + if (ret < 0) + goto out_disable_mux; + } + port->pd_capable = false; port->partner = NULL; @@ -4447,14 +4447,14 @@ static int tcpm_src_attach(struct tcpm_port *port) return 0; -out_disable_vconn: - tcpm_set_vconn(port, false); -out_disable_pd: - if (port->pd_supported) - port->tcpc->set_pd_rx(port->tcpc, false); out_disable_mux: tcpm_mux_set(port, TYPEC_STATE_SAFE, USB_ROLE_NONE, TYPEC_ORIENTATION_NONE); +out_disable_vbus: + tcpm_set_vbus(port, false); +out_disable_vconn: + tcpm_set_vconn(port, false); + return ret; }

1 month, 3 weeks

2
3
0 0

FAILED: patch "[PATCH] usb: typec: tcpm: apply vbus before data bringup in" failed to apply to 6.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.15.y git checkout FETCH_HEAD git cherry-pick -x bec15191d52300defa282e3fd83820f69e447116 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070813-antidote-uncoated-dabd@gregkh' --subject-prefix 'PATCH 6.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bec15191d52300defa282e3fd83820f69e447116 Mon Sep 17 00:00:00 2001 From: RD Babiera <rdbabiera(a)google.com> Date: Wed, 18 Jun 2025 23:06:04 +0000 Subject: [PATCH] usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach This patch fixes Type-C compliance test TD 4.7.6 - Try.SNK DRP Connect SNKAS. tVbusON has a limit of 275ms when entering SRC_ATTACHED. Compliance testers can interpret the TryWait.Src to Attached.Src transition after Try.Snk as being in Attached.Src the entire time, so ~170ms is lost to the debounce timer. Setting the data role can be a costly operation in host mode, and when completed after 100ms can cause Type-C compliance test check TD 4.7.5.V.4 to fail. Turn VBUS on before tcpm_set_roles to meet timing requirement. Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)") Cc: stable <stable(a)kernel.org> Signed-off-by: RD Babiera <rdbabiera(a)google.com> Reviewed-by: Badhri Jagan Sridharan <badhri(a)google.com> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://lore.kernel.org/r/20250618230606.3272497-2-rdbabiera@google.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c index 1a1f9e1f8e4e..1f6fdfaa34bf 100644 --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -4410,17 +4410,6 @@ static int tcpm_src_attach(struct tcpm_port *port) tcpm_enable_auto_vbus_discharge(port, true); - ret = tcpm_set_roles(port, true, TYPEC_STATE_USB, - TYPEC_SOURCE, tcpm_data_role_for_source(port)); - if (ret < 0) - return ret; - - if (port->pd_supported) { - ret = port->tcpc->set_pd_rx(port->tcpc, true); - if (ret < 0) - goto out_disable_mux; - } - /* * USB Type-C specification, version 1.2, * chapter 4.5.2.2.8.1 (Attached.SRC Requirements) @@ -4430,13 +4419,24 @@ static int tcpm_src_attach(struct tcpm_port *port) (polarity == TYPEC_POLARITY_CC2 && port->cc1 == TYPEC_CC_RA)) { ret = tcpm_set_vconn(port, true); if (ret < 0) - goto out_disable_pd; + return ret; } ret = tcpm_set_vbus(port, true); if (ret < 0) goto out_disable_vconn; + ret = tcpm_set_roles(port, true, TYPEC_STATE_USB, TYPEC_SOURCE, + tcpm_data_role_for_source(port)); + if (ret < 0) + goto out_disable_vbus; + + if (port->pd_supported) { + ret = port->tcpc->set_pd_rx(port->tcpc, true); + if (ret < 0) + goto out_disable_mux; + } + port->pd_capable = false; port->partner = NULL; @@ -4447,14 +4447,14 @@ static int tcpm_src_attach(struct tcpm_port *port) return 0; -out_disable_vconn: - tcpm_set_vconn(port, false); -out_disable_pd: - if (port->pd_supported) - port->tcpc->set_pd_rx(port->tcpc, false); out_disable_mux: tcpm_mux_set(port, TYPEC_STATE_SAFE, USB_ROLE_NONE, TYPEC_ORIENTATION_NONE); +out_disable_vbus: + tcpm_set_vbus(port, false); +out_disable_vconn: + tcpm_set_vconn(port, false); + return ret; }

1 month, 3 weeks

2
3
0 0

FAILED: patch "[PATCH] ALSA: hda: Add missing NVIDIA HDA codec IDs" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x e0a911ac86857a73182edde9e50d9b4b949b7f01 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071244-canon-whacky-600c@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e0a911ac86857a73182edde9e50d9b4b949b7f01 Mon Sep 17 00:00:00 2001 From: Daniel Dadap <ddadap(a)nvidia.com> Date: Thu, 26 Jun 2025 16:16:30 -0500 Subject: [PATCH] ALSA: hda: Add missing NVIDIA HDA codec IDs Add codec IDs for several NVIDIA products with HDA controllers to the snd_hda_id_hdmi[] patch table. Signed-off-by: Daniel Dadap <ddadap(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/aF24rqwMKFWoHu12@ddadap-lakeline.nvidia.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c index 08308231b4ed..9a7793eb16e9 100644 --- a/sound/pci/hda/patch_hdmi.c +++ b/sound/pci/hda/patch_hdmi.c @@ -4551,7 +4551,9 @@ HDA_CODEC_ENTRY(0x10de002e, "Tegra186 HDMI/DP1", patch_tegra_hdmi), HDA_CODEC_ENTRY(0x10de002f, "Tegra194 HDMI/DP2", patch_tegra_hdmi), HDA_CODEC_ENTRY(0x10de0030, "Tegra194 HDMI/DP3", patch_tegra_hdmi), HDA_CODEC_ENTRY(0x10de0031, "Tegra234 HDMI/DP", patch_tegra234_hdmi), +HDA_CODEC_ENTRY(0x10de0033, "SoC 33 HDMI/DP", patch_tegra234_hdmi), HDA_CODEC_ENTRY(0x10de0034, "Tegra264 HDMI/DP", patch_tegra234_hdmi), +HDA_CODEC_ENTRY(0x10de0035, "SoC 35 HDMI/DP", patch_tegra234_hdmi), HDA_CODEC_ENTRY(0x10de0040, "GPU 40 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0041, "GPU 41 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0042, "GPU 42 HDMI/DP", patch_nvhdmi), @@ -4590,15 +4592,32 @@ HDA_CODEC_ENTRY(0x10de0097, "GPU 97 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0098, "GPU 98 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0099, "GPU 99 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009a, "GPU 9a HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de009b, "GPU 9b HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de009c, "GPU 9c HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009d, "GPU 9d HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009e, "GPU 9e HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009f, "GPU 9f HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a0, "GPU a0 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00a1, "GPU a1 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a3, "GPU a3 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a4, "GPU a4 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a5, "GPU a5 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a6, "GPU a6 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a7, "GPU a7 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00a8, "GPU a8 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00a9, "GPU a9 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00aa, "GPU aa HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00ab, "GPU ab HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00ad, "GPU ad HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00ae, "GPU ae HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00af, "GPU af HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00b0, "GPU b0 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00b1, "GPU b1 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c0, "GPU c0 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c1, "GPU c1 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c3, "GPU c3 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c4, "GPU c4 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c5, "GPU c5 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de8001, "MCP73 HDMI", patch_nvhdmi_2ch), HDA_CODEC_ENTRY(0x10de8067, "MCP67/68 HDMI", patch_nvhdmi_2ch), HDA_CODEC_ENTRY(0x67663d82, "Arise 82 HDMI/DP", patch_gf_hdmi),

1 month, 3 weeks

3
4
0 0

FAILED: patch "[PATCH] drm/amdgpu: Fix SDMA engine reset with logical instance ID" failed to apply to 6.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.15.y git checkout FETCH_HEAD git cherry-pick -x 09b585592fa481384597c81388733aed4a04dd05 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025063022-wham-parachute-8574@gregkh' --subject-prefix 'PATCH 6.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 09b585592fa481384597c81388733aed4a04dd05 Mon Sep 17 00:00:00 2001 From: Jesse Zhang <jesse.zhang(a)amd.com> Date: Wed, 11 Jun 2025 15:02:09 +0800 Subject: [PATCH] drm/amdgpu: Fix SDMA engine reset with logical instance ID This commit makes the following improvements to SDMA engine reset handling: 1. Clarifies in the function documentation that instance_id refers to a logical ID 2. Adds conversion from logical to physical instance ID before performing reset using GET_INST(SDMA0, instance_id) macro 3. Improves error messaging to indicate when a logical instance reset fails 4. Adds better code organization with blank lines for readability The change ensures proper SDMA engine reset by using the correct physical instance ID while maintaining the logical ID interface for callers. V2: Remove harvest_config check and convert directly to physical instance (Lijo) Suggested-by: Jonathan Kim <jonathan.kim(a)amd.com> Signed-off-by: Jesse Zhang <Jesse.Zhang(a)amd.com> Reviewed-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit 5efa6217c239ed1ceec0f0414f9b6f6927387dfc) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_sdma.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_sdma.c index 6716ac281c49..9b54a1ece447 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_sdma.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_sdma.c @@ -540,8 +540,10 @@ static int amdgpu_sdma_soft_reset(struct amdgpu_device *adev, u32 instance_id) case IP_VERSION(4, 4, 2): case IP_VERSION(4, 4, 4): case IP_VERSION(4, 4, 5): - /* For SDMA 4.x, use the existing DPM interface for backward compatibility */ - r = amdgpu_dpm_reset_sdma(adev, 1 << instance_id); + /* For SDMA 4.x, use the existing DPM interface for backward compatibility, + * we need to convert the logical instance ID to physical instance ID before reset. + */ + r = amdgpu_dpm_reset_sdma(adev, 1 << GET_INST(SDMA0, instance_id)); break; case IP_VERSION(5, 0, 0): case IP_VERSION(5, 0, 1): @@ -568,7 +570,7 @@ static int amdgpu_sdma_soft_reset(struct amdgpu_device *adev, u32 instance_id) /** * amdgpu_sdma_reset_engine - Reset a specific SDMA engine * @adev: Pointer to the AMDGPU device - * @instance_id: ID of the SDMA engine instance to reset + * @instance_id: Logical ID of the SDMA engine instance to reset * * Returns: 0 on success, or a negative error code on failure. */ @@ -601,7 +603,7 @@ int amdgpu_sdma_reset_engine(struct amdgpu_device *adev, uint32_t instance_id) /* Perform the SDMA reset for the specified instance */ ret = amdgpu_sdma_soft_reset(adev, instance_id); if (ret) { - dev_err(adev->dev, "Failed to reset SDMA instance %u\n", instance_id); + dev_err(adev->dev, "Failed to reset SDMA logical instance %u\n", instance_id); goto exit; }

1 month, 3 weeks

2
3
0 0

FAILED: patch "[PATCH] drm/amdkfd: Don't call mmput from MMU notifier callback" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x cf234231fcbc7d391e2135b9518613218cc5347f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071256-province-work-ddbd@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From cf234231fcbc7d391e2135b9518613218cc5347f Mon Sep 17 00:00:00 2001 From: Philip Yang <Philip.Yang(a)amd.com> Date: Fri, 20 Jun 2025 18:32:32 -0400 Subject: [PATCH] drm/amdkfd: Don't call mmput from MMU notifier callback If the process is exiting, the mmput inside mmu notifier callback from compactd or fork or numa balancing could release the last reference of mm struct to call exit_mmap and free_pgtable, this triggers deadlock with below backtrace. The deadlock will leak kfd process as mmu notifier release is not called and cause VRAM leaking. The fix is to take mm reference mmget_non_zero when adding prange to the deferred list to pair with mmput in deferred list work. If prange split and add into pchild list, the pchild work_item.mm is not used, so remove the mm parameter from svm_range_unmap_split and svm_range_add_child. The backtrace of hung task: INFO: task python:348105 blocked for more than 64512 seconds. Call Trace: __schedule+0x1c3/0x550 schedule+0x46/0xb0 rwsem_down_write_slowpath+0x24b/0x4c0 unlink_anon_vmas+0xb1/0x1c0 free_pgtables+0xa9/0x130 exit_mmap+0xbc/0x1a0 mmput+0x5a/0x140 svm_range_cpu_invalidate_pagetables+0x2b/0x40 [amdgpu] mn_itree_invalidate+0x72/0xc0 __mmu_notifier_invalidate_range_start+0x48/0x60 try_to_unmap_one+0x10fa/0x1400 rmap_walk_anon+0x196/0x460 try_to_unmap+0xbb/0x210 migrate_page_unmap+0x54d/0x7e0 migrate_pages_batch+0x1c3/0xae0 migrate_pages_sync+0x98/0x240 migrate_pages+0x25c/0x520 compact_zone+0x29d/0x590 compact_zone_order+0xb6/0xf0 try_to_compact_pages+0xbe/0x220 __alloc_pages_direct_compact+0x96/0x1a0 __alloc_pages_slowpath+0x410/0x930 __alloc_pages_nodemask+0x3a9/0x3e0 do_huge_pmd_anonymous_page+0xd7/0x3e0 __handle_mm_fault+0x5e3/0x5f0 handle_mm_fault+0xf7/0x2e0 hmm_vma_fault.isra.0+0x4d/0xa0 walk_pmd_range.isra.0+0xa8/0x310 walk_pud_range+0x167/0x240 walk_pgd_range+0x55/0x100 __walk_page_range+0x87/0x90 walk_page_range+0xf6/0x160 hmm_range_fault+0x4f/0x90 amdgpu_hmm_range_get_pages+0x123/0x230 [amdgpu] amdgpu_ttm_tt_get_user_pages+0xb1/0x150 [amdgpu] init_user_pages+0xb1/0x2a0 [amdgpu] amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x543/0x7d0 [amdgpu] kfd_ioctl_alloc_memory_of_gpu+0x24c/0x4e0 [amdgpu] kfd_ioctl+0x29d/0x500 [amdgpu] Fixes: fa582c6f3684 ("drm/amdkfd: Use mmget_not_zero in MMU notifier") Signed-off-by: Philip Yang <Philip.Yang(a)amd.com> Reviewed-by: Felix Kuehling <felix.kuehling(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit a29e067bd38946f752b0ef855f3dfff87e77bec7) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c index 7763e4742080..a0f22ea6d15a 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c @@ -1171,13 +1171,12 @@ svm_range_split_head(struct svm_range *prange, uint64_t new_start, } static void -svm_range_add_child(struct svm_range *prange, struct mm_struct *mm, - struct svm_range *pchild, enum svm_work_list_ops op) +svm_range_add_child(struct svm_range *prange, struct svm_range *pchild, enum svm_work_list_ops op) { pr_debug("add child 0x%p [0x%lx 0x%lx] to prange 0x%p child list %d\n", pchild, pchild->start, pchild->last, prange, op); - pchild->work_item.mm = mm; + pchild->work_item.mm = NULL; pchild->work_item.op = op; list_add_tail(&pchild->child_list, &prange->child_list); } @@ -2394,15 +2393,17 @@ svm_range_add_list_work(struct svm_range_list *svms, struct svm_range *prange, prange->work_item.op != SVM_OP_UNMAP_RANGE) prange->work_item.op = op; } else { - prange->work_item.op = op; - - /* Pairs with mmput in deferred_list_work */ - mmget(mm); - prange->work_item.mm = mm; - list_add_tail(&prange->deferred_list, - &prange->svms->deferred_range_list); - pr_debug("add prange 0x%p [0x%lx 0x%lx] to work list op %d\n", - prange, prange->start, prange->last, op); + /* Pairs with mmput in deferred_list_work. + * If process is exiting and mm is gone, don't update mmu notifier. + */ + if (mmget_not_zero(mm)) { + prange->work_item.mm = mm; + prange->work_item.op = op; + list_add_tail(&prange->deferred_list, + &prange->svms->deferred_range_list); + pr_debug("add prange 0x%p [0x%lx 0x%lx] to work list op %d\n", + prange, prange->start, prange->last, op); + } } spin_unlock(&svms->deferred_list_lock); } @@ -2416,8 +2417,7 @@ void schedule_deferred_list_work(struct svm_range_list *svms) } static void -svm_range_unmap_split(struct mm_struct *mm, struct svm_range *parent, - struct svm_range *prange, unsigned long start, +svm_range_unmap_split(struct svm_range *parent, struct svm_range *prange, unsigned long start, unsigned long last) { struct svm_range *head; @@ -2438,12 +2438,12 @@ svm_range_unmap_split(struct mm_struct *mm, struct svm_range *parent, svm_range_split(tail, last + 1, tail->last, &head); if (head != prange && tail != prange) { - svm_range_add_child(parent, mm, head, SVM_OP_UNMAP_RANGE); - svm_range_add_child(parent, mm, tail, SVM_OP_ADD_RANGE); + svm_range_add_child(parent, head, SVM_OP_UNMAP_RANGE); + svm_range_add_child(parent, tail, SVM_OP_ADD_RANGE); } else if (tail != prange) { - svm_range_add_child(parent, mm, tail, SVM_OP_UNMAP_RANGE); + svm_range_add_child(parent, tail, SVM_OP_UNMAP_RANGE); } else if (head != prange) { - svm_range_add_child(parent, mm, head, SVM_OP_UNMAP_RANGE); + svm_range_add_child(parent, head, SVM_OP_UNMAP_RANGE); } else if (parent != prange) { prange->work_item.op = SVM_OP_UNMAP_RANGE; } @@ -2520,14 +2520,14 @@ svm_range_unmap_from_cpu(struct mm_struct *mm, struct svm_range *prange, l = min(last, pchild->last); if (l >= s) svm_range_unmap_from_gpus(pchild, s, l, trigger); - svm_range_unmap_split(mm, prange, pchild, start, last); + svm_range_unmap_split(prange, pchild, start, last); mutex_unlock(&pchild->lock); } s = max(start, prange->start); l = min(last, prange->last); if (l >= s) svm_range_unmap_from_gpus(prange, s, l, trigger); - svm_range_unmap_split(mm, prange, prange, start, last); + svm_range_unmap_split(prange, prange, start, last); if (unmap_parent) svm_range_add_list_work(svms, prange, mm, SVM_OP_UNMAP_RANGE); @@ -2570,8 +2570,6 @@ svm_range_cpu_invalidate_pagetables(struct mmu_interval_notifier *mni, if (range->event == MMU_NOTIFY_RELEASE) return true; - if (!mmget_not_zero(mni->mm)) - return true; start = mni->interval_tree.start; last = mni->interval_tree.last; @@ -2598,7 +2596,6 @@ svm_range_cpu_invalidate_pagetables(struct mmu_interval_notifier *mni, } svm_range_unlock(prange); - mmput(mni->mm); return true; }

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] drm/amdkfd: Don't call mmput from MMU notifier callback" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x cf234231fcbc7d391e2135b9518613218cc5347f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071252-fountain-preacher-2c65@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From cf234231fcbc7d391e2135b9518613218cc5347f Mon Sep 17 00:00:00 2001 From: Philip Yang <Philip.Yang(a)amd.com> Date: Fri, 20 Jun 2025 18:32:32 -0400 Subject: [PATCH] drm/amdkfd: Don't call mmput from MMU notifier callback If the process is exiting, the mmput inside mmu notifier callback from compactd or fork or numa balancing could release the last reference of mm struct to call exit_mmap and free_pgtable, this triggers deadlock with below backtrace. The deadlock will leak kfd process as mmu notifier release is not called and cause VRAM leaking. The fix is to take mm reference mmget_non_zero when adding prange to the deferred list to pair with mmput in deferred list work. If prange split and add into pchild list, the pchild work_item.mm is not used, so remove the mm parameter from svm_range_unmap_split and svm_range_add_child. The backtrace of hung task: INFO: task python:348105 blocked for more than 64512 seconds. Call Trace: __schedule+0x1c3/0x550 schedule+0x46/0xb0 rwsem_down_write_slowpath+0x24b/0x4c0 unlink_anon_vmas+0xb1/0x1c0 free_pgtables+0xa9/0x130 exit_mmap+0xbc/0x1a0 mmput+0x5a/0x140 svm_range_cpu_invalidate_pagetables+0x2b/0x40 [amdgpu] mn_itree_invalidate+0x72/0xc0 __mmu_notifier_invalidate_range_start+0x48/0x60 try_to_unmap_one+0x10fa/0x1400 rmap_walk_anon+0x196/0x460 try_to_unmap+0xbb/0x210 migrate_page_unmap+0x54d/0x7e0 migrate_pages_batch+0x1c3/0xae0 migrate_pages_sync+0x98/0x240 migrate_pages+0x25c/0x520 compact_zone+0x29d/0x590 compact_zone_order+0xb6/0xf0 try_to_compact_pages+0xbe/0x220 __alloc_pages_direct_compact+0x96/0x1a0 __alloc_pages_slowpath+0x410/0x930 __alloc_pages_nodemask+0x3a9/0x3e0 do_huge_pmd_anonymous_page+0xd7/0x3e0 __handle_mm_fault+0x5e3/0x5f0 handle_mm_fault+0xf7/0x2e0 hmm_vma_fault.isra.0+0x4d/0xa0 walk_pmd_range.isra.0+0xa8/0x310 walk_pud_range+0x167/0x240 walk_pgd_range+0x55/0x100 __walk_page_range+0x87/0x90 walk_page_range+0xf6/0x160 hmm_range_fault+0x4f/0x90 amdgpu_hmm_range_get_pages+0x123/0x230 [amdgpu] amdgpu_ttm_tt_get_user_pages+0xb1/0x150 [amdgpu] init_user_pages+0xb1/0x2a0 [amdgpu] amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x543/0x7d0 [amdgpu] kfd_ioctl_alloc_memory_of_gpu+0x24c/0x4e0 [amdgpu] kfd_ioctl+0x29d/0x500 [amdgpu] Fixes: fa582c6f3684 ("drm/amdkfd: Use mmget_not_zero in MMU notifier") Signed-off-by: Philip Yang <Philip.Yang(a)amd.com> Reviewed-by: Felix Kuehling <felix.kuehling(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit a29e067bd38946f752b0ef855f3dfff87e77bec7) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c index 7763e4742080..a0f22ea6d15a 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c @@ -1171,13 +1171,12 @@ svm_range_split_head(struct svm_range *prange, uint64_t new_start, } static void -svm_range_add_child(struct svm_range *prange, struct mm_struct *mm, - struct svm_range *pchild, enum svm_work_list_ops op) +svm_range_add_child(struct svm_range *prange, struct svm_range *pchild, enum svm_work_list_ops op) { pr_debug("add child 0x%p [0x%lx 0x%lx] to prange 0x%p child list %d\n", pchild, pchild->start, pchild->last, prange, op); - pchild->work_item.mm = mm; + pchild->work_item.mm = NULL; pchild->work_item.op = op; list_add_tail(&pchild->child_list, &prange->child_list); } @@ -2394,15 +2393,17 @@ svm_range_add_list_work(struct svm_range_list *svms, struct svm_range *prange, prange->work_item.op != SVM_OP_UNMAP_RANGE) prange->work_item.op = op; } else { - prange->work_item.op = op; - - /* Pairs with mmput in deferred_list_work */ - mmget(mm); - prange->work_item.mm = mm; - list_add_tail(&prange->deferred_list, - &prange->svms->deferred_range_list); - pr_debug("add prange 0x%p [0x%lx 0x%lx] to work list op %d\n", - prange, prange->start, prange->last, op); + /* Pairs with mmput in deferred_list_work. + * If process is exiting and mm is gone, don't update mmu notifier. + */ + if (mmget_not_zero(mm)) { + prange->work_item.mm = mm; + prange->work_item.op = op; + list_add_tail(&prange->deferred_list, + &prange->svms->deferred_range_list); + pr_debug("add prange 0x%p [0x%lx 0x%lx] to work list op %d\n", + prange, prange->start, prange->last, op); + } } spin_unlock(&svms->deferred_list_lock); } @@ -2416,8 +2417,7 @@ void schedule_deferred_list_work(struct svm_range_list *svms) } static void -svm_range_unmap_split(struct mm_struct *mm, struct svm_range *parent, - struct svm_range *prange, unsigned long start, +svm_range_unmap_split(struct svm_range *parent, struct svm_range *prange, unsigned long start, unsigned long last) { struct svm_range *head; @@ -2438,12 +2438,12 @@ svm_range_unmap_split(struct mm_struct *mm, struct svm_range *parent, svm_range_split(tail, last + 1, tail->last, &head); if (head != prange && tail != prange) { - svm_range_add_child(parent, mm, head, SVM_OP_UNMAP_RANGE); - svm_range_add_child(parent, mm, tail, SVM_OP_ADD_RANGE); + svm_range_add_child(parent, head, SVM_OP_UNMAP_RANGE); + svm_range_add_child(parent, tail, SVM_OP_ADD_RANGE); } else if (tail != prange) { - svm_range_add_child(parent, mm, tail, SVM_OP_UNMAP_RANGE); + svm_range_add_child(parent, tail, SVM_OP_UNMAP_RANGE); } else if (head != prange) { - svm_range_add_child(parent, mm, head, SVM_OP_UNMAP_RANGE); + svm_range_add_child(parent, head, SVM_OP_UNMAP_RANGE); } else if (parent != prange) { prange->work_item.op = SVM_OP_UNMAP_RANGE; } @@ -2520,14 +2520,14 @@ svm_range_unmap_from_cpu(struct mm_struct *mm, struct svm_range *prange, l = min(last, pchild->last); if (l >= s) svm_range_unmap_from_gpus(pchild, s, l, trigger); - svm_range_unmap_split(mm, prange, pchild, start, last); + svm_range_unmap_split(prange, pchild, start, last); mutex_unlock(&pchild->lock); } s = max(start, prange->start); l = min(last, prange->last); if (l >= s) svm_range_unmap_from_gpus(prange, s, l, trigger); - svm_range_unmap_split(mm, prange, prange, start, last); + svm_range_unmap_split(prange, prange, start, last); if (unmap_parent) svm_range_add_list_work(svms, prange, mm, SVM_OP_UNMAP_RANGE); @@ -2570,8 +2570,6 @@ svm_range_cpu_invalidate_pagetables(struct mmu_interval_notifier *mni, if (range->event == MMU_NOTIFY_RELEASE) return true; - if (!mmget_not_zero(mni->mm)) - return true; start = mni->interval_tree.start; last = mni->interval_tree.last; @@ -2598,7 +2596,6 @@ svm_range_cpu_invalidate_pagetables(struct mmu_interval_notifier *mni, } svm_range_unlock(prange); - mmput(mni->mm); return true; }

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] wifi: mt76: mt7921: prevent decap offload config before STA" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 7035a082348acf1d43ffb9ff735899f8e3863f8f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071231-projector-jubilance-2909@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7035a082348acf1d43ffb9ff735899f8e3863f8f Mon Sep 17 00:00:00 2001 From: Deren Wu <deren.wu(a)mediatek.com> Date: Sun, 25 May 2025 14:11:22 +0800 Subject: [PATCH] wifi: mt76: mt7921: prevent decap offload config before STA initialization The decap offload configuration should only be applied after the STA has been successfully initialized. Attempting to configure it earlier can lead to corruption of the MAC configuration in the chip's hardware state. Add an early check for `msta->deflink.wcid.sta` to ensure the station peer is properly initialized before proceeding with decapsulation offload configuration. Cc: stable(a)vger.kernel.org Fixes: 24299fc869f7 ("mt76: mt7921: enable rx header traslation offload") Signed-off-by: Deren Wu <deren.wu(a)mediatek.com> Link: https://patch.msgid.link/f23a72ba7a3c1ad38ba9e13bb54ef21d6ef44ffb.174814985… Signed-off-by: Felix Fietkau <nbd(a)nbd.name> diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c index 1fffa43379b2..77f73ae1d7ec 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c @@ -1180,6 +1180,9 @@ static void mt7921_sta_set_decap_offload(struct ieee80211_hw *hw, struct mt792x_sta *msta = (struct mt792x_sta *)sta->drv_priv; struct mt792x_dev *dev = mt792x_hw_dev(hw); + if (!msta->deflink.wcid.sta) + return; + mt792x_mutex_acquire(dev); if (enabled)

1 month, 3 weeks

2
1
0 0

[PATCH 6.1.y-cip 2/5] [PARTIAL BACKPORT]drm: Add an HPD poll helper to reschedule the poll work

by Nicusor Huhulea

From: Imre Deak <imre.deak(a)intel.com> Add a helper to reschedule drm_mode_config::output_poll_work after polling has been enabled for a connector (and needing a reschedule, since previously polling was disabled for all connectors and hence output_poll_work was not running). This is needed by the next patch fixing HPD polling on i915. CC: stable(a)vger.kernel.org # 6.4+ Cc: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Cc: dri-devel(a)lists.freedesktop.org Reviewed-by: Jouni Högander <jouni.hogander(a)intel.com> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Signed-off-by: Imre Deak <imre.deak(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20230822113015.41224-1-imre.d… (cherry picked from commit fe2352fd64029918174de4b460dfe6df0c6911cd) Signed-off-by: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Partial-Backport-by: Nicusor Huhulea <nicusor.huhulea(a)siemens.com> --- drivers/gpu/drm/drm_probe_helper.c | 74 +++++++++++++++++++----------- include/drm/drm_probe_helper.h | 1 + 2 files changed, 49 insertions(+), 26 deletions(-) diff --git a/drivers/gpu/drm/drm_probe_helper.c b/drivers/gpu/drm/drm_probe_helper.c index 0e5eadc6d44de..787f6699971f1 100644 --- a/drivers/gpu/drm/drm_probe_helper.c +++ b/drivers/gpu/drm/drm_probe_helper.c @@ -224,6 +224,26 @@ drm_connector_mode_valid(struct drm_connector *connector, } #define DRM_OUTPUT_POLL_PERIOD (10*HZ) +static void reschedule_output_poll_work(struct drm_device *dev) +{ + unsigned long delay = DRM_OUTPUT_POLL_PERIOD; + + if (dev->mode_config.delayed_event) + /* + * FIXME: + * + * Use short (1s) delay to handle the initial delayed event. + * This delay should not be needed, but Optimus/nouveau will + * fail in a mysterious way if the delayed event is handled as + * soon as possible like it is done in + * drm_helper_probe_single_connector_modes() in case the poll + * was enabled before. + */ + delay = HZ; + + schedule_delayed_work(&dev->mode_config.output_poll_work, delay); +} + /** * drm_kms_helper_poll_enable - re-enable output polling. * @dev: drm_device @@ -244,43 +264,45 @@ drm_connector_mode_valid(struct drm_connector *connector, */ void drm_kms_helper_poll_enable(struct drm_device *dev) { - bool poll = false; + struct drm_connector *connector; struct drm_connector_list_iter conn_iter; - unsigned long delay = DRM_OUTPUT_POLL_PERIOD; if (drm_WARN_ON_ONCE(dev, !dev->mode_config.poll_enabled) || !drm_kms_helper_poll || dev->mode_config.poll_running) return; - drm_connector_list_iter_begin(dev, &conn_iter); - drm_for_each_connector_iter(connector, &conn_iter) { - if (connector->polled & (DRM_CONNECTOR_POLL_CONNECT | - DRM_CONNECTOR_POLL_DISCONNECT)) - poll = true; - } - drm_connector_list_iter_end(&conn_iter); + if (drm_kms_helper_enable_hpd(dev) || + dev->mode_config.delayed_event) + reschedule_output_poll_work(dev); - if (dev->mode_config.delayed_event) { - /* - * FIXME: - * - * Use short (1s) delay to handle the initial delayed event. - * This delay should not be needed, but Optimus/nouveau will - * fail in a mysterious way if the delayed event is handled as - * soon as possible like it is done in - * drm_helper_probe_single_connector_modes() in case the poll - * was enabled before. - */ - poll = true; - delay = HZ; - } - - if (poll) - schedule_delayed_work(&dev->mode_config.output_poll_work, delay); + dev->mode_config.poll_running = true; } EXPORT_SYMBOL(drm_kms_helper_poll_enable); +/** + * drm_kms_helper_poll_reschedule - reschedule the output polling work + * @dev: drm_device + * + * This function reschedules the output polling work, after polling for a + * connector has been enabled. + * + * Drivers must call this helper after enabling polling for a connector by + * setting %DRM_CONNECTOR_POLL_CONNECT / %DRM_CONNECTOR_POLL_DISCONNECT flags + * in drm_connector::polled. Note that after disabling polling by clearing these + * flags for a connector will stop the output polling work automatically if + * the polling is disabled for all other connectors as well. + * + * The function can be called only after polling has been enabled by calling + * drm_kms_helper_poll_init() / drm_kms_helper_poll_enable(). + */ +void drm_kms_helper_poll_reschedule(struct drm_device *dev) +{ + if (dev->mode_config.poll_running) + reschedule_output_poll_work(dev); +} +EXPORT_SYMBOL(drm_kms_helper_poll_reschedule); + static enum drm_connector_status drm_helper_probe_detect_ctx(struct drm_connector *connector, bool force) { diff --git a/include/drm/drm_probe_helper.h b/include/drm/drm_probe_helper.h index 5880daa146240..429a85f38036a 100644 --- a/include/drm/drm_probe_helper.h +++ b/include/drm/drm_probe_helper.h @@ -25,6 +25,7 @@ void drm_kms_helper_connector_hotplug_event(struct drm_connector *connector); void drm_kms_helper_poll_disable(struct drm_device *dev); void drm_kms_helper_poll_enable(struct drm_device *dev); +void drm_kms_helper_poll_reschedule(struct drm_device *dev); bool drm_kms_helper_is_poll_worker(void); enum drm_mode_status drm_crtc_helper_mode_valid_fixed(struct drm_crtc *crtc, -- 2.39.2

1 month, 3 weeks

3
2
0 0

FAILED: patch "[PATCH] powercap: intel_rapl: Do not change CLAMPING bit if ENABLE" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 964209202ebe1569c858337441e87ef0f9d71416 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070818-buddhism-wikipedia-516a@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 964209202ebe1569c858337441e87ef0f9d71416 Mon Sep 17 00:00:00 2001 From: Zhang Rui <rui.zhang(a)intel.com> Date: Thu, 19 Jun 2025 15:13:40 +0800 Subject: [PATCH] powercap: intel_rapl: Do not change CLAMPING bit if ENABLE bit cannot be changed PL1 cannot be disabled on some platforms. The ENABLE bit is still set after software clears it. This behavior leads to a scenario where, upon user request to disable the Power Limit through the powercap sysfs, the ENABLE bit remains set while the CLAMPING bit is inadvertently cleared. According to the Intel Software Developer's Manual, the CLAMPING bit, "When set, allows the processor to go below the OS requested P states in order to maintain the power below specified Platform Power Limit value." Thus this means the system may operate at higher power levels than intended on such platforms. Enhance the code to check ENABLE bit after writing to it, and stop further processing if ENABLE bit cannot be changed. Reported-by: Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> Fixes: 2d281d8196e3 ("PowerCap: Introduce Intel RAPL power capping driver") Cc: All applicable <stable(a)vger.kernel.org> Signed-off-by: Zhang Rui <rui.zhang(a)intel.com> Link: https://patch.msgid.link/20250619071340.384782-1-rui.zhang@intel.com [ rjw: Use str_enabled_disabled() instead of open-coded equivalent ] Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> diff --git a/drivers/powercap/intel_rapl_common.c b/drivers/powercap/intel_rapl_common.c index e3be40adc0d7..faa0b6bc5b53 100644 --- a/drivers/powercap/intel_rapl_common.c +++ b/drivers/powercap/intel_rapl_common.c @@ -341,12 +341,28 @@ static int set_domain_enable(struct powercap_zone *power_zone, bool mode) { struct rapl_domain *rd = power_zone_to_rapl_domain(power_zone); struct rapl_defaults *defaults = get_defaults(rd->rp); + u64 val; int ret; cpus_read_lock(); ret = rapl_write_pl_data(rd, POWER_LIMIT1, PL_ENABLE, mode); - if (!ret && defaults->set_floor_freq) + if (ret) + goto end; + + ret = rapl_read_pl_data(rd, POWER_LIMIT1, PL_ENABLE, false, &val); + if (ret) + goto end; + + if (mode != val) { + pr_debug("%s cannot be %s\n", power_zone->name, + str_enabled_disabled(mode)); + goto end; + } + + if (defaults->set_floor_freq) defaults->set_floor_freq(rd, mode); + +end: cpus_read_unlock(); return ret;

1 month, 3 weeks

4
5
0 0

[PATCH] ASoC: mediatek: common: fix device and OF node leak

by Johan Hovold

Make sure to drop the references to the accdet OF node and platform device taken by of_parse_phandle() and of_find_device_by_node() after looking up the sound component during probe. Fixes: cf536e2622e2 ("ASoC: mediatek: common: Handle mediatek,accdet property") Cc: stable(a)vger.kernel.org # 6.15 Cc: Nícolas F. R. A. Prado <nfraprado(a)collabora.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- sound/soc/mediatek/common/mtk-soundcard-driver.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sound/soc/mediatek/common/mtk-soundcard-driver.c b/sound/soc/mediatek/common/mtk-soundcard-driver.c index 713a368f79cf..95a083939f3e 100644 --- a/sound/soc/mediatek/common/mtk-soundcard-driver.c +++ b/sound/soc/mediatek/common/mtk-soundcard-driver.c @@ -262,9 +262,13 @@ int mtk_soundcard_common_probe(struct platform_device *pdev) soc_card_data->accdet = accdet_comp; else dev_err(&pdev->dev, "No sound component found from mediatek,accdet property\n"); + + put_device(&accdet_pdev->dev); } else { dev_err(&pdev->dev, "No device found from mediatek,accdet property\n"); } + + of_node_put(accdet_node); } platform_node = of_parse_phandle(pdev->dev.of_node, "mediatek,platform", 0); -- 2.49.1

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] ALSA: hda: Add missing NVIDIA HDA codec IDs" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x e0a911ac86857a73182edde9e50d9b4b949b7f01 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071243-other-defy-2a7d@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e0a911ac86857a73182edde9e50d9b4b949b7f01 Mon Sep 17 00:00:00 2001 From: Daniel Dadap <ddadap(a)nvidia.com> Date: Thu, 26 Jun 2025 16:16:30 -0500 Subject: [PATCH] ALSA: hda: Add missing NVIDIA HDA codec IDs Add codec IDs for several NVIDIA products with HDA controllers to the snd_hda_id_hdmi[] patch table. Signed-off-by: Daniel Dadap <ddadap(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/aF24rqwMKFWoHu12@ddadap-lakeline.nvidia.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c index 08308231b4ed..9a7793eb16e9 100644 --- a/sound/pci/hda/patch_hdmi.c +++ b/sound/pci/hda/patch_hdmi.c @@ -4551,7 +4551,9 @@ HDA_CODEC_ENTRY(0x10de002e, "Tegra186 HDMI/DP1", patch_tegra_hdmi), HDA_CODEC_ENTRY(0x10de002f, "Tegra194 HDMI/DP2", patch_tegra_hdmi), HDA_CODEC_ENTRY(0x10de0030, "Tegra194 HDMI/DP3", patch_tegra_hdmi), HDA_CODEC_ENTRY(0x10de0031, "Tegra234 HDMI/DP", patch_tegra234_hdmi), +HDA_CODEC_ENTRY(0x10de0033, "SoC 33 HDMI/DP", patch_tegra234_hdmi), HDA_CODEC_ENTRY(0x10de0034, "Tegra264 HDMI/DP", patch_tegra234_hdmi), +HDA_CODEC_ENTRY(0x10de0035, "SoC 35 HDMI/DP", patch_tegra234_hdmi), HDA_CODEC_ENTRY(0x10de0040, "GPU 40 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0041, "GPU 41 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0042, "GPU 42 HDMI/DP", patch_nvhdmi), @@ -4590,15 +4592,32 @@ HDA_CODEC_ENTRY(0x10de0097, "GPU 97 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0098, "GPU 98 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0099, "GPU 99 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009a, "GPU 9a HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de009b, "GPU 9b HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de009c, "GPU 9c HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009d, "GPU 9d HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009e, "GPU 9e HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009f, "GPU 9f HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a0, "GPU a0 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00a1, "GPU a1 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a3, "GPU a3 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a4, "GPU a4 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a5, "GPU a5 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a6, "GPU a6 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a7, "GPU a7 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00a8, "GPU a8 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00a9, "GPU a9 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00aa, "GPU aa HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00ab, "GPU ab HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00ad, "GPU ad HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00ae, "GPU ae HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00af, "GPU af HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00b0, "GPU b0 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00b1, "GPU b1 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c0, "GPU c0 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c1, "GPU c1 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c3, "GPU c3 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c4, "GPU c4 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c5, "GPU c5 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de8001, "MCP73 HDMI", patch_nvhdmi_2ch), HDA_CODEC_ENTRY(0x10de8067, "MCP67/68 HDMI", patch_nvhdmi_2ch), HDA_CODEC_ENTRY(0x67663d82, "Arise 82 HDMI/DP", patch_gf_hdmi),

1 month, 3 weeks

3
3
0 0

FAILED: patch "[PATCH] drm/xe: Make WA BB part of LRC BO" failed to apply to 6.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.15.y git checkout FETCH_HEAD git cherry-pick -x afcad92411772a1f361339f22c49f855c6cc7d0f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071259-unrelated-extrovert-b5a9@gregkh' --subject-prefix 'PATCH 6.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From afcad92411772a1f361339f22c49f855c6cc7d0f Mon Sep 17 00:00:00 2001 From: Matthew Brost <matthew.brost(a)intel.com> Date: Wed, 11 Jun 2025 20:19:25 -0700 Subject: [PATCH] drm/xe: Make WA BB part of LRC BO No idea why, but without this GuC context switches randomly fail when running IGTs in a loop. Need to follow up why this fixes the aforementioned issue but can live with a stable driver for now. Fixes: 617d824c5323 ("drm/xe: Add WA BB to capture active context utilization") Cc: stable(a)vger.kernel.org Signed-off-by: Matthew Brost <matthew.brost(a)intel.com> Reviewed-by: Lucas De Marchi <lucas.demarchi(a)intel.com> Tested-by: Shuicheng Lin <shuicheng.lin(a)intel.com> Link: https://lore.kernel.org/r/20250612031925.4009701-1-matthew.brost@intel.com (cherry picked from commit 3a1edef8f4b58b0ba826bc68bf4bce4bdf59ecf3) Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> diff --git a/drivers/gpu/drm/xe/xe_lrc.c b/drivers/gpu/drm/xe/xe_lrc.c index bf7c3981897d..6e7b70532d11 100644 --- a/drivers/gpu/drm/xe/xe_lrc.c +++ b/drivers/gpu/drm/xe/xe_lrc.c @@ -40,6 +40,7 @@ #define LRC_PPHWSP_SIZE SZ_4K #define LRC_INDIRECT_RING_STATE_SIZE SZ_4K +#define LRC_WA_BB_SIZE SZ_4K static struct xe_device * lrc_to_xe(struct xe_lrc *lrc) @@ -910,7 +911,11 @@ static void xe_lrc_finish(struct xe_lrc *lrc) { xe_hw_fence_ctx_finish(&lrc->fence_ctx); xe_bo_unpin_map_no_vm(lrc->bo); - xe_bo_unpin_map_no_vm(lrc->bb_per_ctx_bo); +} + +static size_t wa_bb_offset(struct xe_lrc *lrc) +{ + return lrc->bo->size - LRC_WA_BB_SIZE; } /* @@ -943,15 +948,16 @@ static void xe_lrc_finish(struct xe_lrc *lrc) #define CONTEXT_ACTIVE 1ULL static int xe_lrc_setup_utilization(struct xe_lrc *lrc) { + const size_t max_size = LRC_WA_BB_SIZE; u32 *cmd, *buf = NULL; - if (lrc->bb_per_ctx_bo->vmap.is_iomem) { - buf = kmalloc(lrc->bb_per_ctx_bo->size, GFP_KERNEL); + if (lrc->bo->vmap.is_iomem) { + buf = kmalloc(max_size, GFP_KERNEL); if (!buf) return -ENOMEM; cmd = buf; } else { - cmd = lrc->bb_per_ctx_bo->vmap.vaddr; + cmd = lrc->bo->vmap.vaddr + wa_bb_offset(lrc); } *cmd++ = MI_STORE_REGISTER_MEM | MI_SRM_USE_GGTT | MI_SRM_ADD_CS_OFFSET; @@ -974,13 +980,14 @@ static int xe_lrc_setup_utilization(struct xe_lrc *lrc) *cmd++ = MI_BATCH_BUFFER_END; if (buf) { - xe_map_memcpy_to(gt_to_xe(lrc->gt), &lrc->bb_per_ctx_bo->vmap, 0, - buf, (cmd - buf) * sizeof(*cmd)); + xe_map_memcpy_to(gt_to_xe(lrc->gt), &lrc->bo->vmap, + wa_bb_offset(lrc), buf, + (cmd - buf) * sizeof(*cmd)); kfree(buf); } - xe_lrc_write_ctx_reg(lrc, CTX_BB_PER_CTX_PTR, - xe_bo_ggtt_addr(lrc->bb_per_ctx_bo) | 1); + xe_lrc_write_ctx_reg(lrc, CTX_BB_PER_CTX_PTR, xe_bo_ggtt_addr(lrc->bo) + + wa_bb_offset(lrc) + 1); return 0; } @@ -1018,20 +1025,13 @@ static int xe_lrc_init(struct xe_lrc *lrc, struct xe_hw_engine *hwe, * FIXME: Perma-pinning LRC as we don't yet support moving GGTT address * via VM bind calls. */ - lrc->bo = xe_bo_create_pin_map(xe, tile, NULL, lrc_size, + lrc->bo = xe_bo_create_pin_map(xe, tile, NULL, + lrc_size + LRC_WA_BB_SIZE, ttm_bo_type_kernel, bo_flags); if (IS_ERR(lrc->bo)) return PTR_ERR(lrc->bo); - lrc->bb_per_ctx_bo = xe_bo_create_pin_map(xe, tile, NULL, SZ_4K, - ttm_bo_type_kernel, - bo_flags); - if (IS_ERR(lrc->bb_per_ctx_bo)) { - err = PTR_ERR(lrc->bb_per_ctx_bo); - goto err_lrc_finish; - } - lrc->size = lrc_size; lrc->ring.size = ring_size; lrc->ring.tail = 0; @@ -1819,7 +1819,8 @@ struct xe_lrc_snapshot *xe_lrc_snapshot_capture(struct xe_lrc *lrc) snapshot->seqno = xe_lrc_seqno(lrc); snapshot->lrc_bo = xe_bo_get(lrc->bo); snapshot->lrc_offset = xe_lrc_pphwsp_offset(lrc); - snapshot->lrc_size = lrc->bo->size - snapshot->lrc_offset; + snapshot->lrc_size = lrc->bo->size - snapshot->lrc_offset - + LRC_WA_BB_SIZE; snapshot->lrc_snapshot = NULL; snapshot->ctx_timestamp = lower_32_bits(xe_lrc_ctx_timestamp(lrc)); snapshot->ctx_job_timestamp = xe_lrc_ctx_job_timestamp(lrc); diff --git a/drivers/gpu/drm/xe/xe_lrc_types.h b/drivers/gpu/drm/xe/xe_lrc_types.h index ae24cf6f8dd9..883e550a9423 100644 --- a/drivers/gpu/drm/xe/xe_lrc_types.h +++ b/drivers/gpu/drm/xe/xe_lrc_types.h @@ -53,9 +53,6 @@ struct xe_lrc { /** @ctx_timestamp: readout value of CTX_TIMESTAMP on last update */ u64 ctx_timestamp; - - /** @bb_per_ctx_bo: buffer object for per context batch wa buffer */ - struct xe_bo *bb_per_ctx_bo; }; struct xe_lrc_snapshot;

1 month, 3 weeks

2
1
0 0

[PATCH] devcoredump: Fix circular locking dependency with devcd->mutex.

by Maarten Lankhorst

The original code causes a circular locking dependency found by lockdep. ====================================================== WARNING: possible circular locking dependency detected 6.16.0-rc6-lgci-xe-xe-pw-151626v3+ #1 Tainted: G S U ------------------------------------------------------ xe_fault_inject/5091 is trying to acquire lock: ffff888156815688 ((work_completion)(&(&devcd->del_wk)->work)){+.+.}-{0:0}, at: __flush_work+0x25d/0x660 but task is already holding lock: ffff888156815620 (&devcd->mutex){+.+.}-{3:3}, at: dev_coredump_put+0x3f/0xa0 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (&devcd->mutex){+.+.}-{3:3}: mutex_lock_nested+0x4e/0xc0 devcd_data_write+0x27/0x90 sysfs_kf_bin_write+0x80/0xf0 kernfs_fop_write_iter+0x169/0x220 vfs_write+0x293/0x560 ksys_write+0x72/0xf0 __x64_sys_write+0x19/0x30 x64_sys_call+0x2bf/0x2660 do_syscall_64+0x93/0xb60 entry_SYSCALL_64_after_hwframe+0x76/0x7e -> #1 (kn->active#236){++++}-{0:0}: kernfs_drain+0x1e2/0x200 __kernfs_remove+0xae/0x400 kernfs_remove_by_name_ns+0x5d/0xc0 remove_files+0x54/0x70 sysfs_remove_group+0x3d/0xa0 sysfs_remove_groups+0x2e/0x60 device_remove_attrs+0xc7/0x100 device_del+0x15d/0x3b0 devcd_del+0x19/0x30 process_one_work+0x22b/0x6f0 worker_thread+0x1e8/0x3d0 kthread+0x11c/0x250 ret_from_fork+0x26c/0x2e0 ret_from_fork_asm+0x1a/0x30 -> #0 ((work_completion)(&(&devcd->del_wk)->work)){+.+.}-{0:0}: __lock_acquire+0x1661/0x2860 lock_acquire+0xc4/0x2f0 __flush_work+0x27a/0x660 flush_delayed_work+0x5d/0xa0 dev_coredump_put+0x63/0xa0 xe_driver_devcoredump_fini+0x12/0x20 [xe] devm_action_release+0x12/0x30 release_nodes+0x3a/0x120 devres_release_all+0x8a/0xd0 device_unbind_cleanup+0x12/0x80 device_release_driver_internal+0x23a/0x280 device_driver_detach+0x14/0x20 unbind_store+0xaf/0xc0 drv_attr_store+0x21/0x50 sysfs_kf_write+0x4a/0x80 kernfs_fop_write_iter+0x169/0x220 vfs_write+0x293/0x560 ksys_write+0x72/0xf0 __x64_sys_write+0x19/0x30 x64_sys_call+0x2bf/0x2660 do_syscall_64+0x93/0xb60 entry_SYSCALL_64_after_hwframe+0x76/0x7e other info that might help us debug this: Chain exists of: (work_completion)(&(&devcd->del_wk)->work) --> kn->active#236 --> &devcd->mutex Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&devcd->mutex); lock(kn->active#236); lock(&devcd->mutex); lock((work_completion)(&(&devcd->del_wk)->work)); *** DEADLOCK *** 5 locks held by xe_fault_inject/5091: #0: ffff8881129f9488 (sb_writers#5){.+.+}-{0:0}, at: ksys_write+0x72/0xf0 #1: ffff88810c755078 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x123/0x220 #2: ffff8881054811a0 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0x55/0x280 #3: ffff888156815620 (&devcd->mutex){+.+.}-{3:3}, at: dev_coredump_put+0x3f/0xa0 #4: ffffffff8359e020 (rcu_read_lock){....}-{1:2}, at: __flush_work+0x72/0x660 stack backtrace: CPU: 14 UID: 0 PID: 5091 Comm: xe_fault_inject Tainted: G S U 6.16.0-rc6-lgci-xe-xe-pw-151626v3+ #1 PREEMPT_{RT,(lazy)} Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER Hardware name: Micro-Star International Co., Ltd. MS-7D25/PRO Z690-A DDR4(MS-7D25), BIOS 1.10 12/13/2021 Call Trace: <TASK> dump_stack_lvl+0x91/0xf0 dump_stack+0x10/0x20 print_circular_bug+0x285/0x360 check_noncircular+0x135/0x150 ? register_lock_class+0x48/0x4a0 __lock_acquire+0x1661/0x2860 lock_acquire+0xc4/0x2f0 ? __flush_work+0x25d/0x660 ? mark_held_locks+0x46/0x90 ? __flush_work+0x25d/0x660 __flush_work+0x27a/0x660 ? __flush_work+0x25d/0x660 ? trace_hardirqs_on+0x1e/0xd0 ? __pfx_wq_barrier_func+0x10/0x10 flush_delayed_work+0x5d/0xa0 dev_coredump_put+0x63/0xa0 xe_driver_devcoredump_fini+0x12/0x20 [xe] devm_action_release+0x12/0x30 release_nodes+0x3a/0x120 devres_release_all+0x8a/0xd0 device_unbind_cleanup+0x12/0x80 device_release_driver_internal+0x23a/0x280 ? bus_find_device+0xa8/0xe0 device_driver_detach+0x14/0x20 unbind_store+0xaf/0xc0 drv_attr_store+0x21/0x50 sysfs_kf_write+0x4a/0x80 kernfs_fop_write_iter+0x169/0x220 vfs_write+0x293/0x560 ksys_write+0x72/0xf0 __x64_sys_write+0x19/0x30 x64_sys_call+0x2bf/0x2660 do_syscall_64+0x93/0xb60 ? __f_unlock_pos+0x15/0x20 ? __x64_sys_getdents64+0x9b/0x130 ? __pfx_filldir64+0x10/0x10 ? do_syscall_64+0x1a2/0xb60 ? clear_bhb_loop+0x30/0x80 ? clear_bhb_loop+0x30/0x80 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x76e292edd574 Code: c7 00 16 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 80 3d d5 ea 0e 00 00 74 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 55 48 89 e5 48 83 ec 20 48 89 RSP: 002b:00007fffe247a828 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000076e292edd574 RDX: 000000000000000c RSI: 00006267f6306063 RDI: 000000000000000b RBP: 000000000000000c R08: 000076e292fc4b20 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00006267f6306063 R13: 000000000000000b R14: 00006267e6859c00 R15: 000076e29322a000 </TASK> xe 0000:03:00.0: [drm] Xe device coredump has been deleted. Fixes: 01daccf74832 ("devcoredump : Serialize devcd_del work") Cc: Mukesh Ojha <quic_mojha(a)quicinc.com> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: Johannes Berg <johannes(a)sipsolutions.net> Cc: "Rafael J. Wysocki" <rafael(a)kernel.org> Cc: Danilo Krummrich <dakr(a)kernel.org> Cc: linux-kernel(a)vger.kernel.org Cc: <stable(a)vger.kernel.org> # v6.1+ Signed-off-by: Maarten Lankhorst <dev(a)lankhorst.se> Cc: Matthew Brost <matthew.brost(a)intel.com> --- drivers/base/devcoredump.c | 136 ++++++++++++++++++++++--------------- 1 file changed, 83 insertions(+), 53 deletions(-) diff --git a/drivers/base/devcoredump.c b/drivers/base/devcoredump.c index 03a39c417dc41..ad4bddde12ccb 100644 --- a/drivers/base/devcoredump.c +++ b/drivers/base/devcoredump.c @@ -23,50 +23,46 @@ struct devcd_entry { void *data; size_t datalen; /* - * Here, mutex is required to serialize the calls to del_wk work between - * user/kernel space which happens when devcd is added with device_add() - * and that sends uevent to user space. User space reads the uevents, - * and calls to devcd_data_write() which try to modify the work which is - * not even initialized/queued from devcoredump. + * There are 2 races for which mutex is required. * + * The first race is between device creation and userspace writing to + * schedule immediately destruction. * + * This race is handled by arming the timer before device creation, but + * when device creation fails the timer still exists. * - * cpu0(X) cpu1(Y) + * To solve this, hold the mutex during device_add(), and set + * init_completed on success before releasing the mutex. * - * dev_coredump() uevent sent to user space - * device_add() ======================> user space process Y reads the - * uevents writes to devcd fd - * which results into writes to + * That way the timer will never fire until device_add() is called, + * it will do nothing if init_completed is not set. The timer is also + * cancelled in that case. * - * devcd_data_write() - * mod_delayed_work() - * try_to_grab_pending() - * timer_delete() - * debug_assert_init() - * INIT_DELAYED_WORK() - * schedule_delayed_work() - * - * - * Also, mutex alone would not be enough to avoid scheduling of - * del_wk work after it get flush from a call to devcd_free() - * mentioned as below. - * - * disabled_store() - * devcd_free() - * mutex_lock() devcd_data_write() - * flush_delayed_work() - * mutex_unlock() - * mutex_lock() - * mod_delayed_work() - * mutex_unlock() - * So, delete_work flag is required. + * The second race involves multiple parallel invocations of devcd_free(), + * add a deleted flag so only 1 can call the destructor. */ struct mutex mutex; - bool delete_work; + bool init_completed, deleted; struct module *owner; ssize_t (*read)(char *buffer, loff_t offset, size_t count, void *data, size_t datalen); void (*free)(void *data); + /* + * If nothing interferes and device_add() was returns success, + * del_wk will destroy the device after the timer fires. + * + * Multiple userspace processes can interfere in the working of the timer: + * - Writing to the coredump will reschedule the timer to run immediately, + * if still armed. + * + * This is handled by using "if (cancel_delayed_work()) { + * schedule_delayed_work() }", to prevent re-arming after having + * been previously fired. + * - Writing to /sys/class/devcoredump/disabled will destroy the + * coredump synchronously. + * This is handled by using disable_delayed_work_sync(), and then + * checking if deleted flag is set with &devcd->mutex held. + */ struct delayed_work del_wk; struct device *failing_dev; }; @@ -95,14 +91,27 @@ static void devcd_dev_release(struct device *dev) kfree(devcd); } +static void __devcd_del(struct devcd_entry *devcd) +{ + devcd->deleted = true; + device_del(&devcd->devcd_dev); + put_device(&devcd->devcd_dev); +} + static void devcd_del(struct work_struct *wk) { struct devcd_entry *devcd; + bool init_completed; devcd = container_of(wk, struct devcd_entry, del_wk.work); - device_del(&devcd->devcd_dev); - put_device(&devcd->devcd_dev); + /* devcd->mutex serializes against dev_coredumpm_timeout */ + mutex_lock(&devcd->mutex); + init_completed = devcd->init_completed; + mutex_unlock(&devcd->mutex); + + if (init_completed) + __devcd_del(devcd); } static ssize_t devcd_data_read(struct file *filp, struct kobject *kobj, @@ -122,12 +131,12 @@ static ssize_t devcd_data_write(struct file *filp, struct kobject *kobj, struct device *dev = kobj_to_dev(kobj); struct devcd_entry *devcd = dev_to_devcd(dev); - mutex_lock(&devcd->mutex); - if (!devcd->delete_work) { - devcd->delete_work = true; - mod_delayed_work(system_wq, &devcd->del_wk, 0); - } - mutex_unlock(&devcd->mutex); + /* + * Although it's tempting to use mod_delayed work here, + * that will cause a reschedule if the timer already fired. + */ + if (cancel_delayed_work(&devcd->del_wk)) + schedule_delayed_work(&devcd->del_wk, 0); return count; } @@ -151,11 +160,21 @@ static int devcd_free(struct device *dev, void *data) { struct devcd_entry *devcd = dev_to_devcd(dev); + /* + * To prevent a race with devcd_data_write(), disable work and + * complete manually instead. + * + * We cannot rely on the return value of + * disable_delayed_work_sync() here, because it might be in the + * middle of a cancel_delayed_work + schedule_delayed_work pair. + * + * devcd->mutex here guards against multiple parallel invocations + * of devcd_free(). + */ + disable_delayed_work_sync(&devcd->del_wk); mutex_lock(&devcd->mutex); - if (!devcd->delete_work) - devcd->delete_work = true; - - flush_delayed_work(&devcd->del_wk); + if (!devcd->deleted) + __devcd_del(devcd); mutex_unlock(&devcd->mutex); return 0; } @@ -179,12 +198,10 @@ static ssize_t disabled_show(const struct class *class, const struct class_attri * put_device() <- last reference * error = fn(dev, data) devcd_dev_release() * devcd_free(dev, data) kfree(devcd) - * mutex_lock(&devcd->mutex); * * * In the above diagram, it looks like disabled_store() would be racing with parallelly - * running devcd_del() and result in memory abort while acquiring devcd->mutex which - * is called after kfree of devcd memory after dropping its last reference with + * running devcd_del() and result in memory abort after dropping its last reference with * put_device(). However, this will not happens as fn(dev, data) runs * with its own reference to device via klist_node so it is not its last reference. * so, above situation would not occur. @@ -374,7 +391,7 @@ void dev_coredumpm_timeout(struct device *dev, struct module *owner, devcd->read = read; devcd->free = free; devcd->failing_dev = get_device(dev); - devcd->delete_work = false; + devcd->deleted = false; mutex_init(&devcd->mutex); device_initialize(&devcd->devcd_dev); @@ -383,8 +400,14 @@ void dev_coredumpm_timeout(struct device *dev, struct module *owner, atomic_inc_return(&devcd_count)); devcd->devcd_dev.class = &devcd_class; - mutex_lock(&devcd->mutex); dev_set_uevent_suppress(&devcd->devcd_dev, true); + + /* devcd->mutex prevents devcd_del() completing until init finishes */ + mutex_lock(&devcd->mutex); + devcd->init_completed = false; + INIT_DELAYED_WORK(&devcd->del_wk, devcd_del); + schedule_delayed_work(&devcd->del_wk, timeout); + if (device_add(&devcd->devcd_dev)) goto put_device; @@ -401,13 +424,20 @@ void dev_coredumpm_timeout(struct device *dev, struct module *owner, dev_set_uevent_suppress(&devcd->devcd_dev, false); kobject_uevent(&devcd->devcd_dev.kobj, KOBJ_ADD); - INIT_DELAYED_WORK(&devcd->del_wk, devcd_del); - schedule_delayed_work(&devcd->del_wk, timeout); + + /* + * Safe to run devcd_del() now that we are done with devcd_dev. + * Alternatively we could have taken a ref on devcd_dev before + * dropping the lock. + */ + devcd->init_completed = true; mutex_unlock(&devcd->mutex); return; put_device: - put_device(&devcd->devcd_dev); mutex_unlock(&devcd->mutex); + cancel_delayed_work_sync(&devcd->del_wk); + put_device(&devcd->devcd_dev); + put_module: module_put(owner); free: -- 2.45.2

1 month, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] ALSA: hda: Add missing NVIDIA HDA codec IDs" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x e0a911ac86857a73182edde9e50d9b4b949b7f01 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071244-depraved-handwrite-5db8@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e0a911ac86857a73182edde9e50d9b4b949b7f01 Mon Sep 17 00:00:00 2001 From: Daniel Dadap <ddadap(a)nvidia.com> Date: Thu, 26 Jun 2025 16:16:30 -0500 Subject: [PATCH] ALSA: hda: Add missing NVIDIA HDA codec IDs Add codec IDs for several NVIDIA products with HDA controllers to the snd_hda_id_hdmi[] patch table. Signed-off-by: Daniel Dadap <ddadap(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/aF24rqwMKFWoHu12@ddadap-lakeline.nvidia.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c index 08308231b4ed..9a7793eb16e9 100644 --- a/sound/pci/hda/patch_hdmi.c +++ b/sound/pci/hda/patch_hdmi.c @@ -4551,7 +4551,9 @@ HDA_CODEC_ENTRY(0x10de002e, "Tegra186 HDMI/DP1", patch_tegra_hdmi), HDA_CODEC_ENTRY(0x10de002f, "Tegra194 HDMI/DP2", patch_tegra_hdmi), HDA_CODEC_ENTRY(0x10de0030, "Tegra194 HDMI/DP3", patch_tegra_hdmi), HDA_CODEC_ENTRY(0x10de0031, "Tegra234 HDMI/DP", patch_tegra234_hdmi), +HDA_CODEC_ENTRY(0x10de0033, "SoC 33 HDMI/DP", patch_tegra234_hdmi), HDA_CODEC_ENTRY(0x10de0034, "Tegra264 HDMI/DP", patch_tegra234_hdmi), +HDA_CODEC_ENTRY(0x10de0035, "SoC 35 HDMI/DP", patch_tegra234_hdmi), HDA_CODEC_ENTRY(0x10de0040, "GPU 40 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0041, "GPU 41 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0042, "GPU 42 HDMI/DP", patch_nvhdmi), @@ -4590,15 +4592,32 @@ HDA_CODEC_ENTRY(0x10de0097, "GPU 97 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0098, "GPU 98 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0099, "GPU 99 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009a, "GPU 9a HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de009b, "GPU 9b HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de009c, "GPU 9c HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009d, "GPU 9d HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009e, "GPU 9e HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009f, "GPU 9f HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a0, "GPU a0 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00a1, "GPU a1 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a3, "GPU a3 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a4, "GPU a4 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a5, "GPU a5 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a6, "GPU a6 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a7, "GPU a7 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00a8, "GPU a8 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00a9, "GPU a9 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00aa, "GPU aa HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00ab, "GPU ab HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00ad, "GPU ad HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00ae, "GPU ae HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00af, "GPU af HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00b0, "GPU b0 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00b1, "GPU b1 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c0, "GPU c0 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c1, "GPU c1 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c3, "GPU c3 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c4, "GPU c4 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c5, "GPU c5 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de8001, "MCP73 HDMI", patch_nvhdmi_2ch), HDA_CODEC_ENTRY(0x10de8067, "MCP67/68 HDMI", patch_nvhdmi_2ch), HDA_CODEC_ENTRY(0x67663d82, "Arise 82 HDMI/DP", patch_gf_hdmi),

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] ALSA: hda: Add missing NVIDIA HDA codec IDs" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x e0a911ac86857a73182edde9e50d9b4b949b7f01 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071244-ethically-carport-4251@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e0a911ac86857a73182edde9e50d9b4b949b7f01 Mon Sep 17 00:00:00 2001 From: Daniel Dadap <ddadap(a)nvidia.com> Date: Thu, 26 Jun 2025 16:16:30 -0500 Subject: [PATCH] ALSA: hda: Add missing NVIDIA HDA codec IDs Add codec IDs for several NVIDIA products with HDA controllers to the snd_hda_id_hdmi[] patch table. Signed-off-by: Daniel Dadap <ddadap(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/aF24rqwMKFWoHu12@ddadap-lakeline.nvidia.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c index 08308231b4ed..9a7793eb16e9 100644 --- a/sound/pci/hda/patch_hdmi.c +++ b/sound/pci/hda/patch_hdmi.c @@ -4551,7 +4551,9 @@ HDA_CODEC_ENTRY(0x10de002e, "Tegra186 HDMI/DP1", patch_tegra_hdmi), HDA_CODEC_ENTRY(0x10de002f, "Tegra194 HDMI/DP2", patch_tegra_hdmi), HDA_CODEC_ENTRY(0x10de0030, "Tegra194 HDMI/DP3", patch_tegra_hdmi), HDA_CODEC_ENTRY(0x10de0031, "Tegra234 HDMI/DP", patch_tegra234_hdmi), +HDA_CODEC_ENTRY(0x10de0033, "SoC 33 HDMI/DP", patch_tegra234_hdmi), HDA_CODEC_ENTRY(0x10de0034, "Tegra264 HDMI/DP", patch_tegra234_hdmi), +HDA_CODEC_ENTRY(0x10de0035, "SoC 35 HDMI/DP", patch_tegra234_hdmi), HDA_CODEC_ENTRY(0x10de0040, "GPU 40 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0041, "GPU 41 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0042, "GPU 42 HDMI/DP", patch_nvhdmi), @@ -4590,15 +4592,32 @@ HDA_CODEC_ENTRY(0x10de0097, "GPU 97 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0098, "GPU 98 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0099, "GPU 99 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009a, "GPU 9a HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de009b, "GPU 9b HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de009c, "GPU 9c HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009d, "GPU 9d HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009e, "GPU 9e HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009f, "GPU 9f HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a0, "GPU a0 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00a1, "GPU a1 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a3, "GPU a3 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a4, "GPU a4 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a5, "GPU a5 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a6, "GPU a6 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a7, "GPU a7 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00a8, "GPU a8 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00a9, "GPU a9 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00aa, "GPU aa HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00ab, "GPU ab HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00ad, "GPU ad HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00ae, "GPU ae HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00af, "GPU af HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00b0, "GPU b0 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00b1, "GPU b1 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c0, "GPU c0 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c1, "GPU c1 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c3, "GPU c3 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c4, "GPU c4 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c5, "GPU c5 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de8001, "MCP73 HDMI", patch_nvhdmi_2ch), HDA_CODEC_ENTRY(0x10de8067, "MCP67/68 HDMI", patch_nvhdmi_2ch), HDA_CODEC_ENTRY(0x67663d82, "Arise 82 HDMI/DP", patch_gf_hdmi),

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] ALSA: hda: Add missing NVIDIA HDA codec IDs" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x e0a911ac86857a73182edde9e50d9b4b949b7f01 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071243-supermom-obedient-408a@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e0a911ac86857a73182edde9e50d9b4b949b7f01 Mon Sep 17 00:00:00 2001 From: Daniel Dadap <ddadap(a)nvidia.com> Date: Thu, 26 Jun 2025 16:16:30 -0500 Subject: [PATCH] ALSA: hda: Add missing NVIDIA HDA codec IDs Add codec IDs for several NVIDIA products with HDA controllers to the snd_hda_id_hdmi[] patch table. Signed-off-by: Daniel Dadap <ddadap(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/aF24rqwMKFWoHu12@ddadap-lakeline.nvidia.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c index 08308231b4ed..9a7793eb16e9 100644 --- a/sound/pci/hda/patch_hdmi.c +++ b/sound/pci/hda/patch_hdmi.c @@ -4551,7 +4551,9 @@ HDA_CODEC_ENTRY(0x10de002e, "Tegra186 HDMI/DP1", patch_tegra_hdmi), HDA_CODEC_ENTRY(0x10de002f, "Tegra194 HDMI/DP2", patch_tegra_hdmi), HDA_CODEC_ENTRY(0x10de0030, "Tegra194 HDMI/DP3", patch_tegra_hdmi), HDA_CODEC_ENTRY(0x10de0031, "Tegra234 HDMI/DP", patch_tegra234_hdmi), +HDA_CODEC_ENTRY(0x10de0033, "SoC 33 HDMI/DP", patch_tegra234_hdmi), HDA_CODEC_ENTRY(0x10de0034, "Tegra264 HDMI/DP", patch_tegra234_hdmi), +HDA_CODEC_ENTRY(0x10de0035, "SoC 35 HDMI/DP", patch_tegra234_hdmi), HDA_CODEC_ENTRY(0x10de0040, "GPU 40 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0041, "GPU 41 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0042, "GPU 42 HDMI/DP", patch_nvhdmi), @@ -4590,15 +4592,32 @@ HDA_CODEC_ENTRY(0x10de0097, "GPU 97 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0098, "GPU 98 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0099, "GPU 99 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009a, "GPU 9a HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de009b, "GPU 9b HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de009c, "GPU 9c HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009d, "GPU 9d HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009e, "GPU 9e HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009f, "GPU 9f HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a0, "GPU a0 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00a1, "GPU a1 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a3, "GPU a3 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a4, "GPU a4 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a5, "GPU a5 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a6, "GPU a6 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a7, "GPU a7 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00a8, "GPU a8 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00a9, "GPU a9 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00aa, "GPU aa HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00ab, "GPU ab HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00ad, "GPU ad HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00ae, "GPU ae HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00af, "GPU af HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00b0, "GPU b0 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00b1, "GPU b1 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c0, "GPU c0 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c1, "GPU c1 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c3, "GPU c3 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c4, "GPU c4 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c5, "GPU c5 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de8001, "MCP73 HDMI", patch_nvhdmi_2ch), HDA_CODEC_ENTRY(0x10de8067, "MCP67/68 HDMI", patch_nvhdmi_2ch), HDA_CODEC_ENTRY(0x67663d82, "Arise 82 HDMI/DP", patch_gf_hdmi),

1 month, 3 weeks

2
2
0 0

FAILED: patch "[PATCH] ALSA: hda: Add missing NVIDIA HDA codec IDs" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x e0a911ac86857a73182edde9e50d9b4b949b7f01 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071243-multiple-shimmer-e8b6@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e0a911ac86857a73182edde9e50d9b4b949b7f01 Mon Sep 17 00:00:00 2001 From: Daniel Dadap <ddadap(a)nvidia.com> Date: Thu, 26 Jun 2025 16:16:30 -0500 Subject: [PATCH] ALSA: hda: Add missing NVIDIA HDA codec IDs Add codec IDs for several NVIDIA products with HDA controllers to the snd_hda_id_hdmi[] patch table. Signed-off-by: Daniel Dadap <ddadap(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/aF24rqwMKFWoHu12@ddadap-lakeline.nvidia.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c index 08308231b4ed..9a7793eb16e9 100644 --- a/sound/pci/hda/patch_hdmi.c +++ b/sound/pci/hda/patch_hdmi.c @@ -4551,7 +4551,9 @@ HDA_CODEC_ENTRY(0x10de002e, "Tegra186 HDMI/DP1", patch_tegra_hdmi), HDA_CODEC_ENTRY(0x10de002f, "Tegra194 HDMI/DP2", patch_tegra_hdmi), HDA_CODEC_ENTRY(0x10de0030, "Tegra194 HDMI/DP3", patch_tegra_hdmi), HDA_CODEC_ENTRY(0x10de0031, "Tegra234 HDMI/DP", patch_tegra234_hdmi), +HDA_CODEC_ENTRY(0x10de0033, "SoC 33 HDMI/DP", patch_tegra234_hdmi), HDA_CODEC_ENTRY(0x10de0034, "Tegra264 HDMI/DP", patch_tegra234_hdmi), +HDA_CODEC_ENTRY(0x10de0035, "SoC 35 HDMI/DP", patch_tegra234_hdmi), HDA_CODEC_ENTRY(0x10de0040, "GPU 40 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0041, "GPU 41 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0042, "GPU 42 HDMI/DP", patch_nvhdmi), @@ -4590,15 +4592,32 @@ HDA_CODEC_ENTRY(0x10de0097, "GPU 97 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0098, "GPU 98 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0099, "GPU 99 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009a, "GPU 9a HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de009b, "GPU 9b HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de009c, "GPU 9c HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009d, "GPU 9d HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009e, "GPU 9e HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009f, "GPU 9f HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a0, "GPU a0 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00a1, "GPU a1 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a3, "GPU a3 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a4, "GPU a4 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a5, "GPU a5 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a6, "GPU a6 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a7, "GPU a7 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00a8, "GPU a8 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00a9, "GPU a9 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00aa, "GPU aa HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00ab, "GPU ab HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00ad, "GPU ad HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00ae, "GPU ae HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00af, "GPU af HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00b0, "GPU b0 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00b1, "GPU b1 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c0, "GPU c0 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c1, "GPU c1 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c3, "GPU c3 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c4, "GPU c4 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c5, "GPU c5 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de8001, "MCP73 HDMI", patch_nvhdmi_2ch), HDA_CODEC_ENTRY(0x10de8067, "MCP67/68 HDMI", patch_nvhdmi_2ch), HDA_CODEC_ENTRY(0x67663d82, "Arise 82 HDMI/DP", patch_gf_hdmi),

1 month, 3 weeks

2
2
0 0

FAILED: patch "[PATCH] erofs: fix large fragment handling" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x b44686c8391b427fb1c85a31c35077e6947c6d90 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071422-preview-germinate-b2de@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b44686c8391b427fb1c85a31c35077e6947c6d90 Mon Sep 17 00:00:00 2001 From: Gao Xiang <xiang(a)kernel.org> Date: Sat, 12 Jul 2025 03:58:26 +0800 Subject: [PATCH] erofs: fix large fragment handling Fragments aren't limited by Z_EROFS_PCLUSTER_MAX_DSIZE. However, if a fragment's logical length is larger than Z_EROFS_PCLUSTER_MAX_DSIZE but the fragment is not the whole inode, it currently returns -EOPNOTSUPP because m_flags has the wrong EROFS_MAP_ENCODED flag set. It is not intended by design but should be rare, as it can only be reproduced by mkfs with `-Eall-fragments` in a specific case. Let's normalize fragment m_flags using the new EROFS_MAP_FRAGMENT. Reported-by: Axel Fontaine <axel(a)axelfontaine.com> Closes: https://github.com/erofs/erofs-utils/issues/23 Fixes: 7c3ca1838a78 ("erofs: restrict pcluster size limitations") Signed-off-by: Gao Xiang <hsiangkao(a)linux.alibaba.com> Link: https://lore.kernel.org/r/20250711195826.3601157-1-hsiangkao@linux.alibaba.… diff --git a/fs/erofs/internal.h b/fs/erofs/internal.h index 0d19bde8c094..06b867d2fc3b 100644 --- a/fs/erofs/internal.h +++ b/fs/erofs/internal.h @@ -315,10 +315,12 @@ static inline struct folio *erofs_grab_folio_nowait(struct address_space *as, /* The length of extent is full */ #define EROFS_MAP_FULL_MAPPED 0x0008 /* Located in the special packed inode */ -#define EROFS_MAP_FRAGMENT 0x0010 +#define __EROFS_MAP_FRAGMENT 0x0010 /* The extent refers to partial decompressed data */ #define EROFS_MAP_PARTIAL_REF 0x0020 +#define EROFS_MAP_FRAGMENT (EROFS_MAP_MAPPED | __EROFS_MAP_FRAGMENT) + struct erofs_map_blocks { struct erofs_buf buf; diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c index 32e3905e75fe..e3f28a1bb945 100644 --- a/fs/erofs/zdata.c +++ b/fs/erofs/zdata.c @@ -1034,7 +1034,7 @@ static int z_erofs_scan_folio(struct z_erofs_frontend *f, if (!(map->m_flags & EROFS_MAP_MAPPED)) { folio_zero_segment(folio, cur, end); tight = false; - } else if (map->m_flags & EROFS_MAP_FRAGMENT) { + } else if (map->m_flags & __EROFS_MAP_FRAGMENT) { erofs_off_t fpos = offset + cur - map->m_la; err = z_erofs_read_fragment(inode->i_sb, folio, cur, diff --git a/fs/erofs/zmap.c b/fs/erofs/zmap.c index 0bebc6e3a4d7..f1a15ff22147 100644 --- a/fs/erofs/zmap.c +++ b/fs/erofs/zmap.c @@ -413,8 +413,7 @@ static int z_erofs_map_blocks_fo(struct inode *inode, !vi->z_tailextent_headlcn) { map->m_la = 0; map->m_llen = inode->i_size; - map->m_flags = EROFS_MAP_MAPPED | - EROFS_MAP_FULL_MAPPED | EROFS_MAP_FRAGMENT; + map->m_flags = EROFS_MAP_FRAGMENT; return 0; } initial_lcn = ofs >> lclusterbits; @@ -489,7 +488,7 @@ static int z_erofs_map_blocks_fo(struct inode *inode, goto unmap_out; } } else if (fragment && m.lcn == vi->z_tailextent_headlcn) { - map->m_flags |= EROFS_MAP_FRAGMENT; + map->m_flags = EROFS_MAP_FRAGMENT; } else { map->m_pa = erofs_pos(sb, m.pblk); err = z_erofs_get_extent_compressedlen(&m, initial_lcn); @@ -617,7 +616,7 @@ static int z_erofs_map_blocks_ext(struct inode *inode, if (lstart < lend) { map->m_la = lstart; if (last && (vi->z_advise & Z_EROFS_ADVISE_FRAGMENT_PCLUSTER)) { - map->m_flags |= EROFS_MAP_MAPPED | EROFS_MAP_FRAGMENT; + map->m_flags = EROFS_MAP_FRAGMENT; vi->z_fragmentoff = map->m_plen; if (recsz > offsetof(struct z_erofs_extent, pstart_lo)) vi->z_fragmentoff |= map->m_pa << 32; @@ -797,7 +796,7 @@ static int z_erofs_iomap_begin_report(struct inode *inode, loff_t offset, iomap->length = map.m_llen; if (map.m_flags & EROFS_MAP_MAPPED) { iomap->type = IOMAP_MAPPED; - iomap->addr = map.m_flags & EROFS_MAP_FRAGMENT ? + iomap->addr = map.m_flags & __EROFS_MAP_FRAGMENT ? IOMAP_NULL_ADDR : map.m_pa; } else { iomap->type = IOMAP_HOLE;

1 month, 3 weeks

2
6
0 0

[PATCH v2] x86/bugs: Fix use of possibly uninit value in amd_check_tsa_microcode()

by Michael Zhivich

For kernels compiled with CONFIG_INIT_STACK_NONE=y, the value of __reserved field in zen_patch_rev union on the stack may be garbage. If so, it will prevent correct microcode check when consulting p.ucode_rev, resulting in incorrect mitigation selection. Cc: <stable(a)vger.kernel.org> Signed-off-by: Michael Zhivich <mzhivich(a)akamai.com> Fixes: 7a0395f6607a5 ("x86/bugs: Add a Transient Scheduler Attacks mitigation") --- Changes in v2: - Rework patch per feedback - Add Cc: stable arch/x86/kernel/cpu/amd.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c index efd42ee9d1cc..289ff197b1b3 100644 --- a/arch/x86/kernel/cpu/amd.c +++ b/arch/x86/kernel/cpu/amd.c @@ -378,6 +378,8 @@ static bool amd_check_tsa_microcode(void) p.model = c->x86_model; p.ext_model = c->x86_model >> 4; p.stepping = c->x86_stepping; + /* reserved bits are expected to be 0 in test below */ + p.__reserved = 0; if (cpu_has(c, X86_FEATURE_ZEN3) || cpu_has(c, X86_FEATURE_ZEN4)) { -- 2.34.1

1 month, 3 weeks

4
11
0 0

[PATCH 6.1.y-cip 1/5] [PARTIAL BACKPORT]drm/i915: Fix HPD polling, reenabling the output poll work as needed

by Nicusor Huhulea

From: Imre Deak <imre.deak(a)intel.com> After the commit in the Fixes: line below, HPD polling stopped working on i915, since after that change calling drm_kms_helper_poll_enable() doesn't restart drm_mode_config::output_poll_work if the work was stopped (no connectors needing polling) and enabling polling for a connector (during runtime suspend or detecting an HPD IRQ storm). After the above change calling drm_kms_helper_poll_enable() is a nop after it's been called already and polling for some connectors was disabled/re-enabled. Fix this by calling drm_kms_helper_poll_reschedule() added in the previous patch instead, which reschedules the work whenever expected. Fixes: d33a54e3991d ("drm/probe_helper: sort out poll_running vs poll_enabled") CC: stable(a)vger.kernel.org # 6.4+ Cc: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Cc: dri-devel(a)lists.freedesktop.org Reviewed-by: Jouni Högander <jouni.hogander(a)intel.com> Signed-off-by: Imre Deak <imre.deak(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20230822113015.41224-2-imre.d… (cherry picked from commit 50452f2f76852322620b63e62922b85e955abe94) Signed-off-by: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Partial-Backport-by: Nicusor Huhulea <nicusor.huhulea(a)siemens.com> --- drivers/gpu/drm/i915/display/intel_hotplug.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/i915/display/intel_hotplug.c b/drivers/gpu/drm/i915/display/intel_hotplug.c index f7a2f485b177c..6ba2d7b0cd1b7 100644 --- a/drivers/gpu/drm/i915/display/intel_hotplug.c +++ b/drivers/gpu/drm/i915/display/intel_hotplug.c @@ -208,7 +208,7 @@ intel_hpd_irq_storm_switch_to_polling(struct drm_i915_private *dev_priv) /* Enable polling and queue hotplug re-enabling. */ if (hpd_disabled) { - drm_kms_helper_poll_enable(dev); + drm_kms_helper_poll_reschedule(&dev_priv->drm); mod_delayed_work(system_wq, &dev_priv->display.hotplug.reenable_work, msecs_to_jiffies(HPD_STORM_REENABLE_DELAY)); } @@ -638,7 +638,7 @@ static void i915_hpd_poll_init_work(struct work_struct *work) drm_connector_list_iter_end(&conn_iter); if (enabled) - drm_kms_helper_poll_enable(dev); + drm_kms_helper_poll_reschedule(&dev_priv->drm); mutex_unlock(&dev->mode_config.mutex); -- 2.39.2

1 month, 3 weeks

1
0
0 0

[PATCH] iommu/vt-d: Fix misplaced domain_attached assignment

by Ban ZuoXiang

Commit fb5873b779dd ("iommu/vt-d: Restore context entry setup order for aliased devices") was incorrectly backported: the domain_attached assignment was mistakenly placed in device_set_dirty_tracking() instead of original identity_domain_attach_dev(). Fix this by moving the assignment to the correct function as in the original commit. Fixes: fb5873b779dd ("iommu/vt-d: Restore context entry setup order for aliased devices") Closes: https://lore.kernel.org/linux-iommu/721D44AF820A4FEB+722679cb-2226-4287-883… Cc: stable(a)vger.kernel.org Reported-by: Ban ZuoXiang <bbaa(a)bbaa.fun> Signed-off-by: Ban ZuoXiang <bbaa(a)bbaa.fun> --- drivers/iommu/intel/iommu.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c index 56e9f125cda9..af4e6c1e55db 100644 --- a/drivers/iommu/intel/iommu.c +++ b/drivers/iommu/intel/iommu.c @@ -4414,9 +4414,6 @@ static int device_set_dirty_tracking(struct list_head *devices, bool enable) break; } - if (!ret) - info->domain_attached = true; - return ret; } @@ -4600,6 +4597,9 @@ static int identity_domain_attach_dev(struct iommu_domain *domain, struct device ret = device_setup_pass_through(dev); } + if (!ret) + info->domain_attached = true; + return ret; } -- 2.50.1

1 month, 3 weeks

2
1
0 0

[PATCH RESEND] HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()

by Qasim Ijaz

A malicious HID device can trigger a slab out-of-bounds during mt_report_fixup() by passing in report descriptor smaller than 607 bytes. mt_report_fixup() attempts to patch byte offset 607 of the descriptor with 0x25 by first checking if byte offset 607 is 0x15 however it lacks bounds checks to verify if the descriptor is big enough before conducting this check. Fix this vulnerability by ensuring the descriptor size is greater than or equal to 608 before accessing it. Below is the KASAN splat after the out of bounds access happens: [ 13.671954] ================================================================== [ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110 [ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10 [ 13.673297] [ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3 [ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04 [ 13.673297] Call Trace: [ 13.673297] <TASK> [ 13.673297] dump_stack_lvl+0x5f/0x80 [ 13.673297] print_report+0xd1/0x660 [ 13.673297] kasan_report+0xe5/0x120 [ 13.673297] __asan_report_load1_noabort+0x18/0x20 [ 13.673297] mt_report_fixup+0x103/0x110 [ 13.673297] hid_open_report+0x1ef/0x810 [ 13.673297] mt_probe+0x422/0x960 [ 13.673297] hid_device_probe+0x2e2/0x6f0 [ 13.673297] really_probe+0x1c6/0x6b0 [ 13.673297] __driver_probe_device+0x24f/0x310 [ 13.673297] driver_probe_device+0x4e/0x220 [ 13.673297] __device_attach_driver+0x169/0x320 [ 13.673297] bus_for_each_drv+0x11d/0x1b0 [ 13.673297] __device_attach+0x1b8/0x3e0 [ 13.673297] device_initial_probe+0x12/0x20 [ 13.673297] bus_probe_device+0x13d/0x180 [ 13.673297] device_add+0xe3a/0x1670 [ 13.673297] hid_add_device+0x31d/0xa40 [...] Fixes: c8000deb6836 ("HID: multitouch: Add support for GT7868Q") Cc: stable(a)vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> Reviewed-by: Dmitry Savin <envelsavinds(a)gmail.com> --- drivers/hid/hid-multitouch.c | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c index 7ac8e16e6158..af4abe3ba410 100644 --- a/drivers/hid/hid-multitouch.c +++ b/drivers/hid/hid-multitouch.c @@ -1461,18 +1461,25 @@ static const __u8 *mt_report_fixup(struct hid_device *hdev, __u8 *rdesc, if (hdev->vendor == I2C_VENDOR_ID_GOODIX && (hdev->product == I2C_DEVICE_ID_GOODIX_01E8 || hdev->product == I2C_DEVICE_ID_GOODIX_01E9)) { - if (rdesc[607] == 0x15) { - rdesc[607] = 0x25; - dev_info( - &hdev->dev, - "GT7868Q report descriptor fixup is applied.\n"); + if (*size >= 608) { + if (rdesc[607] == 0x15) { + rdesc[607] = 0x25; + dev_info( + &hdev->dev, + "GT7868Q report descriptor fixup is applied.\n"); + } else { + dev_info( + &hdev->dev, + "The byte is not expected for fixing the report descriptor. \ + It's possible that the touchpad firmware is not suitable for applying the fix. \ + got: %x\n", + rdesc[607]); + } } else { dev_info( &hdev->dev, - "The byte is not expected for fixing the report descriptor. \ -It's possible that the touchpad firmware is not suitable for applying the fix. \ -got: %x\n", - rdesc[607]); + "GT7868Q fixup: report descriptor only %u bytes, skipping\n", + *size); } } -- 2.39.5

1 month, 3 weeks

3
5
0 0

[REGRESSION][BISECTED] PCI Passthrough / SR-IOV Failure on Stable Kernel ≥ v6.12.35

by Ban ZuoXiang

Hi all, We've identified a regression affecting PCI passthrough / SR-IOV virtualization starting from Linux v6.12.35. A user reported that [1], beginning with this version, SR-IOV virtual functions fail to initialize properly inside the guest. The issue appears to some MMIO operations not completing correctly in the guest. > [ 2.152320] i915 0000:07:00.0: [drm] *ERROR* GT0: GUC: mmio request 0x4509: failure 306/0 > [ 2.152327] i915 0000:07:00.0: [drm] *ERROR* GuC initialization failed (-ENXIO) > [ 2.152330] i915 0000:07:00.0: [drm] *ERROR* GT0: Failed to initialize GPU, declaring it wedged! Here is the |git bisect| log: > # bad: [fbad404f04d758c52bae79ca20d0e7fe5fef91d3] Linux 6.12.37 > # good: [e03ced99c437f4a7992b8fa3d97d598f55453fd0] Linux 6.12.33 > git bisect start 'HEAD' 'v6.12.33' > # bad: [b01a29a80cca28f0c7d0864e2d62fb9616051bfc] ACPI: bus: Bail out if acpi_kobj registration fails > git bisect bad b01a29a80cca28f0c7d0864e2d62fb9616051bfc > # bad: [b01a29a80cca28f0c7d0864e2d62fb9616051bfc] ACPI: bus: Bail out if acpi_kobj registration fails > git bisect bad b01a29a80cca28f0c7d0864e2d62fb9616051bfc > # good: [35f116a4658f787bea7e82fdd23e2e9789254f5e] drm/xe: Make xe_gt_freq part of the Documentation > git bisect good 35f116a4658f787bea7e82fdd23e2e9789254f5e > # good: [261f2a655b709e59a8d759ce9fa478778d9e84f4] crypto: qat - add shutdown handler to qat_c3xxx > git bisect good 261f2a655b709e59a8d759ce9fa478778d9e84f4 > # good: [4d0686b53cc9342be3f8ce06336fd5ab0d206355] ata: ahci: Disallow LPM for Asus B550-F motherboard > git bisect good 4d0686b53cc9342be3f8ce06336fd5ab0d206355 > # bad: [ce4ef0274cb66a4750000f33f2d316c0dbaf4515] KVM: s390: rename PROT_NONE to PROT_TYPE_DUMMY > git bisect bad ce4ef0274cb66a4750000f33f2d316c0dbaf4515 > # bad: [8d0645b59b19d97a3b7c5a3fb8dae0c89e98cde9] parisc/unaligned: Fix hex output to show 8 hex chars > git bisect bad 8d0645b59b19d97a3b7c5a3fb8dae0c89e98cde9 > # good: [fed611bd8c7b76b070aa407d0c7558e20d9e1f68] f2fs: fix to do sanity check on ino and xnid > git bisect good fed611bd8c7b76b070aa407d0c7558e20d9e1f68 > # good: [8a008c89e5e5c5332e4c0a33d707db9ddd529f8a] net/sched: fix use-after-free in taprio_dev_notifier > git bisect good 8a008c89e5e5c5332e4c0a33d707db9ddd529f8a > # bad: [3f2098f4fba7718eb2501207ca6e99d22427f25a] fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var > git bisect bad 3f2098f4fba7718eb2501207ca6e99d22427f25a > # bad: [fb5873b779dd5858123c19bbd6959566771e2e83] iommu/vt-d: Restore context entry setup order for aliased devices > git bisect bad fb5873b779dd5858123c19bbd6959566771e2e83 > # good: [81c64c2f84ab581d1c45dbbbca941c13128faee6] net: ftgmac100: select FIXED_PHY > git bisect good 81c64c2f84ab581d1c45dbbbca941c13128faee6 > # first bad commit: [fb5873b779dd5858123c19bbd6959566771e2e83] iommu/vt-d: Restore context entry setup order for aliased devices > > commit fb5873b779dd5858123c19bbd6959566771e2e83 > Author: Lu Baolu <baolu.lu(a)linux.intel.com> > Date: Tue May 20 15:58:49 2025 +0800 > > iommu/vt-d: Restore context entry setup order for aliased devices > > commit 320302baed05c6456164652541f23d2a96522c06 upstream. This commit was introduced in [2], and the issue only affects stable kernels prior to v6.15. Besides, the Ubuntu v6.14-series kernel used by Proxmox also appears to be affected [3]. Best regards, Ban ZuoXiang [1]: https://github.com/strongtz/i915-sriov-dkms/issues/320 [2]: https://lore.kernel.org/r/20250514060523.2862195-1-baolu.lu@linux.intel.com [3]: https://github.com/strongtz/i915-sriov-dkms/issues/312

1 month, 3 weeks

4
6
0 0

[PATCH v2 2/4] dt-bindings: ufs: mediatek,ufs: add ufs-disable-mcq flag for UFS host

by Macpaul Lin

Add the 'mediatek,ufs-disable-mcq' property to the UFS device-tree bindings. This flag corresponds to the UFS_MTK_CAP_DISABLE_MCQ host capability recently introduced in the UFS host driver, allowing it to disable the Multiple Circular Queue (MCQ) feature when present. The binding schema has also been updated to resolve DTBS check errors. Cc: stable(a)vger.kernel.org Fixes: 46bd3e31d74b ("scsi: ufs: mediatek: Add UFS_MTK_CAP_DISABLE_MCQ") Signed-off-by: Macpaul Lin <macpaul.lin(a)mediatek.com> --- Documentation/devicetree/bindings/ufs/mediatek,ufs.yaml | 4 ++++ 1 file changed, 4 insertions(+) Changes for v2: - Split new property from the origin patch. - Add dependency description. Since the code in ufs-mediatek.c has been backport to stable tree. The dt-bindings should be backport to the same stable tree as well. diff --git a/Documentation/devicetree/bindings/ufs/mediatek,ufs.yaml b/Documentation/devicetree/bindings/ufs/mediatek,ufs.yaml index 32fd535a514a..20f341d25ebc 100644 --- a/Documentation/devicetree/bindings/ufs/mediatek,ufs.yaml +++ b/Documentation/devicetree/bindings/ufs/mediatek,ufs.yaml @@ -33,6 +33,10 @@ properties: vcc-supply: true + mediatek,ufs-disable-mcq: + $ref: /schemas/types.yaml#/definitions/flag + description: The mask to disable MCQ (Multi-Circular Queue) for UFS host. + required: - compatible - clocks -- 2.45.2

1 month, 3 weeks

3
2
0 0

[PATCH] net: usbnet: Avoid potential RCU stall on LINK_CHANGE event

by John Ernberg

Having a Gemalto Cinterion PLS83-W modem attached to USB and activating the cellular data link would sometimes yield the following RCU stall, leading to a system freeze: rcu: INFO: rcu_sched detected expedited stalls on CPUs/tasks: { 0-.... } 33108 jiffies s: 201 root: 0x1/. rcu: blocking rcu_node structures (internal RCU debug): Sending NMI from CPU 1 to CPUs 0: NMI backtrace for cpu 0 Call trace: arch_local_irq_enable+0x4/0x8 local_bh_enable+0x18/0x20 __netdev_alloc_skb+0x18c/0x1cc rx_submit+0x68/0x1f8 [usbnet] rx_alloc_submit+0x4c/0x74 [usbnet] usbnet_bh+0x1d8/0x218 [usbnet] usbnet_bh_tasklet+0x10/0x18 [usbnet] tasklet_action_common+0xa8/0x110 tasklet_action+0x2c/0x34 handle_softirqs+0x2cc/0x3a0 __do_softirq+0x10/0x18 ____do_softirq+0xc/0x14 call_on_irq_stack+0x24/0x34 do_softirq_own_stack+0x18/0x20 __irq_exit_rcu+0xa8/0xb8 irq_exit_rcu+0xc/0x30 el1_interrupt+0x34/0x48 el1h_64_irq_handler+0x14/0x1c el1h_64_irq+0x68/0x6c _raw_spin_unlock_irqrestore+0x38/0x48 xhci_urb_dequeue+0x1ac/0x45c [xhci_hcd] unlink1+0xd4/0xdc [usbcore] usb_hcd_unlink_urb+0x70/0xb0 [usbcore] usb_unlink_urb+0x24/0x44 [usbcore] unlink_urbs.constprop.0.isra.0+0x64/0xa8 [usbnet] __handle_link_change+0x34/0x70 [usbnet] usbnet_deferred_kevent+0x1c0/0x320 [usbnet] process_scheduled_works+0x2d0/0x48c worker_thread+0x150/0x1dc kthread+0xd8/0xe8 ret_from_fork+0x10/0x20 It turns out that during the link activation a LINK_CHANGE event is emitted which causes the active RX URBs to be unlinked, while that is happening rx_submit() may begin pushing new URBs to the queue being emptied. Causing the unlink queue to never empty. Use the same approach as commit 43daa96b166c ("usbnet: Stop RX Q on MTU change") and pause the RX queue while unlinking the URBs on LINK_CHANGE as well. Fixes: 4b49f58fff00 ("usbnet: handle link change") Cc: stable(a)vger.kernel.org Signed-off-by: John Ernberg <john.ernberg(a)actia.se> --- Tested on 6.12.20 and forward ported. --- drivers/net/usb/usbnet.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c index c04e715a4c2a..156f0e85a135 100644 --- a/drivers/net/usb/usbnet.c +++ b/drivers/net/usb/usbnet.c @@ -1115,7 +1115,9 @@ static void __handle_link_change(struct usbnet *dev) if (!netif_carrier_ok(dev->net)) { /* kill URBs for reading packets to save bus bandwidth */ + usbnet_pause_rx(dev); unlink_urbs(dev, &dev->rxq); + usbnet_resume_rx(dev); /* * tx_timeout will unlink URBs for sending packets and -- 2.49.0

1 month, 3 weeks

3
9
0 0

[PATCH v3 4/5] drm/xe: use 4KiB alignment for cursor jumps

by Simon Richter

From: Mingcong Bai <jeffbai(a)aosc.io> It appears that the xe_res_cursor also assumes 4KiB alignment. Current implementation uses `PAGE_SIZE' as an assumed alignment reference, but 4KiB kernel page sizes is by no means a guarantee. On 16KiB-paged kernels, this causes driver failures during boot up: [ 23.242757] ------------[ cut here ]------------ [ 23.247363] WARNING: CPU: 0 PID: 2036 at drivers/gpu/drm/xe/xe_res_cursor.h:182 emit_pte+0x394/0x3b0 [xe] [ 23.256962] Modules linked in: nf_conntrack_netbios_ns(E) nf_conntrack_broadcast(E) nft_fib_inet(E) nft_fib_ipv4(E) nft_fib_ipv6(E) nft_fib(E) nft_reject_inet(E) nf_reject_ipv4(E) nf_reject_ipv6(E) nft_reject(E) nft_ct(E) rfkill(E) nft_chain_nat(E) ip6table_nat(E) ip6table_mangle(E) ip6table_raw(E) ip6table_security(E) iptable_nat(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) iptable_mangle(E) iptable_raw(E) iptable_security(E) ip_set(E) nf_tables(E) ip6table_filter(E) ip6_tables(E) iptable_filter(E) snd_hda_codec_conexant(E) snd_hda_codec_generic(E) snd_hda_codec_hdmi(E) snd_hda_intel(E) snd_intel_dspcfg(E) snd_hda_codec(E) nls_iso8859_1(E) qrtr(E) nls_cp437(E) snd_hda_core(E) loongson3_cpufreq(E) rtc_efi(E) snd_hwdep(E) snd_pcm(E) spi_loongson_pci(E) snd_timer(E) snd(E) spi_loongson_core(E) soundcore(E) gpio_loongson_64bit(E) rtc_loongson(E) i2c_ls2x(E) mousedev(E) input_leds(E) sch_fq_codel(E) fuse(E) nfnetlink(E) dmi_sysfs(E) ip_tables(E) x_tables(E) xe(E) d rm_gpuvm(E) drm_buddy(E) gpu_sched(E) [ 23.257034] drm_exec(E) drm_suballoc_helper(E) drm_display_helper(E) cec(E) rc_core(E) hid_generic(E) tpm_tis_spi(E) r8169(E) loongson(E) i2c_algo_bit(E) realtek(E) drm_ttm_helper(E) led_class(E) ttm(E) drm_client_lib(E) drm_kms_helper(E) sunrpc(E) i2c_dev(E) [ 23.369697] CPU: 0 UID: 1000 PID: 2036 Comm: QSGRenderThread Tainted: G E 6.14.0-rc4-aosc-main-g7cc07e6e50b0-dirty #8 [ 23.381640] Tainted: [E]=UNSIGNED_MODULE [ 23.385534] Hardware name: Loongson Loongson-3A6000-HV-7A2000-1w-V0.1-EVB/Loongson-3A6000-HV-7A2000-1w-EVB-V1.21, BIOS Loongson-UDK2018-V4.0.05756-prestab [ 23.399319] pc ffff80000251efc0 ra ffff80000251eddc tp 900000011fe3c000 sp 900000011fe3f7e0 [ 23.407632] a0 0000000000000001 a1 0000000000000000 a2 0000000000000000 a3 0000000000000000 [ 23.415938] a4 0000000000000000 a5 0000000000000000 a6 0000000000060000 a7 900000010c947b00 [ 23.424240] t0 0000000000000000 t1 0000000000000000 t2 0000000000000000 t3 900000012e456230 [ 23.432543] t4 0000000000000035 t5 0000000000004000 t6 00000001fbc40403 t7 0000000000004000 [ 23.440845] t8 9000000100e688a8 u0 5cc06cee8ef0edee s9 9000000100024420 s0 0000000000000047 [ 23.449147] s1 0000000000004000 s2 0000000000000001 s3 900000012adba000 s4 ffffffffffffc000 [ 23.457450] s5 9000000108939428 s6 0000000000000000 s7 0000000000000000 s8 900000011fe3f8e0 [ 23.465851] ra: ffff80000251eddc emit_pte+0x1b0/0x3b0 [xe] [ 23.471761] ERA: ffff80000251efc0 emit_pte+0x394/0x3b0 [xe] [ 23.477557] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) [ 23.483732] PRMD: 00000004 (PPLV0 +PIE -PWE) [ 23.488068] EUEN: 00000003 (+FPE +SXE -ASXE -BTE) [ 23.492832] ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7) [ 23.497594] ESTAT: 000c0000 [BRK] (IS= ECode=12 EsubCode=0) [ 23.503133] PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV) [ 23.509164] CPU: 0 UID: 1000 PID: 2036 Comm: QSGRenderThread Tainted: G E 6.14.0-rc4-aosc-main-g7cc07e6e50b0-dirty #8 [ 23.509168] Tainted: [E]=UNSIGNED_MODULE [ 23.509168] Hardware name: Loongson Loongson-3A6000-HV-7A2000-1w-V0.1-EVB/Loongson-3A6000-HV-7A2000-1w-EVB-V1.21, BIOS Loongson-UDK2018-V4.0.05756-prestab [ 23.509170] Stack : ffffffffffffffff ffffffffffffffff 900000000023eb34 900000011fe3c000 [ 23.509176] 900000011fe3f440 0000000000000000 900000011fe3f448 9000000001c31c70 [ 23.509181] 0000000000000000 0000000000000000 0000000000000000 0000000000000000 [ 23.509185] 0000000000000000 5cc06cee8ef0edee 0000000000000000 0000000000000000 [ 23.509190] 0000000000000000 0000000000000000 0000000000000000 0000000000000000 [ 23.509193] 0000000000000000 0000000000000000 00000000066b4000 9000000100024420 [ 23.509197] 9000000001eb8000 0000000000000000 9000000001c31c70 0000000000000004 [ 23.509202] 0000000000000004 0000000000000000 0000000000000000 0000000000000000 [ 23.509206] 900000011fe3f8e0 9000000001c31c70 9000000000244174 00007fffac097534 [ 23.509211] 00000000000000b0 0000000000000004 0000000000000003 0000000000071c1d [ 23.509216] ... [ 23.509218] Call Trace: [ 23.509220] [<9000000000244174>] show_stack+0x3c/0x16c [ 23.509226] [<900000000023eb30>] dump_stack_lvl+0x84/0xe0 [ 23.509230] [<9000000000288208>] __warn+0x8c/0x174 [ 23.509234] [<90000000017c1918>] report_bug+0x1c0/0x22c [ 23.509238] [<90000000017f66e8>] do_bp+0x280/0x344 [ 23.509243] [<90000000002428a0>] handle_bp+0x120/0x1c0 [ 23.509247] [<ffff80000251efc0>] emit_pte+0x394/0x3b0 [xe] [ 23.509295] [<ffff800002520d38>] xe_migrate_clear+0x2d8/0xa54 [xe] [ 23.509341] [<ffff8000024e6c38>] xe_bo_move+0x324/0x930 [xe] [ 23.509387] [<ffff800002209468>] ttm_bo_handle_move_mem+0xd0/0x194 [ttm] [ 23.509392] [<ffff800002209ebc>] ttm_bo_validate+0xd4/0x1cc [ttm] [ 23.509396] [<ffff80000220a138>] ttm_bo_init_reserved+0x184/0x1dc [ttm] [ 23.509399] [<ffff8000024e7840>] ___xe_bo_create_locked+0x1e8/0x3d4 [xe] [ 23.509445] [<ffff8000024e7cf8>] __xe_bo_create_locked+0x2cc/0x390 [xe] [ 23.509489] [<ffff8000024e7e98>] xe_bo_create_user+0x34/0xe4 [xe] [ 23.509533] [<ffff8000024e875c>] xe_gem_create_ioctl+0x154/0x4d8 [xe] [ 23.509578] [<9000000001062784>] drm_ioctl_kernel+0xe0/0x14c [ 23.509582] [<9000000001062c10>] drm_ioctl+0x420/0x5f4 [ 23.509585] [<ffff8000024ea778>] xe_drm_ioctl+0x64/0xac [xe] [ 23.509630] [<9000000000653504>] sys_ioctl+0x2b8/0xf98 [ 23.509634] [<90000000017f684c>] do_syscall+0xa0/0x140 [ 23.509637] [<9000000000241e38>] handle_syscall+0xb8/0x158 [ 23.509640] [ 23.509644] ---[ end trace 0000000000000000 ]--- Revise calls to `xe_res_dma()' and `xe_res_cursor()' to use `XE_PTE_MASK' (12) and `SZ_4K' to fix this potentially confused use of `PAGE_SIZE' in relevant code. Cc: stable(a)vger.kernel.org Fixes: e89b384cde62 ("drm/xe/migrate: Update emit_pte to cope with a size level than 4k") Tested-by: Mingcong Bai <jeffbai(a)aosc.io> Tested-by: Wenbin Fang <fangwenbin(a)vip.qq.com> Tested-by: Haien Liang <27873200(a)qq.com> Tested-by: Jianfeng Liu <liujianfeng1994(a)gmail.com> Tested-by: Shirong Liu <lsr1024(a)qq.com> Tested-by: Haofeng Wu <s2600cw2(a)126.com> Link: https://github.com/FanFansfan/loongson-linux/commit/22c55ab3931c32410a077b3… Link: https://t.me/c/1109254909/768552 Co-developed-by: Shang Yatsen <429839446(a)qq.com> Signed-off-by: Shang Yatsen <429839446(a)qq.com> Signed-off-by: Mingcong Bai <jeffbai(a)aosc.io> --- drivers/gpu/drm/xe/xe_migrate.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_migrate.c b/drivers/gpu/drm/xe/xe_migrate.c index 6a80ae6104dd..89bd78c542b9 100644 --- a/drivers/gpu/drm/xe/xe_migrate.c +++ b/drivers/gpu/drm/xe/xe_migrate.c @@ -606,7 +606,7 @@ static void emit_pte(struct xe_migrate *m, u64 addr, flags = 0; bool devmem = false; - addr = xe_res_dma(cur) & PAGE_MASK; + addr = xe_res_dma(cur) & ~XE_PTE_MASK; if (is_vram) { if (vm->flags & XE_VM_FLAG_64K) { u64 va = cur_ofs * XE_PAGE_SIZE / 8; @@ -627,7 +627,7 @@ static void emit_pte(struct xe_migrate *m, bb->cs[bb->len++] = lower_32_bits(addr); bb->cs[bb->len++] = upper_32_bits(addr); - xe_res_next(cur, min_t(u32, size, PAGE_SIZE)); + xe_res_next(cur, min_t(u32, size, XE_PAGE_SIZE)); cur_ofs += 8; } } -- 2.47.2

1 month, 3 weeks

1
0
0 0

[PATCH 6.1.y 0/5] erofs: backport for `erofs: address D-cache aliasing`

by Gao Xiang

6.6.y fix: https://lore.kernel.org/r/20250722094449.2950654-1-hsiangkao@linux.alibaba.… Hi Jan & Stefan, Please help confirm this 6.1 fix backport if possible too. Thanks, Gao Xiang Gao Xiang (5): erofs: get rid of debug_one_dentry() erofs: sunset erofs_dbg() erofs: drop z_erofs_page_mark_eio() erofs: simplify z_erofs_transform_plain() erofs: address D-cache aliasing fs/erofs/decompressor.c | 23 +++++++---------- fs/erofs/dir.c | 17 ------------- fs/erofs/inode.c | 3 --- fs/erofs/internal.h | 2 -- fs/erofs/namei.c | 9 +++---- fs/erofs/zdata.c | 56 +++++++++++++++++------------------------ fs/erofs/zmap.c | 3 --- 7 files changed, 35 insertions(+), 78 deletions(-) -- 2.43.5

1 month, 3 weeks

2
10
0 0

FAILED: patch "[PATCH] rust: use `#[used(compiler)]` to fix build and `modpost` with" failed to apply to 6.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.15.y git checkout FETCH_HEAD git cherry-pick -x 7498159226772d66f150dd406be462d75964a366 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072101-perfume-vitalize-a08b@gregkh' --subject-prefix 'PATCH 6.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7498159226772d66f150dd406be462d75964a366 Mon Sep 17 00:00:00 2001 From: Miguel Ojeda <ojeda(a)kernel.org> Date: Sat, 12 Jul 2025 18:01:03 +0200 Subject: [PATCH] rust: use `#[used(compiler)]` to fix build and `modpost` with Rust >= 1.89.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Starting with Rust 1.89.0 (expected 2025-08-07), the Rust compiler fails to build the `rusttest` target due to undefined references such as: kernel...-cgu.0:(.text....+0x116): undefined reference to `rust_helper_kunit_get_current_test' Moreover, tooling like `modpost` gets confused: WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/gpu/drm/nova/nova.o ERROR: modpost: missing MODULE_LICENSE() in drivers/gpu/nova-core/nova_core.o The reason behind both issues is that the Rust compiler will now [1] treat `#[used]` as `#[used(linker)]` instead of `#[used(compiler)]` for our targets. This means that the retain section flag (`R`, `SHF_GNU_RETAIN`) will be used and that they will be marked as `unique` too, with different IDs. In turn, that means we end up with undefined references that did not get discarded in `rusttest` and that multiple `.modinfo` sections are generated, which confuse tooling like `modpost` because they only expect one. Thus start using `#[used(compiler)]` to keep the previous behavior and to be explicit about what we want. Sadly, it is an unstable feature (`used_with_arg`) [2] -- we will talk to upstream Rust about it. The good news is that it has been available for a long time (Rust >= 1.60) [3]. The changes should also be fine for previous Rust versions, since they behave the same way as before [4]. Alternatively, we could use `#[no_mangle]` or `#[export_name = ...]` since those still behave like `#[used(compiler)]`, but of course it is not really what we want to express, and it requires other changes to avoid symbol conflicts. Cc: David Wood <david(a)davidtw.co> Cc: Wesley Wiser <wwiser(a)gmail.com> Cc: stable(a)vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs). Link: https://github.com/rust-lang/rust/pull/140872 [1] Link: https://github.com/rust-lang/rust/issues/93798 [2] Link: https://github.com/rust-lang/rust/pull/91504 [3] Link: https://godbolt.org/z/sxzWTMfzW [4] Reviewed-by: Alice Ryhl <aliceryhl(a)google.com> Acked-by: Björn Roy Baron <bjorn3_gh(a)protonmail.com> Link: https://lore.kernel.org/r/20250712160103.1244945-3-ojeda@kernel.org Signed-off-by: Miguel Ojeda <ojeda(a)kernel.org> diff --git a/rust/Makefile b/rust/Makefile index 27dec7904c3a..115b63b7d1e3 100644 --- a/rust/Makefile +++ b/rust/Makefile @@ -194,6 +194,7 @@ quiet_cmd_rustdoc_test = RUSTDOC T $< RUST_MODFILE=test.rs \ OBJTREE=$(abspath $(objtree)) \ $(RUSTDOC) --test $(rust_common_flags) \ + -Zcrate-attr='feature(used_with_arg)' \ @$(objtree)/include/generated/rustc_cfg \ $(rustc_target_flags) $(rustdoc_test_target_flags) \ $(rustdoc_test_quiet) \ diff --git a/rust/kernel/firmware.rs b/rust/kernel/firmware.rs index 2494c96e105f..4fe621f35716 100644 --- a/rust/kernel/firmware.rs +++ b/rust/kernel/firmware.rs @@ -202,7 +202,7 @@ macro_rules! module_firmware { }; #[link_section = ".modinfo"] - #[used] + #[used(compiler)] static __MODULE_FIRMWARE: [u8; $($builder)*::create(__MODULE_FIRMWARE_PREFIX) .build_length()] = $($builder)*::create(__MODULE_FIRMWARE_PREFIX).build(); }; diff --git a/rust/kernel/kunit.rs b/rust/kernel/kunit.rs index 4b8cdcb21e77..b9e65905e121 100644 --- a/rust/kernel/kunit.rs +++ b/rust/kernel/kunit.rs @@ -302,7 +302,7 @@ macro_rules! kunit_unsafe_test_suite { is_init: false, }; - #[used] + #[used(compiler)] #[allow(unused_unsafe)] #[cfg_attr(not(target_os = "macos"), link_section = ".kunit_test_suites")] static mut KUNIT_TEST_SUITE_ENTRY: *const ::kernel::bindings::kunit_suite = diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs index 6b4774b2b1c3..e13d6ed88fa6 100644 --- a/rust/kernel/lib.rs +++ b/rust/kernel/lib.rs @@ -34,6 +34,9 @@ // Expected to become stable. #![feature(arbitrary_self_types)] // +// To be determined. +#![feature(used_with_arg)] +// // `feature(derive_coerce_pointee)` is expected to become stable. Before Rust // 1.84.0, it did not exist, so enable the predecessor features. #![cfg_attr(CONFIG_RUSTC_HAS_COERCE_POINTEE, feature(derive_coerce_pointee))] diff --git a/rust/macros/module.rs b/rust/macros/module.rs index 2ddd2eeb2852..75efc6eeeafc 100644 --- a/rust/macros/module.rs +++ b/rust/macros/module.rs @@ -57,7 +57,7 @@ fn emit_base(&mut self, field: &str, content: &str, builtin: bool) { {cfg} #[doc(hidden)] #[cfg_attr(not(target_os = \"macos\"), link_section = \".modinfo\")] - #[used] + #[used(compiler)] pub static __{module}_{counter}: [u8; {length}] = *{string}; ", cfg = if builtin { @@ -249,7 +249,7 @@ mod __module_init {{ // key or a new section. For the moment, keep it simple. #[cfg(MODULE)] #[doc(hidden)] - #[used] + #[used(compiler)] static __IS_RUST_MODULE: () = (); static mut __MOD: ::core::mem::MaybeUninit<{type_}> = @@ -273,7 +273,7 @@ mod __module_init {{ #[cfg(MODULE)] #[doc(hidden)] - #[used] + #[used(compiler)] #[link_section = \".init.data\"] static __UNIQUE_ID___addressable_init_module: unsafe extern \"C\" fn() -> i32 = init_module; @@ -293,7 +293,7 @@ mod __module_init {{ #[cfg(MODULE)] #[doc(hidden)] - #[used] + #[used(compiler)] #[link_section = \".exit.data\"] static __UNIQUE_ID___addressable_cleanup_module: extern \"C\" fn() = cleanup_module; @@ -303,7 +303,7 @@ mod __module_init {{ #[cfg(not(CONFIG_HAVE_ARCH_PREL32_RELOCATIONS))] #[doc(hidden)] #[link_section = \"{initcall_section}\"] - #[used] + #[used(compiler)] pub static __{ident}_initcall: extern \"C\" fn() -> ::kernel::ffi::c_int = __{ident}_init; diff --git a/scripts/Makefile.build b/scripts/Makefile.build index a6461ea411f7..ba71b27aa363 100644 --- a/scripts/Makefile.build +++ b/scripts/Makefile.build @@ -312,10 +312,11 @@ $(obj)/%.lst: $(obj)/%.c FORCE # - Stable since Rust 1.82.0: `feature(asm_const)`, `feature(raw_ref_op)`. # - Stable since Rust 1.87.0: `feature(asm_goto)`. # - Expected to become stable: `feature(arbitrary_self_types)`. +# - To be determined: `feature(used_with_arg)`. # # Please see https://github.com/Rust-for-Linux/linux/issues/2 for details on # the unstable features in use. -rust_allowed_features := asm_const,asm_goto,arbitrary_self_types,lint_reasons,raw_ref_op +rust_allowed_features := asm_const,asm_goto,arbitrary_self_types,lint_reasons,raw_ref_op,used_with_arg # `--out-dir` is required to avoid temporaries being created by `rustc` in the # current working directory, which may be not accessible in the out-of-tree

1 month, 3 weeks

3
2
0 0

[PATCH 5.15.y 0/4] Fix blank WHCAN value in 'ps' output

by Siddhi Katage

The 'ps' output prints blank(hyphen) WHCAN value for all the tasks. This patchset will help print the correct WCHAN value. Kees Cook (1): sched: Add wrapper for get_wchan() to keep task blocked Peter Zijlstra (2): x86: Fix __get_wchan() for !STACKTRACE x86: Pin task-stack in __get_wchan() Qi Zheng (1): x86: Fix get_wchan() to support the ORC unwinder arch/alpha/include/asm/processor.h | 2 +- arch/alpha/kernel/process.c | 5 +- arch/arc/include/asm/processor.h | 2 +- arch/arc/kernel/stacktrace.c | 4 +- arch/arm/include/asm/processor.h | 2 +- arch/arm/kernel/process.c | 4 +- arch/arm64/include/asm/processor.h | 2 +- arch/arm64/kernel/process.c | 4 +- arch/csky/include/asm/processor.h | 2 +- arch/csky/kernel/stacktrace.c | 5 +- arch/h8300/include/asm/processor.h | 2 +- arch/h8300/kernel/process.c | 5 +- arch/hexagon/include/asm/processor.h | 2 +- arch/hexagon/kernel/process.c | 4 +- arch/ia64/include/asm/processor.h | 2 +- arch/ia64/kernel/process.c | 5 +- arch/m68k/include/asm/processor.h | 2 +- arch/m68k/kernel/process.c | 4 +- arch/microblaze/include/asm/processor.h | 2 +- arch/microblaze/kernel/process.c | 2 +- arch/mips/include/asm/processor.h | 2 +- arch/mips/kernel/process.c | 8 ++-- arch/nds32/include/asm/processor.h | 2 +- arch/nds32/kernel/process.c | 7 +-- arch/nios2/include/asm/processor.h | 2 +- arch/nios2/kernel/process.c | 5 +- arch/openrisc/include/asm/processor.h | 2 +- arch/openrisc/kernel/process.c | 2 +- arch/parisc/include/asm/processor.h | 2 +- arch/parisc/kernel/process.c | 5 +- arch/powerpc/include/asm/processor.h | 2 +- arch/powerpc/kernel/process.c | 9 ++-- arch/riscv/include/asm/processor.h | 2 +- arch/riscv/kernel/stacktrace.c | 12 ++--- arch/s390/include/asm/processor.h | 2 +- arch/s390/kernel/process.c | 4 +- arch/sh/include/asm/processor_32.h | 2 +- arch/sh/kernel/process_32.c | 5 +- arch/sparc/include/asm/processor_32.h | 2 +- arch/sparc/include/asm/processor_64.h | 2 +- arch/sparc/kernel/process_32.c | 5 +- arch/sparc/kernel/process_64.c | 5 +- arch/um/include/asm/processor-generic.h | 2 +- arch/um/kernel/process.c | 5 +- arch/x86/include/asm/processor.h | 2 +- arch/x86/kernel/process.c | 62 ++++++------------------- arch/xtensa/include/asm/processor.h | 2 +- arch/xtensa/kernel/process.c | 5 +- include/linux/sched.h | 1 + kernel/sched/core.c | 19 ++++++++ 50 files changed, 94 insertions(+), 155 deletions(-) -- 2.47.1

1 month, 3 weeks

3
11
0 0

FAILED: patch "[PATCH] net: libwx: fix multicast packets received count" failed to apply to 6.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.15.y git checkout FETCH_HEAD git cherry-pick -x 2b30a3d1ec2538a1fd363fde746b9fe1d38abc77 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072136-steersman-voicing-574e@gregkh' --subject-prefix 'PATCH 6.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2b30a3d1ec2538a1fd363fde746b9fe1d38abc77 Mon Sep 17 00:00:00 2001 From: Jiawen Wu <jiawenwu(a)trustnetic.com> Date: Mon, 14 Jul 2025 09:56:56 +0800 Subject: [PATCH] net: libwx: fix multicast packets received count Multicast good packets received by PF rings that pass ethternet MAC address filtering are counted for rtnl_link_stats64.multicast. The counter is not cleared on read. Fix the duplicate counting on updating statistics. Fixes: 46b92e10d631 ("net: libwx: support hardware statistics") Cc: stable(a)vger.kernel.org Signed-off-by: Jiawen Wu <jiawenwu(a)trustnetic.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/DA229A4F58B70E51+20250714015656.91772-1-jiawenwu@t… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/drivers/net/ethernet/wangxun/libwx/wx_hw.c b/drivers/net/ethernet/wangxun/libwx/wx_hw.c index 4cce07a69891..f0823aa1ede6 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_hw.c +++ b/drivers/net/ethernet/wangxun/libwx/wx_hw.c @@ -2777,6 +2777,8 @@ void wx_update_stats(struct wx *wx) hwstats->fdirmiss += rd32(wx, WX_RDB_FDIR_MISS); } + /* qmprc is not cleared on read, manual reset it */ + hwstats->qmprc = 0; for (i = wx->num_vfs * wx->num_rx_queues_per_pool; i < wx->mac.max_rx_queues; i++) hwstats->qmprc += rd32(wx, WX_PX_MPRC(i));

1 month, 3 weeks

4
5
0 0

FAILED: patch "[PATCH] net: libwx: fix multicast packets received count" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 2b30a3d1ec2538a1fd363fde746b9fe1d38abc77 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072137-disarm-donator-b329@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2b30a3d1ec2538a1fd363fde746b9fe1d38abc77 Mon Sep 17 00:00:00 2001 From: Jiawen Wu <jiawenwu(a)trustnetic.com> Date: Mon, 14 Jul 2025 09:56:56 +0800 Subject: [PATCH] net: libwx: fix multicast packets received count Multicast good packets received by PF rings that pass ethternet MAC address filtering are counted for rtnl_link_stats64.multicast. The counter is not cleared on read. Fix the duplicate counting on updating statistics. Fixes: 46b92e10d631 ("net: libwx: support hardware statistics") Cc: stable(a)vger.kernel.org Signed-off-by: Jiawen Wu <jiawenwu(a)trustnetic.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/DA229A4F58B70E51+20250714015656.91772-1-jiawenwu@t… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/drivers/net/ethernet/wangxun/libwx/wx_hw.c b/drivers/net/ethernet/wangxun/libwx/wx_hw.c index 4cce07a69891..f0823aa1ede6 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_hw.c +++ b/drivers/net/ethernet/wangxun/libwx/wx_hw.c @@ -2777,6 +2777,8 @@ void wx_update_stats(struct wx *wx) hwstats->fdirmiss += rd32(wx, WX_RDB_FDIR_MISS); } + /* qmprc is not cleared on read, manual reset it */ + hwstats->qmprc = 0; for (i = wx->num_vfs * wx->num_rx_queues_per_pool; i < wx->mac.max_rx_queues; i++) hwstats->qmprc += rd32(wx, WX_PX_MPRC(i));

1 month, 3 weeks

4
5
0 0

FAILED: patch "[PATCH] rust: use `#[used(compiler)]` to fix build and `modpost` with" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 7498159226772d66f150dd406be462d75964a366 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072102-theorize-single-3700@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7498159226772d66f150dd406be462d75964a366 Mon Sep 17 00:00:00 2001 From: Miguel Ojeda <ojeda(a)kernel.org> Date: Sat, 12 Jul 2025 18:01:03 +0200 Subject: [PATCH] rust: use `#[used(compiler)]` to fix build and `modpost` with Rust >= 1.89.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Starting with Rust 1.89.0 (expected 2025-08-07), the Rust compiler fails to build the `rusttest` target due to undefined references such as: kernel...-cgu.0:(.text....+0x116): undefined reference to `rust_helper_kunit_get_current_test' Moreover, tooling like `modpost` gets confused: WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/gpu/drm/nova/nova.o ERROR: modpost: missing MODULE_LICENSE() in drivers/gpu/nova-core/nova_core.o The reason behind both issues is that the Rust compiler will now [1] treat `#[used]` as `#[used(linker)]` instead of `#[used(compiler)]` for our targets. This means that the retain section flag (`R`, `SHF_GNU_RETAIN`) will be used and that they will be marked as `unique` too, with different IDs. In turn, that means we end up with undefined references that did not get discarded in `rusttest` and that multiple `.modinfo` sections are generated, which confuse tooling like `modpost` because they only expect one. Thus start using `#[used(compiler)]` to keep the previous behavior and to be explicit about what we want. Sadly, it is an unstable feature (`used_with_arg`) [2] -- we will talk to upstream Rust about it. The good news is that it has been available for a long time (Rust >= 1.60) [3]. The changes should also be fine for previous Rust versions, since they behave the same way as before [4]. Alternatively, we could use `#[no_mangle]` or `#[export_name = ...]` since those still behave like `#[used(compiler)]`, but of course it is not really what we want to express, and it requires other changes to avoid symbol conflicts. Cc: David Wood <david(a)davidtw.co> Cc: Wesley Wiser <wwiser(a)gmail.com> Cc: stable(a)vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs). Link: https://github.com/rust-lang/rust/pull/140872 [1] Link: https://github.com/rust-lang/rust/issues/93798 [2] Link: https://github.com/rust-lang/rust/pull/91504 [3] Link: https://godbolt.org/z/sxzWTMfzW [4] Reviewed-by: Alice Ryhl <aliceryhl(a)google.com> Acked-by: Björn Roy Baron <bjorn3_gh(a)protonmail.com> Link: https://lore.kernel.org/r/20250712160103.1244945-3-ojeda@kernel.org Signed-off-by: Miguel Ojeda <ojeda(a)kernel.org> diff --git a/rust/Makefile b/rust/Makefile index 27dec7904c3a..115b63b7d1e3 100644 --- a/rust/Makefile +++ b/rust/Makefile @@ -194,6 +194,7 @@ quiet_cmd_rustdoc_test = RUSTDOC T $< RUST_MODFILE=test.rs \ OBJTREE=$(abspath $(objtree)) \ $(RUSTDOC) --test $(rust_common_flags) \ + -Zcrate-attr='feature(used_with_arg)' \ @$(objtree)/include/generated/rustc_cfg \ $(rustc_target_flags) $(rustdoc_test_target_flags) \ $(rustdoc_test_quiet) \ diff --git a/rust/kernel/firmware.rs b/rust/kernel/firmware.rs index 2494c96e105f..4fe621f35716 100644 --- a/rust/kernel/firmware.rs +++ b/rust/kernel/firmware.rs @@ -202,7 +202,7 @@ macro_rules! module_firmware { }; #[link_section = ".modinfo"] - #[used] + #[used(compiler)] static __MODULE_FIRMWARE: [u8; $($builder)*::create(__MODULE_FIRMWARE_PREFIX) .build_length()] = $($builder)*::create(__MODULE_FIRMWARE_PREFIX).build(); }; diff --git a/rust/kernel/kunit.rs b/rust/kernel/kunit.rs index 4b8cdcb21e77..b9e65905e121 100644 --- a/rust/kernel/kunit.rs +++ b/rust/kernel/kunit.rs @@ -302,7 +302,7 @@ macro_rules! kunit_unsafe_test_suite { is_init: false, }; - #[used] + #[used(compiler)] #[allow(unused_unsafe)] #[cfg_attr(not(target_os = "macos"), link_section = ".kunit_test_suites")] static mut KUNIT_TEST_SUITE_ENTRY: *const ::kernel::bindings::kunit_suite = diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs index 6b4774b2b1c3..e13d6ed88fa6 100644 --- a/rust/kernel/lib.rs +++ b/rust/kernel/lib.rs @@ -34,6 +34,9 @@ // Expected to become stable. #![feature(arbitrary_self_types)] // +// To be determined. +#![feature(used_with_arg)] +// // `feature(derive_coerce_pointee)` is expected to become stable. Before Rust // 1.84.0, it did not exist, so enable the predecessor features. #![cfg_attr(CONFIG_RUSTC_HAS_COERCE_POINTEE, feature(derive_coerce_pointee))] diff --git a/rust/macros/module.rs b/rust/macros/module.rs index 2ddd2eeb2852..75efc6eeeafc 100644 --- a/rust/macros/module.rs +++ b/rust/macros/module.rs @@ -57,7 +57,7 @@ fn emit_base(&mut self, field: &str, content: &str, builtin: bool) { {cfg} #[doc(hidden)] #[cfg_attr(not(target_os = \"macos\"), link_section = \".modinfo\")] - #[used] + #[used(compiler)] pub static __{module}_{counter}: [u8; {length}] = *{string}; ", cfg = if builtin { @@ -249,7 +249,7 @@ mod __module_init {{ // key or a new section. For the moment, keep it simple. #[cfg(MODULE)] #[doc(hidden)] - #[used] + #[used(compiler)] static __IS_RUST_MODULE: () = (); static mut __MOD: ::core::mem::MaybeUninit<{type_}> = @@ -273,7 +273,7 @@ mod __module_init {{ #[cfg(MODULE)] #[doc(hidden)] - #[used] + #[used(compiler)] #[link_section = \".init.data\"] static __UNIQUE_ID___addressable_init_module: unsafe extern \"C\" fn() -> i32 = init_module; @@ -293,7 +293,7 @@ mod __module_init {{ #[cfg(MODULE)] #[doc(hidden)] - #[used] + #[used(compiler)] #[link_section = \".exit.data\"] static __UNIQUE_ID___addressable_cleanup_module: extern \"C\" fn() = cleanup_module; @@ -303,7 +303,7 @@ mod __module_init {{ #[cfg(not(CONFIG_HAVE_ARCH_PREL32_RELOCATIONS))] #[doc(hidden)] #[link_section = \"{initcall_section}\"] - #[used] + #[used(compiler)] pub static __{ident}_initcall: extern \"C\" fn() -> ::kernel::ffi::c_int = __{ident}_init; diff --git a/scripts/Makefile.build b/scripts/Makefile.build index a6461ea411f7..ba71b27aa363 100644 --- a/scripts/Makefile.build +++ b/scripts/Makefile.build @@ -312,10 +312,11 @@ $(obj)/%.lst: $(obj)/%.c FORCE # - Stable since Rust 1.82.0: `feature(asm_const)`, `feature(raw_ref_op)`. # - Stable since Rust 1.87.0: `feature(asm_goto)`. # - Expected to become stable: `feature(arbitrary_self_types)`. +# - To be determined: `feature(used_with_arg)`. # # Please see https://github.com/Rust-for-Linux/linux/issues/2 for details on # the unstable features in use. -rust_allowed_features := asm_const,asm_goto,arbitrary_self_types,lint_reasons,raw_ref_op +rust_allowed_features := asm_const,asm_goto,arbitrary_self_types,lint_reasons,raw_ref_op,used_with_arg # `--out-dir` is required to avoid temporaries being created by `rustc` in the # current working directory, which may be not accessible in the out-of-tree

1 month, 3 weeks

3
2
0 0

[PATCH 6.6.y] erofs: address D-cache aliasing

by Gao Xiang

commit 27917e8194f91dffd8b4825350c63cb68e98ce58 upstream. Flush the D-cache before unlocking folios for compressed inodes, as they are dirtied during decompression. Avoid calling flush_dcache_folio() on every CPU write, since it's more like playing whack-a-mole without real benefit. It has no impact on x86 and arm64/risc-v: on x86, flush_dcache_folio() is a no-op, and on arm64/risc-v, PG_dcache_clean (PG_arch_1) is clear for new page cache folios. However, certain ARM boards are affected, as reported. Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support") Closes: https://lore.kernel.org/r/c1e51e16-6cc6-49d0-a63e-4e9ff6c4dd53@pengutronix.… Closes: https://lore.kernel.org/r/38d43fae-1182-4155-9c5b-ffc7382d9917@siemens.com Tested-by: Jan Kiszka <jan.kiszka(a)siemens.com> Tested-by: Stefan Kerkmann <s.kerkmann(a)pengutronix.de> Link: https://lore.kernel.org/r/20250709034614.2780117-2-hsiangkao@linux.alibaba.… Signed-off-by: Gao Xiang <hsiangkao(a)linux.alibaba.com> --- Hi Jan & Stefan, Please help confirm this 6.6 fix backport if possible. Thanks, Gao Xiang fs/erofs/decompressor.c | 6 ++---- fs/erofs/zdata.c | 32 +++++++++++++++++++------------- 2 files changed, 21 insertions(+), 17 deletions(-) diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index aa59788a61e6..86e088fd386e 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -342,14 +342,12 @@ static int z_erofs_transform_plain(struct z_erofs_decompress_req *rq, if (outpages > inpages) { DBG_BUGON(!rq->out[outpages - 1]); - if (rq->out[outpages - 1] != rq->in[inpages - 1]) { + if (rq->out[outpages - 1] != rq->in[inpages - 1]) memcpy_to_page(rq->out[outpages - 1], 0, src + (interlaced_offset ? 0 : righthalf), lefthalf); - } else if (!interlaced_offset) { + else if (!interlaced_offset) memmove(src, src + righthalf, lefthalf); - flush_dcache_page(rq->in[inpages - 1]); - } } kunmap_local(src); return 0; diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c index 496e4c7c52a4..d852b43ac43e 100644 --- a/fs/erofs/zdata.c +++ b/fs/erofs/zdata.c @@ -122,9 +122,11 @@ static inline unsigned int z_erofs_pclusterpages(struct z_erofs_pcluster *pcl) /* * bit 30: I/O error occurred on this page + * bit 29: CPU has dirty data in D-cache (needs aliasing handling); * bit 0 - 29: remaining parts to complete this page */ -#define Z_EROFS_PAGE_EIO (1 << 30) +#define Z_EROFS_ONLINEPAGE_EIO 30 +#define Z_EROFS_ONLINEPAGE_DIRTY 29 static inline void z_erofs_onlinepage_init(struct page *page) { @@ -143,7 +145,7 @@ static inline void z_erofs_onlinepage_split(struct page *page) atomic_inc((atomic_t *)&page->private); } -static void z_erofs_onlinepage_endio(struct page *page, int err) +static void z_erofs_onlinepage_end(struct page *page, int err, bool dirty) { int orig, v; @@ -151,16 +153,20 @@ static void z_erofs_onlinepage_endio(struct page *page, int err) do { orig = atomic_read((atomic_t *)&page->private); - v = (orig - 1) | (err ? Z_EROFS_PAGE_EIO : 0); + DBG_BUGON(orig <= 0); + v = dirty << Z_EROFS_ONLINEPAGE_DIRTY; + v |= (orig - 1) | (!!err << Z_EROFS_ONLINEPAGE_EIO); } while (atomic_cmpxchg((atomic_t *)&page->private, orig, v) != orig); - if (!(v & ~Z_EROFS_PAGE_EIO)) { - set_page_private(page, 0); - ClearPagePrivate(page); - if (!(v & Z_EROFS_PAGE_EIO)) - SetPageUptodate(page); - unlock_page(page); - } + if (v & (BIT(Z_EROFS_ONLINEPAGE_DIRTY) - 1)) + return; + set_page_private(page, 0); + ClearPagePrivate(page); + if (v & BIT(Z_EROFS_ONLINEPAGE_DIRTY)) + flush_dcache_page(page); + if (!(v & BIT(Z_EROFS_ONLINEPAGE_EIO))) + SetPageUptodate(page); + unlock_page(page); } #define Z_EROFS_ONSTACK_PAGES 32 @@ -1060,7 +1066,7 @@ static int z_erofs_do_read_page(struct z_erofs_decompress_frontend *fe, goto repeat; out: - z_erofs_onlinepage_endio(page, err); + z_erofs_onlinepage_end(page, err, false); return err; } @@ -1163,7 +1169,7 @@ static void z_erofs_fill_other_copies(struct z_erofs_decompress_backend *be, cur += len; } kunmap_local(dst); - z_erofs_onlinepage_endio(bvi->bvec.page, err); + z_erofs_onlinepage_end(bvi->bvec.page, err, true); list_del(p); kfree(bvi); } @@ -1333,7 +1339,7 @@ static int z_erofs_decompress_pcluster(struct z_erofs_decompress_backend *be, /* recycle all individual short-lived pages */ if (z_erofs_put_shortlivedpage(be->pagepool, page)) continue; - z_erofs_onlinepage_endio(page, err); + z_erofs_onlinepage_end(page, err, true); } if (be->decompressed_pages != be->onstack_pages) -- 2.43.5

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] x86/mce/amd: Add default names for MCA banks and blocks" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x d66e1e90b16055d2f0ee76e5384e3f119c3c2773 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071202-cycling-woof-6cf6@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d66e1e90b16055d2f0ee76e5384e3f119c3c2773 Mon Sep 17 00:00:00 2001 From: Yazen Ghannam <yazen.ghannam(a)amd.com> Date: Tue, 24 Jun 2025 14:15:58 +0000 Subject: [PATCH] x86/mce/amd: Add default names for MCA banks and blocks Ensure that sysfs init doesn't fail for new/unrecognized bank types or if a bank has additional blocks available. Most MCA banks have a single thresholding block, so the block takes the same name as the bank. Unified Memory Controllers (UMCs) are a special case where there are two blocks and each has a unique name. However, the microarchitecture allows for five blocks. Any new MCA bank types with more than one block will be missing names for the extra blocks. The MCE sysfs will fail to initialize in this case. Fixes: 87a6d4091bd7 ("x86/mce/AMD: Update sysfs bank names for SMCA systems") Signed-off-by: Yazen Ghannam <yazen.ghannam(a)amd.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/20250624-wip-mca-updates-v4-3-236dd74f645f@amd.com diff --git a/arch/x86/kernel/cpu/mce/amd.c b/arch/x86/kernel/cpu/mce/amd.c index 9d852c3b2cb5..6820ebce5d46 100644 --- a/arch/x86/kernel/cpu/mce/amd.c +++ b/arch/x86/kernel/cpu/mce/amd.c @@ -1113,13 +1113,20 @@ static const char *get_name(unsigned int cpu, unsigned int bank, struct threshol } bank_type = smca_get_bank_type(cpu, bank); - if (bank_type >= N_SMCA_BANK_TYPES) - return NULL; if (b && (bank_type == SMCA_UMC || bank_type == SMCA_UMC_V2)) { if (b->block < ARRAY_SIZE(smca_umc_block_names)) return smca_umc_block_names[b->block]; - return NULL; + } + + if (b && b->block) { + snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_block_%u", b->block); + return buf_mcatype; + } + + if (bank_type >= N_SMCA_BANK_TYPES) { + snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_bank_%u", bank); + return buf_mcatype; } if (per_cpu(smca_bank_counts, cpu)[bank_type] == 1)

1 month, 3 weeks

2
1
0 0

[PATCH 1/2] dt-bindings: display: sprd,sharkl3-dpu: Fix missing clocks constraints

by Krzysztof Kozlowski

'minItems' alone does not impose upper bound, unlike 'maxItems' which implies lower bound. Add missing clock constraint so the list will have exact number of items (clocks). Fixes: 8cae15c60cf0 ("dt-bindings: display: add Unisoc's dpu bindings") Cc: <stable(a)vger.kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> --- .../devicetree/bindings/display/sprd/sprd,sharkl3-dpu.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Documentation/devicetree/bindings/display/sprd/sprd,sharkl3-dpu.yaml b/Documentation/devicetree/bindings/display/sprd/sprd,sharkl3-dpu.yaml index 4ebea60b8c5b..8c52fa0ea5f8 100644 --- a/Documentation/devicetree/bindings/display/sprd/sprd,sharkl3-dpu.yaml +++ b/Documentation/devicetree/bindings/display/sprd/sprd,sharkl3-dpu.yaml @@ -25,7 +25,7 @@ properties: maxItems: 1 clocks: - minItems: 2 + maxItems: 2 clock-names: items: -- 2.48.1

1 month, 3 weeks

2
3
0 0

FAILED: patch "[PATCH] x86/mce/amd: Add default names for MCA banks and blocks" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x d66e1e90b16055d2f0ee76e5384e3f119c3c2773 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071201-coping-motto-1a12@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d66e1e90b16055d2f0ee76e5384e3f119c3c2773 Mon Sep 17 00:00:00 2001 From: Yazen Ghannam <yazen.ghannam(a)amd.com> Date: Tue, 24 Jun 2025 14:15:58 +0000 Subject: [PATCH] x86/mce/amd: Add default names for MCA banks and blocks Ensure that sysfs init doesn't fail for new/unrecognized bank types or if a bank has additional blocks available. Most MCA banks have a single thresholding block, so the block takes the same name as the bank. Unified Memory Controllers (UMCs) are a special case where there are two blocks and each has a unique name. However, the microarchitecture allows for five blocks. Any new MCA bank types with more than one block will be missing names for the extra blocks. The MCE sysfs will fail to initialize in this case. Fixes: 87a6d4091bd7 ("x86/mce/AMD: Update sysfs bank names for SMCA systems") Signed-off-by: Yazen Ghannam <yazen.ghannam(a)amd.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/20250624-wip-mca-updates-v4-3-236dd74f645f@amd.com diff --git a/arch/x86/kernel/cpu/mce/amd.c b/arch/x86/kernel/cpu/mce/amd.c index 9d852c3b2cb5..6820ebce5d46 100644 --- a/arch/x86/kernel/cpu/mce/amd.c +++ b/arch/x86/kernel/cpu/mce/amd.c @@ -1113,13 +1113,20 @@ static const char *get_name(unsigned int cpu, unsigned int bank, struct threshol } bank_type = smca_get_bank_type(cpu, bank); - if (bank_type >= N_SMCA_BANK_TYPES) - return NULL; if (b && (bank_type == SMCA_UMC || bank_type == SMCA_UMC_V2)) { if (b->block < ARRAY_SIZE(smca_umc_block_names)) return smca_umc_block_names[b->block]; - return NULL; + } + + if (b && b->block) { + snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_block_%u", b->block); + return buf_mcatype; + } + + if (bank_type >= N_SMCA_BANK_TYPES) { + snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_bank_%u", bank); + return buf_mcatype; } if (per_cpu(smca_bank_counts, cpu)[bank_type] == 1)

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] x86/mce/amd: Add default names for MCA banks and blocks" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x d66e1e90b16055d2f0ee76e5384e3f119c3c2773 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071200-cone-ogle-b45b@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d66e1e90b16055d2f0ee76e5384e3f119c3c2773 Mon Sep 17 00:00:00 2001 From: Yazen Ghannam <yazen.ghannam(a)amd.com> Date: Tue, 24 Jun 2025 14:15:58 +0000 Subject: [PATCH] x86/mce/amd: Add default names for MCA banks and blocks Ensure that sysfs init doesn't fail for new/unrecognized bank types or if a bank has additional blocks available. Most MCA banks have a single thresholding block, so the block takes the same name as the bank. Unified Memory Controllers (UMCs) are a special case where there are two blocks and each has a unique name. However, the microarchitecture allows for five blocks. Any new MCA bank types with more than one block will be missing names for the extra blocks. The MCE sysfs will fail to initialize in this case. Fixes: 87a6d4091bd7 ("x86/mce/AMD: Update sysfs bank names for SMCA systems") Signed-off-by: Yazen Ghannam <yazen.ghannam(a)amd.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/20250624-wip-mca-updates-v4-3-236dd74f645f@amd.com diff --git a/arch/x86/kernel/cpu/mce/amd.c b/arch/x86/kernel/cpu/mce/amd.c index 9d852c3b2cb5..6820ebce5d46 100644 --- a/arch/x86/kernel/cpu/mce/amd.c +++ b/arch/x86/kernel/cpu/mce/amd.c @@ -1113,13 +1113,20 @@ static const char *get_name(unsigned int cpu, unsigned int bank, struct threshol } bank_type = smca_get_bank_type(cpu, bank); - if (bank_type >= N_SMCA_BANK_TYPES) - return NULL; if (b && (bank_type == SMCA_UMC || bank_type == SMCA_UMC_V2)) { if (b->block < ARRAY_SIZE(smca_umc_block_names)) return smca_umc_block_names[b->block]; - return NULL; + } + + if (b && b->block) { + snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_block_%u", b->block); + return buf_mcatype; + } + + if (bank_type >= N_SMCA_BANK_TYPES) { + snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_bank_%u", bank); + return buf_mcatype; } if (per_cpu(smca_bank_counts, cpu)[bank_type] == 1)

1 month, 3 weeks

2
1
0 0

[PATCH] platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()

by Tzung-Bi Shih

The blocking notifier is registered in cros_ec_register(); however, it isn't unregistered in cros_ec_unregister(). Fix it. Fixes: 42cd0ab476e2 ("platform/chrome: cros_ec: Query EC protocol version if EC transitions between RO/RW") Cc: stable(a)vger.kernel.org Signed-off-by: Tzung-Bi Shih <tzungbi(a)kernel.org> --- This is separated from a series (https://lore.kernel.org/chrome-platform/20250721044456.2736300-3-tzungbi@ke…). While I'm still figuring out/testing the series, it'd be better to send the fix earlier (to catch up the upcoming merge window for example). drivers/platform/chrome/cros_ec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/platform/chrome/cros_ec.c b/drivers/platform/chrome/cros_ec.c index 110771a8645e..fd58781a2fb7 100644 --- a/drivers/platform/chrome/cros_ec.c +++ b/drivers/platform/chrome/cros_ec.c @@ -318,6 +318,9 @@ EXPORT_SYMBOL(cros_ec_register); */ void cros_ec_unregister(struct cros_ec_device *ec_dev) { + if (ec_dev->mkbp_event_supported) + blocking_notifier_chain_unregister(&ec_dev->event_notifier, + &ec_dev->notifier_ready); platform_device_unregister(ec_dev->pd); platform_device_unregister(ec_dev->ec); mutex_destroy(&ec_dev->lock); -- 2.50.0.727.gbf7dc18ff4-goog

1 month, 3 weeks

2
2
0 0

[PATCH v10 1/1] serial: 8250: fix panic due to PSLVERR

by Yunhui Cui

When the PSLVERR_RESP_EN parameter is set to 1, the device generates an error response if an attempt is made to read an empty RBR (Receive Buffer Register) while the FIFO is enabled. In serial8250_do_startup(), calling serial_port_out(port, UART_LCR, UART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes dw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter function enables the FIFO via serial_out(p, UART_FCR, p->fcr). Execution proceeds to the serial_port_in(port, UART_RX). This satisfies the PSLVERR trigger condition. When another CPU (e.g., using printk()) is accessing the UART (UART is busy), the current CPU fails the check (value & ~UART_LCR_SPAR) == (lcr & ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter dw8250_force_idle(). Put serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port->lock to fix this issue. Panic backtrace: [ 0.442336] Oops - unknown exception [#1] [ 0.442343] epc : dw8250_serial_in32+0x1e/0x4a [ 0.442351] ra : serial8250_do_startup+0x2c8/0x88e ... [ 0.442416] console_on_rootfs+0x26/0x70 Fixes: c49436b657d0 ("serial: 8250_dw: Improve unwritable LCR workaround") Link: https://lore.kernel.org/all/84cydt5peu.fsf@jogness.linutronix.de/T/ Signed-off-by: Yunhui Cui <cuiyunhui(a)bytedance.com> Reviewed-by: John Ogness <john.ogness(a)linutronix.de> Cc: stable(a)vger.kernel.org --- drivers/tty/serial/8250/8250_port.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c index 7eddcab318b4b..2da9db960d09f 100644 --- a/drivers/tty/serial/8250/8250_port.c +++ b/drivers/tty/serial/8250/8250_port.c @@ -2269,9 +2269,9 @@ static void serial8250_initialize(struct uart_port *port) { unsigned long flags; + uart_port_lock_irqsave(port, &flags); serial_port_out(port, UART_LCR, UART_LCR_WLEN8); - uart_port_lock_irqsave(port, &flags); serial8250_init_mctrl(port); serial8250_iir_txen_test(port); uart_port_unlock_irqrestore(port, flags); -- 2.39.5

1 month, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] x86/mce/amd: Add default names for MCA banks and blocks" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x d66e1e90b16055d2f0ee76e5384e3f119c3c2773 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071200-bath-copartner-6a91@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d66e1e90b16055d2f0ee76e5384e3f119c3c2773 Mon Sep 17 00:00:00 2001 From: Yazen Ghannam <yazen.ghannam(a)amd.com> Date: Tue, 24 Jun 2025 14:15:58 +0000 Subject: [PATCH] x86/mce/amd: Add default names for MCA banks and blocks Ensure that sysfs init doesn't fail for new/unrecognized bank types or if a bank has additional blocks available. Most MCA banks have a single thresholding block, so the block takes the same name as the bank. Unified Memory Controllers (UMCs) are a special case where there are two blocks and each has a unique name. However, the microarchitecture allows for five blocks. Any new MCA bank types with more than one block will be missing names for the extra blocks. The MCE sysfs will fail to initialize in this case. Fixes: 87a6d4091bd7 ("x86/mce/AMD: Update sysfs bank names for SMCA systems") Signed-off-by: Yazen Ghannam <yazen.ghannam(a)amd.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/20250624-wip-mca-updates-v4-3-236dd74f645f@amd.com diff --git a/arch/x86/kernel/cpu/mce/amd.c b/arch/x86/kernel/cpu/mce/amd.c index 9d852c3b2cb5..6820ebce5d46 100644 --- a/arch/x86/kernel/cpu/mce/amd.c +++ b/arch/x86/kernel/cpu/mce/amd.c @@ -1113,13 +1113,20 @@ static const char *get_name(unsigned int cpu, unsigned int bank, struct threshol } bank_type = smca_get_bank_type(cpu, bank); - if (bank_type >= N_SMCA_BANK_TYPES) - return NULL; if (b && (bank_type == SMCA_UMC || bank_type == SMCA_UMC_V2)) { if (b->block < ARRAY_SIZE(smca_umc_block_names)) return smca_umc_block_names[b->block]; - return NULL; + } + + if (b && b->block) { + snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_block_%u", b->block); + return buf_mcatype; + } + + if (bank_type >= N_SMCA_BANK_TYPES) { + snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_bank_%u", bank); + return buf_mcatype; } if (per_cpu(smca_bank_counts, cpu)[bank_type] == 1)

1 month, 3 weeks

2
1
0 0

[PATCH AUTOSEL 5.4 1/2] ethernet: intel: fix building with large NR_CPUS

by Sasha Levin

From: Arnd Bergmann <arnd(a)arndb.de> [ Upstream commit 24171a5a4a952c26568ff0d2a0bc8c4708a95e1d ] With large values of CONFIG_NR_CPUS, three Intel ethernet drivers fail to compile like: In function ‘i40e_free_q_vector’, inlined from ‘i40e_vsi_alloc_q_vectors’ at drivers/net/ethernet/intel/i40e/i40e_main.c:12112:3: 571 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) include/linux/rcupdate.h:1084:17: note: in expansion of macro ‘BUILD_BUG_ON’ 1084 | BUILD_BUG_ON(offsetof(typeof(*(ptr)), rhf) >= 4096); \ drivers/net/ethernet/intel/i40e/i40e_main.c:5113:9: note: in expansion of macro ‘kfree_rcu’ 5113 | kfree_rcu(q_vector, rcu); | ^~~~~~~~~ The problem is that the 'rcu' member in 'q_vector' is too far from the start of the structure. Move this member before the CPU mask instead, in all three drivers. Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> Acked-by: David S. Miller <davem(a)davemloft.net> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov(a)intel.com> Reviewed-by: Alexander Lobakin <aleksander.lobakin(a)intel.com> Tested-by: Sunitha Mekala <sunithax.d.mekala(a)intel.com> (A Contingent worker at Intel) Signed-off-by: Tony Nguyen <anthony.l.nguyen(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: **YES** This commit should be backported to stable kernel trees for the following reasons: 1. **Compilation Failure Fix**: This fixes a build-time compilation failure that occurs with large values of CONFIG_NR_CPUS. The error prevents the kernel from building successfully, which is a significant issue for systems configured with high CPU counts. 2. **Root Cause**: The issue stems from the `kfree_rcu()` macro in `include/linux/rcupdate.h:1084` which includes a `BUILD_BUG_ON(offsetof(typeof(*(ptr)), rhf) >= 4096)` check. This compile-time assertion ensures that the RCU head field is within the first 4096 bytes of the structure. 3. **Simple and Safe Fix**: The fix is straightforward - it moves the `struct rcu_head rcu` member earlier in the structure, placing it before the `cpumask_t affinity_mask` member. This is a safe change because: - It only reorders structure members - The RCU head doesn't need to be at any specific location functionally - Moving it earlier reduces the offset from the structure start - No functional code changes are required 4. **Affects Multiple Drivers**: The issue affects three Intel ethernet drivers (i40e, ixgbe, fm10k), all of which are fixed identically by moving the rcu member earlier in their respective q_vector structures. 5. **Configuration-Dependent Bug**: This bug only manifests with large CONFIG_NR_CPUS values (likely >= 512 or higher), where the `cpumask_t` type becomes large enough to push the rcu member beyond the 4096-byte offset limit. Systems with high core counts are becoming more common in production environments. 6. **No Risk of Regression**: The change is minimal and doesn't alter any functionality. It's purely a structural reordering that maintains all existing behavior while fixing the compilation issue. 7. **Meets Stable Criteria**: This fix clearly meets the stable kernel criteria as it: - Fixes a real bug (compilation failure) - Is minimal and contained - Has no risk of introducing new issues - Affects users with legitimate configurations The commit is an excellent candidate for stable backporting as it fixes a real compilation issue that prevents kernel builds on systems with large CPU counts, and the fix is trivial with no risk of regression. drivers/net/ethernet/intel/fm10k/fm10k.h | 3 ++- drivers/net/ethernet/intel/i40e/i40e.h | 2 +- drivers/net/ethernet/intel/ixgbe/ixgbe.h | 3 ++- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/intel/fm10k/fm10k.h b/drivers/net/ethernet/intel/fm10k/fm10k.h index b14441944b4b2..db72e5e4acd36 100644 --- a/drivers/net/ethernet/intel/fm10k/fm10k.h +++ b/drivers/net/ethernet/intel/fm10k/fm10k.h @@ -189,13 +189,14 @@ struct fm10k_q_vector { struct fm10k_ring_container rx, tx; struct napi_struct napi; + struct rcu_head rcu; /* to avoid race with update stats on free */ + cpumask_t affinity_mask; char name[IFNAMSIZ + 9]; #ifdef CONFIG_DEBUG_FS struct dentry *dbg_q_vector; #endif /* CONFIG_DEBUG_FS */ - struct rcu_head rcu; /* to avoid race with update stats on free */ /* for dynamic allocation of rings associated with this q_vector */ struct fm10k_ring ring[0] ____cacheline_internodealigned_in_smp; diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h index 4c8c31692e9e0..edb5e408c980f 100644 --- a/drivers/net/ethernet/intel/i40e/i40e.h +++ b/drivers/net/ethernet/intel/i40e/i40e.h @@ -864,6 +864,7 @@ struct i40e_q_vector { u16 reg_idx; /* register index of the interrupt */ struct napi_struct napi; + struct rcu_head rcu; /* to avoid race with update stats on free */ struct i40e_ring_container rx; struct i40e_ring_container tx; @@ -874,7 +875,6 @@ struct i40e_q_vector { cpumask_t affinity_mask; struct irq_affinity_notify affinity_notify; - struct rcu_head rcu; /* to avoid race with update stats on free */ char name[I40E_INT_NAME_STR_LEN]; bool arm_wb_state; } ____cacheline_internodealigned_in_smp; diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe.h b/drivers/net/ethernet/intel/ixgbe/ixgbe.h index 0142ca226bf50..0f9a1fce0dee9 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe.h +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe.h @@ -458,9 +458,10 @@ struct ixgbe_q_vector { struct ixgbe_ring_container rx, tx; struct napi_struct napi; + struct rcu_head rcu; /* to avoid race with update stats on free */ + cpumask_t affinity_mask; int numa_node; - struct rcu_head rcu; /* to avoid race with update stats on free */ char name[IFNAMSIZ + 9]; /* for dynamic allocation of rings associated with this q_vector */ -- 2.39.5

1 month, 3 weeks

1
1
0 0

[PATCH AUTOSEL 5.10 1/2] ethernet: intel: fix building with large NR_CPUS

by Sasha Levin

From: Arnd Bergmann <arnd(a)arndb.de> [ Upstream commit 24171a5a4a952c26568ff0d2a0bc8c4708a95e1d ] With large values of CONFIG_NR_CPUS, three Intel ethernet drivers fail to compile like: In function ‘i40e_free_q_vector’, inlined from ‘i40e_vsi_alloc_q_vectors’ at drivers/net/ethernet/intel/i40e/i40e_main.c:12112:3: 571 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) include/linux/rcupdate.h:1084:17: note: in expansion of macro ‘BUILD_BUG_ON’ 1084 | BUILD_BUG_ON(offsetof(typeof(*(ptr)), rhf) >= 4096); \ drivers/net/ethernet/intel/i40e/i40e_main.c:5113:9: note: in expansion of macro ‘kfree_rcu’ 5113 | kfree_rcu(q_vector, rcu); | ^~~~~~~~~ The problem is that the 'rcu' member in 'q_vector' is too far from the start of the structure. Move this member before the CPU mask instead, in all three drivers. Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> Acked-by: David S. Miller <davem(a)davemloft.net> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov(a)intel.com> Reviewed-by: Alexander Lobakin <aleksander.lobakin(a)intel.com> Tested-by: Sunitha Mekala <sunithax.d.mekala(a)intel.com> (A Contingent worker at Intel) Signed-off-by: Tony Nguyen <anthony.l.nguyen(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: **YES** This commit should be backported to stable kernel trees for the following reasons: 1. **Compilation Failure Fix**: This fixes a build-time compilation failure that occurs with large values of CONFIG_NR_CPUS. The error prevents the kernel from building successfully, which is a significant issue for systems configured with high CPU counts. 2. **Root Cause**: The issue stems from the `kfree_rcu()` macro in `include/linux/rcupdate.h:1084` which includes a `BUILD_BUG_ON(offsetof(typeof(*(ptr)), rhf) >= 4096)` check. This compile-time assertion ensures that the RCU head field is within the first 4096 bytes of the structure. 3. **Simple and Safe Fix**: The fix is straightforward - it moves the `struct rcu_head rcu` member earlier in the structure, placing it before the `cpumask_t affinity_mask` member. This is a safe change because: - It only reorders structure members - The RCU head doesn't need to be at any specific location functionally - Moving it earlier reduces the offset from the structure start - No functional code changes are required 4. **Affects Multiple Drivers**: The issue affects three Intel ethernet drivers (i40e, ixgbe, fm10k), all of which are fixed identically by moving the rcu member earlier in their respective q_vector structures. 5. **Configuration-Dependent Bug**: This bug only manifests with large CONFIG_NR_CPUS values (likely >= 512 or higher), where the `cpumask_t` type becomes large enough to push the rcu member beyond the 4096-byte offset limit. Systems with high core counts are becoming more common in production environments. 6. **No Risk of Regression**: The change is minimal and doesn't alter any functionality. It's purely a structural reordering that maintains all existing behavior while fixing the compilation issue. 7. **Meets Stable Criteria**: This fix clearly meets the stable kernel criteria as it: - Fixes a real bug (compilation failure) - Is minimal and contained - Has no risk of introducing new issues - Affects users with legitimate configurations The commit is an excellent candidate for stable backporting as it fixes a real compilation issue that prevents kernel builds on systems with large CPU counts, and the fix is trivial with no risk of regression. drivers/net/ethernet/intel/fm10k/fm10k.h | 3 ++- drivers/net/ethernet/intel/i40e/i40e.h | 2 +- drivers/net/ethernet/intel/ixgbe/ixgbe.h | 3 ++- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/intel/fm10k/fm10k.h b/drivers/net/ethernet/intel/fm10k/fm10k.h index 6119a41088381..65a2816142d96 100644 --- a/drivers/net/ethernet/intel/fm10k/fm10k.h +++ b/drivers/net/ethernet/intel/fm10k/fm10k.h @@ -189,13 +189,14 @@ struct fm10k_q_vector { struct fm10k_ring_container rx, tx; struct napi_struct napi; + struct rcu_head rcu; /* to avoid race with update stats on free */ + cpumask_t affinity_mask; char name[IFNAMSIZ + 9]; #ifdef CONFIG_DEBUG_FS struct dentry *dbg_q_vector; #endif /* CONFIG_DEBUG_FS */ - struct rcu_head rcu; /* to avoid race with update stats on free */ /* for dynamic allocation of rings associated with this q_vector */ struct fm10k_ring ring[] ____cacheline_internodealigned_in_smp; diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h index dd630b6bc74bd..add9a3107d9a0 100644 --- a/drivers/net/ethernet/intel/i40e/i40e.h +++ b/drivers/net/ethernet/intel/i40e/i40e.h @@ -863,6 +863,7 @@ struct i40e_q_vector { u16 reg_idx; /* register index of the interrupt */ struct napi_struct napi; + struct rcu_head rcu; /* to avoid race with update stats on free */ struct i40e_ring_container rx; struct i40e_ring_container tx; @@ -873,7 +874,6 @@ struct i40e_q_vector { cpumask_t affinity_mask; struct irq_affinity_notify affinity_notify; - struct rcu_head rcu; /* to avoid race with update stats on free */ char name[I40E_INT_NAME_STR_LEN]; bool arm_wb_state; } ____cacheline_internodealigned_in_smp; diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe.h b/drivers/net/ethernet/intel/ixgbe/ixgbe.h index 18251edbfabfb..3ea7095fc04f5 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe.h +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe.h @@ -457,9 +457,10 @@ struct ixgbe_q_vector { struct ixgbe_ring_container rx, tx; struct napi_struct napi; + struct rcu_head rcu; /* to avoid race with update stats on free */ + cpumask_t affinity_mask; int numa_node; - struct rcu_head rcu; /* to avoid race with update stats on free */ char name[IFNAMSIZ + 9]; /* for dynamic allocation of rings associated with this q_vector */ -- 2.39.5

1 month, 3 weeks

1
1
0 0

[PATCH AUTOSEL 5.15 1/2] ethernet: intel: fix building with large NR_CPUS

by Sasha Levin

From: Arnd Bergmann <arnd(a)arndb.de> [ Upstream commit 24171a5a4a952c26568ff0d2a0bc8c4708a95e1d ] With large values of CONFIG_NR_CPUS, three Intel ethernet drivers fail to compile like: In function ‘i40e_free_q_vector’, inlined from ‘i40e_vsi_alloc_q_vectors’ at drivers/net/ethernet/intel/i40e/i40e_main.c:12112:3: 571 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) include/linux/rcupdate.h:1084:17: note: in expansion of macro ‘BUILD_BUG_ON’ 1084 | BUILD_BUG_ON(offsetof(typeof(*(ptr)), rhf) >= 4096); \ drivers/net/ethernet/intel/i40e/i40e_main.c:5113:9: note: in expansion of macro ‘kfree_rcu’ 5113 | kfree_rcu(q_vector, rcu); | ^~~~~~~~~ The problem is that the 'rcu' member in 'q_vector' is too far from the start of the structure. Move this member before the CPU mask instead, in all three drivers. Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> Acked-by: David S. Miller <davem(a)davemloft.net> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov(a)intel.com> Reviewed-by: Alexander Lobakin <aleksander.lobakin(a)intel.com> Tested-by: Sunitha Mekala <sunithax.d.mekala(a)intel.com> (A Contingent worker at Intel) Signed-off-by: Tony Nguyen <anthony.l.nguyen(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: **YES** This commit should be backported to stable kernel trees for the following reasons: 1. **Compilation Failure Fix**: This fixes a build-time compilation failure that occurs with large values of CONFIG_NR_CPUS. The error prevents the kernel from building successfully, which is a significant issue for systems configured with high CPU counts. 2. **Root Cause**: The issue stems from the `kfree_rcu()` macro in `include/linux/rcupdate.h:1084` which includes a `BUILD_BUG_ON(offsetof(typeof(*(ptr)), rhf) >= 4096)` check. This compile-time assertion ensures that the RCU head field is within the first 4096 bytes of the structure. 3. **Simple and Safe Fix**: The fix is straightforward - it moves the `struct rcu_head rcu` member earlier in the structure, placing it before the `cpumask_t affinity_mask` member. This is a safe change because: - It only reorders structure members - The RCU head doesn't need to be at any specific location functionally - Moving it earlier reduces the offset from the structure start - No functional code changes are required 4. **Affects Multiple Drivers**: The issue affects three Intel ethernet drivers (i40e, ixgbe, fm10k), all of which are fixed identically by moving the rcu member earlier in their respective q_vector structures. 5. **Configuration-Dependent Bug**: This bug only manifests with large CONFIG_NR_CPUS values (likely >= 512 or higher), where the `cpumask_t` type becomes large enough to push the rcu member beyond the 4096-byte offset limit. Systems with high core counts are becoming more common in production environments. 6. **No Risk of Regression**: The change is minimal and doesn't alter any functionality. It's purely a structural reordering that maintains all existing behavior while fixing the compilation issue. 7. **Meets Stable Criteria**: This fix clearly meets the stable kernel criteria as it: - Fixes a real bug (compilation failure) - Is minimal and contained - Has no risk of introducing new issues - Affects users with legitimate configurations The commit is an excellent candidate for stable backporting as it fixes a real compilation issue that prevents kernel builds on systems with large CPU counts, and the fix is trivial with no risk of regression. drivers/net/ethernet/intel/fm10k/fm10k.h | 3 ++- drivers/net/ethernet/intel/i40e/i40e.h | 2 +- drivers/net/ethernet/intel/ixgbe/ixgbe.h | 3 ++- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/intel/fm10k/fm10k.h b/drivers/net/ethernet/intel/fm10k/fm10k.h index 6119a41088381..65a2816142d96 100644 --- a/drivers/net/ethernet/intel/fm10k/fm10k.h +++ b/drivers/net/ethernet/intel/fm10k/fm10k.h @@ -189,13 +189,14 @@ struct fm10k_q_vector { struct fm10k_ring_container rx, tx; struct napi_struct napi; + struct rcu_head rcu; /* to avoid race with update stats on free */ + cpumask_t affinity_mask; char name[IFNAMSIZ + 9]; #ifdef CONFIG_DEBUG_FS struct dentry *dbg_q_vector; #endif /* CONFIG_DEBUG_FS */ - struct rcu_head rcu; /* to avoid race with update stats on free */ /* for dynamic allocation of rings associated with this q_vector */ struct fm10k_ring ring[] ____cacheline_internodealigned_in_smp; diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h index a143440f3db62..223d5831a5bbe 100644 --- a/drivers/net/ethernet/intel/i40e/i40e.h +++ b/drivers/net/ethernet/intel/i40e/i40e.h @@ -961,6 +961,7 @@ struct i40e_q_vector { u16 reg_idx; /* register index of the interrupt */ struct napi_struct napi; + struct rcu_head rcu; /* to avoid race with update stats on free */ struct i40e_ring_container rx; struct i40e_ring_container tx; @@ -971,7 +972,6 @@ struct i40e_q_vector { cpumask_t affinity_mask; struct irq_affinity_notify affinity_notify; - struct rcu_head rcu; /* to avoid race with update stats on free */ char name[I40E_INT_NAME_STR_LEN]; bool arm_wb_state; bool in_busy_poll; diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe.h b/drivers/net/ethernet/intel/ixgbe/ixgbe.h index 737590a0d849e..09f7a3787f272 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe.h +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe.h @@ -458,9 +458,10 @@ struct ixgbe_q_vector { struct ixgbe_ring_container rx, tx; struct napi_struct napi; + struct rcu_head rcu; /* to avoid race with update stats on free */ + cpumask_t affinity_mask; int numa_node; - struct rcu_head rcu; /* to avoid race with update stats on free */ char name[IFNAMSIZ + 9]; /* for dynamic allocation of rings associated with this q_vector */ -- 2.39.5

1 month, 3 weeks

1
1
0 0

[PATCH AUTOSEL 6.1 1/3] ethernet: intel: fix building with large NR_CPUS

by Sasha Levin

From: Arnd Bergmann <arnd(a)arndb.de> [ Upstream commit 24171a5a4a952c26568ff0d2a0bc8c4708a95e1d ] With large values of CONFIG_NR_CPUS, three Intel ethernet drivers fail to compile like: In function ‘i40e_free_q_vector’, inlined from ‘i40e_vsi_alloc_q_vectors’ at drivers/net/ethernet/intel/i40e/i40e_main.c:12112:3: 571 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) include/linux/rcupdate.h:1084:17: note: in expansion of macro ‘BUILD_BUG_ON’ 1084 | BUILD_BUG_ON(offsetof(typeof(*(ptr)), rhf) >= 4096); \ drivers/net/ethernet/intel/i40e/i40e_main.c:5113:9: note: in expansion of macro ‘kfree_rcu’ 5113 | kfree_rcu(q_vector, rcu); | ^~~~~~~~~ The problem is that the 'rcu' member in 'q_vector' is too far from the start of the structure. Move this member before the CPU mask instead, in all three drivers. Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> Acked-by: David S. Miller <davem(a)davemloft.net> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov(a)intel.com> Reviewed-by: Alexander Lobakin <aleksander.lobakin(a)intel.com> Tested-by: Sunitha Mekala <sunithax.d.mekala(a)intel.com> (A Contingent worker at Intel) Signed-off-by: Tony Nguyen <anthony.l.nguyen(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: **YES** This commit should be backported to stable kernel trees for the following reasons: 1. **Compilation Failure Fix**: This fixes a build-time compilation failure that occurs with large values of CONFIG_NR_CPUS. The error prevents the kernel from building successfully, which is a significant issue for systems configured with high CPU counts. 2. **Root Cause**: The issue stems from the `kfree_rcu()` macro in `include/linux/rcupdate.h:1084` which includes a `BUILD_BUG_ON(offsetof(typeof(*(ptr)), rhf) >= 4096)` check. This compile-time assertion ensures that the RCU head field is within the first 4096 bytes of the structure. 3. **Simple and Safe Fix**: The fix is straightforward - it moves the `struct rcu_head rcu` member earlier in the structure, placing it before the `cpumask_t affinity_mask` member. This is a safe change because: - It only reorders structure members - The RCU head doesn't need to be at any specific location functionally - Moving it earlier reduces the offset from the structure start - No functional code changes are required 4. **Affects Multiple Drivers**: The issue affects three Intel ethernet drivers (i40e, ixgbe, fm10k), all of which are fixed identically by moving the rcu member earlier in their respective q_vector structures. 5. **Configuration-Dependent Bug**: This bug only manifests with large CONFIG_NR_CPUS values (likely >= 512 or higher), where the `cpumask_t` type becomes large enough to push the rcu member beyond the 4096-byte offset limit. Systems with high core counts are becoming more common in production environments. 6. **No Risk of Regression**: The change is minimal and doesn't alter any functionality. It's purely a structural reordering that maintains all existing behavior while fixing the compilation issue. 7. **Meets Stable Criteria**: This fix clearly meets the stable kernel criteria as it: - Fixes a real bug (compilation failure) - Is minimal and contained - Has no risk of introducing new issues - Affects users with legitimate configurations The commit is an excellent candidate for stable backporting as it fixes a real compilation issue that prevents kernel builds on systems with large CPU counts, and the fix is trivial with no risk of regression. drivers/net/ethernet/intel/fm10k/fm10k.h | 3 ++- drivers/net/ethernet/intel/i40e/i40e.h | 2 +- drivers/net/ethernet/intel/ixgbe/ixgbe.h | 3 ++- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/intel/fm10k/fm10k.h b/drivers/net/ethernet/intel/fm10k/fm10k.h index 6119a41088381..65a2816142d96 100644 --- a/drivers/net/ethernet/intel/fm10k/fm10k.h +++ b/drivers/net/ethernet/intel/fm10k/fm10k.h @@ -189,13 +189,14 @@ struct fm10k_q_vector { struct fm10k_ring_container rx, tx; struct napi_struct napi; + struct rcu_head rcu; /* to avoid race with update stats on free */ + cpumask_t affinity_mask; char name[IFNAMSIZ + 9]; #ifdef CONFIG_DEBUG_FS struct dentry *dbg_q_vector; #endif /* CONFIG_DEBUG_FS */ - struct rcu_head rcu; /* to avoid race with update stats on free */ /* for dynamic allocation of rings associated with this q_vector */ struct fm10k_ring ring[] ____cacheline_internodealigned_in_smp; diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h index 22ac8c48ca340..61590e92f3abc 100644 --- a/drivers/net/ethernet/intel/i40e/i40e.h +++ b/drivers/net/ethernet/intel/i40e/i40e.h @@ -980,6 +980,7 @@ struct i40e_q_vector { u16 reg_idx; /* register index of the interrupt */ struct napi_struct napi; + struct rcu_head rcu; /* to avoid race with update stats on free */ struct i40e_ring_container rx; struct i40e_ring_container tx; @@ -990,7 +991,6 @@ struct i40e_q_vector { cpumask_t affinity_mask; struct irq_affinity_notify affinity_notify; - struct rcu_head rcu; /* to avoid race with update stats on free */ char name[I40E_INT_NAME_STR_LEN]; bool arm_wb_state; bool in_busy_poll; diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe.h b/drivers/net/ethernet/intel/ixgbe/ixgbe.h index 2bf387e52e202..f49b99b175ef4 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe.h +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe.h @@ -498,9 +498,10 @@ struct ixgbe_q_vector { struct ixgbe_ring_container rx, tx; struct napi_struct napi; + struct rcu_head rcu; /* to avoid race with update stats on free */ + cpumask_t affinity_mask; int numa_node; - struct rcu_head rcu; /* to avoid race with update stats on free */ char name[IFNAMSIZ + 9]; /* for dynamic allocation of rings associated with this q_vector */ -- 2.39.5

1 month, 3 weeks

1
2
0 0

[PATCH AUTOSEL 6.6 1/5] ASoC: amd: yc: Add DMI quirk for HP Laptop 17 cp-2033dx

by Sasha Levin

From: Lane Odenbach <laodenbach(a)gmail.com> [ Upstream commit 7bab1bd9fdf15b9fa7e6a4b0151deab93df3c80d ] This fixes the internal microphone in the stated device Signed-off-by: Lane Odenbach <laodenbach(a)gmail.com> Link: https://patch.msgid.link/20250715182038.10048-1-laodenbach@gmail.com Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: **YES** This commit should be backported to stable kernel trees for the following reasons: 1. **Bug Fix for Hardware Functionality**: The commit fixes a non- functional internal microphone on the HP Laptop 17 cp-2033dx. This is a hardware enablement bug fix that prevents users from using a core functionality of their laptop. 2. **Minimal and Contained Change**: The change is extremely minimal - it only adds 7 lines to the DMI quirk table: ```c + { + .driver_data = &acp6x_card, + .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "HP"), + DMI_MATCH(DMI_BOARD_NAME, "8A81"), + } + }, ``` This is a simple DMI match addition with no algorithmic changes or side effects. 3. **Low Risk of Regression**: DMI quirk additions are inherently safe as they only affect the specific hardware model being added. The change cannot impact any other system that doesn't match the exact DMI strings. 4. **Follows Established Pattern**: All five similar commits provided as reference (for HP models with board names 8BD6, 8A3E, 8A22, 8A27, and other manufacturers) were marked as "Backport Status: YES". This type of commit has a well-established history of being backported. 5. **User-Impacting Issue**: Without this quirk, users of the HP Laptop 17 cp-2033dx cannot use their internal microphone, which is essential functionality for video calls, recording, and voice commands. This significantly degrades the user experience. 6. **Consistent with Stable Tree Rules**: The commit meets the stable kernel criteria: - It fixes a real bug that bothers users (non-functional microphone) - It's obviously correct and tested (standard DMI quirk pattern) - It's small (7 lines) - It doesn't add new features, only fixes existing functionality The AMD Yellow Carp (YC) audio driver uses DMI quirks to enable the internal microphone on specific laptop models. Without these quirks, the DMIC (Digital Microphone) won't be properly initialized on affected systems. This is a common pattern in the Linux kernel for handling hardware-specific configurations. sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c index 66ef8f4fd02cd..74f8e12aa7107 100644 --- a/sound/soc/amd/yc/acp6x-mach.c +++ b/sound/soc/amd/yc/acp6x-mach.c @@ -577,6 +577,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { DMI_MATCH(DMI_BOARD_NAME, "8A7F"), } }, + { + .driver_data = &acp6x_card, + .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "HP"), + DMI_MATCH(DMI_BOARD_NAME, "8A81"), + } + }, { .driver_data = &acp6x_card, .matches = { -- 2.39.5

1 month, 3 weeks

1
4
0 0

[PATCH AUTOSEL 6.12 1/6] ASoC: amd: yc: Add DMI quirk for HP Laptop 17 cp-2033dx

by Sasha Levin

From: Lane Odenbach <laodenbach(a)gmail.com> [ Upstream commit 7bab1bd9fdf15b9fa7e6a4b0151deab93df3c80d ] This fixes the internal microphone in the stated device Signed-off-by: Lane Odenbach <laodenbach(a)gmail.com> Link: https://patch.msgid.link/20250715182038.10048-1-laodenbach@gmail.com Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: **YES** This commit should be backported to stable kernel trees for the following reasons: 1. **Bug Fix for Hardware Functionality**: The commit fixes a non- functional internal microphone on the HP Laptop 17 cp-2033dx. This is a hardware enablement bug fix that prevents users from using a core functionality of their laptop. 2. **Minimal and Contained Change**: The change is extremely minimal - it only adds 7 lines to the DMI quirk table: ```c + { + .driver_data = &acp6x_card, + .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "HP"), + DMI_MATCH(DMI_BOARD_NAME, "8A81"), + } + }, ``` This is a simple DMI match addition with no algorithmic changes or side effects. 3. **Low Risk of Regression**: DMI quirk additions are inherently safe as they only affect the specific hardware model being added. The change cannot impact any other system that doesn't match the exact DMI strings. 4. **Follows Established Pattern**: All five similar commits provided as reference (for HP models with board names 8BD6, 8A3E, 8A22, 8A27, and other manufacturers) were marked as "Backport Status: YES". This type of commit has a well-established history of being backported. 5. **User-Impacting Issue**: Without this quirk, users of the HP Laptop 17 cp-2033dx cannot use their internal microphone, which is essential functionality for video calls, recording, and voice commands. This significantly degrades the user experience. 6. **Consistent with Stable Tree Rules**: The commit meets the stable kernel criteria: - It fixes a real bug that bothers users (non-functional microphone) - It's obviously correct and tested (standard DMI quirk pattern) - It's small (7 lines) - It doesn't add new features, only fixes existing functionality The AMD Yellow Carp (YC) audio driver uses DMI quirks to enable the internal microphone on specific laptop models. Without these quirks, the DMIC (Digital Microphone) won't be properly initialized on affected systems. This is a common pattern in the Linux kernel for handling hardware-specific configurations. sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c index 1689b6b22598e..42d123cb8b4c6 100644 --- a/sound/soc/amd/yc/acp6x-mach.c +++ b/sound/soc/amd/yc/acp6x-mach.c @@ -577,6 +577,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { DMI_MATCH(DMI_BOARD_NAME, "8A7F"), } }, + { + .driver_data = &acp6x_card, + .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "HP"), + DMI_MATCH(DMI_BOARD_NAME, "8A81"), + } + }, { .driver_data = &acp6x_card, .matches = { -- 2.39.5

1 month, 3 weeks

1
5
0 0

[PATCH AUTOSEL 6.15 1/8] drm/radeon: Do not hold console lock while suspending clients

by Sasha Levin

From: Thomas Zimmermann <tzimmermann(a)suse.de> [ Upstream commit 5dd0b96118e09a3725e3f83543e133b1fd02c18c ] The radeon driver holds the console lock while suspending in-kernel DRM clients. This creates a circular dependency with the client-list mutex, which is supposed to be acquired first. Reported when combining radeon with another DRM driver. Therefore, do not take the console lock in radeon, but let the fbdev DRM client acquire the lock when needed. This is what all other DRM drivers so. Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Reported-by: Jeff Johnson <jeff.johnson(a)oss.qualcomm.com> Closes: https://lore.kernel.org/dri-devel/0a087cfd-bd4c-48f1-aa2f-4a3b12593935@oss.… Suggested-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit 612ec7c69d04cb58beb1332c2806da9f2f47a3ae) Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: Based on my analysis of the commit and the code changes, here is my assessment: **Answer: YES** This commit should be backported to stable kernel trees. Here's my extensive explanation: ## 1. **The commit fixes a real circular locking dependency bug** The commit message clearly states this fixes a "circular dependency with the client-list mutex" that was "Reported when combining radeon with another DRM driver." This is a real bug that can lead to deadlocks in production systems. ## 2. **The fix is minimal and focused** The code changes are very small and targeted: - In `radeon_suspend_kms()`: Changed from calling `drm_client_dev_suspend(dev, true)` with console_lock held to `drm_client_dev_suspend(dev, false)` without holding the lock - In `radeon_resume_kms()`: Removed the console_lock/unlock calls around `drm_client_dev_resume()` The second parameter to `drm_client_dev_suspend()` indicates whether the caller holds the console lock. By changing it from `true` to `false`, radeon now follows the same pattern as other DRM drivers. ## 3. **This aligns radeon with other DRM drivers** The commit message explicitly states: "This is what all other DRM drivers so." Looking at the similar commits provided: - Similar Commit #1 shows radeon being updated to use the new client suspend/resume infrastructure - Similar Commit #4 shows amdgpu (the successor to radeon) already using `drm_client_dev_suspend(dev, false)` without holding the console lock ## 4. **The bug has real-world impact** The issue was reported by a real user (Jeff Johnson) and occurs "when combining radeon with another DRM driver." Multi-GPU systems are increasingly common, especially with integrated + discrete GPU configurations. ## 5. **Low regression risk** The change removes lock acquisition rather than adding it, which generally has lower risk. The fbdev DRM client will acquire the console lock when needed (as mentioned in the commit message), so the necessary locking still occurs - just at the correct layer to avoid the circular dependency. ## 6. **Similar to historical fixes** Looking at Similar Commit #5 (amdgpu console lock restructuring), we can see there's a history of console lock ordering issues in AMD GPU drivers that have been fixed in the past. This suggests these types of fixes are considered important enough for the maintainers. ## 7. **The fix is already cherry-picked** The commit message shows "(cherry picked from commit 612ec7c69d04cb58beb1332c2806da9f2f47a3ae)" indicating this was already selected for backporting by maintainers. The only potential concern would be ensuring that the DRM client infrastructure this depends on is present in the stable kernels being targeted, but given that this is fixing a bug in existing code paths, the infrastructure must already be there. drivers/gpu/drm/radeon/radeon_device.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c index bbd39348a7aba..6f50cfdfe5a2e 100644 --- a/drivers/gpu/drm/radeon/radeon_device.c +++ b/drivers/gpu/drm/radeon/radeon_device.c @@ -1635,11 +1635,9 @@ int radeon_suspend_kms(struct drm_device *dev, bool suspend, pci_set_power_state(pdev, PCI_D3hot); } - if (notify_clients) { - console_lock(); - drm_client_dev_suspend(dev, true); - console_unlock(); - } + if (notify_clients) + drm_client_dev_suspend(dev, false); + return 0; } -- 2.39.5

1 month, 3 weeks

1
7
0 0

Re: Follow Up

by Clint Carnell

Hi, I wanted to check with you if you had time to go through my previous email. Let me know your thoughts about acquiring this email list. Regards, *Clint* *____________________________________________________________________________* Hi, We have successfully built a verified file of *Healthcare Industry *contacts with accurate emails. Would you be interested in acquiring* Healthcare Industry Professionals List* across North America, UK, Europe and Global? *Few Lists**:* Physicians and Surgeons Lists, Nurses Lists, Hospitals Lists, Ambulatory Surgery Centers List, Hospitals Executives Decision Makers list, Home Healthcare Lists, Pharmacy Lists, Clinical Director/Managers Email List, Facility Manager Lists, Hospital Administrator Lists, Nurse Manager Lists, Clinical Director Email List, Laboratory Managers & Directors Email List, General Medical & Surgical Hospitals Executives Email List, Pharmacy Decision Makers List, NP’s & PA’s Email list many more. *Few Physician Specialties**:* Anesthesiologist, Cardiologist, Dermatologist, Dentist, Emergency Medicine, Family Practitioners, Gastroenterologist, General Practitioners, Gynecologist, Hospitalist, Hematologist, Internal Medicine, Nephrologists, Neurologist, Oncologist, Ophthalmologist, Optometrist, Pathologist, Pediatrician, Psychiatrist, Psychologist, Plastic Surgeon, Podiatrist, Pulmonologist, Radiologist, Rheumatologist, Urologist, Physician Assistants, Nurse Practitioners, Registered Nurses, etc. *Our list comes with*: Company/Organization, Website, Contacts, Title, Address, Direct Number and Email Address, Revenue Size, Employee Size, Industry segment. Please send me your *target audience and geographical area*, so that I can give you more information, *Counts and Pricing *for your review. Looking forward to hearing from you. Regards, *Clint Carnell| Customer Success Manager* *B2B Marketing & Tradeshow Specialist*Clint(a)b2bleadsonline.us P *We have a responsibility to the environment* *Before printing this e-mail or any other document, let's ask ourselves whether we need a hard copy*

1 month, 3 weeks

1
0
0 0

[PATCH net, 1/2] net: core: Fix missing init of llist_node in setup_net()

by Haiyang Zhang

From: Haiyang Zhang <haiyangz(a)microsoft.com> Add init_llist_node for lock-less list nodes in struct net in setup_net(), so we can test if a node is on a list or not. Cc: stable(a)vger.kernel.org Fixes: d6b3358a2813 ("llist: add interface to check if a node is on a list.") Signed-off-by: Haiyang Zhang <haiyangz(a)microsoft.com> --- net/core/net_namespace.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c index ae54f26709ca..2a821849558f 100644 --- a/net/core/net_namespace.c +++ b/net/core/net_namespace.c @@ -434,6 +434,9 @@ static __net_init int setup_net(struct net *net) LIST_HEAD(net_exit_list); int error = 0; + init_llist_node(&net->defer_free_list); + init_llist_node(&net->cleanup_list); + preempt_disable(); net->net_cookie = gen_cookie_next(&net_cookie); preempt_enable(); -- 2.34.1

1 month, 3 weeks

3
2
0 0

[PATCH v2] media: cec: extron-da-hd-4k-plus: drop external-module make commands

by Randy Dunlap

Delete the external-module style Makefile commands. They are not needed for in-tree modules. This is the only Makefile in the kernel tree (aside from tools/ and samples/) that uses this Makefile style. The same files are built with or without this patch. Fixes: 056f2821b631 ("media: cec: extron-da-hd-4k-plus: add the Extron DA HD 4K Plus CEC driver") Signed-off-by: Randy Dunlap <rdunlap(a)infradead.org> Cc: stable(a)vger.kernel.org --- v2 changes, per the Media CI bot: - add Cc: stable(a)vger.kernel.org - move other Cc:s to mail headers only, not in the signoff area Cc: Hans Verkuil <hverkuil(a)kernel.org> Cc: Masahiro Yamada <masahiroy(a)kernel.org> drivers/media/cec/usb/extron-da-hd-4k-plus/Makefile | 6 ------ 1 file changed, 6 deletions(-) --- linux-next-20250718.orig/drivers/media/cec/usb/extron-da-hd-4k-plus/Makefile +++ linux-next-20250718/drivers/media/cec/usb/extron-da-hd-4k-plus/Makefile @@ -1,8 +1,2 @@ extron-da-hd-4k-plus-cec-objs := extron-da-hd-4k-plus.o cec-splitter.o obj-$(CONFIG_USB_EXTRON_DA_HD_4K_PLUS_CEC) := extron-da-hd-4k-plus-cec.o - -all: - $(MAKE) -C $(KDIR) M=$(shell pwd) modules - -install: - $(MAKE) -C $(KDIR) M=$(shell pwd) modules_install

1 month, 3 weeks

1
0
0 0

[PATCH net, 2/2] hv_netvsc: Fix panic during namespace deletion with VF

by Haiyang Zhang

From: Haiyang Zhang <haiyangz(a)microsoft.com> The existing code move the VF NIC to new namespace when NETDEV_REGISTER is received on netvsc NIC. During deletion of the namespace, default_device_exit_batch() >> default_device_exit_net() is called. When netvsc NIC is moved back and registered to the default namespace, it automatically brings VF NIC back to the default namespace. This will cause the default_device_exit_net() >> for_each_netdev_safe loop unable to detect the list end, and hit NULL ptr: [ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0 [ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010 [ 231.450246] #PF: supervisor read access in kernel mode [ 231.450579] #PF: error_code(0x0000) - not-present page [ 231.450916] PGD 17b8a8067 P4D 0 [ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI [ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY [ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024 [ 231.452692] Workqueue: netns cleanup_net [ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0 [ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00 [ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246 [ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb [ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564 [ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000 [ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340 [ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340 [ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000 [ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0 [ 231.458434] Call Trace: [ 231.458600] <TASK> [ 231.458777] ops_undo_list+0x100/0x220 [ 231.459015] cleanup_net+0x1b8/0x300 [ 231.459285] process_one_work+0x184/0x340 To fix it, skip the VF NIC's namespace change with netvsc when the VF namespace is being cleaned up, because the default_device_exit_net() will do it later. Cc: stable(a)vger.kernel.org Fixes: 4c262801ea60 ("hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event") Signed-off-by: Haiyang Zhang <haiyangz(a)microsoft.com> --- drivers/net/hyperv/netvsc_drv.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c index 8be9bce66a4e..8fc05a8c0018 100644 --- a/drivers/net/hyperv/netvsc_drv.c +++ b/drivers/net/hyperv/netvsc_drv.c @@ -2788,13 +2788,21 @@ static void netvsc_event_set_vf_ns(struct net_device *ndev) { struct net_device_context *ndev_ctx = netdev_priv(ndev); struct net_device *vf_netdev; + struct net *vfnet; int ret; vf_netdev = rtnl_dereference(ndev_ctx->vf_netdev); if (!vf_netdev) return; - if (!net_eq(dev_net(ndev), dev_net(vf_netdev))) { + vfnet = dev_net(vf_netdev); + /* Do not move it now if its net is being cleaned up, + * net_cleanup_work will move it. + */ + if (llist_on_list(&vfnet->cleanup_list)) + return; + + if (!net_eq(dev_net(ndev), vfnet)) { ret = dev_change_net_namespace(vf_netdev, dev_net(ndev), "eth%d"); if (ret) -- 2.34.1

1 month, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] usb: hub: Don't try to recover devices lost during warm" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 2521106fc732b0b75fd3555c689b1ed1d29d273c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072256-verbally-zippy-bbd6@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2521106fc732b0b75fd3555c689b1ed1d29d273c Mon Sep 17 00:00:00 2001 From: Mathias Nyman <mathias.nyman(a)linux.intel.com> Date: Mon, 23 Jun 2025 16:39:47 +0300 Subject: [PATCH] usb: hub: Don't try to recover devices lost during warm reset. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Hub driver warm-resets ports in SS.Inactive or Compliance mode to recover a possible connected device. The port reset code correctly detects if a connection is lost during reset, but hub driver port_event() fails to take this into account in some cases. port_event() ends up using stale values and assumes there is a connected device, and will try all means to recover it, including power-cycling the port. Details: This case was triggered when xHC host was suspended with DbC (Debug Capability) enabled and connected. DbC turns one xHC port into a simple usb debug device, allowing debugging a system with an A-to-A USB debug cable. xhci DbC code disables DbC when xHC is system suspended to D3, and enables it back during resume. We essentially end up with two hosts connected to each other during suspend, and, for a short while during resume, until DbC is enabled back. The suspended xHC host notices some activity on the roothub port, but can't train the link due to being suspended, so xHC hardware sets a CAS (Cold Attach Status) flag for this port to inform xhci host driver that the port needs to be warm reset once xHC resumes. CAS is xHCI specific, and not part of USB specification, so xhci driver tells usb core that the port has a connection and link is in compliance mode. Recovery from complinace mode is similar to CAS recovery. xhci CAS driver support that fakes a compliance mode connection was added in commit 8bea2bd37df0 ("usb: Add support for root hub port status CAS") Once xHCI resumes and DbC is enabled back, all activity on the xHC roothub host side port disappears. The hub driver will anyway think port has a connection and link is in compliance mode, and hub driver will try to recover it. The port power-cycle during recovery seems to cause issues to the active DbC connection. Fix this by clearing connect_change flag if hub_port_reset() returns -ENOTCONN, thus avoiding the whole unnecessary port recovery and initialization attempt. Cc: stable(a)vger.kernel.org Fixes: 8bea2bd37df0 ("usb: Add support for root hub port status CAS") Tested-by: Łukasz Bartosik <ukaszb(a)chromium.org> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Acked-by: Alan Stern <stern(a)rowland.harvard.edu> Link: https://lore.kernel.org/r/20250623133947.3144608-1-mathias.nyman@linux.inte… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c index 3e1215f7a9a0..256fe8c86828 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -5751,6 +5751,7 @@ static void port_event(struct usb_hub *hub, int port1) struct usb_device *hdev = hub->hdev; u16 portstatus, portchange; int i = 0; + int err; connect_change = test_bit(port1, hub->change_bits); clear_bit(port1, hub->event_bits); @@ -5847,8 +5848,11 @@ static void port_event(struct usb_hub *hub, int port1) } else if (!udev || !(portstatus & USB_PORT_STAT_CONNECTION) || udev->state == USB_STATE_NOTATTACHED) { dev_dbg(&port_dev->dev, "do warm reset, port only\n"); - if (hub_port_reset(hub, port1, NULL, - HUB_BH_RESET_TIME, true) < 0) + err = hub_port_reset(hub, port1, NULL, + HUB_BH_RESET_TIME, true); + if (!udev && err == -ENOTCONN) + connect_change = 0; + else if (err < 0) hub_port_disable(hub, port1, 1); } else { dev_dbg(&port_dev->dev, "do warm reset, full device\n");

1 month, 3 weeks

2
2
0 0

FAILED: patch "[PATCH] usb: hub: Don't try to recover devices lost during warm" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 2521106fc732b0b75fd3555c689b1ed1d29d273c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072258-fervor-reabsorb-1b7a@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2521106fc732b0b75fd3555c689b1ed1d29d273c Mon Sep 17 00:00:00 2001 From: Mathias Nyman <mathias.nyman(a)linux.intel.com> Date: Mon, 23 Jun 2025 16:39:47 +0300 Subject: [PATCH] usb: hub: Don't try to recover devices lost during warm reset. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Hub driver warm-resets ports in SS.Inactive or Compliance mode to recover a possible connected device. The port reset code correctly detects if a connection is lost during reset, but hub driver port_event() fails to take this into account in some cases. port_event() ends up using stale values and assumes there is a connected device, and will try all means to recover it, including power-cycling the port. Details: This case was triggered when xHC host was suspended with DbC (Debug Capability) enabled and connected. DbC turns one xHC port into a simple usb debug device, allowing debugging a system with an A-to-A USB debug cable. xhci DbC code disables DbC when xHC is system suspended to D3, and enables it back during resume. We essentially end up with two hosts connected to each other during suspend, and, for a short while during resume, until DbC is enabled back. The suspended xHC host notices some activity on the roothub port, but can't train the link due to being suspended, so xHC hardware sets a CAS (Cold Attach Status) flag for this port to inform xhci host driver that the port needs to be warm reset once xHC resumes. CAS is xHCI specific, and not part of USB specification, so xhci driver tells usb core that the port has a connection and link is in compliance mode. Recovery from complinace mode is similar to CAS recovery. xhci CAS driver support that fakes a compliance mode connection was added in commit 8bea2bd37df0 ("usb: Add support for root hub port status CAS") Once xHCI resumes and DbC is enabled back, all activity on the xHC roothub host side port disappears. The hub driver will anyway think port has a connection and link is in compliance mode, and hub driver will try to recover it. The port power-cycle during recovery seems to cause issues to the active DbC connection. Fix this by clearing connect_change flag if hub_port_reset() returns -ENOTCONN, thus avoiding the whole unnecessary port recovery and initialization attempt. Cc: stable(a)vger.kernel.org Fixes: 8bea2bd37df0 ("usb: Add support for root hub port status CAS") Tested-by: Łukasz Bartosik <ukaszb(a)chromium.org> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Acked-by: Alan Stern <stern(a)rowland.harvard.edu> Link: https://lore.kernel.org/r/20250623133947.3144608-1-mathias.nyman@linux.inte… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c index 3e1215f7a9a0..256fe8c86828 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -5751,6 +5751,7 @@ static void port_event(struct usb_hub *hub, int port1) struct usb_device *hdev = hub->hdev; u16 portstatus, portchange; int i = 0; + int err; connect_change = test_bit(port1, hub->change_bits); clear_bit(port1, hub->event_bits); @@ -5847,8 +5848,11 @@ static void port_event(struct usb_hub *hub, int port1) } else if (!udev || !(portstatus & USB_PORT_STAT_CONNECTION) || udev->state == USB_STATE_NOTATTACHED) { dev_dbg(&port_dev->dev, "do warm reset, port only\n"); - if (hub_port_reset(hub, port1, NULL, - HUB_BH_RESET_TIME, true) < 0) + err = hub_port_reset(hub, port1, NULL, + HUB_BH_RESET_TIME, true); + if (!udev && err == -ENOTCONN) + connect_change = 0; + else if (err < 0) hub_port_disable(hub, port1, 1); } else { dev_dbg(&port_dev->dev, "do warm reset, full device\n");

1 month, 3 weeks

2
2
0 0

FAILED: patch "[PATCH] usb: hub: Don't try to recover devices lost during warm" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 2521106fc732b0b75fd3555c689b1ed1d29d273c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072257-ranging-salvaging-2f13@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2521106fc732b0b75fd3555c689b1ed1d29d273c Mon Sep 17 00:00:00 2001 From: Mathias Nyman <mathias.nyman(a)linux.intel.com> Date: Mon, 23 Jun 2025 16:39:47 +0300 Subject: [PATCH] usb: hub: Don't try to recover devices lost during warm reset. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Hub driver warm-resets ports in SS.Inactive or Compliance mode to recover a possible connected device. The port reset code correctly detects if a connection is lost during reset, but hub driver port_event() fails to take this into account in some cases. port_event() ends up using stale values and assumes there is a connected device, and will try all means to recover it, including power-cycling the port. Details: This case was triggered when xHC host was suspended with DbC (Debug Capability) enabled and connected. DbC turns one xHC port into a simple usb debug device, allowing debugging a system with an A-to-A USB debug cable. xhci DbC code disables DbC when xHC is system suspended to D3, and enables it back during resume. We essentially end up with two hosts connected to each other during suspend, and, for a short while during resume, until DbC is enabled back. The suspended xHC host notices some activity on the roothub port, but can't train the link due to being suspended, so xHC hardware sets a CAS (Cold Attach Status) flag for this port to inform xhci host driver that the port needs to be warm reset once xHC resumes. CAS is xHCI specific, and not part of USB specification, so xhci driver tells usb core that the port has a connection and link is in compliance mode. Recovery from complinace mode is similar to CAS recovery. xhci CAS driver support that fakes a compliance mode connection was added in commit 8bea2bd37df0 ("usb: Add support for root hub port status CAS") Once xHCI resumes and DbC is enabled back, all activity on the xHC roothub host side port disappears. The hub driver will anyway think port has a connection and link is in compliance mode, and hub driver will try to recover it. The port power-cycle during recovery seems to cause issues to the active DbC connection. Fix this by clearing connect_change flag if hub_port_reset() returns -ENOTCONN, thus avoiding the whole unnecessary port recovery and initialization attempt. Cc: stable(a)vger.kernel.org Fixes: 8bea2bd37df0 ("usb: Add support for root hub port status CAS") Tested-by: Łukasz Bartosik <ukaszb(a)chromium.org> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Acked-by: Alan Stern <stern(a)rowland.harvard.edu> Link: https://lore.kernel.org/r/20250623133947.3144608-1-mathias.nyman@linux.inte… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c index 3e1215f7a9a0..256fe8c86828 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -5751,6 +5751,7 @@ static void port_event(struct usb_hub *hub, int port1) struct usb_device *hdev = hub->hdev; u16 portstatus, portchange; int i = 0; + int err; connect_change = test_bit(port1, hub->change_bits); clear_bit(port1, hub->event_bits); @@ -5847,8 +5848,11 @@ static void port_event(struct usb_hub *hub, int port1) } else if (!udev || !(portstatus & USB_PORT_STAT_CONNECTION) || udev->state == USB_STATE_NOTATTACHED) { dev_dbg(&port_dev->dev, "do warm reset, port only\n"); - if (hub_port_reset(hub, port1, NULL, - HUB_BH_RESET_TIME, true) < 0) + err = hub_port_reset(hub, port1, NULL, + HUB_BH_RESET_TIME, true); + if (!udev && err == -ENOTCONN) + connect_change = 0; + else if (err < 0) hub_port_disable(hub, port1, 1); } else { dev_dbg(&port_dev->dev, "do warm reset, full device\n");

1 month, 3 weeks

2
2
0 0

FAILED: patch "[PATCH] usb: hub: fix detection of high tier USB3 devices behind" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 8f5b7e2bec1c36578fdaa74a6951833541103e27 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072211-wolverine-heroics-ee1b@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8f5b7e2bec1c36578fdaa74a6951833541103e27 Mon Sep 17 00:00:00 2001 From: Mathias Nyman <mathias.nyman(a)linux.intel.com> Date: Wed, 11 Jun 2025 14:24:41 +0300 Subject: [PATCH] usb: hub: fix detection of high tier USB3 devices behind suspended hubs USB3 devices connected behind several external suspended hubs may not be detected when plugged in due to aggressive hub runtime pm suspend. The hub driver immediately runtime-suspends hubs if there are no active children or port activity. There is a delay between the wake signal causing hub resume, and driver visible port activity on the hub downstream facing ports. Most of the LFPS handshake, resume signaling and link training done on the downstream ports is not visible to the hub driver until completed, when device then will appear fully enabled and running on the port. This delay between wake signal and detectable port change is even more significant with chained suspended hubs where the wake signal will propagate upstream first. Suspended hubs will only start resuming downstream ports after upstream facing port resumes. The hub driver may resume a USB3 hub, read status of all ports, not yet see any activity, and runtime suspend back the hub before any port activity is visible. This exact case was seen when conncting USB3 devices to a suspended Thunderbolt dock. USB3 specification defines a 100ms tU3WakeupRetryDelay, indicating USB3 devices expect to be resumed within 100ms after signaling wake. if not then device will resend the wake signal. Give the USB3 hubs twice this time (200ms) to detect any port changes after resume, before allowing hub to runtime suspend again. Cc: stable <stable(a)kernel.org> Fixes: 2839f5bcfcfc ("USB: Turn on auto-suspend for USB 3.0 hubs.") Acked-by: Alan Stern <stern(a)rowland.harvard.edu> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Link: https://lore.kernel.org/r/20250611112441.2267883-1-mathias.nyman@linux.inte… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c index 770d1e91183c..5c12dfdef569 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -68,6 +68,12 @@ */ #define USB_SHORT_SET_ADDRESS_REQ_TIMEOUT 500 /* ms */ +/* + * Give SS hubs 200ms time after wake to train downstream links before + * assuming no port activity and allowing hub to runtime suspend back. + */ +#define USB_SS_PORT_U0_WAKE_TIME 200 /* ms */ + /* Protect struct usb_device->state and ->children members * Note: Both are also protected by ->dev.sem, except that ->state can * change to USB_STATE_NOTATTACHED even when the semaphore isn't held. */ @@ -1068,11 +1074,12 @@ int usb_remove_device(struct usb_device *udev) enum hub_activation_type { HUB_INIT, HUB_INIT2, HUB_INIT3, /* INITs must come first */ - HUB_POST_RESET, HUB_RESUME, HUB_RESET_RESUME, + HUB_POST_RESET, HUB_RESUME, HUB_RESET_RESUME, HUB_POST_RESUME, }; static void hub_init_func2(struct work_struct *ws); static void hub_init_func3(struct work_struct *ws); +static void hub_post_resume(struct work_struct *ws); static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) { @@ -1095,6 +1102,13 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) goto init2; goto init3; } + + if (type == HUB_POST_RESUME) { + usb_autopm_put_interface_async(to_usb_interface(hub->intfdev)); + hub_put(hub); + return; + } + hub_get(hub); /* The superspeed hub except for root hub has to use Hub Depth @@ -1343,6 +1357,16 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) device_unlock(&hdev->dev); } + if (type == HUB_RESUME && hub_is_superspeed(hub->hdev)) { + /* give usb3 downstream links training time after hub resume */ + INIT_DELAYED_WORK(&hub->init_work, hub_post_resume); + queue_delayed_work(system_power_efficient_wq, &hub->init_work, + msecs_to_jiffies(USB_SS_PORT_U0_WAKE_TIME)); + usb_autopm_get_interface_no_resume( + to_usb_interface(hub->intfdev)); + return; + } + hub_put(hub); } @@ -1361,6 +1385,13 @@ static void hub_init_func3(struct work_struct *ws) hub_activate(hub, HUB_INIT3); } +static void hub_post_resume(struct work_struct *ws) +{ + struct usb_hub *hub = container_of(ws, struct usb_hub, init_work.work); + + hub_activate(hub, HUB_POST_RESUME); +} + enum hub_quiescing_type { HUB_DISCONNECT, HUB_PRE_RESET, HUB_SUSPEND };

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] comedi: Fix initialization of data for instructions that" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 46d8c744136ce2454aa4c35c138cc06817f92b8e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072152-submitter-sterile-1681@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 46d8c744136ce2454aa4c35c138cc06817f92b8e Mon Sep 17 00:00:00 2001 From: Ian Abbott <abbotti(a)mev.co.uk> Date: Mon, 7 Jul 2025 17:14:39 +0100 Subject: [PATCH] comedi: Fix initialization of data for instructions that write to subdevice Some Comedi subdevice instruction handlers are known to access instruction data elements beyond the first `insn->n` elements in some cases. The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions allocate at least `MIN_SAMPLES` (16) data elements to deal with this, but they do not initialize all of that. For Comedi instruction codes that write to the subdevice, the first `insn->n` data elements are copied from user-space, but the remaining elements are left uninitialized. That could be a problem if the subdevice instruction handler reads the uninitialized data. Ensure that the first `MIN_SAMPLES` elements are initialized before calling these instruction handlers, filling the uncopied elements with 0. For `do_insnlist_ioctl()`, the same data buffer elements are used for handling a list of instructions, so ensure the first `MIN_SAMPLES` elements are initialized for each instruction that writes to the subdevice. Fixes: ed9eccbe8970 ("Staging: add comedi core") Cc: stable(a)vger.kernel.org # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250707161439.88385-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c index 962fb9b18a52..c83fd14dd7ad 100644 --- a/drivers/comedi/comedi_fops.c +++ b/drivers/comedi/comedi_fops.c @@ -1556,21 +1556,27 @@ static int do_insnlist_ioctl(struct comedi_device *dev, } for (i = 0; i < n_insns; ++i) { + unsigned int n = insns[i].n; + if (insns[i].insn & INSN_MASK_WRITE) { if (copy_from_user(data, insns[i].data, - insns[i].n * sizeof(unsigned int))) { + n * sizeof(unsigned int))) { dev_dbg(dev->class_dev, "copy_from_user failed\n"); ret = -EFAULT; goto error; } + if (n < MIN_SAMPLES) { + memset(&data[n], 0, (MIN_SAMPLES - n) * + sizeof(unsigned int)); + } } ret = parse_insn(dev, insns + i, data, file); if (ret < 0) goto error; if (insns[i].insn & INSN_MASK_READ) { if (copy_to_user(insns[i].data, data, - insns[i].n * sizeof(unsigned int))) { + n * sizeof(unsigned int))) { dev_dbg(dev->class_dev, "copy_to_user failed\n"); ret = -EFAULT; @@ -1643,6 +1649,10 @@ static int do_insn_ioctl(struct comedi_device *dev, ret = -EFAULT; goto error; } + if (insn->n < MIN_SAMPLES) { + memset(&data[insn->n], 0, + (MIN_SAMPLES - insn->n) * sizeof(unsigned int)); + } } ret = parse_insn(dev, insn, data, file); if (ret < 0)

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] smb: client: fix use-after-free in crypt_message when using" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x b220bed63330c0e1733dc06ea8e75d5b9962b6b6 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072141-jujitsu-ebay-6dbf@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b220bed63330c0e1733dc06ea8e75d5b9962b6b6 Mon Sep 17 00:00:00 2001 From: Wang Zhaolong <wangzhaolong(a)huaweicloud.com> Date: Sat, 5 Jul 2025 10:51:18 +0800 Subject: [PATCH] smb: client: fix use-after-free in crypt_message when using async crypto The CVE-2024-50047 fix removed asynchronous crypto handling from crypt_message(), assuming all crypto operations are synchronous. However, when hardware crypto accelerators are used, this can cause use-after-free crashes: crypt_message() // Allocate the creq buffer containing the req creq = smb2_get_aead_req(..., &req); // Async encryption returns -EINPROGRESS immediately rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req); // Free creq while async operation is still in progress kvfree_sensitive(creq, ...); Hardware crypto modules often implement async AEAD operations for performance. When crypto_aead_encrypt/decrypt() returns -EINPROGRESS, the operation completes asynchronously. Without crypto_wait_req(), the function immediately frees the request buffer, leading to crashes when the driver later accesses the freed memory. This results in a use-after-free condition when the hardware crypto driver later accesses the freed request structure, leading to kernel crashes with NULL pointer dereferences. The issue occurs because crypto_alloc_aead() with mask=0 doesn't guarantee synchronous operation. Even without CRYPTO_ALG_ASYNC in the mask, async implementations can be selected. Fix by restoring the async crypto handling: - DECLARE_CRYPTO_WAIT(wait) for completion tracking - aead_request_set_callback() for async completion notification - crypto_wait_req() to wait for operation completion This ensures the request buffer isn't freed until the crypto operation completes, whether synchronous or asynchronous, while preserving the CVE-2024-50047 fix. Fixes: b0abcd65ec54 ("smb: client: fix UAF in async decryption") Link: https://lore.kernel.org/all/8b784a13-87b0-4131-9ff9-7a8993538749@huaweiclou… Cc: stable(a)vger.kernel.org Reviewed-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.org> Signed-off-by: Wang Zhaolong <wangzhaolong(a)huaweicloud.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c index 1468c16ea9b8..cb659256d219 100644 --- a/fs/smb/client/smb2ops.c +++ b/fs/smb/client/smb2ops.c @@ -4316,6 +4316,7 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst, u8 key[SMB3_ENC_DEC_KEY_SIZE]; struct aead_request *req; u8 *iv; + DECLARE_CRYPTO_WAIT(wait); unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize); void *creq; size_t sensitive_size; @@ -4366,7 +4367,11 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst, aead_request_set_crypt(req, sg, sg, crypt_len, iv); aead_request_set_ad(req, assoc_data_len); - rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req); + aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, + crypto_req_done, &wait); + + rc = crypto_wait_req(enc ? crypto_aead_encrypt(req) + : crypto_aead_decrypt(req), &wait); if (!rc && enc) memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE);

1 month, 3 weeks

2
2
0 0

FAILED: patch "[PATCH] smb: client: fix use-after-free in crypt_message when using" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x b220bed63330c0e1733dc06ea8e75d5b9962b6b6 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072141-busybody-favoring-f21d@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b220bed63330c0e1733dc06ea8e75d5b9962b6b6 Mon Sep 17 00:00:00 2001 From: Wang Zhaolong <wangzhaolong(a)huaweicloud.com> Date: Sat, 5 Jul 2025 10:51:18 +0800 Subject: [PATCH] smb: client: fix use-after-free in crypt_message when using async crypto The CVE-2024-50047 fix removed asynchronous crypto handling from crypt_message(), assuming all crypto operations are synchronous. However, when hardware crypto accelerators are used, this can cause use-after-free crashes: crypt_message() // Allocate the creq buffer containing the req creq = smb2_get_aead_req(..., &req); // Async encryption returns -EINPROGRESS immediately rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req); // Free creq while async operation is still in progress kvfree_sensitive(creq, ...); Hardware crypto modules often implement async AEAD operations for performance. When crypto_aead_encrypt/decrypt() returns -EINPROGRESS, the operation completes asynchronously. Without crypto_wait_req(), the function immediately frees the request buffer, leading to crashes when the driver later accesses the freed memory. This results in a use-after-free condition when the hardware crypto driver later accesses the freed request structure, leading to kernel crashes with NULL pointer dereferences. The issue occurs because crypto_alloc_aead() with mask=0 doesn't guarantee synchronous operation. Even without CRYPTO_ALG_ASYNC in the mask, async implementations can be selected. Fix by restoring the async crypto handling: - DECLARE_CRYPTO_WAIT(wait) for completion tracking - aead_request_set_callback() for async completion notification - crypto_wait_req() to wait for operation completion This ensures the request buffer isn't freed until the crypto operation completes, whether synchronous or asynchronous, while preserving the CVE-2024-50047 fix. Fixes: b0abcd65ec54 ("smb: client: fix UAF in async decryption") Link: https://lore.kernel.org/all/8b784a13-87b0-4131-9ff9-7a8993538749@huaweiclou… Cc: stable(a)vger.kernel.org Reviewed-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.org> Signed-off-by: Wang Zhaolong <wangzhaolong(a)huaweicloud.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c index 1468c16ea9b8..cb659256d219 100644 --- a/fs/smb/client/smb2ops.c +++ b/fs/smb/client/smb2ops.c @@ -4316,6 +4316,7 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst, u8 key[SMB3_ENC_DEC_KEY_SIZE]; struct aead_request *req; u8 *iv; + DECLARE_CRYPTO_WAIT(wait); unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize); void *creq; size_t sensitive_size; @@ -4366,7 +4367,11 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst, aead_request_set_crypt(req, sg, sg, crypt_len, iv); aead_request_set_ad(req, assoc_data_len); - rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req); + aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, + crypto_req_done, &wait); + + rc = crypto_wait_req(enc ? crypto_aead_encrypt(req) + : crypto_aead_decrypt(req), &wait); if (!rc && enc) memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE);

1 month, 3 weeks

2
2
0 0

FAILED: patch "[PATCH] comedi: comedi_test: Fix possible deletion of uninitialized" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 1b98304c09a0192598d0767f1eb8c83d7e793091 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072156-salt-despair-a696@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1b98304c09a0192598d0767f1eb8c83d7e793091 Mon Sep 17 00:00:00 2001 From: Ian Abbott <abbotti(a)mev.co.uk> Date: Tue, 8 Jul 2025 14:06:27 +0100 Subject: [PATCH] comedi: comedi_test: Fix possible deletion of uninitialized timers In `waveform_common_attach()`, the two timers `&devpriv->ai_timer` and `&devpriv->ao_timer` are initialized after the allocation of the device private data by `comedi_alloc_devpriv()` and the subdevices by `comedi_alloc_subdevices()`. The function may return with an error between those function calls. In that case, `waveform_detach()` will be called by the Comedi core to clean up. The check that `waveform_detach()` uses to decide whether to delete the timers is incorrect. It only checks that the device private data was allocated, but that does not guarantee that the timers were initialized. It also needs to check that the subdevices were allocated. Fix it. Fixes: 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up") Cc: stable(a)vger.kernel.org # 6.15+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250708130627.21743-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/comedi/drivers/comedi_test.c b/drivers/comedi/drivers/comedi_test.c index 9747e6d1f6eb..7984950f0f99 100644 --- a/drivers/comedi/drivers/comedi_test.c +++ b/drivers/comedi/drivers/comedi_test.c @@ -792,7 +792,7 @@ static void waveform_detach(struct comedi_device *dev) { struct waveform_private *devpriv = dev->private; - if (devpriv) { + if (devpriv && dev->n_subdevices) { timer_delete_sync(&devpriv->ai_timer); timer_delete_sync(&devpriv->ao_timer); }

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] comedi: comedi_test: Fix possible deletion of uninitialized" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 1b98304c09a0192598d0767f1eb8c83d7e793091 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072155-viper-viewer-98bd@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1b98304c09a0192598d0767f1eb8c83d7e793091 Mon Sep 17 00:00:00 2001 From: Ian Abbott <abbotti(a)mev.co.uk> Date: Tue, 8 Jul 2025 14:06:27 +0100 Subject: [PATCH] comedi: comedi_test: Fix possible deletion of uninitialized timers In `waveform_common_attach()`, the two timers `&devpriv->ai_timer` and `&devpriv->ao_timer` are initialized after the allocation of the device private data by `comedi_alloc_devpriv()` and the subdevices by `comedi_alloc_subdevices()`. The function may return with an error between those function calls. In that case, `waveform_detach()` will be called by the Comedi core to clean up. The check that `waveform_detach()` uses to decide whether to delete the timers is incorrect. It only checks that the device private data was allocated, but that does not guarantee that the timers were initialized. It also needs to check that the subdevices were allocated. Fix it. Fixes: 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up") Cc: stable(a)vger.kernel.org # 6.15+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250708130627.21743-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/comedi/drivers/comedi_test.c b/drivers/comedi/drivers/comedi_test.c index 9747e6d1f6eb..7984950f0f99 100644 --- a/drivers/comedi/drivers/comedi_test.c +++ b/drivers/comedi/drivers/comedi_test.c @@ -792,7 +792,7 @@ static void waveform_detach(struct comedi_device *dev) { struct waveform_private *devpriv = dev->private; - if (devpriv) { + if (devpriv && dev->n_subdevices) { timer_delete_sync(&devpriv->ai_timer); timer_delete_sync(&devpriv->ao_timer); }

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] comedi: comedi_test: Fix possible deletion of uninitialized" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 1b98304c09a0192598d0767f1eb8c83d7e793091 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072155-catering-series-cf00@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1b98304c09a0192598d0767f1eb8c83d7e793091 Mon Sep 17 00:00:00 2001 From: Ian Abbott <abbotti(a)mev.co.uk> Date: Tue, 8 Jul 2025 14:06:27 +0100 Subject: [PATCH] comedi: comedi_test: Fix possible deletion of uninitialized timers In `waveform_common_attach()`, the two timers `&devpriv->ai_timer` and `&devpriv->ao_timer` are initialized after the allocation of the device private data by `comedi_alloc_devpriv()` and the subdevices by `comedi_alloc_subdevices()`. The function may return with an error between those function calls. In that case, `waveform_detach()` will be called by the Comedi core to clean up. The check that `waveform_detach()` uses to decide whether to delete the timers is incorrect. It only checks that the device private data was allocated, but that does not guarantee that the timers were initialized. It also needs to check that the subdevices were allocated. Fix it. Fixes: 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up") Cc: stable(a)vger.kernel.org # 6.15+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250708130627.21743-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/comedi/drivers/comedi_test.c b/drivers/comedi/drivers/comedi_test.c index 9747e6d1f6eb..7984950f0f99 100644 --- a/drivers/comedi/drivers/comedi_test.c +++ b/drivers/comedi/drivers/comedi_test.c @@ -792,7 +792,7 @@ static void waveform_detach(struct comedi_device *dev) { struct waveform_private *devpriv = dev->private; - if (devpriv) { + if (devpriv && dev->n_subdevices) { timer_delete_sync(&devpriv->ai_timer); timer_delete_sync(&devpriv->ao_timer); }

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] comedi: comedi_test: Fix possible deletion of uninitialized" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 1b98304c09a0192598d0767f1eb8c83d7e793091 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072154-unchain-champion-e3d6@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1b98304c09a0192598d0767f1eb8c83d7e793091 Mon Sep 17 00:00:00 2001 From: Ian Abbott <abbotti(a)mev.co.uk> Date: Tue, 8 Jul 2025 14:06:27 +0100 Subject: [PATCH] comedi: comedi_test: Fix possible deletion of uninitialized timers In `waveform_common_attach()`, the two timers `&devpriv->ai_timer` and `&devpriv->ao_timer` are initialized after the allocation of the device private data by `comedi_alloc_devpriv()` and the subdevices by `comedi_alloc_subdevices()`. The function may return with an error between those function calls. In that case, `waveform_detach()` will be called by the Comedi core to clean up. The check that `waveform_detach()` uses to decide whether to delete the timers is incorrect. It only checks that the device private data was allocated, but that does not guarantee that the timers were initialized. It also needs to check that the subdevices were allocated. Fix it. Fixes: 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up") Cc: stable(a)vger.kernel.org # 6.15+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250708130627.21743-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/comedi/drivers/comedi_test.c b/drivers/comedi/drivers/comedi_test.c index 9747e6d1f6eb..7984950f0f99 100644 --- a/drivers/comedi/drivers/comedi_test.c +++ b/drivers/comedi/drivers/comedi_test.c @@ -792,7 +792,7 @@ static void waveform_detach(struct comedi_device *dev) { struct waveform_private *devpriv = dev->private; - if (devpriv) { + if (devpriv && dev->n_subdevices) { timer_delete_sync(&devpriv->ai_timer); timer_delete_sync(&devpriv->ao_timer); }

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] comedi: comedi_test: Fix possible deletion of uninitialized" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 1b98304c09a0192598d0767f1eb8c83d7e793091 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072153-clerical-autograph-74d4@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1b98304c09a0192598d0767f1eb8c83d7e793091 Mon Sep 17 00:00:00 2001 From: Ian Abbott <abbotti(a)mev.co.uk> Date: Tue, 8 Jul 2025 14:06:27 +0100 Subject: [PATCH] comedi: comedi_test: Fix possible deletion of uninitialized timers In `waveform_common_attach()`, the two timers `&devpriv->ai_timer` and `&devpriv->ao_timer` are initialized after the allocation of the device private data by `comedi_alloc_devpriv()` and the subdevices by `comedi_alloc_subdevices()`. The function may return with an error between those function calls. In that case, `waveform_detach()` will be called by the Comedi core to clean up. The check that `waveform_detach()` uses to decide whether to delete the timers is incorrect. It only checks that the device private data was allocated, but that does not guarantee that the timers were initialized. It also needs to check that the subdevices were allocated. Fix it. Fixes: 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up") Cc: stable(a)vger.kernel.org # 6.15+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250708130627.21743-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/comedi/drivers/comedi_test.c b/drivers/comedi/drivers/comedi_test.c index 9747e6d1f6eb..7984950f0f99 100644 --- a/drivers/comedi/drivers/comedi_test.c +++ b/drivers/comedi/drivers/comedi_test.c @@ -792,7 +792,7 @@ static void waveform_detach(struct comedi_device *dev) { struct waveform_private *devpriv = dev->private; - if (devpriv) { + if (devpriv && dev->n_subdevices) { timer_delete_sync(&devpriv->ai_timer); timer_delete_sync(&devpriv->ao_timer); }

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] comedi: comedi_test: Fix possible deletion of uninitialized" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 1b98304c09a0192598d0767f1eb8c83d7e793091 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072153-splinter-buckshot-87f5@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1b98304c09a0192598d0767f1eb8c83d7e793091 Mon Sep 17 00:00:00 2001 From: Ian Abbott <abbotti(a)mev.co.uk> Date: Tue, 8 Jul 2025 14:06:27 +0100 Subject: [PATCH] comedi: comedi_test: Fix possible deletion of uninitialized timers In `waveform_common_attach()`, the two timers `&devpriv->ai_timer` and `&devpriv->ao_timer` are initialized after the allocation of the device private data by `comedi_alloc_devpriv()` and the subdevices by `comedi_alloc_subdevices()`. The function may return with an error between those function calls. In that case, `waveform_detach()` will be called by the Comedi core to clean up. The check that `waveform_detach()` uses to decide whether to delete the timers is incorrect. It only checks that the device private data was allocated, but that does not guarantee that the timers were initialized. It also needs to check that the subdevices were allocated. Fix it. Fixes: 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up") Cc: stable(a)vger.kernel.org # 6.15+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> Link: https://lore.kernel.org/r/20250708130627.21743-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/comedi/drivers/comedi_test.c b/drivers/comedi/drivers/comedi_test.c index 9747e6d1f6eb..7984950f0f99 100644 --- a/drivers/comedi/drivers/comedi_test.c +++ b/drivers/comedi/drivers/comedi_test.c @@ -792,7 +792,7 @@ static void waveform_detach(struct comedi_device *dev) { struct waveform_private *devpriv = dev->private; - if (devpriv) { + if (devpriv && dev->n_subdevices) { timer_delete_sync(&devpriv->ai_timer); timer_delete_sync(&devpriv->ao_timer); }

1 month, 3 weeks

2
1
0 0

[PATCH v2] PCI/pwrctrl: Skip creating pwrctrl device unless CONFIG_PCI_PWRCTRL is enabled

by Manivannan Sadhasivam

If devicetree describes power supplies related to a PCI device, we previously created a pwrctrl device even if CONFIG_PCI_PWRCTL was not enabled. When pci_pwrctrl_create_device() creates and returns a pwrctrl device, pci_scan_device() doesn't enumerate the PCI device. It assumes the pwrctrl core will rescan the bus after turning on the power. However, if CONFIG_PCI_PWRCTL is not enabled, the rescan never happens. This may break PCI enumeration on any system that describes power supplies in devicetree but does not use pwrctrl. Jim reported that some brcmstb platforms break this way. While the actual fix would be to convert all the platforms to use pwrctrl framework, we also need to skip creating the pwrctrl device if CONFIG_PCI_PWRCTL is not enabled and let the PCI core scan the device normally (assuming it is already powered on or by the controller driver). Cc: stable(a)vger.kernel.org # 6.15 Fixes: 957f40d039a9 ("PCI/pwrctrl: Move creation of pwrctrl devices to pci_scan_device()") Reported-by: Jim Quinlan <james.quinlan(a)broadcom.com> Closes: https://lore.kernel.org/r/CA+-6iNwgaByXEYD3j=-+H_PKAxXRU78svPMRHDKKci8AGXAU… Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> --- Changes in v2: * Used the stub instead of returning NULL inside the function drivers/pci/probe.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c index 4b8693ec9e4c..e6a34db77826 100644 --- a/drivers/pci/probe.c +++ b/drivers/pci/probe.c @@ -2508,6 +2508,7 @@ bool pci_bus_read_dev_vendor_id(struct pci_bus *bus, int devfn, u32 *l, } EXPORT_SYMBOL(pci_bus_read_dev_vendor_id); +#if IS_ENABLED(CONFIG_PCI_PWRCTRL) static struct platform_device *pci_pwrctrl_create_device(struct pci_bus *bus, int devfn) { struct pci_host_bridge *host = pci_find_host_bridge(bus); @@ -2537,6 +2538,12 @@ static struct platform_device *pci_pwrctrl_create_device(struct pci_bus *bus, in return pdev; } +#else +static struct platform_device *pci_pwrctrl_create_device(struct pci_bus *bus, int devfn) +{ + return NULL; +} +#endif /* * Read the config data for a PCI device, sanity-check it, -- 2.43.0

1 month, 3 weeks

4
12
0 0

[PATCH 1/3] PCI/pwrctrl: Fix device leak at registration

by Johan Hovold

Make sure to drop the reference to the pwrctrl device taken by of_find_device_by_node() when registering a PCI device. Fixes: b458ff7e8176 ("PCI/pwrctl: Ensure that pwrctl drivers are probed before PCI client drivers") Cc: stable(a)vger.kernel.org # 6.13 Cc: Manivannan Sadhasivam <mani(a)kernel.org> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- drivers/pci/bus.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/drivers/pci/bus.c b/drivers/pci/bus.c index 69048869ef1c..0394a9c77b38 100644 --- a/drivers/pci/bus.c +++ b/drivers/pci/bus.c @@ -362,11 +362,15 @@ void pci_bus_add_device(struct pci_dev *dev) * before PCI client drivers. */ pdev = of_find_device_by_node(dn); - if (pdev && of_pci_supply_present(dn)) { - if (!device_link_add(&dev->dev, &pdev->dev, - DL_FLAG_AUTOREMOVE_CONSUMER)) - pci_err(dev, "failed to add device link to power control device %s\n", - pdev->name); + if (pdev) { + if (of_pci_supply_present(dn)) { + if (!device_link_add(&dev->dev, &pdev->dev, + DL_FLAG_AUTOREMOVE_CONSUMER)) { + pci_err(dev, "failed to add device link to power control device %s\n", + pdev->name); + } + } + put_device(&pdev->dev); } if (!dn || of_device_is_available(dn)) -- 2.49.1

1 month, 3 weeks

4
3
0 0

[PATCH net] net: core: Fix the loop in default_device_exit_net()

by Haiyang Zhang

From: Haiyang Zhang <haiyangz(a)microsoft.com> The loop in default_device_exit_net() won't be able to properly detect the head then stop, and will hit NULL pointer, when a driver, like hv_netvsc, automatically moves the slave device together with the master device. To fix this, add a helper function to return the first migratable netdev correctly, no matter one or two devices were removed from this net's list in the last iteration. Cc: stable(a)vger.kernel.org # 5.4+ Signed-off-by: Haiyang Zhang <haiyangz(a)microsoft.com> --- net/core/dev.c | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-) diff --git a/net/core/dev.c b/net/core/dev.c index 621a639aeba1..d83f5f12cf70 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -12629,19 +12629,11 @@ static struct pernet_operations __net_initdata netdev_net_ops = { .exit = netdev_exit, }; -static void __net_exit default_device_exit_net(struct net *net) +static inline struct net_device *first_migratable_netdev(struct net *net) { - struct netdev_name_node *name_node, *tmp; struct net_device *dev, *aux; - /* - * Push all migratable network devices back to the - * initial network namespace - */ - ASSERT_RTNL(); - for_each_netdev_safe(net, dev, aux) { - int err; - char fb_name[IFNAMSIZ]; + for_each_netdev_safe(net, dev, aux) { /* Ignore unmoveable devices (i.e. loopback) */ if (dev->netns_immutable) continue; @@ -12650,6 +12642,25 @@ static void __net_exit default_device_exit_net(struct net *net) if (dev->rtnl_link_ops && !dev->rtnl_link_ops->netns_refund) continue; + return dev; + } + + return NULL; +} + +static void __net_exit default_device_exit_net(struct net *net) +{ + struct netdev_name_node *name_node, *tmp; + struct net_device *dev; + /* + * Push all migratable network devices back to the + * initial network namespace + */ + ASSERT_RTNL(); + while ((dev = first_migratable_netdev(net)) != NULL) { + int err; + char fb_name[IFNAMSIZ]; + /* Push remaining network devices to init_net */ snprintf(fb_name, IFNAMSIZ, "dev%d", dev->ifindex); if (netdev_name_in_use(&init_net, fb_name)) -- 2.34.1

1 month, 3 weeks

3
2
0 0

[PATCH v2] sunvdc: Balance device refcount in vdc_port_mpgroup_check

by Ma Ke

Using device_find_child() to locate a probed virtual-device-port node causes a device refcount imbalance, as device_find_child() internally calls get_device() to increment the device’s reference count before returning its pointer. vdc_port_mpgroup_check() directly returns true upon finding a matching device without releasing the reference via put_device(). We should call put_device() to decrement refcount. As comment of device_find_child() says, 'NOTE: you will need to drop the reference with put_device() after use'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 3ee70591d6c4 ("sunvdc: prevent sunvdc panic when mpgroup disk added to guest domain") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - keep the change style simple as suggestions. --- drivers/block/sunvdc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/block/sunvdc.c b/drivers/block/sunvdc.c index b5727dea15bd..7af21fe67671 100644 --- a/drivers/block/sunvdc.c +++ b/drivers/block/sunvdc.c @@ -957,8 +957,10 @@ static bool vdc_port_mpgroup_check(struct vio_dev *vdev) dev = device_find_child(vdev->dev.parent, &port_data, vdc_device_probed); - if (dev) + if (dev) { + put_device(dev); return true; + } return false; } -- 2.25.1

1 month, 3 weeks

2
1
0 0

[PATCH] comedi: fix race between polling and detaching

by Ian Abbott

syzbot reports a use-after-free in comedi in the below link, which is due to comedi gladly removing the allocated async area even though poll requests are still active on the wait_queue_head inside of it. This can cause a use-after-free when the poll entries are later triggered or removed, as the memory for the wait_queue_head has been freed. We need to check there are no tasks queued on any of the subdevices' wait queues before allowing the device to be detached by the `COMEDI_DEVCONFIG` ioctl. Tasks will read-lock `dev->attach_lock` before adding themselves to the subdevice wait queue, so fix the problem in the `COMEDI_DEVCONFIG` ioctl handler by write-locking `dev->attach_lock` before checking that all of the subdevices are safe to be deleted. This includes testing for any sleepers on the subdevices' wait queues. It remains locked until the device has been detached. This requires the `comedi_device_detach()` function to be refactored slightly, moving the bulk of it into new function `comedi_device_detach_locked()`. Note that the refactor of `comedi_device_detach()` results in `comedi_device_cancel_all()` now being called while `dev->attach_lock` is write-locked, which wasn't the case previously, but that does not matter. Thanks to Jens Axboe for diagnosing the problem and co-developing this patch. Cc: <stable(a)vger.kernel.org> # 5.13+ Fixes: 2f3fdcd7ce93 ("staging: comedi: add rw_semaphore to protect against device detachment") Link: https://lore.kernel.org/all/687bd5fe.a70a0220.693ce.0091.GAE@google.com/ Reported-by: syzbot+01523a0ae5600aef5895(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=01523a0ae5600aef5895 Co-developed-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> --- Patch does not apply cleanly to longterm release series 5.10 and 5.4. --- drivers/comedi/comedi_fops.c | 31 ++++++++++++++++++++++++------- drivers/comedi/comedi_internal.h | 1 + drivers/comedi/drivers.c | 13 ++++++++++--- 3 files changed, 35 insertions(+), 10 deletions(-) diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c index 3383a7ce27ff..3007fe946e42 100644 --- a/drivers/comedi/comedi_fops.c +++ b/drivers/comedi/comedi_fops.c @@ -787,6 +787,7 @@ static int is_device_busy(struct comedi_device *dev) struct comedi_subdevice *s; int i; + lockdep_assert_held_write(&dev->attach_lock); lockdep_assert_held(&dev->mutex); if (!dev->attached) return 0; @@ -795,7 +796,16 @@ static int is_device_busy(struct comedi_device *dev) s = &dev->subdevices[i]; if (s->busy) return 1; - if (s->async && comedi_buf_is_mmapped(s)) + if (!s->async) + continue; + if (comedi_buf_is_mmapped(s)) + return 1; + /* + * There may be tasks still waiting on the subdevice's wait + * queue, although they should already be about to be removed + * from it since the subdevice has no active async command. + */ + if (wq_has_sleeper(&s->async->wait_head)) return 1; } @@ -825,15 +835,22 @@ static int do_devconfig_ioctl(struct comedi_device *dev, return -EPERM; if (!arg) { - if (is_device_busy(dev)) - return -EBUSY; + int rc = 0; + if (dev->attached) { - struct module *driver_module = dev->driver->module; + down_write(&dev->attach_lock); + if (is_device_busy(dev)) { + rc = -EBUSY; + } else { + struct module *driver_module = + dev->driver->module; - comedi_device_detach(dev); - module_put(driver_module); + comedi_device_detach_locked(dev); + module_put(driver_module); + } + up_write(&dev->attach_lock); } - return 0; + return rc; } if (copy_from_user(&it, arg, sizeof(it))) diff --git a/drivers/comedi/comedi_internal.h b/drivers/comedi/comedi_internal.h index 9b3631a654c8..cf10ba016ebc 100644 --- a/drivers/comedi/comedi_internal.h +++ b/drivers/comedi/comedi_internal.h @@ -50,6 +50,7 @@ extern struct mutex comedi_drivers_list_lock; int insn_inval(struct comedi_device *dev, struct comedi_subdevice *s, struct comedi_insn *insn, unsigned int *data); +void comedi_device_detach_locked(struct comedi_device *dev); void comedi_device_detach(struct comedi_device *dev); int comedi_device_attach(struct comedi_device *dev, struct comedi_devconfig *it); diff --git a/drivers/comedi/drivers.c b/drivers/comedi/drivers.c index 376130bfba8a..f5c2ee271d0e 100644 --- a/drivers/comedi/drivers.c +++ b/drivers/comedi/drivers.c @@ -158,7 +158,7 @@ static void comedi_device_detach_cleanup(struct comedi_device *dev) int i; struct comedi_subdevice *s; - lockdep_assert_held(&dev->attach_lock); + lockdep_assert_held_write(&dev->attach_lock); lockdep_assert_held(&dev->mutex); if (dev->subdevices) { for (i = 0; i < dev->n_subdevices; i++) { @@ -196,16 +196,23 @@ static void comedi_device_detach_cleanup(struct comedi_device *dev) comedi_clear_hw_dev(dev); } -void comedi_device_detach(struct comedi_device *dev) +void comedi_device_detach_locked(struct comedi_device *dev) { + lockdep_assert_held_write(&dev->attach_lock); lockdep_assert_held(&dev->mutex); comedi_device_cancel_all(dev); - down_write(&dev->attach_lock); dev->attached = false; dev->detach_count++; if (dev->driver) dev->driver->detach(dev); comedi_device_detach_cleanup(dev); +} + +void comedi_device_detach(struct comedi_device *dev) +{ + lockdep_assert_held(&dev->mutex); + down_write(&dev->attach_lock); + comedi_device_detach_locked(dev); up_write(&dev->attach_lock); } -- 2.47.2

1 month, 3 weeks

2
1
0 0

[PATCH v3] wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again

by Muhammad Usama Anjum

Don't deinitialize and reinitialize the HAL helpers. The dma memory is deallocated and there is high possibility that we'll not be able to get the same memory allocated from dma when there is high memory pressure. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03926.13-QCAHSPSWPL_V2_SILICONZ_CE-2.52297.6 Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") Cc: stable(a)vger.kernel.org Cc: Baochen Qiang <baochen.qiang(a)oss.qualcomm.com> Reviewed-by: Baochen Qiang <baochen.qiang(a)oss.qualcomm.com> Signed-off-by: Muhammad Usama Anjum <usama.anjum(a)collabora.com> --- Changes since v1: - Cc stable and fix tested on tag - Clear essential fields as they may have stale data Changes since v2: - Add comment and reviewed by tag --- drivers/net/wireless/ath/ath11k/core.c | 6 +----- drivers/net/wireless/ath/ath11k/hal.c | 16 ++++++++++++++++ drivers/net/wireless/ath/ath11k/hal.h | 1 + 3 files changed, 18 insertions(+), 5 deletions(-) diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c index 4488e4cdc5e9e..34b27711ed00f 100644 --- a/drivers/net/wireless/ath/ath11k/core.c +++ b/drivers/net/wireless/ath/ath11k/core.c @@ -2213,14 +2213,10 @@ static int ath11k_core_reconfigure_on_crash(struct ath11k_base *ab) mutex_unlock(&ab->core_lock); ath11k_dp_free(ab); - ath11k_hal_srng_deinit(ab); + ath11k_hal_srng_clear(ab); ab->free_vdev_map = (1LL << (ab->num_radios * TARGET_NUM_VDEVS(ab))) - 1; - ret = ath11k_hal_srng_init(ab); - if (ret) - return ret; - clear_bit(ATH11K_FLAG_CRASH_FLUSH, &ab->dev_flags); ret = ath11k_core_qmi_firmware_ready(ab); diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c index b32de563d453a..e8ebf963f195c 100644 --- a/drivers/net/wireless/ath/ath11k/hal.c +++ b/drivers/net/wireless/ath/ath11k/hal.c @@ -1359,6 +1359,22 @@ void ath11k_hal_srng_deinit(struct ath11k_base *ab) } EXPORT_SYMBOL(ath11k_hal_srng_deinit); +void ath11k_hal_srng_clear(struct ath11k_base *ab) +{ + /* No need to memset rdp and wrp memory since each individual + * segment would get cleared ath11k_hal_srng_src_hw_init() and + * ath11k_hal_srng_dst_hw_init(). + */ + memset(ab->hal.srng_list, 0, + sizeof(ab->hal.srng_list)); + memset(ab->hal.shadow_reg_addr, 0, + sizeof(ab->hal.shadow_reg_addr)); + ab->hal.avail_blk_resource = 0; + ab->hal.current_blk_index = 0; + ab->hal.num_shadow_reg_configured = 0; +} +EXPORT_SYMBOL(ath11k_hal_srng_clear); + void ath11k_hal_dump_srng_stats(struct ath11k_base *ab) { struct hal_srng *srng; diff --git a/drivers/net/wireless/ath/ath11k/hal.h b/drivers/net/wireless/ath/ath11k/hal.h index 601542410c752..839095af9267e 100644 --- a/drivers/net/wireless/ath/ath11k/hal.h +++ b/drivers/net/wireless/ath/ath11k/hal.h @@ -965,6 +965,7 @@ int ath11k_hal_srng_setup(struct ath11k_base *ab, enum hal_ring_type type, struct hal_srng_params *params); int ath11k_hal_srng_init(struct ath11k_base *ath11k); void ath11k_hal_srng_deinit(struct ath11k_base *ath11k); +void ath11k_hal_srng_clear(struct ath11k_base *ab); void ath11k_hal_dump_srng_stats(struct ath11k_base *ab); void ath11k_hal_srng_get_shadow_config(struct ath11k_base *ab, u32 **cfg, u32 *len); -- 2.39.5

1 month, 3 weeks

3
4
0 0

FAILED: patch "[PATCH] tracing: Add down_write(trace_event_sem) when adding trace" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x b5e8acc14dcb314a9b61ff19dcd9fdd0d88f70df # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072113-perjury-dynamite-23ba@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b5e8acc14dcb314a9b61ff19dcd9fdd0d88f70df Mon Sep 17 00:00:00 2001 From: Steven Rostedt <rostedt(a)goodmis.org> Date: Fri, 18 Jul 2025 22:31:58 -0400 Subject: [PATCH] tracing: Add down_write(trace_event_sem) when adding trace event MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When a module is loaded, it adds trace events defined by the module. It may also need to modify the modules trace printk formats to replace enum names with their values. If two modules are loaded at the same time, the adding of the event to the ftrace_events list can corrupt the walking of the list in the code that is modifying the printk format strings and crash the kernel. The addition of the event should take the trace_event_sem for write while it adds the new event. Also add a lockdep_assert_held() on that semaphore in __trace_add_event_dirs() as it iterates the list. Cc: stable(a)vger.kernel.org Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Acked-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Link: https://lore.kernel.org/20250718223158.799bfc0c@batman.local.home Reported-by: Fusheng Huang(黄富生) <Fusheng.Huang(a)luxshare-ict.com> Closes: https://lore.kernel.org/all/20250717105007.46ccd18f@batman.local.home/ Fixes: 110bf2b764eb6 ("tracing: add protection around module events unload") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c index 120531268abf..d01e5c910ce1 100644 --- a/kernel/trace/trace_events.c +++ b/kernel/trace/trace_events.c @@ -3136,7 +3136,10 @@ __register_event(struct trace_event_call *call, struct module *mod) if (ret < 0) return ret; + down_write(&trace_event_sem); list_add(&call->list, &ftrace_events); + up_write(&trace_event_sem); + if (call->flags & TRACE_EVENT_FL_DYNAMIC) atomic_set(&call->refcnt, 0); else @@ -3750,6 +3753,8 @@ __trace_add_event_dirs(struct trace_array *tr) struct trace_event_call *call; int ret; + lockdep_assert_held(&trace_event_sem); + list_for_each_entry(call, &ftrace_events, list) { ret = __trace_add_new_event(call, tr); if (ret < 0)

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] tracing: Add down_write(trace_event_sem) when adding trace" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x b5e8acc14dcb314a9b61ff19dcd9fdd0d88f70df # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072113-nutty-other-f178@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b5e8acc14dcb314a9b61ff19dcd9fdd0d88f70df Mon Sep 17 00:00:00 2001 From: Steven Rostedt <rostedt(a)goodmis.org> Date: Fri, 18 Jul 2025 22:31:58 -0400 Subject: [PATCH] tracing: Add down_write(trace_event_sem) when adding trace event MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When a module is loaded, it adds trace events defined by the module. It may also need to modify the modules trace printk formats to replace enum names with their values. If two modules are loaded at the same time, the adding of the event to the ftrace_events list can corrupt the walking of the list in the code that is modifying the printk format strings and crash the kernel. The addition of the event should take the trace_event_sem for write while it adds the new event. Also add a lockdep_assert_held() on that semaphore in __trace_add_event_dirs() as it iterates the list. Cc: stable(a)vger.kernel.org Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Acked-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Link: https://lore.kernel.org/20250718223158.799bfc0c@batman.local.home Reported-by: Fusheng Huang(黄富生) <Fusheng.Huang(a)luxshare-ict.com> Closes: https://lore.kernel.org/all/20250717105007.46ccd18f@batman.local.home/ Fixes: 110bf2b764eb6 ("tracing: add protection around module events unload") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c index 120531268abf..d01e5c910ce1 100644 --- a/kernel/trace/trace_events.c +++ b/kernel/trace/trace_events.c @@ -3136,7 +3136,10 @@ __register_event(struct trace_event_call *call, struct module *mod) if (ret < 0) return ret; + down_write(&trace_event_sem); list_add(&call->list, &ftrace_events); + up_write(&trace_event_sem); + if (call->flags & TRACE_EVENT_FL_DYNAMIC) atomic_set(&call->refcnt, 0); else @@ -3750,6 +3753,8 @@ __trace_add_event_dirs(struct trace_array *tr) struct trace_event_call *call; int ret; + lockdep_assert_held(&trace_event_sem); + list_for_each_entry(call, &ftrace_events, list) { ret = __trace_add_new_event(call, tr); if (ret < 0)

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] pmdomain: governor: Consider CPU latency tolerance from" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 500ba33284416255b9a5b50ace24470b6fe77ea5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072114-matriarch-decline-2598@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 500ba33284416255b9a5b50ace24470b6fe77ea5 Mon Sep 17 00:00:00 2001 From: Maulik Shah <maulik.shah(a)oss.qualcomm.com> Date: Wed, 9 Jul 2025 14:00:11 +0530 Subject: [PATCH] pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov pm_domain_cpu_gov is selecting a cluster idle state but does not consider latency tolerance of child CPUs. This results in deeper cluster idle state whose latency does not meet latency tolerance requirement. Select deeper idle state only if global and device latency tolerance of all child CPUs meet. Test results on SM8750 with 300 usec PM-QoS on CPU0 which is less than domain idle state entry (2150) + exit (1983) usec latency mentioned in devicetree, demonstrate the issue. # echo 300 > /sys/devices/system/cpu/cpu0/power/pm_qos_resume_latency_us Before: (Usage is incrementing) ====== # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states State Time Spent(ms) Usage Rejected Above Below S0 29817 537 8 270 0 # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states State Time Spent(ms) Usage Rejected Above Below S0 30348 542 8 271 0 After: (Usage is not incrementing due to latency tolerance) ====== # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states State Time Spent(ms) Usage Rejected Above Below S0 39319 626 14 307 0 # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states State Time Spent(ms) Usage Rejected Above Below S0 39319 626 14 307 0 Signed-off-by: Maulik Shah <maulik.shah(a)oss.qualcomm.com> Fixes: e94999688e3a ("PM / Domains: Add genpd governor for CPUs") Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250709-pmdomain_qos-v2-1-976b12257899@oss.qualc… Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/governor.c b/drivers/pmdomain/governor.c index c1e148657c87..39359811a930 100644 --- a/drivers/pmdomain/governor.c +++ b/drivers/pmdomain/governor.c @@ -8,6 +8,7 @@ #include <linux/pm_domain.h> #include <linux/pm_qos.h> #include <linux/hrtimer.h> +#include <linux/cpu.h> #include <linux/cpuidle.h> #include <linux/cpumask.h> #include <linux/ktime.h> @@ -349,6 +350,8 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) struct cpuidle_device *dev; ktime_t domain_wakeup, next_hrtimer; ktime_t now = ktime_get(); + struct device *cpu_dev; + s64 cpu_constraint, global_constraint; s64 idle_duration_ns; int cpu, i; @@ -359,6 +362,7 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) if (!(genpd->flags & GENPD_FLAG_CPU_DOMAIN)) return true; + global_constraint = cpu_latency_qos_limit(); /* * Find the next wakeup for any of the online CPUs within the PM domain * and its subdomains. Note, we only need the genpd->cpus, as it already @@ -372,8 +376,16 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) if (ktime_before(next_hrtimer, domain_wakeup)) domain_wakeup = next_hrtimer; } + + cpu_dev = get_cpu_device(cpu); + if (cpu_dev) { + cpu_constraint = dev_pm_qos_raw_resume_latency(cpu_dev); + if (cpu_constraint < global_constraint) + global_constraint = cpu_constraint; + } } + global_constraint *= NSEC_PER_USEC; /* The minimum idle duration is from now - until the next wakeup. */ idle_duration_ns = ktime_to_ns(ktime_sub(domain_wakeup, now)); if (idle_duration_ns <= 0) @@ -389,8 +401,10 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) */ i = genpd->state_idx; do { - if (idle_duration_ns >= (genpd->states[i].residency_ns + - genpd->states[i].power_off_latency_ns)) { + if ((idle_duration_ns >= (genpd->states[i].residency_ns + + genpd->states[i].power_off_latency_ns)) && + (global_constraint >= (genpd->states[i].power_on_latency_ns + + genpd->states[i].power_off_latency_ns))) { genpd->state_idx = i; genpd->gd->last_enter = now; genpd->gd->reflect_residency = true;

1 month, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] pmdomain: governor: Consider CPU latency tolerance from" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 500ba33284416255b9a5b50ace24470b6fe77ea5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072113-grill-thimble-5d5c@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 500ba33284416255b9a5b50ace24470b6fe77ea5 Mon Sep 17 00:00:00 2001 From: Maulik Shah <maulik.shah(a)oss.qualcomm.com> Date: Wed, 9 Jul 2025 14:00:11 +0530 Subject: [PATCH] pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov pm_domain_cpu_gov is selecting a cluster idle state but does not consider latency tolerance of child CPUs. This results in deeper cluster idle state whose latency does not meet latency tolerance requirement. Select deeper idle state only if global and device latency tolerance of all child CPUs meet. Test results on SM8750 with 300 usec PM-QoS on CPU0 which is less than domain idle state entry (2150) + exit (1983) usec latency mentioned in devicetree, demonstrate the issue. # echo 300 > /sys/devices/system/cpu/cpu0/power/pm_qos_resume_latency_us Before: (Usage is incrementing) ====== # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states State Time Spent(ms) Usage Rejected Above Below S0 29817 537 8 270 0 # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states State Time Spent(ms) Usage Rejected Above Below S0 30348 542 8 271 0 After: (Usage is not incrementing due to latency tolerance) ====== # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states State Time Spent(ms) Usage Rejected Above Below S0 39319 626 14 307 0 # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states State Time Spent(ms) Usage Rejected Above Below S0 39319 626 14 307 0 Signed-off-by: Maulik Shah <maulik.shah(a)oss.qualcomm.com> Fixes: e94999688e3a ("PM / Domains: Add genpd governor for CPUs") Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250709-pmdomain_qos-v2-1-976b12257899@oss.qualc… Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/governor.c b/drivers/pmdomain/governor.c index c1e148657c87..39359811a930 100644 --- a/drivers/pmdomain/governor.c +++ b/drivers/pmdomain/governor.c @@ -8,6 +8,7 @@ #include <linux/pm_domain.h> #include <linux/pm_qos.h> #include <linux/hrtimer.h> +#include <linux/cpu.h> #include <linux/cpuidle.h> #include <linux/cpumask.h> #include <linux/ktime.h> @@ -349,6 +350,8 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) struct cpuidle_device *dev; ktime_t domain_wakeup, next_hrtimer; ktime_t now = ktime_get(); + struct device *cpu_dev; + s64 cpu_constraint, global_constraint; s64 idle_duration_ns; int cpu, i; @@ -359,6 +362,7 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) if (!(genpd->flags & GENPD_FLAG_CPU_DOMAIN)) return true; + global_constraint = cpu_latency_qos_limit(); /* * Find the next wakeup for any of the online CPUs within the PM domain * and its subdomains. Note, we only need the genpd->cpus, as it already @@ -372,8 +376,16 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) if (ktime_before(next_hrtimer, domain_wakeup)) domain_wakeup = next_hrtimer; } + + cpu_dev = get_cpu_device(cpu); + if (cpu_dev) { + cpu_constraint = dev_pm_qos_raw_resume_latency(cpu_dev); + if (cpu_constraint < global_constraint) + global_constraint = cpu_constraint; + } } + global_constraint *= NSEC_PER_USEC; /* The minimum idle duration is from now - until the next wakeup. */ idle_duration_ns = ktime_to_ns(ktime_sub(domain_wakeup, now)); if (idle_duration_ns <= 0) @@ -389,8 +401,10 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) */ i = genpd->state_idx; do { - if (idle_duration_ns >= (genpd->states[i].residency_ns + - genpd->states[i].power_off_latency_ns)) { + if ((idle_duration_ns >= (genpd->states[i].residency_ns + + genpd->states[i].power_off_latency_ns)) && + (global_constraint >= (genpd->states[i].power_on_latency_ns + + genpd->states[i].power_off_latency_ns))) { genpd->state_idx = i; genpd->gd->last_enter = now; genpd->gd->reflect_residency = true;

1 month, 3 weeks

2
1
0 0

[PATCH 6.1] crypto: qat - fix ring to service map for QAT GEN4

by Giovanni Cabiddu

[ Upstream commit a238487f7965d102794ed9f8aff0b667cd2ae886 ] The 4xxx drivers hardcode the ring to service mapping. However, when additional configurations where added to the driver, the mappings were not updated. This implies that an incorrect mapping might be reported through pfvf for certain configurations. This is a backport of the upstream commit with modifications, as the original patch does not apply cleanly to kernel v6.1.x. The logic has been simplified to reflect the limited configurations of the QAT driver in this version: crypto-only and compression. Instead of dynamically computing the ring to service mappings, these are now hardcoded to simplify the backport. Fixes: 0cec19c761e5 ("crypto: qat - add support for compression for 4xxx") Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> Reviewed-by: Damian Muszynski <damian.muszynski(a)intel.com> Reviewed-by: Tero Kristo <tero.kristo(a)linux.intel.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Cc: <stable(a)vger.kernel.org> # 6.1.x Reviewed-by: Ahsan Atta <ahsan.atta(a)intel.com> Tested-by: Ahsan Atta <ahsan.atta(a)intel.com> --- drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c | 13 +++++++++++++ drivers/crypto/qat/qat_common/adf_accel_devices.h | 1 + drivers/crypto/qat/qat_common/adf_gen4_hw_data.h | 6 ++++++ drivers/crypto/qat/qat_common/adf_init.c | 3 +++ 4 files changed, 23 insertions(+) diff --git a/drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c b/drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c index fda5f699ff57..65b52c692add 100644 --- a/drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c +++ b/drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c @@ -297,6 +297,18 @@ static char *uof_get_name(struct adf_accel_dev *accel_dev, u32 obj_num) return NULL; } +static u16 get_ring_to_svc_map(struct adf_accel_dev *accel_dev) +{ + switch (get_service_enabled(accel_dev)) { + case SVC_CY: + return ADF_GEN4_DEFAULT_RING_TO_SRV_MAP; + case SVC_DC: + return ADF_GEN4_DEFAULT_RING_TO_SRV_MAP_DC; + } + + return 0; +} + static u32 uof_get_ae_mask(struct adf_accel_dev *accel_dev, u32 obj_num) { switch (get_service_enabled(accel_dev)) { @@ -353,6 +365,7 @@ void adf_init_hw_data_4xxx(struct adf_hw_device_data *hw_data) hw_data->uof_get_ae_mask = uof_get_ae_mask; hw_data->set_msix_rttable = set_msix_default_rttable; hw_data->set_ssm_wdtimer = adf_gen4_set_ssm_wdtimer; + hw_data->get_ring_to_svc_map = get_ring_to_svc_map; hw_data->disable_iov = adf_disable_sriov; hw_data->ring_pair_reset = adf_gen4_ring_pair_reset; hw_data->enable_pm = adf_gen4_enable_pm; diff --git a/drivers/crypto/qat/qat_common/adf_accel_devices.h b/drivers/crypto/qat/qat_common/adf_accel_devices.h index ad01d99e6e2b..7993d0f82dea 100644 --- a/drivers/crypto/qat/qat_common/adf_accel_devices.h +++ b/drivers/crypto/qat/qat_common/adf_accel_devices.h @@ -176,6 +176,7 @@ struct adf_hw_device_data { void (*get_arb_info)(struct arb_info *arb_csrs_info); void (*get_admin_info)(struct admin_info *admin_csrs_info); enum dev_sku_info (*get_sku)(struct adf_hw_device_data *self); + u16 (*get_ring_to_svc_map)(struct adf_accel_dev *accel_dev); int (*alloc_irq)(struct adf_accel_dev *accel_dev); void (*free_irq)(struct adf_accel_dev *accel_dev); void (*enable_error_correction)(struct adf_accel_dev *accel_dev); diff --git a/drivers/crypto/qat/qat_common/adf_gen4_hw_data.h b/drivers/crypto/qat/qat_common/adf_gen4_hw_data.h index 4fb4b3df5a18..5e653ec755e6 100644 --- a/drivers/crypto/qat/qat_common/adf_gen4_hw_data.h +++ b/drivers/crypto/qat/qat_common/adf_gen4_hw_data.h @@ -95,6 +95,12 @@ do { \ ADF_RING_BUNDLE_SIZE * (bank) + \ ADF_RING_CSR_RING_SRV_ARB_EN, (value)) +#define ADF_GEN4_DEFAULT_RING_TO_SRV_MAP_DC \ + (COMP << ADF_CFG_SERV_RING_PAIR_0_SHIFT | \ + COMP << ADF_CFG_SERV_RING_PAIR_1_SHIFT | \ + COMP << ADF_CFG_SERV_RING_PAIR_2_SHIFT | \ + COMP << ADF_CFG_SERV_RING_PAIR_3_SHIFT) + /* Default ring mapping */ #define ADF_GEN4_DEFAULT_RING_TO_SRV_MAP \ (ASYM << ADF_CFG_SERV_RING_PAIR_0_SHIFT | \ diff --git a/drivers/crypto/qat/qat_common/adf_init.c b/drivers/crypto/qat/qat_common/adf_init.c index 2e3481270c4b..49f07584f8c9 100644 --- a/drivers/crypto/qat/qat_common/adf_init.c +++ b/drivers/crypto/qat/qat_common/adf_init.c @@ -95,6 +95,9 @@ int adf_dev_init(struct adf_accel_dev *accel_dev) return -EFAULT; } + if (hw_data->get_ring_to_svc_map) + hw_data->ring_to_svc_map = hw_data->get_ring_to_svc_map(accel_dev); + if (adf_ae_init(accel_dev)) { dev_err(&GET_DEV(accel_dev), "Failed to initialise Acceleration Engine\n"); -- 2.50.0

1 month, 3 weeks

3
6
0 0

Re: Patch "smb: client: make use of common smbdirect_socket_parameters" has been added to the 6.12-stable tree

by Stefan Metzmacher

Hi, any reason why this is only backported to 6.12, but not 6.15? I'm looking at v6.15.5 and v6.12.36 and the following are missing from 6.15: bced02aca343 David Howells Wed Apr 2 20:27:26 2025 +0100 cifs: Fix reading into an ITER_FOLIOQ from the smbdirect code 87dcc7e33fc3 David Howells Wed Jun 25 14:15:04 2025 +0100 cifs: Fix the smbd_response slab to allow usercopy b8ddcca4391e Stefan Metzmacher Wed May 28 18:01:40 2025 +0200 smb: client: make use of common smbdirect_socket_parameters 69cafc413c2d Stefan Metzmacher Wed May 28 18:01:39 2025 +0200 smb: smbdirect: introduce smbdirect_socket_parameters c39639bc7723 Stefan Metzmacher Wed May 28 18:01:37 2025 +0200 smb: client: make use of common smbdirect_socket f4b05342c293 Stefan Metzmacher Wed May 28 18:01:36 2025 +0200 smb: smbdirect: add smbdirect_socket.h a6ec1fcafd41 Stefan Metzmacher Wed May 28 18:01:33 2025 +0200 smb: smbdirect: add smbdirect.h with public structures 6509de31b1b6 Stefan Metzmacher Wed May 28 18:01:31 2025 +0200 smb: client: make use of common smbdirect_pdu.h a9bb4006c4f3 Stefan Metzmacher Wed May 28 18:01:30 2025 +0200 smb: smbdirect: add smbdirect_pdu.h with protocol definitions With these being backported to 6.15 too, the following is missing in both: commit 1944f6ab4967db7ad8d4db527dceae8c77de76e9 Author: Stefan Metzmacher <metze(a)samba.org> AuthorDate: Wed Jun 25 10:16:38 2025 +0200 Commit: Steve French <stfrench(a)microsoft.com> CommitDate: Wed Jun 25 11:12:54 2025 -0500 smb: client: let smbd_post_send_iter() respect the peers max_send_size and transmit all data As it was marked as Cc: <stable+noautosel(a)kernel.org> # sp->max_send_size should be info->max_send_size in backports But now that the patches up to b8ddcca4391e are backported it can be cherry-picked just fine to both branches. Thanks! metze Am 29.06.25 um 16:56 schrieb Steve French: >> Steve: Do you agree? > > Yes > > Thanks, > > Steve > > On Sun, Jun 29, 2025, 9:48 AM Stefan Metzmacher <metze(a)samba.org> wrote: > >> Hi, >> >> if these patches are backported to stable then >> 1944f6ab4967db7ad8d4db527dceae8c77de76e9 >> "smb: client: let smbd_post_send_iter() respect the peers max_send_size >> and transmit all data" >> can also be backported as is. >> >> I just added the >> "Cc: <stable+noautosel(a)kernel.org> # sp->max_send_size should be >> info->max_send_size in backports" >> because I thought they would not be backported. >> >> I'm fine with backporting the header changes... >> >> @Steve: Do you agree? >> >> Thanks! >> metze >> >> Am 29.06.25 um 16:28 schrieb Sasha Levin: >>> This is a note to let you know that I've just added the patch titled >>> >>> smb: client: make use of common smbdirect_socket_parameters >>> >>> to the 6.12-stable tree which can be found at: >>> >> http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… >>> >>> The filename of the patch is: >>> smb-client-make-use-of-common-smbdirect_socket_param.patch >>> and it can be found in the queue-6.12 subdirectory. >>> >>> If you, or anyone else, feels it should not be added to the stable tree, >>> please let <stable(a)vger.kernel.org> know about it. >>> >>> >>> >>> commit a1fa1698297356797d7a0379b7e056744fd133ac >>> Author: Stefan Metzmacher <metze(a)samba.org> >>> Date: Wed May 28 18:01:40 2025 +0200 >>> >>> smb: client: make use of common smbdirect_socket_parameters >>> >>> [ Upstream commit cc55f65dd352bdb7bdf8db1c36fb348c294c3b66 ] >>> >>> Cc: Steve French <smfrench(a)gmail.com> >>> Cc: Tom Talpey <tom(a)talpey.com> >>> Cc: Long Li <longli(a)microsoft.com> >>> Cc: Namjae Jeon <linkinjeon(a)kernel.org> >>> Cc: Hyunchul Lee <hyc.lee(a)gmail.com> >>> Cc: Meetakshi Setiya <meetakshisetiyaoss(a)gmail.com> >>> Cc: linux-cifs(a)vger.kernel.org >>> Cc: samba-technical(a)lists.samba.org >>> Signed-off-by: Stefan Metzmacher <metze(a)samba.org> >>> Signed-off-by: Steve French <stfrench(a)microsoft.com> >>> Stable-dep-of: 43e7e284fc77 ("cifs: Fix the smbd_response slab to >> allow usercopy") >>> Signed-off-by: Sasha Levin <sashal(a)kernel.org> >>> >>> diff --git a/fs/smb/client/cifs_debug.c b/fs/smb/client/cifs_debug.c >>> index 56b0b5c82dd19..c0196be0e65fc 100644 >>> --- a/fs/smb/client/cifs_debug.c >>> +++ b/fs/smb/client/cifs_debug.c >>> @@ -362,6 +362,10 @@ static int cifs_debug_data_proc_show(struct >> seq_file *m, void *v) >>> c = 0; >>> spin_lock(&cifs_tcp_ses_lock); >>> list_for_each_entry(server, &cifs_tcp_ses_list, tcp_ses_list) { >>> +#ifdef CONFIG_CIFS_SMB_DIRECT >>> + struct smbdirect_socket_parameters *sp; >>> +#endif >>> + >>> /* channel info will be printed as a part of sessions >> below */ >>> if (SERVER_IS_CHAN(server)) >>> continue; >>> @@ -383,6 +387,7 @@ static int cifs_debug_data_proc_show(struct seq_file >> *m, void *v) >>> seq_printf(m, "\nSMBDirect transport not >> available"); >>> goto skip_rdma; >>> } >>> + sp = &server->smbd_conn->socket.parameters; >>> >>> seq_printf(m, "\nSMBDirect (in hex) protocol version: %x " >>> "transport status: %x", >>> @@ -390,18 +395,18 @@ static int cifs_debug_data_proc_show(struct >> seq_file *m, void *v) >>> server->smbd_conn->socket.status); >>> seq_printf(m, "\nConn receive_credit_max: %x " >>> "send_credit_target: %x max_send_size: %x", >>> - server->smbd_conn->receive_credit_max, >>> - server->smbd_conn->send_credit_target, >>> - server->smbd_conn->max_send_size); >>> + sp->recv_credit_max, >>> + sp->send_credit_target, >>> + sp->max_send_size); >>> seq_printf(m, "\nConn max_fragmented_recv_size: %x " >>> "max_fragmented_send_size: %x max_receive_size:%x", >>> - server->smbd_conn->max_fragmented_recv_size, >>> - server->smbd_conn->max_fragmented_send_size, >>> - server->smbd_conn->max_receive_size); >>> + sp->max_fragmented_recv_size, >>> + sp->max_fragmented_send_size, >>> + sp->max_recv_size); >>> seq_printf(m, "\nConn keep_alive_interval: %x " >>> "max_readwrite_size: %x rdma_readwrite_threshold: >> %x", >>> - server->smbd_conn->keep_alive_interval, >>> - server->smbd_conn->max_readwrite_size, >>> + sp->keepalive_interval_msec * 1000, >>> + sp->max_read_write_size, >>> server->smbd_conn->rdma_readwrite_threshold); >>> seq_printf(m, "\nDebug count_get_receive_buffer: %x " >>> "count_put_receive_buffer: %x count_send_empty: >> %x", >>> diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c >>> index 74bcc51ccd32f..e596bc4837b68 100644 >>> --- a/fs/smb/client/smb2ops.c >>> +++ b/fs/smb/client/smb2ops.c >>> @@ -504,6 +504,9 @@ smb3_negotiate_wsize(struct cifs_tcon *tcon, struct >> smb3_fs_context *ctx) >>> wsize = min_t(unsigned int, wsize, server->max_write); >>> #ifdef CONFIG_CIFS_SMB_DIRECT >>> if (server->rdma) { >>> + struct smbdirect_socket_parameters *sp = >>> + &server->smbd_conn->socket.parameters; >>> + >>> if (server->sign) >>> /* >>> * Account for SMB2 data transfer packet header and >>> @@ -511,12 +514,12 @@ smb3_negotiate_wsize(struct cifs_tcon *tcon, >> struct smb3_fs_context *ctx) >>> */ >>> wsize = min_t(unsigned int, >>> wsize, >>> - >> server->smbd_conn->max_fragmented_send_size - >>> + sp->max_fragmented_send_size - >>> SMB2_READWRITE_PDU_HEADER_SIZE - >>> sizeof(struct smb2_transform_hdr)); >>> else >>> wsize = min_t(unsigned int, >>> - wsize, >> server->smbd_conn->max_readwrite_size); >>> + wsize, sp->max_read_write_size); >>> } >>> #endif >>> if (!(server->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU)) >>> @@ -552,6 +555,9 @@ smb3_negotiate_rsize(struct cifs_tcon *tcon, struct >> smb3_fs_context *ctx) >>> rsize = min_t(unsigned int, rsize, server->max_read); >>> #ifdef CONFIG_CIFS_SMB_DIRECT >>> if (server->rdma) { >>> + struct smbdirect_socket_parameters *sp = >>> + &server->smbd_conn->socket.parameters; >>> + >>> if (server->sign) >>> /* >>> * Account for SMB2 data transfer packet header and >>> @@ -559,12 +565,12 @@ smb3_negotiate_rsize(struct cifs_tcon *tcon, >> struct smb3_fs_context *ctx) >>> */ >>> rsize = min_t(unsigned int, >>> rsize, >>> - >> server->smbd_conn->max_fragmented_recv_size - >>> + sp->max_fragmented_recv_size - >>> SMB2_READWRITE_PDU_HEADER_SIZE - >>> sizeof(struct smb2_transform_hdr)); >>> else >>> rsize = min_t(unsigned int, >>> - rsize, >> server->smbd_conn->max_readwrite_size); >>> + rsize, sp->max_read_write_size); >>> } >>> #endif >>> >>> diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c >>> index ac489df8151a1..cbc85bca006f7 100644 >>> --- a/fs/smb/client/smbdirect.c >>> +++ b/fs/smb/client/smbdirect.c >>> @@ -320,6 +320,8 @@ static bool process_negotiation_response( >>> struct smbd_response *response, int packet_length) >>> { >>> struct smbd_connection *info = response->info; >>> + struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> struct smbdirect_negotiate_resp *packet = >> smbd_response_payload(response); >>> >>> if (packet_length < sizeof(struct smbdirect_negotiate_resp)) { >>> @@ -349,20 +351,20 @@ static bool process_negotiation_response( >>> >>> atomic_set(&info->receive_credits, 0); >>> >>> - if (le32_to_cpu(packet->preferred_send_size) > >> info->max_receive_size) { >>> + if (le32_to_cpu(packet->preferred_send_size) > sp->max_recv_size) { >>> log_rdma_event(ERR, "error: preferred_send_size=%d\n", >>> le32_to_cpu(packet->preferred_send_size)); >>> return false; >>> } >>> - info->max_receive_size = le32_to_cpu(packet->preferred_send_size); >>> + sp->max_recv_size = le32_to_cpu(packet->preferred_send_size); >>> >>> if (le32_to_cpu(packet->max_receive_size) < SMBD_MIN_RECEIVE_SIZE) >> { >>> log_rdma_event(ERR, "error: max_receive_size=%d\n", >>> le32_to_cpu(packet->max_receive_size)); >>> return false; >>> } >>> - info->max_send_size = min_t(int, info->max_send_size, >>> - >> le32_to_cpu(packet->max_receive_size)); >>> + sp->max_send_size = min_t(u32, sp->max_send_size, >>> + le32_to_cpu(packet->max_receive_size)); >>> >>> if (le32_to_cpu(packet->max_fragmented_size) < >>> SMBD_MIN_FRAGMENTED_SIZE) { >>> @@ -370,18 +372,18 @@ static bool process_negotiation_response( >>> le32_to_cpu(packet->max_fragmented_size)); >>> return false; >>> } >>> - info->max_fragmented_send_size = >>> + sp->max_fragmented_send_size = >>> le32_to_cpu(packet->max_fragmented_size); >>> info->rdma_readwrite_threshold = >>> - rdma_readwrite_threshold > info->max_fragmented_send_size ? >>> - info->max_fragmented_send_size : >>> + rdma_readwrite_threshold > sp->max_fragmented_send_size ? >>> + sp->max_fragmented_send_size : >>> rdma_readwrite_threshold; >>> >>> >>> - info->max_readwrite_size = min_t(u32, >>> + sp->max_read_write_size = min_t(u32, >>> le32_to_cpu(packet->max_readwrite_size), >>> info->max_frmr_depth * PAGE_SIZE); >>> - info->max_frmr_depth = info->max_readwrite_size / PAGE_SIZE; >>> + info->max_frmr_depth = sp->max_read_write_size / PAGE_SIZE; >>> >>> return true; >>> } >>> @@ -689,6 +691,7 @@ static int smbd_ia_open( >>> static int smbd_post_send_negotiate_req(struct smbd_connection *info) >>> { >>> struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> struct ib_send_wr send_wr; >>> int rc = -ENOMEM; >>> struct smbd_request *request; >>> @@ -704,11 +707,11 @@ static int smbd_post_send_negotiate_req(struct >> smbd_connection *info) >>> packet->min_version = cpu_to_le16(SMBDIRECT_V1); >>> packet->max_version = cpu_to_le16(SMBDIRECT_V1); >>> packet->reserved = 0; >>> - packet->credits_requested = cpu_to_le16(info->send_credit_target); >>> - packet->preferred_send_size = cpu_to_le32(info->max_send_size); >>> - packet->max_receive_size = cpu_to_le32(info->max_receive_size); >>> + packet->credits_requested = cpu_to_le16(sp->send_credit_target); >>> + packet->preferred_send_size = cpu_to_le32(sp->max_send_size); >>> + packet->max_receive_size = cpu_to_le32(sp->max_recv_size); >>> packet->max_fragmented_size = >>> - cpu_to_le32(info->max_fragmented_recv_size); >>> + cpu_to_le32(sp->max_fragmented_recv_size); >>> >>> request->num_sge = 1; >>> request->sge[0].addr = ib_dma_map_single( >>> @@ -800,6 +803,7 @@ static int smbd_post_send(struct smbd_connection >> *info, >>> struct smbd_request *request) >>> { >>> struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> struct ib_send_wr send_wr; >>> int rc, i; >>> >>> @@ -831,7 +835,7 @@ static int smbd_post_send(struct smbd_connection >> *info, >>> } else >>> /* Reset timer for idle connection after packet is sent */ >>> mod_delayed_work(info->workqueue, &info->idle_timer_work, >>> - info->keep_alive_interval*HZ); >>> + msecs_to_jiffies(sp->keepalive_interval_msec)); >>> >>> return rc; >>> } >>> @@ -841,6 +845,7 @@ static int smbd_post_send_iter(struct >> smbd_connection *info, >>> int *_remaining_data_length) >>> { >>> struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> int i, rc; >>> int header_length; >>> int data_length; >>> @@ -868,7 +873,7 @@ static int smbd_post_send_iter(struct >> smbd_connection *info, >>> >>> wait_send_queue: >>> wait_event(info->wait_post_send, >>> - atomic_read(&info->send_pending) < >> info->send_credit_target || >>> + atomic_read(&info->send_pending) < sp->send_credit_target >> || >>> sc->status != SMBDIRECT_SOCKET_CONNECTED); >>> >>> if (sc->status != SMBDIRECT_SOCKET_CONNECTED) { >>> @@ -878,7 +883,7 @@ static int smbd_post_send_iter(struct >> smbd_connection *info, >>> } >>> >>> if (unlikely(atomic_inc_return(&info->send_pending) > >>> - info->send_credit_target)) { >>> + sp->send_credit_target)) { >>> atomic_dec(&info->send_pending); >>> goto wait_send_queue; >>> } >>> @@ -917,7 +922,7 @@ static int smbd_post_send_iter(struct >> smbd_connection *info, >>> >>> /* Fill in the packet header */ >>> packet = smbd_request_payload(request); >>> - packet->credits_requested = cpu_to_le16(info->send_credit_target); >>> + packet->credits_requested = cpu_to_le16(sp->send_credit_target); >>> >>> new_credits = manage_credits_prior_sending(info); >>> atomic_add(new_credits, &info->receive_credits); >>> @@ -1017,16 +1022,17 @@ static int smbd_post_recv( >>> struct smbd_connection *info, struct smbd_response >> *response) >>> { >>> struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> struct ib_recv_wr recv_wr; >>> int rc = -EIO; >>> >>> response->sge.addr = ib_dma_map_single( >>> sc->ib.dev, response->packet, >>> - info->max_receive_size, DMA_FROM_DEVICE); >>> + sp->max_recv_size, DMA_FROM_DEVICE); >>> if (ib_dma_mapping_error(sc->ib.dev, response->sge.addr)) >>> return rc; >>> >>> - response->sge.length = info->max_receive_size; >>> + response->sge.length = sp->max_recv_size; >>> response->sge.lkey = sc->ib.pd->local_dma_lkey; >>> >>> response->cqe.done = recv_done; >>> @@ -1274,6 +1280,8 @@ static void idle_connection_timer(struct >> work_struct *work) >>> struct smbd_connection *info = container_of( >>> work, struct smbd_connection, >>> idle_timer_work.work); >>> + struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> >>> if (info->keep_alive_requested != KEEP_ALIVE_NONE) { >>> log_keep_alive(ERR, >>> @@ -1288,7 +1296,7 @@ static void idle_connection_timer(struct >> work_struct *work) >>> >>> /* Setup the next idle timeout work */ >>> queue_delayed_work(info->workqueue, &info->idle_timer_work, >>> - info->keep_alive_interval*HZ); >>> + msecs_to_jiffies(sp->keepalive_interval_msec)); >>> } >>> >>> /* >>> @@ -1300,6 +1308,7 @@ void smbd_destroy(struct TCP_Server_Info *server) >>> { >>> struct smbd_connection *info = server->smbd_conn; >>> struct smbdirect_socket *sc; >>> + struct smbdirect_socket_parameters *sp; >>> struct smbd_response *response; >>> unsigned long flags; >>> >>> @@ -1308,6 +1317,7 @@ void smbd_destroy(struct TCP_Server_Info *server) >>> return; >>> } >>> sc = &info->socket; >>> + sp = &sc->parameters; >>> >>> log_rdma_event(INFO, "destroying rdma session\n"); >>> if (sc->status != SMBDIRECT_SOCKET_DISCONNECTED) { >>> @@ -1349,7 +1359,7 @@ void smbd_destroy(struct TCP_Server_Info *server) >>> log_rdma_event(INFO, "free receive buffers\n"); >>> wait_event(info->wait_receive_queues, >>> info->count_receive_queue + info->count_empty_packet_queue >>> - == info->receive_credit_max); >>> + == sp->recv_credit_max); >>> destroy_receive_buffers(info); >>> >>> /* >>> @@ -1437,6 +1447,8 @@ static void destroy_caches_and_workqueue(struct >> smbd_connection *info) >>> #define MAX_NAME_LEN 80 >>> static int allocate_caches_and_workqueue(struct smbd_connection *info) >>> { >>> + struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> char name[MAX_NAME_LEN]; >>> int rc; >>> >>> @@ -1451,7 +1463,7 @@ static int allocate_caches_and_workqueue(struct >> smbd_connection *info) >>> return -ENOMEM; >>> >>> info->request_mempool = >>> - mempool_create(info->send_credit_target, >> mempool_alloc_slab, >>> + mempool_create(sp->send_credit_target, mempool_alloc_slab, >>> mempool_free_slab, info->request_cache); >>> if (!info->request_mempool) >>> goto out1; >>> @@ -1461,13 +1473,13 @@ static int allocate_caches_and_workqueue(struct >> smbd_connection *info) >>> kmem_cache_create( >>> name, >>> sizeof(struct smbd_response) + >>> - info->max_receive_size, >>> + sp->max_recv_size, >>> 0, SLAB_HWCACHE_ALIGN, NULL); >>> if (!info->response_cache) >>> goto out2; >>> >>> info->response_mempool = >>> - mempool_create(info->receive_credit_max, >> mempool_alloc_slab, >>> + mempool_create(sp->recv_credit_max, mempool_alloc_slab, >>> mempool_free_slab, info->response_cache); >>> if (!info->response_mempool) >>> goto out3; >>> @@ -1477,7 +1489,7 @@ static int allocate_caches_and_workqueue(struct >> smbd_connection *info) >>> if (!info->workqueue) >>> goto out4; >>> >>> - rc = allocate_receive_buffers(info, info->receive_credit_max); >>> + rc = allocate_receive_buffers(info, sp->recv_credit_max); >>> if (rc) { >>> log_rdma_event(ERR, "failed to allocate receive >> buffers\n"); >>> goto out5; >>> @@ -1505,6 +1517,7 @@ static struct smbd_connection >> *_smbd_get_connection( >>> int rc; >>> struct smbd_connection *info; >>> struct smbdirect_socket *sc; >>> + struct smbdirect_socket_parameters *sp; >>> struct rdma_conn_param conn_param; >>> struct ib_qp_init_attr qp_attr; >>> struct sockaddr_in *addr_in = (struct sockaddr_in *) dstaddr; >>> @@ -1515,6 +1528,7 @@ static struct smbd_connection >> *_smbd_get_connection( >>> if (!info) >>> return NULL; >>> sc = &info->socket; >>> + sp = &sc->parameters; >>> >>> sc->status = SMBDIRECT_SOCKET_CONNECTING; >>> rc = smbd_ia_open(info, dstaddr, port); >>> @@ -1541,12 +1555,12 @@ static struct smbd_connection >> *_smbd_get_connection( >>> goto config_failed; >>> } >>> >>> - info->receive_credit_max = smbd_receive_credit_max; >>> - info->send_credit_target = smbd_send_credit_target; >>> - info->max_send_size = smbd_max_send_size; >>> - info->max_fragmented_recv_size = smbd_max_fragmented_recv_size; >>> - info->max_receive_size = smbd_max_receive_size; >>> - info->keep_alive_interval = smbd_keep_alive_interval; >>> + sp->recv_credit_max = smbd_receive_credit_max; >>> + sp->send_credit_target = smbd_send_credit_target; >>> + sp->max_send_size = smbd_max_send_size; >>> + sp->max_fragmented_recv_size = smbd_max_fragmented_recv_size; >>> + sp->max_recv_size = smbd_max_receive_size; >>> + sp->keepalive_interval_msec = smbd_keep_alive_interval * 1000; >>> >>> if (sc->ib.dev->attrs.max_send_sge < SMBDIRECT_MAX_SEND_SGE || >>> sc->ib.dev->attrs.max_recv_sge < SMBDIRECT_MAX_RECV_SGE) { >>> @@ -1561,7 +1575,7 @@ static struct smbd_connection >> *_smbd_get_connection( >>> >>> sc->ib.send_cq = >>> ib_alloc_cq_any(sc->ib.dev, info, >>> - info->send_credit_target, IB_POLL_SOFTIRQ); >>> + sp->send_credit_target, IB_POLL_SOFTIRQ); >>> if (IS_ERR(sc->ib.send_cq)) { >>> sc->ib.send_cq = NULL; >>> goto alloc_cq_failed; >>> @@ -1569,7 +1583,7 @@ static struct smbd_connection >> *_smbd_get_connection( >>> >>> sc->ib.recv_cq = >>> ib_alloc_cq_any(sc->ib.dev, info, >>> - info->receive_credit_max, IB_POLL_SOFTIRQ); >>> + sp->recv_credit_max, IB_POLL_SOFTIRQ); >>> if (IS_ERR(sc->ib.recv_cq)) { >>> sc->ib.recv_cq = NULL; >>> goto alloc_cq_failed; >>> @@ -1578,8 +1592,8 @@ static struct smbd_connection >> *_smbd_get_connection( >>> memset(&qp_attr, 0, sizeof(qp_attr)); >>> qp_attr.event_handler = smbd_qp_async_error_upcall; >>> qp_attr.qp_context = info; >>> - qp_attr.cap.max_send_wr = info->send_credit_target; >>> - qp_attr.cap.max_recv_wr = info->receive_credit_max; >>> + qp_attr.cap.max_send_wr = sp->send_credit_target; >>> + qp_attr.cap.max_recv_wr = sp->recv_credit_max; >>> qp_attr.cap.max_send_sge = SMBDIRECT_MAX_SEND_SGE; >>> qp_attr.cap.max_recv_sge = SMBDIRECT_MAX_RECV_SGE; >>> qp_attr.cap.max_inline_data = 0; >>> @@ -1654,7 +1668,7 @@ static struct smbd_connection >> *_smbd_get_connection( >>> init_waitqueue_head(&info->wait_send_queue); >>> INIT_DELAYED_WORK(&info->idle_timer_work, idle_connection_timer); >>> queue_delayed_work(info->workqueue, &info->idle_timer_work, >>> - info->keep_alive_interval*HZ); >>> + msecs_to_jiffies(sp->keepalive_interval_msec)); >>> >>> init_waitqueue_head(&info->wait_send_pending); >>> atomic_set(&info->send_pending, 0); >>> @@ -1971,6 +1985,7 @@ int smbd_send(struct TCP_Server_Info *server, >>> { >>> struct smbd_connection *info = server->smbd_conn; >>> struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> struct smb_rqst *rqst; >>> struct iov_iter iter; >>> unsigned int remaining_data_length, klen; >>> @@ -1988,10 +2003,10 @@ int smbd_send(struct TCP_Server_Info *server, >>> for (i = 0; i < num_rqst; i++) >>> remaining_data_length += smb_rqst_len(server, >> &rqst_array[i]); >>> >>> - if (unlikely(remaining_data_length > >> info->max_fragmented_send_size)) { >>> + if (unlikely(remaining_data_length > >> sp->max_fragmented_send_size)) { >>> /* assertion: payload never exceeds negotiated maximum */ >>> log_write(ERR, "payload size %d > max size %d\n", >>> - remaining_data_length, >> info->max_fragmented_send_size); >>> + remaining_data_length, >> sp->max_fragmented_send_size); >>> return -EINVAL; >>> } >>> >>> diff --git a/fs/smb/client/smbdirect.h b/fs/smb/client/smbdirect.h >>> index 4b559a4147af1..3d552ab27e0f3 100644 >>> --- a/fs/smb/client/smbdirect.h >>> +++ b/fs/smb/client/smbdirect.h >>> @@ -69,15 +69,7 @@ struct smbd_connection { >>> spinlock_t lock_new_credits_offered; >>> int new_credits_offered; >>> >>> - /* Connection parameters defined in [MS-SMBD] 3.1.1.1 */ >>> - int receive_credit_max; >>> - int send_credit_target; >>> - int max_send_size; >>> - int max_fragmented_recv_size; >>> - int max_fragmented_send_size; >>> - int max_receive_size; >>> - int keep_alive_interval; >>> - int max_readwrite_size; >>> + /* dynamic connection parameters defined in [MS-SMBD] 3.1.1.1 */ >>> enum keep_alive_status keep_alive_requested; >>> int protocol; >>> atomic_t send_credits; >> >> >

1 month, 3 weeks

2
6
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror