- Linux-stable-mirror - lists.linaro.org

Re: [PATCH v2] nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()

by Ira Weiny

Guangshuo Li wrote: > Hi Alison, Dave, and all, > > Thanks for the feedback. I’ve adopted your suggestions. Below is what I > plan to take in v3. I would just post v3. The review tags given on that version will be picked up when the patch is merged if it is ok. Thanks, Ira [snip]

1 month, 2 weeks

1
0
0 0

[PATCH 01/15] serial: sc16is7xx: remove useless enable of enhanced features

by Hugo Villeneuve

From: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> Commit 43c51bb573aa ("sc16is7xx: make sure device is in suspend once probed") permanently enabled access to the enhanced features in sc16is7xx_probe(), and it is never disabled after that. Therefore, remove useless re-enable of enhanced features in sc16is7xx_set_baud(). Fixes: 43c51bb573aa ("sc16is7xx: make sure device is in suspend once probed") Cc: stable(a)vger.kernel.org Signed-off-by: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> --- drivers/tty/serial/sc16is7xx.c | 7 ------- 1 file changed, 7 deletions(-) diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c index 1a2c4c14f6aac..c7435595dce13 100644 --- a/drivers/tty/serial/sc16is7xx.c +++ b/drivers/tty/serial/sc16is7xx.c @@ -588,13 +588,6 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud) div /= prescaler; } - /* Enable enhanced features */ - sc16is7xx_efr_lock(port); - sc16is7xx_port_update(port, SC16IS7XX_EFR_REG, - SC16IS7XX_EFR_ENABLE_BIT, - SC16IS7XX_EFR_ENABLE_BIT); - sc16is7xx_efr_unlock(port); - /* If bit MCR_CLKSEL is set, the divide by 4 prescaler is activated. */ sc16is7xx_port_update(port, SC16IS7XX_MCR_REG, SC16IS7XX_MCR_CLKSEL_BIT, -- 2.39.5

1 month, 2 weeks

1
0
0 0

Re: [PATCH v2] nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()

by Dave Jiang

On 9/24/25 12:42 AM, Guangshuo Li wrote: > Hi Alison, Dave, and all, > > Thanks for the feedback. I’ve adopted your suggestions. Below is what I plan to take in v3. > > - p->dcr_dma = devm_kcalloc(&p->pdev.dev <http://pdev.dev>, NUM_DCR, > - sizeof(dma_addr_t), GFP_KERNEL); > - p->label_dma = devm_kcalloc(&p->pdev.dev <http://pdev.dev>, NUM_DCR, > - sizeof(dma_addr_t), GFP_KERNEL); > - p->dimm_dma = devm_kcalloc(&p->pdev.dev <http://pdev.dev>, NUM_DCR, > - sizeof(dma_addr_t), GFP_KERNEL); > > + p->dcr_dma = devm_kcalloc(&p->pdev.dev <http://pdev.dev>, NUM_DCR, > + sizeof(dma_addr_t), GFP_KERNEL); > + if (!p->dcr_dma) { > + rc = -ENOMEM; > + goto err; > + } > + > + p->label_dma = devm_kcalloc(&p->pdev.dev <http://pdev.dev>, NUM_DCR, > + sizeof(dma_addr_t), GFP_KERNEL); > + if (!p->label_dma) { > + rc = -ENOMEM; > + goto err; > + } > + > + p->dimm_dma = devm_kcalloc(&p->pdev.dev <http://pdev.dev>, NUM_DCR, > + sizeof(dma_addr_t), GFP_KERNEL); > + if (!p->dimm_dma) { > + rc = -ENOMEM; > + goto err; > + } You'll need to create new goto labels because you'll have to free previously allocated memory in the error path. Diff below is uncompiled and untested. diff --git a/tools/testing/nvdimm/test/ndtest.c b/tools/testing/nvdimm/test/ndtest.c index 68a064ce598c..49d326819ea9 100644 --- a/tools/testing/nvdimm/test/ndtest.c +++ b/tools/testing/nvdimm/test/ndtest.c @@ -841,6 +841,7 @@ static void ndtest_remove(struct platform_device *pdev) static int ndtest_probe(struct platform_device *pdev) { + struct device *dev = &pdev->dev; struct ndtest_priv *p; int rc; @@ -848,12 +849,23 @@ static int ndtest_probe(struct platform_device *pdev) if (ndtest_bus_register(p)) return -ENOMEM; - p->dcr_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR, - sizeof(dma_addr_t), GFP_KERNEL); - p->label_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR, - sizeof(dma_addr_t), GFP_KERNEL); - p->dimm_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR, - sizeof(dma_addr_t), GFP_KERNEL); + p->dcr_dma = devm_kcalloc(dev, NUM_DCR, sizeof(dma_addr_t), GFP_KERNEL); + if (!p->dcr_dma) + return -ENOMEM; + + p->label_dma = devm_kcalloc(dev, NUM_DCR, sizeof(dma_addr_t), + GFP_KERNEL); + if (!p->label_dma) { + rc = -ENOMEM; + goto err_label_dma; + } + + p->dimm_dma = devm_kcalloc(dev, NUM_DCR, sizeof(dma_addr_t), + GFP_KERNEL); + if (!p->dimm_dma) { + rc = -ENOMEM; + goto err_dimm_dma; + } rc = ndtest_nvdimm_init(p); if (rc) @@ -863,7 +875,7 @@ static int ndtest_probe(struct platform_device *pdev) if (rc) goto err; - rc = devm_add_action_or_reset(&pdev->dev, put_dimms, p); + rc = devm_add_action_or_reset(dev, put_dimms, p); if (rc) goto err; @@ -872,6 +884,11 @@ static int ndtest_probe(struct platform_device *pdev) return 0; err: + devm_kfree(dev, p->dimm_dma); +err_dimm_dma: + devm_kfree(dev, p->label_dma); +err_label_dma: + devm_kfree(dev, p->dcr_dma); pr_err("%s:%d Failed nvdimm init\n", __func__, __LINE__); return rc; } > > If this looks good, I’ll send v3 accordingly. Also, if you’re comfortable with the changes, may I add your Reviewed-by tags? Please don't add review tags until they are given. > > Best regards, > Guangshuo

1 month, 2 weeks

1
0
0 0

[PATCH v4 1/7] efi: Add missing static initializer for efi_mm::cpus_allowed_lock

by Ard Biesheuvel

From: Ard Biesheuvel <ardb(a)kernel.org> Initialize the cpus_allowed_lock struct member of efi_mm. Cc: <stable(a)vger.kernel.org> Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> --- drivers/firmware/efi/efi.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 1ce428e2ac8a..fc407d891348 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -74,6 +74,9 @@ struct mm_struct efi_mm = { .page_table_lock = __SPIN_LOCK_UNLOCKED(efi_mm.page_table_lock), .mmlist = LIST_HEAD_INIT(efi_mm.mmlist), .cpu_bitmap = { [BITS_TO_LONGS(NR_CPUS)] = 0}, +#ifdef CONFIG_SCHED_MM_CID + .cpus_allowed_lock = __RAW_SPIN_LOCK_UNLOCKED(efi_mm.cpus_allowed_lock), +#endif }; struct workqueue_struct *efi_rts_wq; -- 2.51.0.534.gc79095c0ca-goog

1 month, 2 weeks

1
0
0 0

[PATCH] asm-generic/io.h: Skip trace helpers if rwmmio events are disabled

by Varad Gautam

With `CONFIG_TRACE_MMIO_ACCESS=y`, the `{read,write}{b,w,l,q}{_relaxed}()` mmio accessors unconditionally call `log_{post_}{read,write}_mmio()` helpers, which in turn call the ftrace ops for `rwmmio` trace events This adds a performance penalty per mmio accessor call, even when `rwmmio` events are disabled at runtime (~80% overhead on local measurement). Guard these with `tracepoint_enabled()`. Signed-off-by: Varad Gautam <varadgautam(a)google.com> Fixes: 210031971cdd ("asm-generic/io: Add logging support for MMIO accessors") Cc: <stable(a)vger.kernel.org> --- include/asm-generic/io.h | 98 +++++++++++++++++++++++++++------------- 1 file changed, 66 insertions(+), 32 deletions(-) diff --git a/include/asm-generic/io.h b/include/asm-generic/io.h index 3c61c29ff6ab..a9b5da547523 100644 --- a/include/asm-generic/io.h +++ b/include/asm-generic/io.h @@ -75,6 +75,7 @@ #if IS_ENABLED(CONFIG_TRACE_MMIO_ACCESS) && !(defined(__DISABLE_TRACE_MMIO__)) #include <linux/tracepoint-defs.h> +#define rwmmio_tracepoint_enabled(tracepoint) tracepoint_enabled(tracepoint) DECLARE_TRACEPOINT(rwmmio_write); DECLARE_TRACEPOINT(rwmmio_post_write); DECLARE_TRACEPOINT(rwmmio_read); @@ -91,6 +92,7 @@ void log_post_read_mmio(u64 val, u8 width, const volatile void __iomem *addr, #else +#define rwmmio_tracepoint_enabled(tracepoint) false static inline void log_write_mmio(u64 val, u8 width, volatile void __iomem *addr, unsigned long caller_addr, unsigned long caller_addr0) {} static inline void log_post_write_mmio(u64 val, u8 width, volatile void __iomem *addr, @@ -189,11 +191,13 @@ static inline u8 readb(const volatile void __iomem *addr) { u8 val; - log_read_mmio(8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(8, addr, _THIS_IP_, _RET_IP_); __io_br(); val = __raw_readb(addr); __io_ar(val); - log_post_read_mmio(val, 8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 8, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -204,11 +208,13 @@ static inline u16 readw(const volatile void __iomem *addr) { u16 val; - log_read_mmio(16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(16, addr, _THIS_IP_, _RET_IP_); __io_br(); val = __le16_to_cpu((__le16 __force)__raw_readw(addr)); __io_ar(val); - log_post_read_mmio(val, 16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 16, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -219,11 +225,13 @@ static inline u32 readl(const volatile void __iomem *addr) { u32 val; - log_read_mmio(32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(32, addr, _THIS_IP_, _RET_IP_); __io_br(); val = __le32_to_cpu((__le32 __force)__raw_readl(addr)); __io_ar(val); - log_post_read_mmio(val, 32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 32, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -235,11 +243,13 @@ static inline u64 readq(const volatile void __iomem *addr) { u64 val; - log_read_mmio(64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(64, addr, _THIS_IP_, _RET_IP_); __io_br(); val = __le64_to_cpu((__le64 __force)__raw_readq(addr)); __io_ar(val); - log_post_read_mmio(val, 64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 64, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -249,11 +259,13 @@ static inline u64 readq(const volatile void __iomem *addr) #define writeb writeb static inline void writeb(u8 value, volatile void __iomem *addr) { - log_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); __io_bw(); __raw_writeb(value, addr); __io_aw(); - log_post_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); } #endif @@ -261,11 +273,13 @@ static inline void writeb(u8 value, volatile void __iomem *addr) #define writew writew static inline void writew(u16 value, volatile void __iomem *addr) { - log_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); __io_bw(); __raw_writew((u16 __force)cpu_to_le16(value), addr); __io_aw(); - log_post_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); } #endif @@ -273,11 +287,13 @@ static inline void writew(u16 value, volatile void __iomem *addr) #define writel writel static inline void writel(u32 value, volatile void __iomem *addr) { - log_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); __io_bw(); __raw_writel((u32 __force)__cpu_to_le32(value), addr); __io_aw(); - log_post_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); } #endif @@ -286,11 +302,13 @@ static inline void writel(u32 value, volatile void __iomem *addr) #define writeq writeq static inline void writeq(u64 value, volatile void __iomem *addr) { - log_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); __io_bw(); __raw_writeq((u64 __force)__cpu_to_le64(value), addr); __io_aw(); - log_post_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); } #endif #endif /* CONFIG_64BIT */ @@ -306,9 +324,11 @@ static inline u8 readb_relaxed(const volatile void __iomem *addr) { u8 val; - log_read_mmio(8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(8, addr, _THIS_IP_, _RET_IP_); val = __raw_readb(addr); - log_post_read_mmio(val, 8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 8, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -319,9 +339,11 @@ static inline u16 readw_relaxed(const volatile void __iomem *addr) { u16 val; - log_read_mmio(16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(16, addr, _THIS_IP_, _RET_IP_); val = __le16_to_cpu((__le16 __force)__raw_readw(addr)); - log_post_read_mmio(val, 16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 16, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -332,9 +354,11 @@ static inline u32 readl_relaxed(const volatile void __iomem *addr) { u32 val; - log_read_mmio(32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(32, addr, _THIS_IP_, _RET_IP_); val = __le32_to_cpu((__le32 __force)__raw_readl(addr)); - log_post_read_mmio(val, 32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 32, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -345,9 +369,11 @@ static inline u64 readq_relaxed(const volatile void __iomem *addr) { u64 val; - log_read_mmio(64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(64, addr, _THIS_IP_, _RET_IP_); val = __le64_to_cpu((__le64 __force)__raw_readq(addr)); - log_post_read_mmio(val, 64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 64, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -356,9 +382,11 @@ static inline u64 readq_relaxed(const volatile void __iomem *addr) #define writeb_relaxed writeb_relaxed static inline void writeb_relaxed(u8 value, volatile void __iomem *addr) { - log_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); __raw_writeb(value, addr); - log_post_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); } #endif @@ -366,9 +394,11 @@ static inline void writeb_relaxed(u8 value, volatile void __iomem *addr) #define writew_relaxed writew_relaxed static inline void writew_relaxed(u16 value, volatile void __iomem *addr) { - log_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); __raw_writew((u16 __force)cpu_to_le16(value), addr); - log_post_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); } #endif @@ -376,9 +406,11 @@ static inline void writew_relaxed(u16 value, volatile void __iomem *addr) #define writel_relaxed writel_relaxed static inline void writel_relaxed(u32 value, volatile void __iomem *addr) { - log_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); __raw_writel((u32 __force)__cpu_to_le32(value), addr); - log_post_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); } #endif @@ -386,9 +418,11 @@ static inline void writel_relaxed(u32 value, volatile void __iomem *addr) #define writeq_relaxed writeq_relaxed static inline void writeq_relaxed(u64 value, volatile void __iomem *addr) { - log_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); __raw_writeq((u64 __force)__cpu_to_le64(value), addr); - log_post_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); } #endif -- 2.49.0.472.ge94155a9ec-goog

1 month, 2 weeks

2
7
0 0

[PATCH 6.16 000/149] 6.16.9-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.16.9 release. There are 149 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 24 Sep 2025 19:23:52 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.16.9-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.16.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.16.9-rc1 SeongJae Park <sj(a)kernel.org> samples/damon/prcl: avoid starting DAMON before initialization Chen-Yu Tsai <wens(a)csie.org> clk: sunxi-ng: mp: Fix dual-divider clock rate readback SeongJae Park <sj(a)kernel.org> samples/damon/mtier: avoid starting DAMON before initialization Honggyu Kim <honggyu.kim(a)sk.com> samples/damon: change enable parameters to enabled SeongJae Park <sj(a)kernel.org> samples/damon/prcl: fix boot time enable crash Alex Elder <elder(a)riscstar.com> dt-bindings: serial: 8250: move a constraint Yixun Lan <dlan(a)gentoo.org> dt-bindings: serial: 8250: spacemit: set clocks property as required Frank Li <Frank.Li(a)nxp.com> dt-bindings: serial: 8250: allow clock 'uartclk' and 'reg' for nxp,lpc1850-uart Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: nl: announce deny-join-id0 flag Antheas Kapenekakis <lkml(a)antheas.dev> platform/x86: asus-wmi: Re-add extra keys to ignore_key_wlan quirk Antheas Kapenekakis <lkml(a)antheas.dev> platform/x86: asus-wmi: Fix ROG button mapping, tablet mode on ASUS ROG Z13 Yang Xiuwei <yangxiuwei(a)kylinos.cn> io_uring: fix incorrect io_kiocb reference in io_link_skb Stefan Metzmacher <metze(a)samba.org> smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path Paulo Alcantara <pc(a)manguebit.org> smb: client: fix file open check in __cifs_unlink() Jens Axboe <axboe(a)kernel.dk> io_uring/msg_ring: kill alloc_cache for io_kiocb allocations Herbert Xu <herbert(a)gondor.apana.org.au> crypto: af_alg - Set merge to zero early in af_alg_sendmsg Stefan Metzmacher <metze(a)samba.org> smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work) Stefan Metzmacher <metze(a)samba.org> smb: client: use disable[_delayed]_work_sync in smbdirect.c Paulo Alcantara <pc(a)manguebit.org> smb: client: fix filename matching of deferred files Stefan Metzmacher <metze(a)samba.org> smb: client: let recv_done verify data_offset, data_length and remaining_data_length Stefan Metzmacher <metze(a)samba.org> smb: client: make use of struct smbdirect_recv_io Stefan Metzmacher <metze(a)samba.org> smb: smbdirect: introduce struct smbdirect_recv_io Stefan Metzmacher <metze(a)samba.org> smb: client: make use of smbdirect_socket->recv_io.expected Stefan Metzmacher <metze(a)samba.org> smb: smbdirect: introduce smbdirect_socket.recv_io.expected Daniele Ceraolo Spurio <daniele.ceraolospurio(a)intel.com> drm/xe/guc: Set RCS/CCS yield policy Daniele Ceraolo Spurio <daniele.ceraolospurio(a)intel.com> drm/xe/guc: Enable extended CAT error reporting Daniele Ceraolo Spurio <daniele.ceraolospurio(a)intel.com> drm/xe: Fix error handling if PXP fails to start Takashi Iwai <tiwai(a)suse.de> ALSA: usb: qcom: Fix false-positive address space check Dan Carpenter <dan.carpenter(a)linaro.org> drm/xe: Fix a NULL vs IS_ERR() in xe_vm_add_compute_exec_queue() Qi Xi <xiqi2(a)huawei.com> drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path Loic Poulain <loic.poulain(a)oss.qualcomm.com> drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/pf: Drop rounddown_pow_of_two fair LMEM limitation Shuicheng Lin <shuicheng.lin(a)intel.com> drm/xe/tile: Release kobject for the failure path Venkata Prasad Potturu <venkataprasad.potturu(a)amd.com> ASoC: amd: acp: Fix incorrect retrival of acp_chip_info Vasant Hegde <vasant.hegde(a)amd.com> iommu/amd: Fix alias device DTE setting Amadeusz Sławiński <amadeuszx.slawinski(a)linux.intel.com> ASoC: Intel: catpt: Expose correct bit depth to userspace Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: SDCA: Fix return value in sdca_regmap_mbq_size() Colin Ian King <colin.i.king(a)gmail.com> ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message Dan Carpenter <dan.carpenter(a)linaro.org> ASoC: codec: sma1307: Fix memory corruption in sma1307_setting_loaded() Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8974: Correct PLL rate rounding Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8940: Correct typo in control name Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8940: Correct PLL rate rounding Praful Adiga <praful.adiga(a)gmail.com> ALSA: hda/realtek: Fix mute led for HP Laptop 15-dw4xx Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: avoid spurious errors on TCP disconnect Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: connect: catch IO errors on listen side Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: propagate shutdown to subflows when possible Håkon Bugge <haakon.bugge(a)oracle.com> rds: ib: Increment i_fastreg_wrs before bailing out Borislav Petkov (AMD) <bp(a)alien8.de> crypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked() Sébastien Szymanski <sebastien.szymanski(a)armadeus.com> gpiolib: acpi: initialize acpi_gpio_info struct Hans de Goede <hansg(a)kernel.org> net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Jens Axboe <axboe(a)kernel.dk> io_uring: include dying ring in task_work "should cancel" state Max Kellermann <max.kellermann(a)ionos.com> io_uring/io-wq: fix `max_workers` breakage and `nr_workers` underflow Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Only restore cached manual clock settings in restore if OD enabled Ivan Lipski <ivan.lipski(a)amd.com> drm/amd/display: Allow RX6xxx & RX7700 to invoke amdgpu_irq_get/put Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: suspend KFD and KGD user queues for S0ix Alex Deucher <alexander.deucher(a)amd.com> drm/amdkfd: add proper handling for S0ix Maciej S. Szmigiero <maciej.szmigiero(a)oracle.com> KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active Tom Lendacky <thomas.lendacky(a)amd.com> x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT Ben Chuang <ben.chuang(a)genesyslogic.com.tw> mmc: sdhci-uhs2: Fix calling incorrect sdhci_set_clock() function Ben Chuang <ben.chuang(a)genesyslogic.com.tw> mmc: sdhci-pci-gli: GL9767: Fix initializing the UHS-II interface during a power-on Ben Chuang <ben.chuang(a)genesyslogic.com.tw> mmc: sdhci: Move the code related to setting the clock from sdhci_set_ios_common() into sdhci_set_ios() Thomas Fourier <fourier.thomas(a)gmail.com> mmc: mvsdio: Fix dma_unmap_sg() nents value Mohammad Rafi Shaik <mohammad.rafi.shaik(a)oss.qualcomm.com> ASoC: qcom: q6apm-lpass-dais: Fix missing set_fmt DAI op for I2S Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed Mohammad Rafi Shaik <mohammad.rafi.shaik(a)oss.qualcomm.com> ASoC: qcom: audioreach: Fix lpaif_type configuration for the I2S interface Maciej Strozek <mstrozek(a)opensource.cirrus.com> ASoC: SDCA: Add quirk for incorrect function types for 3 systems Qu Wenruo <wqu(a)suse.com> btrfs: tree-checker: fix the incorrect inode ref size check Niklas Schnelle <schnelle(a)linux.ibm.com> iommu/s390: Make attach succeed when the device was surprise removed Matthew Rosato <mjrosato(a)linux.ibm.com> iommu/s390: Fix memory corruption when using identity domain Vasant Hegde <vasant.hegde(a)amd.com> iommu/amd/pgtbl: Fix possible race while increase page table level Zhen Ni <zhen.ni(a)easystack.cn> iommu/amd: Fix ivrs_base memleak in early_amd_iommu_init() Eugene Koira <eugkoira(a)amazon.com> iommu/vt-d: Fix __domain_mapping()'s usage of switch_to_super_page() Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Fix VM migration failure with PTW enabled Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Avoid copy_*_user() with lock hold in kvm_pch_pic_regs_access() Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Avoid copy_*_user() with lock hold in kvm_eiointc_sw_status_access() Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Avoid copy_*_user() with lock hold in kvm_eiointc_regs_access() Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Avoid copy_*_user() with lock hold in kvm_eiointc_ctrl_access() Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Handle jump tables options for RUST Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Make LTO case independent in Makefile Tao Cui <cuitao(a)kylinos.cn> LoongArch: Check the return value when creating kobj Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Align ACPI structures if ARCH_STRICT_ALIGN enabled Guangshuo Li <202321181(a)mail.sdu.edu.cn> LoongArch: vDSO: Check kcalloc() result in init_vdso() Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Fix unreliable stack for live patching Tiezhu Yang <yangtiezhu(a)loongson.cn> objtool/LoongArch: Mark special atomic instruction as INSN_BUG type Tiezhu Yang <yangtiezhu(a)loongson.cn> objtool/LoongArch: Mark types based on break immediate code Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Update help info of ARCH_STRICT_ALIGN Hugh Dickins <hughd(a)google.com> mm: folio_may_be_lru_cached() unless folio_test_large() Hugh Dickins <hughd(a)google.com> mm: revert "mm: vmscan.c: fix OOM on swap stress test" Hugh Dickins <hughd(a)google.com> mm/gup: local lru_add_drain() to avoid lru_add_drain_all() Li Zhe <lizhe.67(a)bytedance.com> gup: optimize longterm pin_user_pages() for large folio Hugh Dickins <hughd(a)google.com> mm: revert "mm/gup: clear the LRU flag of a page before adding to LRU batch" Hugh Dickins <hughd(a)google.com> mm/gup: check ref_count instead of lru before migration Mikulas Patocka <mpatocka(a)redhat.com> dm-stripe: fix a possible integer overflow Mikulas Patocka <mpatocka(a)redhat.com> dm-raid: don't set io_min and io_opt for raid1 austinchang <austinchang(a)synology.com> btrfs: initialize inode::file_extent_tree after i_mode has been set Andrea Righi <arighi(a)nvidia.com> Revert "sched_ext: Skip per-CPU tasks in scx_bpf_reenqueue_local()" H. Nikolaus Schaller <hns(a)goldelico.com> power: supply: bq27xxx: restrict no-battery detection to bq27000 H. Nikolaus Schaller <hns(a)goldelico.com> power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery Herbert Xu <herbert(a)gondor.apana.org.au> crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Nathan Chancellor <nathan(a)kernel.org> nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* Sergey Senozhatsky <senozhatsky(a)chromium.org> zram: fix slot write race condition Stefan Metzmacher <metze(a)samba.org> ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer Duoming Zhou <duoming(a)zju.edu.cn> octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp() Duoming Zhou <duoming(a)zju.edu.cn> cnic: Fix use-after-free bugs in cnic_delete_task Alexey Nepomnyashih <sdl(a)nppct.ru> net: liquidio: fix overflow in octeon_init_instr_queue() Eric Dumazet <edumazet(a)google.com> net: clear sk->sk_ino in sk_set_socket(sk, NULL) Tariq Toukan <tariqt(a)nvidia.com> Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" Jakub Kicinski <kuba(a)kernel.org> tls: make sure to abort the stream if headers are bogus Kuniyuki Iwashima <kuniyu(a)google.com> tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). Sathesh B Edara <sedara(a)marvell.com> octeon_ep: fix VF MAC address lifecycle handling Hangbin Liu <liuhangbin(a)gmail.com> bonding: don't set oif to bond dev when getting NS target destination Lama Kayal <lkayal(a)nvidia.com> net/mlx5e: Add a miss level for ipsec crypto offload Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Harden uplink netdev access against device unbind Remy D. Farley <one-d-wide(a)protonmail.com> doc/netlink: Fix typos in operation attributes Kohei Enju <enjuk(a)amazon.com> igc: don't fail igc_probe() on LED setup error Jedrzej Jagielski <jedrzej.jagielski(a)intel.com> ixgbe: destroy aci.lock later within ixgbe_remove path Jedrzej Jagielski <jedrzej.jagielski(a)intel.com> ixgbe: initialize aci.lock before it's used Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> i40e: remove redundant memory barrier when cleaning Tx descs Jacob Keller <jacob.e.keller(a)intel.com> ice: fix Rx page leak on multi-buffer frames Yeounsu Moon <yyyynoom(a)gmail.com> net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure Geliang Tang <geliang(a)kernel.org> selftests: mptcp: sockopt: fix error messages Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: tfo: record 'deny join id0' info Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: userspace pm: validate deny-join-id0 flag Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: set remote_deny_join_id0 on SYN recv Hangbin Liu <liuhangbin(a)gmail.com> bonding: set random address only when slaves already exist Ilya Maximets <i.maximets(a)ovn.org> net: dst_metadata: fix IP_DF bit not extracted from tunnel headers Jamie Bainbridge <jamie.bainbridge(a)gmail.com> qed: Don't collect too many protection override GRC elements Kamal Heib <kheib(a)redhat.com> octeon_ep: Validate the VF ID David Howells <dhowells(a)redhat.com> rxrpc: Fix untrusted unsigned subtract David Howells <dhowells(a)redhat.com> rxrpc: Fix unhandled errors in rxgk_verify_packet_integrity() Ivan Vecera <ivecera(a)redhat.com> dpll: fix clock quality level reporting Anderson Nascimento <anderson(a)allelesecurity.com> net/tcp: Fix a NULL pointer dereference when using TCP-AO with TCP_REPAIR Ioana Ciornei <ioana.ciornei(a)nxp.com> dpaa2-switch: fix buffer pool seeding for control traffic Li Tian <litian(a)redhat.com> net/mlx5: Not returning mlx5_link_info table when speed is unknown Tiwei Bie <tiwei.btw(a)antgroup.com> um: Fix FD copy size in os_rcv_fd_msg() Miaoqian Lin <linmq006(a)gmail.com> um: virtio_uml: Fix use-after-free after put_device in probe Stefan Metzmacher <metze(a)samba.org> smb: server: let smb_direct_writev() respect SMB_DIRECT_MAX_SEND_SGES Geert Uytterhoeven <geert+renesas(a)glider.be> pcmcia: omap_cf: Mark driver struct with __refdata to prevent section mismatch Liao Yuanhong <liaoyuanhong(a)vivo.com> wifi: mac80211: fix incorrect type for ret Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: increase scan_ies_len for S1G Felix Fietkau <nbd(a)nbd.name> wifi: mt76: do not add non-sta wcid entries to the poll list Takashi Sakamoto <o-takashi(a)sakamocchi.jp> ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported Christoph Hellwig <hch(a)lst.de> nvme: fix PI insert on write Ajay.Kathat(a)microchip.com <Ajay.Kathat(a)microchip.com> wifi: wilc1000: avoid buffer overflow in WID string configuration Ian Rogers <irogers(a)google.com> perf maps: Ensure kmap is set up for all inserts Johannes Thumshirn <johannes.thumshirn(a)wdc.com> btrfs: zoned: fix incorrect ASSERT in btrfs_zoned_reserve_data_reloc_bg() Filipe Manana <fdmanana(a)suse.com> btrfs: fix invalid extref key setup when replaying dentry Chen Ridong <chenridong(a)huawei.com> cgroup: split cgroup_destroy_wq into 3 workqueues ------------- Diffstat: Documentation/devicetree/bindings/serial/8250.yaml | 77 ++++++--- Documentation/netlink/specs/conntrack.yaml | 9 +- Documentation/netlink/specs/mptcp_pm.yaml | 4 +- Makefile | 4 +- arch/loongarch/Kconfig | 12 +- arch/loongarch/Makefile | 15 +- arch/loongarch/include/asm/acenv.h | 7 +- arch/loongarch/include/asm/kvm_mmu.h | 20 ++- arch/loongarch/kernel/env.c | 2 + arch/loongarch/kernel/stacktrace.c | 3 +- arch/loongarch/kernel/vdso.c | 3 + arch/loongarch/kvm/intc/eiointc.c | 87 ++++++---- arch/loongarch/kvm/intc/pch_pic.c | 21 ++- arch/loongarch/kvm/mmu.c | 8 +- arch/s390/include/asm/pci_insn.h | 10 +- arch/um/drivers/virtio_uml.c | 6 +- arch/um/os-Linux/file.c | 2 +- arch/x86/include/asm/sev.h | 38 ++--- arch/x86/kvm/svm/svm.c | 3 +- crypto/af_alg.c | 10 +- drivers/block/zram/zram_drv.c | 8 +- drivers/clk/sunxi-ng/ccu_mp.c | 2 +- drivers/crypto/ccp/sev-dev.c | 2 +- drivers/dpll/dpll_netlink.c | 4 +- drivers/gpio/gpiolib-acpi-core.c | 4 +- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 16 +- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 12 ++ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 24 ++- drivers/gpu/drm/amd/amdkfd/kfd_device.c | 36 ++++ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 39 ++++- drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 2 +- drivers/gpu/drm/bridge/analogix/anx7625.c | 6 +- .../gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 6 +- drivers/gpu/drm/xe/abi/guc_actions_abi.h | 5 + drivers/gpu/drm/xe/abi/guc_klvs_abi.h | 40 +++++ drivers/gpu/drm/xe/xe_exec_queue.c | 22 ++- drivers/gpu/drm/xe/xe_exec_queue_types.h | 8 +- drivers/gpu/drm/xe/xe_execlist.c | 25 ++- drivers/gpu/drm/xe/xe_execlist_types.h | 2 +- drivers/gpu/drm/xe/xe_gt.c | 3 +- drivers/gpu/drm/xe/xe_gt_sriov_pf_config.c | 1 - drivers/gpu/drm/xe/xe_guc.c | 62 ++++++- drivers/gpu/drm/xe/xe_guc.h | 1 + drivers/gpu/drm/xe/xe_guc_exec_queue_types.h | 4 +- drivers/gpu/drm/xe/xe_guc_submit.c | 141 +++++++++++++--- drivers/gpu/drm/xe/xe_guc_submit.h | 2 + drivers/gpu/drm/xe/xe_tile_sysfs.c | 12 +- drivers/gpu/drm/xe/xe_uc.c | 4 + drivers/gpu/drm/xe/xe_vm.c | 4 +- drivers/iommu/amd/amd_iommu_types.h | 1 + drivers/iommu/amd/init.c | 9 +- drivers/iommu/amd/io_pgtable.c | 25 ++- drivers/iommu/intel/iommu.c | 7 +- drivers/iommu/s390-iommu.c | 29 +++- drivers/md/dm-raid.c | 6 +- drivers/md/dm-stripe.c | 10 +- drivers/mmc/host/mvsdio.c | 2 +- drivers/mmc/host/sdhci-pci-gli.c | 68 +++++++- drivers/mmc/host/sdhci-uhs2.c | 3 +- drivers/mmc/host/sdhci.c | 34 ++-- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/broadcom/cnic.c | 3 +- .../net/ethernet/cavium/liquidio/request_manager.c | 2 +- .../net/ethernet/freescale/dpaa2/dpaa2-switch.c | 2 +- drivers/net/ethernet/intel/i40e/i40e_txrx.c | 3 - drivers/net/ethernet/intel/ice/ice_txrx.c | 80 ++++----- drivers/net/ethernet/intel/ice/ice_txrx.h | 1 - drivers/net/ethernet/intel/igc/igc.h | 1 + drivers/net/ethernet/intel/igc/igc_main.c | 12 +- drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 22 +-- .../net/ethernet/marvell/octeon_ep/octep_main.c | 16 ++ .../ethernet/marvell/octeon_ep/octep_pfvf_mbox.c | 3 + .../net/ethernet/marvell/octeontx2/nic/otx2_ptp.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/en/fs.h | 1 + .../ethernet/mellanox/mlx5/core/en_accel/ipsec.h | 1 + .../mellanox/mlx5/core/en_accel/ipsec_fs.c | 3 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 - drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 27 ++- drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h | 15 +- drivers/net/ethernet/mellanox/mlx5/core/port.c | 6 +- drivers/net/ethernet/natsemi/ns83820.c | 13 +- drivers/net/ethernet/qlogic/qed/qed_debug.c | 7 +- drivers/net/wireless/mediatek/mt76/mac80211.c | 2 +- drivers/net/wireless/microchip/wilc1000/wlan_cfg.c | 39 +++-- drivers/net/wireless/microchip/wilc1000/wlan_cfg.h | 5 +- drivers/nvme/host/core.c | 18 +- drivers/pcmcia/omap_cf.c | 8 +- drivers/platform/x86/asus-nb-wmi.c | 25 ++- drivers/platform/x86/asus-wmi.h | 3 +- drivers/power/supply/bq27xxx_battery.c | 4 +- fs/btrfs/delayed-inode.c | 3 - fs/btrfs/inode.c | 11 +- fs/btrfs/tree-checker.c | 4 +- fs/btrfs/tree-log.c | 2 +- fs/btrfs/zoned.c | 2 +- fs/nilfs2/sysfs.c | 4 +- fs/nilfs2/sysfs.h | 8 +- fs/smb/client/cifsproto.h | 4 +- fs/smb/client/inode.c | 23 ++- fs/smb/client/misc.c | 36 ++-- fs/smb/client/smbdirect.c | 132 +++++++++------ fs/smb/client/smbdirect.h | 23 --- fs/smb/common/smbdirect/smbdirect_socket.h | 29 ++++ fs/smb/server/transport_rdma.c | 185 ++++++++++++++------- include/crypto/if_alg.h | 10 +- include/linux/io_uring_types.h | 3 - include/linux/mlx5/driver.h | 1 + include/linux/swap.h | 10 ++ include/net/dst_metadata.h | 11 +- include/net/sock.h | 5 +- include/sound/sdca.h | 1 + include/uapi/linux/mptcp.h | 2 + include/uapi/linux/mptcp_pm.h | 4 +- io_uring/io-wq.c | 6 +- io_uring/io_uring.c | 10 +- io_uring/io_uring.h | 4 +- io_uring/msg_ring.c | 24 +-- io_uring/notif.c | 2 +- io_uring/poll.c | 2 +- io_uring/timeout.c | 2 +- io_uring/uring_cmd.c | 2 +- kernel/cgroup/cgroup.c | 43 ++++- kernel/sched/ext.c | 6 +- mm/gup.c | 52 ++++-- mm/mlock.c | 6 +- mm/swap.c | 50 +++--- mm/vmscan.c | 2 +- net/ipv4/tcp.c | 5 + net/ipv4/tcp_ao.c | 4 +- net/mac80211/driver-ops.h | 2 +- net/mac80211/main.c | 7 +- net/mptcp/options.c | 6 +- net/mptcp/pm_netlink.c | 7 + net/mptcp/protocol.c | 16 ++ net/mptcp/subflow.c | 4 + net/rds/ib_frmr.c | 20 ++- net/rfkill/rfkill-gpio.c | 4 +- net/rxrpc/rxgk.c | 18 +- net/rxrpc/rxgk_app.c | 29 +++- net/rxrpc/rxgk_common.h | 14 +- net/tls/tls.h | 1 + net/tls/tls_strp.c | 14 +- net/tls/tls_sw.c | 3 +- samples/damon/mtier.c | 25 +-- samples/damon/prcl.c | 31 +++- samples/damon/wsse.c | 22 +-- sound/firewire/motu/motu-hwdep.c | 2 +- sound/pci/hda/patch_realtek.c | 1 + sound/soc/amd/acp/acp-i2s.c | 11 +- sound/soc/codecs/sma1307.c | 7 +- sound/soc/codecs/wm8940.c | 9 +- sound/soc/codecs/wm8974.c | 8 +- sound/soc/intel/catpt/pcm.c | 23 ++- sound/soc/qcom/qdsp6/audioreach.c | 1 + sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 7 +- sound/soc/sdca/sdca_device.c | 20 +++ sound/soc/sdca/sdca_functions.c | 13 +- sound/soc/sdca/sdca_regmap.c | 2 +- sound/soc/sof/intel/hda-stream.c | 2 +- sound/usb/qcom/qc_audio_offload.c | 92 +++++----- tools/arch/loongarch/include/asm/inst.h | 12 ++ tools/objtool/arch/loongarch/decode.c | 33 +++- tools/perf/util/maps.c | 9 +- tools/testing/selftests/net/mptcp/mptcp_connect.c | 11 +- tools/testing/selftests/net/mptcp/mptcp_sockopt.c | 16 +- tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 7 + tools/testing/selftests/net/mptcp/userspace_pm.sh | 14 +- 169 files changed, 1797 insertions(+), 824 deletions(-)

1 month, 2 weeks

17
165
0 0

[PATCH 2/3] media: mediatek: mdp: fix device leak on probe

by Johan Hovold

Make sure to drop the reference taken when looking up the VPU firmware device during probe on probe failure (e.g. probe deferral) and on driver unbind. Fixes: c8eb2d7e8202 ("[media] media: Add Mediatek MDP Driver") Cc: stable(a)vger.kernel.org # 4.10 Cc: Minghsiu Tsai <minghsiu.tsai(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/media/platform/mediatek/mdp/mtk_mdp_core.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/media/platform/mediatek/mdp/mtk_mdp_core.c b/drivers/media/platform/mediatek/mdp/mtk_mdp_core.c index 80fdc6ff57e0..5c7dcf4090f4 100644 --- a/drivers/media/platform/mediatek/mdp/mtk_mdp_core.c +++ b/drivers/media/platform/mediatek/mdp/mtk_mdp_core.c @@ -198,7 +198,7 @@ static int mtk_mdp_probe(struct platform_device *pdev) VPU_RST_MDP); if (ret) { dev_err(&pdev->dev, "Failed to register reset handler\n"); - goto err_m2m_register; + goto err_put_vpu; } platform_set_drvdata(pdev, mdp); @@ -206,7 +206,7 @@ static int mtk_mdp_probe(struct platform_device *pdev) ret = vb2_dma_contig_set_max_seg_size(&pdev->dev, DMA_BIT_MASK(32)); if (ret) { dev_err(&pdev->dev, "Failed to set vb2 dma mag seg size\n"); - goto err_m2m_register; + goto err_put_vpu; } pm_runtime_enable(dev); @@ -214,6 +214,8 @@ static int mtk_mdp_probe(struct platform_device *pdev) return 0; +err_put_vpu: + put_device(&mdp->vpu_dev->dev); err_m2m_register: v4l2_device_unregister(&mdp->v4l2_dev); @@ -241,6 +243,7 @@ static void mtk_mdp_remove(struct platform_device *pdev) struct mtk_mdp_comp *comp, *comp_temp; pm_runtime_disable(&pdev->dev); + put_device(&mdp->vpu_dev->dev); vb2_dma_contig_clear_max_seg_size(&pdev->dev); mtk_mdp_unregister_m2m_device(mdp); v4l2_device_unregister(&mdp->v4l2_dev); -- 2.49.1

1 month, 2 weeks

1
0
0 0

[PATCH 1/3] media: mediatek: vcodec: fix device leak on codec init

by Johan Hovold

Make sure to drop the reference taken when looking up the VPU firmware device during codec init on probe failure (e.g. probe deferral) and on driver unbind. Fixes: 590577a4e525 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Decoder Driver") Fixes: 4e855a6efa54 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Encoder Driver") Cc: stable(a)vger.kernel.org # 4.8 Cc: Tiffany Lin <tiffany.lin(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- .../mediatek/vcodec/common/mtk_vcodec_fw_vpu.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c b/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c index d7027d600208..9237738d7632 100644 --- a/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c +++ b/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c @@ -83,12 +83,20 @@ static const struct mtk_vcodec_fw_ops mtk_vcodec_vpu_msg = { .release = mtk_vcodec_vpu_release, }; +static void mtk_vcodec_vpu_put_device(void *_dev) +{ + struct device *dev = _dev; + + put_device(dev); +} + struct mtk_vcodec_fw *mtk_vcodec_fw_vpu_init(void *priv, enum mtk_vcodec_fw_use fw_use) { struct platform_device *fw_pdev; struct platform_device *plat_dev; struct mtk_vcodec_fw *fw; enum rst_id rst_id; + int ret; if (fw_use == ENCODER) { struct mtk_vcodec_enc_dev *enc_dev = priv; @@ -111,6 +119,11 @@ struct mtk_vcodec_fw *mtk_vcodec_fw_vpu_init(void *priv, enum mtk_vcodec_fw_use return ERR_PTR(-EINVAL); } + ret = devm_add_action_or_reset(&plat_dev->dev, mtk_vcodec_vpu_put_device, + &fw_pdev->dev); + if (ret) + return ERR_PTR(ret); + if (fw_use == DECODER) vpu_wdt_reg_handler(fw_pdev, mtk_vcodec_vpu_reset_dec_handler, priv, rst_id); else -- 2.49.1

1 month, 2 weeks

1
0
0 0

[PATCH 6.12.y 1/3] drm/sched: Optimise drm_sched_entity_push_job

by Jules Maselbas

From: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> commit d42a254633c773921884a19e8a1a0f53a31150c3 upstream. In FIFO mode (which is the default), both drm_sched_entity_push_job() and drm_sched_rq_update_fifo(), where the latter calls the former, are currently taking and releasing the same entity->rq_lock. We can avoid that design inelegance, and also have a miniscule efficiency improvement on the submit from idle path, by introducing a new drm_sched_rq_update_fifo_locked() helper and pulling up the lock taking to its callers. v2: * Remove drm_sched_rq_update_fifo() altogether. (Christian) v3: * Improved commit message. (Philipp) Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Cc: Christian König <christian.koenig(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: Luben Tuikov <ltuikov89(a)gmail.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: Philipp Stanner <pstanner(a)redhat.com> Reviewed-by: Christian König <christian.koenig(a)amd.com> Signed-off-by: Philipp Stanner <pstanner(a)redhat.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241016122013.7857-2-tursuli… (cherry picked from commit d42a254633c773921884a19e8a1a0f53a31150c3) Signed-off-by: Jules Maselbas <jmaselbas(a)zdiv.net> --- drivers/gpu/drm/scheduler/sched_entity.c | 13 +++++++++---- drivers/gpu/drm/scheduler/sched_main.c | 6 +++--- include/drm/gpu_scheduler.h | 2 +- 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/drivers/gpu/drm/scheduler/sched_entity.c b/drivers/gpu/drm/scheduler/sched_entity.c index 3e75fc1f6607..9dbae7b08bc9 100644 --- a/drivers/gpu/drm/scheduler/sched_entity.c +++ b/drivers/gpu/drm/scheduler/sched_entity.c @@ -505,8 +505,12 @@ struct drm_sched_job *drm_sched_entity_pop_job(struct drm_sched_entity *entity) struct drm_sched_job *next; next = to_drm_sched_job(spsc_queue_peek(&entity->job_queue)); - if (next) - drm_sched_rq_update_fifo(entity, next->submit_ts); + if (next) { + spin_lock(&entity->rq_lock); + drm_sched_rq_update_fifo_locked(entity, + next->submit_ts); + spin_unlock(&entity->rq_lock); + } } /* Jobs and entities might have different lifecycles. Since we're @@ -606,10 +610,11 @@ void drm_sched_entity_push_job(struct drm_sched_job *sched_job) sched = rq->sched; drm_sched_rq_add_entity(rq, entity); - spin_unlock(&entity->rq_lock); if (drm_sched_policy == DRM_SCHED_POLICY_FIFO) - drm_sched_rq_update_fifo(entity, submit_ts); + drm_sched_rq_update_fifo_locked(entity, submit_ts); + + spin_unlock(&entity->rq_lock); drm_sched_wakeup(sched); } diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c index 416590ea0dc3..3609d5a8fecd 100644 --- a/drivers/gpu/drm/scheduler/sched_main.c +++ b/drivers/gpu/drm/scheduler/sched_main.c @@ -169,14 +169,15 @@ static inline void drm_sched_rq_remove_fifo_locked(struct drm_sched_entity *enti } } -void drm_sched_rq_update_fifo(struct drm_sched_entity *entity, ktime_t ts) +void drm_sched_rq_update_fifo_locked(struct drm_sched_entity *entity, ktime_t ts) { /* * Both locks need to be grabbed, one to protect from entity->rq change * for entity from within concurrent drm_sched_entity_select_rq and the * other to update the rb tree structure. */ - spin_lock(&entity->rq_lock); + lockdep_assert_held(&entity->rq_lock); + spin_lock(&entity->rq->lock); drm_sched_rq_remove_fifo_locked(entity); @@ -187,7 +188,6 @@ void drm_sched_rq_update_fifo(struct drm_sched_entity *entity, ktime_t ts) drm_sched_entity_compare_before); spin_unlock(&entity->rq->lock); - spin_unlock(&entity->rq_lock); } /** diff --git a/include/drm/gpu_scheduler.h b/include/drm/gpu_scheduler.h index 9c437a057e5d..346a3c261b43 100644 --- a/include/drm/gpu_scheduler.h +++ b/include/drm/gpu_scheduler.h @@ -593,7 +593,7 @@ void drm_sched_rq_add_entity(struct drm_sched_rq *rq, void drm_sched_rq_remove_entity(struct drm_sched_rq *rq, struct drm_sched_entity *entity); -void drm_sched_rq_update_fifo(struct drm_sched_entity *entity, ktime_t ts); +void drm_sched_rq_update_fifo_locked(struct drm_sched_entity *entity, ktime_t ts); int drm_sched_entity_init(struct drm_sched_entity *entity, enum drm_sched_priority priority, -- 2.51.0

1 month, 2 weeks

4
11
0 0

[PATCH v2] comedi: fix divide-by-zero in comedi_buf_munge()

by Deepanshu Kartikey

The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path. Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging. This prevents potential kernel panics from malformed user commands. Reported-by: syzbot+f6c3c066162d2c43a66c(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=f6c3c066162d2c43a66c Cc: stable(a)vger.kernel.org Signed-off-by: Deepanshu Kartikey <kartikey406(a)gmail.com> --- v2: Merged the chanlist_len check with existing early return check as suggested by Ian Abbott --- drivers/comedi/comedi_buf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/comedi/comedi_buf.c b/drivers/comedi/comedi_buf.c index 002c0e76baff..c7c262a2d8ca 100644 --- a/drivers/comedi/comedi_buf.c +++ b/drivers/comedi/comedi_buf.c @@ -317,7 +317,7 @@ static unsigned int comedi_buf_munge(struct comedi_subdevice *s, unsigned int count = 0; const unsigned int num_sample_bytes = comedi_bytes_per_sample(s); - if (!s->munge || (async->cmd.flags & CMDF_RAWDATA)) { + if (!s->munge || (async->cmd.flags & CMDF_RAWDATA) || async->cmd.chanlist_len == 0) { async->munge_count += num_bytes; return num_bytes; } -- 2.43.0

1 month, 2 weeks

2
1
0 0

دعوة لنشر الأبحاث والمقالات العلمية

by journal

###**🌟 فرصتك للنشر في مجلات علمية محكمة دوليًا – دعوة مفتوحة للباحثين والأكاديميين** **انضم إلى النخبة العلمية… وانشر أبحاثك معنا.** **انطلاقًا من إيماننا بأن البحث العلمي هو الركيزة الأساسية لنهضة المجتمعات وتقدمها،** يسر*فكر للدراسات والتطوير* أن تتشرف بدعوتكم للنشر في مجلاتها العلمية المحكمة، التي تمثل منبرًا أكاديميًا رصينًا لاحتضان الأفكار الأصيلة، والمشاريع البحثية الجادة، والرؤى التي تسهم في إنتاج معرفة تطبيقية تخدم قضايا الإنسان والمجتمع. إن دعوتنا هذه تأتي ضمن رؤيتنا في تمكين الباحثين والكتّاب في العالم العربي والإسلامي من إيصال أبحاثهم إلى أوسع نطاق، والمساهمة الفاعلة في الحراك العلمي محليًا ودوليًا، عبر منصات نشر معتمدة وموثوقة. ➡️ **قدّم مخطوطتك الآن:** [https://7m8ue.r.ag.d.sendibm3.com/mk/cl/f/sh/WCPzyXJTZ7nvI8YYc4qB1knr1PmTmi… ####عامل تأثير عربي=2.7 مجلة ريحان للنشر العلمي ----------------------- (Rihan Journal for Scientific Publishing) ###$50 *مجلة علمية دولية، محكّمة، شهرية، مفتوحة الوصول، تصدر عن مركز فكر للدراسات والتطوير.* رقم التسلسل المعياري الدولي: **ISSN-E: 2709-2097** تستقبل المجلة الأبحاث والمقالات العلمية بثلاث لغات: **العربية، الإنجليزية، والتركية**، في مختلف التخصصات، وتخضع جميع المواد المقدمة لعملية تحكيم علمي صارمة، تضمن جودة المحتوى وموثوقيته الأكاديمية. ####عامل تأثير عربي=1.7 مجلة ايبرس للنشر الطبي ---------------------- ###$50 *مجلة علمية دولية، محكّمة، فصلية، مفتوحة الوصول، تصدر عن مركز فكر للدراسات والتطوير.* رقم التسلسل المعياري الدولي: **ISSN-E: 2959-5371** تأسست مجلة إيبرس للنشر الطبي عام 2022، لتكون منصة علمية رصينة في مجال العلوم الطبية والصحية، ووجهة موثوقة للباحثين والطلبة وأعضاء الهيئات التدريسية والأكاديميين لنشر أبحاثهم الأصيلة، ومراجعاتهم العلمية، ومشاركتهم في تطوير المعرفة الطبية الحديثة. تستقبل المجلة الدراسات والأبحاث باللغة **العربية، الإنجليزية، والتركية**، وتخضع جميع المواد لعملية تحكيم علمي دقيقة، وفق أعلى المعايير الأكاديمية الدولية. مجلة طُوى للعلوم الاجتماعية --------------------------- ###$50 *مجلة علمية دولية، محكّمة، فصلية، مفتوحة الوصول، تصدر عن مركز فكر للدراسات والتطوير.* رقم التسلسل المعياري الدولي: **ISSN: 3104-7211** **مجلة طُوى** هي منصة أكاديمية تُعنى بنشر البحوث والدراسات الأصيلة في **مجالات العلوم الاجتماعية المتداخلة**، بما يسهم في إنتاج معرفة تحليلية معمقة حول قضايا الإنسان والمجتمع. تلتزم المجلة بمعايير **التحكيم العلمي الرصين**، وتُرحّب بالأعمال المقدّمة باللغات: **العربية، الإنجليزية، والتركية**. جاء اختيار اسم "طُوى" استلهامًا من **الوادي المقدّس طُوى**، تعبيرًا عن قدسية المعرفة، وإيمانًا بأن الفكر العلمي رسالة إنسانية لا تقل أثرًا وعمقًا عن أي رسالة تغيير أو بناء مجتمعي. مجلة زنوبيا لدراسات المرأة والطفل والاسرة ----------------------------------------- ###$50 *مجلة علمية دولية، محكّمة، فصلية، مفتوحة الوصول، تصدر عن مركز فكر للدراسات والتطوير* بالتعاون مع **المنتدى الثقافي النسائي السوري** رقم التسلسل المعياري الدولي: **ISSN: 3104-7874** تُعنى **مجلة زنوبيا** بنشر البحوث والدراسات الأكاديمية التي تتناول قضايا **المرأة، والطفل، والأسرة** من زوايا علمية، اجتماعية، وثقافية متعددة، مع التركيز على التحديات والتحولات المعاصرة التي تمس هذه الفئات داخل السياقات العربية والعالمية. وتوفّر المجلة منبرًا أكاديميًا موثوقًا يعزز التفكير النقدي والتحليل العلمي البنّاء، ويسعى لإبراز التجارب والرؤى التي تدعم التمكين المجتمعي. مجلة زكا للعلوم المالية والاقتصادية والإدارية --------------------------------------------- ###$50 *مجلة علمية دولية، محكّمة، فصلية، مفتوحة الوصول، تصدر عن مركز فكر للدراسات والتطوير.* رقم التسلسل المعياري الدولي **ISSN: 3104-7289** تُعنى **مجلة زكا** بنشر أبحاث علمية أصيلة وعالية الجودة في مجالات: **إدارة الأعمال، الاقتصاد، المحاسبة، العلوم المالية، التسويق، الاقتصاد الإسلامي، الإدارة العامة، والتمويل**. وتمثل المجلة منصة أكاديمية رصينة تستهدف الباحثين، الأكاديميين، وطلبة الدراسات العليا في التخصصات المالية والإدارية، وتسعى إلى الإسهام الفعّال في تطوير المعرفة الاقتصادية والإدارية، وفقًا لأحدث المعايير العلمية والمنهجيات البحثية الحديثة. مجلة روح للعلوم الإنسانية ------------------------- ###$50 **(RUH Journal of Humanities)** *مجلة علمية دولية، محكّمة، فصلية، مفتوحة الوصول، تصدر عن مركز فكر للدراسات والتطوير.* رقم التسلسل المعياري الدولي: **ISSN: 3105-2436** تهدف **مجلة روح للعلوم الإنسانية** إلى نشر الأبحاث العلمية المتميزة في مختلف مجالات العلوم الإنسانية، وتعزيز الفكر الأكاديمي والنقاش العلمي المتخصص في القضايا الإنسانية المعاصرة على المستويين العربي والعالمي. تُعد المجلة منصة أكاديمية رصينة تجمع الباحثين من تخصصات متعددة لتبادل المعرفة، وتحفيز الدراسات الرصينة ذات الأثر المجتمعي والثقافي، وتوسيع دائرة الحوار العلمي حول الإنسان والمجتمع. جاء اختيار اسم **"روح"** ليعكس جوهر العلوم الإنسانية، التي تنطلق من فهم الإنسان: مشاعره، ثقافته، سلوكه، وتاريخه. تشير الكلمة إلى **العنصر الحيوي** الذي يمنح الإنسان والمجتمع معناهما، مما يرسّخ رؤية المجلة في أن **العلوم الإنسانية هي الروح النابضة لفهم المجتمعات وتطورها**. دعوة للتبرع ------------ ###$10 ###🎓 ساهم في نهضة العلم في سوريا – كن جزءًا من التغيير الحقيقي! إذا كنت تؤمن بقوة المعرفة وأهمية دعم البحث العلمي في سوريا، فقد حان الوقت لتشارك في صناعة الأمل. **تبرعك اليوم لا يُقدَّر بثمن…** إنه استثمار في العقول، وفي جيل جديد من الباحثين والمفكرين الذين يسعون لإعادة بناء المجتمع على أسس علمية وإنسانية. 📢 **ساهم في صناعة الأمل… تبرعك اليوم يصنع فرقاً حقيقياً غداً!** المؤتمرات العلمية ----------------- ###$100 ###🏛️ **مركز فكر للمؤتمرات العلمية** **مركز فكر للمؤتمرات العلمية** هو أحد برامج مركز فكر للدراسات والتطوير، يُعنى بتنظيم المؤتمرات والملتقيات العلمية المتخصصة، بهدف دعم البحث الأكاديمي وتوسيع دائرة الحوار المعرفي حول القضايا المعاصرة التي تهم المجتمعات العربية والعالمية. ينطلق المركز من رؤية تؤمن بأن **المؤتمر العلمي ليس مجرد حدث أكاديمي، بل هو منصة استراتيجية لإنتاج المعرفة، وتبادل الخبرات، وصياغة حلول مستندة إلى البحث العلمي**. ###📚 **مجالات المؤتمرات:** العلوم الإنسانية والاجتماعية العلوم الطبية والصحية الدراسات الاقتصادية والمالية دراسات المرأة والطفل والأسرة البيئة والتنمية المستدامة التكنولوجيا والتحول الرقمي التعليم والتربية **مع خالص الشكر والتقدير،** ============================ **نثمّن وقتكم واهتمامكم، ونتطلع إلى تعاون مثمر يجمعنا في خدمة البحث العلمي والمجتمع.** ====================================================================================== **نؤمن أن العمل المشترك هو مفتاح التغيير الحقيقي، ونرحّب بكم دائمًا ضمن شبكتنا العلمية والمجتمعية.** ==================================================================================================== ➡️ **قدّم مخطوطتك الآن:** [https://forms.gle/g7McfPrkaYYDFC2N6](https://forms.gle/g7McfPrkaYYDFC2N6) Maria Abdel Rahim [pr@rjsp.org](mailto:ahmet@rjsp.org) rihanjournal(a)gmail.com [00905306359001](https://) gazimuhtarpas 29600,gazantap [Unsubscribe](https://7m8ue.r.ag.d.sendibm3.com/mk/un/v2/sh/7nVTPdbLJ2bPbEmD…

1 month, 2 weeks

1
0
0 0

[PATCH 1/1] mm/thp: fix MTE tag mismatch when replacing zero-filled subpages

by Lance Yang

From: Lance Yang <lance.yang(a)linux.dev> When both THP and MTE are enabled, splitting a THP and replacing its zero-filled subpages with the shared zeropage can cause MTE tag mismatch faults in userspace. Remapping zero-filled subpages to the shared zeropage is unsafe, as the zeropage has a fixed tag of zero, which may not match the tag expected by the userspace pointer. KSM already avoids this problem by using memcmp_pages(), which on arm64 intentionally reports MTE-tagged pages as non-identical to prevent unsafe merging. As suggested by David[1], this patch adopts the same pattern, replacing the memchr_inv() byte-level check with a call to pages_identical(). This leverages existing architecture-specific logic to determine if a page is truly identical to the shared zeropage. Having both the THP shrinker and KSM rely on pages_identical() makes the design more future-proof, IMO. Instead of handling quirks in generic code, we just let the architecture decide what makes two pages identical. [1] https://lore.kernel.org/all/ca2106a3-4bb2-4457-81af-301fd99fbef4@redhat.com Cc: <stable(a)vger.kernel.org> Reported-by: Qun-wei Lin <Qun-wei.Lin(a)mediatek.com> Closes: https://lore.kernel.org/all/a7944523fcc3634607691c35311a5d59d1a3f8d4.camel@… Fixes: b1f202060afe ("mm: remap unused subpages to shared zeropage when splitting isolated thp") Suggested-by: David Hildenbrand <david(a)redhat.com> Signed-off-by: Lance Yang <lance.yang(a)linux.dev> --- Tested on x86_64 and on QEMU for arm64 (with and without MTE support), and the fix works as expected. mm/huge_memory.c | 15 +++------------ mm/migrate.c | 8 +------- 2 files changed, 4 insertions(+), 19 deletions(-) diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 32e0ec2dde36..28d4b02a1aa5 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -4104,29 +4104,20 @@ static unsigned long deferred_split_count(struct shrinker *shrink, static bool thp_underused(struct folio *folio) { int num_zero_pages = 0, num_filled_pages = 0; - void *kaddr; int i; for (i = 0; i < folio_nr_pages(folio); i++) { - kaddr = kmap_local_folio(folio, i * PAGE_SIZE); - if (!memchr_inv(kaddr, 0, PAGE_SIZE)) { - num_zero_pages++; - if (num_zero_pages > khugepaged_max_ptes_none) { - kunmap_local(kaddr); + if (pages_identical(folio_page(folio, i), ZERO_PAGE(0))) { + if (++num_zero_pages > khugepaged_max_ptes_none) return true; - } } else { /* * Another path for early exit once the number * of non-zero filled pages exceeds threshold. */ - num_filled_pages++; - if (num_filled_pages >= HPAGE_PMD_NR - khugepaged_max_ptes_none) { - kunmap_local(kaddr); + if (++num_filled_pages >= HPAGE_PMD_NR - khugepaged_max_ptes_none) return false; - } } - kunmap_local(kaddr); } return false; } diff --git a/mm/migrate.c b/mm/migrate.c index aee61a980374..ce83c2c3c287 100644 --- a/mm/migrate.c +++ b/mm/migrate.c @@ -300,9 +300,7 @@ static bool try_to_map_unused_to_zeropage(struct page_vma_mapped_walk *pvmw, unsigned long idx) { struct page *page = folio_page(folio, idx); - bool contains_data; pte_t newpte; - void *addr; if (PageCompound(page)) return false; @@ -319,11 +317,7 @@ static bool try_to_map_unused_to_zeropage(struct page_vma_mapped_walk *pvmw, * this subpage has been non present. If the subpage is only zero-filled * then map it to the shared zeropage. */ - addr = kmap_local_page(page); - contains_data = memchr_inv(addr, 0, PAGE_SIZE); - kunmap_local(addr); - - if (contains_data) + if (!pages_identical(page, ZERO_PAGE(0))) return false; newpte = pte_mkspecial(pfn_pte(my_zero_pfn(pvmw->address), -- 2.49.0

1 month, 2 weeks

6
21
0 0

Check this out at Amazon

by Votre Expert

THE HOUSEMAID UNDER CONTRACT https://rb.gy/2xfnv3

1 month, 2 weeks

1
0
0 0

Undelivered Mail Returned to Sender

by MAILER-DAEMON＠zihnyunrui.com

This is the mail system at host zihnyunrui.com. I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below. For further assistance, please send mail to postmaster. If you do so, please include this problem report. You can delete your own text from the attached returned message. The mail system <linux-stable-mirror(a)lists.linaro.org>: host lists.linaro.org[3.208.193.21] said: 554 5.7.1 Spam message rejected (in reply to end of DATA command)

1 month, 2 weeks

1
0
0 0

[PATCH] comedi: fix divide-by-zero in comedi_buf_munge()

by Deepanshu Kartikey

The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path. Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging. This prevents potential kernel panics from malformed user commands. Reported-by: syzbot+f6c3c066162d2c43a66c(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=f6c3c066162d2c43a66c Cc: stable(a)vger.kernel.org Signed-off-by: Deepanshu Kartikey <kartikey406(a)gmail.com> --- drivers/comedi/comedi_buf.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/comedi/comedi_buf.c b/drivers/comedi/comedi_buf.c index 002c0e76baff..786f888299ce 100644 --- a/drivers/comedi/comedi_buf.c +++ b/drivers/comedi/comedi_buf.c @@ -321,6 +321,11 @@ static unsigned int comedi_buf_munge(struct comedi_subdevice *s, async->munge_count += num_bytes; return num_bytes; } + + if (async->cmd.chanlist_len == 0) { + async->munge_count += num_bytes; + return num_bytes; + } /* don't munge partial samples */ num_bytes -= num_bytes % num_sample_bytes; -- 2.43.0

1 month, 2 weeks

2
1
0 0

[PATCH v4] arch_topology: Fix incorrect error check in topology_parse_cpu_capacity()

by Kaushlendra Kumar

Fix incorrect use of PTR_ERR_OR_ZERO() in topology_parse_cpu_capacity() which causes the code to proceed with NULL clock pointers. The current logic uses !PTR_ERR_OR_ZERO(cpu_clk) which evaluates to true for both valid pointers and NULL, leading to potential NULL pointer dereference in clk_get_rate(). Per include/linux/err.h documentation, PTR_ERR_OR_ZERO(ptr) returns: "The error code within @ptr if it is an error pointer; 0 otherwise." This means PTR_ERR_OR_ZERO() returns 0 for both valid pointers AND NULL pointers. Therefore !PTR_ERR_OR_ZERO(cpu_clk) evaluates to true (proceed) when cpu_clk is either valid or NULL, causing clk_get_rate(NULL) to be called when of_clk_get() returns NULL. Replace with !IS_ERR_OR_NULL(cpu_clk) which only proceeds for valid pointers, preventing potential NULL pointer dereference in clk_get_rate(). Fixes: b8fe128dad8f ("arch_topology: Adjust initial CPU capacities with current freq") Cc: stable(a)vger.kernel.org Signed-off-by: Kaushlendra Kumar <kaushlendra.kumar(a)intel.com> --- Changes in v4: - recipient list adjustment as per kernel patch review process Changes in v3: - Used accurate "function call properties" terminology in commit description (suggested by Markus Elfring) - Added stable backport justification - Removed duplicate marker line per kernel documentation Changes in v2: - Refined description based on documented macro properties (suggested by Markus Elfring) - Added proper Fixes drivers/base/arch_topology.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/base/arch_topology.c b/drivers/base/arch_topology.c index 1037169abb45..e1eff05bea4a 100644 --- a/drivers/base/arch_topology.c +++ b/drivers/base/arch_topology.c @@ -292,7 +292,7 @@ bool __init topology_parse_cpu_capacity(struct device_node *cpu_node, int cpu) * frequency (by keeping the initial capacity_freq_ref value). */ cpu_clk = of_clk_get(cpu_node, 0); - if (!PTR_ERR_OR_ZERO(cpu_clk)) { + if (!IS_ERR_OR_NULL(cpu_clk)) { per_cpu(capacity_freq_ref, cpu) = clk_get_rate(cpu_clk) / HZ_PER_KHZ; clk_put(cpu_clk); -- 2.34.1

1 month, 2 weeks

2
1
0 0

[PATCH v3] arch_topology: Fix incorrect error check in topology_parse_cpu_capacity()

by Kaushlendra Kumar

Fix incorrect use of PTR_ERR_OR_ZERO() in topology_parse_cpu_capacity() which causes the code to proceed with NULL clock pointers. The current logic uses !PTR_ERR_OR_ZERO(cpu_clk) which evaluates to true for both valid pointers and NULL, leading to potential NULL pointer dereference in clk_get_rate(). Per include/linux/err.h documentation, PTR_ERR_OR_ZERO(ptr) returns: "The error code within @ptr if it is an error pointer; 0 otherwise." This means PTR_ERR_OR_ZERO() returns 0 for both valid pointers AND NULL pointers. Therefore !PTR_ERR_OR_ZERO(cpu_clk) evaluates to true (proceed) when cpu_clk is either valid or NULL, causing clk_get_rate(NULL) to be called when of_clk_get() returns NULL. Replace with !IS_ERR_OR_NULL(cpu_clk) which only proceeds for valid pointers, preventing potential NULL pointer dereference in clk_get_rate(). Fixes: b8fe128dad8f ("arch_topology: Adjust initial CPU capacities with current freq") Cc: stable(a)vger.kernel.org Signed-off-by: Kaushlendra Kumar <kaushlendra.kumar(a)intel.com> --- Changes in v3: - Used accurate "function call properties" terminology in commit description (suggested by Markus Elfring) - Added stable backport justification - Removed duplicate marker line per kernel documentation Changes in v2: - Refined description based on documented macro properties (suggested by Markus Elfring) - Added proper Fixes drivers/base/arch_topology.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/base/arch_topology.c b/drivers/base/arch_topology.c index 1037169abb45..e1eff05bea4a 100644 --- a/drivers/base/arch_topology.c +++ b/drivers/base/arch_topology.c @@ -292,7 +292,7 @@ bool __init topology_parse_cpu_capacity(struct device_node *cpu_node, int cpu) * frequency (by keeping the initial capacity_freq_ref value). */ cpu_clk = of_clk_get(cpu_node, 0); - if (!PTR_ERR_OR_ZERO(cpu_clk)) { + if (!IS_ERR_OR_NULL(cpu_clk)) { per_cpu(capacity_freq_ref, cpu) = clk_get_rate(cpu_clk) / HZ_PER_KHZ; clk_put(cpu_clk); -- 2.34.1

1 month, 2 weeks

3
3
0 0

[PATCH 6.6 00/70] 6.6.108-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.108 release. There are 70 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 24 Sep 2025 19:23:52 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.108-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.108-rc1 Eric Hagberg <ehagberg(a)janestreet.com> Revert "loop: Avoid updating block size under exclusive owner" Linus Torvalds <torvalds(a)linux-foundation.org> minmax: add a few more MIN_T/MAX_T users Linus Torvalds <torvalds(a)linux-foundation.org> minmax: simplify and clarify min_t()/max_t() implementation Linus Torvalds <torvalds(a)linux-foundation.org> minmax: avoid overly complicated constant expressions in VM code Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: propagate shutdown to subflows when possible Bruno Thomsen <bruno.thomsen(a)gmail.com> rtc: pcf2127: fix SPI command byte for PCF2131 backport Vasant Hegde <vasant.hegde(a)amd.com> iommu/amd/pgtbl: Fix possible race while increase page table level Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: Fix full DbC transfer ring after several reconnects Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: decouple endpoint allocation from initialization Johan Hovold <johan(a)kernel.org> phy: ti: omap-usb2: fix device leak at unbind Rob Herring <robh(a)kernel.org> phy: Use device_get_match_data() Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: userspace pm: validate deny-join-id0 flag Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: nl: announce deny-join-id0 flag Sankararaman Jayaraman <sankararaman.jayaraman(a)broadcom.com> vmxnet3: unregister xdp rxq info in the reset path Stefan Metzmacher <metze(a)samba.org> smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path Herbert Xu <herbert(a)gondor.apana.org.au> crypto: af_alg - Set merge to zero early in af_alg_sendmsg Qi Xi <xiqi2(a)huawei.com> drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path Loic Poulain <loic.poulain(a)oss.qualcomm.com> drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ Colin Ian King <colin.i.king(a)gmail.com> ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8974: Correct PLL rate rounding Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8940: Correct typo in control name Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8940: Correct PLL rate rounding Jens Axboe <axboe(a)kernel.dk> io_uring: include dying ring in task_work "should cancel" state Jens Axboe <axboe(a)kernel.dk> io_uring: backport io_should_terminate_tw() Praful Adiga <praful.adiga(a)gmail.com> ALSA: hda/realtek: Fix mute led for HP Laptop 15-dw4xx Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: avoid spurious errors on TCP disconnect Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: connect: catch IO errors on listen side Håkon Bugge <haakon.bugge(a)oracle.com> rds: ib: Increment i_fastreg_wrs before bailing out Hans de Goede <hansg(a)kernel.org> net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Maciej S. Szmigiero <maciej.szmigiero(a)oracle.com> KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active Thomas Fourier <fourier.thomas(a)gmail.com> mmc: mvsdio: Fix dma_unmap_sg() nents value Mohammad Rafi Shaik <mohammad.rafi.shaik(a)oss.qualcomm.com> ASoC: qcom: q6apm-lpass-dais: Fix missing set_fmt DAI op for I2S Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed Mohammad Rafi Shaik <mohammad.rafi.shaik(a)oss.qualcomm.com> ASoC: qcom: audioreach: Fix lpaif_type configuration for the I2S interface Qu Wenruo <wqu(a)suse.com> btrfs: tree-checker: fix the incorrect inode ref size check Eugene Koira <eugkoira(a)amazon.com> iommu/vt-d: Fix __domain_mapping()'s usage of switch_to_super_page() Tao Cui <cuitao(a)kylinos.cn> LoongArch: Check the return value when creating kobj Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Align ACPI structures if ARCH_STRICT_ALIGN enabled Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Update help info of ARCH_STRICT_ALIGN H. Nikolaus Schaller <hns(a)goldelico.com> power: supply: bq27xxx: restrict no-battery detection to bq27000 H. Nikolaus Schaller <hns(a)goldelico.com> power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery Herbert Xu <herbert(a)gondor.apana.org.au> crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Nathan Chancellor <nathan(a)kernel.org> nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* Stefan Metzmacher <metze(a)samba.org> ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer Duoming Zhou <duoming(a)zju.edu.cn> octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp() Duoming Zhou <duoming(a)zju.edu.cn> cnic: Fix use-after-free bugs in cnic_delete_task Alexey Nepomnyashih <sdl(a)nppct.ru> net: liquidio: fix overflow in octeon_init_instr_queue() Tariq Toukan <tariqt(a)nvidia.com> Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" Jakub Kicinski <kuba(a)kernel.org> tls: make sure to abort the stream if headers are bogus Kuniyuki Iwashima <kuniyu(a)google.com> tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). Hangbin Liu <liuhangbin(a)gmail.com> bonding: don't set oif to bond dev when getting NS target destination Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Harden uplink netdev access against device unbind Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Consider aggregated port speed during rate configuration Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> i40e: remove redundant memory barrier when cleaning Tx descs Yeounsu Moon <yyyynoom(a)gmail.com> net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure Geliang Tang <tanggeliang(a)kylinos.cn> selftests: mptcp: sockopt: fix error messages Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: tfo: record 'deny join id0' info Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: set remote_deny_join_id0 on SYN recv Hangbin Liu <liuhangbin(a)gmail.com> bonding: set random address only when slaves already exist Jamie Bainbridge <jamie.bainbridge(a)gmail.com> qed: Don't collect too many protection override GRC elements Ioana Ciornei <ioana.ciornei(a)nxp.com> dpaa2-switch: fix buffer pool seeding for control traffic Miaoqian Lin <linmq006(a)gmail.com> um: virtio_uml: Fix use-after-free after put_device in probe Filipe Manana <fdmanana(a)suse.com> btrfs: fix invalid extref key setup when replaying dentry Chen Ridong <chenridong(a)huawei.com> cgroup: split cgroup_destroy_wq into 3 workqueues Geert Uytterhoeven <geert+renesas(a)glider.be> pcmcia: omap_cf: Mark driver struct with __refdata to prevent section mismatch Liao Yuanhong <liaoyuanhong(a)vivo.com> wifi: mac80211: fix incorrect type for ret Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: increase scan_ies_len for S1G Takashi Sakamoto <o-takashi(a)sakamocchi.jp> ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported Ajay.Kathat(a)microchip.com <Ajay.Kathat(a)microchip.com> wifi: wilc1000: avoid buffer overflow in WID string configuration ------------- Diffstat: Makefile | 4 +- arch/loongarch/Kconfig | 8 +- arch/loongarch/include/asm/acenv.h | 7 +- arch/loongarch/kernel/env.c | 2 + arch/um/drivers/virtio_uml.c | 6 +- arch/x86/kvm/svm/svm.c | 3 +- arch/x86/mm/pgtable.c | 2 +- crypto/af_alg.c | 10 ++- drivers/block/loop.c | 38 ++------- drivers/edac/sb_edac.c | 4 +- drivers/gpu/drm/bridge/analogix/anx7625.c | 6 +- .../gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 6 +- drivers/gpu/drm/drm_color_mgmt.c | 2 +- drivers/iommu/amd/amd_iommu_types.h | 1 + drivers/iommu/amd/io_pgtable.c | 26 +++++- drivers/iommu/intel/iommu.c | 7 +- drivers/md/dm-integrity.c | 6 +- drivers/mmc/host/mvsdio.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/broadcom/cnic.c | 3 +- .../net/ethernet/cavium/liquidio/request_manager.c | 2 +- .../net/ethernet/freescale/dpaa2/dpaa2-switch.c | 2 +- drivers/net/ethernet/intel/i40e/i40e_txrx.c | 3 - .../net/ethernet/marvell/octeontx2/nic/otx2_ptp.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 - drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 27 +++++-- drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 85 ++++++++++++++++--- drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h | 15 +++- drivers/net/ethernet/natsemi/ns83820.c | 13 ++- drivers/net/ethernet/qlogic/qed/qed_debug.c | 7 +- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- drivers/net/vmxnet3/vmxnet3_drv.c | 10 +-- drivers/net/wireless/microchip/wilc1000/wlan_cfg.c | 39 ++++++--- drivers/net/wireless/microchip/wilc1000/wlan_cfg.h | 5 +- drivers/pcmcia/omap_cf.c | 8 +- drivers/phy/broadcom/phy-bcm-ns-usb3.c | 9 +-- drivers/phy/marvell/phy-berlin-usb.c | 7 +- drivers/phy/ralink/phy-ralink-usb.c | 10 +-- drivers/phy/rockchip/phy-rockchip-pcie.c | 11 +-- drivers/phy/rockchip/phy-rockchip-usb.c | 10 +-- drivers/phy/ti/phy-omap-control.c | 9 +-- drivers/phy/ti/phy-omap-usb2.c | 24 ++++-- drivers/phy/ti/phy-ti-pipe3.c | 14 +--- drivers/power/supply/bq27xxx_battery.c | 4 +- drivers/rtc/rtc-pcf2127.c | 10 +-- drivers/usb/host/xhci-dbgcap.c | 94 +++++++++++++++------- fs/btrfs/tree-checker.c | 4 +- fs/btrfs/tree-log.c | 2 +- fs/nilfs2/sysfs.c | 4 +- fs/nilfs2/sysfs.h | 8 +- fs/smb/client/smbdirect.c | 4 +- fs/smb/server/transport_rdma.c | 26 ++++-- include/crypto/if_alg.h | 10 ++- include/linux/minmax.h | 26 ++++-- include/linux/mlx5/driver.h | 1 + include/linux/pageblock-flags.h | 2 +- include/uapi/linux/mptcp.h | 6 +- io_uring/io_uring.c | 7 +- io_uring/io_uring.h | 13 +++ io_uring/poll.c | 3 +- io_uring/timeout.c | 2 +- kernel/cgroup/cgroup.c | 43 ++++++++-- net/ipv4/proc.c | 2 +- net/ipv4/tcp.c | 5 ++ net/ipv6/proc.c | 2 +- net/mac80211/driver-ops.h | 2 +- net/mac80211/main.c | 7 +- net/mptcp/options.c | 6 +- net/mptcp/pm_netlink.c | 7 ++ net/mptcp/protocol.c | 16 ++++ net/mptcp/subflow.c | 4 + net/rds/ib_frmr.c | 20 +++-- net/rfkill/rfkill-gpio.c | 4 +- net/tls/tls.h | 1 + net/tls/tls_strp.c | 14 ++-- net/tls/tls_sw.c | 3 +- sound/firewire/motu/motu-hwdep.c | 2 +- sound/pci/hda/patch_realtek.c | 1 + sound/soc/codecs/wm8940.c | 9 ++- sound/soc/codecs/wm8974.c | 8 +- sound/soc/qcom/qdsp6/audioreach.c | 1 + sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 7 +- sound/soc/sof/intel/hda-stream.c | 2 +- tools/testing/selftests/net/mptcp/mptcp_connect.c | 11 +-- tools/testing/selftests/net/mptcp/mptcp_sockopt.c | 16 ++-- tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 7 ++ tools/testing/selftests/net/mptcp/userspace_pm.sh | 14 +++- 87 files changed, 601 insertions(+), 300 deletions(-)

1 month, 2 weeks

10
79
0 0

[PATCH net RESEND] net/core : fix KMSAN: uninit value in tipc_rcv

by hariconscious＠gmail.com

From: HariKrishna Sagala <hariconscious(a)gmail.com> Syzbot reported an uninit-value bug on at kmalloc_reserve for commit 320475fbd590 ("Merge tag 'mtd/fixes-for-6.17-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux")' Syzbot KMSAN reported use of uninitialized memory originating from functions "kmalloc_reserve()", where memory allocated via "kmem_cache_alloc_node()" or "kmalloc_node_track_caller()" was not explicitly initialized. This can lead to undefined behavior when the allocated buffer is later accessed. Fix this by requesting the initialized memory using the gfp flag appended with the option "__GFP_ZERO". Reported-by: syzbot+9a4fbb77c9d4aacd3388(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=9a4fbb77c9d4aacd3388 Fixes: 915d975b2ffa ("net: deal with integer overflows in kmalloc_reserve()") Tested-by: syzbot+9a4fbb77c9d4aacd3388(a)syzkaller.appspotmail.com Cc: <stable(a)vger.kernel.org> # 6.16 Signed-off-by: HariKrishna Sagala <hariconscious(a)gmail.com> --- RESEND: - added Cc stable as suggested from kernel test robot net/core/skbuff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index ee0274417948..2308ebf99bbd 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -573,6 +573,7 @@ static void *kmalloc_reserve(unsigned int *size, gfp_t flags, int node, void *obj; obj_size = SKB_HEAD_ALIGN(*size); + flags |= __GFP_ZERO; if (obj_size <= SKB_SMALL_HEAD_CACHE_SIZE && !(flags & KMALLOC_NOT_NORMAL_BITS)) { obj = kmem_cache_alloc_node(net_hotdata.skb_small_head_cache, -- 2.43.0

1 month, 2 weeks

2
1
0 0

[PATCH v2] tee: fix register_shm_helper()

by Jens Wiklander

In register_shm_helper(), fix incorrect error handling for a call to iov_iter_extract_pages(). A case is missing for when iov_iter_extract_pages() only got some pages and return a number larger than 0, but not the requested amount. This fixes a possible NULL pointer dereference following a bad input from ioctl(TEE_IOC_SHM_REGISTER) where parts of the buffer isn't mapped. Cc: stable(a)vger.kernel.org Reported-by: Masami Ichikawa <masami256(a)gmail.com> Closes: https://lore.kernel.org/op-tee/CACOXgS-Bo2W72Nj1_44c7bntyNYOavnTjJAvUbEiQfq… Tested-by: Masami Ichikawa <masami256(a)gmail.com> Fixes: 7bdee4157591 ("tee: Use iov_iter to better support shared buffer registration") Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org> --- Changes from v1 - Refactor the if statement as requested by Sumit - Adding Tested-by: Masami Ichikawa <masami256(a)gmail.com - Link to v1: https://lore.kernel.org/op-tee/20250919124217.2934718-1-jens.wiklander@lina… --- drivers/tee/tee_shm.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index daf6e5cfd59a..76c54e1dc98c 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -319,6 +319,14 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags, if (unlikely(len <= 0)) { ret = len ? ERR_PTR(len) : ERR_PTR(-ENOMEM); goto err_free_shm_pages; + } else if (DIV_ROUND_UP(len + off, PAGE_SIZE) != num_pages) { + /* + * If we only got a few pages, update to release the + * correct amount below. + */ + shm->num_pages = len / PAGE_SIZE; + ret = ERR_PTR(-ENOMEM); + goto err_put_shm_pages; } /* -- 2.43.0

1 month, 2 weeks

2
2
0 0

[PATCH] lib/genalloc: fix device leak in of_gen_pool_get()

by Johan Hovold

Make sure to drop the reference taken when looking up the genpool platform device in of_gen_pool_get() before returning the pool. Note that holding a reference to a device does typically not prevent its devres managed resources from being released so there is no point in keeping the reference. Fixes: 9375db07adea ("genalloc: add devres support, allow to find a managed pool by device") Cc: stable(a)vger.kernel.org # 3.10 Cc: Philipp Zabel <p.zabel(a)pengutronix.de> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- lib/genalloc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lib/genalloc.c b/lib/genalloc.c index 4fa5635bf81b..841f29783833 100644 --- a/lib/genalloc.c +++ b/lib/genalloc.c @@ -899,8 +899,11 @@ struct gen_pool *of_gen_pool_get(struct device_node *np, if (!name) name = of_node_full_name(np_pool); } - if (pdev) + if (pdev) { pool = gen_pool_get(&pdev->dev, name); + put_device(&pdev->dev); + } + of_node_put(np_pool); return pool; -- 2.49.1

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm/gup: check ref_count instead of lru before migration" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 98c6d259319ecf6e8d027abd3f14b81324b8c0ad # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092154-unnoticed-collide-5621@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 98c6d259319ecf6e8d027abd3f14b81324b8c0ad Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Mon, 8 Sep 2025 15:15:03 -0700 Subject: [PATCH] mm/gup: check ref_count instead of lru before migration Patch series "mm: better GUP pin lru_add_drain_all()", v2. Series of lru_add_drain_all()-related patches, arising from recent mm/gup migration report from Will Deacon. This patch (of 5): Will Deacon reports:- When taking a longterm GUP pin via pin_user_pages(), __gup_longterm_locked() tries to migrate target folios that should not be longterm pinned, for example because they reside in a CMA region or movable zone. This is done by first pinning all of the target folios anyway, collecting all of the longterm-unpinnable target folios into a list, dropping the pins that were just taken and finally handing the list off to migrate_pages() for the actual migration. It is critically important that no unexpected references are held on the folios being migrated, otherwise the migration will fail and pin_user_pages() will return -ENOMEM to its caller. Unfortunately, it is relatively easy to observe migration failures when running pKVM (which uses pin_user_pages() on crosvm's virtual address space to resolve stage-2 page faults from the guest) on a 6.15-based Pixel 6 device and this results in the VM terminating prematurely. In the failure case, 'crosvm' has called mlock(MLOCK_ONFAULT) on its mapping of guest memory prior to the pinning. Subsequently, when pin_user_pages() walks the page-table, the relevant 'pte' is not present and so the faulting logic allocates a new folio, mlocks it with mlock_folio() and maps it in the page-table. Since commit 2fbb0c10d1e8 ("mm/munlock: mlock_page() munlock_page() batch by pagevec"), mlock/munlock operations on a folio (formerly page), are deferred. For example, mlock_folio() takes an additional reference on the target folio before placing it into a per-cpu 'folio_batch' for later processing by mlock_folio_batch(), which drops the refcount once the operation is complete. Processing of the batches is coupled with the LRU batch logic and can be forcefully drained with lru_add_drain_all() but as long as a folio remains unprocessed on the batch, its refcount will be elevated. This deferred batching therefore interacts poorly with the pKVM pinning scenario as we can find ourselves in a situation where the migration code fails to migrate a folio due to the elevated refcount from the pending mlock operation. Hugh Dickins adds:- !folio_test_lru() has never been a very reliable way to tell if an lru_add_drain_all() is worth calling, to remove LRU cache references to make the folio migratable: the LRU flag may be set even while the folio is held with an extra reference in a per-CPU LRU cache. 5.18 commit 2fbb0c10d1e8 may have made it more unreliable. Then 6.11 commit 33dfe9204f29 ("mm/gup: clear the LRU flag of a page before adding to LRU batch") tried to make it reliable, by moving LRU flag clearing; but missed the mlock/munlock batches, so still unreliable as reported. And it turns out to be difficult to extend 33dfe9204f29's LRU flag clearing to the mlock/munlock batches: if they do benefit from batching, mlock/munlock cannot be so effective when easily suppressed while !LRU. Instead, switch to an expected ref_count check, which was more reliable all along: some more false positives (unhelpful drains) than before, and never a guarantee that the folio will prove migratable, but better. Note on PG_private_2: ceph and nfs are still using the deprecated PG_private_2 flag, with the aid of netfs and filemap support functions. Although it is consistently matched by an increment of folio ref_count, folio_expected_ref_count() intentionally does not recognize it, and ceph folio migration currently depends on that for PG_private_2 folios to be rejected. New references to the deprecated flag are discouraged, so do not add it into the collect_longterm_unpinnable_folios() calculation: but longterm pinning of transiently PG_private_2 ceph and nfs folios (an uncommon case) may invoke a redundant lru_add_drain_all(). And this makes easy the backport to earlier releases: up to and including 6.12, btrfs also used PG_private_2, but without a ref_count increment. Note for stable backports: requires 6.16 commit 86ebd50224c0 ("mm: add folio_expected_ref_count() for reference count calculation"). Link: https://lkml.kernel.org/r/41395944-b0e3-c3ac-d648-8ddd70451d28@google.com Link: https://lkml.kernel.org/r/bd1f314a-fca1-8f19-cac0-b936c9614557@google.com Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: Hugh Dickins <hughd(a)google.com> Reported-by: Will Deacon <will(a)kernel.org> Closes: https://lore.kernel.org/linux-mm/20250815101858.24352-1-will@kernel.org/ Acked-by: Kiryl Shutsemau <kas(a)kernel.org> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/gup.c b/mm/gup.c index adffe663594d..82aec6443c0a 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2307,7 +2307,8 @@ static unsigned long collect_longterm_unpinnable_folios( continue; } - if (!folio_test_lru(folio) && drain_allow) { + if (drain_allow && folio_ref_count(folio) != + folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); drain_allow = false; }

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] mm/gup: check ref_count instead of lru before migration" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 98c6d259319ecf6e8d027abd3f14b81324b8c0ad # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092111-hedging-brunch-bdeb@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 98c6d259319ecf6e8d027abd3f14b81324b8c0ad Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Mon, 8 Sep 2025 15:15:03 -0700 Subject: [PATCH] mm/gup: check ref_count instead of lru before migration Patch series "mm: better GUP pin lru_add_drain_all()", v2. Series of lru_add_drain_all()-related patches, arising from recent mm/gup migration report from Will Deacon. This patch (of 5): Will Deacon reports:- When taking a longterm GUP pin via pin_user_pages(), __gup_longterm_locked() tries to migrate target folios that should not be longterm pinned, for example because they reside in a CMA region or movable zone. This is done by first pinning all of the target folios anyway, collecting all of the longterm-unpinnable target folios into a list, dropping the pins that were just taken and finally handing the list off to migrate_pages() for the actual migration. It is critically important that no unexpected references are held on the folios being migrated, otherwise the migration will fail and pin_user_pages() will return -ENOMEM to its caller. Unfortunately, it is relatively easy to observe migration failures when running pKVM (which uses pin_user_pages() on crosvm's virtual address space to resolve stage-2 page faults from the guest) on a 6.15-based Pixel 6 device and this results in the VM terminating prematurely. In the failure case, 'crosvm' has called mlock(MLOCK_ONFAULT) on its mapping of guest memory prior to the pinning. Subsequently, when pin_user_pages() walks the page-table, the relevant 'pte' is not present and so the faulting logic allocates a new folio, mlocks it with mlock_folio() and maps it in the page-table. Since commit 2fbb0c10d1e8 ("mm/munlock: mlock_page() munlock_page() batch by pagevec"), mlock/munlock operations on a folio (formerly page), are deferred. For example, mlock_folio() takes an additional reference on the target folio before placing it into a per-cpu 'folio_batch' for later processing by mlock_folio_batch(), which drops the refcount once the operation is complete. Processing of the batches is coupled with the LRU batch logic and can be forcefully drained with lru_add_drain_all() but as long as a folio remains unprocessed on the batch, its refcount will be elevated. This deferred batching therefore interacts poorly with the pKVM pinning scenario as we can find ourselves in a situation where the migration code fails to migrate a folio due to the elevated refcount from the pending mlock operation. Hugh Dickins adds:- !folio_test_lru() has never been a very reliable way to tell if an lru_add_drain_all() is worth calling, to remove LRU cache references to make the folio migratable: the LRU flag may be set even while the folio is held with an extra reference in a per-CPU LRU cache. 5.18 commit 2fbb0c10d1e8 may have made it more unreliable. Then 6.11 commit 33dfe9204f29 ("mm/gup: clear the LRU flag of a page before adding to LRU batch") tried to make it reliable, by moving LRU flag clearing; but missed the mlock/munlock batches, so still unreliable as reported. And it turns out to be difficult to extend 33dfe9204f29's LRU flag clearing to the mlock/munlock batches: if they do benefit from batching, mlock/munlock cannot be so effective when easily suppressed while !LRU. Instead, switch to an expected ref_count check, which was more reliable all along: some more false positives (unhelpful drains) than before, and never a guarantee that the folio will prove migratable, but better. Note on PG_private_2: ceph and nfs are still using the deprecated PG_private_2 flag, with the aid of netfs and filemap support functions. Although it is consistently matched by an increment of folio ref_count, folio_expected_ref_count() intentionally does not recognize it, and ceph folio migration currently depends on that for PG_private_2 folios to be rejected. New references to the deprecated flag are discouraged, so do not add it into the collect_longterm_unpinnable_folios() calculation: but longterm pinning of transiently PG_private_2 ceph and nfs folios (an uncommon case) may invoke a redundant lru_add_drain_all(). And this makes easy the backport to earlier releases: up to and including 6.12, btrfs also used PG_private_2, but without a ref_count increment. Note for stable backports: requires 6.16 commit 86ebd50224c0 ("mm: add folio_expected_ref_count() for reference count calculation"). Link: https://lkml.kernel.org/r/41395944-b0e3-c3ac-d648-8ddd70451d28@google.com Link: https://lkml.kernel.org/r/bd1f314a-fca1-8f19-cac0-b936c9614557@google.com Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: Hugh Dickins <hughd(a)google.com> Reported-by: Will Deacon <will(a)kernel.org> Closes: https://lore.kernel.org/linux-mm/20250815101858.24352-1-will@kernel.org/ Acked-by: Kiryl Shutsemau <kas(a)kernel.org> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/gup.c b/mm/gup.c index adffe663594d..82aec6443c0a 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2307,7 +2307,8 @@ static unsigned long collect_longterm_unpinnable_folios( continue; } - if (!folio_test_lru(folio) && drain_allow) { + if (drain_allow && folio_ref_count(folio) != + folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); drain_allow = false; }

1 month, 2 weeks

2
1
0 0

[PATCH v6 4/4] PCI: dwc: Don't return error when wait for link up in dw_pcie_resume_noirq()

by Richard Zhu

When waiting for the PCIe link to come up, both link up and link down are valid results depending on the device state. Since the link may come up later and to get rid of the following mis-reported PM errors. Do not return an -ETIMEDOUT error, as the outcome has already been reported in dw_pcie_wait_for_link(). PM error logs introduced by the -ETIMEDOUT error return. imx6q-pcie 33800000.pcie: Phy link never came up imx6q-pcie 33800000.pcie: PM: dpm_run_callback(): genpd_resume_noirq returns -110 imx6q-pcie 33800000.pcie: PM: failed to resume noirq: error -110 Cc: stable(a)vger.kernel.org Fixes: 4774faf854f5 ("PCI: dwc: Implement generic suspend/resume functionality") Signed-off-by: Richard Zhu <hongxing.zhu(a)nxp.com> Reviewed-by: Frank Li <Frank.Li(a)nxp.com> --- drivers/pci/controller/dwc/pcie-designware-host.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/pci/controller/dwc/pcie-designware-host.c b/drivers/pci/controller/dwc/pcie-designware-host.c index b303a74b0fd7..c4386be38a07 100644 --- a/drivers/pci/controller/dwc/pcie-designware-host.c +++ b/drivers/pci/controller/dwc/pcie-designware-host.c @@ -1084,10 +1084,9 @@ int dw_pcie_resume_noirq(struct dw_pcie *pci) if (ret) return ret; - ret = dw_pcie_wait_for_link(pci); - if (ret) - return ret; + /* Ignore errors, the link may come up later */ + dw_pcie_wait_for_link(pci); - return ret; + return 0; } EXPORT_SYMBOL_GPL(dw_pcie_resume_noirq); -- 2.37.1

1 month, 2 weeks

1
0
0 0

[PATCH v6 2/4] PCI: dwc: Don't poll L2 if QUIRK_NOL2POLL_IN_PM is existing in suspend

by Richard Zhu

Refer to PCIe r6.0, sec 5.2, fig 5-1 Link Power Management State Flow Diagram. Both L0 and L2/L3 Ready can be transferred to LDn directly. It's harmless to let dw_pcie_suspend_noirq() proceed suspend after the PME_Turn_Off is sent out, whatever the LTSSM state is in L2 or L3 after a recommended 10ms max wait refer to PCIe r6.0, sec 5.3.3.2.1 PME Synchronization. The LTSSM states are inaccessible on i.MX6QP and i.MX7D after the PME_Turn_Off is sent out. To support this case, don't poll L2 state and apply a simple delay of PCIE_PME_TO_L2_TIMEOUT_US(10ms) if the QUIRK_NOL2POLL_IN_PM flag is set in suspend. Cc: stable(a)vger.kernel.org Fixes: 4774faf854f5 ("PCI: dwc: Implement generic suspend/resume functionality") Fixes: a528d1a72597 ("PCI: imx6: Use DWC common suspend resume method") Signed-off-by: Richard Zhu <hongxing.zhu(a)nxp.com> Reviewed-by: Frank Li <Frank.Li(a)nxp.com> --- drivers/pci/controller/dwc/pci-imx6.c | 4 +++ .../pci/controller/dwc/pcie-designware-host.c | 34 +++++++++++++------ drivers/pci/controller/dwc/pcie-designware.h | 4 +++ 3 files changed, 32 insertions(+), 10 deletions(-) diff --git a/drivers/pci/controller/dwc/pci-imx6.c b/drivers/pci/controller/dwc/pci-imx6.c index 80e48746bbaf..a59b5282c3cc 100644 --- a/drivers/pci/controller/dwc/pci-imx6.c +++ b/drivers/pci/controller/dwc/pci-imx6.c @@ -125,6 +125,7 @@ struct imx_pcie_drvdata { enum imx_pcie_variants variant; enum dw_pcie_device_mode mode; u32 flags; + u32 quirk; int dbi_length; const char *gpr; const u32 ltssm_off; @@ -1765,6 +1766,7 @@ static int imx_pcie_probe(struct platform_device *pdev) if (ret) return ret; + pci->quirk_flag = imx_pcie->drvdata->quirk; pci->use_parent_dt_ranges = true; if (imx_pcie->drvdata->mode == DW_PCIE_EP_TYPE) { ret = imx_add_pcie_ep(imx_pcie, pdev); @@ -1849,6 +1851,7 @@ static const struct imx_pcie_drvdata drvdata[] = { .enable_ref_clk = imx6q_pcie_enable_ref_clk, .core_reset = imx6qp_pcie_core_reset, .ops = &imx_pcie_host_ops, + .quirk = QUIRK_NOL2POLL_IN_PM, }, [IMX7D] = { .variant = IMX7D, @@ -1860,6 +1863,7 @@ static const struct imx_pcie_drvdata drvdata[] = { .mode_mask[0] = IMX6Q_GPR12_DEVICE_TYPE, .enable_ref_clk = imx7d_pcie_enable_ref_clk, .core_reset = imx7d_pcie_core_reset, + .quirk = QUIRK_NOL2POLL_IN_PM, }, [IMX8MQ] = { .variant = IMX8MQ, diff --git a/drivers/pci/controller/dwc/pcie-designware-host.c b/drivers/pci/controller/dwc/pcie-designware-host.c index 9d46d1f0334b..57a1ba08c427 100644 --- a/drivers/pci/controller/dwc/pcie-designware-host.c +++ b/drivers/pci/controller/dwc/pcie-designware-host.c @@ -1016,15 +1016,29 @@ int dw_pcie_suspend_noirq(struct dw_pcie *pci) return ret; } - ret = read_poll_timeout(dw_pcie_get_ltssm, val, - val == DW_PCIE_LTSSM_L2_IDLE || - val <= DW_PCIE_LTSSM_DETECT_WAIT, - PCIE_PME_TO_L2_TIMEOUT_US/10, - PCIE_PME_TO_L2_TIMEOUT_US, false, pci); - if (ret) { - /* Only log message when LTSSM isn't in DETECT or POLL */ - dev_err(pci->dev, "Timeout waiting for L2 entry! LTSSM: 0x%x\n", val); - return ret; + if (dwc_quirk(pci, QUIRK_NOL2POLL_IN_PM)) { + /* + * Add the QUIRK_NOL2_POLL_IN_PM case to avoid the read hang, + * when LTSSM is not powered in L2/L3/LDn properly. + * + * Refer to PCIe r6.0, sec 5.2, fig 5-1 Link Power Management + * State Flow Diagram. Both L0 and L2/L3 Ready can be + * transferred to LDn directly. On the LTSSM states poll broken + * platforms, add a max 10ms delay refer to PCIe r6.0, + * sec 5.3.3.2.1 PME Synchronization. + */ + mdelay(PCIE_PME_TO_L2_TIMEOUT_US/1000); + } else { + ret = read_poll_timeout(dw_pcie_get_ltssm, val, + val == DW_PCIE_LTSSM_L2_IDLE || + val <= DW_PCIE_LTSSM_DETECT_WAIT, + PCIE_PME_TO_L2_TIMEOUT_US/10, + PCIE_PME_TO_L2_TIMEOUT_US, false, pci); + if (ret) { + /* Only log message when LTSSM isn't in DETECT or POLL */ + dev_err(pci->dev, "Timeout waiting for L2 entry! LTSSM: 0x%x\n", val); + return ret; + } } /* @@ -1040,7 +1054,7 @@ int dw_pcie_suspend_noirq(struct dw_pcie *pci) pci->suspended = true; - return ret; + return 0; } EXPORT_SYMBOL_GPL(dw_pcie_suspend_noirq); diff --git a/drivers/pci/controller/dwc/pcie-designware.h b/drivers/pci/controller/dwc/pcie-designware.h index 00f52d472dcd..4e5bf6cb6ce8 100644 --- a/drivers/pci/controller/dwc/pcie-designware.h +++ b/drivers/pci/controller/dwc/pcie-designware.h @@ -295,6 +295,9 @@ /* Default eDMA LLP memory size */ #define DMA_LLP_MEM_SIZE PAGE_SIZE +#define QUIRK_NOL2POLL_IN_PM BIT(0) +#define dwc_quirk(pci, val) (pci->quirk_flag & val) + struct dw_pcie; struct dw_pcie_rp; struct dw_pcie_ep; @@ -504,6 +507,7 @@ struct dw_pcie { const struct dw_pcie_ops *ops; u32 version; u32 type; + u32 quirk_flag; unsigned long caps; int num_lanes; int max_link_speed; -- 2.37.1

1 month, 2 weeks

1
0
0 0

[PATCH v4 0/2] dc395x: fix compiler warnings and improve formatting of the macros

by Xinhui Yang

This series of patches clears the compiler warnings for the dc395x driver. The first patch introduces a new macro that casts the value returned by a read operation to void, since some values returned by some specific read operations (which just simply clears the FIFO buffer or resets the interrupt status) can be ignored. Creating a new macro that casts the return value to void to fix the warning. During the fix, checkpatch.pl complained about missing white space between macro arguments and missing parentheses around complex expressions. To align with the changes in the first patch, the formatting of macros above and below the introduced macro are also fixed. Since in Patch v2 [2] Bart pointed out that such change can't be made to the stable tree, the patch is split to two parts. --- Changes since v3 [1]: - Undo some mistakes in the patch 2 of the patch v2 where extra parentheses are added around function calls. - Remove the unnecessary casts from the inb(), inw() and inl() calls, so that extra parentheses are no longer required. They are now returns the type it was being casted to, as James pointed out. Changes since v2 [2]: - Split the patch into two parts, the first one fixes the warning, and the second one improves the formatting of the surrounding macros. - Make the description of the formatting changes more clear. Changes since v1 [3]: - Add Cc: tag to include this patch to the stable tree. - Add additional description about the formatting changes. [1]: https://lore.kernel.org/linux-scsi/20250923125226.1883391-1-cyan@cyano.uk/ [2]: https://lore.kernel.org/linux-scsi/20250922152609.827311-1-cyan@cyano.uk/ [3]: https://lore.kernel.org/linux-scsi/20250922143619.824129-1-cyan@cyano.uk/ --- Xinhui Yang (2): scsi: dc395x: correctly discard the return value in certain reads scsi: dc395x: improve code formatting for the macros drivers/scsi/dc395x.c | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) --- Xinhui Yang (2): scsi: dc395x: correctly discard the return value in certain reads scsi: dc395x: improve code formatting for the macros drivers/scsi/dc395x.c | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) -- 2.51.0

1 month, 2 weeks

2
3
0 0

ASSET TRANSFER

by Eslam Mohamed

Good day, I hope this email finds you well. Mr. Kostyantyn a Ukrainian Businessman and a Philanthropist, has asked me to reach out to you because he is in difficult situation and seeking to relocate some asset sum of US$41.5M out of Ukraine to overseas for safe keeping due to the current ongoing crisis (WAR) in Ukraine. He is looking for someone to help him receive and manage this asset into any business project over a period of 5-10 years till the crisis is over. Please reply to this email with your contact number for further discussion on this urgent matter.

1 month, 2 weeks

1
0
0 0

[PATCH] comedi: fix divide-by-zero in comedi_buf_munge()

by Deepanshu Kartikey

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path. Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging. This prevents potential kernel panics from malformed user commands. Reported-by: syzbot+f6c3c066162d2c43a66c(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=f6c3c066162d2c43a66c Cc: stable(a)vger.kernel.org Signed-off-by: Deepanshu Kartikey <kartikey406(a)gmail.com> --- drivers/comedi/comedi_buf.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/comedi/comedi_buf.c b/drivers/comedi/comedi_buf.c index 002c0e76baff..786f888299ce 100644 --- a/drivers/comedi/comedi_buf.c +++ b/drivers/comedi/comedi_buf.c @@ -321,6 +321,11 @@ static unsigned int comedi_buf_munge(struct comedi_subdevice *s, async->munge_count += num_bytes; return num_bytes; } + + if (async->cmd.chanlist_len == 0) { + async->munge_count += num_bytes; + return num_bytes; + } /* don't munge partial samples */ num_bytes -= num_bytes % num_sample_bytes; -- 2.43.0

1 month, 2 weeks

2
1
0 0

[PATCH] comedi: fix divide-by-zero in comedi_buf_munge()

by Deepanshu Kartikey

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path. Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging. This prevents potential kernel panics from malformed user commands. Reported-by: syzbot+f6c3c066162d2c43a66c(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=f6c3c066162d2c43a66c Cc: stable(a)vger.kernel.org Signed-off-by: Deepanshu Kartikey <kartikey406(a)gmail.com> --- drivers/comedi/comedi_buf.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/comedi/comedi_buf.c b/drivers/comedi/comedi_buf.c index 002c0e76baff..786f888299ce 100644 --- a/drivers/comedi/comedi_buf.c +++ b/drivers/comedi/comedi_buf.c @@ -321,6 +321,11 @@ static unsigned int comedi_buf_munge(struct comedi_subdevice *s, async->munge_count += num_bytes; return num_bytes; } + + if (async->cmd.chanlist_len == 0) { + async->munge_count += num_bytes; + return num_bytes; + } /* don't munge partial samples */ num_bytes -= num_bytes % num_sample_bytes; -- 2.43.0

1 month, 2 weeks

2
1
0 0

[PATCH 1/1] nouveau: On nvc0 membar between semaphore write and interrupt

by Mel Henning

This takes the fix from 2cb66ae604 ("nouveau: Membar before between semaphore writes and the interrupt") and applies it to nvc0_fence.c. If I force my ampere system down the nvc0_fence path then I reproduce the same issues with transfer queues + The Talos Principle that were fixed by the above commit. This fixes that issue in exactly the same way for the old code path. Fixes: 60cdadace320 ("drm/nouveau/fence: use NVIDIA's headers for emit()") Signed-off-by: Mel Henning <mhenning(a)darkrefraction.com> Cc: stable(a)vger.kernel.org --- .../drm/nouveau/include/nvhw/class/cl906f.h | 23 +++++ .../drm/nouveau/include/nvhw/class/clb06f.h | 54 +++++++++++ .../drm/nouveau/include/nvhw/class/clc06f.h | 93 +++++++++++++++++++ .../gpu/drm/nouveau/include/nvif/push906f.h | 2 + drivers/gpu/drm/nouveau/nvc0_fence.c | 31 ++++++- 5 files changed, 200 insertions(+), 3 deletions(-) create mode 100644 drivers/gpu/drm/nouveau/include/nvhw/class/clb06f.h create mode 100644 drivers/gpu/drm/nouveau/include/nvhw/class/clc06f.h diff --git a/drivers/gpu/drm/nouveau/include/nvhw/class/cl906f.h b/drivers/gpu/drm/nouveau/include/nvhw/class/cl906f.h index 673d668885bb..529c785b4651 100644 --- a/drivers/gpu/drm/nouveau/include/nvhw/class/cl906f.h +++ b/drivers/gpu/drm/nouveau/include/nvhw/class/cl906f.h @@ -47,6 +47,29 @@ #define NV906F_SEMAPHORED_RELEASE_SIZE_4BYTE 0x00000001 #define NV906F_NON_STALL_INTERRUPT (0x00000020) #define NV906F_NON_STALL_INTERRUPT_HANDLE 31:0 +#define NV906F_MEM_OP_A (0x00000028) +#define NV906F_MEM_OP_A_OPERAND_LOW 31:2 +#define NV906F_MEM_OP_A_TLB_INVALIDATE_ADDR 29:2 +#define NV906F_MEM_OP_A_TLB_INVALIDATE_TARGET 31:30 +#define NV906F_MEM_OP_A_TLB_INVALIDATE_TARGET_VID_MEM 0x00000000 +#define NV906F_MEM_OP_A_TLB_INVALIDATE_TARGET_SYS_MEM_COHERENT 0x00000002 +#define NV906F_MEM_OP_A_TLB_INVALIDATE_TARGET_SYS_MEM_NONCOHERENT 0x00000003 +#define NV906F_MEM_OP_B (0x0000002c) +#define NV906F_MEM_OP_B_OPERAND_HIGH 7:0 +#define NV906F_MEM_OP_B_OPERATION 31:27 +#define NV906F_MEM_OP_B_OPERATION_SYSMEMBAR_FLUSH 0x00000005 +#define NV906F_MEM_OP_B_OPERATION_SOFT_FLUSH 0x00000006 +#define NV906F_MEM_OP_B_OPERATION_MMU_TLB_INVALIDATE 0x00000009 +#define NV906F_MEM_OP_B_OPERATION_L2_PEERMEM_INVALIDATE 0x0000000d +#define NV906F_MEM_OP_B_OPERATION_L2_SYSMEM_INVALIDATE 0x0000000e +#define NV906F_MEM_OP_B_OPERATION_L2_CLEAN_COMPTAGS 0x0000000f +#define NV906F_MEM_OP_B_OPERATION_L2_FLUSH_DIRTY 0x00000010 +#define NV906F_MEM_OP_B_MMU_TLB_INVALIDATE_PDB 0:0 +#define NV906F_MEM_OP_B_MMU_TLB_INVALIDATE_PDB_ONE 0x00000000 +#define NV906F_MEM_OP_B_MMU_TLB_INVALIDATE_PDB_ALL 0x00000001 +#define NV906F_MEM_OP_B_MMU_TLB_INVALIDATE_GPC 1:1 +#define NV906F_MEM_OP_B_MMU_TLB_INVALIDATE_GPC_ENABLE 0x00000000 +#define NV906F_MEM_OP_B_MMU_TLB_INVALIDATE_GPC_DISABLE 0x00000001 #define NV906F_SET_REFERENCE (0x00000050) #define NV906F_SET_REFERENCE_COUNT 31:0 diff --git a/drivers/gpu/drm/nouveau/include/nvhw/class/clb06f.h b/drivers/gpu/drm/nouveau/include/nvhw/class/clb06f.h new file mode 100644 index 000000000000..15edc9d8dcbe --- /dev/null +++ b/drivers/gpu/drm/nouveau/include/nvhw/class/clb06f.h @@ -0,0 +1,54 @@ +/******************************************************************************* + Copyright (c) 2020, NVIDIA CORPORATION. All rights reserved. + + Permission is hereby granted, free of charge, to any person obtaining a + copy of this software and associated documentation files (the "Software"), + to deal in the Software without restriction, including without limitation + the rights to use, copy, modify, merge, publish, distribute, sublicense, + and/or sell copies of the Software, and to permit persons to whom the + Software is furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + DEALINGS IN THE SOFTWARE. + +*******************************************************************************/ +#ifndef _clb06f_h_ +#define _clb06f_h_ + +/* fields and values */ +// NOTE - MEM_OP_A and MEM_OP_B have been removed for gm20x to make room for +// possible future MEM_OP features. MEM_OP_C/D have identical functionality +// to the previous MEM_OP_A/B methods. +#define NVB06F_MEM_OP_C (0x00000030) +#define NVB06F_MEM_OP_C_OPERAND_LOW 31:2 +#define NVB06F_MEM_OP_C_TLB_INVALIDATE_PDB 0:0 +#define NVB06F_MEM_OP_C_TLB_INVALIDATE_PDB_ONE 0x00000000 +#define NVB06F_MEM_OP_C_TLB_INVALIDATE_PDB_ALL 0x00000001 +#define NVB06F_MEM_OP_C_TLB_INVALIDATE_GPC 1:1 +#define NVB06F_MEM_OP_C_TLB_INVALIDATE_GPC_ENABLE 0x00000000 +#define NVB06F_MEM_OP_C_TLB_INVALIDATE_GPC_DISABLE 0x00000001 +#define NVB06F_MEM_OP_C_TLB_INVALIDATE_TARGET 11:10 +#define NVB06F_MEM_OP_C_TLB_INVALIDATE_TARGET_VID_MEM 0x00000000 +#define NVB06F_MEM_OP_C_TLB_INVALIDATE_TARGET_SYS_MEM_COHERENT 0x00000002 +#define NVB06F_MEM_OP_C_TLB_INVALIDATE_TARGET_SYS_MEM_NONCOHERENT 0x00000003 +#define NVB06F_MEM_OP_C_TLB_INVALIDATE_ADDR_LO 31:12 +#define NVB06F_MEM_OP_D (0x00000034) +#define NVB06F_MEM_OP_D_OPERAND_HIGH 7:0 +#define NVB06F_MEM_OP_D_OPERATION 31:27 +#define NVB06F_MEM_OP_D_OPERATION_MEMBAR 0x00000005 +#define NVB06F_MEM_OP_D_OPERATION_MMU_TLB_INVALIDATE 0x00000009 +#define NVB06F_MEM_OP_D_OPERATION_L2_PEERMEM_INVALIDATE 0x0000000d +#define NVB06F_MEM_OP_D_OPERATION_L2_SYSMEM_INVALIDATE 0x0000000e +#define NVB06F_MEM_OP_D_OPERATION_L2_CLEAN_COMPTAGS 0x0000000f +#define NVB06F_MEM_OP_D_OPERATION_L2_FLUSH_DIRTY 0x00000010 +#define NVB06F_MEM_OP_D_TLB_INVALIDATE_ADDR_HI 7:0 + +#endif /* _clb06f_h_ */ diff --git a/drivers/gpu/drm/nouveau/include/nvhw/class/clc06f.h b/drivers/gpu/drm/nouveau/include/nvhw/class/clc06f.h new file mode 100644 index 000000000000..4d0f13f79c17 --- /dev/null +++ b/drivers/gpu/drm/nouveau/include/nvhw/class/clc06f.h @@ -0,0 +1,93 @@ +/******************************************************************************* + Copyright (c) 2020, NVIDIA CORPORATION. All rights reserved. + + Permission is hereby granted, free of charge, to any person obtaining a + copy of this software and associated documentation files (the "Software"), + to deal in the Software without restriction, including without limitation + the rights to use, copy, modify, merge, publish, distribute, sublicense, + and/or sell copies of the Software, and to permit persons to whom the + Software is furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + DEALINGS IN THE SOFTWARE. + +*******************************************************************************/ +#ifndef _clc06f_h_ +#define _clc06f_h_ + +/* fields and values */ +// NOTE - MEM_OP_A and MEM_OP_B have been replaced in gp100 with methods for +// specifying the page address for a targeted TLB invalidate and the uTLB for +// a targeted REPLAY_CANCEL for UVM. +// The previous MEM_OP_A/B functionality is in MEM_OP_C/D, with slightly +// rearranged fields. +#define NVC06F_MEM_OP_A (0x00000028) +#define NVC06F_MEM_OP_A_TLB_INVALIDATE_CANCEL_TARGET_CLIENT_UNIT_ID 5:0 // only relevant for REPLAY_CANCEL_TARGETED +#define NVC06F_MEM_OP_A_TLB_INVALIDATE_CANCEL_TARGET_GPC_ID 10:6 // only relevant for REPLAY_CANCEL_TARGETED +#define NVC06F_MEM_OP_A_TLB_INVALIDATE_SYSMEMBAR 11:11 +#define NVC06F_MEM_OP_A_TLB_INVALIDATE_SYSMEMBAR_EN 0x00000001 +#define NVC06F_MEM_OP_A_TLB_INVALIDATE_SYSMEMBAR_DIS 0x00000000 +#define NVC06F_MEM_OP_A_TLB_INVALIDATE_TARGET_ADDR_LO 31:12 +#define NVC06F_MEM_OP_B (0x0000002c) +#define NVC06F_MEM_OP_B_TLB_INVALIDATE_TARGET_ADDR_HI 31:0 +#define NVC06F_MEM_OP_C (0x00000030) +#define NVC06F_MEM_OP_C_MEMBAR_TYPE 2:0 +#define NVC06F_MEM_OP_C_MEMBAR_TYPE_SYS_MEMBAR 0x00000000 +#define NVC06F_MEM_OP_C_MEMBAR_TYPE_MEMBAR 0x00000001 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PDB 0:0 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PDB_ONE 0x00000000 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PDB_ALL 0x00000001 // Probably nonsensical for MMU_TLB_INVALIDATE_TARGETED +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_GPC 1:1 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_GPC_ENABLE 0x00000000 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_GPC_DISABLE 0x00000001 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_REPLAY 4:2 // only relevant if GPC ENABLE +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_REPLAY_NONE 0x00000000 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_REPLAY_START 0x00000001 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_REPLAY_START_ACK_ALL 0x00000002 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_REPLAY_CANCEL_TARGETED 0x00000003 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_REPLAY_CANCEL_GLOBAL 0x00000004 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_ACK_TYPE 6:5 // only relevant if GPC ENABLE +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_ACK_TYPE_NONE 0x00000000 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_ACK_TYPE_GLOBALLY 0x00000001 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_ACK_TYPE_INTRANODE 0x00000002 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL 9:7 // Invalidate affects this level and all below +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL_ALL 0x00000000 // Invalidate tlb caches at all levels of the page table +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL_PTE_ONLY 0x00000001 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL_UP_TO_PDE0 0x00000002 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL_UP_TO_PDE1 0x00000003 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL_UP_TO_PDE2 0x00000004 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL_UP_TO_PDE3 0x00000005 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL_UP_TO_PDE4 0x00000006 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL_UP_TO_PDE5 0x00000007 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PDB_APERTURE 11:10 // only relevant if PDB_ONE +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PDB_APERTURE_VID_MEM 0x00000000 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PDB_APERTURE_SYS_MEM_COHERENT 0x00000002 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PDB_APERTURE_SYS_MEM_NONCOHERENT 0x00000003 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PDB_ADDR_LO 31:12 // only relevant if PDB_ONE +// MEM_OP_D MUST be preceded by MEM_OPs A-C. +#define NVC06F_MEM_OP_D (0x00000034) +#define NVC06F_MEM_OP_D_TLB_INVALIDATE_PDB_ADDR_HI 26:0 // only relevant if PDB_ONE +#define NVC06F_MEM_OP_D_OPERATION 31:27 +#define NVC06F_MEM_OP_D_OPERATION_MEMBAR 0x00000005 +#define NVC06F_MEM_OP_D_OPERATION_MMU_TLB_INVALIDATE 0x00000009 +#define NVC06F_MEM_OP_D_OPERATION_MMU_TLB_INVALIDATE_TARGETED 0x0000000a +#define NVC06F_MEM_OP_D_OPERATION_L2_PEERMEM_INVALIDATE 0x0000000d +#define NVC06F_MEM_OP_D_OPERATION_L2_SYSMEM_INVALIDATE 0x0000000e +// CLEAN_LINES is an alias for Tegra/GPU IP usage +#define NVC06F_MEM_OP_D_OPERATION_L2_INVALIDATE_CLEAN_LINES 0x0000000e +// This B alias is confusing but it was missed as part of the update. Left here +// for compatibility. +#define NVC06F_MEM_OP_B_OPERATION_L2_INVALIDATE_CLEAN_LINES 0x0000000e +#define NVC06F_MEM_OP_D_OPERATION_L2_CLEAN_COMPTAGS 0x0000000f +#define NVC06F_MEM_OP_D_OPERATION_L2_FLUSH_DIRTY 0x00000010 +#define NVC06F_MEM_OP_D_OPERATION_L2_WAIT_FOR_SYS_PENDING_READS 0x00000015 + +#endif /* _clc06f_h_ */ diff --git a/drivers/gpu/drm/nouveau/include/nvif/push906f.h b/drivers/gpu/drm/nouveau/include/nvif/push906f.h index 79df71de98d2..3d506f4dc2c9 100644 --- a/drivers/gpu/drm/nouveau/include/nvif/push906f.h +++ b/drivers/gpu/drm/nouveau/include/nvif/push906f.h @@ -7,6 +7,8 @@ #ifndef PUSH906F_SUBC // Host methods #define PUSH906F_SUBC_NV906F 0 +#define PUSH906F_SUBC_NVB06F 0 +#define PUSH906F_SUBC_NVC06F 0 #define PUSH906F_SUBC_NVC36F 0 // Twod diff --git a/drivers/gpu/drm/nouveau/nvc0_fence.c b/drivers/gpu/drm/nouveau/nvc0_fence.c index a5e98d0d4217..8b36deaaf8cf 100644 --- a/drivers/gpu/drm/nouveau/nvc0_fence.c +++ b/drivers/gpu/drm/nouveau/nvc0_fence.c @@ -27,15 +27,18 @@ #include "nv50_display.h" +#include <nvif/class.h> #include <nvif/push906f.h> #include <nvhw/class/cl906f.h> +#include <nvhw/class/clb06f.h> +#include <nvhw/class/clc06f.h> static int nvc0_fence_emit32(struct nouveau_channel *chan, u64 virtual, u32 sequence) { struct nvif_push *push = &chan->chan.push; - int ret = PUSH_WAIT(push, 6); + int ret = PUSH_WAIT(push, 12); if (ret == 0) { PUSH_MTHD(push, NV906F, SEMAPHOREA, NVVAL(NV906F, SEMAPHOREA, OFFSET_UPPER, upper_32_bits(virtual)), @@ -46,9 +49,31 @@ nvc0_fence_emit32(struct nouveau_channel *chan, u64 virtual, u32 sequence) SEMAPHORED, NVDEF(NV906F, SEMAPHORED, OPERATION, RELEASE) | NVDEF(NV906F, SEMAPHORED, RELEASE_WFI, EN) | - NVDEF(NV906F, SEMAPHORED, RELEASE_SIZE, 16BYTE), + NVDEF(NV906F, SEMAPHORED, RELEASE_SIZE, 16BYTE)); + + if (chan->user.oclass >= PASCAL_CHANNEL_GPFIFO_A) { + PUSH_MTHD(push, NVC06F, MEM_OP_A, 0, + MEM_OP_B, 0, + + MEM_OP_C, + NVDEF(NVC06F, MEM_OP_C, MEMBAR_TYPE, SYS_MEMBAR), + + MEM_OP_D, + NVDEF(NVC06F, MEM_OP_D, OPERATION, MEMBAR)); + } else if (chan->user.oclass >= MAXWELL_CHANNEL_GPFIFO_A) { + PUSH_MTHD(push, NVB06F, MEM_OP_C, 0, + + MEM_OP_D, + NVDEF(NVC06F, MEM_OP_D, OPERATION, MEMBAR)); + } else { + PUSH_MTHD(push, NV906F, MEM_OP_A, 0, + + MEM_OP_B, + NVDEF(NV906F, MEM_OP_B, OPERATION, SYSMEMBAR_FLUSH)); + } + + PUSH_MTHD(push, NV906F, NON_STALL_INTERRUPT, 0); - NON_STALL_INTERRUPT, 0); PUSH_KICK(push); } return ret; -- 2.51.0

1 month, 2 weeks

1
0
0 0

[PATCH] PCI/sysfs: Ensure devices are powered for config reads

by Brian Norris

From: Brian Norris <briannorris(a)google.com> max_link_speed, max_link_width, current_link_speed, current_link_width, secondary_bus_number, and subordinate_bus_number all access config registers, but they don't check the runtime PM state. If the device is in D3cold, we may see -EINVAL or even bogus values. Wrap these access in pci_config_pm_runtime_{get,put}() like most of the rest of the similar sysfs attributes. Fixes: 56c1af4606f0 ("PCI: Add sysfs max_link_speed/width, current_link_speed/width, etc") Cc: stable(a)vger.kernel.org Signed-off-by: Brian Norris <briannorris(a)google.com> Signed-off-by: Brian Norris <briannorris(a)chromium.org> --- drivers/pci/pci-sysfs.c | 32 +++++++++++++++++++++++++++++--- 1 file changed, 29 insertions(+), 3 deletions(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c index 5eea14c1f7f5..160df897dc5e 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -191,9 +191,16 @@ static ssize_t max_link_speed_show(struct device *dev, struct device_attribute *attr, char *buf) { struct pci_dev *pdev = to_pci_dev(dev); + ssize_t ret; + + pci_config_pm_runtime_get(pdev); - return sysfs_emit(buf, "%s\n", - pci_speed_string(pcie_get_speed_cap(pdev))); + ret = sysfs_emit(buf, "%s\n", + pci_speed_string(pcie_get_speed_cap(pdev))); + + pci_config_pm_runtime_put(pdev); + + return ret; } static DEVICE_ATTR_RO(max_link_speed); @@ -201,8 +208,15 @@ static ssize_t max_link_width_show(struct device *dev, struct device_attribute *attr, char *buf) { struct pci_dev *pdev = to_pci_dev(dev); + ssize_t ret; + + pci_config_pm_runtime_get(pdev); + + ret = sysfs_emit(buf, "%u\n", pcie_get_width_cap(pdev)); - return sysfs_emit(buf, "%u\n", pcie_get_width_cap(pdev)); + pci_config_pm_runtime_put(pdev); + + return ret; } static DEVICE_ATTR_RO(max_link_width); @@ -214,7 +228,10 @@ static ssize_t current_link_speed_show(struct device *dev, int err; enum pci_bus_speed speed; + pci_config_pm_runtime_get(pci_dev); err = pcie_capability_read_word(pci_dev, PCI_EXP_LNKSTA, &linkstat); + pci_config_pm_runtime_put(pci_dev); + if (err) return -EINVAL; @@ -231,7 +248,10 @@ static ssize_t current_link_width_show(struct device *dev, u16 linkstat; int err; + pci_config_pm_runtime_get(pci_dev); err = pcie_capability_read_word(pci_dev, PCI_EXP_LNKSTA, &linkstat); + pci_config_pm_runtime_put(pci_dev); + if (err) return -EINVAL; @@ -247,7 +267,10 @@ static ssize_t secondary_bus_number_show(struct device *dev, u8 sec_bus; int err; + pci_config_pm_runtime_get(pci_dev); err = pci_read_config_byte(pci_dev, PCI_SECONDARY_BUS, &sec_bus); + pci_config_pm_runtime_put(pci_dev); + if (err) return -EINVAL; @@ -263,7 +286,10 @@ static ssize_t subordinate_bus_number_show(struct device *dev, u8 sub_bus; int err; + pci_config_pm_runtime_get(pci_dev); err = pci_read_config_byte(pci_dev, PCI_SUBORDINATE_BUS, &sub_bus); + pci_config_pm_runtime_put(pci_dev); + if (err) return -EINVAL; -- 2.51.0.rc1.193.gad69d77794-goog

1 month, 2 weeks

4
10
0 0

[PATCH 6.1] softirq: Add trace points for tasklet entry/exit

by Sumanth Gavini

commit f4bf3ca2e5cba655824b6e0893a98dfb33ed24e5 upstream. Tasklets are supposed to finish their work quickly and should not block the current running process, but it is not guaranteed that they do so. Currently softirq_entry/exit can be used to analyse the total tasklets execution time, but that's not helpful to track individual tasklets execution time. That makes it hard to identify tasklet functions, which take more time than expected. Add tasklet_entry/exit trace point support to track individual tasklet execution. Trivial usage example: # echo 1 > /sys/kernel/debug/tracing/events/irq/tasklet_entry/enable # echo 1 > /sys/kernel/debug/tracing/events/irq/tasklet_exit/enable # cat /sys/kernel/debug/tracing/trace # tracer: nop # # entries-in-buffer/entries-written: 4/4 #P:4 # # _-----=> irqs-off/BH-disabled # / _----=> need-resched # | / _---=> hardirq/softirq # || / _--=> preempt-depth # ||| / _-=> migrate-disable # |||| / delay # TASK-PID CPU# ||||| TIMESTAMP FUNCTION # | | | ||||| | | <idle>-0 [003] ..s1. 314.011428: tasklet_entry: tasklet=0xffffa01ef8db2740 function=tcp_tasklet_func <idle>-0 [003] ..s1. 314.011432: tasklet_exit: tasklet=0xffffa01ef8db2740 function=tcp_tasklet_func <idle>-0 [003] ..s1. 314.017369: tasklet_entry: tasklet=0xffffa01ef8db2740 function=tcp_tasklet_func <idle>-0 [003] ..s1. 314.017371: tasklet_exit: tasklet=0xffffa01ef8db2740 function=tcp_tasklet_func Signed-off-by: Lingutla Chandrasekhar <clingutla(a)codeaurora.org> Signed-off-by: J. Avila <elavila(a)google.com> Signed-off-by: John Stultz <jstultz(a)google.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Reviewed-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> Link: https://lore.kernel.org/r/20230407230526.1685443-1-jstultz@google.com [elavila: Port to android-mainline] [jstultz: Rebased to upstream, cut unused trace points, added comments for the tracepoints, reworded commit] Signed-off-by: Sumanth Gavini <sumanth.gavini(a)yahoo.com> --- include/trace/events/irq.h | 47 ++++++++++++++++++++++++++++++++++++++ kernel/softirq.c | 9 ++++++-- 2 files changed, 54 insertions(+), 2 deletions(-) diff --git a/include/trace/events/irq.h b/include/trace/events/irq.h index eeceafaaea4c..a07b4607b663 100644 --- a/include/trace/events/irq.h +++ b/include/trace/events/irq.h @@ -160,6 +160,53 @@ DEFINE_EVENT(softirq, softirq_raise, TP_ARGS(vec_nr) ); +DECLARE_EVENT_CLASS(tasklet, + + TP_PROTO(struct tasklet_struct *t, void *func), + + TP_ARGS(t, func), + + TP_STRUCT__entry( + __field( void *, tasklet) + __field( void *, func) + ), + + TP_fast_assign( + __entry->tasklet = t; + __entry->func = func; + ), + + TP_printk("tasklet=%ps function=%ps", __entry->tasklet, __entry->func) +); + +/** + * tasklet_entry - called immediately before the tasklet is run + * @t: tasklet pointer + * @func: tasklet callback or function being run + * + * Used to find individual tasklet execution time + */ +DEFINE_EVENT(tasklet, tasklet_entry, + + TP_PROTO(struct tasklet_struct *t, void *func), + + TP_ARGS(t, func) +); + +/** + * tasklet_exit - called immediately after the tasklet is run + * @t: tasklet pointer + * @func: tasklet callback or function being run + * + * Used to find individual tasklet execution time + */ +DEFINE_EVENT(tasklet, tasklet_exit, + + TP_PROTO(struct tasklet_struct *t, void *func), + + TP_ARGS(t, func) +); + #endif /* _TRACE_IRQ_H */ /* This part must be outside protection */ diff --git a/kernel/softirq.c b/kernel/softirq.c index 9ab5ca399a99..fadc6bbda27b 100644 --- a/kernel/softirq.c +++ b/kernel/softirq.c @@ -822,10 +822,15 @@ static void tasklet_action_common(struct softirq_action *a, if (tasklet_trylock(t)) { if (!atomic_read(&t->count)) { if (tasklet_clear_sched(t)) { - if (t->use_callback) + if (t->use_callback) { + trace_tasklet_entry(t, t->callback); t->callback(t); - else + trace_tasklet_exit(t, t->callback); + } else { + trace_tasklet_entry(t, t->func); t->func(t->data); + trace_tasklet_exit(t, t->func); + } } tasklet_unlock(t); continue; -- 2.43.0

1 month, 2 weeks

4
8
0 0

+ mm-ksm-fix-incorrect-ksm-counter-handling-in-mm_struct-during-fork.patch added to mm-unstable branch

by Andrew Morton

The patch titled Subject: mm/ksm: fix incorrect KSM counter handling in mm_struct during fork has been added to the -mm mm-unstable branch. Its filename is mm-ksm-fix-incorrect-ksm-counter-handling-in-mm_struct-during-fork.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Donet Tom <donettom(a)linux.ibm.com> Subject: mm/ksm: fix incorrect KSM counter handling in mm_struct during fork Date: Wed, 24 Sep 2025 00:16:59 +0530 Patch series "mm/ksm: Fix incorrect accounting of KSM counters during fork", v3. The first patch in this series fixes the incorrect accounting of KSM counters such as ksm_merging_pages, ksm_rmap_items, and the global ksm_zero_pages during fork. The following patch add a selftest to verify the ksm_merging_pages counter was updated correctly during fork. Test Results ============ Without the first patch ----------------------- # [RUN] test_fork_ksm_merging_page_count not ok 10 ksm_merging_page in child: 32 With the first patch -------------------- # [RUN] test_fork_ksm_merging_page_count ok 10 ksm_merging_pages is not inherited after fork This patch (of 2): Currently, the KSM-related counters in `mm_struct`, such as `ksm_merging_pages`, `ksm_rmap_items`, and `ksm_zero_pages`, are inherited by the child process during fork. This results in inconsistent accounting. When a process uses KSM, identical pages are merged and an rmap item is created for each merged page. The `ksm_merging_pages` and `ksm_rmap_items` counters are updated accordingly. However, after a fork, these counters are copied to the child while the corresponding rmap items are not. As a result, when the child later triggers an unmerge, there are no rmap items present in the child, so the counters remain stale, leading to incorrect accounting. A similar issue exists with `ksm_zero_pages`, which maintains both a global counter and a per-process counter. During fork, the per-process counter is inherited by the child, but the global counter is not incremented. Since the child also references zero pages, the global counter should be updated as well. Otherwise, during zero-page unmerge, both the global and per-process counters are decremented, causing the global counter to become inconsistent. To fix this, ksm_merging_pages and ksm_rmap_items are reset to 0 during fork, and the global ksm_zero_pages counter is updated with the per-process ksm_zero_pages value inherited by the child. This ensures that KSM statistics remain accurate and reflect the activity of each process correctly. Link: https://lkml.kernel.org/r/cover.1758648700.git.donettom@linux.ibm.com Link: https://lkml.kernel.org/r/7b9870eb67ccc0d79593940d9dbd4a0b39b5d396.17586487… Fixes: 7609385337a4 ("ksm: count ksm merging pages for each process") Fixes: cb4df4cae4f2 ("ksm: count allocated ksm rmap_items for each process") Fixes: e2942062e01d ("ksm: count all zero pages placed by KSM") Signed-off-by: Donet Tom <donettom(a)linux.ibm.com> Reviewed-by: Chengming Zhou <chengming.zhou(a)linux.dev> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Aboorva Devarajan <aboorvad(a)linux.ibm.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Donet Tom <donettom(a)linux.ibm.com> Cc: "Ritesh Harjani (IBM)" <ritesh.list(a)gmail.com> Cc: Wei Yang <richard.weiyang(a)gmail.com> Cc: xu xin <xu.xin16(a)zte.com.cn> Cc: <stable(a)vger.kernel.org> [6.6+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/ksm.h | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/include/linux/ksm.h~mm-ksm-fix-incorrect-ksm-counter-handling-in-mm_struct-during-fork +++ a/include/linux/ksm.h @@ -56,8 +56,14 @@ static inline long mm_ksm_zero_pages(str static inline void ksm_fork(struct mm_struct *mm, struct mm_struct *oldmm) { /* Adding mm to ksm is best effort on fork. */ - if (mm_flags_test(MMF_VM_MERGEABLE, oldmm)) + if (mm_flags_test(MMF_VM_MERGEABLE, oldmm)) { + long nr_ksm_zero_pages = atomic_long_read(&mm->ksm_zero_pages); + + mm->ksm_merging_pages = 0; + mm->ksm_rmap_items = 0; + atomic_long_add(nr_ksm_zero_pages, &ksm_zero_pages); __ksm_enter(mm); + } } static inline int ksm_execve(struct mm_struct *mm) _ Patches currently in -mm which might be from donettom(a)linux.ibm.com are drivers-base-node-fix-double-free-in-register_one_node.patch mm-ksm-fix-incorrect-ksm-counter-handling-in-mm_struct-during-fork.patch selftests-mm-added-fork-inheritance-test-for-ksm_merging_pages-counter.patch

1 month, 2 weeks

1
0
0 0

[PATCH v2] nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()

by Guangshuo Li

devm_kcalloc() may fail. ndtest_probe() allocates three DMA address arrays (dcr_dma, label_dma, dimm_dma) and later unconditionally uses them in ndtest_nvdimm_init(), which can lead to a NULL pointer dereference under low-memory conditions. Check all three allocations and return -ENOMEM if any allocation fails. Do not emit an extra error message since the allocator already warns on allocation failure. Fixes: 9399ab61ad82 ("ndtest: Add dimms to the two buses") Cc: stable(a)vger.kernel.org Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- Changes in v2: - Drop pr_err() on allocation failure; only NULL-check and return -ENOMEM. - No other changes. --- tools/testing/nvdimm/test/ndtest.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tools/testing/nvdimm/test/ndtest.c b/tools/testing/nvdimm/test/ndtest.c index 68a064ce598c..abdbe0c1cb63 100644 --- a/tools/testing/nvdimm/test/ndtest.c +++ b/tools/testing/nvdimm/test/ndtest.c @@ -855,6 +855,9 @@ static int ndtest_probe(struct platform_device *pdev) p->dimm_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR, sizeof(dma_addr_t), GFP_KERNEL); + if (!p->dcr_dma || !p->label_dma || !p->dimm_dma) + return -ENOMEM; + rc = ndtest_nvdimm_init(p); if (rc) goto err; -- 2.43.0

1 month, 2 weeks

3
2
0 0

[PATCH v3 1/2] mm/ksm: Fix incorrect KSM counter handling in mm_struct during fork

by Donet Tom

Currently, the KSM-related counters in `mm_struct`, such as `ksm_merging_pages`, `ksm_rmap_items`, and `ksm_zero_pages`, are inherited by the child process during fork. This results in inconsistent accounting. When a process uses KSM, identical pages are merged and an rmap item is created for each merged page. The `ksm_merging_pages` and `ksm_rmap_items` counters are updated accordingly. However, after a fork, these counters are copied to the child while the corresponding rmap items are not. As a result, when the child later triggers an unmerge, there are no rmap items present in the child, so the counters remain stale, leading to incorrect accounting. A similar issue exists with `ksm_zero_pages`, which maintains both a global counter and a per-process counter. During fork, the per-process counter is inherited by the child, but the global counter is not incremented. Since the child also references zero pages, the global counter should be updated as well. Otherwise, during zero-page unmerge, both the global and per-process counters are decremented, causing the global counter to become inconsistent. To fix this, ksm_merging_pages and ksm_rmap_items are reset to 0 during fork, and the global ksm_zero_pages counter is updated with the per-process ksm_zero_pages value inherited by the child. This ensures that KSM statistics remain accurate and reflect the activity of each process correctly. Fixes: 7609385337a4 ("ksm: count ksm merging pages for each process") Fixes: cb4df4cae4f2 ("ksm: count allocated ksm rmap_items for each process") Fixes: e2942062e01d ("ksm: count all zero pages placed by KSM") cc: stable(a)vger.kernel.org # v6.6 Reviewed-by: Chengming Zhou <chengming.zhou(a)linux.dev> Acked-by: David Hildenbrand <david(a)redhat.com> Signed-off-by: Donet Tom <donettom(a)linux.ibm.com> --- include/linux/ksm.h | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/include/linux/ksm.h b/include/linux/ksm.h index 22e67ca7cba3..067538fc4d58 100644 --- a/include/linux/ksm.h +++ b/include/linux/ksm.h @@ -56,8 +56,14 @@ static inline long mm_ksm_zero_pages(struct mm_struct *mm) static inline void ksm_fork(struct mm_struct *mm, struct mm_struct *oldmm) { /* Adding mm to ksm is best effort on fork. */ - if (mm_flags_test(MMF_VM_MERGEABLE, oldmm)) + if (mm_flags_test(MMF_VM_MERGEABLE, oldmm)) { + long nr_ksm_zero_pages = atomic_long_read(&mm->ksm_zero_pages); + + mm->ksm_merging_pages = 0; + mm->ksm_rmap_items = 0; + atomic_long_add(nr_ksm_zero_pages, &ksm_zero_pages); __ksm_enter(mm); + } } static inline int ksm_execve(struct mm_struct *mm) -- 2.51.0

1 month, 2 weeks

1
0
0 0

[PATCH] remoteproc: Fix potential null pointer dereference in pru_rproc_set_ctable()

by Zhen Ni

pru_rproc_set_ctable() accessed rproc->priv before the IS_ERR_OR_NULL check, which could lead to a null pointer dereference. Move the pru assignment, ensuring we never dereference a NULL rproc pointer. Fixes: 102853400321 ("remoteproc: pru: Add pru_rproc_set_ctable() function") Cc: stable(a)vger.kernel.org Signed-off-by: Zhen Ni <zhen.ni(a)easystack.cn> --- drivers/remoteproc/pru_rproc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/remoteproc/pru_rproc.c b/drivers/remoteproc/pru_rproc.c index 842e4b6cc5f9..5e3eb7b86a0e 100644 --- a/drivers/remoteproc/pru_rproc.c +++ b/drivers/remoteproc/pru_rproc.c @@ -340,7 +340,7 @@ EXPORT_SYMBOL_GPL(pru_rproc_put); */ int pru_rproc_set_ctable(struct rproc *rproc, enum pru_ctable_idx c, u32 addr) { - struct pru_rproc *pru = rproc->priv; + struct pru_rproc *pru; unsigned int reg; u32 mask, set; u16 idx; @@ -352,6 +352,7 @@ int pru_rproc_set_ctable(struct rproc *rproc, enum pru_ctable_idx c, u32 addr) if (!rproc->dev.parent || !is_pru_rproc(rproc->dev.parent)) return -ENODEV; + pru = rproc->priv; /* pointer is 16 bit and index is 8-bit so mask out the rest */ idx_mask = (c >= PRU_C28) ? 0xFFFF : 0xFF; -- 2.20.1

1 month, 2 weeks

3
5
0 0

[v2 PATCH] arm64: kprobes: call set_memory_rox() for kprobe page

by Yang Shi

The kprobe page is allocated by execmem allocator with ROX permission. It needs to call set_memory_rox() to set proper permission for the direct map too. It was missed. Fixes: 10d5e97c1bf8 ("arm64: use PAGE_KERNEL_ROX directly in alloc_insn_page") Cc: <stable(a)vger.kernel.org> Signed-off-by: Yang Shi <yang(a)os.amperecomputing.com> Reviewed-by: Catalin Marinas <catalin.marinas(a)arm.com> --- v2: Separated the patch from BBML2 series since it is an orthogonal bug fix per Ryan. Fixed the variable name nit per Catalin. Collected R-bs from Catalin. arch/arm64/kernel/probes/kprobes.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/arch/arm64/kernel/probes/kprobes.c b/arch/arm64/kernel/probes/kprobes.c index 0c5d408afd95..8ab6104a4883 100644 --- a/arch/arm64/kernel/probes/kprobes.c +++ b/arch/arm64/kernel/probes/kprobes.c @@ -10,6 +10,7 @@ #define pr_fmt(fmt) "kprobes: " fmt +#include <linux/execmem.h> #include <linux/extable.h> #include <linux/kasan.h> #include <linux/kernel.h> @@ -41,6 +42,17 @@ DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk); static void __kprobes post_kprobe_handler(struct kprobe *, struct kprobe_ctlblk *, struct pt_regs *); +void *alloc_insn_page(void) +{ + void *addr; + + addr = execmem_alloc(EXECMEM_KPROBES, PAGE_SIZE); + if (!addr) + return NULL; + set_memory_rox((unsigned long)addr, 1); + return addr; +} + static void __kprobes arch_prepare_ss_slot(struct kprobe *p) { kprobe_opcode_t *addr = p->ainsn.xol_insn; -- 2.47.0

1 month, 2 weeks

4
5
0 0

[PATCH v2] ACPI: battery: prevent sysfs_add_battery re-entry on rapid events

by GuangFei Luo

v2: - Fix missing mutex_unlock in acpi_battery_update() (Reported-by: kernel test robot) When removing and reinserting the laptop battery, ACPI can trigger two notifications in quick succession: - ACPI_BATTERY_NOTIFY_STATUS (0x80) - ACPI_BATTERY_NOTIFY_INFO (0x81) Both notifications call acpi_battery_update(). Because the events happen very close in time, sysfs_add_battery() can be re-entered before battery->bat is set, causing a duplicate sysfs entry error. This patch ensures that sysfs_add_battery() is not re-entered when battery->bat is already non-NULL, preventing the duplicate sysfs creation and stabilizing battery hotplug handling. [ 476.117945] sysfs: cannot create duplicate filename '/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0A:00/power_supply/BAT1' [ 476.118896] CPU: 1 UID: 0 PID: 185 Comm: kworker/1:4 Kdump: loaded Not tainted 6.12.38+deb13-amd64 #1 Debian 6.12.38-1 [ 476.118903] Hardware name: Gateway NV44 /SJV40-MV , BIOS V1.3121 04/08/2009 [ 476.118906] Workqueue: kacpi_notify acpi_os_execute_deferred [ 476.118917] Call Trace: [ 476.118922] <TASK> [ 476.118929] dump_stack_lvl+0x5d/0x80 [ 476.118938] sysfs_warn_dup.cold+0x17/0x23 [ 476.118943] sysfs_create_dir_ns+0xce/0xe0 [ 476.118952] kobject_add_internal+0xba/0x250 [ 476.118959] kobject_add+0x96/0xc0 [ 476.118964] ? get_device_parent+0xde/0x1e0 [ 476.118970] device_add+0xe2/0x870 [ 476.118975] __power_supply_register.part.0+0x20f/0x3f0 [ 476.118981] ? wake_up_q+0x4e/0x90 [ 476.118990] sysfs_add_battery+0xa4/0x1d0 [battery] [ 476.118998] acpi_battery_update+0x19e/0x290 [battery] [ 476.119002] acpi_battery_notify+0x50/0x120 [battery] [ 476.119006] acpi_ev_notify_dispatch+0x49/0x70 [ 476.119012] acpi_os_execute_deferred+0x1a/0x30 [ 476.119015] process_one_work+0x177/0x330 [ 476.119022] worker_thread+0x251/0x390 [ 476.119026] ? __pfx_worker_thread+0x10/0x10 [ 476.119030] kthread+0xd2/0x100 [ 476.119033] ? __pfx_kthread+0x10/0x10 [ 476.119035] ret_from_fork+0x34/0x50 [ 476.119040] ? __pfx_kthread+0x10/0x10 [ 476.119042] ret_from_fork_asm+0x1a/0x30 [ 476.119049] </TASK> [ 476.142552] kobject: kobject_add_internal failed for BAT1 with -EEXIST, don't try to register things with the same name in the same directory. [ 476.415022] ata1.00: unexpected _GTF length (8) [ 476.428076] sd 0:0:0:0: [sda] Starting disk [ 476.835035] ata1.00: unexpected _GTF length (8) [ 476.839720] ata1.00: configured for UDMA/133 [ 491.328831] sysfs: cannot create duplicate filename '/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0A:00/power_supply/BAT1' [ 491.329720] CPU: 1 UID: 0 PID: 185 Comm: kworker/1:4 Kdump: loaded Not tainted 6.12.38+deb13-amd64 #1 Debian 6.12.38-1 [ 491.329727] Hardware name: Gateway NV44 /SJV40-MV , BIOS V1.3121 04/08/2009 [ 491.329731] Workqueue: kacpi_notify acpi_os_execute_deferred [ 491.329741] Call Trace: [ 491.329745] <TASK> [ 491.329751] dump_stack_lvl+0x5d/0x80 [ 491.329758] sysfs_warn_dup.cold+0x17/0x23 [ 491.329762] sysfs_create_dir_ns+0xce/0xe0 [ 491.329770] kobject_add_internal+0xba/0x250 [ 491.329775] kobject_add+0x96/0xc0 [ 491.329779] ? get_device_parent+0xde/0x1e0 [ 491.329784] device_add+0xe2/0x870 [ 491.329790] __power_supply_register.part.0+0x20f/0x3f0 [ 491.329797] sysfs_add_battery+0xa4/0x1d0 [battery] [ 491.329805] acpi_battery_update+0x19e/0x290 [battery] [ 491.329809] acpi_battery_notify+0x50/0x120 [battery] [ 491.329812] acpi_ev_notify_dispatch+0x49/0x70 [ 491.329817] acpi_os_execute_deferred+0x1a/0x30 [ 491.329820] process_one_work+0x177/0x330 [ 491.329826] worker_thread+0x251/0x390 [ 491.329830] ? __pfx_worker_thread+0x10/0x10 [ 491.329833] kthread+0xd2/0x100 [ 491.329836] ? __pfx_kthread+0x10/0x10 [ 491.329838] ret_from_fork+0x34/0x50 [ 491.329842] ? __pfx_kthread+0x10/0x10 [ 491.329844] ret_from_fork_asm+0x1a/0x30 [ 491.329850] </TASK> [ 491.329855] kobject: kobject_add_internal failed for BAT1 with -EEXIST, don't try to register things with the same name in the same directory. Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/r/202509101620.yI0HZ5gT-lkp@intel.com/ Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Closes: https://lore.kernel.org/r/202509101620.yI0HZ5gT-lkp@intel.com/ Fixes: 508df92d1f8d ("ACPI: battery: register power_supply subdevice only when battery is present") Signed-off-by: GuangFei Luo <luogf2025(a)163.com> Cc: stable(a)vger.kernel.org --- drivers/acpi/battery.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c index 6905b56bf3e4..649185f7a3b1 100644 --- a/drivers/acpi/battery.c +++ b/drivers/acpi/battery.c @@ -1026,11 +1026,15 @@ static int acpi_battery_update(struct acpi_battery *battery, bool resume) return result; acpi_battery_quirks(battery); + mutex_lock(&battery->sysfs_lock); if (!battery->bat) { result = sysfs_add_battery(battery); - if (result) + if (result) { + mutex_unlock(&battery->sysfs_lock); return result; + } } + mutex_unlock(&battery->sysfs_lock); /* * Wakeup the system if battery is critical low -- 2.43.0

1 month, 2 weeks

3
14
0 0

[PATCH 5/5] drm/mediatek: ovl_adaptor: fix probe device leaks

by Johan Hovold

Make sure to drop the references taken to the component devices by of_find_device_by_node() during probe on probe failure (e.g. probe deferral) and on driver unbind. Fixes: 453c3364632a ("drm/mediatek: Add ovl_adaptor support for MT8195") Cc: stable(a)vger.kernel.org # 6.4 Cc: Nancy.Lin <nancy.lin(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/gpu/drm/mediatek/mtk_disp_ovl_adaptor.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/gpu/drm/mediatek/mtk_disp_ovl_adaptor.c b/drivers/gpu/drm/mediatek/mtk_disp_ovl_adaptor.c index fe97bb97e004..c0af3e3b51d5 100644 --- a/drivers/gpu/drm/mediatek/mtk_disp_ovl_adaptor.c +++ b/drivers/gpu/drm/mediatek/mtk_disp_ovl_adaptor.c @@ -527,6 +527,13 @@ bool mtk_ovl_adaptor_is_comp_present(struct device_node *node) type == OVL_ADAPTOR_TYPE_PADDING; } +static void ovl_adaptor_put_device(void *_dev) +{ + struct device *dev = _dev; + + put_device(dev); +} + static int ovl_adaptor_comp_init(struct device *dev, struct component_match **match) { struct mtk_disp_ovl_adaptor *priv = dev_get_drvdata(dev); @@ -560,6 +567,11 @@ static int ovl_adaptor_comp_init(struct device *dev, struct component_match **ma if (!comp_pdev) return -EPROBE_DEFER; + ret = devm_add_action_or_reset(dev, ovl_adaptor_put_device, + &comp_pdev->dev); + if (ret) + return ret; + priv->ovl_adaptor_comp[id] = &comp_pdev->dev; drm_of_component_match_add(dev, match, component_compare_of, node); -- 2.49.1

1 month, 2 weeks

1
0
0 0

[PATCH 4/5] drm/mediatek: mtk_hdmi: fix probe device leaks

by Johan Hovold

Make sure to drop the references to the DDC adapter and CEC device taken during probe on probe failure (e.g. probe deferral) and on driver unbind. Fixes: 8f83f26891e1 ("drm/mediatek: Add HDMI support") Cc: stable(a)vger.kernel.org # 4.8 Cc: Jie Qiu <jie.qiu(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/gpu/drm/mediatek/mtk_hdmi.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/drivers/gpu/drm/mediatek/mtk_hdmi.c b/drivers/gpu/drm/mediatek/mtk_hdmi.c index b766dd5e6c8d..306e2c907311 100644 --- a/drivers/gpu/drm/mediatek/mtk_hdmi.c +++ b/drivers/gpu/drm/mediatek/mtk_hdmi.c @@ -1345,6 +1345,13 @@ static const struct drm_bridge_funcs mtk_hdmi_bridge_funcs = { .edid_read = mtk_hdmi_bridge_edid_read, }; +static void mtk_hdmi_put_device(void *_dev) +{ + struct device *dev = _dev; + + put_device(dev); +} + static int mtk_hdmi_get_cec_dev(struct mtk_hdmi *hdmi, struct device *dev, struct device_node *np) { struct platform_device *cec_pdev; @@ -1369,6 +1376,10 @@ static int mtk_hdmi_get_cec_dev(struct mtk_hdmi *hdmi, struct device *dev, struc } of_node_put(cec_np); + ret = devm_add_action_or_reset(dev, mtk_hdmi_put_device, &cec_pdev->dev); + if (ret) + return ret; + /* * The mediatek,syscon-hdmi property contains a phandle link to the * MMSYS_CONFIG device and the register offset of the HDMI_SYS_CFG @@ -1423,6 +1434,10 @@ static int mtk_hdmi_dt_parse_pdata(struct mtk_hdmi *hdmi, if (!hdmi->ddc_adpt) return dev_err_probe(dev, -EINVAL, "Failed to get ddc i2c adapter by node\n"); + ret = devm_add_action_or_reset(dev, mtk_hdmi_put_device, &hdmi->ddc_adpt->dev); + if (ret) + return ret; + ret = mtk_hdmi_get_cec_dev(hdmi, dev, np); if (ret) return ret; -- 2.49.1

1 month, 2 weeks

1
0
0 0

[PATCH 3/5] drm/mediatek: fix probe device leaks

by Johan Hovold

Make sure to drop the reference taken to each component device during probe on probe failure (e.g. probe deferral) and on driver unbind. Fixes: 6ea6f8276725 ("drm/mediatek: Use correct device pointer to get CMDQ client register") Cc: stable(a)vger.kernel.org # 5.12 Cc: Chun-Kuang Hu <chunkuang.hu(a)kernel.org> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/gpu/drm/mediatek/mtk_ddp_comp.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/drivers/gpu/drm/mediatek/mtk_ddp_comp.c b/drivers/gpu/drm/mediatek/mtk_ddp_comp.c index 31d67a131c50..9672ea1f91a2 100644 --- a/drivers/gpu/drm/mediatek/mtk_ddp_comp.c +++ b/drivers/gpu/drm/mediatek/mtk_ddp_comp.c @@ -621,6 +621,13 @@ int mtk_find_possible_crtcs(struct drm_device *drm, struct device *dev) return ret; } +static void mtk_ddp_comp_put_device(void *_dev) +{ + struct device *dev = _dev; + + put_device(dev); +} + static void mtk_ddp_comp_clk_put(void *_clk) { struct clk *clk = _clk; @@ -656,6 +663,10 @@ int mtk_ddp_comp_init(struct device *dev, struct device_node *node, struct mtk_d } comp->dev = &comp_pdev->dev; + ret = devm_add_action_or_reset(dev, mtk_ddp_comp_put_device, comp->dev); + if (ret) + return ret; + if (type == MTK_DISP_AAL || type == MTK_DISP_BLS || type == MTK_DISP_CCORR || -- 2.49.1

1 month, 2 weeks

1
0
0 0

[PATCH 2/5] drm/mediatek: fix probe memory leak

by Johan Hovold

The Mediatek DRM driver allocates private data for components without a platform driver but as the lifetime is tied to each component device, the memory is never freed. Tie the allocation lifetime to the DRM platform device so that the memory is released on probe failure (e.g. probe deferral) and when the driver is unbound. Fixes: c0d36de868a6 ("drm/mediatek: Move clk info from struct mtk_ddp_comp to sub driver private data") Cc: stable(a)vger.kernel.org # 5.12 Cc: CK Hu <ck.hu(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/gpu/drm/mediatek/mtk_ddp_comp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/mediatek/mtk_ddp_comp.c b/drivers/gpu/drm/mediatek/mtk_ddp_comp.c index 0264017806ad..31d67a131c50 100644 --- a/drivers/gpu/drm/mediatek/mtk_ddp_comp.c +++ b/drivers/gpu/drm/mediatek/mtk_ddp_comp.c @@ -671,7 +671,7 @@ int mtk_ddp_comp_init(struct device *dev, struct device_node *node, struct mtk_d type == MTK_DSI) return 0; - priv = devm_kzalloc(comp->dev, sizeof(*priv), GFP_KERNEL); + priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL); if (!priv) return -ENOMEM; -- 2.49.1

1 month, 2 weeks

1
0
0 0

[PATCH 1/5] drm/mediatek: fix probe resource leaks

by Johan Hovold

Make sure to unmap and release the component iomap and clock on probe failure (e.g. probe deferral) and on driver unbind. Note that unlike of_iomap(), devm_of_iomap() also checks whether the region is already mapped. Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.") Cc: stable(a)vger.kernel.org # 4.7 Cc: CK Hu <ck.hu(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/gpu/drm/mediatek/mtk_ddp_comp.c | 20 ++++++++++++++++---- drivers/gpu/drm/mediatek/mtk_ddp_comp.h | 2 +- drivers/gpu/drm/mediatek/mtk_drm_drv.c | 4 ++-- 3 files changed, 19 insertions(+), 7 deletions(-) diff --git a/drivers/gpu/drm/mediatek/mtk_ddp_comp.c b/drivers/gpu/drm/mediatek/mtk_ddp_comp.c index ac6620e10262..0264017806ad 100644 --- a/drivers/gpu/drm/mediatek/mtk_ddp_comp.c +++ b/drivers/gpu/drm/mediatek/mtk_ddp_comp.c @@ -621,15 +621,20 @@ int mtk_find_possible_crtcs(struct drm_device *drm, struct device *dev) return ret; } -int mtk_ddp_comp_init(struct device_node *node, struct mtk_ddp_comp *comp, +static void mtk_ddp_comp_clk_put(void *_clk) +{ + struct clk *clk = _clk; + + clk_put(clk); +} + +int mtk_ddp_comp_init(struct device *dev, struct device_node *node, struct mtk_ddp_comp *comp, unsigned int comp_id) { struct platform_device *comp_pdev; enum mtk_ddp_comp_type type; struct mtk_ddp_comp_dev *priv; -#if IS_REACHABLE(CONFIG_MTK_CMDQ) int ret; -#endif if (comp_id >= DDP_COMPONENT_DRM_ID_MAX) return -EINVAL; @@ -670,11 +675,18 @@ int mtk_ddp_comp_init(struct device_node *node, struct mtk_ddp_comp *comp, if (!priv) return -ENOMEM; - priv->regs = of_iomap(node, 0); + priv->regs = devm_of_iomap(dev, node, 0, NULL); + if (IS_ERR(priv->regs)) + return PTR_ERR(priv->regs); + priv->clk = of_clk_get(node, 0); if (IS_ERR(priv->clk)) return PTR_ERR(priv->clk); + ret = devm_add_action_or_reset(dev, mtk_ddp_comp_clk_put, priv->clk); + if (ret) + return ret; + #if IS_REACHABLE(CONFIG_MTK_CMDQ) ret = cmdq_dev_get_client_reg(comp->dev, &priv->cmdq_reg, 0); if (ret) diff --git a/drivers/gpu/drm/mediatek/mtk_ddp_comp.h b/drivers/gpu/drm/mediatek/mtk_ddp_comp.h index 7289b3dcf22f..3f3d43f4330d 100644 --- a/drivers/gpu/drm/mediatek/mtk_ddp_comp.h +++ b/drivers/gpu/drm/mediatek/mtk_ddp_comp.h @@ -350,7 +350,7 @@ static inline void mtk_ddp_comp_encoder_index_set(struct mtk_ddp_comp *comp) int mtk_ddp_comp_get_id(struct device_node *node, enum mtk_ddp_comp_type comp_type); int mtk_find_possible_crtcs(struct drm_device *drm, struct device *dev); -int mtk_ddp_comp_init(struct device_node *comp_node, struct mtk_ddp_comp *comp, +int mtk_ddp_comp_init(struct device *dev, struct device_node *comp_node, struct mtk_ddp_comp *comp, unsigned int comp_id); enum mtk_ddp_comp_type mtk_ddp_comp_get_type(unsigned int comp_id); void mtk_ddp_write(struct cmdq_pkt *cmdq_pkt, unsigned int value, diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c index eb5537f0ac90..384b0510272c 100644 --- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c +++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c @@ -1133,7 +1133,7 @@ static int mtk_drm_probe(struct platform_device *pdev) (void *)private->mmsys_dev, sizeof(*private->mmsys_dev)); private->ddp_comp[DDP_COMPONENT_DRM_OVL_ADAPTOR].dev = &ovl_adaptor->dev; - mtk_ddp_comp_init(NULL, &private->ddp_comp[DDP_COMPONENT_DRM_OVL_ADAPTOR], + mtk_ddp_comp_init(dev, NULL, &private->ddp_comp[DDP_COMPONENT_DRM_OVL_ADAPTOR], DDP_COMPONENT_DRM_OVL_ADAPTOR); component_match_add(dev, &match, compare_dev, &ovl_adaptor->dev); } @@ -1199,7 +1199,7 @@ static int mtk_drm_probe(struct platform_device *pdev) node); } - ret = mtk_ddp_comp_init(node, &private->ddp_comp[comp_id], comp_id); + ret = mtk_ddp_comp_init(dev, node, &private->ddp_comp[comp_id], comp_id); if (ret) { of_node_put(node); goto err_node; -- 2.49.1

1 month, 2 weeks

1
0
0 0

[PATCH] fbcon: fix buffer overflow in fbcon_set_font

by Simon Richter

Commit 1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe introduced overflow checking for the font allocation size calculation, but in doing so moved the addition of the size for font housekeeping data out of the kmalloc call. As a result, the calculated size now includes those extra bytes, which marks the same number of bytes beyond the allocation as valid font data. The crc32() call and the later memcmp() in fbcon_set_font() already perform an out-of-bounds read, the latter is flagged on ppc64el: memcmp: detected buffer overflow: 4112 byte read of buffer size 4096 when loading Lat15-Fixed16.psf.gz. Since the addition of the extra size should only go into the kmalloc() call, calculate this size in a separate variable. Signed-off-by: Simon Richter <Simon.Richter(a)hogyros.de> Fixes: 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font") Cc: stable <stable(a)vger.kernel.org> #v5.9+ --- drivers/video/fbdev/core/fbcon.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index 5fade44931b8..a3fbf42c57d9 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -2518,7 +2518,7 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font, unsigned charcount = font->charcount; int w = font->width; int h = font->height; - int size; + int size, allocsize; int i, csum; u8 *new_data, *data = font->data; int pitch = PITCH(font->width); @@ -2551,10 +2551,10 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font, return -EINVAL; /* Check for overflow in allocation size calculation */ - if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size)) + if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &allocsize)) return -EINVAL; - new_data = kmalloc(size, GFP_USER); + new_data = kmalloc(allocsize, GFP_USER); if (!new_data) return -ENOMEM; -- 2.47.3

1 month, 2 weeks

2
1
0 0

[PATCH v2] irqchip/sifive-plic: avoid interrupt ID 0 handling during suspend/resume

by Lucas Zampieri

According to the PLIC specification[1], global interrupt sources are assigned small unsigned integer identifiers beginning at the value 1. An interrupt ID of 0 is reserved to mean "no interrupt". The current plic_irq_resume() and plic_irq_suspend() functions incorrectly start the loop from index 0, which accesses the register space for the reserved interrupt ID 0. Change the loop to start from index 1, skipping the reserved interrupt ID 0 as per the PLIC specification. This prevents potential undefined behavior when accessing the reserved register space during suspend/resume cycles. Link: https://github.com/riscv/riscv-plic-spec/releases/tag/1.0.0 Fixes: e80f0b6a2cf3 ("irqchip/irq-sifive-plic: Add syscore callbacks for hibernation") Co-developed-by: Jia Wang <wangjia(a)ultrarisc.com> Signed-off-by: Jia Wang <wangjia(a)ultrarisc.com> Co-developed-by: Charles Mirabile <cmirabil(a)redhat.com> Signed-off-by: Charles Mirabile <cmirabil(a)redhat.com> Signed-off-by: Lucas Zampieri <lzampier(a)redhat.com> --- drivers/irqchip/irq-sifive-plic.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/irqchip/irq-sifive-plic.c b/drivers/irqchip/irq-sifive-plic.c index bf69a4802b71e..9c4af7d588463 100644 --- a/drivers/irqchip/irq-sifive-plic.c +++ b/drivers/irqchip/irq-sifive-plic.c @@ -252,7 +252,8 @@ static int plic_irq_suspend(void) priv = per_cpu_ptr(&plic_handlers, smp_processor_id())->priv; - for (i = 0; i < priv->nr_irqs; i++) { + /* irq ID 0 is reserved */ + for (i = 1; i < priv->nr_irqs; i++) { __assign_bit(i, priv->prio_save, readl(priv->regs + PRIORITY_BASE + i * PRIORITY_PER_ID)); } @@ -283,7 +284,8 @@ static void plic_irq_resume(void) priv = per_cpu_ptr(&plic_handlers, smp_processor_id())->priv; - for (i = 0; i < priv->nr_irqs; i++) { + /* irq ID 0 is reserved */ + for (i = 1; i < priv->nr_irqs; i++) { index = BIT_WORD(i); writel((priv->prio_save[index] & BIT_MASK(i)) ? 1 : 0, priv->regs + PRIORITY_BASE + i * PRIORITY_PER_ID); -- 2.51.0

1 month, 2 weeks

2
1
0 0

[PATCH] tpm: Use -EPERM as fallback error code in tpm_ret_to_err

by Jarkko Sakkinen

From: Jarkko Sakkinen <jarkko.sakkinen(a)opinsys.com> Using -EFAULT here was not the best idea for tpm_ret_to_err as the fallback error code as it is no concise with trusted keys. Change the fallback as -EPERM, process TPM_RC_HASH also in tpm_ret_to_err, and by these changes make the helper applicable for trusted keys. Cc: stable(a)vger.kernel.org # v6.15+ Fixes: 539fbab37881 ("tpm: Mask TPM RC in tpm2_start_auth_session()") Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen(a)opinsys.com> --- include/linux/tpm.h | 9 +++++--- security/keys/trusted-keys/trusted_tpm2.c | 26 ++++++----------------- 2 files changed, 13 insertions(+), 22 deletions(-) diff --git a/include/linux/tpm.h b/include/linux/tpm.h index dc0338a783f3..667d290789ca 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -449,13 +449,16 @@ static inline ssize_t tpm_ret_to_err(ssize_t ret) if (ret < 0) return ret; - switch (tpm2_rc_value(ret)) { - case TPM2_RC_SUCCESS: + if (!ret) return 0; + + switch (tpm2_rc_value(ret)) { case TPM2_RC_SESSION_MEMORY: return -ENOMEM; + case TPM2_RC_HASH: + return -EINVAL; default: - return -EFAULT; + return -EPERM; } } diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c index 024be262702f..e165b117bbca 100644 --- a/security/keys/trusted-keys/trusted_tpm2.c +++ b/security/keys/trusted-keys/trusted_tpm2.c @@ -348,25 +348,19 @@ int tpm2_seal_trusted(struct tpm_chip *chip, } blob_len = tpm2_key_encode(payload, options, &buf.data[offset], blob_len); + if (blob_len < 0) + rc = blob_len; out: tpm_buf_destroy(&sized); tpm_buf_destroy(&buf); - if (rc > 0) { - if (tpm2_rc_value(rc) == TPM2_RC_HASH) - rc = -EINVAL; - else - rc = -EPERM; - } - if (blob_len < 0) - rc = blob_len; - else + if (!rc) payload->blob_len = blob_len; out_put: tpm_put_ops(chip); - return rc; + return tpm_ret_to_err(rc); } /** @@ -468,10 +462,7 @@ static int tpm2_load_cmd(struct tpm_chip *chip, kfree(blob); tpm_buf_destroy(&buf); - if (rc > 0) - rc = -EPERM; - - return rc; + return tpm_ret_to_err(rc); } /** @@ -534,8 +525,6 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip, tpm_buf_fill_hmac_session(chip, &buf); rc = tpm_transmit_cmd(chip, &buf, 6, "unsealing"); rc = tpm_buf_check_hmac_response(chip, &buf, rc); - if (rc > 0) - rc = -EPERM; if (!rc) { data_len = be16_to_cpup( @@ -568,7 +557,7 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip, out: tpm_buf_destroy(&buf); - return rc; + return tpm_ret_to_err(rc); } /** @@ -600,6 +589,5 @@ int tpm2_unseal_trusted(struct tpm_chip *chip, out: tpm_put_ops(chip); - - return rc; + return tpm_ret_to_err(rc); } -- 2.39.5

1 month, 2 weeks

2
2
0 0

[PATCH v3] powerpc/smp: Add check for kcalloc() failure in parse_thread_groups()

by Guangshuo Li

As kcalloc() may fail, check its return value to avoid a NULL pointer dereference when passing it to of_property_read_u32_array(). Fixes: 790a1662d3a26 ("powerpc/smp: Parse ibm,thread-groups with multiple properties") Cc: stable(a)vger.kernel.org Reviewed-by: Christophe Leroy <christophe.leroy(a)csgroup.eu> Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- changelog: v3: - Move Signed-off-by above the '---' separator. - No code changes. changelog: v2: - Return -ENOMEM directly on allocation failure. --- arch/powerpc/kernel/smp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c index 5ac7084eebc0..cfccb9389760 100644 --- a/arch/powerpc/kernel/smp.c +++ b/arch/powerpc/kernel/smp.c @@ -822,6 +822,8 @@ static int parse_thread_groups(struct device_node *dn, count = of_property_count_u32_elems(dn, "ibm,thread-groups"); thread_group_array = kcalloc(count, sizeof(u32), GFP_KERNEL); + if (!thread_group_array) + return -ENOMEM; ret = of_property_read_u32_array(dn, "ibm,thread-groups", thread_group_array, count); if (ret) -- 2.43.0

1 month, 2 weeks

1
0
0 0

[PATCH v3 0/2] dc395x: fix compiler warnings and improve formatting of the macros

by Xinhui Yang

This series of patches clears the compiler warnings for the dc395x driver. The first patch introduces a new macro that casts the value returned by a read operation to void, since some values returned by some specific read operations (which just simply clears the FIFO buffer or resets the interrupt status) can be ignored. Creating a new macro that casts the return value to void to fix the warning. During the fix, checkpatch.pl complained about missing whitespace between macro arguments and missing parentheses around complex expressions. To align with the changes in the first patch, the formatting of macros above and below the introduced macro are also fixed. Since in Patch v2 [1] Bart pointed out that such change can't be made to the stable tree, the patch is splitted to two parts. --- Changes since v2 [1]: - Split the patch into two parts, the first one fixes the warning, and the second one improves the formatting of the surrounding macros. - Make the description of the formatting changes more clear. Changes since v1 [2]: - Add Cc: tag to include this patch to the stable tree. - Add additional description about the formatting changes. [1]: https://lore.kernel.org/linux-scsi/20250922152609.827311-1-cyan@cyano.uk/ [2]: https://lore.kernel.org/linux-scsi/20250922143619.824129-1-cyan@cyano.uk/ --- Xinhui Yang (2): scsi: dc395x: correctly discard the return value in certain reads scsi: dc395x: improve code formatting for the macros drivers/scsi/dc395x.c | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) -- 2.51.0

1 month, 2 weeks

3
5
0 0

[PATCH v4] ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()

by Ma Ke

wcd934x_codec_parse_data() contains a device reference count leak in of_slim_get_device() where device_find_child() increases the reference count of the device but this reference is not properly decreased in the success path. Add put_device() in wcd934x_codec_parse_data() and add devm_add_action_or_reset() in the probe function, which ensures that the reference count of the device is correctly managed. Memory leak in regmap_init_slimbus() as the allocated regmap is not released when the device is removed. Using devm_regmap_init_slimbus() instead of regmap_init_slimbus() to ensure automatic regmap cleanup on device removal. Calling path: of_slim_get_device() -> of_find_slim_device() -> device_find_child(). As comment of device_find_child() says, 'NOTE: you will need to drop the reference with put_device() after use.'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: a61f3b4f476e ("ASoC: wcd934x: add support to wcd9340/wcd9341 codec") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v4: - removed the redundant NULL check as put_device() can handle the NULL dev; Changes in v3: - added a wrapper function due to the warning report from kernel test robot; Changes in v2: - modified the handling in the success path and fixed the memory leak for regmap as suggestions. --- sound/soc/codecs/wcd934x.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/sound/soc/codecs/wcd934x.c b/sound/soc/codecs/wcd934x.c index 1bb7e1dc7e6b..e92939068bf7 100644 --- a/sound/soc/codecs/wcd934x.c +++ b/sound/soc/codecs/wcd934x.c @@ -5831,6 +5831,13 @@ static const struct snd_soc_component_driver wcd934x_component_drv = { .endianness = 1, }; +static void wcd934x_put_device_action(void *data) +{ + struct device *dev = data; + + put_device(dev); +} + static int wcd934x_codec_parse_data(struct wcd934x_codec *wcd) { struct device *dev = &wcd->sdev->dev; @@ -5847,11 +5854,13 @@ static int wcd934x_codec_parse_data(struct wcd934x_codec *wcd) return dev_err_probe(dev, -EINVAL, "Unable to get SLIM Interface device\n"); slim_get_logical_addr(wcd->sidev); - wcd->if_regmap = regmap_init_slimbus(wcd->sidev, + wcd->if_regmap = devm_regmap_init_slimbus(wcd->sidev, &wcd934x_ifc_regmap_config); - if (IS_ERR(wcd->if_regmap)) + if (IS_ERR(wcd->if_regmap)) { + put_device(&wcd->sidev->dev); return dev_err_probe(dev, PTR_ERR(wcd->if_regmap), "Failed to allocate ifc register map\n"); + } of_property_read_u32(dev->parent->of_node, "qcom,dmic-sample-rate", &wcd->dmic_sample_rate); @@ -5893,6 +5902,10 @@ static int wcd934x_codec_probe(struct platform_device *pdev) if (ret) return ret; + ret = devm_add_action_or_reset(dev, wcd934x_put_device_action, &wcd->sidev->dev); + if (ret) + return ret; + /* set default rate 9P6MHz */ regmap_update_bits(wcd->regmap, WCD934X_CODEC_RPM_CLK_MCLK_CFG, WCD934X_CODEC_RPM_CLK_MCLK_CFG_MCLK_MASK, -- 2.17.1

1 month, 2 weeks

3
2
0 0

[PATCH 0/2] media: verisilicon: Fix Hantro G2 handling of invalid DPB index

by Nicolas Dufresne

First patch hardens the IRQ handler so the driver can resume after hitting bus errors (presumably AXI errors). This will reduce the risk of having to reboot the system in order to recover. The second patch actually fix the issue, ensuring the decoder won't be instructed to use address 0x0 as a reference anymore. The issues was discovered using GStreamer. A bug in the userspace lead to skippable (RASL) frames not being skipped if its past reference are missing. This will happen when seeking inside a video that makes use of this GOP configuration. The probably could also have been hit in lossy streaming use cases, such as WebRTC. The JCT-VC-HEVC_V1 ITU tests still results in 141/147 with two concurrent decoders. Signed-off-by: Nicolas Dufresne <nicolas.dufresne(a)collabora.com> --- Nicolas Dufresne (2): media: verisilicon: Fix CPU stalls on G2 bus error media: verisilicon: Protect G2 HEVC decoder against invalid DPB index drivers/media/platform/verisilicon/hantro_g2.c | 88 +++++++++++++++++----- .../platform/verisilicon/hantro_g2_hevc_dec.c | 17 ++++- .../media/platform/verisilicon/hantro_g2_regs.h | 13 ++++ .../media/platform/verisilicon/hantro_g2_vp9_dec.c | 2 - drivers/media/platform/verisilicon/hantro_hw.h | 1 + drivers/media/platform/verisilicon/imx8m_vpu_hw.c | 2 + 6 files changed, 98 insertions(+), 25 deletions(-) --- base-commit: 40b7a19f321e65789612ebaca966472055dab48c change-id: 20250919-imx8mq-hantro-g2-hang-cb04dcd07a84 Best regards, -- Nicolas Dufresne <nicolas.dufresne(a)collabora.com>

1 month, 2 weeks

2
4
0 0

[PATCH v3] ASoC: mediatek: mt8365: Add check for devm_kcalloc() in mt8365_afe_suspend()

by Guangshuo Li

devm_kcalloc() may fail. mt8365_afe_suspend() uses afe->reg_back_up unconditionally after allocation and writes afe->reg_back_up[i], which can lead to a NULL pointer dereference under low-memory conditions. Add a NULL check and bail out with -ENOMEM, making sure to disable the main clock before returning to keep clock state balanced. Fixes: e1991d102bc2 ("ASoC: mediatek: mt8365: Add the AFE driver support") Cc: stable(a)vger.kernel.org Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- changelog: v3: - Move the Signed-off-by line above the '---' separator. - Restore the original spacing/indentation in the devm_kcalloc() continuation line. - No functional changes. v2: - Return -ENOMEM directly on allocation failure without goto/label. - Disable the main clock before returning to keep clock state balanced. --- sound/soc/mediatek/mt8365/mt8365-afe-pcm.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c b/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c index 10793bbe9275..570fb10c306d 100644 --- a/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c +++ b/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c @@ -1975,11 +1975,15 @@ static int mt8365_afe_suspend(struct device *dev) mt8365_afe_enable_main_clk(afe); - if (!afe->reg_back_up) + if (!afe->reg_back_up) { afe->reg_back_up = devm_kcalloc(dev, afe->reg_back_up_list_num, sizeof(unsigned int), GFP_KERNEL); - + if (!afe->reg_back_up) { + mt8365_afe_disable_main_clk(afe); + return -ENOMEM; + } + } for (i = 0; i < afe->reg_back_up_list_num; i++) regmap_read(regmap, afe->reg_back_up_list[i], &afe->reg_back_up[i]); -- 2.43.0

1 month, 2 weeks

1
0
0 0

patch "iio: imu: inv_icm42600: Avoid configuring if already pm_runtime" added to char-misc-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: imu: inv_icm42600: Avoid configuring if already pm_runtime to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. From 466f7a2fef2a4e426f809f79845a1ec1aeb558f4 Mon Sep 17 00:00:00 2001 From: Sean Nyekjaer <sean(a)geanix.com> Date: Mon, 1 Sep 2025 09:49:15 +0200 Subject: iio: imu: inv_icm42600: Avoid configuring if already pm_runtime suspended Do as in suspend, skip resume configuration steps if the device is already pm_runtime suspended. This avoids reconfiguring a device that is already in the correct low-power state and ensures that pm_runtime handles the power state transitions properly. Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver") Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> Link: https://patch.msgid.link/20250901-icm42pmreg-v3-3-ef1336246960@geanix.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c index 41b275ecc7e2..ee780f530dc8 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c @@ -837,17 +837,15 @@ static int inv_icm42600_suspend(struct device *dev) struct device *accel_dev; bool wakeup; int accel_conf; - int ret; + int ret = 0; mutex_lock(&st->lock); st->suspended.gyro = st->conf.gyro.mode; st->suspended.accel = st->conf.accel.mode; st->suspended.temp = st->conf.temp_en; - if (pm_runtime_suspended(dev)) { - ret = 0; + if (pm_runtime_suspended(dev)) goto out_unlock; - } /* disable FIFO data streaming */ if (st->fifo.on) { @@ -900,10 +898,13 @@ static int inv_icm42600_resume(struct device *dev) struct inv_icm42600_sensor_state *accel_st = iio_priv(st->indio_accel); struct device *accel_dev; bool wakeup; - int ret; + int ret = 0; mutex_lock(&st->lock); + if (pm_runtime_suspended(dev)) + goto out_unlock; + /* check wakeup capability */ accel_dev = &st->indio_accel->dev; wakeup = st->apex.on && device_may_wakeup(accel_dev); -- 2.51.0

1 month, 2 weeks

1
0
0 0

patch "iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in" added to char-misc-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. From a95a0b4e471a6d8860f40c6ac8f1cad9dde3189a Mon Sep 17 00:00:00 2001 From: Sean Nyekjaer <sean(a)geanix.com> Date: Mon, 1 Sep 2025 09:49:14 +0200 Subject: iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in resume Remove unnecessary calls to pm_runtime_disable(), pm_runtime_set_active(), and pm_runtime_enable() from the resume path. These operations are not required here and can interfere with proper pm_runtime state handling, especially when resuming from a pm_runtime suspended state. Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver") Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> Link: https://patch.msgid.link/20250901-icm42pmreg-v3-2-ef1336246960@geanix.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c index 76d8e4f14d87..41b275ecc7e2 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c @@ -917,10 +917,6 @@ static int inv_icm42600_resume(struct device *dev) goto out_unlock; } - pm_runtime_disable(dev); - pm_runtime_set_active(dev); - pm_runtime_enable(dev); - /* restore sensors state */ ret = inv_icm42600_set_pwr_mgmt0(st, st->suspended.gyro, st->suspended.accel, -- 2.51.0

1 month, 2 weeks

1
0
0 0

patch "iio: imu: inv_icm42600: Simplify pm_runtime setup" added to char-misc-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: imu: inv_icm42600: Simplify pm_runtime setup to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. From 0792c1984a45ccd7a296d6b8cb78088bc99a212e Mon Sep 17 00:00:00 2001 From: Sean Nyekjaer <sean(a)geanix.com> Date: Mon, 1 Sep 2025 09:49:13 +0200 Subject: iio: imu: inv_icm42600: Simplify pm_runtime setup Rework the power management in inv_icm42600_core_probe() to use devm_pm_runtime_set_active_enabled(), which simplifies the runtime PM setup by handling activation and enabling in one step. Remove the separate inv_icm42600_disable_pm callback, as it's no longer needed with the devm-managed approach. Using devm_pm_runtime_enable() also fixes the missing disable of autosuspend. Update inv_icm42600_disable_vddio_reg() to only disable the regulator if the device is not suspended i.e. powered-down, preventing unbalanced disables. Also remove redundant error msg on regulator_disable(), the regulator framework already emits an error message when regulator_disable() fails. This simplifies the PM setup and avoids manipulating the usage counter unnecessarily. Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver") Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> Link: https://patch.msgid.link/20250901-icm42pmreg-v3-1-ef1336246960@geanix.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- .../iio/imu/inv_icm42600/inv_icm42600_core.c | 24 ++++++------------- 1 file changed, 7 insertions(+), 17 deletions(-) diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c index a4d42e7e2180..76d8e4f14d87 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c @@ -711,20 +711,12 @@ static void inv_icm42600_disable_vdd_reg(void *_data) static void inv_icm42600_disable_vddio_reg(void *_data) { struct inv_icm42600_state *st = _data; - const struct device *dev = regmap_get_device(st->map); - int ret; + struct device *dev = regmap_get_device(st->map); - ret = regulator_disable(st->vddio_supply); - if (ret) - dev_err(dev, "failed to disable vddio error %d\n", ret); -} + if (pm_runtime_status_suspended(dev)) + return; -static void inv_icm42600_disable_pm(void *_data) -{ - struct device *dev = _data; - - pm_runtime_put_sync(dev); - pm_runtime_disable(dev); + regulator_disable(st->vddio_supply); } int inv_icm42600_core_probe(struct regmap *regmap, int chip, @@ -824,16 +816,14 @@ int inv_icm42600_core_probe(struct regmap *regmap, int chip, return ret; /* setup runtime power management */ - ret = pm_runtime_set_active(dev); + ret = devm_pm_runtime_set_active_enabled(dev); if (ret) return ret; - pm_runtime_get_noresume(dev); - pm_runtime_enable(dev); + pm_runtime_set_autosuspend_delay(dev, INV_ICM42600_SUSPEND_DELAY_MS); pm_runtime_use_autosuspend(dev); - pm_runtime_put(dev); - return devm_add_action_or_reset(dev, inv_icm42600_disable_pm, dev); + return ret; } EXPORT_SYMBOL_NS_GPL(inv_icm42600_core_probe, "IIO_ICM42600"); -- 2.51.0

1 month, 2 weeks

1
0
0 0

patch "iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in" added to char-misc-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the char-misc-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. From a95a0b4e471a6d8860f40c6ac8f1cad9dde3189a Mon Sep 17 00:00:00 2001 From: Sean Nyekjaer <sean(a)geanix.com> Date: Mon, 1 Sep 2025 09:49:14 +0200 Subject: iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in resume Remove unnecessary calls to pm_runtime_disable(), pm_runtime_set_active(), and pm_runtime_enable() from the resume path. These operations are not required here and can interfere with proper pm_runtime state handling, especially when resuming from a pm_runtime suspended state. Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver") Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> Link: https://patch.msgid.link/20250901-icm42pmreg-v3-2-ef1336246960@geanix.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c index 76d8e4f14d87..41b275ecc7e2 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c @@ -917,10 +917,6 @@ static int inv_icm42600_resume(struct device *dev) goto out_unlock; } - pm_runtime_disable(dev); - pm_runtime_set_active(dev); - pm_runtime_enable(dev); - /* restore sensors state */ ret = inv_icm42600_set_pwr_mgmt0(st, st->suspended.gyro, st->suspended.accel, -- 2.51.0

1 month, 2 weeks

1
0
0 0

patch "iio: imu: inv_icm42600: Avoid configuring if already pm_runtime" added to char-misc-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: imu: inv_icm42600: Avoid configuring if already pm_runtime to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the char-misc-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. From 466f7a2fef2a4e426f809f79845a1ec1aeb558f4 Mon Sep 17 00:00:00 2001 From: Sean Nyekjaer <sean(a)geanix.com> Date: Mon, 1 Sep 2025 09:49:15 +0200 Subject: iio: imu: inv_icm42600: Avoid configuring if already pm_runtime suspended Do as in suspend, skip resume configuration steps if the device is already pm_runtime suspended. This avoids reconfiguring a device that is already in the correct low-power state and ensures that pm_runtime handles the power state transitions properly. Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver") Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> Link: https://patch.msgid.link/20250901-icm42pmreg-v3-3-ef1336246960@geanix.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c index 41b275ecc7e2..ee780f530dc8 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c @@ -837,17 +837,15 @@ static int inv_icm42600_suspend(struct device *dev) struct device *accel_dev; bool wakeup; int accel_conf; - int ret; + int ret = 0; mutex_lock(&st->lock); st->suspended.gyro = st->conf.gyro.mode; st->suspended.accel = st->conf.accel.mode; st->suspended.temp = st->conf.temp_en; - if (pm_runtime_suspended(dev)) { - ret = 0; + if (pm_runtime_suspended(dev)) goto out_unlock; - } /* disable FIFO data streaming */ if (st->fifo.on) { @@ -900,10 +898,13 @@ static int inv_icm42600_resume(struct device *dev) struct inv_icm42600_sensor_state *accel_st = iio_priv(st->indio_accel); struct device *accel_dev; bool wakeup; - int ret; + int ret = 0; mutex_lock(&st->lock); + if (pm_runtime_suspended(dev)) + goto out_unlock; + /* check wakeup capability */ accel_dev = &st->indio_accel->dev; wakeup = st->apex.on && device_may_wakeup(accel_dev); -- 2.51.0

1 month, 2 weeks

1
0
0 0

patch "iio: imu: inv_icm42600: Simplify pm_runtime setup" added to char-misc-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: imu: inv_icm42600: Simplify pm_runtime setup to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the char-misc-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. From 0792c1984a45ccd7a296d6b8cb78088bc99a212e Mon Sep 17 00:00:00 2001 From: Sean Nyekjaer <sean(a)geanix.com> Date: Mon, 1 Sep 2025 09:49:13 +0200 Subject: iio: imu: inv_icm42600: Simplify pm_runtime setup Rework the power management in inv_icm42600_core_probe() to use devm_pm_runtime_set_active_enabled(), which simplifies the runtime PM setup by handling activation and enabling in one step. Remove the separate inv_icm42600_disable_pm callback, as it's no longer needed with the devm-managed approach. Using devm_pm_runtime_enable() also fixes the missing disable of autosuspend. Update inv_icm42600_disable_vddio_reg() to only disable the regulator if the device is not suspended i.e. powered-down, preventing unbalanced disables. Also remove redundant error msg on regulator_disable(), the regulator framework already emits an error message when regulator_disable() fails. This simplifies the PM setup and avoids manipulating the usage counter unnecessarily. Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver") Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> Link: https://patch.msgid.link/20250901-icm42pmreg-v3-1-ef1336246960@geanix.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- .../iio/imu/inv_icm42600/inv_icm42600_core.c | 24 ++++++------------- 1 file changed, 7 insertions(+), 17 deletions(-) diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c index a4d42e7e2180..76d8e4f14d87 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c @@ -711,20 +711,12 @@ static void inv_icm42600_disable_vdd_reg(void *_data) static void inv_icm42600_disable_vddio_reg(void *_data) { struct inv_icm42600_state *st = _data; - const struct device *dev = regmap_get_device(st->map); - int ret; + struct device *dev = regmap_get_device(st->map); - ret = regulator_disable(st->vddio_supply); - if (ret) - dev_err(dev, "failed to disable vddio error %d\n", ret); -} + if (pm_runtime_status_suspended(dev)) + return; -static void inv_icm42600_disable_pm(void *_data) -{ - struct device *dev = _data; - - pm_runtime_put_sync(dev); - pm_runtime_disable(dev); + regulator_disable(st->vddio_supply); } int inv_icm42600_core_probe(struct regmap *regmap, int chip, @@ -824,16 +816,14 @@ int inv_icm42600_core_probe(struct regmap *regmap, int chip, return ret; /* setup runtime power management */ - ret = pm_runtime_set_active(dev); + ret = devm_pm_runtime_set_active_enabled(dev); if (ret) return ret; - pm_runtime_get_noresume(dev); - pm_runtime_enable(dev); + pm_runtime_set_autosuspend_delay(dev, INV_ICM42600_SUSPEND_DELAY_MS); pm_runtime_use_autosuspend(dev); - pm_runtime_put(dev); - return devm_add_action_or_reset(dev, inv_icm42600_disable_pm, dev); + return ret; } EXPORT_SYMBOL_NS_GPL(inv_icm42600_core_probe, "IIO_ICM42600"); -- 2.51.0

1 month, 2 weeks

1
0
0 0

[PATCHSET RFC v5 1/8] fuse: general bug fixes

by Darrick J. Wong

Hi all, Here's a collection of fixes that I *think* are bugs in fuse, along with some scattered improvements. If you're going to start using this code, I strongly recommend pulling from my git trees, which are linked below. This has been running on the djcloud for months with no problems. Enjoy! Comments and questions are, as always, welcome. --D kernel git tree: https://git.kernel.org/cgit/linux/kernel/git/djwong/xfs-linux.git/log/?h=fu… --- Commits in this patchset: * fuse: fix livelock in synchronous file put from fuseblk workers * fuse: flush pending fuse events before aborting the connection * fuse: capture the unique id of fuse commands being sent * fuse: signal that a fuse filesystem should exhibit local fs behaviors * fuse: implement file attributes mask for statx * fuse: update file mode when updating acls * fuse: propagate default and file acls on creation * fuse: enable FUSE_SYNCFS for all fuseblk servers --- fs/fuse/fuse_i.h | 55 +++++++++++++++++++++++++++ fs/fuse/acl.c | 105 +++++++++++++++++++++++++++++++++++++++++++++++++++ fs/fuse/dev.c | 60 +++++++++++++++++++++++++++-- fs/fuse/dev_uring.c | 4 +- fs/fuse/dir.c | 96 +++++++++++++++++++++++++++++++++++------------ fs/fuse/file.c | 8 +++- fs/fuse/inode.c | 17 ++++++++ fs/fuse/virtio_fs.c | 3 - 8 files changed, 314 insertions(+), 34 deletions(-)

1 month, 2 weeks

2
2
0 0

[PATCH v2] crypto: caam: Add check for kcalloc() in test_len()

by Guangshuo Li

As kcalloc() may fail, check its return value to avoid a NULL pointer dereference when passing the buffer to rng->read(). Fixes: 2be0d806e25e ("crypto: caam - add a test for the RNG") Cc: stable(a)vger.kernel.org --- changelog: v2: - Return -ENOMEM directly on allocation failure. Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- drivers/crypto/caam/caamrng.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/crypto/caam/caamrng.c b/drivers/crypto/caam/caamrng.c index b3d14a7f4dd1..357860ee532c 100644 --- a/drivers/crypto/caam/caamrng.c +++ b/drivers/crypto/caam/caamrng.c @@ -182,6 +182,9 @@ static inline void test_len(struct hwrng *rng, size_t len, bool wait) buf = kcalloc(CAAM_RNG_MAX_FIFO_STORE_SIZE, sizeof(u8), GFP_KERNEL); + if (!buf) { + return -ENOMEM; + } while (len > 0) { read_len = rng->read(rng, buf, len, wait); -- 2.43.0

1 month, 2 weeks

2
2
0 0

[PATCH] crypto: zero initialize memory allocated via sock_kmalloc

by Shivani Agarwal

Several crypto user API contexts and requests allocated with sock_kmalloc() were left uninitialized, relying on callers to set fields explicitly. This resulted in the use of uninitialized data in certain error paths or when new fields are added in the future. The ACVP patches also contain two user-space interface files: algif_kpp.c and algif_akcipher.c. These too rely on proper initialization of their context structures. A particular issue has been observed with the newly added 'inflight' variable introduced in af_alg_ctx by commit: 67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests") Because the context is not memset to zero after allocation, the inflight variable has contained garbage values. As a result, af_alg_alloc_areq() has incorrectly returned -EBUSY randomly when the garbage value was interpreted as true: https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209 The check directly tests ctx->inflight without explicitly comparing against true/false. Since inflight is only ever set to true or false later, an uninitialized value has triggered -EBUSY failures. Zero-initializing memory allocated with sock_kmalloc() ensures inflight and other fields start in a known state, removing random issues caused by uninitialized data. Fixes: fe869cdb89c9 ("crypto: algif_hash - User-space interface for hash operations") Fixes: 5afdfd22e6ba ("crypto: algif_rng - add random number generator support") Fixes: 2d97591ef43d ("crypto: af_alg - consolidation of duplicate code") Fixes: 99bd99d3e3a7 ("crypto: algif_skcipher - Fix stream cipher chaining") Fixes: 67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests") Cc: stable(a)vger.kernel.org Signed-off-by: Shivani Agarwal <shivani.agarwal(a)broadcom.com> --- crypto/af_alg.c | 5 ++--- crypto/algif_hash.c | 3 +-- crypto/algif_rng.c | 3 +-- crypto/algif_skcipher.c | 1 + 4 files changed, 5 insertions(+), 7 deletions(-) diff --git a/crypto/af_alg.c b/crypto/af_alg.c index ca6fdcc6c54a..6c271e55f44d 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -1212,15 +1212,14 @@ struct af_alg_async_req *af_alg_alloc_areq(struct sock *sk, if (unlikely(!areq)) return ERR_PTR(-ENOMEM); + memset(areq, 0, areqlen); + ctx->inflight = true; areq->areqlen = areqlen; areq->sk = sk; areq->first_rsgl.sgl.sgt.sgl = areq->first_rsgl.sgl.sgl; - areq->last_rsgl = NULL; INIT_LIST_HEAD(&areq->rsgl_list); - areq->tsgl = NULL; - areq->tsgl_entries = 0; return areq; } diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c index e3f1a4852737..4d3dfc60a16a 100644 --- a/crypto/algif_hash.c +++ b/crypto/algif_hash.c @@ -416,9 +416,8 @@ static int hash_accept_parent_nokey(void *private, struct sock *sk) if (!ctx) return -ENOMEM; - ctx->result = NULL; + memset(ctx, 0, len); ctx->len = len; - ctx->more = false; crypto_init_wait(&ctx->wait); ask->private = ctx; diff --git a/crypto/algif_rng.c b/crypto/algif_rng.c index 10c41adac3b1..1a86e40c8372 100644 --- a/crypto/algif_rng.c +++ b/crypto/algif_rng.c @@ -248,9 +248,8 @@ static int rng_accept_parent(void *private, struct sock *sk) if (!ctx) return -ENOMEM; + memset(ctx, 0, len); ctx->len = len; - ctx->addtl = NULL; - ctx->addtl_len = 0; /* * No seeding done at that point -- if multiple accepts are diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c index 125d395c5e00..f4ce5473324f 100644 --- a/crypto/algif_skcipher.c +++ b/crypto/algif_skcipher.c @@ -70,6 +70,7 @@ static int algif_skcipher_export(struct sock *sk, struct skcipher_request *req) if (!ctx->state) return -ENOMEM; + memset(ctx->state, 0, statesize); err = crypto_skcipher_export(req, ctx->state); if (err) { sock_kzfree_s(sk, ctx->state, statesize); -- 2.40.4

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] mm: folio_may_be_lru_cached() unless folio_test_large()" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 2da6de30e60dd9bb14600eff1cc99df2fa2ddae3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092142-easiness-blatancy-23af@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2da6de30e60dd9bb14600eff1cc99df2fa2ddae3 Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Mon, 8 Sep 2025 15:23:15 -0700 Subject: [PATCH] mm: folio_may_be_lru_cached() unless folio_test_large() mm/swap.c and mm/mlock.c agree to drain any per-CPU batch as soon as a large folio is added: so collect_longterm_unpinnable_folios() just wastes effort when calling lru_add_drain[_all]() on a large folio. But although there is good reason not to batch up PMD-sized folios, we might well benefit from batching a small number of low-order mTHPs (though unclear how that "small number" limitation will be implemented). So ask if folio_may_be_lru_cached() rather than !folio_test_large(), to insulate those particular checks from future change. Name preferred to "folio_is_batchable" because large folios can well be put on a batch: it's just the per-CPU LRU caches, drained much later, which need care. Marked for stable, to counter the increase in lru_add_drain_all()s from "mm/gup: check ref_count instead of lru before migration". Link: https://lkml.kernel.org/r/57d2eaf8-3607-f318-e0c5-be02dce61ad0@google.com Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: Hugh Dickins <hughd(a)google.com> Suggested-by: David Hildenbrand <david(a)redhat.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: Will Deacon <will(a)kernel.org> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/swap.h b/include/linux/swap.h index 2fe6ed2cc3fd..7012a0f758d8 100644 --- a/include/linux/swap.h +++ b/include/linux/swap.h @@ -385,6 +385,16 @@ void folio_add_lru_vma(struct folio *, struct vm_area_struct *); void mark_page_accessed(struct page *); void folio_mark_accessed(struct folio *); +static inline bool folio_may_be_lru_cached(struct folio *folio) +{ + /* + * Holding PMD-sized folios in per-CPU LRU cache unbalances accounting. + * Holding small numbers of low-order mTHP folios in per-CPU LRU cache + * will be sensible, but nobody has implemented and tested that yet. + */ + return !folio_test_large(folio); +} + extern atomic_t lru_disable_count; static inline bool lru_cache_disabled(void) diff --git a/mm/gup.c b/mm/gup.c index b47066a54f52..0bc4d140fc07 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2307,13 +2307,13 @@ static unsigned long collect_longterm_unpinnable_folios( continue; } - if (drained == 0 && + if (drained == 0 && folio_may_be_lru_cached(folio) && folio_ref_count(folio) != folio_expected_ref_count(folio) + 1) { lru_add_drain(); drained = 1; } - if (drained == 1 && + if (drained == 1 && folio_may_be_lru_cached(folio) && folio_ref_count(folio) != folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); diff --git a/mm/mlock.c b/mm/mlock.c index a1d93ad33c6d..bb0776f5ef7c 100644 --- a/mm/mlock.c +++ b/mm/mlock.c @@ -255,7 +255,7 @@ void mlock_folio(struct folio *folio) folio_get(folio); if (!folio_batch_add(fbatch, mlock_lru(folio)) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } @@ -278,7 +278,7 @@ void mlock_new_folio(struct folio *folio) folio_get(folio); if (!folio_batch_add(fbatch, mlock_new(folio)) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } @@ -299,7 +299,7 @@ void munlock_folio(struct folio *folio) */ folio_get(folio); if (!folio_batch_add(fbatch, folio) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } diff --git a/mm/swap.c b/mm/swap.c index 6ae2d5680574..b74ebe865dd9 100644 --- a/mm/swap.c +++ b/mm/swap.c @@ -192,7 +192,7 @@ static void __folio_batch_add_and_move(struct folio_batch __percpu *fbatch, local_lock(&cpu_fbatches.lock); if (!folio_batch_add(this_cpu_ptr(fbatch), folio) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) folio_batch_move_lru(this_cpu_ptr(fbatch), move_fn); if (disable_irq)

1 month, 2 weeks

5
6
0 0

[PATCH v5 1/3] drm/buddy: Optimize free block management with RB tree

by Arunpravin Paneer Selvam

Replace the freelist (O(n)) used for free block management with a red-black tree, providing more efficient O(log n) search, insert, and delete operations. This improves scalability and performance when managing large numbers of free blocks per order (e.g., hundreds or thousands). In the VK-CTS memory stress subtest, the buddy manager merges fragmented memory and inserts freed blocks into the freelist. Since freelist insertion is O(n), this becomes a bottleneck as fragmentation increases. Benchmarking shows list_insert_sorted() consumes ~52.69% CPU with the freelist, compared to just 0.03% with the RB tree (rbtree_insert.isra.0), despite performing the same sorted insert. This also improves performance in heavily fragmented workloads, such as games or graphics tests that stress memory. As the buddy allocator evolves with new features such as clear-page tracking, the resulting fragmentation and complexity have grown. These RB-tree based design changes are introduced to address that growth and ensure the allocator continues to perform efficiently under fragmented conditions. The RB tree implementation with separate clear/dirty trees provides: - O(n log n) aggregate complexity for all operations instead of O(n^2) - Elimination of soft lockups and system instability - Improved code maintainability and clarity - Better scalability for large memory systems - Predictable performance under fragmentation v3(Matthew): - Remove RB_EMPTY_NODE check in force_merge function. - Rename rb for loop macros to have less generic names and move to .c file. - Make the rb node rb and link field as union. v4(Jani Nikula): - The kernel-doc comment should be "/**" - Move all the rbtree macros to rbtree.h and add parens to ensure correct precedence. v5: - Remove the inline in a .c file (Jani Nikula). Cc: stable(a)vger.kernel.org Signed-off-by: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam(a)amd.com> --- drivers/gpu/drm/drm_buddy.c | 142 ++++++++++++++++++++++-------------- include/drm/drm_buddy.h | 9 ++- include/linux/rbtree.h | 56 ++++++++++++++ 3 files changed, 152 insertions(+), 55 deletions(-) diff --git a/drivers/gpu/drm/drm_buddy.c b/drivers/gpu/drm/drm_buddy.c index a94061f373de..8b340f47f73d 100644 --- a/drivers/gpu/drm/drm_buddy.c +++ b/drivers/gpu/drm/drm_buddy.c @@ -31,6 +31,8 @@ static struct drm_buddy_block *drm_block_alloc(struct drm_buddy *mm, block->header |= order; block->parent = parent; + RB_CLEAR_NODE(&block->rb); + BUG_ON(block->header & DRM_BUDDY_HEADER_UNUSED); return block; } @@ -41,23 +43,53 @@ static void drm_block_free(struct drm_buddy *mm, kmem_cache_free(slab_blocks, block); } -static void list_insert_sorted(struct drm_buddy *mm, - struct drm_buddy_block *block) +static void rbtree_insert(struct drm_buddy *mm, + struct drm_buddy_block *block) { + struct rb_root *root = &mm->free_tree[drm_buddy_block_order(block)]; + struct rb_node **link = &root->rb_node; + struct rb_node *parent = NULL; struct drm_buddy_block *node; - struct list_head *head; + u64 offset; + + offset = drm_buddy_block_offset(block); - head = &mm->free_list[drm_buddy_block_order(block)]; - if (list_empty(head)) { - list_add(&block->link, head); - return; + while (*link) { + parent = *link; + node = rb_entry(parent, struct drm_buddy_block, rb); + + if (offset < drm_buddy_block_offset(node)) + link = &parent->rb_left; + else + link = &parent->rb_right; } - list_for_each_entry(node, head, link) - if (drm_buddy_block_offset(block) < drm_buddy_block_offset(node)) - break; + rb_link_node(&block->rb, parent, link); + rb_insert_color(&block->rb, root); +} + +static void rbtree_remove(struct drm_buddy *mm, + struct drm_buddy_block *block) +{ + struct rb_root *root; + + root = &mm->free_tree[drm_buddy_block_order(block)]; + rb_erase(&block->rb, root); + + RB_CLEAR_NODE(&block->rb); +} + +static struct drm_buddy_block * +rbtree_last_entry(struct drm_buddy *mm, unsigned int order) +{ + struct rb_node *node = rb_last(&mm->free_tree[order]); - __list_add(&block->link, node->link.prev, &node->link); + return node ? rb_entry(node, struct drm_buddy_block, rb) : NULL; +} + +static bool rbtree_is_empty(struct drm_buddy *mm, unsigned int order) +{ + return RB_EMPTY_ROOT(&mm->free_tree[order]); } static void clear_reset(struct drm_buddy_block *block) @@ -70,12 +102,13 @@ static void mark_cleared(struct drm_buddy_block *block) block->header |= DRM_BUDDY_HEADER_CLEAR; } -static void mark_allocated(struct drm_buddy_block *block) +static void mark_allocated(struct drm_buddy *mm, + struct drm_buddy_block *block) { block->header &= ~DRM_BUDDY_HEADER_STATE; block->header |= DRM_BUDDY_ALLOCATED; - list_del(&block->link); + rbtree_remove(mm, block); } static void mark_free(struct drm_buddy *mm, @@ -84,15 +117,16 @@ static void mark_free(struct drm_buddy *mm, block->header &= ~DRM_BUDDY_HEADER_STATE; block->header |= DRM_BUDDY_FREE; - list_insert_sorted(mm, block); + rbtree_insert(mm, block); } -static void mark_split(struct drm_buddy_block *block) +static void mark_split(struct drm_buddy *mm, + struct drm_buddy_block *block) { block->header &= ~DRM_BUDDY_HEADER_STATE; block->header |= DRM_BUDDY_SPLIT; - list_del(&block->link); + rbtree_remove(mm, block); } static inline bool overlaps(u64 s1, u64 e1, u64 s2, u64 e2) @@ -148,7 +182,7 @@ static unsigned int __drm_buddy_free(struct drm_buddy *mm, mark_cleared(parent); } - list_del(&buddy->link); + rbtree_remove(mm, buddy); if (force_merge && drm_buddy_block_is_clear(buddy)) mm->clear_avail -= drm_buddy_block_size(mm, buddy); @@ -179,9 +213,11 @@ static int __force_merge(struct drm_buddy *mm, return -EINVAL; for (i = min_order - 1; i >= 0; i--) { - struct drm_buddy_block *block, *prev; + struct drm_buddy_block *block, *prev_block, *first_block; + + first_block = rb_entry(rb_first(&mm->free_tree[i]), struct drm_buddy_block, rb); - list_for_each_entry_safe_reverse(block, prev, &mm->free_list[i], link) { + rbtree_reverse_for_each_entry_safe(block, prev_block, &mm->free_tree[i], rb) { struct drm_buddy_block *buddy; u64 block_start, block_end; @@ -206,10 +242,14 @@ static int __force_merge(struct drm_buddy *mm, * block in the next iteration as we would free the * buddy block as part of the free function. */ - if (prev == buddy) - prev = list_prev_entry(prev, link); + if (prev_block && prev_block == buddy) { + if (prev_block != first_block) + prev_block = rb_entry(rb_prev(&prev_block->rb), + struct drm_buddy_block, + rb); + } - list_del(&block->link); + rbtree_remove(mm, block); if (drm_buddy_block_is_clear(block)) mm->clear_avail -= drm_buddy_block_size(mm, block); @@ -258,14 +298,14 @@ int drm_buddy_init(struct drm_buddy *mm, u64 size, u64 chunk_size) BUG_ON(mm->max_order > DRM_BUDDY_MAX_ORDER); - mm->free_list = kmalloc_array(mm->max_order + 1, - sizeof(struct list_head), + mm->free_tree = kmalloc_array(mm->max_order + 1, + sizeof(struct rb_root), GFP_KERNEL); - if (!mm->free_list) + if (!mm->free_tree) return -ENOMEM; for (i = 0; i <= mm->max_order; ++i) - INIT_LIST_HEAD(&mm->free_list[i]); + mm->free_tree[i] = RB_ROOT; mm->n_roots = hweight64(size); @@ -273,7 +313,7 @@ int drm_buddy_init(struct drm_buddy *mm, u64 size, u64 chunk_size) sizeof(struct drm_buddy_block *), GFP_KERNEL); if (!mm->roots) - goto out_free_list; + goto out_free_tree; offset = 0; i = 0; @@ -312,8 +352,8 @@ int drm_buddy_init(struct drm_buddy *mm, u64 size, u64 chunk_size) while (i--) drm_block_free(mm, mm->roots[i]); kfree(mm->roots); -out_free_list: - kfree(mm->free_list); +out_free_tree: + kfree(mm->free_tree); return -ENOMEM; } EXPORT_SYMBOL(drm_buddy_init); @@ -323,7 +363,7 @@ EXPORT_SYMBOL(drm_buddy_init); * * @mm: DRM buddy manager to free * - * Cleanup memory manager resources and the freelist + * Cleanup memory manager resources and the freetree */ void drm_buddy_fini(struct drm_buddy *mm) { @@ -350,7 +390,7 @@ void drm_buddy_fini(struct drm_buddy *mm) WARN_ON(mm->avail != mm->size); kfree(mm->roots); - kfree(mm->free_list); + kfree(mm->free_tree); } EXPORT_SYMBOL(drm_buddy_fini); @@ -383,7 +423,7 @@ static int split_block(struct drm_buddy *mm, clear_reset(block); } - mark_split(block); + mark_split(mm, block); return 0; } @@ -412,7 +452,7 @@ EXPORT_SYMBOL(drm_get_buddy); * @is_clear: blocks clear state * * Reset the clear state based on @is_clear value for each block - * in the freelist. + * in the freetree. */ void drm_buddy_reset_clear(struct drm_buddy *mm, bool is_clear) { @@ -433,7 +473,7 @@ void drm_buddy_reset_clear(struct drm_buddy *mm, bool is_clear) for (i = 0; i <= mm->max_order; ++i) { struct drm_buddy_block *block; - list_for_each_entry_reverse(block, &mm->free_list[i], link) { + rbtree_reverse_for_each_entry(block, &mm->free_tree[i], rb) { if (is_clear != drm_buddy_block_is_clear(block)) { if (is_clear) { mark_cleared(block); @@ -641,7 +681,7 @@ get_maxblock(struct drm_buddy *mm, unsigned int order, for (i = order; i <= mm->max_order; ++i) { struct drm_buddy_block *tmp_block; - list_for_each_entry_reverse(tmp_block, &mm->free_list[i], link) { + rbtree_reverse_for_each_entry(tmp_block, &mm->free_tree[i], rb) { if (block_incompatible(tmp_block, flags)) continue; @@ -667,7 +707,7 @@ get_maxblock(struct drm_buddy *mm, unsigned int order, } static struct drm_buddy_block * -alloc_from_freelist(struct drm_buddy *mm, +alloc_from_freetree(struct drm_buddy *mm, unsigned int order, unsigned long flags) { @@ -684,7 +724,7 @@ alloc_from_freelist(struct drm_buddy *mm, for (tmp = order; tmp <= mm->max_order; ++tmp) { struct drm_buddy_block *tmp_block; - list_for_each_entry_reverse(tmp_block, &mm->free_list[tmp], link) { + rbtree_reverse_for_each_entry(tmp_block, &mm->free_tree[tmp], rb) { if (block_incompatible(tmp_block, flags)) continue; @@ -700,10 +740,8 @@ alloc_from_freelist(struct drm_buddy *mm, if (!block) { /* Fallback method */ for (tmp = order; tmp <= mm->max_order; ++tmp) { - if (!list_empty(&mm->free_list[tmp])) { - block = list_last_entry(&mm->free_list[tmp], - struct drm_buddy_block, - link); + if (!rbtree_is_empty(mm, tmp)) { + block = rbtree_last_entry(mm, tmp); if (block) break; } @@ -771,7 +809,7 @@ static int __alloc_range(struct drm_buddy *mm, if (contains(start, end, block_start, block_end)) { if (drm_buddy_block_is_free(block)) { - mark_allocated(block); + mark_allocated(mm, block); total_allocated += drm_buddy_block_size(mm, block); mm->avail -= drm_buddy_block_size(mm, block); if (drm_buddy_block_is_clear(block)) @@ -849,7 +887,6 @@ static int __alloc_contig_try_harder(struct drm_buddy *mm, { u64 rhs_offset, lhs_offset, lhs_size, filled; struct drm_buddy_block *block; - struct list_head *list; LIST_HEAD(blocks_lhs); unsigned long pages; unsigned int order; @@ -862,11 +899,10 @@ static int __alloc_contig_try_harder(struct drm_buddy *mm, if (order == 0) return -ENOSPC; - list = &mm->free_list[order]; - if (list_empty(list)) + if (rbtree_is_empty(mm, order)) return -ENOSPC; - list_for_each_entry_reverse(block, list, link) { + rbtree_reverse_for_each_entry(block, &mm->free_tree[order], rb) { /* Allocate blocks traversing RHS */ rhs_offset = drm_buddy_block_offset(block); err = __drm_buddy_alloc_range(mm, rhs_offset, size, @@ -976,7 +1012,7 @@ int drm_buddy_block_trim(struct drm_buddy *mm, list_add(&block->tmp_link, &dfs); err = __alloc_range(mm, &dfs, new_start, new_size, blocks, NULL); if (err) { - mark_allocated(block); + mark_allocated(mm, block); mm->avail -= drm_buddy_block_size(mm, block); if (drm_buddy_block_is_clear(block)) mm->clear_avail -= drm_buddy_block_size(mm, block); @@ -999,8 +1035,8 @@ __drm_buddy_alloc_blocks(struct drm_buddy *mm, return __drm_buddy_alloc_range_bias(mm, start, end, order, flags); else - /* Allocate from freelist */ - return alloc_from_freelist(mm, order, flags); + /* Allocate from freetree */ + return alloc_from_freetree(mm, order, flags); } /** @@ -1017,8 +1053,8 @@ __drm_buddy_alloc_blocks(struct drm_buddy *mm, * alloc_range_bias() called on range limitations, which traverses * the tree and returns the desired block. * - * alloc_from_freelist() called when *no* range restrictions - * are enforced, which picks the block from the freelist. + * alloc_from_freetree() called when *no* range restrictions + * are enforced, which picks the block from the freetree. * * Returns: * 0 on success, error code on failure. @@ -1120,7 +1156,7 @@ int drm_buddy_alloc_blocks(struct drm_buddy *mm, } } while (1); - mark_allocated(block); + mark_allocated(mm, block); mm->avail -= drm_buddy_block_size(mm, block); if (drm_buddy_block_is_clear(block)) mm->clear_avail -= drm_buddy_block_size(mm, block); @@ -1204,7 +1240,7 @@ void drm_buddy_print(struct drm_buddy *mm, struct drm_printer *p) struct drm_buddy_block *block; u64 count = 0, free; - list_for_each_entry(block, &mm->free_list[order], link) { + rbtree_for_each_entry(block, &mm->free_tree[order], rb) { BUG_ON(!drm_buddy_block_is_free(block)); count++; } diff --git a/include/drm/drm_buddy.h b/include/drm/drm_buddy.h index 513837632b7d..091823592034 100644 --- a/include/drm/drm_buddy.h +++ b/include/drm/drm_buddy.h @@ -10,6 +10,7 @@ #include <linux/list.h> #include <linux/slab.h> #include <linux/sched.h> +#include <linux/rbtree.h> #include <drm/drm_print.h> @@ -53,7 +54,11 @@ struct drm_buddy_block { * a list, if so desired. As soon as the block is freed with * drm_buddy_free* ownership is given back to the mm. */ - struct list_head link; + union { + struct rb_node rb; + struct list_head link; + }; + struct list_head tmp_link; }; @@ -68,7 +73,7 @@ struct drm_buddy_block { */ struct drm_buddy { /* Maintain a free list for each order. */ - struct list_head *free_list; + struct rb_root *free_tree; /* * Maintain explicit binary tree(s) to track the allocation of the diff --git a/include/linux/rbtree.h b/include/linux/rbtree.h index 8d2ba3749866..17190bb4837c 100644 --- a/include/linux/rbtree.h +++ b/include/linux/rbtree.h @@ -79,6 +79,62 @@ static inline void rb_link_node_rcu(struct rb_node *node, struct rb_node *parent ____ptr ? rb_entry(____ptr, type, member) : NULL; \ }) +/** + * rbtree_for_each_entry - iterate in-order over rb_root of given type + * + * @pos: the 'type *' to use as a loop cursor. + * @root: 'rb_root *' of the rbtree. + * @member: the name of the rb_node field within 'type'. + */ +#define rbtree_for_each_entry(pos, root, member) \ + for ((pos) = rb_entry_safe(rb_first(root), typeof(*(pos)), member); \ + (pos); \ + (pos) = rb_entry_safe(rb_next(&(pos)->member), typeof(*(pos)), member)) + +/** + * rbtree_reverse_for_each_entry - iterate in reverse in-order over rb_root + * of given type + * + * @pos: the 'type *' to use as a loop cursor. + * @root: 'rb_root *' of the rbtree. + * @member: the name of the rb_node field within 'type'. + */ +#define rbtree_reverse_for_each_entry(pos, root, member) \ + for ((pos) = rb_entry_safe(rb_last(root), typeof(*(pos)), member); \ + (pos); \ + (pos) = rb_entry_safe(rb_prev(&(pos)->member), typeof(*(pos)), member)) + +/** + * rbtree_for_each_entry_safe - iterate in-order over rb_root safe against removal + * + * @pos: the 'type *' to use as a loop cursor + * @n: another 'type *' to use as temporary storage + * @root: 'rb_root *' of the rbtree + * @member: the name of the rb_node field within 'type' + */ +#define rbtree_for_each_entry_safe(pos, n, root, member) \ + for ((pos) = rb_entry_safe(rb_first(root), typeof(*(pos)), member), \ + (n) = (pos) ? rb_entry_safe(rb_next(&(pos)->member), typeof(*(pos)), member) : NULL; \ + (pos); \ + (pos) = (n), \ + (n) = (pos) ? rb_entry_safe(rb_next(&(pos)->member), typeof(*(pos)), member) : NULL) + +/** + * rbtree_reverse_for_each_entry_safe - iterate in reverse in-order over rb_root + * safe against removal + * + * @pos: the struct type * to use as a loop cursor. + * @n: another struct type * to use as temporary storage. + * @root: pointer to struct rb_root to iterate. + * @member: name of the rb_node field within the struct. + */ +#define rbtree_reverse_for_each_entry_safe(pos, n, root, member) \ + for ((pos) = rb_entry_safe(rb_last(root), typeof(*(pos)), member), \ + (n) = (pos) ? rb_entry_safe(rb_prev(&(pos)->member), typeof(*(pos)), member) : NULL; \ + (pos); \ + (pos) = (n), \ + (n) = (pos) ? rb_entry_safe(rb_prev(&(pos)->member), typeof(*(pos)), member) : NULL) + /** * rbtree_postorder_for_each_entry_safe - iterate in post-order over rb_root of * given type allowing the backing memory of @pos to be invalidated base-commit: 7156602d56e5ad689ae11e03680ab6326238b5e3 -- 2.34.1

1 month, 2 weeks

4
7
0 0

[PATCH] ASoC: mediatek: mt8365: Add check for devm_kcalloc() in mt8365_afe_suspend()

by Guangshuo Li

devm_kcalloc() may fail. mt8365_afe_suspend() uses afe->reg_back_up unconditionally after allocation and writes afe->reg_back_up[i], which can lead to a NULL pointer dereference under low-memory conditions. Add a NULL check and bail out with -ENOMEM, making sure to disable the main clock via the existing error path to keep clock state balanced. Fixes: e1991d102bc2 ("ASoC: mediatek: mt8365: Add the AFE driver support") Cc: stable(a)vger.kernel.org Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- sound/soc/mediatek/mt8365/mt8365-afe-pcm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c b/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c index 10793bbe9275..eaeb14e1fce9 100644 --- a/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c +++ b/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c @@ -1979,6 +1979,10 @@ static int mt8365_afe_suspend(struct device *dev) afe->reg_back_up = devm_kcalloc(dev, afe->reg_back_up_list_num, sizeof(unsigned int), GFP_KERNEL); + if (!afe->reg_back_up) { + mt8365_afe_disable_main_clk(afe); + return -ENOMEM; + } for (i = 0; i < afe->reg_back_up_list_num; i++) regmap_read(regmap, afe->reg_back_up_list[i], -- 2.43.0

1 month, 2 weeks

3
3
0 0

[PATCH v3] staging: gpib: Fix device reference leak in fmh_gpib driver

by Ma Ke

The fmh_gpib driver contains a device reference count leak in fmh_gpib_attach_impl() where driver_find_device() increases the reference count of the device by get_device() when matching but this reference is not properly decreased. Add put_device() in fmh_gpib_detach(), which ensures that the reference count of the device is correctly managed. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 8e4841a0888c ("staging: gpib: Add Frank Mori Hess FPGA PCI GPIB driver") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v3: - deleted the redundant put_device() to avoid double free as suggestions; Changes in v2: - modified the free operations as suggestions. Thanks for dan carpenter's instructions. --- drivers/staging/gpib/fmh_gpib/fmh_gpib.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/staging/gpib/fmh_gpib/fmh_gpib.c b/drivers/staging/gpib/fmh_gpib/fmh_gpib.c index 4138f3d2bae7..efce01b39b9b 100644 --- a/drivers/staging/gpib/fmh_gpib/fmh_gpib.c +++ b/drivers/staging/gpib/fmh_gpib/fmh_gpib.c @@ -1517,6 +1517,11 @@ void fmh_gpib_detach(struct gpib_board *board) resource_size(e_priv->gpib_iomem_res)); } fmh_gpib_generic_detach(board); + + if (board->dev) { + put_device(board->dev); + board->dev = NULL; + } } static int fmh_gpib_pci_attach_impl(struct gpib_board *board, -- 2.17.1

1 month, 2 weeks

2
1
0 0

[PATCH v3] ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()

by Ma Ke

wcd934x_codec_parse_data() contains a device reference count leak in of_slim_get_device() where device_find_child() increases the reference count of the device but this reference is not properly decreased in the success path. Add put_device() in wcd934x_codec_parse_data() and add devm_add_action_or_reset() in the probe function, which ensures that the reference count of the device is correctly managed. Memory leak in regmap_init_slimbus() as the allocated regmap is not released when the device is removed. Using devm_regmap_init_slimbus() instead of regmap_init_slimbus() to ensure automatic regmap cleanup on device removal. Calling path: of_slim_get_device() -> of_find_slim_device() -> device_find_child(). As comment of device_find_child() says, 'NOTE: you will need to drop the reference with put_device() after use.'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: a61f3b4f476e ("ASoC: wcd934x: add support to wcd9340/wcd9341 codec") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v3: - added a wrapper function due to the warning report from kernel test robot; Changes in v2: - modified the handling in the success path and fixed the memory leak for regmap as suggestions. --- sound/soc/codecs/wcd934x.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/sound/soc/codecs/wcd934x.c b/sound/soc/codecs/wcd934x.c index 1bb7e1dc7e6b..d9d8cf64977a 100644 --- a/sound/soc/codecs/wcd934x.c +++ b/sound/soc/codecs/wcd934x.c @@ -5831,6 +5831,15 @@ static const struct snd_soc_component_driver wcd934x_component_drv = { .endianness = 1, }; +static void wcd934x_put_device_action(void *data) +{ + struct device *dev = data; + + if (dev) { + put_device(dev); + } +} + static int wcd934x_codec_parse_data(struct wcd934x_codec *wcd) { struct device *dev = &wcd->sdev->dev; @@ -5847,11 +5856,13 @@ static int wcd934x_codec_parse_data(struct wcd934x_codec *wcd) return dev_err_probe(dev, -EINVAL, "Unable to get SLIM Interface device\n"); slim_get_logical_addr(wcd->sidev); - wcd->if_regmap = regmap_init_slimbus(wcd->sidev, + wcd->if_regmap = devm_regmap_init_slimbus(wcd->sidev, &wcd934x_ifc_regmap_config); - if (IS_ERR(wcd->if_regmap)) + if (IS_ERR(wcd->if_regmap)) { + put_device(&wcd->sidev->dev); return dev_err_probe(dev, PTR_ERR(wcd->if_regmap), "Failed to allocate ifc register map\n"); + } of_property_read_u32(dev->parent->of_node, "qcom,dmic-sample-rate", &wcd->dmic_sample_rate); @@ -5893,6 +5904,10 @@ static int wcd934x_codec_probe(struct platform_device *pdev) if (ret) return ret; + ret = devm_add_action_or_reset(dev, wcd934x_put_device_action, &wcd->sidev->dev); + if (ret) + return ret; + /* set default rate 9P6MHz */ regmap_update_bits(wcd->regmap, WCD934X_CODEC_RPM_CLK_MCLK_CFG, WCD934X_CODEC_RPM_CLK_MCLK_CFG_MCLK_MASK, -- 2.17.1

1 month, 2 weeks

2
1
0 0

[merged mm-stable] selftests-mm-skip-soft-dirty-tests-when-config_mem_soft_dirty-is-disabled.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: selftests/mm: skip soft-dirty tests when CONFIG_MEM_SOFT_DIRTY is disabled has been removed from the -mm tree. Its filename was selftests-mm-skip-soft-dirty-tests-when-config_mem_soft_dirty-is-disabled.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Lance Yang <lance.yang(a)linux.dev> Subject: selftests/mm: skip soft-dirty tests when CONFIG_MEM_SOFT_DIRTY is disabled Date: Wed, 17 Sep 2025 21:31:37 +0800 The madv_populate and soft-dirty kselftests currently fail on systems where CONFIG_MEM_SOFT_DIRTY is disabled. Introduce a new helper softdirty_supported() into vm_util.c/h to ensure tests are properly skipped when the feature is not enabled. Link: https://lkml.kernel.org/r/20250917133137.62802-1-lance.yang@linux.dev Fixes: 9f3265db6ae8 ("selftests: vm: add test for Soft-Dirty PTE bit") Signed-off-by: Lance Yang <lance.yang(a)linux.dev> Acked-by: David Hildenbrand <david(a)redhat.com> Suggested-by: David Hildenbrand <david(a)redhat.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Shuah Khan <shuah(a)kernel.org> Cc: Gabriel Krisman Bertazi <krisman(a)collabora.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/testing/selftests/mm/madv_populate.c | 21 +------------------ tools/testing/selftests/mm/soft-dirty.c | 5 +++- tools/testing/selftests/mm/vm_util.c | 17 +++++++++++++++ tools/testing/selftests/mm/vm_util.h | 1 4 files changed, 24 insertions(+), 20 deletions(-) --- a/tools/testing/selftests/mm/madv_populate.c~selftests-mm-skip-soft-dirty-tests-when-config_mem_soft_dirty-is-disabled +++ a/tools/testing/selftests/mm/madv_populate.c @@ -264,23 +264,6 @@ static void test_softdirty(void) munmap(addr, SIZE); } -static int system_has_softdirty(void) -{ - /* - * There is no way to check if the kernel supports soft-dirty, other - * than by writing to a page and seeing if the bit was set. But the - * tests are intended to check that the bit gets set when it should, so - * doing that check would turn a potentially legitimate fail into a - * skip. Fortunately, we know for sure that arm64 does not support - * soft-dirty. So for now, let's just use the arch as a corse guide. - */ -#if defined(__aarch64__) - return 0; -#else - return 1; -#endif -} - int main(int argc, char **argv) { int nr_tests = 16; @@ -288,7 +271,7 @@ int main(int argc, char **argv) pagesize = getpagesize(); - if (system_has_softdirty()) + if (softdirty_supported()) nr_tests += 5; ksft_print_header(); @@ -300,7 +283,7 @@ int main(int argc, char **argv) test_holes(); test_populate_read(); test_populate_write(); - if (system_has_softdirty()) + if (softdirty_supported()) test_softdirty(); err = ksft_get_fail_cnt(); --- a/tools/testing/selftests/mm/soft-dirty.c~selftests-mm-skip-soft-dirty-tests-when-config_mem_soft_dirty-is-disabled +++ a/tools/testing/selftests/mm/soft-dirty.c @@ -200,8 +200,11 @@ int main(int argc, char **argv) int pagesize; ksft_print_header(); - ksft_set_plan(15); + if (!softdirty_supported()) + ksft_exit_skip("soft-dirty is not support\n"); + + ksft_set_plan(15); pagemap_fd = open(PAGEMAP_FILE_PATH, O_RDONLY); if (pagemap_fd < 0) ksft_exit_fail_msg("Failed to open %s\n", PAGEMAP_FILE_PATH); --- a/tools/testing/selftests/mm/vm_util.c~selftests-mm-skip-soft-dirty-tests-when-config_mem_soft_dirty-is-disabled +++ a/tools/testing/selftests/mm/vm_util.c @@ -449,6 +449,23 @@ bool check_vmflag_pfnmap(void *addr) return check_vmflag(addr, "pf"); } +bool softdirty_supported(void) +{ + char *addr; + bool supported = false; + const size_t pagesize = getpagesize(); + + /* New mappings are expected to be marked with VM_SOFTDIRTY (sd). */ + addr = mmap(0, pagesize, PROT_READ | PROT_WRITE, + MAP_ANONYMOUS | MAP_PRIVATE, 0, 0); + if (!addr) + ksft_exit_fail_msg("mmap failed\n"); + + supported = check_vmflag(addr, "sd"); + munmap(addr, pagesize); + return supported; +} + /* * Open an fd at /proc/$pid/maps and configure procmap_out ready for * PROCMAP_QUERY query. Returns 0 on success, or an error code otherwise. --- a/tools/testing/selftests/mm/vm_util.h~selftests-mm-skip-soft-dirty-tests-when-config_mem_soft_dirty-is-disabled +++ a/tools/testing/selftests/mm/vm_util.h @@ -104,6 +104,7 @@ bool find_vma_procmap(struct procmap_fd int close_procmap(struct procmap_fd *procmap); int write_sysfs(const char *file_path, unsigned long val); int read_sysfs(const char *file_path, unsigned long *val); +bool softdirty_supported(void); static inline int open_self_procmap(struct procmap_fd *procmap_out) { _ Patches currently in -mm which might be from lance.yang(a)linux.dev are hung_task-fix-warnings-caused-by-unaligned-lock-pointers.patch mm-thp-fix-mte-tag-mismatch-when-replacing-zero-filled-subpages.patch

1 month, 2 weeks

1
0
0 0

[merged mm-nonmm-stable] fix-the-racy-usage-of-task_locktsk-group_leader-in-sys_prlimit64-paths.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths has been removed from the -mm tree. Its filename was fix-the-racy-usage-of-task_locktsk-group_leader-in-sys_prlimit64-paths.patch This patch was dropped because it was merged into the mm-nonmm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Oleg Nesterov <oleg(a)redhat.com> Subject: kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths Date: Mon, 15 Sep 2025 14:09:17 +0200 The usage of task_lock(tsk->group_leader) in sys_prlimit64()->do_prlimit() path is very broken. sys_prlimit64() does get_task_struct(tsk) but this only protects task_struct itself. If tsk != current and tsk is not a leader, this process can exit/exec and task_lock(tsk->group_leader) may use the already freed task_struct. Another problem is that sys_prlimit64() can race with mt-exec which changes ->group_leader. In this case do_prlimit() may take the wrong lock, or (worse) ->group_leader may change between task_lock() and task_unlock(). Change sys_prlimit64() to take tasklist_lock when necessary. This is not nice, but I don't see a better fix for -stable. Link: https://lkml.kernel.org/r/20250915120917.GA27702@redhat.com Fixes: 18c91bb2d872 ("prlimit: do not grab the tasklist_lock") Signed-off-by: Oleg Nesterov <oleg(a)redhat.com> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Jiri Slaby <jirislaby(a)kernel.org> Cc: Mateusz Guzik <mjguzik(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/sys.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) --- a/kernel/sys.c~fix-the-racy-usage-of-task_locktsk-group_leader-in-sys_prlimit64-paths +++ a/kernel/sys.c @@ -1734,6 +1734,7 @@ SYSCALL_DEFINE4(prlimit64, pid_t, pid, u struct rlimit old, new; struct task_struct *tsk; unsigned int checkflags = 0; + bool need_tasklist; int ret; if (old_rlim) @@ -1760,8 +1761,25 @@ SYSCALL_DEFINE4(prlimit64, pid_t, pid, u get_task_struct(tsk); rcu_read_unlock(); - ret = do_prlimit(tsk, resource, new_rlim ? &new : NULL, - old_rlim ? &old : NULL); + need_tasklist = !same_thread_group(tsk, current); + if (need_tasklist) { + /* + * Ensure we can't race with group exit or de_thread(), + * so tsk->group_leader can't be freed or changed until + * read_unlock(tasklist_lock) below. + */ + read_lock(&tasklist_lock); + if (!pid_alive(tsk)) + ret = -ESRCH; + } + + if (!ret) { + ret = do_prlimit(tsk, resource, new_rlim ? &new : NULL, + old_rlim ? &old : NULL); + } + + if (need_tasklist) + read_unlock(&tasklist_lock); if (!ret && old_rlim) { rlim_to_rlim64(&old, &old64); _ Patches currently in -mm which might be from oleg(a)redhat.com are

1 month, 2 weeks

1
0
0 0

[PATCH] fbcon: Fix OOB access in font allocation

by Thomas Zimmermann

Commit 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font") introduced an out-of-bounds access by storing data and allocation sizes in the same variable. Restore the old size calculation and use the new variable 'alloc_size' for the allocation. Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Fixes: 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font") Reported-by: Jani Nikula <jani.nikula(a)linux.intel.com> Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15020 Cc: Samasth Norway Ananda <samasth.norway.ananda(a)oracle.com> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: George Kennedy <george.kennedy(a)oracle.com> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: Simona Vetter <simona(a)ffwll.ch> Cc: Helge Deller <deller(a)gmx.de> Cc: "Ville Syrjälä" <ville.syrjala(a)linux.intel.com> Cc: Sam Ravnborg <sam(a)ravnborg.org> Cc: Qianqiang Liu <qianqiang.liu(a)163.com> Cc: Shixiong Ou <oushixiong(a)kylinos.cn> Cc: Kees Cook <kees(a)kernel.org> Cc: <stable(a)vger.kernel.org> # v5.9+ Cc: Zsolt Kajtar <soci(a)c64.rulez.org> --- drivers/video/fbdev/core/fbcon.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index 5fade44931b8..c1c0cdd7597c 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -2518,7 +2518,7 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font, unsigned charcount = font->charcount; int w = font->width; int h = font->height; - int size; + int size, alloc_size; int i, csum; u8 *new_data, *data = font->data; int pitch = PITCH(font->width); @@ -2551,10 +2551,10 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font, return -EINVAL; /* Check for overflow in allocation size calculation */ - if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size)) + if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &alloc_size)) return -EINVAL; - new_data = kmalloc(size, GFP_USER); + new_data = kmalloc(alloc_size, GFP_USER); if (!new_data) return -ENOMEM; -- 2.51.0

1 month, 2 weeks

3
2
0 0

[PATCH v3] wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again

by Muhammad Usama Anjum

Don't deinitialize and reinitialize the HAL helpers. The dma memory is deallocated and there is high possibility that we'll not be able to get the same memory allocated from dma when there is high memory pressure. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03926.13-QCAHSPSWPL_V2_SILICONZ_CE-2.52297.6 Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") Cc: stable(a)vger.kernel.org Cc: Baochen Qiang <baochen.qiang(a)oss.qualcomm.com> Reviewed-by: Baochen Qiang <baochen.qiang(a)oss.qualcomm.com> Signed-off-by: Muhammad Usama Anjum <usama.anjum(a)collabora.com> --- Changes since v1: - Cc stable and fix tested on tag - Clear essential fields as they may have stale data Changes since v2: - Add comment and reviewed by tag --- drivers/net/wireless/ath/ath11k/core.c | 6 +----- drivers/net/wireless/ath/ath11k/hal.c | 16 ++++++++++++++++ drivers/net/wireless/ath/ath11k/hal.h | 1 + 3 files changed, 18 insertions(+), 5 deletions(-) diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c index 4488e4cdc5e9e..34b27711ed00f 100644 --- a/drivers/net/wireless/ath/ath11k/core.c +++ b/drivers/net/wireless/ath/ath11k/core.c @@ -2213,14 +2213,10 @@ static int ath11k_core_reconfigure_on_crash(struct ath11k_base *ab) mutex_unlock(&ab->core_lock); ath11k_dp_free(ab); - ath11k_hal_srng_deinit(ab); + ath11k_hal_srng_clear(ab); ab->free_vdev_map = (1LL << (ab->num_radios * TARGET_NUM_VDEVS(ab))) - 1; - ret = ath11k_hal_srng_init(ab); - if (ret) - return ret; - clear_bit(ATH11K_FLAG_CRASH_FLUSH, &ab->dev_flags); ret = ath11k_core_qmi_firmware_ready(ab); diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c index b32de563d453a..e8ebf963f195c 100644 --- a/drivers/net/wireless/ath/ath11k/hal.c +++ b/drivers/net/wireless/ath/ath11k/hal.c @@ -1359,6 +1359,22 @@ void ath11k_hal_srng_deinit(struct ath11k_base *ab) } EXPORT_SYMBOL(ath11k_hal_srng_deinit); +void ath11k_hal_srng_clear(struct ath11k_base *ab) +{ + /* No need to memset rdp and wrp memory since each individual + * segment would get cleared ath11k_hal_srng_src_hw_init() and + * ath11k_hal_srng_dst_hw_init(). + */ + memset(ab->hal.srng_list, 0, + sizeof(ab->hal.srng_list)); + memset(ab->hal.shadow_reg_addr, 0, + sizeof(ab->hal.shadow_reg_addr)); + ab->hal.avail_blk_resource = 0; + ab->hal.current_blk_index = 0; + ab->hal.num_shadow_reg_configured = 0; +} +EXPORT_SYMBOL(ath11k_hal_srng_clear); + void ath11k_hal_dump_srng_stats(struct ath11k_base *ab) { struct hal_srng *srng; diff --git a/drivers/net/wireless/ath/ath11k/hal.h b/drivers/net/wireless/ath/ath11k/hal.h index 601542410c752..839095af9267e 100644 --- a/drivers/net/wireless/ath/ath11k/hal.h +++ b/drivers/net/wireless/ath/ath11k/hal.h @@ -965,6 +965,7 @@ int ath11k_hal_srng_setup(struct ath11k_base *ab, enum hal_ring_type type, struct hal_srng_params *params); int ath11k_hal_srng_init(struct ath11k_base *ath11k); void ath11k_hal_srng_deinit(struct ath11k_base *ath11k); +void ath11k_hal_srng_clear(struct ath11k_base *ab); void ath11k_hal_dump_srng_stats(struct ath11k_base *ab); void ath11k_hal_srng_get_shadow_config(struct ath11k_base *ab, u32 **cfg, u32 *len); -- 2.39.5

1 month, 2 weeks

3
6
0 0

[PATCH net 0/8][pull request] i40e: virtchnl improvements

by Tony Nguyen

Przemek Kitszel says: Improvements hardening PF-VF communication for i40e driver. This patchset targets several issues that can cause undefined behavior or be exploited in some other way. --- IWL: https://lore.kernel.org/intel-wired-lan/20250813104552.61027-1-przemyslaw.k… The following are changes since commit cbf658dd09419f1ef9de11b9604e950bdd5c170b: Merge tag 'net-6.17-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net and are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue 40GbE Lukasz Czapnik (8): i40e: add validation for ring_len param i40e: fix idx validation in i40e_validate_queue_map i40e: fix idx validation in config queues msg i40e: fix input validation logic for action_meta i40e: fix validation of VF state in get resources i40e: add max boundary check for VF filters i40e: add mask to apply valid bits for itr_idx i40e: improve VF MAC filters accounting drivers/net/ethernet/intel/i40e/i40e.h | 3 +- drivers/net/ethernet/intel/i40e/i40e_main.c | 26 ++++- .../ethernet/intel/i40e/i40e_virtchnl_pf.c | 110 ++++++++++-------- .../ethernet/intel/i40e/i40e_virtchnl_pf.h | 3 +- 4 files changed, 90 insertions(+), 52 deletions(-) -- 2.47.1

1 month, 2 weeks

2
9
0 0

[PATCH stable 6.6] ARM: bcm: Select ARM_GIC_V3 for ARCH_BRCMSTB

by Florian Fainelli

commit 2b28fe75c7dbe7ec322e706eed4622964409e21d upstream A number of recent Broadcom STB SoCs utilize a GIC-600 interrupt controller thus requiring the use of the GICv3 driver. Link: https://lore.kernel.org/r/20240726233414.2305526-1-florian.fainelli@broadco… Signed-off-by: Florian Fainelli <florian.fainelli(a)broadcom.com> --- While technically not a bug fix, this allows me to properly build test 6.6 on additional platforms within our test rack. Thanks! arch/arm/mach-bcm/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm/mach-bcm/Kconfig b/arch/arm/mach-bcm/Kconfig index 8789d93a7c04..c705bec1410c 100644 --- a/arch/arm/mach-bcm/Kconfig +++ b/arch/arm/mach-bcm/Kconfig @@ -186,6 +186,7 @@ config ARCH_BRCMSTB select ARCH_HAS_RESET_CONTROLLER select ARM_AMBA select ARM_GIC + select ARM_GIC_V3 select ARM_ERRATA_798181 if SMP select HAVE_ARM_ARCH_TIMER select ZONE_DMA if ARM_LPAE -- 2.34.1

1 month, 2 weeks

1
0
0 0

+ mm-damon-sysfs-do-not-ignore-callbacks-return-value-in-damon_sysfs_damon_call.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/damon/sysfs: do not ignore callback's return value in damon_sysfs_damon_call() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-damon-sysfs-do-not-ignore-callbacks-return-value-in-damon_sysfs_damon_call.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Akinobu Mita <akinobu.mita(a)gmail.com> Subject: mm/damon/sysfs: do not ignore callback's return value in damon_sysfs_damon_call() Date: Sat, 20 Sep 2025 22:25:46 +0900 The callback return value is ignored in damon_sysfs_damon_call(), which means that it is not possible to detect invalid user input when writing commands such as 'commit' to /sys/kernel/mm/damon/admin/kdamonds/<K>/state. Fix it. Link: https://lkml.kernel.org/r/20250920132546.5822-1-akinobu.mita@gmail.com Fixes: f64539dcdb87 ("mm/damon/sysfs: use damon_call() for update_schemes_stats") Signed-off-by: Akinobu Mita <akinobu.mita(a)gmail.com> Reviewed-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> [6.14+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/sysfs.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/mm/damon/sysfs.c~mm-damon-sysfs-do-not-ignore-callbacks-return-value-in-damon_sysfs_damon_call +++ a/mm/damon/sysfs.c @@ -1592,12 +1592,14 @@ static int damon_sysfs_damon_call(int (* struct damon_sysfs_kdamond *kdamond) { struct damon_call_control call_control = {}; + int err; if (!kdamond->damon_ctx) return -EINVAL; call_control.fn = fn; call_control.data = kdamond; - return damon_call(kdamond->damon_ctx, &call_control); + err = damon_call(kdamond->damon_ctx, &call_control); + return err ? err : call_control.return_code; } struct damon_sysfs_schemes_walk_data { _ Patches currently in -mm which might be from akinobu.mita(a)gmail.com are mm-damon-sysfs-do-not-ignore-callbacks-return-value-in-damon_sysfs_damon_call.patch

1 month, 2 weeks

1
0
0 0

+ mm-thp-fix-mte-tag-mismatch-when-replacing-zero-filled-subpages.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/thp: fix MTE tag mismatch when replacing zero-filled subpages has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-thp-fix-mte-tag-mismatch-when-replacing-zero-filled-subpages.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Lance Yang <lance.yang(a)linux.dev> Subject: mm/thp: fix MTE tag mismatch when replacing zero-filled subpages Date: Mon, 22 Sep 2025 10:14:58 +0800 When both THP and MTE are enabled, splitting a THP and replacing its zero-filled subpages with the shared zeropage can cause MTE tag mismatch faults in userspace. Remapping zero-filled subpages to the shared zeropage is unsafe, as the zeropage has a fixed tag of zero, which may not match the tag expected by the userspace pointer. KSM already avoids this problem by using memcmp_pages(), which on arm64 intentionally reports MTE-tagged pages as non-identical to prevent unsafe merging. As suggested by David[1], this patch adopts the same pattern, replacing the memchr_inv() byte-level check with a call to pages_identical(). This leverages existing architecture-specific logic to determine if a page is truly identical to the shared zeropage. Having both the THP shrinker and KSM rely on pages_identical() makes the design more future-proof, IMO. Instead of handling quirks in generic code, we just let the architecture decide what makes two pages identical. [1] https://lore.kernel.org/all/ca2106a3-4bb2-4457-81af-301fd99fbef4@redhat.com Link: https://lkml.kernel.org/r/20250922021458.68123-1-lance.yang@linux.dev Fixes: b1f202060afe ("mm: remap unused subpages to shared zeropage when splitting isolated thp") Signed-off-by: Lance Yang <lance.yang(a)linux.dev> Reported-by: Qun-wei Lin <Qun-wei.Lin(a)mediatek.com> Closes: https://lore.kernel.org/all/a7944523fcc3634607691c35311a5d59d1a3f8d4.camel@… Suggested-by: David Hildenbrand <david(a)redhat.com> Acked-by: Zi Yan <ziy(a)nvidia.com> Acked-by: David Hildenbrand <david(a)redhat.com> Acked-by: Usama Arif <usamaarif642(a)gmail.com> Reviewed-by: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: andrew.yang <andrew.yang(a)mediatek.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Barry Song <baohua(a)kernel.org> Cc: Byungchul Park <byungchul(a)sk.com> Cc: Charlie Jenkins <charlie(a)rivosinc.com> Cc: Chinwen Chang <chinwen.chang(a)mediatek.com> Cc: Dev Jain <dev.jain(a)arm.com> Cc: Domenico Cerasuolo <cerasuolodomenico(a)gmail.com> Cc: Gregory Price <gourry(a)gourry.net> Cc: "Huang, Ying" <ying.huang(a)linux.alibaba.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Joshua Hahn <joshua.hahnjy(a)gmail.com> Cc: Kairui Song <ryncsn(a)gmail.com> Cc: Kalesh Singh <kaleshsingh(a)google.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Mariano Pache <npache(a)redhat.com> Cc: Mathew Brost <matthew.brost(a)intel.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Palmer Dabbelt <palmer(a)rivosinc.com> Cc: Rakie Kim <rakie.kim(a)sk.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Roman Gushchin <roman.gushchin(a)linux.dev> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Samuel Holland <samuel.holland(a)sifive.com> Cc: Shakeel Butt <shakeel.butt(a)linux.dev> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/huge_memory.c | 15 +++------------ mm/migrate.c | 8 +------- 2 files changed, 4 insertions(+), 19 deletions(-) --- a/mm/huge_memory.c~mm-thp-fix-mte-tag-mismatch-when-replacing-zero-filled-subpages +++ a/mm/huge_memory.c @@ -4115,32 +4115,23 @@ static unsigned long deferred_split_coun static bool thp_underused(struct folio *folio) { int num_zero_pages = 0, num_filled_pages = 0; - void *kaddr; int i; if (khugepaged_max_ptes_none == HPAGE_PMD_NR - 1) return false; for (i = 0; i < folio_nr_pages(folio); i++) { - kaddr = kmap_local_folio(folio, i * PAGE_SIZE); - if (!memchr_inv(kaddr, 0, PAGE_SIZE)) { - num_zero_pages++; - if (num_zero_pages > khugepaged_max_ptes_none) { - kunmap_local(kaddr); + if (pages_identical(folio_page(folio, i), ZERO_PAGE(0))) { + if (++num_zero_pages > khugepaged_max_ptes_none) return true; - } } else { /* * Another path for early exit once the number * of non-zero filled pages exceeds threshold. */ - num_filled_pages++; - if (num_filled_pages >= HPAGE_PMD_NR - khugepaged_max_ptes_none) { - kunmap_local(kaddr); + if (++num_filled_pages >= HPAGE_PMD_NR - khugepaged_max_ptes_none) return false; - } } - kunmap_local(kaddr); } return false; } --- a/mm/migrate.c~mm-thp-fix-mte-tag-mismatch-when-replacing-zero-filled-subpages +++ a/mm/migrate.c @@ -301,9 +301,7 @@ static bool try_to_map_unused_to_zeropag unsigned long idx) { struct page *page = folio_page(folio, idx); - bool contains_data; pte_t newpte; - void *addr; if (PageCompound(page)) return false; @@ -320,11 +318,7 @@ static bool try_to_map_unused_to_zeropag * this subpage has been non present. If the subpage is only zero-filled * then map it to the shared zeropage. */ - addr = kmap_local_page(page); - contains_data = memchr_inv(addr, 0, PAGE_SIZE); - kunmap_local(addr); - - if (contains_data) + if (!pages_identical(page, ZERO_PAGE(0))) return false; newpte = pte_mkspecial(pfn_pte(my_zero_pfn(pvmw->address), _ Patches currently in -mm which might be from lance.yang(a)linux.dev are hung_task-fix-warnings-caused-by-unaligned-lock-pointers.patch mm-thp-fix-mte-tag-mismatch-when-replacing-zero-filled-subpages.patch selftests-mm-skip-soft-dirty-tests-when-config_mem_soft_dirty-is-disabled.patch

1 month, 2 weeks

1
0
0 0

+ fs-proc-task_mmu-check-p-vec_buf-for-null.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: fs/proc/task_mmu: check p->vec_buf for NULL has been added to the -mm mm-hotfixes-unstable branch. Its filename is fs-proc-task_mmu-check-p-vec_buf-for-null.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Jakub Acs <acsjakub(a)amazon.de> Subject: fs/proc/task_mmu: check p->vec_buf for NULL Date: Mon, 22 Sep 2025 08:22:05 +0000 When the PAGEMAP_SCAN ioctl is invoked with vec_len = 0 reaches pagemap_scan_backout_range(), kernel panics with null-ptr-deref: [ 44.936808] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 44.937797] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 44.938391] CPU: 1 UID: 0 PID: 2480 Comm: reproducer Not tainted 6.17.0-rc6 #22 PREEMPT(none) [ 44.939062] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 44.939935] RIP: 0010:pagemap_scan_thp_entry.isra.0+0x741/0xa80 <snip registers, unreliable trace> [ 44.946828] Call Trace: [ 44.947030] <TASK> [ 44.949219] pagemap_scan_pmd_entry+0xec/0xfa0 [ 44.952593] walk_pmd_range.isra.0+0x302/0x910 [ 44.954069] walk_pud_range.isra.0+0x419/0x790 [ 44.954427] walk_p4d_range+0x41e/0x620 [ 44.954743] walk_pgd_range+0x31e/0x630 [ 44.955057] __walk_page_range+0x160/0x670 [ 44.956883] walk_page_range_mm+0x408/0x980 [ 44.958677] walk_page_range+0x66/0x90 [ 44.958984] do_pagemap_scan+0x28d/0x9c0 [ 44.961833] do_pagemap_cmd+0x59/0x80 [ 44.962484] __x64_sys_ioctl+0x18d/0x210 [ 44.962804] do_syscall_64+0x5b/0x290 [ 44.963111] entry_SYSCALL_64_after_hwframe+0x76/0x7e vec_len = 0 in pagemap_scan_init_bounce_buffer() means no buffers are allocated and p->vec_buf remains set to NULL. This breaks an assumption made later in pagemap_scan_backout_range(), that page_region is always allocated for p->vec_buf_index. Fix it by explicitly checking p->vec_buf for NULL before dereferencing. Other sites that might run into same deref-issue are already (directly or transitively) protected by checking p->vec_buf. Note: From PAGEMAP_SCAN man page, it seems vec_len = 0 is valid when no output is requested and it's only the side effects caller is interested in, hence it passes check in pagemap_scan_get_args(). This issue was found by syzkaller. Link: https://lkml.kernel.org/r/20250922082206.6889-1-acsjakub@amazon.de Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs") Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> Reviewed-by: Muhammad Usama Anjum <usama.anjum(a)collabora.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Jinjiang Tu <tujinjiang(a)huawei.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Penglei Jiang <superman.xpt(a)gmail.com> Cc: Mark Brown <broonie(a)kernel.org> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Andrei Vagin <avagin(a)gmail.com> Cc: "Micha�� Miros��aw" <mirq-linux(a)rere.qmqm.pl> Cc: Stephen Rothwell <sfr(a)canb.auug.org.au> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/task_mmu.c | 3 +++ 1 file changed, 3 insertions(+) --- a/fs/proc/task_mmu.c~fs-proc-task_mmu-check-p-vec_buf-for-null +++ a/fs/proc/task_mmu.c @@ -2417,6 +2417,9 @@ static void pagemap_scan_backout_range(s { struct page_region *cur_buf = &p->vec_buf[p->vec_buf_index]; + if (!p->vec_buf) + return; + if (cur_buf->start != addr) cur_buf->end = addr; else _ Patches currently in -mm which might be from acsjakub(a)amazon.de are fs-proc-task_mmu-check-p-vec_buf-for-null.patch

1 month, 2 weeks

1
0
0 0

[PATCH 6.6 ONLY] s390/cpum_cf: Fix uninitialized warning after backport of ce971233242b

by Nathan Chancellor

Upstream commit ce971233242b ("s390/cpum_cf: Deny all sampling events by counter PMU"), backported to 6.6 as commit d660c8d8142e ("s390/cpum_cf: Deny all sampling events by counter PMU"), implicitly depends on the unconditional initialization of err to -ENOENT added by upstream commit aa1ac98268cd ("s390/cpumf: Fix double free on error in cpumf_pmu_event_init()"). The latter change is missing from 6.6, resulting in an instance of -Wuninitialized, which is fairly obvious from looking at the actual diff. arch/s390/kernel/perf_cpum_cf.c:858:10: warning: variable 'err' is uninitialized when used here [-Wuninitialized] 858 | return err; | ^~~ Commit aa1ac98268cd ("s390/cpumf: Fix double free on error in cpumf_pmu_event_init()") depends on commit c70ca298036c ("perf/core: Simplify the perf_event_alloc() error path"), which is a part of a much larger series unsuitable for stable. Extract the unconditional initialization of err to -ENOENT from commit aa1ac98268cd ("s390/cpumf: Fix double free on error in cpumf_pmu_event_init()") and apply it to 6.6 as a standalone change to resolve the warning. Fixes: d660c8d8142e ("s390/cpum_cf: Deny all sampling events by counter PMU") Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- This was reported on 6.1 and the offending commit was dropped but 6.6 suffered from the same issue (I am surprised LKFT's testing caught it in the 6.1 case but not 6.6...): https://lore.kernel.org/CADYN=9Li3gHMJ+weE0khMBmpS1Wcj-XaUeaUZg2Nxdz0qY9sdg… As it is already released, I figured I would just submit a fixup patch, which could also be used to fix the issue in 6.1. --- arch/s390/kernel/perf_cpum_cf.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/arch/s390/kernel/perf_cpum_cf.c b/arch/s390/kernel/perf_cpum_cf.c index 771e1cb17540..e590b4c09625 100644 --- a/arch/s390/kernel/perf_cpum_cf.c +++ b/arch/s390/kernel/perf_cpum_cf.c @@ -852,7 +852,7 @@ static int cpumf_pmu_event_type(struct perf_event *event) static int cpumf_pmu_event_init(struct perf_event *event) { unsigned int type = event->attr.type; - int err; + int err = -ENOENT; if (is_sampling_event(event)) /* No sampling support */ return err; @@ -861,8 +861,6 @@ static int cpumf_pmu_event_init(struct perf_event *event) else if (event->pmu->type == type) /* Registered as unknown PMU */ err = __hw_perf_event_init(event, cpumf_pmu_event_type(event)); - else - return -ENOENT; if (unlikely(err) && event->destroy) event->destroy(event); --- base-commit: af1544b5d072514b219695b0a9fba0b1e0d5e289 change-id: 20250922-6-6-s390-cpum_cf-fix-uninit-err-010876c3d58c Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

1 month, 2 weeks

1
0
0 0

[tip: x86/urgent] x86/topology: Implement topology_is_core_online() to address SMT regression

by tip-bot2 for Thomas Gleixner

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: 2066f00e5b2dc061fb6d8c88fadaebc97f11feaa Gitweb: https://git.kernel.org/tip/2066f00e5b2dc061fb6d8c88fadaebc97f11feaa Author: Thomas Gleixner <tglx(a)linutronix.de> AuthorDate: Sun, 21 Sep 2025 10:56:40 +02:00 Committer: Borislav Petkov (AMD) <bp(a)alien8.de> CommitterDate: Mon, 22 Sep 2025 21:25:36 +02:00 x86/topology: Implement topology_is_core_online() to address SMT regression Christian reported that commit a430c11f4015 ("intel_idle: Rescan "dead" SMT siblings during initialization") broke the use case in which both 'nosmt' and 'maxcpus' are on the kernel command line because it onlines primary threads, which were offline due to the maxcpus limit. The initially proposed fix to skip primary threads in the loop is inconsistent. While it prevents the primary thread to be onlined, it then onlines the corresponding hyperthread(s), which does not really make sense. The CPU iterator in cpuhp_smt_enable() contains a check which excludes all threads of a core, when the primary thread is offline. The default implementation is a NOOP and therefore not effective on x86. Implement topology_is_core_online() on x86 to address this issue. This makes the behaviour consistent between x86 and PowerPC. Fixes: a430c11f4015 ("intel_idle: Rescan "dead" SMT siblings during initialization") Fixes: f694481b1d31 ("ACPI: processor: Rescan "dead" SMT siblings during initialization") Closes: https://lore.kernel.org/linux-pm/724616a2-6374-4ba3-8ce3-ea9c45e2ae3b@arm.c… Reported-by: Christian Loehle <christian.loehle(a)arm.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Reviewed-by: Rafael J. Wysocki (Intel) <rafael(a)kernel.org> Tested-by: Christian Loehle <christian.loehle(a)arm.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/12740505.O9o76ZdvQC@rafael.j.wysocki --- arch/x86/include/asm/topology.h | 10 ++++++++++ arch/x86/kernel/cpu/topology.c | 13 +++++++++++++ 2 files changed, 23 insertions(+) diff --git a/arch/x86/include/asm/topology.h b/arch/x86/include/asm/topology.h index 6c79ee7..2104189 100644 --- a/arch/x86/include/asm/topology.h +++ b/arch/x86/include/asm/topology.h @@ -231,6 +231,16 @@ static inline bool topology_is_primary_thread(unsigned int cpu) } #define topology_is_primary_thread topology_is_primary_thread +int topology_get_primary_thread(unsigned int cpu); + +static inline bool topology_is_core_online(unsigned int cpu) +{ + int pcpu = topology_get_primary_thread(cpu); + + return pcpu >= 0 ? cpu_online(pcpu) : false; +} +#define topology_is_core_online topology_is_core_online + #else /* CONFIG_SMP */ static inline int topology_phys_to_logical_pkg(unsigned int pkg) { return 0; } static inline int topology_max_smt_threads(void) { return 1; } diff --git a/arch/x86/kernel/cpu/topology.c b/arch/x86/kernel/cpu/topology.c index e35ccdc..6073a16 100644 --- a/arch/x86/kernel/cpu/topology.c +++ b/arch/x86/kernel/cpu/topology.c @@ -372,6 +372,19 @@ unsigned int topology_unit_count(u32 apicid, enum x86_topology_domains which_uni return topo_unit_count(lvlid, at_level, apic_maps[which_units].map); } +#ifdef CONFIG_SMP +int topology_get_primary_thread(unsigned int cpu) +{ + u32 apic_id = cpuid_to_apicid[cpu]; + + /* + * Get the core domain level APIC id, which is the primary thread + * and return the CPU number assigned to it. + */ + return topo_lookup_cpuid(topo_apicid(apic_id, TOPO_CORE_DOMAIN)); +} +#endif + #ifdef CONFIG_ACPI_HOTPLUG_CPU /** * topology_hotplug_apic - Handle a physical hotplugged APIC after boot

1 month, 2 weeks

1
0
0 0

[PATCH] of: unittest: Fix device reference count leak in of_unittest_pci_node_verify

by Ma Ke

In of_unittest_pci_node_verify(), when the add parameter is false, device_find_any_child() obtains a reference to a child device. This function implicitly calls get_device() to increment the device's reference count before returning the pointer. However, the caller fails to properly release this reference by calling put_device(), leading to a device reference count leak. As the comment of device_find_any_child states: "NOTE: you will need to drop the reference with put_device() after use". Cc: stable(a)vger.kernel.org Fixes: 26409dd04589 ("of: unittest: Add pci_dt_testdrv pci driver") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/of/unittest.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c index e3503ec20f6c..d225e73781fe 100644 --- a/drivers/of/unittest.c +++ b/drivers/of/unittest.c @@ -4271,7 +4271,7 @@ static struct platform_driver unittest_pci_driver = { static int of_unittest_pci_node_verify(struct pci_dev *pdev, bool add) { struct device_node *pnp, *np = NULL; - struct device *child_dev; + struct device *child_dev = NULL; char *path = NULL; const __be32 *reg; int rc = 0; @@ -4306,6 +4306,8 @@ static int of_unittest_pci_node_verify(struct pci_dev *pdev, bool add) kfree(path); if (np) of_node_put(np); + if (child_dev) + put_device(child_dev); return rc; } -- 2.17.1

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092107-making-cough-9671@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 Mon Sep 17 00:00:00 2001 From: Herbert Xu <herbert(a)gondor.apana.org.au> Date: Tue, 16 Sep 2025 17:20:59 +0800 Subject: [PATCH] crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing. Fixes: 8ff590903d5 ("crypto: algif_skcipher - User-space interface for skcipher operations") Reported-by: Muhammad Alifa Ramdhan <ramdhan(a)starlabs.sg> Reported-by: Bing-Jhong Billy Jheng <billy(a)starlabs.sg> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/crypto/af_alg.c b/crypto/af_alg.c index 407f2c238f2c..ca6fdcc6c54a 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -970,6 +970,12 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, } lock_sock(sk); + if (ctx->write) { + release_sock(sk); + return -EBUSY; + } + ctx->write = true; + if (ctx->init && !ctx->more) { if (ctx->used) { err = -EINVAL; @@ -1105,6 +1111,7 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, unlock: af_alg_data_wakeup(sk); + ctx->write = false; release_sock(sk); return copied ?: err; diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h index f7b3b93f3a49..0c70f3a55575 100644 --- a/include/crypto/if_alg.h +++ b/include/crypto/if_alg.h @@ -135,6 +135,7 @@ struct af_alg_async_req { * SG? * @enc: Cryptographic operation to be performed when * recvmsg is invoked. + * @write: True if we are in the middle of a write. * @init: True if metadata has been sent. * @len: Length of memory allocated for this data structure. * @inflight: Non-zero when AIO requests are in flight. @@ -151,10 +152,11 @@ struct af_alg_ctx { size_t used; atomic_t rcvused; - bool more; - bool merge; - bool enc; - bool init; + u32 more:1, + merge:1, + enc:1, + write:1, + init:1; unsigned int len;

1 month, 2 weeks

2
2
0 0

[PATCH v6] ACPI: battery: prevent sysfs_add_battery re-entry on rapid events

by GuangFei Luo

When removing and reinserting the laptop battery, ACPI can trigger two notifications in quick succession: - ACPI_BATTERY_NOTIFY_STATUS (0x80) - ACPI_BATTERY_NOTIFY_INFO (0x81) Both notifications call acpi_battery_update(). Because the events happen very close in time, sysfs_add_battery() can be re-entered before battery->bat is set, causing a duplicate sysfs entry error. When the ACPI battery driver uses acpi_dev_install_notify_handler() to register acpi_battery_notify, the callback may be triggered twice in a very short period of time. This patch ensures that sysfs_add_battery() is not re-entered when battery->bat is already non-NULL, preventing the duplicate sysfs creation and stabilizing battery hotplug handling. [ 476.117945] sysfs: cannot create duplicate filename '/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0A:00/power_supply/BAT1' [ 476.118896] CPU: 1 UID: 0 PID: 185 Comm: kworker/1:4 Kdump: loaded Not tainted 6.12.38+deb13-amd64 #1 Debian 6.12.38-1 [ 476.118903] Hardware name: Gateway NV44 /SJV40-MV , BIOS V1.3121 04/08/2009 [ 476.118906] Workqueue: kacpi_notify acpi_os_execute_deferred [ 476.118917] Call Trace: [ 476.118922] <TASK> [ 476.118929] dump_stack_lvl+0x5d/0x80 [ 476.118938] sysfs_warn_dup.cold+0x17/0x23 [ 476.118943] sysfs_create_dir_ns+0xce/0xe0 [ 476.118952] kobject_add_internal+0xba/0x250 [ 476.118959] kobject_add+0x96/0xc0 [ 476.118964] ? get_device_parent+0xde/0x1e0 [ 476.118970] device_add+0xe2/0x870 [ 476.118975] __power_supply_register.part.0+0x20f/0x3f0 [ 476.118981] ? wake_up_q+0x4e/0x90 [ 476.118990] sysfs_add_battery+0xa4/0x1d0 [battery] [ 476.118998] acpi_battery_update+0x19e/0x290 [battery] [ 476.119002] acpi_battery_notify+0x50/0x120 [battery] [ 476.119006] acpi_ev_notify_dispatch+0x49/0x70 [ 476.119012] acpi_os_execute_deferred+0x1a/0x30 [ 476.119015] process_one_work+0x177/0x330 [ 476.119022] worker_thread+0x251/0x390 [ 476.119026] ? __pfx_worker_thread+0x10/0x10 [ 476.119030] kthread+0xd2/0x100 [ 476.119033] ? __pfx_kthread+0x10/0x10 [ 476.119035] ret_from_fork+0x34/0x50 [ 476.119040] ? __pfx_kthread+0x10/0x10 [ 476.119042] ret_from_fork_asm+0x1a/0x30 [ 476.119049] </TASK> [ 476.142552] kobject: kobject_add_internal failed for BAT1 with -EEXIST, don't try to register things with the same name in the same directory. [ 476.415022] ata1.00: unexpected _GTF length (8) [ 476.428076] sd 0:0:0:0: [sda] Starting disk [ 476.835035] ata1.00: unexpected _GTF length (8) [ 476.839720] ata1.00: configured for UDMA/133 [ 491.328831] sysfs: cannot create duplicate filename '/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0A:00/power_supply/BAT1' [ 491.329720] CPU: 1 UID: 0 PID: 185 Comm: kworker/1:4 Kdump: loaded Not tainted 6.12.38+deb13-amd64 #1 Debian 6.12.38-1 [ 491.329727] Hardware name: Gateway NV44 /SJV40-MV , BIOS V1.3121 04/08/2009 [ 491.329731] Workqueue: kacpi_notify acpi_os_execute_deferred [ 491.329741] Call Trace: [ 491.329745] <TASK> [ 491.329751] dump_stack_lvl+0x5d/0x80 [ 491.329758] sysfs_warn_dup.cold+0x17/0x23 [ 491.329762] sysfs_create_dir_ns+0xce/0xe0 [ 491.329770] kobject_add_internal+0xba/0x250 [ 491.329775] kobject_add+0x96/0xc0 [ 491.329779] ? get_device_parent+0xde/0x1e0 [ 491.329784] device_add+0xe2/0x870 [ 491.329790] __power_supply_register.part.0+0x20f/0x3f0 [ 491.329797] sysfs_add_battery+0xa4/0x1d0 [battery] [ 491.329805] acpi_battery_update+0x19e/0x290 [battery] [ 491.329809] acpi_battery_notify+0x50/0x120 [battery] [ 491.329812] acpi_ev_notify_dispatch+0x49/0x70 [ 491.329817] acpi_os_execute_deferred+0x1a/0x30 [ 491.329820] process_one_work+0x177/0x330 [ 491.329826] worker_thread+0x251/0x390 [ 491.329830] ? __pfx_worker_thread+0x10/0x10 [ 491.329833] kthread+0xd2/0x100 [ 491.329836] ? __pfx_kthread+0x10/0x10 [ 491.329838] ret_from_fork+0x34/0x50 [ 491.329842] ? __pfx_kthread+0x10/0x10 [ 491.329844] ret_from_fork_asm+0x1a/0x30 [ 491.329850] </TASK> [ 491.329855] kobject: kobject_add_internal failed for BAT1 with -EEXIST, don't try to register things with the same name in the same directory. Fixes: 10666251554c ("ACPI: battery: Install Notify() handler directly") Signed-off-by: GuangFei Luo <luogf2025(a)163.com> Cc: stable(a)vger.kernel.org --- v6: - Update Fixes tag: point to commit 10666251554c ("ACPI: battery: Install Notify() handler directly"), which introduced the sysfs_add_battery() re-entry issue when acpi_battery_notify is registered via acpi_dev_install_notify_handler(). The problem does not occur with acpi_bus_register_driver(). v5: - Move changelog above the '---' line as per submission guidelines. v4: - Uses guard(mutex) for battery->sysfs_lock in sysfs_add_battery(). - Since sysfs_add_battery() now handles the battery->bat check with proper locking,the extra if (!battery->bat) check at the call site has become redundant. v3: - Modified the earlier approach: since sysfs_add_battery() is invoked from multiple places, the most reliable way is to add the lock inside the function itself. - sysfs_remove_battery() had a similar race issue in the past, which was fixed by adding a lock as well. Reference: https://lore.kernel.org/all/9c921c22a7f33397a6774d7fa076db9b6a0fd669 .1312318300.git.len.brown(a)intel.com/ v2: - Fix missing mutex_unlock in acpi_battery_update() (Reported-by: kernel test robot) v1: - Initial patch to handle race when hotplugging battery, preventing duplicate sysfs entries. --- drivers/acpi/battery.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c index 6905b56bf3e4..20d68f3e881f 100644 --- a/drivers/acpi/battery.c +++ b/drivers/acpi/battery.c @@ -850,6 +850,10 @@ static void __exit battery_hook_exit(void) static int sysfs_add_battery(struct acpi_battery *battery) { + guard(mutex)(&battery->sysfs_lock); + if (battery->bat) + return 0; + struct power_supply_config psy_cfg = { .drv_data = battery, .attr_grp = acpi_battery_groups, @@ -1026,11 +1030,9 @@ static int acpi_battery_update(struct acpi_battery *battery, bool resume) return result; acpi_battery_quirks(battery); - if (!battery->bat) { - result = sysfs_add_battery(battery); - if (result) - return result; - } + result = sysfs_add_battery(battery); + if (result) + return result; /* * Wakeup the system if battery is critical low @@ -1112,12 +1114,12 @@ static int battery_notify(struct notifier_block *nb, result = acpi_battery_get_info(battery); if (result) return result; - - result = sysfs_add_battery(battery); - if (result) - return result; } + result = sysfs_add_battery(battery); + if (result) + return result; + acpi_battery_init_alarm(battery); acpi_battery_get_state(battery); break; -- 2.43.0

1 month, 2 weeks

2
1
0 0

[PATCH] Revert "loop: Avoid updating block size under exclusive owner"

by Eric Hagberg

This reverts commit ce8da5d13d8c ("loop: Avoid updating block size under exclusive owner") for the 6.6 kernel, because if the LTP ioctl_loop06 test is run with this patch in place, the test will fail, it leaves the host unable to kexec into the kernel again (hangs forever) and "losetup -a" will hang on attempting to access the /dev/loopN device that the test has set up. The patch doesn't need to be reverted from 6.12, as it works fine there. Cc: stable(a)vger.kernel.org # 6.6.x Signed-off-by: Eric Hagberg <ehagberg(a)janestreet.com> --- --- b/drivers/block/loop.c +++ a/drivers/block/loop.c @@ -1472,36 +1472,19 @@ return error; } +static int loop_set_block_size(struct loop_device *lo, unsigned long arg) -static int loop_set_block_size(struct loop_device *lo, blk_mode_t mode, - struct block_device *bdev, unsigned long arg) { int err = 0; + if (lo->lo_state != Lo_bound) + return -ENXIO; - /* - * If we don't hold exclusive handle for the device, upgrade to it - * here to avoid changing device under exclusive owner. - */ - if (!(mode & BLK_OPEN_EXCL)) { - err = bd_prepare_to_claim(bdev, loop_set_block_size, NULL); - if (err) - return err; - } - - err = mutex_lock_killable(&lo->lo_mutex); - if (err) - goto abort_claim; - - if (lo->lo_state != Lo_bound) { - err = -ENXIO; - goto unlock; - } err = blk_validate_block_size(arg); if (err) return err; if (lo->lo_queue->limits.logical_block_size == arg) + return 0; - goto unlock; sync_blockdev(lo->lo_device); invalidate_bdev(lo->lo_device); @@ -1513,11 +1496,6 @@ loop_update_dio(lo); blk_mq_unfreeze_queue(lo->lo_queue); -unlock: - mutex_unlock(&lo->lo_mutex); -abort_claim: - if (!(mode & BLK_OPEN_EXCL)) - bd_abort_claiming(bdev, loop_set_block_size); return err; } @@ -1536,6 +1514,9 @@ case LOOP_SET_DIRECT_IO: err = loop_set_dio(lo, arg); break; + case LOOP_SET_BLOCK_SIZE: + err = loop_set_block_size(lo, arg); + break; default: err = -EINVAL; } @@ -1590,12 +1571,9 @@ break; case LOOP_GET_STATUS64: return loop_get_status64(lo, argp); - case LOOP_SET_BLOCK_SIZE: - if (!(mode & BLK_OPEN_WRITE) && !capable(CAP_SYS_ADMIN)) - return -EPERM; - return loop_set_block_size(lo, mode, bdev, arg); case LOOP_SET_CAPACITY: case LOOP_SET_DIRECT_IO: + case LOOP_SET_BLOCK_SIZE: if (!(mode & BLK_OPEN_WRITE) && !capable(CAP_SYS_ADMIN)) return -EPERM; fallthrough;

1 month, 2 weeks

1
0
0 0

[PATCH v2] scsi: dc395x: correctly discard the return value in certain reads

by Xinhui Yang

There are certain read operations performed in this code which doesn't really don't need its return value. Those read operations either clears the FIFO buffer, or clears the interruption status. However, unused read triggers compiler warnings. With CONFIG_WERROR on, these warnings get converted into errors: drivers/scsi/dc395x.c: In function ‘__dc395x_eh_bus_reset’: drivers/scsi/dc395x.c:97:49: error: value computed is not used [-Werror=unused-value] 97 | #define DC395x_read8(acb,address) (u8)(inb(acb->io_port_base + (address))) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/dc395x.c:1003:9: note: in expansion of macro ‘DC395x_read8’ 1003 | DC395x_read8(acb, TRM_S1040_SCSI_INTSTATUS); | ^~~~~~~~~~~~ drivers/scsi/dc395x.c: In function ‘data_io_transfer’: drivers/scsi/dc395x.c:97:49: error: value computed is not used [-Werror=unused-value] 97 | #define DC395x_read8(acb,address) (u8)(inb(acb->io_port_base + (address))) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/dc395x.c:2032:33: note: in expansion of macro ‘DC395x_read8’ 2032 | DC395x_read8(acb, TRM_S1040_SCSI_FIFO); Create a new macro DC395x_peek8() to deliberately cast the return value to void, which tells the compiler we really don't need the return value of such read operations. Other changes: * Also slightly modify the formatting of the DC395x_* macros. Cc: stable(a)vger.kernel.org Signed-off-by: Xinhui Yang <cyan(a)cyano.uk> --- Changes since v1 [1]: - Add Cc: tag to include this patch to the stable tree. - Add additional description about the formatting changes. [1]: https://lore.kernel.org/linux-scsi/20250922143619.824129-1-cyan@cyano.uk --- drivers/scsi/dc395x.c | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c index 386c8359e1cc..013d0d5277d6 100644 --- a/drivers/scsi/dc395x.c +++ b/drivers/scsi/dc395x.c @@ -91,15 +91,21 @@ #endif -#define DC395x_LOCK_IO(dev,flags) spin_lock_irqsave(((struct Scsi_Host *)dev)->host_lock, flags) -#define DC395x_UNLOCK_IO(dev,flags) spin_unlock_irqrestore(((struct Scsi_Host *)dev)->host_lock, flags) +#define DC395x_LOCK_IO(dev, flags) spin_lock_irqsave(((struct Scsi_Host *)dev)->host_lock, flags) +#define DC395x_UNLOCK_IO(dev, flags) spin_unlock_irqrestore(((struct Scsi_Host *)dev)->host_lock, flags) -#define DC395x_read8(acb,address) (u8)(inb(acb->io_port_base + (address))) -#define DC395x_read16(acb,address) (u16)(inw(acb->io_port_base + (address))) -#define DC395x_read32(acb,address) (u32)(inl(acb->io_port_base + (address))) -#define DC395x_write8(acb,address,value) outb((value), acb->io_port_base + (address)) -#define DC395x_write16(acb,address,value) outw((value), acb->io_port_base + (address)) -#define DC395x_write32(acb,address,value) outl((value), acb->io_port_base + (address)) +/* + * read operations that may trigger side effects in the hardware, + * but the value can or should be discarded. + */ +#define DC395x_peek8(acb, address) ((void)(inb(acb->io_port_base + (address)))) +/* Normal read write operations goes here. */ +#define DC395x_read8(acb, address) ((u8) (inb(acb->io_port_base + (address)))) +#define DC395x_read16(acb, address) ((u16) (inw(acb->io_port_base + (address)))) +#define DC395x_read32(acb, address) ((u32) (inl(acb->io_port_base + (address)))) +#define DC395x_write8(acb, address, value) (outb((value), acb->io_port_base + (address))) +#define DC395x_write16(acb, address, value) (outw((value), acb->io_port_base + (address))) +#define DC395x_write32(acb, address, value) (outl((value), acb->io_port_base + (address))) #define TAG_NONE 255 @@ -1000,7 +1006,7 @@ static int __dc395x_eh_bus_reset(struct scsi_cmnd *cmd) DC395x_write8(acb, TRM_S1040_DMA_CONTROL, CLRXFIFO); clear_fifo(acb, "eh_bus_reset"); /* Delete pending IRQ */ - DC395x_read8(acb, TRM_S1040_SCSI_INTSTATUS); + DC395x_peek8(acb, TRM_S1040_SCSI_INTSTATUS); set_basic_config(acb); reset_dev_param(acb); @@ -2029,8 +2035,8 @@ static void data_io_transfer(struct AdapterCtlBlk *acb, DC395x_write8(acb, TRM_S1040_SCSI_CONFIG2, CFG2_WIDEFIFO); if (io_dir & DMACMD_DIR) { - DC395x_read8(acb, TRM_S1040_SCSI_FIFO); - DC395x_read8(acb, TRM_S1040_SCSI_FIFO); + DC395x_peek8(acb, TRM_S1040_SCSI_FIFO); + DC395x_peek8(acb, TRM_S1040_SCSI_FIFO); } else { /* Danger, Robinson: If you find KGs * scattered over the wide disk, the driver @@ -2044,7 +2050,7 @@ static void data_io_transfer(struct AdapterCtlBlk *acb, /* Danger, Robinson: If you find a collection of Ks on your disk * something broke :-( */ if (io_dir & DMACMD_DIR) - DC395x_read8(acb, TRM_S1040_SCSI_FIFO); + DC395x_peek8(acb, TRM_S1040_SCSI_FIFO); else DC395x_write8(acb, TRM_S1040_SCSI_FIFO, 'K'); } @@ -2892,7 +2898,7 @@ static void set_basic_config(struct AdapterCtlBlk *acb) DMA_FIFO_HALF_HALF | DMA_ENHANCE /*| DMA_MEM_MULTI_READ */ ; DC395x_write16(acb, TRM_S1040_DMA_CONFIG, wval); /* Clear pending interrupt status */ - DC395x_read8(acb, TRM_S1040_SCSI_INTSTATUS); + DC395x_peek8(acb, TRM_S1040_SCSI_INTSTATUS); /* Enable SCSI interrupt */ DC395x_write8(acb, TRM_S1040_SCSI_INTEN, 0x7F); DC395x_write8(acb, TRM_S1040_DMA_INTEN, EN_SCSIINTR | EN_DMAXFERERROR @@ -3799,7 +3805,7 @@ static void adapter_uninit_chip(struct AdapterCtlBlk *acb) reset_scsi_bus(acb); /* clear any pending interrupt state */ - DC395x_read8(acb, TRM_S1040_SCSI_INTSTATUS); + DC395x_peek8(acb, TRM_S1040_SCSI_INTSTATUS); } -- 2.51.0

1 month, 2 weeks

2
1
0 0

[PATCH v2] powerpc/smp: Add check for kcalloc() failure in parse_thread_groups()

by Guangshuo Li

As kcalloc() may fail, check its return value to avoid a NULL pointer dereference when passing it to of_property_read_u32_array(). Fixes: 790a1662d3a26 ("powerpc/smp: Parse ibm,thread-groups with multiple properties") Cc: stable(a)vger.kernel.org --- changelog: v2: - Return -ENOMEM directly on allocation failure. Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- arch/powerpc/kernel/smp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c index 5ac7084eebc0..cfccb9389760 100644 --- a/arch/powerpc/kernel/smp.c +++ b/arch/powerpc/kernel/smp.c @@ -822,6 +822,8 @@ static int parse_thread_groups(struct device_node *dn, count = of_property_count_u32_elems(dn, "ibm,thread-groups"); thread_group_array = kcalloc(count, sizeof(u32), GFP_KERNEL); + if (!thread_group_array) + return -ENOMEM; ret = of_property_read_u32_array(dn, "ibm,thread-groups", thread_group_array, count); if (ret) -- 2.43.0

1 month, 2 weeks

3
4
0 0

[PATCH 6.17 REGRESSION FIX] gpiolib: acpi: Make set debounce errors non fatal

by Hans de Goede

Commit 16c07342b542 ("gpiolib: acpi: Program debounce when finding GPIO") adds a gpio_set_debounce_timeout() call to acpi_find_gpio() and makes acpi_find_gpio() fail if this fails. But gpio_set_debounce_timeout() failing is a somewhat normal occurrence, since not all debounce values are supported on all GPIO/pinctrl chips. Making this an error for example break getting the card-detect GPIO for the micro-sd slot found on many Bay Trail tablets, breaking support for the micro-sd slot on these tablets. acpi_request_own_gpiod() already treats gpio_set_debounce_timeout() failures as non-fatal, just warning about them. Add a acpi_gpio_set_debounce_timeout() helper which wraps gpio_set_debounce_timeout() and warns on failures and replace both existing gpio_set_debounce_timeout() calls with the helper. Since the helper only warns on failures this fixes the card-detect issue. Fixes: 16c07342b542 ("gpiolib: acpi: Program debounce when finding GPIO") Cc: stable(a)vger.kernel.org Cc: Mario Limonciello <superm1(a)kernel.org> Signed-off-by: Hans de Goede <hansg(a)kernel.org> --- drivers/gpio/gpiolib-acpi-core.c | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/drivers/gpio/gpiolib-acpi-core.c b/drivers/gpio/gpiolib-acpi-core.c index 284e762d92c4..67c4c38afb86 100644 --- a/drivers/gpio/gpiolib-acpi-core.c +++ b/drivers/gpio/gpiolib-acpi-core.c @@ -291,6 +291,19 @@ acpi_gpio_to_gpiod_flags(const struct acpi_resource_gpio *agpio, int polarity) return GPIOD_ASIS; } +static void acpi_gpio_set_debounce_timeout(struct gpio_desc *desc, + unsigned int acpi_debounce) +{ + int ret; + + /* ACPI uses hundredths of milliseconds units */ + acpi_debounce *= 10; + ret = gpio_set_debounce_timeout(desc, acpi_debounce); + if (ret) + gpiod_warn(desc, "Failed to set debounce-timeout %u: %d\n", + acpi_debounce, ret); +} + static struct gpio_desc *acpi_request_own_gpiod(struct gpio_chip *chip, struct acpi_resource_gpio *agpio, unsigned int index, @@ -300,18 +313,12 @@ static struct gpio_desc *acpi_request_own_gpiod(struct gpio_chip *chip, enum gpiod_flags flags = acpi_gpio_to_gpiod_flags(agpio, polarity); unsigned int pin = agpio->pin_table[index]; struct gpio_desc *desc; - int ret; desc = gpiochip_request_own_desc(chip, pin, label, polarity, flags); if (IS_ERR(desc)) return desc; - /* ACPI uses hundredths of milliseconds units */ - ret = gpio_set_debounce_timeout(desc, agpio->debounce_timeout * 10); - if (ret) - dev_warn(chip->parent, - "Failed to set debounce-timeout for pin 0x%04X, err %d\n", - pin, ret); + acpi_gpio_set_debounce_timeout(desc, agpio->debounce_timeout); return desc; } @@ -944,7 +951,6 @@ struct gpio_desc *acpi_find_gpio(struct fwnode_handle *fwnode, bool can_fallback = acpi_can_fallback_to_crs(adev, con_id); struct acpi_gpio_info info = {}; struct gpio_desc *desc; - int ret; desc = __acpi_find_gpio(fwnode, con_id, idx, can_fallback, &info); if (IS_ERR(desc)) @@ -959,10 +965,7 @@ struct gpio_desc *acpi_find_gpio(struct fwnode_handle *fwnode, acpi_gpio_update_gpiod_flags(dflags, &info); acpi_gpio_update_gpiod_lookup_flags(lookupflags, &info); - /* ACPI uses hundredths of milliseconds units */ - ret = gpio_set_debounce_timeout(desc, info.debounce * 10); - if (ret) - return ERR_PTR(ret); + acpi_gpio_set_debounce_timeout(desc, info.debounce); return desc; } -- 2.51.0

1 month, 2 weeks

4
6
0 0

[PATCH v2] ASoC: mediatek: mt8365: Add check for devm_kcalloc() in mt8365_afe_suspend()

by Guangshuo Li

devm_kcalloc() may fail. mt8365_afe_suspend() uses afe->reg_back_up unconditionally after allocation and writes afe->reg_back_up[i], which can lead to a NULL pointer dereference under low-memory conditions. Add a NULL check and bail out with -ENOMEM, making sure to disable the main clock via the existing error path to keep clock state balanced. Fixes: e1991d102bc2 ("ASoC: mediatek: mt8365: Add the AFE driver support") Cc: stable(a)vger.kernel.org --- changelog: v2: - Return -ENOMEM directly on allocation failure without goto/label. - Disable the main clock before returning to keep clock state balanced. Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- sound/soc/mediatek/mt8365/mt8365-afe-pcm.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c b/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c index 10793bbe9275..55d832e05072 100644 --- a/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c +++ b/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c @@ -1975,11 +1975,15 @@ static int mt8365_afe_suspend(struct device *dev) mt8365_afe_enable_main_clk(afe); - if (!afe->reg_back_up) + if (!afe->reg_back_up) { afe->reg_back_up = devm_kcalloc(dev, afe->reg_back_up_list_num, - sizeof(unsigned int), GFP_KERNEL); - + sizeof(unsigned int), GFP_KERNEL); + if (!afe->reg_back_up) { + mt8365_afe_disable_main_clk(afe); + return -ENOMEM; + } + } for (i = 0; i < afe->reg_back_up_list_num; i++) regmap_read(regmap, afe->reg_back_up_list[i], &afe->reg_back_up[i]); -- 2.43.0

1 month, 2 weeks

2
1
0 0

[tip: x86/urgent] x86/Kconfig: Reenable PTDUMP on i386

by tip-bot2 for Alexander Popov

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: 4f115596133fa168bac06bb34c6efd8f4d84c22e Gitweb: https://git.kernel.org/tip/4f115596133fa168bac06bb34c6efd8f4d84c22e Author: Alexander Popov <alex.popov(a)linux.com> AuthorDate: Sun, 21 Sep 2025 23:58:15 +03:00 Committer: Borislav Petkov (AMD) <bp(a)alien8.de> CommitterDate: Mon, 22 Sep 2025 14:40:17 +02:00 x86/Kconfig: Reenable PTDUMP on i386 The commit f9aad622006bd64c ("mm: rename GENERIC_PTDUMP and PTDUMP_CORE") has broken PTDUMP and the Kconfig options that use it on ARCH=i386, including CONFIG_DEBUG_WX. CONFIG_GENERIC_PTDUMP was renamed into CONFIG_ARCH_HAS_PTDUMP, but it was mistakenly moved from "config X86" to "config X86_64". That made PTDUMP unavailable for i386. Move CONFIG_ARCH_HAS_PTDUMP back to "config X86" to fix it. [ bp: Massage commit message. ] Fixes: f9aad622006bd64c ("mm: rename GENERIC_PTDUMP and PTDUMP_CORE") Signed-off-by: Alexander Popov <alex.popov(a)linux.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Cc: stable(a)vger.kernel.org --- arch/x86/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 52c8910..0588030 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -26,7 +26,6 @@ config X86_64 depends on 64BIT # Options that are inherently 64-bit kernel only: select ARCH_HAS_GIGANTIC_PAGE - select ARCH_HAS_PTDUMP select ARCH_SUPPORTS_MSEAL_SYSTEM_MAPPINGS select ARCH_SUPPORTS_INT128 if CC_HAS_INT128 select ARCH_SUPPORTS_PER_VMA_LOCK @@ -99,6 +98,7 @@ config X86 select ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE select ARCH_HAS_PMEM_API if X86_64 select ARCH_HAS_PREEMPT_LAZY + select ARCH_HAS_PTDUMP select ARCH_HAS_PTE_SPECIAL select ARCH_HAS_HW_PTE_YOUNG select ARCH_HAS_NONLEAF_PMD_YOUNG if PGTABLE_LEVELS > 2

1 month, 2 weeks

1
0
0 0

[PATCH] powerpc/smp: Add check for kcalloc() in parse_thread_groups()

by Guangshuo Li

As kcalloc() may fail, check its return value to avoid a NULL pointer dereference when passing it to of_property_read_u32_array(). Fixes: 790a1662d3a26 ("powerpc/smp: Parse ibm,thread-groups with multiple properties") Cc: stable(a)vger.kernel.org Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- arch/powerpc/kernel/smp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c index 5ac7084eebc0..2da064e00d0d 100644 --- a/arch/powerpc/kernel/smp.c +++ b/arch/powerpc/kernel/smp.c @@ -822,6 +822,9 @@ static int parse_thread_groups(struct device_node *dn, count = of_property_count_u32_elems(dn, "ibm,thread-groups"); thread_group_array = kcalloc(count, sizeof(u32), GFP_KERNEL); + if (!thread_group_array) + return -ENOMEM; + ret = of_property_read_u32_array(dn, "ibm,thread-groups", thread_group_array, count); if (ret) -- 2.43.0

1 month, 2 weeks

1
0
0 0

[PATCH] scsi: dc395x: correctly discard the return value in certain reads

by Xinhui Yang

There are certain read operations performed in this code which doesn't really don't need its return value. Those read operations either clears the FIFO buffer, or clears the interruption status. However, unused read triggers compiler warnings. With CONFIG_WERROR on, these warnings get converted into errors: drivers/scsi/dc395x.c: In function ‘__dc395x_eh_bus_reset’: drivers/scsi/dc395x.c:97:49: error: value computed is not used [-Werror=unused-value] 97 | #define DC395x_read8(acb,address) (u8)(inb(acb->io_port_base + (address))) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/dc395x.c:1003:9: note: in expansion of macro ‘DC395x_read8’ 1003 | DC395x_read8(acb, TRM_S1040_SCSI_INTSTATUS); | ^~~~~~~~~~~~ drivers/scsi/dc395x.c: In function ‘data_io_transfer’: drivers/scsi/dc395x.c:97:49: error: value computed is not used [-Werror=unused-value] 97 | #define DC395x_read8(acb,address) (u8)(inb(acb->io_port_base + (address))) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/dc395x.c:2032:33: note: in expansion of macro ‘DC395x_read8’ 2032 | DC395x_read8(acb, TRM_S1040_SCSI_FIFO); Create a new macro DC395x_peek8() to deliberately cast the return value to void, which tells the compiler we really don't need the return value of such read operations. Signed-off-by: Xinhui Yang <cyan(a)cyano.uk> --- drivers/scsi/dc395x.c | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c index 386c8359e1cc..013d0d5277d6 100644 --- a/drivers/scsi/dc395x.c +++ b/drivers/scsi/dc395x.c @@ -91,15 +91,21 @@ #endif -#define DC395x_LOCK_IO(dev,flags) spin_lock_irqsave(((struct Scsi_Host *)dev)->host_lock, flags) -#define DC395x_UNLOCK_IO(dev,flags) spin_unlock_irqrestore(((struct Scsi_Host *)dev)->host_lock, flags) +#define DC395x_LOCK_IO(dev, flags) spin_lock_irqsave(((struct Scsi_Host *)dev)->host_lock, flags) +#define DC395x_UNLOCK_IO(dev, flags) spin_unlock_irqrestore(((struct Scsi_Host *)dev)->host_lock, flags) -#define DC395x_read8(acb,address) (u8)(inb(acb->io_port_base + (address))) -#define DC395x_read16(acb,address) (u16)(inw(acb->io_port_base + (address))) -#define DC395x_read32(acb,address) (u32)(inl(acb->io_port_base + (address))) -#define DC395x_write8(acb,address,value) outb((value), acb->io_port_base + (address)) -#define DC395x_write16(acb,address,value) outw((value), acb->io_port_base + (address)) -#define DC395x_write32(acb,address,value) outl((value), acb->io_port_base + (address)) +/* + * read operations that may trigger side effects in the hardware, + * but the value can or should be discarded. + */ +#define DC395x_peek8(acb, address) ((void)(inb(acb->io_port_base + (address)))) +/* Normal read write operations goes here. */ +#define DC395x_read8(acb, address) ((u8) (inb(acb->io_port_base + (address)))) +#define DC395x_read16(acb, address) ((u16) (inw(acb->io_port_base + (address)))) +#define DC395x_read32(acb, address) ((u32) (inl(acb->io_port_base + (address)))) +#define DC395x_write8(acb, address, value) (outb((value), acb->io_port_base + (address))) +#define DC395x_write16(acb, address, value) (outw((value), acb->io_port_base + (address))) +#define DC395x_write32(acb, address, value) (outl((value), acb->io_port_base + (address))) #define TAG_NONE 255 @@ -1000,7 +1006,7 @@ static int __dc395x_eh_bus_reset(struct scsi_cmnd *cmd) DC395x_write8(acb, TRM_S1040_DMA_CONTROL, CLRXFIFO); clear_fifo(acb, "eh_bus_reset"); /* Delete pending IRQ */ - DC395x_read8(acb, TRM_S1040_SCSI_INTSTATUS); + DC395x_peek8(acb, TRM_S1040_SCSI_INTSTATUS); set_basic_config(acb); reset_dev_param(acb); @@ -2029,8 +2035,8 @@ static void data_io_transfer(struct AdapterCtlBlk *acb, DC395x_write8(acb, TRM_S1040_SCSI_CONFIG2, CFG2_WIDEFIFO); if (io_dir & DMACMD_DIR) { - DC395x_read8(acb, TRM_S1040_SCSI_FIFO); - DC395x_read8(acb, TRM_S1040_SCSI_FIFO); + DC395x_peek8(acb, TRM_S1040_SCSI_FIFO); + DC395x_peek8(acb, TRM_S1040_SCSI_FIFO); } else { /* Danger, Robinson: If you find KGs * scattered over the wide disk, the driver @@ -2044,7 +2050,7 @@ static void data_io_transfer(struct AdapterCtlBlk *acb, /* Danger, Robinson: If you find a collection of Ks on your disk * something broke :-( */ if (io_dir & DMACMD_DIR) - DC395x_read8(acb, TRM_S1040_SCSI_FIFO); + DC395x_peek8(acb, TRM_S1040_SCSI_FIFO); else DC395x_write8(acb, TRM_S1040_SCSI_FIFO, 'K'); } @@ -2892,7 +2898,7 @@ static void set_basic_config(struct AdapterCtlBlk *acb) DMA_FIFO_HALF_HALF | DMA_ENHANCE /*| DMA_MEM_MULTI_READ */ ; DC395x_write16(acb, TRM_S1040_DMA_CONFIG, wval); /* Clear pending interrupt status */ - DC395x_read8(acb, TRM_S1040_SCSI_INTSTATUS); + DC395x_peek8(acb, TRM_S1040_SCSI_INTSTATUS); /* Enable SCSI interrupt */ DC395x_write8(acb, TRM_S1040_SCSI_INTEN, 0x7F); DC395x_write8(acb, TRM_S1040_DMA_INTEN, EN_SCSIINTR | EN_DMAXFERERROR @@ -3799,7 +3805,7 @@ static void adapter_uninit_chip(struct AdapterCtlBlk *acb) reset_scsi_bus(acb); /* clear any pending interrupt state */ - DC395x_read8(acb, TRM_S1040_SCSI_INTSTATUS); + DC395x_peek8(acb, TRM_S1040_SCSI_INTSTATUS); } -- 2.51.0

1 month, 2 weeks

2
1
0 0

[PATCH v2] gpiolib: Extend software-node support to support secondary software-nodes

by Hans de Goede

When a software-node gets added to a device which already has another fwnode as primary node it will become the secondary fwnode for that device. Currently if a software-node with GPIO properties ends up as the secondary fwnode then gpiod_find_by_fwnode() will fail to find the GPIOs. Add a new gpiod_fwnode_lookup() helper which falls back to calling gpiod_find_by_fwnode() with the secondary fwnode if the GPIO was not found in the primary fwnode. Fixes: e7f9ff5dc90c ("gpiolib: add support for software nodes") Cc: stable(a)vger.kernel.org Cc: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Signed-off-by: Hans de Goede <hansg(a)kernel.org> --- Changes in v2: - Add a new gpiod_fwnode_lookup() helper instead of putting the secondary fwnode check inside gpiod_find_by_fwnode() --- drivers/gpio/gpiolib.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index 0d2b470a252e..74d54513730a 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -4604,6 +4604,23 @@ static struct gpio_desc *gpiod_find_by_fwnode(struct fwnode_handle *fwnode, return desc; } +static struct gpio_desc *gpiod_fwnode_lookup(struct fwnode_handle *fwnode, + struct device *consumer, + const char *con_id, + unsigned int idx, + enum gpiod_flags *flags, + unsigned long *lookupflags) +{ + struct gpio_desc *desc; + + desc = gpiod_find_by_fwnode(fwnode, consumer, con_id, idx, flags, lookupflags); + if (gpiod_not_found(desc) && !IS_ERR_OR_NULL(fwnode)) + desc = gpiod_find_by_fwnode(fwnode->secondary, consumer, con_id, + idx, flags, lookupflags); + + return desc; +} + struct gpio_desc *gpiod_find_and_request(struct device *consumer, struct fwnode_handle *fwnode, const char *con_id, @@ -4622,8 +4639,8 @@ struct gpio_desc *gpiod_find_and_request(struct device *consumer, int ret = 0; scoped_guard(srcu, &gpio_devices_srcu) { - desc = gpiod_find_by_fwnode(fwnode, consumer, con_id, idx, - &flags, &lookupflags); + desc = gpiod_fwnode_lookup(fwnode, consumer, con_id, idx, + &flags, &lookupflags); if (gpiod_not_found(desc) && platform_lookup_allowed) { /* * Either we are not using DT or ACPI, or their lookup -- 2.51.0

1 month, 2 weeks

4
4
0 0

Re: "loop: Avoid updating block size under exclusive owner" breaks on 6.6.103

by Jan Kara

On Wed 17-09-25 11:18:50, Eric Hagberg wrote: > I stumbled across a problem where the 6.6.103 kernel will fail when > running the ioctl_loop06 test from the LTP test suite... and worse > than failing the test, it leaves the system in a state where you can't > run "losetup -a" again because the /dev/loopN device that the test > created and failed the test on... hangs in a LOOP_GET_STATUS64 ioctl. > > It also leaves the system in a state where you can't re-kexec into a > copy of the kernel as it gets completely hung at the point where it > says "starting Reboot via kexec"... Thanks for the report! Please report issues with stable kernels to stable(a)vger.kernel.org (CCed now) because they can act on them. > If I revert just that patch from 6.6.103 (or newer) kernels, then the > test succeeds and doesn't leave the host in a bad state. The patch > applied to 6.12 doesn't cause this problem, but I also see that there > are quite a few other changes to the loop subsystem in 6.12 that never > made it to 6.6. > > For now, I'll probably just revert your patch in my 6.6 kernel builds, > but I wouldn't be surprised if others stumble across this issue as > well, so maybe it should be reverted or fixed some other way. Yes, I think revert from 6.6 stable kernel is warranted (unless somebody has time to figure out what else is missing to make the patch work with that stable branch). Honza -- Jan Kara <jack(a)suse.com> SUSE Labs, CR

1 month, 2 weeks

3
3
0 0

Check this out at Amazon

by Info Marketing

THE HOUSEMAID UNDER CONTRACT https://rb.gy/2xfnv3

1 month, 2 weeks

1
0
0 0

Re: Patch "x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT" has been added to the 6.12-stable tree

by Tom Lendacky

On 9/22/25 00:52, gregkh(a)linuxfoundation.org wrote: > > This is a note to let you know that I've just added the patch titled > > x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT > > to the 6.12-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > x86-sev-guard-sev_evict_cache-with-config_amd_mem_encrypt.patch > and it can be found in the queue-6.12 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Maybe I didn't use the tag correctly, but I put 6.16.x on the stable tag to indicate that the patch only applied to 6.16 and above. Before 6.16, there isn't a stub version of the function, so all off those releases are fine. So this patch doesn't need to be part of the 6.12 stable tree. Thanks, Tom > > > From stable+bounces-180849-greg=kroah.com(a)vger.kernel.org Mon Sep 22 01:18:07 2025 > From: Sasha Levin <sashal(a)kernel.org> > Date: Sun, 21 Sep 2025 19:17:59 -0400 > Subject: x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT > To: stable(a)vger.kernel.org > Cc: Tom Lendacky <thomas.lendacky(a)amd.com>, "Borislav Petkov (AMD)" <bp(a)alien8.de>, stable(a)kernel.org, Sasha Levin <sashal(a)kernel.org> > Message-ID: <20250921231759.3033314-1-sashal(a)kernel.org> > > From: Tom Lendacky <thomas.lendacky(a)amd.com> > > [ Upstream commit 7f830e126dc357fc086905ce9730140fd4528d66 ] > > The sev_evict_cache() is guest-related code and should be guarded by > CONFIG_AMD_MEM_ENCRYPT, not CONFIG_KVM_AMD_SEV. > > CONFIG_AMD_MEM_ENCRYPT=y is required for a guest to run properly as an SEV-SNP > guest, but a guest kernel built with CONFIG_KVM_AMD_SEV=n would get the stub > function of sev_evict_cache() instead of the version that performs the actual > eviction. Move the function declarations under the appropriate #ifdef. > > Fixes: 7b306dfa326f ("x86/sev: Evict cache lines during SNP memory validation") > Signed-off-by: Tom Lendacky <thomas.lendacky(a)amd.com> > Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> > Cc: stable(a)kernel.org # 6.16.x > Link: https://lore.kernel.org/r/70e38f2c4a549063de54052c9f64929705313526.17577089… > [ Move sev_evict_cache() out of shared.c ] > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> > --- > arch/x86/coco/sev/shared.c | 18 ------------------ > arch/x86/include/asm/sev.h | 19 +++++++++++++++++++ > 2 files changed, 19 insertions(+), 18 deletions(-) > > --- a/arch/x86/coco/sev/shared.c > +++ b/arch/x86/coco/sev/shared.c > @@ -1243,24 +1243,6 @@ static void svsm_pval_terminate(struct s > __pval_terminate(pfn, action, page_size, ret, svsm_ret); > } > > -static inline void sev_evict_cache(void *va, int npages) > -{ > - volatile u8 val __always_unused; > - u8 *bytes = va; > - int page_idx; > - > - /* > - * For SEV guests, a read from the first/last cache-lines of a 4K page > - * using the guest key is sufficient to cause a flush of all cache-lines > - * associated with that 4K page without incurring all the overhead of a > - * full CLFLUSH sequence. > - */ > - for (page_idx = 0; page_idx < npages; page_idx++) { > - val = bytes[page_idx * PAGE_SIZE]; > - val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1]; > - } > -} > - > static void svsm_pval_4k_page(unsigned long paddr, bool validate) > { > struct svsm_pvalidate_call *pc; > --- a/arch/x86/include/asm/sev.h > +++ b/arch/x86/include/asm/sev.h > @@ -400,6 +400,24 @@ u64 sev_get_status(void); > void sev_show_status(void); > void snp_update_svsm_ca(void); > > +static inline void sev_evict_cache(void *va, int npages) > +{ > + volatile u8 val __always_unused; > + u8 *bytes = va; > + int page_idx; > + > + /* > + * For SEV guests, a read from the first/last cache-lines of a 4K page > + * using the guest key is sufficient to cause a flush of all cache-lines > + * associated with that 4K page without incurring all the overhead of a > + * full CLFLUSH sequence. > + */ > + for (page_idx = 0; page_idx < npages; page_idx++) { > + val = bytes[page_idx * PAGE_SIZE]; > + val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1]; > + } > +} > + > #else /* !CONFIG_AMD_MEM_ENCRYPT */ > > #define snp_vmpl 0 > @@ -435,6 +453,7 @@ static inline u64 snp_get_unsupported_fe > static inline u64 sev_get_status(void) { return 0; } > static inline void sev_show_status(void) { } > static inline void snp_update_svsm_ca(void) { } > +static inline void sev_evict_cache(void *va, int npages) {} > > #endif /* CONFIG_AMD_MEM_ENCRYPT */ > > > > Patches currently in stable-queue which might be from sashal(a)kernel.org are > > queue-6.12/mptcp-tfo-record-deny-join-id0-info.patch > queue-6.12/crypto-af_alg-set-merge-to-zero-early-in-af_alg_send.patch > queue-6.12/asoc-wm8940-correct-pll-rate-rounding.patch > queue-6.12/um-virtio_uml-fix-use-after-free-after-put_device-in.patch > queue-6.12/x86-sev-guard-sev_evict_cache-with-config_amd_mem_encrypt.patch > queue-6.12/mptcp-pm-nl-announce-deny-join-id0-flag.patch > queue-6.12/drm-bridge-anx7625-fix-null-pointer-dereference-with.patch > queue-6.12/asoc-sof-intel-hda-stream-fix-incorrect-variable-use.patch > queue-6.12/qed-don-t-collect-too-many-protection-override-grc-e.patch > queue-6.12/dpaa2-switch-fix-buffer-pool-seeding-for-control-tra.patch > queue-6.12/nvme-fix-pi-insert-on-write.patch > queue-6.12/xhci-dbc-fix-full-dbc-transfer-ring-after-several-reconnects.patch > queue-6.12/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch > queue-6.12/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch > queue-6.12/wifi-mac80211-increase-scan_ies_len-for-s1g.patch > queue-6.12/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch > queue-6.12/usb-xhci-remove-option-to-change-a-default-ring-s-trb-cycle-bit.patch > queue-6.12/btrfs-fix-invalid-extref-key-setup-when-replaying-de.patch > queue-6.12/io_uring-fix-incorrect-io_kiocb-reference-in-io_link.patch > queue-6.12/ice-fix-rx-page-leak-on-multi-buffer-frames.patch > queue-6.12/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch > queue-6.12/drm-xe-tile-release-kobject-for-the-failure-path.patch > queue-6.12/wifi-mac80211-fix-incorrect-type-for-ret.patch > queue-6.12/smb-client-fix-smbdirect_recv_io-leak-in-smbd_negoti.patch > queue-6.12/net-mlx5e-harden-uplink-netdev-access-against-device.patch > queue-6.12/usb-xhci-introduce-macro-for-ring-segment-list-iteration.patch > queue-6.12/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch > queue-6.12/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch > queue-6.12/net-tcp-fix-a-null-pointer-dereference-when-using-tc.patch > queue-6.12/drm-bridge-cdns-mhdp8546-fix-missing-mutex-unlock-on.patch > queue-6.12/ice-store-max_frame-and-rx_buf_len-only-in-ice_rx_ri.patch > queue-6.12/selftests-mptcp-userspace-pm-validate-deny-join-id0-.patch > queue-6.12/bonding-set-random-address-only-when-slaves-already-.patch > queue-6.12/drm-xe-fix-a-null-vs-is_err-in-xe_vm_add_compute_exe.patch > queue-6.12/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch > queue-6.12/mm-gup-check-ref_count-instead-of-lru-before-migration.patch > queue-6.12/tls-make-sure-to-abort-the-stream-if-headers-are-bog.patch > queue-6.12/um-fix-fd-copy-size-in-os_rcv_fd_msg.patch > queue-6.12/smb-client-let-smbd_destroy-call-disable_work_sync-i.patch > queue-6.12/bonding-don-t-set-oif-to-bond-dev-when-getting-ns-ta.patch > queue-6.12/xhci-dbc-decouple-endpoint-allocation-from-initialization.patch > queue-6.12/mptcp-set-remote_deny_join_id0-on-syn-recv.patch > queue-6.12/octeontx2-pf-fix-use-after-free-bugs-in-otx2_sync_ts.patch > queue-6.12/smb-client-fix-filename-matching-of-deferred-files.patch > queue-6.12/igc-don-t-fail-igc_probe-on-led-setup-error.patch > queue-6.12/octeon_ep-fix-vf-mac-address-lifecycle-handling.patch > queue-6.12/selftests-mptcp-sockopt-fix-error-messages.patch > queue-6.12/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch > queue-6.12/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch > queue-6.12/asoc-wm8974-correct-pll-rate-rounding.patch > queue-6.12/mm-add-folio_expected_ref_count-for-reference-count-calculation.patch > queue-6.12/wifi-wilc1000-avoid-buffer-overflow-in-wid-string-co.patch > queue-6.12/asoc-intel-catpt-expose-correct-bit-depth-to-userspa.patch > queue-6.12/asoc-wm8940-correct-typo-in-control-name.patch > queue-6.12/perf-x86-intel-fix-crash-in-icl_update_topdown_event.patch

1 month, 2 weeks

2
1
0 0

[PATCH v2 3/3] PCI: tegra194: Handle errors in BPMP response

by Niklas Cassel

From: Vidya Sagar <vidyas(a)nvidia.com> The return value from tegra_bpmp_transfer() indicates the success or failure of the IPC transaction with BPMP. If the transaction succeeded, we also need to check the actual command's result code. If we don't have error handling for tegra_bpmp_transfer(), we will set the pcie->ep_state to EP_STATE_ENABLED (even though the tegra_bpmp_transfer() command failed). Thus, the pcie->ep_state will get out of sync with reality, and any further PERST# assert + deassert will be a no-op (will not trigger the hardware initialization sequence). This is because pex_ep_event_pex_rst_deassert() checks the current pcie->ep_state, and does nothing if the current state is already EP_STATE_ENABLED. Thus, it is important to have error handling for tegra_bpmp_transfer(), such that the pcie->ep_state can not get out of sync with reality, so that we will try to initialize the hardware not only during the first PERST# assert + deassert, but also during any succeeding PERST# assert + deassert. One example where this fix is needed is when using a rock5b as host. During the initial PERST# assert + deassert (triggered by the bootloader on the rock5b) pex_ep_event_pex_rst_deassert() will get called, but for some unknown reason, the tegra_bpmp_transfer() call to initialize the PHY fails. Once Linux has been loaded on the rock5b, the PCIe driver will once again assert + deassert PERST#. However, without tegra_bpmp_transfer() error handling, this second PERST# assert + deassert will not trigger the hardware initialization sequence. With tegra_bpmp_transfer() error handling, the second PERST# assert + deassert will once again trigger the hardware to be initialized and this time the tegra_bpmp_transfer() succeeds. Cc: stable(a)vger.kernel.org Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194") Signed-off-by: Vidya Sagar <vidyas(a)nvidia.com> [cassel: improve commit log] Reviewed-by: Jon Hunter <jonathanh(a)nvidia.com> Acked-by: Thierry Reding <treding(a)nvidia.com> Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- drivers/pci/controller/dwc/pcie-tegra194.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c index 7eb48cc13648e..c4265b3f72048 100644 --- a/drivers/pci/controller/dwc/pcie-tegra194.c +++ b/drivers/pci/controller/dwc/pcie-tegra194.c @@ -1223,6 +1223,7 @@ static int tegra_pcie_bpmp_set_ctrl_state(struct tegra_pcie_dw *pcie, struct mrq_uphy_response resp; struct tegra_bpmp_message msg; struct mrq_uphy_request req; + int err; /* * Controller-5 doesn't need to have its state set by BPMP-FW in @@ -1245,7 +1246,13 @@ static int tegra_pcie_bpmp_set_ctrl_state(struct tegra_pcie_dw *pcie, msg.rx.data = &resp; msg.rx.size = sizeof(resp); - return tegra_bpmp_transfer(pcie->bpmp, &msg); + err = tegra_bpmp_transfer(pcie->bpmp, &msg); + if (err) + return err; + if (msg.rx.ret) + return -EINVAL; + + return 0; } static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie, @@ -1254,6 +1261,7 @@ static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie, struct mrq_uphy_response resp; struct tegra_bpmp_message msg; struct mrq_uphy_request req; + int err; memset(&req, 0, sizeof(req)); memset(&resp, 0, sizeof(resp)); @@ -1273,7 +1281,13 @@ static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie, msg.rx.data = &resp; msg.rx.size = sizeof(resp); - return tegra_bpmp_transfer(pcie->bpmp, &msg); + err = tegra_bpmp_transfer(pcie->bpmp, &msg); + if (err) + return err; + if (msg.rx.ret) + return -EINVAL; + + return 0; } static void tegra_pcie_downstream_dev_to_D0(struct tegra_pcie_dw *pcie) -- 2.51.0

1 month, 2 weeks

1
0
0 0

[PATCH v2 2/3] PCI: tegra194: Reset BARs when running in PCIe endpoint mode

by Niklas Cassel

Tegra already defines all BARs expect for BAR0 as BAR_RESERVED. This is sufficient for pci-epf-test to not allocate backing memory and to not call set_bar() for those BARs. However, marking a BAR as BAR_RESERVED does not mean that the BAR get disabled. The host side driver, pci_endpoint_test, simply does an ioremap for all enabled BARs, and will run tests against all enabled BARs. (I.e. it will run tests also against the BARs marked as BAR_RESERVED.) After running the BARs tests (which will write to all enabled BARs), the inbound address translation is broken. This is because the tegra controller exposes the ATU Port Logic Structure in BAR4. So when BAR4 is written, the inbound address translation settings get overwritten. To avoid this, implement the dw_pcie_ep_ops .init() callback and start off by disabling all BARs (pci-epf-test will later enable/configure BARs that are not defined as BAR_RESERVED). This matches the behavior of other PCIe endpoint drivers: dra7xx, imx6, layerscape-ep, artpec6, dw-rockchip, qcom-ep, rcar-gen4, and uniphier-ep. With this, the PCI endpoint kselftest test case CONSECUTIVE_BAR_TEST (which was specifically made to detect address translation issues) passes. Cc: stable(a)vger.kernel.org Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194") Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- drivers/pci/controller/dwc/pcie-tegra194.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c index 63d310e5335f4..7eb48cc13648e 100644 --- a/drivers/pci/controller/dwc/pcie-tegra194.c +++ b/drivers/pci/controller/dwc/pcie-tegra194.c @@ -1955,6 +1955,15 @@ static irqreturn_t tegra_pcie_ep_pex_rst_irq(int irq, void *arg) return IRQ_HANDLED; } +static void tegra_pcie_ep_init(struct dw_pcie_ep *ep) +{ + struct dw_pcie *pci = to_dw_pcie_from_ep(ep); + enum pci_barno bar; + + for (bar = 0; bar < PCI_STD_NUM_BARS; bar++) + dw_pcie_ep_reset_bar(pci, bar); +}; + static int tegra_pcie_ep_raise_intx_irq(struct tegra_pcie_dw *pcie, u16 irq) { /* Tegra194 supports only INTA */ @@ -2030,6 +2039,7 @@ tegra_pcie_ep_get_features(struct dw_pcie_ep *ep) } static const struct dw_pcie_ep_ops pcie_ep_ops = { + .init = tegra_pcie_ep_init, .raise_irq = tegra_pcie_ep_raise_irq, .get_features = tegra_pcie_ep_get_features, }; -- 2.51.0

1 month, 2 weeks

1
0
0 0

[PATCH] powerpc/Makefile: use $(objtree) for crtsavres.o

by A. Sverdlin

From: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> ... otherwise it could be problematic to build external modules: make[2]: Entering directory '.../kernel-module-hello-world' | CC [M] hello-world.o | MODPOST Module.symvers | CC [M] hello-world.mod.o | CC [M] .module-common.o | LD [M] hello-world.ko | powerpc-poky-linux-ld.bfd: cannot find arch/powerpc/lib/crtsavres.o: No such file or directory Fixes: da3de6df33f5 ("[POWERPC] Fix -Os kernel builds with newer gcc versions") Cc: stable(a)vger.kernel.org Signed-off-by: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> --- arch/powerpc/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile index 9753fb87217c3..a58b1029592ce 100644 --- a/arch/powerpc/Makefile +++ b/arch/powerpc/Makefile @@ -58,7 +58,7 @@ ifeq ($(CONFIG_PPC64)$(CONFIG_LD_IS_BFD),yy) # There is a corresponding test in arch/powerpc/lib/Makefile KBUILD_LDFLAGS_MODULE += --save-restore-funcs else -KBUILD_LDFLAGS_MODULE += arch/powerpc/lib/crtsavres.o +KBUILD_LDFLAGS_MODULE += $(objtree)/arch/powerpc/lib/crtsavres.o endif ifdef CONFIG_CPU_LITTLE_ENDIAN -- 2.51.0

1 month, 2 weeks

3
2
0 0

[PATCH v2] staging: gpib: Fix device reference leak in fmh_gpib driver

by Ma Ke

The fmh_gpib driver contains a device reference count leak in fmh_gpib_attach_impl() where driver_find_device() increases the reference count of the device by get_device() when matching but this reference is not properly decreased. Add put_device() in fmh_gpib_attach_impl() and add put_device() in fmh_gpib_detach(), which ensures that the reference count of the device is correctly managed. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 8e4841a0888c ("staging: gpib: Add Frank Mori Hess FPGA PCI GPIB driver") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - modified the free operations as suggestions. Thanks for dan carpenter's instructions. --- drivers/staging/gpib/fmh_gpib/fmh_gpib.c | 66 +++++++++++++++++++----- 1 file changed, 54 insertions(+), 12 deletions(-) diff --git a/drivers/staging/gpib/fmh_gpib/fmh_gpib.c b/drivers/staging/gpib/fmh_gpib/fmh_gpib.c index 4138f3d2bae7..f5be24b44238 100644 --- a/drivers/staging/gpib/fmh_gpib/fmh_gpib.c +++ b/drivers/staging/gpib/fmh_gpib/fmh_gpib.c @@ -1396,7 +1396,7 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar retval = fmh_gpib_generic_attach(board); if (retval) - return retval; + goto err_put_device; e_priv = board->private_data; nec_priv = &e_priv->nec7210_priv; @@ -1404,14 +1404,16 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "gpib_control_status"); if (!res) { dev_err(board->dev, "Unable to locate mmio resource\n"); - return -ENODEV; + retval = -ENODEV; + goto err_generic_detach; } if (request_mem_region(res->start, resource_size(res), pdev->name) == NULL) { dev_err(board->dev, "cannot claim registers\n"); - return -ENXIO; + retval = -ENXIO; + goto err_generic_detach; } e_priv->gpib_iomem_res = res; @@ -1419,7 +1421,8 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar resource_size(e_priv->gpib_iomem_res)); if (!nec_priv->mmiobase) { dev_err(board->dev, "Could not map I/O memory\n"); - return -ENOMEM; + retval = -ENOMEM; + goto err_release_mmio_region; } dev_dbg(board->dev, "iobase %pr remapped to %p\n", e_priv->gpib_iomem_res, nec_priv->mmiobase); @@ -1427,34 +1430,41 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "dma_fifos"); if (!res) { dev_err(board->dev, "Unable to locate mmio resource for gpib dma port\n"); - return -ENODEV; + retval = -ENODEV; + goto err_iounmap_mmio; } if (request_mem_region(res->start, resource_size(res), pdev->name) == NULL) { dev_err(board->dev, "cannot claim registers\n"); - return -ENXIO; + retval = -ENXIO; + goto err_iounmap_mmio; } e_priv->dma_port_res = res; + e_priv->fifo_base = ioremap(e_priv->dma_port_res->start, resource_size(e_priv->dma_port_res)); if (!e_priv->fifo_base) { dev_err(board->dev, "Could not map I/O memory for fifos\n"); - return -ENOMEM; + retval = -ENOMEM; + goto err_release_dma_region; } dev_dbg(board->dev, "dma fifos 0x%lx remapped to %p, length=%ld\n", (unsigned long)e_priv->dma_port_res->start, e_priv->fifo_base, (unsigned long)resource_size(e_priv->dma_port_res)); irq = platform_get_irq(pdev, 0); - if (irq < 0) - return -EBUSY; + if (irq < 0) { + retval = -EBUSY; + goto err_iounmap_fifo; + } + retval = request_irq(irq, fmh_gpib_interrupt, IRQF_SHARED, pdev->name, board); if (retval) { dev_err(board->dev, "cannot register interrupt handler err=%d\n", retval); - return retval; + goto err_iounmap_fifo; } e_priv->irq = irq; @@ -1462,9 +1472,11 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar e_priv->dma_channel = dma_request_slave_channel(board->dev, "rxtx"); if (!e_priv->dma_channel) { dev_err(board->dev, "failed to acquire dma channel \"rxtx\".\n"); - return -EIO; + retval = -EIO; + goto err_free_irq; } } + /* * in the future we might want to know the half-fifo size * (dma_burst_length) even when not using dma, so go ahead an @@ -1473,7 +1485,32 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar e_priv->dma_burst_length = fifos_read(e_priv, FIFO_MAX_BURST_LENGTH_REG) & fifo_max_burst_length_mask; - return fmh_gpib_init(e_priv, board, handshake_mode); + retval = fmh_gpib_init(e_priv, board, handshake_mode); + if (retval) + goto err_release_dma; + + return 0; + +err_release_dma: + if (acquire_dma && e_priv->dma_channel) + dma_release_channel(e_priv->dma_channel); +err_free_irq: + free_irq(irq, board); +err_iounmap_fifo: + iounmap(e_priv->fifo_base); +err_release_dma_region: + release_mem_region(e_priv->dma_port_res->start, + resource_size(e_priv->dma_port_res)); +err_iounmap_mmio: + iounmap(nec_priv->mmiobase); +err_release_mmio_region: + release_mem_region(e_priv->gpib_iomem_res->start, + resource_size(e_priv->gpib_iomem_res)); +err_generic_detach: + fmh_gpib_generic_detach(board); +err_put_device: + put_device(board->dev); + return retval; } int fmh_gpib_attach_holdoff_all(struct gpib_board *board, const struct gpib_board_config *config) @@ -1517,6 +1554,11 @@ void fmh_gpib_detach(struct gpib_board *board) resource_size(e_priv->gpib_iomem_res)); } fmh_gpib_generic_detach(board); + + if (board->dev) { + put_device(board->dev); + board->dev = NULL; + } } static int fmh_gpib_pci_attach_impl(struct gpib_board *board, -- 2.17.1

1 month, 2 weeks

2
2
0 0

[PATCH] fs: udf: fix OOB read in lengthAllocDescs handling

by Larshin Sergey

When parsing Allocation Extent Descriptor, lengthAllocDescs comes from on-disk data and must be validated against the block size. Crafted or corrupted images may set lengthAllocDescs so that the total descriptor length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and trigger a KASAN use-after-free read. BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309 CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261 udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179 extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46 udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106 udf_release_file+0xc1/0x120 fs/udf/file.c:185 __fput+0x23f/0x880 fs/file_table.c:431 task_work_run+0x24f/0x310 kernel/task_work.c:239 exit_task_work include/linux/task_work.h:43 [inline] do_exit+0xa2f/0x28e0 kernel/exit.c:939 do_group_exit+0x207/0x2c0 kernel/exit.c:1088 __do_sys_exit_group kernel/exit.c:1099 [inline] __se_sys_exit_group kernel/exit.c:1097 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Validate the computed total length against epos->bh->b_size. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Reported-by: syzbot+8743fca924afed42f93e(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=8743fca924afed42f93e Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Larshin Sergey <Sergey.Larshin(a)kaspersky.com> --- fs/udf/inode.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/udf/inode.c b/fs/udf/inode.c index f24aa98e6869..a79d73f28aa7 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -2272,6 +2272,9 @@ int udf_current_aext(struct inode *inode, struct extent_position *epos, if (check_add_overflow(sizeof(struct allocExtDesc), le32_to_cpu(header->lengthAllocDescs), &alen)) return -1; + + if (alen > epos->bh->b_size) + return -1; } switch (iinfo->i_alloc_type) { -- 2.39.5

1 month, 2 weeks

2
1
0 0

[PATCH 00/27 5.10.y] Backport minmax.h updates from v6.17-rc6

by Eliav Farber

This series includes a total of 27 patches, to align minmax.h of v5.15.y with v6.17-rc6. The set consists of 24 commits that directly update minmax.h: 1) 92d23c6e9415 ("overflow, tracing: Define the is_signed_type() macro once") 2) 5efcecd9a3b1 ("minmax: sanity check constant bounds when clamping") 3) 2122e2a4efc2 ("minmax: clamp more efficiently by avoiding extra comparison") 4) f9bff0e31881 ("minmax: add in_range() macro") 5) c952c748c7a9 ("minmax: Introduce {min,max}_array()") 6) 5e57418a2031 ("minmax: deduplicate __unconst_integer_typeof()") 7) f6e9d38f8eb0 ("minmax: fix header inclusions") 8) d03eba99f5bf ("minmax: allow min()/max()/clamp() if the arguments have the same signedness.") 9) f4b84b2ff851 ("minmax: fix indentation of __cmp_once() and __clamp_once()") 10) 4ead534fba42 ("minmax: allow comparisons of 'int' against 'unsigned char/short'") 11) 867046cc7027 ("minmax: relax check to allow comparison between unsigned arguments and signed constants") 12) 3a7e02c040b1 ("minmax: avoid overly complicated constant expressions in VM code") 14) 017fa3e89187 ("minmax: simplify and clarify min_t()/max_t() implementation") 15) 1a251f52cfdc ("minmax: make generic MIN() and MAX() macros available everywhere") 18) dc1c8034e31b ("minmax: simplify min()/max()/clamp() implementation") 19) 22f546873149 ("minmax: improve macro expansion and type checking") 20) 21b136cc63d2 ("minmax: fix up min3() and max3() too") 21) 71ee9b16251e ("minmax.h: add whitespace around operators and after commas") 22) 10666e992048 ("minmax.h: update some comments") 23) b280bb27a9f7 ("minmax.h: reduce the #define expansion of min(), max() and clamp()") 24) a5743f32baec ("minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp()") 25) c3939872ee4a ("minmax.h: move all the clamp() definitions after the min/max() ones") 26) 495bba17cdf9 ("minmax.h: simplify the variants of clamp()") 27) 2b97aaf74ed5 ("minmax.h: remove some #defines that are only expanded once") 2 prerequisite commits that adjust users of MIN and MAX macros (to prevent compilation issues): 13) 4477b39c32fd ("minmax: add a few more MIN_T/MAX_T users") 17) cb04e8b1d2f2 ("minmax: don't use max() in situations that want a C constant expression") 1 additional commit introduced to resolve a build failures during the backport: 16) lib: zstd: drop local MIN/MAX macros in favor of generic ones The primary motivation is to bring in commit (8). In mainline, this change allows min()/max()/clamp() to accept mixed argument types when both share the same signedness. Backported patches to v5.10.y that use such forms trigger compiler warnings, which in turn cause build failures when -Werror is enabled. Originaly I aligned 5.10.y to 5.15.y, but David Laight commented that I need to pick up the later changes (from Linus) as well. Andy Shevchenko (2): minmax: deduplicate __unconst_integer_typeof() minmax: fix header inclusions Bart Van Assche (1): overflow, tracing: Define the is_signed_type() macro once David Laight (11): minmax: allow min()/max()/clamp() if the arguments have the same signedness. minmax: fix indentation of __cmp_once() and __clamp_once() minmax: allow comparisons of 'int' against 'unsigned char/short' minmax: relax check to allow comparison between unsigned arguments and signed constants minmax.h: add whitespace around operators and after commas minmax.h: update some comments minmax.h: reduce the #define expansion of min(), max() and clamp() minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp() minmax.h: move all the clamp() definitions after the min/max() ones minmax.h: simplify the variants of clamp() minmax.h: remove some #defines that are only expanded once Eliav Farber (1): lib: zstd: drop local MIN/MAX macros in favor of generic ones Herve Codina (1): minmax: Introduce {min,max}_array() Jason A. Donenfeld (2): minmax: sanity check constant bounds when clamping minmax: clamp more efficiently by avoiding extra comparison Linus Torvalds (8): minmax: avoid overly complicated constant expressions in VM code minmax: add a few more MIN_T/MAX_T users minmax: simplify and clarify min_t()/max_t() implementation minmax: make generic MIN() and MAX() macros available everywhere minmax: don't use max() in situations that want a C constant expression minmax: simplify min()/max()/clamp() implementation minmax: improve macro expansion and type checking minmax: fix up min3() and max3() too Matthew Wilcox (Oracle) (1): minmax: add in_range() macro arch/arm/mm/pageattr.c | 6 +- arch/um/drivers/mconsole_user.c | 2 + arch/x86/mm/pgtable.c | 2 +- drivers/edac/sb_edac.c | 4 +- drivers/edac/skx_common.h | 1 - .../drm/amd/display/modules/hdcp/hdcp_ddc.c | 2 + .../drm/amd/pm/powerplay/hwmgr/ppevvmath.h | 14 +- .../drm/arm/display/include/malidp_utils.h | 2 +- .../display/komeda/komeda_pipeline_state.c | 24 +- drivers/gpu/drm/drm_color_mgmt.c | 2 +- drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 6 - drivers/gpu/drm/radeon/evergreen_cs.c | 2 + drivers/hwmon/adt7475.c | 24 +- drivers/input/touchscreen/cyttsp4_core.c | 2 +- drivers/md/dm-integrity.c | 2 +- drivers/media/dvb-frontends/stv0367_priv.h | 3 + .../net/ethernet/chelsio/cxgb3/cxgb3_main.c | 18 +- .../net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- drivers/net/fjes/fjes_main.c | 4 +- drivers/nfc/pn544/i2c.c | 2 - drivers/platform/x86/sony-laptop.c | 1 - drivers/scsi/isci/init.c | 6 +- .../pci/hive_isp_css_include/math_support.h | 5 - fs/btrfs/misc.h | 2 - fs/btrfs/tree-checker.c | 2 +- fs/ext2/balloc.c | 2 - fs/ext4/ext4.h | 2 - fs/ufs/util.h | 6 - include/linux/compiler.h | 15 + include/linux/minmax.h | 267 ++++++++++++++---- include/linux/overflow.h | 1 - include/linux/trace_events.h | 2 - kernel/trace/preemptirq_delay_test.c | 2 - lib/btree.c | 1 - lib/decompress_unlzma.c | 2 + lib/logic_pio.c | 3 - lib/vsprintf.c | 2 +- lib/zstd/zstd_internal.h | 2 - mm/zsmalloc.c | 1 - net/ipv4/proc.c | 2 +- net/ipv6/proc.c | 2 +- net/netfilter/nf_nat_core.c | 6 +- net/tipc/core.h | 2 +- net/tipc/link.c | 10 +- 44 files changed, 306 insertions(+), 164 deletions(-) -- 2.47.3

1 month, 2 weeks

6
35
0 0

[PATCH] iommu/amd/pgtbl: Fix possible race while increase page table level

by Vasant Hegde

The AMD IOMMU host page table implementation supports dynamic page table levels (up to 6 levels), starting with a 3-level configuration that expands based on IOVA address. The kernel maintains a root pointer and current page table level to enable proper page table walks in alloc_pte()/fetch_pte() operations. The IOMMU IOVA allocator initially starts with 32-bit address and onces its exhuasted it switches to 64-bit address (max address is determined based on IOMMU and device DMA capability). To support larger IOVA, AMD IOMMU driver increases page table level. But in unmap path (iommu_v1_unmap_pages()), fetch_pte() reads pgtable->[root/mode] without lock. So its possible that in exteme corner case, when increase_address_space() is updating pgtable->[root/mode], fetch_pte() reads wrong page table level (pgtable->mode). It does compare the value with level encoded in page table and returns NULL. This will result is iommu_unmap ops to fail and upper layer may retry/log WARN_ON. CPU 0 CPU 1 ------ ------ map pages unmap pages alloc_pte() -> increase_address_space() iommu_v1_unmap_pages() -> fetch_pte() pgtable->root = pte (new root value) READ pgtable->[mode/root] Reads new root, old mode Updates mode (pgtable->mode += 1) Since Page table level updates are infrequent and already synchronized with a spinlock, implement seqcount to enable lock-free read operations on the read path. Reported-by: Alejandro Jimenez <alejandro.j.jimenez(a)oracle.com> Cc: stable(a)vger.kernel.org Cc: Joao Martins <joao.m.martins(a)oracle.com> Cc: Suravee Suthikulpanit <suravee.suthikulpanit(a)amd.com> Signed-off-by: Vasant Hegde <vasant.hegde(a)amd.com> --- drivers/iommu/amd/amd_iommu_types.h | 1 + drivers/iommu/amd/io_pgtable.c | 25 +++++++++++++++++++++---- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/drivers/iommu/amd/amd_iommu_types.h b/drivers/iommu/amd/amd_iommu_types.h index 5219d7ddfdaa..95f63c5f6159 100644 --- a/drivers/iommu/amd/amd_iommu_types.h +++ b/drivers/iommu/amd/amd_iommu_types.h @@ -555,6 +555,7 @@ struct gcr3_tbl_info { }; struct amd_io_pgtable { + seqcount_t seqcount; /* Protects root/mode update */ struct io_pgtable pgtbl; int mode; u64 *root; diff --git a/drivers/iommu/amd/io_pgtable.c b/drivers/iommu/amd/io_pgtable.c index a91e71f981ef..70c2f5b1631b 100644 --- a/drivers/iommu/amd/io_pgtable.c +++ b/drivers/iommu/amd/io_pgtable.c @@ -17,6 +17,7 @@ #include <linux/slab.h> #include <linux/types.h> #include <linux/dma-mapping.h> +#include <linux/seqlock.h> #include <asm/barrier.h> @@ -130,8 +131,11 @@ static bool increase_address_space(struct amd_io_pgtable *pgtable, *pte = PM_LEVEL_PDE(pgtable->mode, iommu_virt_to_phys(pgtable->root)); + write_seqcount_begin(&pgtable->seqcount); pgtable->root = pte; pgtable->mode += 1; + write_seqcount_end(&pgtable->seqcount); + amd_iommu_update_and_flush_device_table(domain); pte = NULL; @@ -153,6 +157,7 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, { unsigned long last_addr = address + (page_size - 1); struct io_pgtable_cfg *cfg = &pgtable->pgtbl.cfg; + unsigned int seqcount; int level, end_lvl; u64 *pte, *page; @@ -170,8 +175,14 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, } - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + + address = PAGE_SIZE_ALIGN(address, page_size); end_lvl = PAGE_SIZE_LEVEL(page_size); @@ -249,6 +260,7 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, unsigned long *page_size) { int level; + unsigned int seqcount; u64 *pte; *page_size = 0; @@ -256,8 +268,12 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, if (address > PM_LEVEL_SIZE(pgtable->mode)) return NULL; - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + *page_size = PTE_LEVEL_PAGE_SIZE(level); while (level > 0) { @@ -541,6 +557,7 @@ static struct io_pgtable *v1_alloc_pgtable(struct io_pgtable_cfg *cfg, void *coo if (!pgtable->root) return NULL; pgtable->mode = PAGE_MODE_3_LEVEL; + seqcount_init(&pgtable->seqcount); cfg->pgsize_bitmap = amd_iommu_pgsize_bitmap; cfg->ias = IOMMU_IN_ADDR_BIT_SIZE; -- 2.31.1

1 month, 2 weeks

3
5
0 0

[PATCH 0/7 6.12.y] Backport minmax.h updates from v6.17-rc7

by Eliav Farber

This series backports 7 patches to update minmax.h in the 6.12.y branch, aligning it with v6.17-rc7. The ultimate goal is to synchronize all longterm branches so that they include the full set of minmax.h changes. The key motivation is to bring in commit d03eba99f5bf ("minmax: allow min()/max()/clamp() if the arguments have the same signedness"), which is missing in older kernels. In mainline, this change enables min()/max()/clamp() to accept mixed argument types, provided both have the same signedness. Without it, backported patches that use these forms may trigger compiler warnings, which escalate to build failures when -Werror is enabled. David Laight (7): minmax.h: add whitespace around operators and after commas minmax.h: update some comments minmax.h: reduce the #define expansion of min(), max() and clamp() minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp() minmax.h: move all the clamp() definitions after the min/max() ones minmax.h: simplify the variants of clamp() minmax.h: remove some #defines that are only expanded once include/linux/minmax.h | 205 +++++++++++++++++++---------------------- 1 file changed, 95 insertions(+), 110 deletions(-) -- 2.47.3

1 month, 2 weeks

2
9
0 0

FAILED: patch "[PATCH] x86/cpu/topology: Always try cpu_parse_topology_ext() on" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x cba4262a19afae21665ee242b3404bcede5a94d7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025091431-craftily-size-46c6@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From cba4262a19afae21665ee242b3404bcede5a94d7 Mon Sep 17 00:00:00 2001 From: K Prateek Nayak <kprateek.nayak(a)amd.com> Date: Mon, 1 Sep 2025 17:04:15 +0000 Subject: [PATCH] x86/cpu/topology: Always try cpu_parse_topology_ext() on AMD/Hygon Support for parsing the topology on AMD/Hygon processors using CPUID leaf 0xb was added in 3986a0a805e6 ("x86/CPU/AMD: Derive CPU topology from CPUID function 0xB when available"). In an effort to keep all the topology parsing bits in one place, this commit also introduced a pseudo dependency on the TOPOEXT feature to parse the CPUID leaf 0xb. The TOPOEXT feature (CPUID 0x80000001 ECX[22]) advertises the support for Cache Properties leaf 0x8000001d and the CPUID leaf 0x8000001e EAX for "Extended APIC ID" however support for 0xb was introduced alongside the x2APIC support not only on AMD [1], but also historically on x86 [2]. Similar to 0xb, the support for extended CPU topology leaf 0x80000026 too does not depend on the TOPOEXT feature. The support for these leaves is expected to be confirmed by ensuring leaf <= {extended_}cpuid_level and then parsing the level 0 of the respective leaf to confirm EBX[15:0] (LogProcAtThisLevel) is non-zero as stated in the definition of "CPUID_Fn0000000B_EAX_x00 [Extended Topology Enumeration] (Core::X86::Cpuid::ExtTopEnumEax0)" in Processor Programming Reference (PPR) for AMD Family 19h Model 01h Rev B1 Vol1 [3] Sec. 2.1.15.1 "CPUID Instruction Functions". This has not been a problem on baremetal platforms since support for TOPOEXT (Fam 0x15 and later) predates the support for CPUID leaf 0xb (Fam 0x17[Zen2] and later), however, for AMD guests on QEMU, the "x2apic" feature can be enabled independent of the "topoext" feature where QEMU expects topology and the initial APICID to be parsed using the CPUID leaf 0xb (especially when number of cores > 255) which is populated independent of the "topoext" feature flag. Unconditionally call cpu_parse_topology_ext() on AMD and Hygon processors to first parse the topology using the XTOPOLOGY leaves (0x80000026 / 0xb) before using the TOPOEXT leaf (0x8000001e). While at it, break down the single large comment in parse_topology_amd() to better highlight the purpose of each CPUID leaf. Fixes: 3986a0a805e6 ("x86/CPU/AMD: Derive CPU topology from CPUID function 0xB when available") Suggested-by: Naveen N Rao (AMD) <naveen(a)kernel.org> Signed-off-by: K Prateek Nayak <kprateek.nayak(a)amd.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Cc: stable(a)vger.kernel.org # Only v6.9 and above; depends on x86 topology rewrite Link: https://lore.kernel.org/lkml/1529686927-7665-1-git-send-email-suravee.suthi… [1] Link: https://lore.kernel.org/lkml/20080818181435.523309000@linux-os.sc.intel.com/ [2] Link: https://bugzilla.kernel.org/show_bug.cgi?id=206537 [3] diff --git a/arch/x86/kernel/cpu/topology_amd.c b/arch/x86/kernel/cpu/topology_amd.c index 827dd0dbb6e9..c79ebbb639cb 100644 --- a/arch/x86/kernel/cpu/topology_amd.c +++ b/arch/x86/kernel/cpu/topology_amd.c @@ -175,27 +175,30 @@ static void topoext_fixup(struct topo_scan *tscan) static void parse_topology_amd(struct topo_scan *tscan) { - bool has_topoext = false; - /* - * If the extended topology leaf 0x8000_001e is available - * try to get SMT, CORE, TILE, and DIE shifts from extended + * Try to get SMT, CORE, TILE, and DIE shifts from extended * CPUID leaf 0x8000_0026 on supported processors first. If * extended CPUID leaf 0x8000_0026 is not supported, try to - * get SMT and CORE shift from leaf 0xb first, then try to - * get the CORE shift from leaf 0x8000_0008. + * get SMT and CORE shift from leaf 0xb. If either leaf is + * available, cpu_parse_topology_ext() will return true. */ - if (cpu_feature_enabled(X86_FEATURE_TOPOEXT)) - has_topoext = cpu_parse_topology_ext(tscan); + bool has_xtopology = cpu_parse_topology_ext(tscan); if (cpu_feature_enabled(X86_FEATURE_AMD_HTR_CORES)) tscan->c->topo.cpu_type = cpuid_ebx(0x80000026); - if (!has_topoext && !parse_8000_0008(tscan)) + /* + * If XTOPOLOGY leaves (0x26/0xb) are not available, try to + * get the CORE shift from leaf 0x8000_0008 first. + */ + if (!has_xtopology && !parse_8000_0008(tscan)) return; - /* Prefer leaf 0x8000001e if available */ - if (parse_8000_001e(tscan, has_topoext)) + /* + * Prefer leaf 0x8000001e if available to get the SMT shift and + * the initial APIC ID if XTOPOLOGY leaves are not available. + */ + if (parse_8000_001e(tscan, has_xtopology)) return; /* Try the NODEID MSR */

1 month, 2 weeks

3
4
0 0

[PATCH v2] media: pci: intel: ivsc: fix error handling in mei_ace driver

by Ma Ke

The mei_ace driver contains a device reference count leak in mei_ace_setup_dev_link() where device_find_child_by_name() increases the reference count of the found device but this reference is not properly decreased in the success path. Add put_device() in mei_ace_setup_dev_link() and delete put_device() in mei_ace_remove(), which ensures that the reference count of the device is correctly managed regardless of whether the probe is successful or fails. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 78876f71b3e9 ("media: pci: intel: ivsc: Add ACE submodule") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - modified the put_device() operations and the patch title as suggestions. --- drivers/media/pci/intel/ivsc/mei_ace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/pci/intel/ivsc/mei_ace.c b/drivers/media/pci/intel/ivsc/mei_ace.c index 98310b8511b1..bb57656fc85a 100644 --- a/drivers/media/pci/intel/ivsc/mei_ace.c +++ b/drivers/media/pci/intel/ivsc/mei_ace.c @@ -420,6 +420,7 @@ static int mei_ace_setup_dev_link(struct mei_ace *ace) goto err_put; } + put_device(csi_dev); ace->csi_dev = csi_dev; return 0; @@ -522,7 +523,6 @@ static void mei_ace_remove(struct mei_cl_device *cldev) cancel_work_sync(&ace->work); device_link_del(ace->csi_link); - put_device(ace->csi_dev); pm_runtime_disable(&cldev->dev); pm_runtime_set_suspended(&cldev->dev); -- 2.17.1

1 month, 2 weeks

2
1
0 0

[PATCH 00/15 v6.6.y] Backport minmax.h updates from v6.17-rc7

by Eliav Farber

This series backports 15 patches to update minmax.h in the 6.6.y branch, aligning it with v6.17-rc7. The ultimate goal is to synchronize all longterm branches so that they include the full set of minmax.h changes. The key motivation is to bring in commit d03eba99f5bf ("minmax: allow min()/max()/clamp() if the arguments have the same signedness"), which is missing in older kernels. In mainline, this change enables min()/max()/clamp() to accept mixed argument types, provided both have the same signedness. Without it, backported patches that use these forms may trigger compiler warnings, which escalate to build failures when -Werror is enabled. David Laight (7): minmax.h: add whitespace around operators and after commas minmax.h: update some comments minmax.h: reduce the #define expansion of min(), max() and clamp() minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp() minmax.h: move all the clamp() definitions after the min/max() ones minmax.h: simplify the variants of clamp() minmax.h: remove some #defines that are only expanded once Linus Torvalds (8): minmax: avoid overly complicated constant expressions in VM code minmax: simplify and clarify min_t()/max_t() implementation minmax: add a few more MIN_T/MAX_T users minmax: make generic MIN() and MAX() macros available everywhere minmax: simplify min()/max()/clamp() implementation minmax: don't use max() in situations that want a C constant expression minmax: improve macro expansion and type checking minmax: fix up min3() and max3() too arch/um/drivers/mconsole_user.c | 2 + arch/x86/mm/pgtable.c | 2 +- drivers/edac/sb_edac.c | 4 +- drivers/edac/skx_common.h | 1 - .../drm/amd/display/modules/hdcp/hdcp_ddc.c | 2 + .../drm/amd/pm/powerplay/hwmgr/ppevvmath.h | 14 +- drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 2 +- drivers/gpu/drm/drm_color_mgmt.c | 2 +- drivers/gpu/drm/radeon/evergreen_cs.c | 2 + drivers/hwmon/adt7475.c | 24 +- drivers/input/touchscreen/cyttsp4_core.c | 2 +- drivers/irqchip/irq-sun6i-r.c | 2 +- drivers/md/dm-integrity.c | 6 +- drivers/media/dvb-frontends/stv0367_priv.h | 3 + .../net/can/usb/etas_es58x/es58x_devlink.c | 2 +- .../net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- drivers/net/fjes/fjes_main.c | 4 +- drivers/nfc/pn544/i2c.c | 2 - drivers/platform/x86/sony-laptop.c | 1 - drivers/scsi/isci/init.c | 6 +- .../pci/hive_isp_css_include/math_support.h | 5 - fs/btrfs/tree-checker.c | 2 +- include/linux/compiler.h | 9 + include/linux/minmax.h | 228 +++++++++++------- include/linux/pageblock-flags.h | 2 +- kernel/trace/preemptirq_delay_test.c | 2 - lib/btree.c | 1 - lib/decompress_unlzma.c | 2 + lib/vsprintf.c | 2 +- mm/zsmalloc.c | 2 - net/ipv4/proc.c | 2 +- net/ipv6/proc.c | 2 +- tools/testing/selftests/mm/mremap_test.c | 2 + tools/testing/selftests/seccomp/seccomp_bpf.c | 2 + 34 files changed, 202 insertions(+), 146 deletions(-) -- 2.47.3

1 month, 2 weeks

1
15
0 0

[PATCH v3] fs/proc/task_mmu: check p->vec_buf for NULL

by Jakub Acs

When PAGEMAP_SCAN ioctl invoked with vec_len = 0 reaches pagemap_scan_backout_range(), kernel panics with null-ptr-deref: [ 44.936808] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 44.937797] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 44.938391] CPU: 1 UID: 0 PID: 2480 Comm: reproducer Not tainted 6.17.0-rc6 #22 PREEMPT(none) [ 44.939062] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 44.939935] RIP: 0010:pagemap_scan_thp_entry.isra.0+0x741/0xa80 <snip registers, unreliable trace> [ 44.946828] Call Trace: [ 44.947030] <TASK> [ 44.949219] pagemap_scan_pmd_entry+0xec/0xfa0 [ 44.952593] walk_pmd_range.isra.0+0x302/0x910 [ 44.954069] walk_pud_range.isra.0+0x419/0x790 [ 44.954427] walk_p4d_range+0x41e/0x620 [ 44.954743] walk_pgd_range+0x31e/0x630 [ 44.955057] __walk_page_range+0x160/0x670 [ 44.956883] walk_page_range_mm+0x408/0x980 [ 44.958677] walk_page_range+0x66/0x90 [ 44.958984] do_pagemap_scan+0x28d/0x9c0 [ 44.961833] do_pagemap_cmd+0x59/0x80 [ 44.962484] __x64_sys_ioctl+0x18d/0x210 [ 44.962804] do_syscall_64+0x5b/0x290 [ 44.963111] entry_SYSCALL_64_after_hwframe+0x76/0x7e vec_len = 0 in pagemap_scan_init_bounce_buffer() means no buffers are allocated and p->vec_buf remains set to NULL. This breaks an assumption made later in pagemap_scan_backout_range(), that page_region is always allocated for p->vec_buf_index. Fix it by explicitly checking p->vec_buf for NULL before dereferencing. Other sites that might run into same deref-issue are already (directly or transitively) protected by checking p->vec_buf. Note: From PAGEMAP_SCAN man page, it seems vec_len = 0 is valid when no output is requested and it's only the side effects caller is interested in, hence it passes check in pagemap_scan_get_args(). This issue was found by syzkaller. Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs") Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Jinjiang Tu <tujinjiang(a)huawei.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Penglei Jiang <superman.xpt(a)gmail.com> Cc: Mark Brown <broonie(a)kernel.org> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Andrei Vagin <avagin(a)gmail.com> Cc: "Michał Mirosław" <mirq-linux(a)rere.qmqm.pl> Cc: Stephen Rothwell <sfr(a)canb.auug.org.au> Cc: Muhammad Usama Anjum <usama.anjum(a)collabora.com> Cc: linux-kernel(a)vger.kernel.org Cc: linux-fsdevel(a)vger.kernel.org Cc: stable(a)vger.kernel.org --- v1 -> v2: check p->vec_buf instead of cur_buf v2 -> v3: fix commit title v1: https://lore.kernel.org/all/20250919142106.43527-1-acsjakub@amazon.de/ v2: https://lore.kernel.org/all/20250922081713.77303-1-acsjakub@amazon.de/ fs/proc/task_mmu.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c index 29cca0e6d0ff..b26ae556b446 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -2417,6 +2417,9 @@ static void pagemap_scan_backout_range(struct pagemap_scan_private *p, { struct page_region *cur_buf = &p->vec_buf[p->vec_buf_index]; + if (!p->vec_buf) + return; + if (cur_buf->start != addr) cur_buf->end = addr; else -- 2.47.3 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christian Schlaeger Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597

1 month, 2 weeks

3
2
0 0

[PATCH] fs/proc/task_mmu: check cur_buf for NULL

by Jakub Acs

When PAGEMAP_SCAN ioctl invoked with vec_len = 0 reaches pagemap_scan_backout_range(), kernel panics with null-ptr-deref: [ 44.936808] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 44.937797] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 44.938391] CPU: 1 UID: 0 PID: 2480 Comm: reproducer Not tainted 6.17.0-rc6 #22 PREEMPT(none) [ 44.939062] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 44.939935] RIP: 0010:pagemap_scan_thp_entry.isra.0+0x741/0xa80 <snip registers, unreliable trace> [ 44.946828] Call Trace: [ 44.947030] <TASK> [ 44.949219] pagemap_scan_pmd_entry+0xec/0xfa0 [ 44.952593] walk_pmd_range.isra.0+0x302/0x910 [ 44.954069] walk_pud_range.isra.0+0x419/0x790 [ 44.954427] walk_p4d_range+0x41e/0x620 [ 44.954743] walk_pgd_range+0x31e/0x630 [ 44.955057] __walk_page_range+0x160/0x670 [ 44.956883] walk_page_range_mm+0x408/0x980 [ 44.958677] walk_page_range+0x66/0x90 [ 44.958984] do_pagemap_scan+0x28d/0x9c0 [ 44.961833] do_pagemap_cmd+0x59/0x80 [ 44.962484] __x64_sys_ioctl+0x18d/0x210 [ 44.962804] do_syscall_64+0x5b/0x290 [ 44.963111] entry_SYSCALL_64_after_hwframe+0x76/0x7e vec_len = 0 in pagemap_scan_init_bounce_buffer() means no buffers are allocated and p->vec_buf remains set to NULL. This breaks an assumption made later in pagemap_scan_backout_range(), that page_region is always allocated for p->vec_buf_index. Fix it by explicitly checking cur_buf for NULL before dereferencing. Other sites that might run into same deref-issue are already (directly or transitively) protected by checking p->vec_buf. Note: From PAGEMAP_SCAN man page, it seems vec_len = 0 is valid when no output is requested and it's only the side effects caller is interested in, hence it passes check in pagemap_scan_get_args(). This issue was found by syzkaller. Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs") Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Jinjiang Tu <tujinjiang(a)huawei.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Penglei Jiang <superman.xpt(a)gmail.com> Cc: Mark Brown <broonie(a)kernel.org> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Andrei Vagin <avagin(a)gmail.com> Cc: "Michał Mirosław" <mirq-linux(a)rere.qmqm.pl> Cc: Stephen Rothwell <sfr(a)canb.auug.org.au> Cc: Muhammad Usama Anjum <usama.anjum(a)collabora.com> linux-kernel(a)vger.kernel.org linux-fsdevel(a)vger.kernel.org Cc: stable(a)vger.kernel.org Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> --- fs/proc/task_mmu.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c index 29cca0e6d0ff..8c10a8135e74 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -2417,6 +2417,9 @@ static void pagemap_scan_backout_range(struct pagemap_scan_private *p, { struct page_region *cur_buf = &p->vec_buf[p->vec_buf_index]; + if (!cur_buf) + return; + if (cur_buf->start != addr) cur_buf->end = addr; else -- 2.47.3 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christian Schlaeger Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597

1 month, 2 weeks

3
4
0 0

Fruit Attraction 2025 Contacts — Now 20% OFF

by Natalie Foster

Hi, We’re offering verified business contact data for the upcoming Fruit Attraction 2025 (FA), tailored for effective outreach before and after the event. Place:  Madrid, Spain Date:SEP 30 - OCT 02, 2025 Contact Overview: 1,01,351 Attendees 2,179 Exhibiting Companies 6,537 Verified Exhibitor Contacts Total: 107,885 Business Contacts Each entry includes: Name, Job Title, Company, Website, Address, Phone, Official Email, LinkedIn Profile, and more. 100% GDPR-compliant Data with 20% Off Now. If you'd like more details, just reply: “Send me pricing” Best regards, Natalie Foster Sr. Marketing Manager To opt out reply “Not Interested.”

1 month, 2 weeks

1
0
0 0

[PATCH v2] ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()

by Ma Ke

wcd934x_codec_parse_data() contains a device reference count leak in of_slim_get_device() where device_find_child() increases the reference count of the device but this reference is not properly decreased in the success path. Add put_device() in wcd934x_codec_parse_data() and add devm_add_action_or_reset() in the probe function, which ensures that the reference count of the device is correctly managed. Memory leak in regmap_init_slimbus() as the allocated regmap is not released when the device is removed. Using devm_regmap_init_slimbus() instead of regmap_init_slimbus() to ensure automatic regmap cleanup on device removal. Calling path: of_slim_get_device() -> of_find_slim_device() -> device_find_child(). As comment of device_find_child() says, 'NOTE: you will need to drop the reference with put_device() after use.'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: a61f3b4f476e ("ASoC: wcd934x: add support to wcd9340/wcd9341 codec") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - modified the handling in the success path and fixed the memory leak for regmap as suggestions. --- sound/soc/codecs/wcd934x.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/sound/soc/codecs/wcd934x.c b/sound/soc/codecs/wcd934x.c index 1bb7e1dc7e6b..b472320d1ca4 100644 --- a/sound/soc/codecs/wcd934x.c +++ b/sound/soc/codecs/wcd934x.c @@ -5847,11 +5847,13 @@ static int wcd934x_codec_parse_data(struct wcd934x_codec *wcd) return dev_err_probe(dev, -EINVAL, "Unable to get SLIM Interface device\n"); slim_get_logical_addr(wcd->sidev); - wcd->if_regmap = regmap_init_slimbus(wcd->sidev, + wcd->if_regmap = devm_regmap_init_slimbus(wcd->sidev, &wcd934x_ifc_regmap_config); - if (IS_ERR(wcd->if_regmap)) + if (IS_ERR(wcd->if_regmap)) { + put_device(&wcd->sidev->dev); return dev_err_probe(dev, PTR_ERR(wcd->if_regmap), "Failed to allocate ifc register map\n"); + } of_property_read_u32(dev->parent->of_node, "qcom,dmic-sample-rate", &wcd->dmic_sample_rate); @@ -5893,6 +5895,10 @@ static int wcd934x_codec_probe(struct platform_device *pdev) if (ret) return ret; + ret = devm_add_action_or_reset(dev, (void (*)(void *))put_device, &wcd->sidev->dev); + if (ret) + return ret; + /* set default rate 9P6MHz */ regmap_update_bits(wcd->regmap, WCD934X_CODEC_RPM_CLK_MCLK_CFG, WCD934X_CODEC_RPM_CLK_MCLK_CFG_MCLK_MASK, -- 2.17.1

1 month, 2 weeks

2
1
0 0

[PATCH net v1 1/1] net: usb: asix: forbid runtime PM to avoid PM/MDIO + RTNL deadlock

by Oleksij Rempel

Forbid USB runtime PM (autosuspend) for AX88772* in bind. usbnet enables runtime PM by default in probe, so disabling it via the usb_driver flag is ineffective. For AX88772B, autosuspend shows no measurable power saving in my tests (no link partner, admin up/down). The ~0.453 W -> ~0.248 W reduction on 6.1 comes from phylib powering the PHY off on admin-down, not from USB autosuspend. With autosuspend active, resume paths may require calling phylink/phylib (caller must hold RTNL) and doing MDIO I/O. Taking RTNL from a USB PM resume can deadlock (RTNL may already be held), and MDIO can attempt a runtime-wake while the USB PM lock is held. Given the lack of benefit and poor test coverage (autosuspend is usually disabled by default in distros), forbid runtime PM here to avoid these hazards. This affects only AX88772* devices (per-interface in bind). System sleep/resume is unchanged. Fixes: 4a2c7217cd5a ("net: usb: asix: ax88772: manage PHY PM from MAC") Reported-by: Hubert Wiśniewski <hubert.wisniewski.25632(a)gmail.com> Closes: https://lore.kernel.org/all/20220622141638.GE930160@montezuma.acc.umu.se Reported-by: Marek Szyprowski <m.szyprowski(a)samsung.com> Closes: https://lore.kernel.org/all/b5ea8296-f981-445d-a09a-2f389d7f6fdd@samsung.com Cc: stable(a)vger.kernel.org Signed-off-by: Oleksij Rempel <o.rempel(a)pengutronix.de> --- Link to the measurement results: https://lore.kernel.org/all/aMkPMa650kfKfmF4@pengutronix.de/ --- drivers/net/usb/asix_devices.c | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c index 792ddda1ad49..0d341d7e6154 100644 --- a/drivers/net/usb/asix_devices.c +++ b/drivers/net/usb/asix_devices.c @@ -625,6 +625,22 @@ static void ax88772_suspend(struct usbnet *dev) asix_read_medium_status(dev, 1)); } +/* + * Notes on PM callbacks and locking context: + * + * - asix_suspend()/asix_resume() are invoked for both runtime PM and + * system-wide suspend/resume. For struct usb_driver the ->resume() + * callback does not receive pm_message_t, so the resume type cannot + * be distinguished here. + * + * - The MAC driver must hold RTNL when calling phylink interfaces such as + * phylink_suspend()/resume(). Those calls will also perform MDIO I/O. + * + * - Taking RTNL and doing MDIO from a runtime-PM resume callback (while + * the USB PM lock is held) is fragile. Since autosuspend brings no + * measurable power saving for this device with current driver version, it is + * disabled below. + */ static int asix_suspend(struct usb_interface *intf, pm_message_t message) { struct usbnet *dev = usb_get_intfdata(intf); @@ -919,6 +935,16 @@ static int ax88772_bind(struct usbnet *dev, struct usb_interface *intf) if (ret) goto initphy_err; + /* Disable USB runtime PM (autosuspend) for this interface. + * Rationale: + * - No measurable power saving from autosuspend for this device. + * - phylink/phylib calls require caller-held RTNL and do MDIO I/O, + * which is unsafe from USB PM resume paths (possible RTNL already + * held, USB PM lock held). + * System suspend/resume is unaffected. + */ + pm_runtime_forbid(&intf->dev); + return 0; initphy_err: @@ -948,6 +974,10 @@ static void ax88772_unbind(struct usbnet *dev, struct usb_interface *intf) phylink_destroy(priv->phylink); ax88772_mdio_unregister(priv); asix_rx_fixup_common_free(dev->driver_priv); + /* Re-allow runtime PM on disconnect for tidiness. The interface + * goes away anyway, but this balances forbid for debug sanity. + */ + pm_runtime_allow(&intf->dev); } static void ax88178_unbind(struct usbnet *dev, struct usb_interface *intf) @@ -1600,6 +1630,10 @@ static struct usb_driver asix_driver = { .resume = asix_resume, .reset_resume = asix_resume, .disconnect = usbnet_disconnect, + /* usbnet will force supports_autosuspend=1; we explicitly forbid RPM + * per-interface in bind to keep autosuspend disabled for this driver + * by using pm_runtime_forbid(). + */ .supports_autosuspend = 1, .disable_hub_initiated_lpm = 1, }; -- 2.47.3

1 month, 2 weeks

5
9
0 0

[PATCH] tee: fix register_shm_helper()

by Jens Wiklander

In register_shm_helper(), fix incorrect error handling for a call to iov_iter_extract_pages(). A case is missing for when iov_iter_extract_pages() only got some pages and return a number larger than 0, but not the requested amount. This fixes a possible NULL pointer dereference following a bad input from ioctl(TEE_IOC_SHM_REGISTER) where parts of the buffer isn't mapped. Cc: stable(a)vger.kernel.org Reported-by: Masami Ichikawa <masami256(a)gmail.com> Closes: https://lore.kernel.org/op-tee/CACOXgS-Bo2W72Nj1_44c7bntyNYOavnTjJAvUbEiQfq… Fixes: 7bdee4157591 ("tee: Use iov_iter to better support shared buffer registration") Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org> --- drivers/tee/tee_shm.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index daf6e5cfd59a..6ed7d030f4ed 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -316,7 +316,16 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags, len = iov_iter_extract_pages(iter, &shm->pages, LONG_MAX, num_pages, 0, &off); - if (unlikely(len <= 0)) { + if (DIV_ROUND_UP(len + off, PAGE_SIZE) != num_pages) { + if (len > 0) { + /* + * If we only got a few pages, update to release + * the correct amount below. + */ + shm->num_pages = len / PAGE_SIZE; + ret = ERR_PTR(-ENOMEM); + goto err_put_shm_pages; + } ret = len ? ERR_PTR(len) : ERR_PTR(-ENOMEM); goto err_free_shm_pages; } -- 2.43.0

1 month, 2 weeks

3
3
0 0

[PATCH] staging: gpib: Fix device reference leak in fmh_gpib driver

by Ma Ke

The fmh_gpib driver contains a device reference count leak in fmh_gpib_attach_impl() where driver_find_device() increases the reference count of the device by get_device() when matching but this reference is not properly decreased. Add put_device() in fmh_gpib_attach_impl() and add put_device() in fmh_gpib_detach(), which ensures that the reference count of the device is correctly managed. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 8e4841a0888c ("staging: gpib: Add Frank Mori Hess FPGA PCI GPIB driver") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/staging/gpib/fmh_gpib/fmh_gpib.c | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/drivers/staging/gpib/fmh_gpib/fmh_gpib.c b/drivers/staging/gpib/fmh_gpib/fmh_gpib.c index 4138f3d2bae7..245c8fe87eaa 100644 --- a/drivers/staging/gpib/fmh_gpib/fmh_gpib.c +++ b/drivers/staging/gpib/fmh_gpib/fmh_gpib.c @@ -1395,14 +1395,17 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar pdev = to_platform_device(board->dev); retval = fmh_gpib_generic_attach(board); - if (retval) + if (retval) { + put_device(board->dev); return retval; + } e_priv = board->private_data; nec_priv = &e_priv->nec7210_priv; res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "gpib_control_status"); if (!res) { + put_device(board->dev); dev_err(board->dev, "Unable to locate mmio resource\n"); return -ENODEV; } @@ -1410,6 +1413,7 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar if (request_mem_region(res->start, resource_size(res), pdev->name) == NULL) { + put_device(board->dev); dev_err(board->dev, "cannot claim registers\n"); return -ENXIO; } @@ -1418,6 +1422,7 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar nec_priv->mmiobase = ioremap(e_priv->gpib_iomem_res->start, resource_size(e_priv->gpib_iomem_res)); if (!nec_priv->mmiobase) { + put_device(board->dev); dev_err(board->dev, "Could not map I/O memory\n"); return -ENOMEM; } @@ -1426,12 +1431,14 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "dma_fifos"); if (!res) { + put_device(board->dev); dev_err(board->dev, "Unable to locate mmio resource for gpib dma port\n"); return -ENODEV; } if (request_mem_region(res->start, resource_size(res), pdev->name) == NULL) { + put_device(board->dev); dev_err(board->dev, "cannot claim registers\n"); return -ENXIO; } @@ -1439,6 +1446,7 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar e_priv->fifo_base = ioremap(e_priv->dma_port_res->start, resource_size(e_priv->dma_port_res)); if (!e_priv->fifo_base) { + put_device(board->dev); dev_err(board->dev, "Could not map I/O memory for fifos\n"); return -ENOMEM; } @@ -1447,10 +1455,14 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar (unsigned long)resource_size(e_priv->dma_port_res)); irq = platform_get_irq(pdev, 0); - if (irq < 0) + if (irq < 0) { + put_device(board->dev); return -EBUSY; + } + retval = request_irq(irq, fmh_gpib_interrupt, IRQF_SHARED, pdev->name, board); if (retval) { + put_device(board->dev); dev_err(board->dev, "cannot register interrupt handler err=%d\n", retval); @@ -1461,6 +1473,7 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar if (acquire_dma) { e_priv->dma_channel = dma_request_slave_channel(board->dev, "rxtx"); if (!e_priv->dma_channel) { + put_device(board->dev); dev_err(board->dev, "failed to acquire dma channel \"rxtx\".\n"); return -EIO; } @@ -1517,6 +1530,12 @@ void fmh_gpib_detach(struct gpib_board *board) resource_size(e_priv->gpib_iomem_res)); } fmh_gpib_generic_detach(board); + + if (board->dev) { + dev_set_drvdata(board->dev, NULL); + put_device(board->dev); + board->dev = NULL; + } } static int fmh_gpib_pci_attach_impl(struct gpib_board *board, -- 2.17.1

1 month, 2 weeks

2
1
0 0

[PATCH 2/2] eventpoll: Fix epoll_wait() report false negative

by Nam Cao

ep_events_available() checks for available events by looking at ep->rdllist and ep->ovflist. However, this is done without a lock, therefore the returned value is not reliable. Because it is possible that both checks on ep->rdllist and ep->ovflist are false while ep_start_scan() or ep_done_scan() is being executed on other CPUs, despite events are available. This bug can be observed by: 1. Create an eventpoll with at least one ready level-triggered event 2. Create multiple threads who do epoll_wait() with zero timeout. The threads do not consume the events, therefore all epoll_wait() should return at least one event. If one thread is executing ep_events_available() while another thread is executing ep_start_scan() or ep_done_scan(), epoll_wait() may wrongly return no event for the former thread. This reproducer is implemented as TEST(epoll65) in tools/testing/selftests/filesystems/epoll/epoll_wakeup_test.c Fix it by skipping ep_events_available(), just call ep_try_send_events() directly. epoll_sendevents() (io_uring) suffers the same problem, fix that as well. There is still ep_busy_loop() who uses ep_events_available() without lock, but it is probably okay (?) for busy-polling. Fixes: c5a282e9635e ("fs/epoll: reduce the scope of wq lock in epoll_wait()") Fixes: e59d3c64cba6 ("epoll: eliminate unnecessary lock for zero timeout") Fixes: ae3a4f1fdc2c ("eventpoll: add epoll_sendevents() helper") Signed-off-by: Nam Cao <namcao(a)linutronix.de> Cc: stable(a)vger.kernel.org --- fs/eventpoll.c | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/fs/eventpoll.c b/fs/eventpoll.c index 0fbf5dfedb24..541481eafc20 100644 --- a/fs/eventpoll.c +++ b/fs/eventpoll.c @@ -2022,7 +2022,7 @@ static int ep_schedule_timeout(ktime_t *to) static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events, int maxevents, struct timespec64 *timeout) { - int res, eavail, timed_out = 0; + int res, eavail = 1, timed_out = 0; u64 slack = 0; wait_queue_entry_t wait; ktime_t expires, *to = NULL; @@ -2041,16 +2041,6 @@ static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events, timed_out = 1; } - /* - * This call is racy: We may or may not see events that are being added - * to the ready list under the lock (e.g., in IRQ callbacks). For cases - * with a non-zero timeout, this thread will check the ready list under - * lock and will add to the wait queue. For cases with a zero - * timeout, the user by definition should not care and will have to - * recheck again. - */ - eavail = ep_events_available(ep); - while (1) { if (eavail) { res = ep_try_send_events(ep, events, maxevents); @@ -2496,9 +2486,7 @@ int epoll_sendevents(struct file *file, struct epoll_event __user *events, * Racy call, but that's ok - it should get retried based on * poll readiness anyway. */ - if (ep_events_available(ep)) - return ep_try_send_events(ep, events, maxevents); - return 0; + return ep_try_send_events(ep, events, maxevents); } /* -- 2.39.5

1 month, 2 weeks

5
12
0 0

FAILED: patch "[PATCH] io_uring: include dying ring in task_work "should cancel"" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 3539b1467e94336d5854ebf976d9627bfb65d6c3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092127-synthetic-squash-4d57@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 3539b1467e94336d5854ebf976d9627bfb65d6c3 Mon Sep 17 00:00:00 2001 From: Jens Axboe <axboe(a)kernel.dk> Date: Thu, 18 Sep 2025 10:21:14 -0600 Subject: [PATCH] io_uring: include dying ring in task_work "should cancel" state When running task_work for an exiting task, rather than perform the issue retry attempt, the task_work is canceled. However, this isn't done for a ring that has been closed. This can lead to requests being successfully completed post the ring being closed, which is somewhat confusing and surprising to an application. Rather than just check the task exit state, also include the ring ref state in deciding whether or not to terminate a given request when run from task_work. Cc: stable(a)vger.kernel.org # 6.1+ Link: https://github.com/axboe/liburing/discussions/1459 Reported-by: Benedek Thaler <thaler(a)thaler.hu> Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 93633613a165..bcec12256f34 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -1406,8 +1406,10 @@ static void io_req_task_cancel(struct io_kiocb *req, io_tw_token_t tw) void io_req_task_submit(struct io_kiocb *req, io_tw_token_t tw) { - io_tw_lock(req->ctx, tw); - if (unlikely(io_should_terminate_tw())) + struct io_ring_ctx *ctx = req->ctx; + + io_tw_lock(ctx, tw); + if (unlikely(io_should_terminate_tw(ctx))) io_req_defer_failed(req, -EFAULT); else if (req->flags & REQ_F_FORCE_ASYNC) io_queue_iowq(req); diff --git a/io_uring/io_uring.h b/io_uring/io_uring.h index abc6de227f74..1880902be6fd 100644 --- a/io_uring/io_uring.h +++ b/io_uring/io_uring.h @@ -476,9 +476,9 @@ static inline bool io_allowed_run_tw(struct io_ring_ctx *ctx) * 2) PF_KTHREAD is set, in which case the invoker of the task_work is * our fallback task_work. */ -static inline bool io_should_terminate_tw(void) +static inline bool io_should_terminate_tw(struct io_ring_ctx *ctx) { - return current->flags & (PF_KTHREAD | PF_EXITING); + return (current->flags & (PF_KTHREAD | PF_EXITING)) || percpu_ref_is_dying(&ctx->refs); } static inline void io_req_queue_tw_complete(struct io_kiocb *req, s32 res) diff --git a/io_uring/poll.c b/io_uring/poll.c index c786e587563b..6090a26975d4 100644 --- a/io_uring/poll.c +++ b/io_uring/poll.c @@ -224,7 +224,7 @@ static int io_poll_check_events(struct io_kiocb *req, io_tw_token_t tw) { int v; - if (unlikely(io_should_terminate_tw())) + if (unlikely(io_should_terminate_tw(req->ctx))) return -ECANCELED; do { diff --git a/io_uring/timeout.c b/io_uring/timeout.c index 7f13bfa9f2b6..17e3aab0af36 100644 --- a/io_uring/timeout.c +++ b/io_uring/timeout.c @@ -324,7 +324,7 @@ static void io_req_task_link_timeout(struct io_kiocb *req, io_tw_token_t tw) int ret; if (prev) { - if (!io_should_terminate_tw()) { + if (!io_should_terminate_tw(req->ctx)) { struct io_cancel_data cd = { .ctx = req->ctx, .data = prev->cqe.user_data, diff --git a/io_uring/uring_cmd.c b/io_uring/uring_cmd.c index 053bac89b6c0..213716e10d70 100644 --- a/io_uring/uring_cmd.c +++ b/io_uring/uring_cmd.c @@ -118,7 +118,7 @@ static void io_uring_cmd_work(struct io_kiocb *req, io_tw_token_t tw) struct io_uring_cmd *ioucmd = io_kiocb_to_cmd(req, struct io_uring_cmd); unsigned int flags = IO_URING_F_COMPLETE_DEFER; - if (io_should_terminate_tw()) + if (io_should_terminate_tw(req->ctx)) flags |= IO_URING_F_TASK_DEAD; /* task_work executor checks the deffered list completion */

1 month, 2 weeks

3
4
0 0

[PATCH] media: pci: intel: ivsc: fix error handling in scan_one_device()

by Ma Ke

The mei_ace driver contains a device reference count leak in mei_ace_setup_dev_link() where device_find_child_by_name() increases the reference count of the found device but this reference is not properly decreased in the success path. Add put_device() in mei_ace_setup_dev_link() and delete put_device() in mei_ace_remove(), which ensures that the reference count of the device is correctly managed regardless of whether the probe is successful or fails. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 78876f71b3e9 ("media: pci: intel: ivsc: Add ACE submodule") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/media/pci/intel/ivsc/mei_ace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/pci/intel/ivsc/mei_ace.c b/drivers/media/pci/intel/ivsc/mei_ace.c index 98310b8511b1..261b30788118 100644 --- a/drivers/media/pci/intel/ivsc/mei_ace.c +++ b/drivers/media/pci/intel/ivsc/mei_ace.c @@ -421,6 +421,7 @@ static int mei_ace_setup_dev_link(struct mei_ace *ace) } ace->csi_dev = csi_dev; + put_device(csi_dev); return 0; @@ -522,7 +523,6 @@ static void mei_ace_remove(struct mei_cl_device *cldev) cancel_work_sync(&ace->work); device_link_del(ace->csi_link); - put_device(ace->csi_dev); pm_runtime_disable(&cldev->dev); pm_runtime_set_suspended(&cldev->dev); -- 2.17.1

1 month, 2 weeks

2
1
0 0

[PATCH] riscv: Use an atomic xchg in pudp_huge_get_and_clear()

by Alexandre Ghiti

Make sure we return the right pud value and not a value that could have been overwritten in between by a different core. Fixes: c3cc2a4a3a23 ("riscv: Add support for PUD THP") Cc: stable(a)vger.kernel.org Signed-off-by: Alexandre Ghiti <alexghiti(a)rivosinc.com> --- Note that this will conflict with https://lore.kernel.org/linux-riscv/20250625063753.77511-1-ajd@linux.ibm.co… if applied after 6.17. --- arch/riscv/include/asm/pgtable.h | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h index 91697fbf1f9013005800f713797e4b6b1fc8d312..e69346307e78608dd98d8b7a77b7063c333448ee 100644 --- a/arch/riscv/include/asm/pgtable.h +++ b/arch/riscv/include/asm/pgtable.h @@ -942,6 +942,17 @@ static inline int pudp_test_and_clear_young(struct vm_area_struct *vma, return ptep_test_and_clear_young(vma, address, (pte_t *)pudp); } +#define __HAVE_ARCH_PUDP_HUGE_GET_AND_CLEAR +static inline pud_t pudp_huge_get_and_clear(struct mm_struct *mm, + unsigned long address, pud_t *pudp) +{ + pud_t pud = __pud(atomic_long_xchg((atomic_long_t *)pudp, 0)); + + page_table_check_pud_clear(mm, pud); + + return pud; +} + static inline int pud_young(pud_t pud) { return pte_young(pud_pte(pud)); --- base-commit: 62950c35a515743739e3d863eac25c20a5bd1613 change-id: 20250814-dev-alex-thp_pud_xchg-8153c313d946 Best regards, -- Alexandre Ghiti <alexghiti(a)rivosinc.com>

1 month, 2 weeks

3
2
0 0

[PATCH rtw-next v5 1/4] wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait()

by Fedor Pchelkin

There is a bug observed when rtw89_core_tx_kick_off_and_wait() tries to access already freed skb_data: BUG: KFENCE: use-after-free write in rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110 CPU: 6 UID: 0 PID: 41377 Comm: kworker/u64:24 Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS edk2-20250523-14.fc42 05/23/2025 Workqueue: events_unbound cfg80211_wiphy_work [cfg80211] Use-after-free write at 0x0000000020309d9d (in kfence-#251): rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110 rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338 rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979 rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165 rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.h:141 rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012 rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059 rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758 process_one_work kernel/workqueue.c:3241 worker_thread kernel/workqueue.c:3400 kthread kernel/kthread.c:463 ret_from_fork arch/x86/kernel/process.c:154 ret_from_fork_asm arch/x86/entry/entry_64.S:258 kfence-#251: 0x0000000056e2393d-0x000000009943cb62, size=232, cache=skbuff_head_cache allocated by task 41377 on cpu 6 at 77869.159548s (0.009551s ago): __alloc_skb net/core/skbuff.c:659 __netdev_alloc_skb net/core/skbuff.c:734 ieee80211_nullfunc_get net/mac80211/tx.c:5844 rtw89_core_send_nullfunc drivers/net/wireless/realtek/rtw89/core.c:3431 rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338 rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979 rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165 rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.c:3194 rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012 rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059 rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758 process_one_work kernel/workqueue.c:3241 worker_thread kernel/workqueue.c:3400 kthread kernel/kthread.c:463 ret_from_fork arch/x86/kernel/process.c:154 ret_from_fork_asm arch/x86/entry/entry_64.S:258 freed by task 1045 on cpu 9 at 77869.168393s (0.001557s ago): ieee80211_tx_status_skb net/mac80211/status.c:1117 rtw89_pci_release_txwd_skb drivers/net/wireless/realtek/rtw89/pci.c:564 rtw89_pci_release_tx_skbs.isra.0 drivers/net/wireless/realtek/rtw89/pci.c:651 rtw89_pci_release_tx drivers/net/wireless/realtek/rtw89/pci.c:676 rtw89_pci_napi_poll drivers/net/wireless/realtek/rtw89/pci.c:4238 __napi_poll net/core/dev.c:7495 net_rx_action net/core/dev.c:7557 net/core/dev.c:7684 handle_softirqs kernel/softirq.c:580 do_softirq.part.0 kernel/softirq.c:480 __local_bh_enable_ip kernel/softirq.c:407 rtw89_pci_interrupt_threadfn drivers/net/wireless/realtek/rtw89/pci.c:927 irq_thread_fn kernel/irq/manage.c:1133 irq_thread kernel/irq/manage.c:1257 kthread kernel/kthread.c:463 ret_from_fork arch/x86/kernel/process.c:154 ret_from_fork_asm arch/x86/entry/entry_64.S:258 It is a consequence of a race between the waiting and the signaling side of the completion: Waiting thread Completing thread rtw89_core_tx_kick_off_and_wait() rcu_assign_pointer(skb_data->wait, wait) /* start waiting */ wait_for_completion_timeout() rtw89_pci_tx_status() rtw89_core_tx_wait_complete() rcu_read_lock() /* signals completion and * proceeds further */ complete(&wait->completion) rcu_read_unlock() ... /* frees skb_data */ ieee80211_tx_status_ni() /* returns (exit status doesn't matter) */ wait_for_completion_timeout() ... /* accesses the already freed skb_data */ rcu_assign_pointer(skb_data->wait, NULL) The completing side might proceed and free the underlying skb even before the waiting side is fully awoken and run to execution. Actually the race happens regardless of wait_for_completion_timeout() exit status, e.g. the waiting side may hit a timeout and the concurrent completing side is still able to free the skb. Skbs which are sent by rtw89_core_tx_kick_off_and_wait() are owned by the driver. They don't come from core ieee80211 stack so no need to pass them to ieee80211_tx_status_ni() on completing side. Introduce a work function which will act as a garbage collector for rtw89_tx_wait_info objects and the associated skbs. Thus no potentially heavy locks are required on the completing side. Found by Linux Verification Center (linuxtesting.org). Fixes: 1ae5ca615285 ("wifi: rtw89: add function to wait for completion of TX skbs") Cc: stable(a)vger.kernel.org Suggested-by: Zong-Zhe Yang <kevin_yang(a)realtek.com> Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- v5: - use completion_done() and delayed work (Ping-Ke) v4: - fill wait's fields before publishing (Zong-Zhe) - leave dev_kfree_skb_any + kfree_rcu for tx_wait release (Zong-Zhe) v3: - decrease waiting timeout in rtw89_tx_wait_work() (Zong-Zhe) - clear tx_waits list from rtw89_hci_reset(), too (Zong-Zhe) - keep RCU updating for skb_data->wait (Zong-Zhe) - keep the old order of calls in rtw89_pci_tx_status() (Zong-Zhe) - drop wait->finished as complete_all() would make the completion be done permanently v2: - use a work function to manage release of tx_waits and associated skbs (Zong-Zhe) drivers/net/wireless/realtek/rtw89/core.c | 30 +++++++++++++++---- drivers/net/wireless/realtek/rtw89/core.h | 35 +++++++++++++++++++++-- drivers/net/wireless/realtek/rtw89/pci.c | 3 +- drivers/net/wireless/realtek/rtw89/ser.c | 2 ++ 4 files changed, 61 insertions(+), 9 deletions(-) diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c index fe059c4a6b55..ec467ae0e9e6 100644 --- a/drivers/net/wireless/realtek/rtw89/core.c +++ b/drivers/net/wireless/realtek/rtw89/core.c @@ -1135,6 +1135,14 @@ rtw89_core_tx_update_desc_info(struct rtw89_dev *rtwdev, } } +static void rtw89_tx_wait_work(struct wiphy *wiphy, struct wiphy_work *work) +{ + struct rtw89_dev *rtwdev = container_of(work, struct rtw89_dev, + tx_wait_work.work); + + rtw89_tx_wait_list_clear(rtwdev); +} + void rtw89_core_tx_kick_off(struct rtw89_dev *rtwdev, u8 qsel) { u8 ch_dma; @@ -1152,6 +1160,8 @@ int rtw89_core_tx_kick_off_and_wait(struct rtw89_dev *rtwdev, struct sk_buff *sk unsigned long time_left; int ret = 0; + lockdep_assert_wiphy(rtwdev->hw->wiphy); + wait = kzalloc(sizeof(*wait), GFP_KERNEL); if (!wait) { rtw89_core_tx_kick_off(rtwdev, qsel); @@ -1159,18 +1169,23 @@ int rtw89_core_tx_kick_off_and_wait(struct rtw89_dev *rtwdev, struct sk_buff *sk } init_completion(&wait->completion); + wait->skb = skb; rcu_assign_pointer(skb_data->wait, wait); rtw89_core_tx_kick_off(rtwdev, qsel); time_left = wait_for_completion_timeout(&wait->completion, msecs_to_jiffies(timeout)); - if (time_left == 0) - ret = -ETIMEDOUT; - else if (!wait->tx_done) - ret = -EAGAIN; - rcu_assign_pointer(skb_data->wait, NULL); - kfree_rcu(wait, rcu_head); + if (time_left == 0) { + ret = -ETIMEDOUT; + list_add_tail(&wait->list, &rtwdev->tx_waits); + wiphy_delayed_work_queue(rtwdev->hw->wiphy, &rtwdev->tx_wait_work, + RTW89_TX_WAIT_WORK_TIMEOUT); + } else { + if (!wait->tx_done) + ret = -EAGAIN; + rtw89_tx_wait_release(wait); + } return ret; } @@ -5548,6 +5563,7 @@ void rtw89_core_stop(struct rtw89_dev *rtwdev) wiphy_work_cancel(wiphy, &btc->dhcp_notify_work); wiphy_work_cancel(wiphy, &btc->icmp_notify_work); cancel_delayed_work_sync(&rtwdev->txq_reinvoke_work); + wiphy_delayed_work_cancel(wiphy, &rtwdev->tx_wait_work); wiphy_delayed_work_cancel(wiphy, &rtwdev->track_work); wiphy_delayed_work_cancel(wiphy, &rtwdev->track_ps_work); wiphy_delayed_work_cancel(wiphy, &rtwdev->chanctx_work); @@ -5773,6 +5789,7 @@ int rtw89_core_init(struct rtw89_dev *rtwdev) INIT_LIST_HEAD(&rtwdev->scan_info.pkt_list[band]); } INIT_LIST_HEAD(&rtwdev->scan_info.chan_list); + INIT_LIST_HEAD(&rtwdev->tx_waits); INIT_WORK(&rtwdev->ba_work, rtw89_core_ba_work); INIT_WORK(&rtwdev->txq_work, rtw89_core_txq_work); INIT_DELAYED_WORK(&rtwdev->txq_reinvoke_work, rtw89_core_txq_reinvoke_work); @@ -5784,6 +5801,7 @@ int rtw89_core_init(struct rtw89_dev *rtwdev) wiphy_delayed_work_init(&rtwdev->coex_rfk_chk_work, rtw89_coex_rfk_chk_work); wiphy_delayed_work_init(&rtwdev->cfo_track_work, rtw89_phy_cfo_track_work); wiphy_delayed_work_init(&rtwdev->mcc_prepare_done_work, rtw89_mcc_prepare_done_work); + wiphy_delayed_work_init(&rtwdev->tx_wait_work, rtw89_tx_wait_work); INIT_DELAYED_WORK(&rtwdev->forbid_ba_work, rtw89_forbid_ba_work); wiphy_delayed_work_init(&rtwdev->antdiv_work, rtw89_phy_antdiv_work); rtwdev->txq_wq = alloc_workqueue("rtw89_tx_wq", WQ_UNBOUND | WQ_HIGHPRI, 0); diff --git a/drivers/net/wireless/realtek/rtw89/core.h b/drivers/net/wireless/realtek/rtw89/core.h index 3d4ad2ffb75c..d15fa70eb4dc 100644 --- a/drivers/net/wireless/realtek/rtw89/core.h +++ b/drivers/net/wireless/realtek/rtw89/core.h @@ -3507,9 +3507,12 @@ struct rtw89_phy_rate_pattern { bool enable; }; +#define RTW89_TX_WAIT_WORK_TIMEOUT msecs_to_jiffies(500) struct rtw89_tx_wait_info { struct rcu_head rcu_head; + struct list_head list; struct completion completion; + struct sk_buff *skb; bool tx_done; }; @@ -6000,6 +6003,9 @@ struct rtw89_dev { /* used to protect rpwm */ spinlock_t rpwm_lock; + struct list_head tx_waits; + struct wiphy_delayed_work tx_wait_work; + struct rtw89_cam_info cam_info; struct sk_buff_head c2h_queue; @@ -6256,6 +6262,26 @@ rtw89_assoc_link_rcu_dereference(struct rtw89_dev *rtwdev, u8 macid) list_first_entry_or_null(&p->dlink_pool, typeof(*p->links_inst), dlink_schd); \ }) +static inline void rtw89_tx_wait_release(struct rtw89_tx_wait_info *wait) +{ + dev_kfree_skb_any(wait->skb); + kfree_rcu(wait, rcu_head); +} + +static inline void rtw89_tx_wait_list_clear(struct rtw89_dev *rtwdev) +{ + struct rtw89_tx_wait_info *wait, *tmp; + + lockdep_assert_wiphy(rtwdev->hw->wiphy); + + list_for_each_entry_safe(wait, tmp, &rtwdev->tx_waits, list) { + if (!completion_done(&wait->completion)) + continue; + list_del(&wait->list); + rtw89_tx_wait_release(wait); + } +} + static inline int rtw89_hci_tx_write(struct rtw89_dev *rtwdev, struct rtw89_core_tx_request *tx_req) { @@ -6265,6 +6291,7 @@ static inline int rtw89_hci_tx_write(struct rtw89_dev *rtwdev, static inline void rtw89_hci_reset(struct rtw89_dev *rtwdev) { rtwdev->hci.ops->reset(rtwdev); + rtw89_tx_wait_list_clear(rtwdev); } static inline int rtw89_hci_start(struct rtw89_dev *rtwdev) @@ -7345,11 +7372,12 @@ static inline struct sk_buff *rtw89_alloc_skb_for_rx(struct rtw89_dev *rtwdev, return dev_alloc_skb(length); } -static inline void rtw89_core_tx_wait_complete(struct rtw89_dev *rtwdev, +static inline bool rtw89_core_tx_wait_complete(struct rtw89_dev *rtwdev, struct rtw89_tx_skb_data *skb_data, bool tx_done) { struct rtw89_tx_wait_info *wait; + bool ret = false; rcu_read_lock(); @@ -7357,11 +7385,14 @@ static inline void rtw89_core_tx_wait_complete(struct rtw89_dev *rtwdev, if (!wait) goto out; + ret = true; wait->tx_done = tx_done; - complete(&wait->completion); + /* Don't access skb anymore after completion */ + complete_all(&wait->completion); out: rcu_read_unlock(); + return ret; } static inline bool rtw89_is_mlo_1_1(struct rtw89_dev *rtwdev) diff --git a/drivers/net/wireless/realtek/rtw89/pci.c b/drivers/net/wireless/realtek/rtw89/pci.c index c8286eb84276..8dd91d867ea6 100644 --- a/drivers/net/wireless/realtek/rtw89/pci.c +++ b/drivers/net/wireless/realtek/rtw89/pci.c @@ -464,7 +464,8 @@ static void rtw89_pci_tx_status(struct rtw89_dev *rtwdev, struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); struct ieee80211_tx_info *info; - rtw89_core_tx_wait_complete(rtwdev, skb_data, tx_status == RTW89_TX_DONE); + if (rtw89_core_tx_wait_complete(rtwdev, skb_data, tx_status == RTW89_TX_DONE)) + return; info = IEEE80211_SKB_CB(skb); ieee80211_tx_info_clear_status(info); diff --git a/drivers/net/wireless/realtek/rtw89/ser.c b/drivers/net/wireless/realtek/rtw89/ser.c index bb39fdbcba0d..fe7beff8c424 100644 --- a/drivers/net/wireless/realtek/rtw89/ser.c +++ b/drivers/net/wireless/realtek/rtw89/ser.c @@ -502,7 +502,9 @@ static void ser_reset_trx_st_hdl(struct rtw89_ser *ser, u8 evt) } drv_stop_rx(ser); + wiphy_lock(wiphy); drv_trx_reset(ser); + wiphy_unlock(wiphy); /* wait m3 */ hal_send_m2_event(ser); -- 2.51.0

1 month, 2 weeks

2
2
0 0

[PATCH v3] sparc: fix error handling in scan_one_device()

by Ma Ke

Once of_device_register() failed, we should call put_device() to decrement reference count for cleanup. Or it could cause memory leak. So fix this by calling put_device(), then the name can be freed in kobject_cleanup(). Calling path: of_device_register() -> of_device_add() -> device_add(). As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: cf44bbc26cf1 ("[SPARC]: Beginnings of generic of_device framework.") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v3: - also fixed the same problem in arch/sparc/kernel/of_device_32.c as suggestions. Changes in v2: - retained kfree() manually due to the lack of a release callback function. --- arch/sparc/kernel/of_device_32.c | 1 + arch/sparc/kernel/of_device_64.c | 1 + 2 files changed, 2 insertions(+) diff --git a/arch/sparc/kernel/of_device_32.c b/arch/sparc/kernel/of_device_32.c index 06012e68bdca..284a4cafa432 100644 --- a/arch/sparc/kernel/of_device_32.c +++ b/arch/sparc/kernel/of_device_32.c @@ -387,6 +387,7 @@ static struct platform_device * __init scan_one_device(struct device_node *dp, if (of_device_register(op)) { printk("%pOF: Could not register of device.\n", dp); + put_device(&op->dev); kfree(op); op = NULL; } diff --git a/arch/sparc/kernel/of_device_64.c b/arch/sparc/kernel/of_device_64.c index f98c2901f335..f53092b07b9e 100644 --- a/arch/sparc/kernel/of_device_64.c +++ b/arch/sparc/kernel/of_device_64.c @@ -677,6 +677,7 @@ static struct platform_device * __init scan_one_device(struct device_node *dp, if (of_device_register(op)) { printk("%pOF: Could not register of device.\n", dp); + put_device(&op->dev); kfree(op); op = NULL; } -- 2.17.1

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] ksmbd: smbdirect: verify remaining_data_length respects" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x e1868ba37fd27c6a68e31565402b154beaa65df0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092135-estate-gander-564d@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e1868ba37fd27c6a68e31565402b154beaa65df0 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher <metze(a)samba.org> Date: Thu, 11 Sep 2025 10:05:23 +0900 Subject: [PATCH] ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size This is inspired by the check for data_offset + data_length. Cc: Steve French <smfrench(a)gmail.com> Cc: Tom Talpey <tom(a)talpey.com> Cc: linux-cifs(a)vger.kernel.org Cc: samba-technical(a)lists.samba.org Cc: stable(a)vger.kernel.org Fixes: 2ea086e35c3d ("ksmbd: add buffer validation for smb direct") Acked-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Stefan Metzmacher <metze(a)samba.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/transport_rdma.c b/fs/smb/server/transport_rdma.c index d52f37578276..6550bd9f002c 100644 --- a/fs/smb/server/transport_rdma.c +++ b/fs/smb/server/transport_rdma.c @@ -554,7 +554,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) case SMB_DIRECT_MSG_DATA_TRANSFER: { struct smb_direct_data_transfer *data_transfer = (struct smb_direct_data_transfer *)recvmsg->packet; - unsigned int data_offset, data_length; + u32 remaining_data_length, data_offset, data_length; int avail_recvmsg_count, receive_credits; if (wc->byte_len < @@ -564,6 +564,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) return; } + remaining_data_length = le32_to_cpu(data_transfer->remaining_data_length); data_length = le32_to_cpu(data_transfer->data_length); data_offset = le32_to_cpu(data_transfer->data_offset); if (wc->byte_len < data_offset || @@ -572,6 +573,14 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) smb_direct_disconnect_rdma_connection(t); return; } + if (remaining_data_length > t->max_fragmented_recv_size || + data_length > t->max_fragmented_recv_size || + (u64)remaining_data_length + (u64)data_length > + (u64)t->max_fragmented_recv_size) { + put_recvmsg(t, recvmsg); + smb_direct_disconnect_rdma_connection(t); + return; + } if (data_length) { if (t->full_packet_received)

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] mptcp: propagate shutdown to subflows when possible" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x f755be0b1ff429a2ecf709beeb1bcd7abc111c2b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092143-trench-expiring-9a2f@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f755be0b1ff429a2ecf709beeb1bcd7abc111c2b Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Fri, 12 Sep 2025 14:25:50 +0200 Subject: [PATCH] mptcp: propagate shutdown to subflows when possible When the MPTCP DATA FIN have been ACKed, there is no more MPTCP related metadata to exchange, and all subflows can be safely shutdown. Before this patch, the subflows were actually terminated at 'close()' time. That's certainly fine most of the time, but not when the userspace 'shutdown()' a connection, without close()ing it. When doing so, the subflows were staying in LAST_ACK state on one side -- and consequently in FIN_WAIT2 on the other side -- until the 'close()' of the MPTCP socket. Now, when the DATA FIN have been ACKed, all subflows are shutdown. A consequence of this is that the TCP 'FIN' flag can be set earlier now, but the end result is the same. This affects the packetdrill tests looking at the end of the MPTCP connections, but for a good reason. Note that tcp_shutdown() will check the subflow state, so no need to do that again before calling it. Fixes: 3721b9b64676 ("mptcp: Track received DATA_FIN sequence number and add related helpers") Cc: stable(a)vger.kernel.org Fixes: 16a9a9da1723 ("mptcp: Add helper to process acks of DATA_FIN") Reviewed-by: Mat Martineau <martineau(a)kernel.org> Reviewed-by: Geliang Tang <geliang(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20250912-net-mptcp-fix-sft-connect-v1-1-d40e77cbbf… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index e6fd97b21e9e..5e497a83e967 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -371,6 +371,20 @@ static void mptcp_close_wake_up(struct sock *sk) sk_wake_async(sk, SOCK_WAKE_WAITD, POLL_IN); } +static void mptcp_shutdown_subflows(struct mptcp_sock *msk) +{ + struct mptcp_subflow_context *subflow; + + mptcp_for_each_subflow(msk, subflow) { + struct sock *ssk = mptcp_subflow_tcp_sock(subflow); + bool slow; + + slow = lock_sock_fast(ssk); + tcp_shutdown(ssk, SEND_SHUTDOWN); + unlock_sock_fast(ssk, slow); + } +} + /* called under the msk socket lock */ static bool mptcp_pending_data_fin_ack(struct sock *sk) { @@ -395,6 +409,7 @@ static void mptcp_check_data_fin_ack(struct sock *sk) break; case TCP_CLOSING: case TCP_LAST_ACK: + mptcp_shutdown_subflows(msk); mptcp_set_state(sk, TCP_CLOSE); break; } @@ -563,6 +578,7 @@ static bool mptcp_check_data_fin(struct sock *sk) mptcp_set_state(sk, TCP_CLOSING); break; case TCP_FIN_WAIT2: + mptcp_shutdown_subflows(msk); mptcp_set_state(sk, TCP_CLOSE); break; default:

1 month, 2 weeks

2
1
0 0

[PATCH rtw-next v5 2/4] wifi: rtw89: avoid possible TX wait initialization race

by Fedor Pchelkin

The value of skb_data->wait indicates whether skb is passed on to the core mac80211 stack or released by the driver itself. Make sure that by the time skb is added to txwd queue and becomes visible to the completing side, it has already allocated and initialized TX wait related data (in case it's needed). This is found by code review and addresses a possible race scenario described below: Waiting thread Completing thread rtw89_core_send_nullfunc() rtw89_core_tx_write_link() ... rtw89_pci_txwd_submit() skb_data->wait = NULL /* add skb to the queue */ skb_queue_tail(&txwd->queue, skb) /* another thread (e.g. rtw89_ops_tx) performs TX kick off for the same queue */ rtw89_pci_napi_poll() ... rtw89_pci_release_txwd_skb() /* get skb from the queue */ skb_unlink(skb, &txwd->queue) rtw89_pci_tx_status() rtw89_core_tx_wait_complete() /* use incorrect skb_data->wait */ rtw89_core_tx_kick_off_and_wait() /* assign skb_data->wait but too late */ Found by Linux Verification Center (linuxtesting.org). Fixes: 1ae5ca615285 ("wifi: rtw89: add function to wait for completion of TX skbs") Cc: stable(a)vger.kernel.org Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- v5: - update the changelog to reflect that the potential race scenario was found by code review - pass wait as an argument to rtw89_core_tx_kick_off_and_wait() v4: - use wiphy_dereference (Zong-Zhe) - move wait->skb assignment place drivers/net/wireless/realtek/rtw89/core.c | 39 +++++++++++++---------- drivers/net/wireless/realtek/rtw89/core.h | 3 +- drivers/net/wireless/realtek/rtw89/pci.c | 2 -- 3 files changed, 24 insertions(+), 20 deletions(-) diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c index ec467ae0e9e6..1f44c7fc1c5e 100644 --- a/drivers/net/wireless/realtek/rtw89/core.c +++ b/drivers/net/wireless/realtek/rtw89/core.c @@ -1153,25 +1153,14 @@ void rtw89_core_tx_kick_off(struct rtw89_dev *rtwdev, u8 qsel) } int rtw89_core_tx_kick_off_and_wait(struct rtw89_dev *rtwdev, struct sk_buff *skb, - int qsel, unsigned int timeout) + struct rtw89_tx_wait_info *wait, int qsel, + unsigned int timeout) { - struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); - struct rtw89_tx_wait_info *wait; unsigned long time_left; int ret = 0; lockdep_assert_wiphy(rtwdev->hw->wiphy); - wait = kzalloc(sizeof(*wait), GFP_KERNEL); - if (!wait) { - rtw89_core_tx_kick_off(rtwdev, qsel); - return 0; - } - - init_completion(&wait->completion); - wait->skb = skb; - rcu_assign_pointer(skb_data->wait, wait); - rtw89_core_tx_kick_off(rtwdev, qsel); time_left = wait_for_completion_timeout(&wait->completion, msecs_to_jiffies(timeout)); @@ -1234,10 +1223,12 @@ int rtw89_h2c_tx(struct rtw89_dev *rtwdev, static int rtw89_core_tx_write_link(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rtwvif_link, struct rtw89_sta_link *rtwsta_link, - struct sk_buff *skb, int *qsel, bool sw_mld) + struct sk_buff *skb, int *qsel, bool sw_mld, + struct rtw89_tx_wait_info *wait) { struct ieee80211_sta *sta = rtwsta_link_to_sta_safe(rtwsta_link); struct ieee80211_vif *vif = rtwvif_link_to_vif(rtwvif_link); + struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); struct rtw89_vif *rtwvif = rtwvif_link->rtwvif; struct rtw89_core_tx_request tx_req = {}; int ret; @@ -1254,6 +1245,8 @@ static int rtw89_core_tx_write_link(struct rtw89_dev *rtwdev, rtw89_core_tx_update_desc_info(rtwdev, &tx_req); rtw89_core_tx_wake(rtwdev, &tx_req); + rcu_assign_pointer(skb_data->wait, wait); + ret = rtw89_hci_tx_write(rtwdev, &tx_req); if (ret) { rtw89_err(rtwdev, "failed to transmit skb to HCI\n"); @@ -1290,7 +1283,8 @@ int rtw89_core_tx_write(struct rtw89_dev *rtwdev, struct ieee80211_vif *vif, } } - return rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, qsel, false); + return rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, qsel, false, + NULL); } static __le32 rtw89_build_txwd_body0(struct rtw89_tx_desc_info *desc_info) @@ -3928,6 +3922,7 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt struct ieee80211_vif *vif = rtwvif_link_to_vif(rtwvif_link); int link_id = ieee80211_vif_is_mld(vif) ? rtwvif_link->link_id : -1; struct rtw89_sta_link *rtwsta_link; + struct rtw89_tx_wait_info *wait; struct ieee80211_sta *sta; struct ieee80211_hdr *hdr; struct rtw89_sta *rtwsta; @@ -3937,6 +3932,12 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt if (vif->type != NL80211_IFTYPE_STATION || !vif->cfg.assoc) return 0; + wait = kzalloc(sizeof(*wait), GFP_KERNEL); + if (!wait) + return -ENOMEM; + + init_completion(&wait->completion); + rcu_read_lock(); sta = ieee80211_find_sta(vif, vif->cfg.ap_addr); if (!sta) { @@ -3951,6 +3952,8 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt goto out; } + wait->skb = skb; + hdr = (struct ieee80211_hdr *)skb->data; if (ps) hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM); @@ -3961,7 +3964,8 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt goto out; } - ret = rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, &qsel, true); + ret = rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, &qsel, true, + wait); if (ret) { rtw89_warn(rtwdev, "nullfunc transmit failed: %d\n", ret); dev_kfree_skb_any(skb); @@ -3970,10 +3974,11 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt rcu_read_unlock(); - return rtw89_core_tx_kick_off_and_wait(rtwdev, skb, qsel, + return rtw89_core_tx_kick_off_and_wait(rtwdev, skb, wait, qsel, timeout); out: rcu_read_unlock(); + kfree(wait); return ret; } diff --git a/drivers/net/wireless/realtek/rtw89/core.h b/drivers/net/wireless/realtek/rtw89/core.h index d15fa70eb4dc..928c8c84c964 100644 --- a/drivers/net/wireless/realtek/rtw89/core.h +++ b/drivers/net/wireless/realtek/rtw89/core.h @@ -7476,7 +7476,8 @@ int rtw89_h2c_tx(struct rtw89_dev *rtwdev, struct sk_buff *skb, bool fwdl); void rtw89_core_tx_kick_off(struct rtw89_dev *rtwdev, u8 qsel); int rtw89_core_tx_kick_off_and_wait(struct rtw89_dev *rtwdev, struct sk_buff *skb, - int qsel, unsigned int timeout); + struct rtw89_tx_wait_info *wait, int qsel, + unsigned int timeout); void rtw89_core_fill_txdesc(struct rtw89_dev *rtwdev, struct rtw89_tx_desc_info *desc_info, void *txdesc); diff --git a/drivers/net/wireless/realtek/rtw89/pci.c b/drivers/net/wireless/realtek/rtw89/pci.c index 8dd91d867ea6..0ee5f8579447 100644 --- a/drivers/net/wireless/realtek/rtw89/pci.c +++ b/drivers/net/wireless/realtek/rtw89/pci.c @@ -1494,7 +1494,6 @@ static int rtw89_pci_txwd_submit(struct rtw89_dev *rtwdev, struct pci_dev *pdev = rtwpci->pdev; struct sk_buff *skb = tx_req->skb; struct rtw89_pci_tx_data *tx_data = RTW89_PCI_TX_SKB_CB(skb); - struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); bool en_wd_info = desc_info->en_wd_info; u32 txwd_len; u32 txwp_len; @@ -1510,7 +1509,6 @@ static int rtw89_pci_txwd_submit(struct rtw89_dev *rtwdev, } tx_data->dma = dma; - rcu_assign_pointer(skb_data->wait, NULL); txwp_len = sizeof(*txwp_info); txwd_len = chip->txwd_body_size; -- 2.51.0

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] mptcp: propagate shutdown to subflows when possible" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x f755be0b1ff429a2ecf709beeb1bcd7abc111c2b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092143-detonator-snowcap-57d7@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f755be0b1ff429a2ecf709beeb1bcd7abc111c2b Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Fri, 12 Sep 2025 14:25:50 +0200 Subject: [PATCH] mptcp: propagate shutdown to subflows when possible When the MPTCP DATA FIN have been ACKed, there is no more MPTCP related metadata to exchange, and all subflows can be safely shutdown. Before this patch, the subflows were actually terminated at 'close()' time. That's certainly fine most of the time, but not when the userspace 'shutdown()' a connection, without close()ing it. When doing so, the subflows were staying in LAST_ACK state on one side -- and consequently in FIN_WAIT2 on the other side -- until the 'close()' of the MPTCP socket. Now, when the DATA FIN have been ACKed, all subflows are shutdown. A consequence of this is that the TCP 'FIN' flag can be set earlier now, but the end result is the same. This affects the packetdrill tests looking at the end of the MPTCP connections, but for a good reason. Note that tcp_shutdown() will check the subflow state, so no need to do that again before calling it. Fixes: 3721b9b64676 ("mptcp: Track received DATA_FIN sequence number and add related helpers") Cc: stable(a)vger.kernel.org Fixes: 16a9a9da1723 ("mptcp: Add helper to process acks of DATA_FIN") Reviewed-by: Mat Martineau <martineau(a)kernel.org> Reviewed-by: Geliang Tang <geliang(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20250912-net-mptcp-fix-sft-connect-v1-1-d40e77cbbf… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index e6fd97b21e9e..5e497a83e967 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -371,6 +371,20 @@ static void mptcp_close_wake_up(struct sock *sk) sk_wake_async(sk, SOCK_WAKE_WAITD, POLL_IN); } +static void mptcp_shutdown_subflows(struct mptcp_sock *msk) +{ + struct mptcp_subflow_context *subflow; + + mptcp_for_each_subflow(msk, subflow) { + struct sock *ssk = mptcp_subflow_tcp_sock(subflow); + bool slow; + + slow = lock_sock_fast(ssk); + tcp_shutdown(ssk, SEND_SHUTDOWN); + unlock_sock_fast(ssk, slow); + } +} + /* called under the msk socket lock */ static bool mptcp_pending_data_fin_ack(struct sock *sk) { @@ -395,6 +409,7 @@ static void mptcp_check_data_fin_ack(struct sock *sk) break; case TCP_CLOSING: case TCP_LAST_ACK: + mptcp_shutdown_subflows(msk); mptcp_set_state(sk, TCP_CLOSE); break; } @@ -563,6 +578,7 @@ static bool mptcp_check_data_fin(struct sock *sk) mptcp_set_state(sk, TCP_CLOSING); break; case TCP_FIN_WAIT2: + mptcp_shutdown_subflows(msk); mptcp_set_state(sk, TCP_CLOSE); break; default:

1 month, 2 weeks

2
1
0 0

WTF: patch "[PATCH] LoongArch: Replace sprintf() with sysfs_emit()" was seriously submitted to be applied to the 6.16-stable tree?

by gregkh＠linuxfoundation.org

The patch below was submitted to be applied to the 6.16-stable tree. I fail to see how this patch meets the stable kernel rules as found at Documentation/process/stable-kernel-rules.rst. I could be totally wrong, and if so, please respond to <stable(a)vger.kernel.org> and let me know why this patch should be applied. Otherwise, it is now dropped from my patch queues, never to be seen again. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d6d69f0edde63b553345d4efaceb7daed89fe04c Mon Sep 17 00:00:00 2001 From: Tao Cui <cuitao(a)kylinos.cn> Date: Thu, 18 Sep 2025 19:44:04 +0800 Subject: [PATCH] LoongArch: Replace sprintf() with sysfs_emit() As Documentation/filesystems/sysfs.rst suggested, show() should only use sysfs_emit() or sysfs_emit_at() when formatting the value to be returned to user space. No functional change intended. Cc: stable(a)vger.kernel.org Signed-off-by: Tao Cui <cuitao(a)kylinos.cn> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> diff --git a/arch/loongarch/kernel/env.c b/arch/loongarch/kernel/env.c index be309a71f204..23bd5ae2212c 100644 --- a/arch/loongarch/kernel/env.c +++ b/arch/loongarch/kernel/env.c @@ -86,7 +86,7 @@ late_initcall(fdt_cpu_clk_init); static ssize_t boardinfo_show(struct kobject *kobj, struct kobj_attribute *attr, char *buf) { - return sprintf(buf, + return sysfs_emit(buf, "BIOS Information\n" "Vendor\t\t\t: %s\n" "Version\t\t\t: %s\n"

1 month, 2 weeks

3
2
0 0

FAILED: patch "[PATCH] mptcp: propagate shutdown to subflows when possible" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x f755be0b1ff429a2ecf709beeb1bcd7abc111c2b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092142-stingily-broadside-f761@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f755be0b1ff429a2ecf709beeb1bcd7abc111c2b Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Fri, 12 Sep 2025 14:25:50 +0200 Subject: [PATCH] mptcp: propagate shutdown to subflows when possible When the MPTCP DATA FIN have been ACKed, there is no more MPTCP related metadata to exchange, and all subflows can be safely shutdown. Before this patch, the subflows were actually terminated at 'close()' time. That's certainly fine most of the time, but not when the userspace 'shutdown()' a connection, without close()ing it. When doing so, the subflows were staying in LAST_ACK state on one side -- and consequently in FIN_WAIT2 on the other side -- until the 'close()' of the MPTCP socket. Now, when the DATA FIN have been ACKed, all subflows are shutdown. A consequence of this is that the TCP 'FIN' flag can be set earlier now, but the end result is the same. This affects the packetdrill tests looking at the end of the MPTCP connections, but for a good reason. Note that tcp_shutdown() will check the subflow state, so no need to do that again before calling it. Fixes: 3721b9b64676 ("mptcp: Track received DATA_FIN sequence number and add related helpers") Cc: stable(a)vger.kernel.org Fixes: 16a9a9da1723 ("mptcp: Add helper to process acks of DATA_FIN") Reviewed-by: Mat Martineau <martineau(a)kernel.org> Reviewed-by: Geliang Tang <geliang(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20250912-net-mptcp-fix-sft-connect-v1-1-d40e77cbbf… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index e6fd97b21e9e..5e497a83e967 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -371,6 +371,20 @@ static void mptcp_close_wake_up(struct sock *sk) sk_wake_async(sk, SOCK_WAKE_WAITD, POLL_IN); } +static void mptcp_shutdown_subflows(struct mptcp_sock *msk) +{ + struct mptcp_subflow_context *subflow; + + mptcp_for_each_subflow(msk, subflow) { + struct sock *ssk = mptcp_subflow_tcp_sock(subflow); + bool slow; + + slow = lock_sock_fast(ssk); + tcp_shutdown(ssk, SEND_SHUTDOWN); + unlock_sock_fast(ssk, slow); + } +} + /* called under the msk socket lock */ static bool mptcp_pending_data_fin_ack(struct sock *sk) { @@ -395,6 +409,7 @@ static void mptcp_check_data_fin_ack(struct sock *sk) break; case TCP_CLOSING: case TCP_LAST_ACK: + mptcp_shutdown_subflows(msk); mptcp_set_state(sk, TCP_CLOSE); break; } @@ -563,6 +578,7 @@ static bool mptcp_check_data_fin(struct sock *sk) mptcp_set_state(sk, TCP_CLOSING); break; case TCP_FIN_WAIT2: + mptcp_shutdown_subflows(msk); mptcp_set_state(sk, TCP_CLOSE); break; default:

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] selftests: mptcp: connect: catch IO errors on listen side" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 14e22b43df25dbd4301351b882486ea38892ae4f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092157-mullets-tweed-dee4@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 14e22b43df25dbd4301351b882486ea38892ae4f Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Fri, 12 Sep 2025 14:25:51 +0200 Subject: [PATCH] selftests: mptcp: connect: catch IO errors on listen side IO errors were correctly printed to stderr, and propagated up to the main loop for the server side, but the returned value was ignored. As a consequence, the program for the listener side was no longer exiting with an error code in case of IO issues. Because of that, some issues might not have been seen. But very likely, most issues either had an effect on the client side, or the file transfer was not the expected one, e.g. the connection got reset before the end. Still, it is better to fix this. The main consequence of this issue is the error that was reported by the selftests: the received and sent files were different, and the MIB counters were not printed. Also, when such errors happened during the 'disconnect' tests, the program tried to continue until the timeout. Now when an IO error is detected, the program exits directly with an error. Fixes: 05be5e273c84 ("selftests: mptcp: add disconnect tests") Cc: stable(a)vger.kernel.org Reviewed-by: Mat Martineau <martineau(a)kernel.org> Reviewed-by: Geliang Tang <geliang(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20250912-net-mptcp-fix-sft-connect-v1-2-d40e77cbbf… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/tools/testing/selftests/net/mptcp/mptcp_connect.c b/tools/testing/selftests/net/mptcp/mptcp_connect.c index 4f07ac9fa207..1408698df099 100644 --- a/tools/testing/selftests/net/mptcp/mptcp_connect.c +++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c @@ -1093,6 +1093,7 @@ int main_loop_s(int listensock) struct pollfd polls; socklen_t salen; int remotesock; + int err = 0; int fd = 0; again: @@ -1125,7 +1126,7 @@ int main_loop_s(int listensock) SOCK_TEST_TCPULP(remotesock, 0); memset(&winfo, 0, sizeof(winfo)); - copyfd_io(fd, remotesock, 1, true, &winfo); + err = copyfd_io(fd, remotesock, 1, true, &winfo); } else { perror("accept"); return 1; @@ -1134,10 +1135,10 @@ int main_loop_s(int listensock) if (cfg_input) close(fd); - if (--cfg_repeat > 0) + if (!err && --cfg_repeat > 0) goto again; - return 0; + return err; } static void init_rng(void)

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] platform/x86: asus-wmi: Re-add extra keys to ignore_key_wlan" failed to apply to 6.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.16.y git checkout FETCH_HEAD git cherry-pick -x 225d1ee0f5ba3218d1814d36564fdb5f37b50474 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092125-thigh-immerse-6abd@gregkh' --subject-prefix 'PATCH 6.16.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 225d1ee0f5ba3218d1814d36564fdb5f37b50474 Mon Sep 17 00:00:00 2001 From: Antheas Kapenekakis <lkml(a)antheas.dev> Date: Tue, 16 Sep 2025 09:28:18 +0200 Subject: [PATCH] platform/x86: asus-wmi: Re-add extra keys to ignore_key_wlan quirk MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It turns out that the dual screen models use 0x5E for attaching and detaching the keyboard instead of 0x5F. So, re-add the codes by reverting commit cf3940ac737d ("platform/x86: asus-wmi: Remove extra keys from ignore_key_wlan quirk"). For our future reference, add a comment next to 0x5E indicating that it is used for that purpose. Fixes: cf3940ac737d ("platform/x86: asus-wmi: Remove extra keys from ignore_key_wlan quirk") Reported-by: Rahul Chandra <rahul(a)chandra.net> Closes: https://lore.kernel.org/all/10020-68c90c80-d-4ac6c580@106290038/ Cc: stable(a)kernel.org Signed-off-by: Antheas Kapenekakis <lkml(a)antheas.dev> Link: https://patch.msgid.link/20250916072818.196462-1-lkml@antheas.dev Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c index 3a488cf9ca06..6a62bc5b02fd 100644 --- a/drivers/platform/x86/asus-nb-wmi.c +++ b/drivers/platform/x86/asus-nb-wmi.c @@ -673,6 +673,8 @@ static void asus_nb_wmi_key_filter(struct asus_wmi_driver *asus_wmi, int *code, if (atkbd_reports_vol_keys) *code = ASUS_WMI_KEY_IGNORE; break; + case 0x5D: /* Wireless console Toggle */ + case 0x5E: /* Wireless console Enable / Keyboard Attach, Detach */ case 0x5F: /* Wireless console Disable / Special Key */ if (quirks->key_wlan_event) *code = quirks->key_wlan_event;

1 month, 2 weeks

2
2
0 0

FAILED: patch "[PATCH] mptcp: propagate shutdown to subflows when possible" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x f755be0b1ff429a2ecf709beeb1bcd7abc111c2b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092141-slashing-postal-be15@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f755be0b1ff429a2ecf709beeb1bcd7abc111c2b Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Fri, 12 Sep 2025 14:25:50 +0200 Subject: [PATCH] mptcp: propagate shutdown to subflows when possible When the MPTCP DATA FIN have been ACKed, there is no more MPTCP related metadata to exchange, and all subflows can be safely shutdown. Before this patch, the subflows were actually terminated at 'close()' time. That's certainly fine most of the time, but not when the userspace 'shutdown()' a connection, without close()ing it. When doing so, the subflows were staying in LAST_ACK state on one side -- and consequently in FIN_WAIT2 on the other side -- until the 'close()' of the MPTCP socket. Now, when the DATA FIN have been ACKed, all subflows are shutdown. A consequence of this is that the TCP 'FIN' flag can be set earlier now, but the end result is the same. This affects the packetdrill tests looking at the end of the MPTCP connections, but for a good reason. Note that tcp_shutdown() will check the subflow state, so no need to do that again before calling it. Fixes: 3721b9b64676 ("mptcp: Track received DATA_FIN sequence number and add related helpers") Cc: stable(a)vger.kernel.org Fixes: 16a9a9da1723 ("mptcp: Add helper to process acks of DATA_FIN") Reviewed-by: Mat Martineau <martineau(a)kernel.org> Reviewed-by: Geliang Tang <geliang(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20250912-net-mptcp-fix-sft-connect-v1-1-d40e77cbbf… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index e6fd97b21e9e..5e497a83e967 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -371,6 +371,20 @@ static void mptcp_close_wake_up(struct sock *sk) sk_wake_async(sk, SOCK_WAKE_WAITD, POLL_IN); } +static void mptcp_shutdown_subflows(struct mptcp_sock *msk) +{ + struct mptcp_subflow_context *subflow; + + mptcp_for_each_subflow(msk, subflow) { + struct sock *ssk = mptcp_subflow_tcp_sock(subflow); + bool slow; + + slow = lock_sock_fast(ssk); + tcp_shutdown(ssk, SEND_SHUTDOWN); + unlock_sock_fast(ssk, slow); + } +} + /* called under the msk socket lock */ static bool mptcp_pending_data_fin_ack(struct sock *sk) { @@ -395,6 +409,7 @@ static void mptcp_check_data_fin_ack(struct sock *sk) break; case TCP_CLOSING: case TCP_LAST_ACK: + mptcp_shutdown_subflows(msk); mptcp_set_state(sk, TCP_CLOSE); break; } @@ -563,6 +578,7 @@ static bool mptcp_check_data_fin(struct sock *sk) mptcp_set_state(sk, TCP_CLOSING); break; case TCP_FIN_WAIT2: + mptcp_shutdown_subflows(msk); mptcp_set_state(sk, TCP_CLOSE); break; default:

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x d02e48830e3fce9701265f6c5a58d9bdaf906a76 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092122-popper-small-d970@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d02e48830e3fce9701265f6c5a58d9bdaf906a76 Mon Sep 17 00:00:00 2001 From: "Maciej S. Szmigiero" <maciej.szmigiero(a)oracle.com> Date: Mon, 25 Aug 2025 18:44:28 +0200 Subject: [PATCH] KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active Commit 3bbf3565f48c ("svm: Do not intercept CR8 when enable AVIC") inhibited pre-VMRUN sync of TPR from LAPIC into VMCB::V_TPR in sync_lapic_to_cr8() when AVIC is active. AVIC does automatically sync between these two fields, however it does so only on explicit guest writes to one of these fields, not on a bare VMRUN. This meant that when AVIC is enabled host changes to TPR in the LAPIC state might not get automatically copied into the V_TPR field of VMCB. This is especially true when it is the userspace setting LAPIC state via KVM_SET_LAPIC ioctl() since userspace does not have access to the guest VMCB. Practice shows that it is the V_TPR that is actually used by the AVIC to decide whether to issue pending interrupts to the CPU (not TPR in TASKPRI), so any leftover value in V_TPR will cause serious interrupt delivery issues in the guest when AVIC is enabled. Fix this issue by doing pre-VMRUN TPR sync from LAPIC into VMCB::V_TPR even when AVIC is enabled. Fixes: 3bbf3565f48c ("svm: Do not intercept CR8 when enable AVIC") Cc: stable(a)vger.kernel.org Signed-off-by: Maciej S. Szmigiero <maciej.szmigiero(a)oracle.com> Reviewed-by: Naveen N Rao (AMD) <naveen(a)kernel.org> Link: https://lore.kernel.org/r/c231be64280b1461e854e1ce3595d70cde3a2e9d.17561396… [sean: tag for stable@] Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index d9931c6c4bc6..1bfebe40854f 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -4046,8 +4046,7 @@ static inline void sync_lapic_to_cr8(struct kvm_vcpu *vcpu) struct vcpu_svm *svm = to_svm(vcpu); u64 cr8; - if (nested_svm_virtualize_tpr(vcpu) || - kvm_vcpu_apicv_active(vcpu)) + if (nested_svm_virtualize_tpr(vcpu)) return; cr8 = kvm_get_cr8(vcpu);

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] net: rfkill: gpio: Fix crash due to dereferencering" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x b6f56a44e4c1014b08859dcf04ed246500e310e5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092157-imagines-darkroom-e5c5@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b6f56a44e4c1014b08859dcf04ed246500e310e5 Mon Sep 17 00:00:00 2001 From: Hans de Goede <hansg(a)kernel.org> Date: Sat, 13 Sep 2025 13:35:15 +0200 Subject: [PATCH] net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Since commit 7d5e9737efda ("net: rfkill: gpio: get the name and type from device property") rfkill_find_type() gets called with the possibly uninitialized "const char *type_name;" local variable. On x86 systems when rfkill-gpio binds to a "BCM4752" or "LNV4752" acpi_device, the rfkill->type is set based on the ACPI acpi_device_id: rfkill->type = (unsigned)id->driver_data; and there is no "type" property so device_property_read_string() will fail and leave type_name uninitialized, leading to a potential crash. rfkill_find_type() does accept a NULL pointer, fix the potential crash by initializing type_name to NULL. Note likely sofar this has not been caught because: 1. Not many x86 machines actually have a "BCM4752"/"LNV4752" acpi_device 2. The stack happened to contain NULL where type_name is stored Fixes: 7d5e9737efda ("net: rfkill: gpio: get the name and type from device property") Cc: stable(a)vger.kernel.org Cc: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Signed-off-by: Hans de Goede <hansg(a)kernel.org> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://patch.msgid.link/20250913113515.21698-1-hansg@kernel.org Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> diff --git a/net/rfkill/rfkill-gpio.c b/net/rfkill/rfkill-gpio.c index 41e657e97761..cf2dcec6ce5a 100644 --- a/net/rfkill/rfkill-gpio.c +++ b/net/rfkill/rfkill-gpio.c @@ -94,10 +94,10 @@ static const struct dmi_system_id rfkill_gpio_deny_table[] = { static int rfkill_gpio_probe(struct platform_device *pdev) { struct rfkill_gpio_data *rfkill; - struct gpio_desc *gpio; + const char *type_name = NULL; const char *name_property; const char *type_property; - const char *type_name; + struct gpio_desc *gpio; int ret; if (dmi_check_system(rfkill_gpio_deny_table))

1 month, 2 weeks

2
2
0 0

FAILED: patch "[PATCH] net: rfkill: gpio: Fix crash due to dereferencering" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x b6f56a44e4c1014b08859dcf04ed246500e310e5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092156-postal-sappiness-e1ac@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b6f56a44e4c1014b08859dcf04ed246500e310e5 Mon Sep 17 00:00:00 2001 From: Hans de Goede <hansg(a)kernel.org> Date: Sat, 13 Sep 2025 13:35:15 +0200 Subject: [PATCH] net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Since commit 7d5e9737efda ("net: rfkill: gpio: get the name and type from device property") rfkill_find_type() gets called with the possibly uninitialized "const char *type_name;" local variable. On x86 systems when rfkill-gpio binds to a "BCM4752" or "LNV4752" acpi_device, the rfkill->type is set based on the ACPI acpi_device_id: rfkill->type = (unsigned)id->driver_data; and there is no "type" property so device_property_read_string() will fail and leave type_name uninitialized, leading to a potential crash. rfkill_find_type() does accept a NULL pointer, fix the potential crash by initializing type_name to NULL. Note likely sofar this has not been caught because: 1. Not many x86 machines actually have a "BCM4752"/"LNV4752" acpi_device 2. The stack happened to contain NULL where type_name is stored Fixes: 7d5e9737efda ("net: rfkill: gpio: get the name and type from device property") Cc: stable(a)vger.kernel.org Cc: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Signed-off-by: Hans de Goede <hansg(a)kernel.org> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://patch.msgid.link/20250913113515.21698-1-hansg@kernel.org Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> diff --git a/net/rfkill/rfkill-gpio.c b/net/rfkill/rfkill-gpio.c index 41e657e97761..cf2dcec6ce5a 100644 --- a/net/rfkill/rfkill-gpio.c +++ b/net/rfkill/rfkill-gpio.c @@ -94,10 +94,10 @@ static const struct dmi_system_id rfkill_gpio_deny_table[] = { static int rfkill_gpio_probe(struct platform_device *pdev) { struct rfkill_gpio_data *rfkill; - struct gpio_desc *gpio; + const char *type_name = NULL; const char *name_property; const char *type_property; - const char *type_name; + struct gpio_desc *gpio; int ret; if (dmi_check_system(rfkill_gpio_deny_table))

1 month, 2 weeks

2
2
0 0

FAILED: patch "[PATCH] net: rfkill: gpio: Fix crash due to dereferencering" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x b6f56a44e4c1014b08859dcf04ed246500e310e5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092155-familiar-divisible-9535@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b6f56a44e4c1014b08859dcf04ed246500e310e5 Mon Sep 17 00:00:00 2001 From: Hans de Goede <hansg(a)kernel.org> Date: Sat, 13 Sep 2025 13:35:15 +0200 Subject: [PATCH] net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Since commit 7d5e9737efda ("net: rfkill: gpio: get the name and type from device property") rfkill_find_type() gets called with the possibly uninitialized "const char *type_name;" local variable. On x86 systems when rfkill-gpio binds to a "BCM4752" or "LNV4752" acpi_device, the rfkill->type is set based on the ACPI acpi_device_id: rfkill->type = (unsigned)id->driver_data; and there is no "type" property so device_property_read_string() will fail and leave type_name uninitialized, leading to a potential crash. rfkill_find_type() does accept a NULL pointer, fix the potential crash by initializing type_name to NULL. Note likely sofar this has not been caught because: 1. Not many x86 machines actually have a "BCM4752"/"LNV4752" acpi_device 2. The stack happened to contain NULL where type_name is stored Fixes: 7d5e9737efda ("net: rfkill: gpio: get the name and type from device property") Cc: stable(a)vger.kernel.org Cc: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Signed-off-by: Hans de Goede <hansg(a)kernel.org> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://patch.msgid.link/20250913113515.21698-1-hansg@kernel.org Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> diff --git a/net/rfkill/rfkill-gpio.c b/net/rfkill/rfkill-gpio.c index 41e657e97761..cf2dcec6ce5a 100644 --- a/net/rfkill/rfkill-gpio.c +++ b/net/rfkill/rfkill-gpio.c @@ -94,10 +94,10 @@ static const struct dmi_system_id rfkill_gpio_deny_table[] = { static int rfkill_gpio_probe(struct platform_device *pdev) { struct rfkill_gpio_data *rfkill; - struct gpio_desc *gpio; + const char *type_name = NULL; const char *name_property; const char *type_property; - const char *type_name; + struct gpio_desc *gpio; int ret; if (dmi_check_system(rfkill_gpio_deny_table))

1 month, 2 weeks

2
2
0 0

FAILED: patch "[PATCH] net: rfkill: gpio: Fix crash due to dereferencering" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x b6f56a44e4c1014b08859dcf04ed246500e310e5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092155-evacuate-condition-525e@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b6f56a44e4c1014b08859dcf04ed246500e310e5 Mon Sep 17 00:00:00 2001 From: Hans de Goede <hansg(a)kernel.org> Date: Sat, 13 Sep 2025 13:35:15 +0200 Subject: [PATCH] net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Since commit 7d5e9737efda ("net: rfkill: gpio: get the name and type from device property") rfkill_find_type() gets called with the possibly uninitialized "const char *type_name;" local variable. On x86 systems when rfkill-gpio binds to a "BCM4752" or "LNV4752" acpi_device, the rfkill->type is set based on the ACPI acpi_device_id: rfkill->type = (unsigned)id->driver_data; and there is no "type" property so device_property_read_string() will fail and leave type_name uninitialized, leading to a potential crash. rfkill_find_type() does accept a NULL pointer, fix the potential crash by initializing type_name to NULL. Note likely sofar this has not been caught because: 1. Not many x86 machines actually have a "BCM4752"/"LNV4752" acpi_device 2. The stack happened to contain NULL where type_name is stored Fixes: 7d5e9737efda ("net: rfkill: gpio: get the name and type from device property") Cc: stable(a)vger.kernel.org Cc: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Signed-off-by: Hans de Goede <hansg(a)kernel.org> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://patch.msgid.link/20250913113515.21698-1-hansg@kernel.org Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> diff --git a/net/rfkill/rfkill-gpio.c b/net/rfkill/rfkill-gpio.c index 41e657e97761..cf2dcec6ce5a 100644 --- a/net/rfkill/rfkill-gpio.c +++ b/net/rfkill/rfkill-gpio.c @@ -94,10 +94,10 @@ static const struct dmi_system_id rfkill_gpio_deny_table[] = { static int rfkill_gpio_probe(struct platform_device *pdev) { struct rfkill_gpio_data *rfkill; - struct gpio_desc *gpio; + const char *type_name = NULL; const char *name_property; const char *type_property; - const char *type_name; + struct gpio_desc *gpio; int ret; if (dmi_check_system(rfkill_gpio_deny_table))

1 month, 2 weeks

2
2
0 0

FAILED: patch "[PATCH] x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 7f830e126dc357fc086905ce9730140fd4528d66 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092125-resurface-hypertext-5ca5@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7f830e126dc357fc086905ce9730140fd4528d66 Mon Sep 17 00:00:00 2001 From: Tom Lendacky <thomas.lendacky(a)amd.com> Date: Mon, 15 Sep 2025 11:04:12 -0500 Subject: [PATCH] x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT The sev_evict_cache() is guest-related code and should be guarded by CONFIG_AMD_MEM_ENCRYPT, not CONFIG_KVM_AMD_SEV. CONFIG_AMD_MEM_ENCRYPT=y is required for a guest to run properly as an SEV-SNP guest, but a guest kernel built with CONFIG_KVM_AMD_SEV=n would get the stub function of sev_evict_cache() instead of the version that performs the actual eviction. Move the function declarations under the appropriate #ifdef. Fixes: 7b306dfa326f ("x86/sev: Evict cache lines during SNP memory validation") Signed-off-by: Tom Lendacky <thomas.lendacky(a)amd.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Cc: stable(a)kernel.org # 6.16.x Link: https://lore.kernel.org/r/70e38f2c4a549063de54052c9f64929705313526.17577089… diff --git a/arch/x86/include/asm/sev.h b/arch/x86/include/asm/sev.h index 02236962fdb1..465b19fd1a2d 100644 --- a/arch/x86/include/asm/sev.h +++ b/arch/x86/include/asm/sev.h @@ -562,6 +562,24 @@ enum es_result sev_es_ghcb_hv_call(struct ghcb *ghcb, extern struct ghcb *boot_ghcb; +static inline void sev_evict_cache(void *va, int npages) +{ + volatile u8 val __always_unused; + u8 *bytes = va; + int page_idx; + + /* + * For SEV guests, a read from the first/last cache-lines of a 4K page + * using the guest key is sufficient to cause a flush of all cache-lines + * associated with that 4K page without incurring all the overhead of a + * full CLFLUSH sequence. + */ + for (page_idx = 0; page_idx < npages; page_idx++) { + val = bytes[page_idx * PAGE_SIZE]; + val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1]; + } +} + #else /* !CONFIG_AMD_MEM_ENCRYPT */ #define snp_vmpl 0 @@ -605,6 +623,7 @@ static inline int snp_send_guest_request(struct snp_msg_desc *mdesc, static inline int snp_svsm_vtpm_send_command(u8 *buffer) { return -ENODEV; } static inline void __init snp_secure_tsc_prepare(void) { } static inline void __init snp_secure_tsc_init(void) { } +static inline void sev_evict_cache(void *va, int npages) {} #endif /* CONFIG_AMD_MEM_ENCRYPT */ @@ -619,24 +638,6 @@ int rmp_make_shared(u64 pfn, enum pg_level level); void snp_leak_pages(u64 pfn, unsigned int npages); void kdump_sev_callback(void); void snp_fixup_e820_tables(void); - -static inline void sev_evict_cache(void *va, int npages) -{ - volatile u8 val __always_unused; - u8 *bytes = va; - int page_idx; - - /* - * For SEV guests, a read from the first/last cache-lines of a 4K page - * using the guest key is sufficient to cause a flush of all cache-lines - * associated with that 4K page without incurring all the overhead of a - * full CLFLUSH sequence. - */ - for (page_idx = 0; page_idx < npages; page_idx++) { - val = bytes[page_idx * PAGE_SIZE]; - val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1]; - } -} #else static inline bool snp_probe_rmptable_info(void) { return false; } static inline int snp_rmptable_init(void) { return -ENOSYS; } @@ -652,7 +653,6 @@ static inline int rmp_make_shared(u64 pfn, enum pg_level level) { return -ENODEV static inline void snp_leak_pages(u64 pfn, unsigned int npages) {} static inline void kdump_sev_callback(void) { } static inline void snp_fixup_e820_tables(void) {} -static inline void sev_evict_cache(void *va, int npages) {} #endif #endif

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 68f27f7c7708183e7873c585ded2f1b057ac5b97 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092104-booting-overstate-c9cf@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 68f27f7c7708183e7873c585ded2f1b057ac5b97 Mon Sep 17 00:00:00 2001 From: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Date: Thu, 4 Sep 2025 12:18:50 +0200 Subject: [PATCH] ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed If earlier opening of source graph fails (e.g. ADSP rejects due to incorrect audioreach topology), the graph is closed and "dai_data->graph[dai->id]" is assigned NULL. Preparing the DAI for sink graph continues though and next call to q6apm_lpass_dai_prepare() receives dai_data->graph[dai->id]=NULL leading to NULL pointer exception: qcom-apm gprsvc:service:2:1: Error (1) Processing 0x01001002 cmd qcom-apm gprsvc:service:2:1: DSP returned error[1001002] 1 q6apm-lpass-dais 30000000.remoteproc:glink-edge:gpr:service@1:bedais: fail to start APM port 78 q6apm-lpass-dais 30000000.remoteproc:glink-edge:gpr:service@1:bedais: ASoC: error at snd_soc_pcm_dai_prepare on TX_CODEC_DMA_TX_3: -22 Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a8 ... Call trace: q6apm_graph_media_format_pcm+0x48/0x120 (P) q6apm_lpass_dai_prepare+0x110/0x1b4 snd_soc_pcm_dai_prepare+0x74/0x108 __soc_pcm_prepare+0x44/0x160 dpcm_be_dai_prepare+0x124/0x1c0 Fixes: 30ad723b93ad ("ASoC: qdsp6: audioreach: add q6apm lpass dai support") Cc: stable(a)vger.kernel.org Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla(a)oss.qualcomm.com> Message-ID: <20250904101849.121503-2-krzysztof.kozlowski(a)linaro.org> Signed-off-by: Mark Brown <broonie(a)kernel.org> diff --git a/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c b/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c index a0d90462fd6a..20974f10406b 100644 --- a/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c +++ b/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c @@ -213,8 +213,10 @@ static int q6apm_lpass_dai_prepare(struct snd_pcm_substream *substream, struct s return 0; err: - q6apm_graph_close(dai_data->graph[dai->id]); - dai_data->graph[dai->id] = NULL; + if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) { + q6apm_graph_close(dai_data->graph[dai->id]); + dai_data->graph[dai->id] = NULL; + } return rc; }

1 month, 2 weeks

2
3
0 0

FAILED: patch "[PATCH] btrfs: tree-checker: fix the incorrect inode ref size check" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 96fa515e70f3e4b98685ef8cac9d737fc62f10e1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092135-stinky-correct-5051@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 96fa515e70f3e4b98685ef8cac9d737fc62f10e1 Mon Sep 17 00:00:00 2001 From: Qu Wenruo <wqu(a)suse.com> Date: Tue, 16 Sep 2025 07:54:06 +0930 Subject: [PATCH] btrfs: tree-checker: fix the incorrect inode ref size check [BUG] Inside check_inode_ref(), we need to make sure every structure, including the btrfs_inode_extref header, is covered by the item. But our code is incorrectly using "sizeof(iref)", where @iref is just a pointer. This means "sizeof(iref)" will always be "sizeof(void *)", which is much smaller than "sizeof(struct btrfs_inode_extref)". This will allow some bad inode extrefs to sneak in, defeating tree-checker. [FIX] Fix the typo by calling "sizeof(*iref)", which is the same as "sizeof(struct btrfs_inode_extref)", and will be the correct behavior we want. Fixes: 71bf92a9b877 ("btrfs: tree-checker: Add check for INODE_REF") CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: Qu Wenruo <wqu(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c index 0f556f4de3f9..a997c7cc35a2 100644 --- a/fs/btrfs/tree-checker.c +++ b/fs/btrfs/tree-checker.c @@ -1756,10 +1756,10 @@ static int check_inode_ref(struct extent_buffer *leaf, while (ptr < end) { u16 namelen; - if (unlikely(ptr + sizeof(iref) > end)) { + if (unlikely(ptr + sizeof(*iref) > end)) { inode_ref_err(leaf, slot, "inode ref overflow, ptr %lu end %lu inode_ref_size %zu", - ptr, end, sizeof(iref)); + ptr, end, sizeof(*iref)); return -EUCLEAN; }

1 month, 2 weeks

2
1
0 0

[PATCH v2 1/9] btrfs: fix the incorrect @max_bytes value for find_lock_delalloc_range()

by Qu Wenruo

[BUG] With my local branch to enable bs > ps support for btrfs, sometimes I hit the following ASSERT() inside submit_one_sector(): ASSERT(block_start != EXTENT_MAP_HOLE); Please note that it's not yet possible to hit this ASSERT() in the wild yet, as it requires btrfs bs > ps support, which is not even in the development branch. But on the other hand, there is also a very low chance to hit above ASSERT() with bs < ps cases, so this is an existing bug affect not only the incoming bs > ps support but also the existing bs < ps support. [CAUSE] Firstly that ASSERT() means we're trying to submit a dirty block but without a real extent map nor ordered extent map backing it. Furthermore with extra debugging, the folio triggering such ASSERT() is always larger than the fs block size in my bs > ps case. (8K block size, 4K page size) After some more debugging, the ASSERT() is trigger by the following sequence: extent_writepage() | We got a 32K folio (4 fs blocks) at file offset 0, and the fs block | size is 8K, page size is 4K. | And there is another 8K folio at file offset 32K, which is also | dirty. | So the filemap layout looks like the following: | | "||" is the filio boundary in the filemap. | "//| is the dirty range. | | 0 8K 16K 24K 32K 40K | |////////| |//////////////////////||////////| | |- writepage_delalloc() | |- find_lock_delalloc_range() for [0, 8K) | | Now range [0, 8K) is properly locked. | | | |- find_lock_delalloc_range() for [16K, 40K) | | |- btrfs_find_delalloc_range() returned range [0, 8K) | | |- lock_delalloc_folios() succeeded. | | | | | | The filemap range [32K, 40K) got dropped from filemap. | | | | | |- lock_delalloc_folios() failed with -EAGAIN. | | | As it failed to lock the folio at [32K, 40K). | | | | | |- loops = 1; | | |- max_bytes = PAGE_SIZE; | | |- goto again; | | | This will re-do the lookup for dirty delalloc ranges. | | | | | |- btrfs_find_delalloc_range() called with @max_bytes == 4K | | | This is smaller than block size, so | | | btrfs_find_delalloc_range() is unable to return any range. | | \- return false; | | | \- Now only range [0, 8K) has an OE for it, but for dirty range | [16K, 32K) it's dirty without an OE. | This breaks the assumption that writepage_delalloc() will find | and lock all dirty ranges inside the folio. | |- extent_writepage_io() |- submit_one_sector() for [0, 8K) | Succeeded | |- submit_one_sector() for [16K, 24K) Triggering the ASSERT(), as there is no OE, and the original extent map is a hole. Please note that, this also exposed the same problem for bs < ps support. E.g. with 64K page size and 4K block size. If we failed to lock a folio, and falls back into the "loops = 1;" branch, we will re-do the search using 64K as max_bytes. Which may fail again to lock the next folio, and exit early without handling all dirty blocks inside the folio. [FIX] Instead of using the fixed size PAGE_SIZE as @max_bytes, use @sectorsize, so that we are ensured to find and lock any remaining blocks inside the folio. And since we're here, add an extra ASSERT() to before calling btrfs_find_delalloc_range() to make sure the @max_bytes is at least no smaller than a block to avoid false negative. Cc: stable(a)vger.kernel.org #5.15+ Signed-off-by: Qu Wenruo <wqu(a)suse.com> --- fs/btrfs/extent_io.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c index ca7174fa0240..2fd82055a779 100644 --- a/fs/btrfs/extent_io.c +++ b/fs/btrfs/extent_io.c @@ -393,6 +393,13 @@ noinline_for_stack bool find_lock_delalloc_range(struct inode *inode, /* step one, find a bunch of delalloc bytes starting at start */ delalloc_start = *start; delalloc_end = 0; + + /* + * If @max_bytes is smaller than a block, btrfs_find_delalloc_range() can + * return early without handling any dirty ranges. + */ + ASSERT(max_bytes >= fs_info->sectorsize); + found = btrfs_find_delalloc_range(tree, &delalloc_start, &delalloc_end, max_bytes, &cached_state); if (!found || delalloc_end <= *start || delalloc_start > orig_end) { @@ -423,13 +430,14 @@ noinline_for_stack bool find_lock_delalloc_range(struct inode *inode, delalloc_end); ASSERT(!ret || ret == -EAGAIN); if (ret == -EAGAIN) { - /* some of the folios are gone, lets avoid looping by - * shortening the size of the delalloc range we're searching + /* + * Some of the folios are gone, lets avoid looping by + * shortening the size of the delalloc range we're searching. */ btrfs_free_extent_state(cached_state); cached_state = NULL; if (!loops) { - max_bytes = PAGE_SIZE; + max_bytes = fs_info->sectorsize; loops = 1; goto again; } else { -- 2.50.1

1 month, 2 weeks

1
1
0 0

[merged mm-stable] mm-damon-lru_sort-use-param_ctx-for-damon_attrs-staging.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/lru_sort: use param_ctx for damon_attrs staging has been removed from the -mm tree. Its filename was mm-damon-lru_sort-use-param_ctx-for-damon_attrs-staging.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/lru_sort: use param_ctx for damon_attrs staging Date: Mon, 15 Sep 2025 20:15:49 -0700 damon_lru_sort_apply_parameters() allocates a new DAMON context, stages user-specified DAMON parameters on it, and commits to running DAMON context at once, using damon_commit_ctx(). The code is, however, directly updating the monitoring attributes of the running context. And the attributes are over-written by later damon_commit_ctx() call. This means that the monitoring attributes parameters are not really working. Fix the wrong use of the parameter context. Link: https://lkml.kernel.org/r/20250916031549.115326-1-sj@kernel.org Fixes: a30969436428 ("mm/damon/lru_sort: use damon_commit_ctx()") Signed-off-by: SeongJae Park <sj(a)kernel.org> Reviewed-by: Joshua Hahn <joshua.hahnjy(a)gmail.com> Cc: Joshua Hahn <joshua.hahnjy(a)gmail.com> Cc: <stable(a)vger.kernel.org> [6.11+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/lru_sort.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/damon/lru_sort.c~mm-damon-lru_sort-use-param_ctx-for-damon_attrs-staging +++ a/mm/damon/lru_sort.c @@ -219,7 +219,7 @@ static int damon_lru_sort_apply_paramete goto out; } - err = damon_set_attrs(ctx, &damon_lru_sort_mon_attrs); + err = damon_set_attrs(param_ctx, &damon_lru_sort_mon_attrs); if (err) goto out; _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-sysfs-set-damon_ctx-min_sz_region-only-for-paddr-use-case.patch

1 month, 2 weeks

1
0
0 0

[PATCH] rtc: pcf2127: fix SPI command byte for PCF2131 backport

by Bruno Thomsen

When commit fa78e9b606a472495ef5b6b3d8b45c37f7727f9d upstream was backported to LTS branches linux-6.12.y and linux-6.6.y, the SPI regmap config fix got applied to the I2C regmap config. Most likely due to a new RTC get/set parm feature introduced in 6.14 causing regmap config sections in the buttom of the driver to move. LTS branch linux-6.1.y and earlier does not have PCF2131 device support. Issue can be seen in buttom of this diff in stable/linux.git tree: git diff master..linux-6.12.y -- drivers/rtc/rtc-pcf2127.c Fixes: ee61aec8529e ("rtc: pcf2127: fix SPI command byte for PCF2131") Fixes: 5cdd1f73401d ("rtc: pcf2127: fix SPI command byte for PCF2131") Cc: stable(a)vger.kernel.org Cc: Alexandre Belloni <alexandre.belloni(a)bootlin.com> Cc: Elena Popa <elena.popa(a)nxp.com> Cc: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> Signed-off-by: Bruno Thomsen <bruno.thomsen(a)gmail.com> --- drivers/rtc/rtc-pcf2127.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/rtc/rtc-pcf2127.c b/drivers/rtc/rtc-pcf2127.c index fc079b9dcf71..502571f0c203 100644 --- a/drivers/rtc/rtc-pcf2127.c +++ b/drivers/rtc/rtc-pcf2127.c @@ -1383,11 +1383,6 @@ static int pcf2127_i2c_probe(struct i2c_client *client) variant = &pcf21xx_cfg[type]; } - if (variant->type == PCF2131) { - config.read_flag_mask = 0x0; - config.write_flag_mask = 0x0; - } - config.max_register = variant->max_register, regmap = devm_regmap_init(&client->dev, &pcf2127_i2c_regmap, @@ -1461,6 +1456,11 @@ static int pcf2127_spi_probe(struct spi_device *spi) variant = &pcf21xx_cfg[type]; } + if (variant->type == PCF2131) { + config.read_flag_mask = 0x0; + config.write_flag_mask = 0x0; + } + config.max_register = variant->max_register; regmap = devm_regmap_init_spi(spi, &config); base-commit: 880e4ff5d6c8dc6b660f163a0e9b68b898cc6310 -- 2.50.1

1 month, 2 weeks

3
3
0 0

[PATCH 0/7 5.10.y] Cherry pick of minmax.h commits from 5.15.y

by Eliav Farber

This series backports seven commits from v5.15.y that update minmax.h and related code: - ed6e37e30826 ("tracing: Define the is_signed_type() macro once") - 998f03984e25 ("minmax: sanity check constant bounds when clamping") - d470787b25e6 ("minmax: clamp more efficiently by avoiding extra comparison") - 1c2ee5bc9f11 ("minmax: fix header inclusions") - d53b5d862acd ("minmax: allow min()/max()/clamp() if the arguments have the same signedness.") - 7ed91c5560df ("minmax: allow comparisons of 'int' against 'unsigned char/short'") - 22f7794ef5a3 ("minmax: relax check to allow comparison between unsigned arguments and signed constants") The main motivation is commit d53b5d862acd, which removes the strict type check in min()/max() when both arguments have the same signedness. Without this, kernel 5.10 builds can emit warnings that become build failures when -Werror is used. Additionally, commit ed6e37e30826 from tracing is required as a dependency; without it, compilation fails. Andy Shevchenko (1): minmax: fix header inclusions Bart Van Assche (1): tracing: Define the is_signed_type() macro once David Laight (3): minmax: allow min()/max()/clamp() if the arguments have the same signedness. minmax: allow comparisons of 'int' against 'unsigned char/short' minmax: relax check to allow comparison between unsigned arguments and signed constants Jason A. Donenfeld (2): minmax: sanity check constant bounds when clamping minmax: clamp more efficiently by avoiding extra comparison include/linux/compiler.h | 6 +++ include/linux/minmax.h | 89 ++++++++++++++++++++++++++---------- include/linux/overflow.h | 1 - include/linux/trace_events.h | 2 - 4 files changed, 70 insertions(+), 28 deletions(-) -- 2.47.3

1 month, 2 weeks

4
9
0 0

[PATCH 6.1 000/198] 6.1.132-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.132 release. There are 198 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 27 Mar 2025 12:21:27 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.132-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.132-rc1 Acs, Jakub <acsjakub(a)amazon.de> block, bfq: fix re-introduced UAF in bic_set_bfqq() Zi Yan <ziy(a)nvidia.com> mm/migrate: fix shmem xarray update during migration Benjamin Berg <benjamin.berg(a)intel.com> wifi: iwlwifi: mvm: ensure offloading TID queue exists Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Change new sparse cluster processing Vitaly Prosyak <vitaly.prosyak(a)amd.com> drm/amdgpu: fix use-after-free bug Justin Klaassen <justin(a)tidylabs.net> arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S Yunfei Dong <yunfei.dong(a)mediatek.com> media: mediatek: vcodec: Fix VP8 stateless decoder smatch warning Jason-JH.Lin <jason-jh.lin(a)mediatek.com> drm/mediatek: Fix coverity issue with unintentional integer overflow Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> netfilter: nft_counter: Use u64_stats_t for statistic. Arthur Mongodin <amongodin(a)randorisec.fr> mptcp: Fix data stream corruption in the address announcement Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Use HW lock mgr for PSR1 when only one eDP Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix incorrect validation for num_aces field of smb_acl David Rosca <david.rosca(a)amd.com> drm/amdgpu: Fix JPEG video caps max size for navi1x and raven Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() Saranya R <quic_sarar(a)quicinc.com> soc: qcom: pdr: Fix the potential deadlock Sven Eckelmann <sven(a)narfation.org> batman-adv: Ignore own maximum aggregation size during RX Gavrilov Ilia <Ilia.Gavrilov(a)infotecs.ru> xsk: fix an integer overflow in xp_create_and_assign_umem() Ard Biesheuvel <ardb(a)kernel.org> efi/libstub: Avoid physical address 0x0 when doing random allocation Geert Uytterhoeven <geert+renesas(a)glider.be> ARM: shmobile: smp: Enforce shmobile_smp_* alignment Shakeel Butt <shakeel.butt(a)linux.dev> memcg: drain obj stock on cpu hotplug teardown Ye Bin <yebin10(a)huawei.com> proc: fix UAF in proc_get_inode() Gu Bowen <gubowen5(a)huawei.com> mmc: atmel-mci: Add missing clk_disable_unprepare() Kamal Dasu <kamal.dasu(a)broadcom.com> mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops Dragan Simic <dsimic(a)manjaro.org> arm64: dts: rockchip: Add missing PCIe supplies to RockPro64 board dtsi Stefan Eichenberger <stefan.eichenberger(a)toradex.com> arm64: dts: freescale: imx8mm-verdin-dahlia: add Microphone Jack to sound card Christian Eggers <ceggers(a)arri.de> regulator: check that dummy regulator has been probed before using it Maíra Canal <mcanal(a)igalia.com> drm/v3d: Don't run jobs that have errors flagged in its fence Haibo Chen <haibo.chen(a)nxp.com> can: flexcan: disable transceiver during system PM Haibo Chen <haibo.chen(a)nxp.com> can: flexcan: only change CAN state when link up in system PM Biju Das <biju.das.jz(a)bp.renesas.com> can: rcar_canfd: Fix page entries in the AFL list Andreas Kemnade <andreas(a)kemnade.info> i2c: omap: fix IRQ storms Guillaume Nault <gnault(a)redhat.com> Revert "gre: Fix IPv6 link-local address generation." Lin Ma <linma(a)zju.edu.cn> net/neighbor: add missing policy for NDTPA_QUEUE_LENBYTES Justin Iurman <justin.iurman(a)uliege.be> net: lwtunnel: fix recursion loops Dan Carpenter <dan.carpenter(a)linaro.org> net: atm: fix use after free in lec_send() Kuniyuki Iwashima <kuniyu(a)amazon.com> ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create(). Kuniyuki Iwashima <kuniyu(a)amazon.com> ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw(). Dan Carpenter <dan.carpenter(a)linaro.org> Bluetooth: Fix error code in chan_alloc_skb_cb() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix wrong value of max_sge_rd Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix a missing rollback in error path of hns_roce_create_qp_common() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix unmatched condition in error path of alloc_user_qp_db() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix soft lockup during bt pages loop Saravanan Vajravel <saravanan.vajravel(a)broadcom.com> RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path Phil Elwell <phil(a)raspberrypi.com> ARM: dts: bcm2711: Don't mark timer regs unconfigured Arnd Bergmann <arnd(a)arndb.de> ARM: OMAP1: select CONFIG_GENERIC_IRQ_CHIP Kashyap Desai <kashyap.desai(a)broadcom.com> RDMA/bnxt_re: Add missing paranthesis in map_qp_id_to_tbl_indx Phil Elwell <phil(a)raspberrypi.com> ARM: dts: bcm2711: PL011 UARTs are actually r1p5 Peng Fan <peng.fan(a)nxp.com> soc: imx8m: Unregister cpufreq and soc dev in cleanup path Marek Vasut <marex(a)denx.de> soc: imx8m: Use devm_* to simplify probe failure handling Marek Vasut <marex(a)denx.de> soc: imx8m: Remove global soc_uid Cosmin Ratiu <cratiu(a)nvidia.com> xfrm_output: Force software GSO only in tunnel mode Alexander Stein <alexander.stein(a)ew.tq-group.com> arm64: dts: freescale: tqma8mpql: Fix vqmmc-supply Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> firmware: imx-scu: fix OF node leak in .probe() Paulo Alcantara <pc(a)manguebit.com> smb: client: fix potential UAF in cifs_dump_full_key() Maurizio Lombardi <mlombard(a)redhat.com> nvme-tcp: Fix a C2HTermReq error message Alex Henrie <alexhenrie24(a)gmail.com> HID: apple: disable Fn key handling on the Omoton KB066 Henrique Carvalho <henrique.carvalho(a)suse.com> smb: client: Fix match_session bug preventing session reuse Steve French <stfrench(a)microsoft.com> smb3: add support for IAKerb Zhenhua Huang <quic_zhenhuah(a)quicinc.com> arm64: mm: Populate vmemmap at the page level if not section aligned Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: sis630: Fix an error handling path in sis630_probe() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: ali15x3: Fix an error handling path in ali15x3_probe() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: ali1535: Fix an error handling path in ali1535_probe() Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing closetimeo mount option Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing actimeo mount option Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing acdirmax mount option Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing acregmax mount option Tamir Duberstein <tamird(a)gmail.com> scripts: generate_rust_analyzer: add missing macros deps Martin Rodriguez Reboredo <yakoyoku(a)gmail.com> scripts: generate_rust_analyzer: provide `cfg`s for `core` and `alloc` Vinay Varma <varmavinaym(a)gmail.com> scripts: `make rust-analyzer` for out-of-tree modules Asahi Lina <lina(a)asahilina.net> scripts: generate_rust_analyzer: Handle sub-modules with no Makefile Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe() Ivan Abramov <i.abramov(a)mt-integration.ru> drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data() Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: ops: Consistently treat platform_max as control value George Stark <gnstark(a)salutedevices.com> leds: mlxreg: Use devm_mutex_init() for mutex initialization Xueming Feng <kuro(a)kuroa.me> tcp: fix forever orphan socket caused by tcp_abort Eric Dumazet <edumazet(a)google.com> tcp: fix races in tcp_abort() Andrii Nakryiko <andrii(a)kernel.org> lib/buildid: Handle memfd_secret() files in build_id_parse() Matthew Maurer <mmaurer(a)google.com> rust: Disallow BTF generation with Rust + LTO Haoxiang Li <haoxiang_li2024(a)163.com> qlcnic: fix memory leak issues in qlcnic_sriov_common.c Thomas Mizrahi <thomasmizra(a)gmail.com> ASoC: amd: yc: Support mic on another Lenovo ThinkPad E16 Gen 2 model Varada Pavani <v.pavani(a)samsung.com> clk: samsung: update PLL locktime for PLL142XX used on FSD platform Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Fix slab-use-after-free on hdcp_work Alex Hung <alex.hung(a)amd.com> drm/amd/display: Assign normalized_pix_clk when color depth = 14 Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Restore correct backlight brightness after a GPU reset Imre Deak <imre.deak(a)intel.com> drm/dp_mst: Fix locking when skipping CSN before topology probing Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/atomic: Filter out redundant DPMS calls Florent Revest <revest(a)chromium.org> x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Johan Hovold <johan(a)kernel.org> USB: serial: option: match on interface class for Telit FN990B Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: fix Telit Cinterion FE990A name Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion FE990B compositions Boon Khai Ng <boon.khai.ng(a)intel.com> USB: serial: ftdi_sio: add support for Altera USB Blaster 3 Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - swap old quirk combination with new quirk for more devices Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - swap old quirk combination with new quirk for several devices Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - add required quirks for missing old boardnames Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - swap old quirk combination with new quirk for NHxxRZQ Darrick J. Wong <djwong(a)kernel.org> xfs: remove conditional building of rt geometry validator functions Andrey Albershteyn <aalbersh(a)redhat.com> xfs: reset XFS_ATTR_INCOMPLETE filter on node removal Zhang Tianci <zhangtianci.1997(a)bytedance.com> xfs: update dir3 leaf block metadata after swap Jiachen Zhang <zhangjiachen.jaycee(a)bytedance.com> xfs: ensure logflagsp is initialized in xfs_bmap_del_extent_real Long Li <leo.lilong(a)huawei.com> xfs: fix perag leak when growfs fails Long Li <leo.lilong(a)huawei.com> xfs: add lock protection when remove perag from radix tree Dave Chinner <dchinner(a)redhat.com> xfs: initialise di_crc in xfs_log_dinode Darrick J. Wong <djwong(a)kernel.org> xfs: force all buffers to be written during btree bulk load Darrick J. Wong <djwong(a)kernel.org> xfs: recompute growfsrtfree transaction reservation while growing rt volume Darrick J. Wong <djwong(a)kernel.org> xfs: remove unused fields from struct xbtree_ifakeroot Darrick J. Wong <djwong(a)kernel.org> xfs: don't allow overly small or large realtime volumes Darrick J. Wong <djwong(a)kernel.org> xfs: fix 32-bit truncation in xfs_compute_rextslog Darrick J. Wong <djwong(a)kernel.org> xfs: make rextslog computation consistent with mkfs Darrick J. Wong <djwong(a)kernel.org> xfs: don't leak recovered attri intent items Christoph Hellwig <hch(a)lst.de> xfs: consider minlen sized extents in xfs_rtallocate_extent_block Darrick J. Wong <djwong(a)kernel.org> xfs: convert rt bitmap extent lengths to xfs_rtbxlen_t Darrick J. Wong <djwong(a)kernel.org> xfs: move the xfs_rtbitmap.c declarations to xfs_rtbitmap.h Darrick J. Wong <djwong(a)kernel.org> xfs: reserve less log space when recovering log intent items Dave Chinner <dchinner(a)redhat.com> xfs: use deferred frees for btree block freeing Dave Chinner <dchinner(a)redhat.com> xfs: fix bounds check in xfs_defer_agfl_block() Dave Chinner <dchinner(a)redhat.com> xfs: validate block number being freed before adding to xefi Darrick J. Wong <djwong(a)kernel.org> xfs: pass per-ag references to xfs_free_extent Darrick J. Wong <djwong(a)kernel.org> xfs: pass the xfs_bmbt_irec directly through the log intent code Darrick J. Wong <djwong(a)kernel.org> xfs: fix confusing xfs_extent_item variable names Darrick J. Wong <djwong(a)kernel.org> xfs: pass xfs_extent_free_item directly through the log intent code Darrick J. Wong <djwong(a)kernel.org> xfs: pass refcount intent directly through the log intent code Pavel Begunkov <asml.silence(a)gmail.com> io_uring: fix corner case forgetting to vunmap Jens Axboe <axboe(a)kernel.dk> io_uring: don't attempt to mmap larger than what the user asks for Jens Axboe <axboe(a)kernel.dk> io_uring: get rid of remap_pfn_range() for mapping rings/sqes Jens Axboe <axboe(a)kernel.dk> mm: add nommu variant of vm_insert_pages() Jens Axboe <axboe(a)kernel.dk> io_uring: add ring freeing helper Jens Axboe <axboe(a)kernel.dk> io_uring: return error pointer from io_mem_alloc() Ming Lei <ming.lei(a)redhat.com> block: fix 'kmem_cache of name 'bio-108' already exists' Thomas Zimmermann <tzimmermann(a)suse.de> drm/nouveau: Do not override forced connector status Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: safety check before fallback Arnd Bergmann <arnd(a)arndb.de> x86/irq: Define trace events conditionally Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel: Use better start period for frequency mode Miklos Szeredi <mszeredi(a)redhat.com> fuse: don't truncate cached, mutated symlink Hector Martin <marcan(a)marcan.st> ASoC: tas2764: Set the SDOUT polarity correctly Hector Martin <marcan(a)marcan.st> ASoC: tas2764: Fix power control mask Hector Martin <marcan(a)marcan.st> ASoC: tas2770: Fix volume scale Daniel Wagner <wagi(a)kernel.org> nvme: only allow entering LIVE from CONNECTING state Yu-Chun Lin <eleanor15x(a)gmail.com> sctp: Fix undefined behavior in left shift operation Ruozhu Li <david.li(a)jaguarmicro.com> nvmet-rdma: recheck queue state is LIVE in state lock in recv done Maurizio Lombardi <mlombard(a)redhat.com> nvme-tcp: add basic support for the C2HTermReq PDU Christopher Lentocha <christopherericlentocha(a)gmail.com> nvme-pci: quirk Acer FA100 for non-uniqueue identifiers Stephan Gerhold <stephan.gerhold(a)linaro.org> net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors Terry Cheong <htcheong(a)chromium.org> ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module Vitaly Rodionov <vitalyr(a)opensource.cirrus.com> ASoC: arizona/madera: use fsleep() in up/down DAPM event delays. Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: rsnd: adjust convert rate limitation Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: rsnd: don't indicate warning on rsnd_kctrl_accept_runtime() Edson Juliano Drosdeck <edson.drosdeck(a)gmail.com> ALSA: hda/realtek: Limit mic boost on Positivo ARN50 Jan Beulich <jbeulich(a)suse.com> Xen/swiotlb: mark xen_swiotlb_fixup() __init Daniel Lezcano <daniel.lezcano(a)linaro.org> thermal/cpufreq_cooling: Remove structure member documentation Peter Oberparleiter <oberpar(a)linux.ibm.com> s390/cio: Fix CHPID "configure" attribute caching Mark Pearson <mpearson-lenovo(a)squebb.ca> platform/x86: thinkpad_acpi: Support for V9 DYTC platform profiles Sybil Isabel Dorsett <sybdorsett(a)proton.me> platform/x86: thinkpad_acpi: Fix invalid fan speed on ThinkPad X120e Jann Horn <jannh(a)google.com> sched: Clarify wake_up_q()'s write to task->wake_q.next Alex Henrie <alexhenrie24(a)gmail.com> HID: apple: fix up the F6 key on the Omoton KB066 keyboard Ievgen Vovk <YevgenVovk(a)ukr.net> HID: hid-apple: Apple Magic Keyboard a3203 USB-C support Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: ignore non-functional sensor in HP 5MP Camera Zhang Lixu <lixu.zhang(a)intel.com> HID: intel-ish-hid: Send clock sync message immediately after reset Zhang Lixu <lixu.zhang(a)intel.com> HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell Brahmajit Das <brahmajit.xyz(a)gmail.com> vboxsf: fix building with GCC 15 Eric W. Biederman <ebiederm(a)xmission.com> alpha/elf: Fix misc/setarch test of util-linux by removing 32bit support Paulo Alcantara <pc(a)manguebit.com> smb: client: fix noisy when tree connecting to DFS interlink targets Gannon Kolding <gannon.kolding(a)gmail.com> ACPI: resource: IRQ override for Eluktronics MECH-17 Magnus Lindholm <linmag7(a)gmail.com> scsi: qla1280: Fix kernel oops when debug level > 2 Rik van Riel <riel(a)surriel.com> scsi: core: Use GFP_NOIO to avoid circular locking dependency Chengen Du <chengen.du(a)canonical.com> iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> powercap: call put_device() on an error path in powercap_register_control_type() Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> hrtimers: Mark is_migration_base() with __always_inline Daniel Wagner <wagi(a)kernel.org> nvme-fc: go straight to connecting state when initializing Carolina Jubran <cjubran(a)nvidia.com> net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices Jianbo Liu <jianbol(a)nvidia.com> net/mlx5: Bridge, fix the crash caused by LAG state check Ilya Maximets <i.maximets(a)ovn.org> net: openvswitch: remove misbehaving actions length check Guillaume Nault <gnault(a)redhat.com> gre: Fix IPv6 link-local address generation. Alexey Kashavkin <akashavkin(a)gmail.com> netfilter: nft_exthdr: fix offset with ipv4_find_option() Cong Wang <xiyou.wangcong(a)gmail.com> net_sched: Prevent creation of classes with TC_H_ROOT Dan Carpenter <dan.carpenter(a)linaro.org> ipvs: prevent integer overflow in do_ip_vs_get_ctl() Kohei Enju <enjuk(a)amazon.com> netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() Hangbin Liu <liuhangbin(a)gmail.com> bonding: fix incorrect MAC address setting to receive NS messages Amit Cohen <amcohen(a)nvidia.com> net: switchdev: Convert blocking notification chain to a raw one Taehee Yoo <ap420073(a)gmail.com> eth: bnxt: do not update checksum in bnxt_xdp_build_skb() Wentao Liang <vulab(a)iscas.ac.cn> net/mlx5: handle errors in mlx5_chains_create_table() Michael Kelley <mhklinux(a)outlook.com> Drivers: hv: vmbus: Don't release fb_mmio resource in vmbus_free_mmio() Michael Kelley <mhklinux(a)outlook.com> drm/hyperv: Fix address space leak when Hyper-V DRM device is removed Breno Leitao <leitao(a)debian.org> netpoll: hold rcu read lock in __netpoll_send_skb() Matt Johnston <matt(a)codeconstruct.com.au> net: mctp i2c: Copy headers if cloned Joseph Huang <Joseph.Huang(a)garmin.com> net: dsa: mv88e6xxx: Verify after ATU Load ops Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Revert "Bluetooth: hci_core: Fix sleeping function called from invalid context" Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix enabling passive scanning Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: cfg80211: cancel wiphy_work before freeing wiphy Jun Yang <juny24602(a)gmail.com> sched: address a potential NULL pointer dereference in the GRED scheduler. Nicklas Bo Jensen <njensen(a)akamai.com> netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around Grzegorz Nitka <grzegorz.nitka(a)intel.com> ice: fix memory leak in aRFS after reset Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template. Artur Weber <aweber.kernel(a)gmail.com> pinctrl: bcm281xx: Fix incorrect regmap max_registers value Michael Kelley <mhklinux(a)outlook.com> fbdev: hyperv_fb: iounmap() the correct memory when removing a device Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Fix shift-out-of-bounds in ntfs_fill_super Felix Moessbauer <felix.moessbauer(a)siemens.com> hrtimer: Use and report correct timerslack values for realtime tasks Oleg Nesterov <oleg(a)redhat.com> sched/isolation: Prevent boot crash when the boot CPU is nohz_full David Woodhouse <dwmw(a)amazon.co.uk> clockevents/drivers/i8253: Fix stop sequence for timer 0 ------------- Diffstat: Documentation/timers/no_hz.rst | 7 +- Makefile | 15 +- arch/alpha/include/asm/elf.h | 6 +- arch/alpha/include/asm/pgtable.h | 2 +- arch/alpha/include/asm/processor.h | 8 +- arch/alpha/kernel/osf_sys.c | 11 +- arch/arm/boot/dts/bcm2711.dtsi | 11 +- arch/arm/mach-omap1/Kconfig | 1 + arch/arm/mach-shmobile/headsmp.S | 1 + .../boot/dts/freescale/imx8mm-verdin-dahlia.dtsi | 6 +- .../arm64/boot/dts/freescale/imx8mp-tqma8mpql.dtsi | 16 +- arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dts | 2 +- arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi | 2 + arch/arm64/mm/mmu.c | 5 +- arch/x86/events/intel/core.c | 85 ++++++++++ arch/x86/kernel/cpu/microcode/amd.c | 2 +- arch/x86/kernel/cpu/mshyperv.c | 11 -- arch/x86/kernel/irq.c | 2 + block/bfq-cgroup.c | 2 +- block/bio.c | 2 +- drivers/acpi/resource.c | 6 + drivers/clk/samsung/clk-pll.c | 7 +- drivers/clocksource/i8253.c | 36 +++-- drivers/firmware/efi/libstub/randomalloc.c | 4 + drivers/firmware/imx/imx-scu.c | 1 + drivers/firmware/iscsi_ibft.c | 5 +- drivers/gpu/drm/amd/amdgpu/amdgpu_mn.c | 20 ++- drivers/gpu/drm/amd/amdgpu/nv.c | 2 +- drivers/gpu/drm/amd/amdgpu/soc15.c | 2 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 10 ++ .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c | 1 + drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 7 +- .../gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c | 12 ++ drivers/gpu/drm/display/drm_dp_mst_topology.c | 40 +++-- drivers/gpu/drm/drm_atomic_uapi.c | 4 + drivers/gpu/drm/drm_connector.c | 4 + drivers/gpu/drm/gma500/mid_bios.c | 5 + drivers/gpu/drm/hyperv/hyperv_drm_drv.c | 2 + drivers/gpu/drm/mediatek/mtk_drm_gem.c | 9 +- drivers/gpu/drm/mediatek/mtk_drm_plane.c | 13 +- drivers/gpu/drm/nouveau/nouveau_connector.c | 1 - drivers/gpu/drm/radeon/radeon_vce.c | 2 +- drivers/gpu/drm/v3d/v3d_sched.c | 9 +- drivers/hid/hid-apple.c | 13 +- drivers/hid/hid-ids.h | 2 + drivers/hid/hid-quirks.c | 1 + drivers/hid/intel-ish-hid/ipc/ipc.c | 15 +- drivers/hid/intel-ish-hid/ishtp/ishtp-dev.h | 2 + drivers/hv/vmbus_drv.c | 13 ++ drivers/i2c/busses/i2c-ali1535.c | 12 +- drivers/i2c/busses/i2c-ali15x3.c | 12 +- drivers/i2c/busses/i2c-omap.c | 26 +-- drivers/i2c/busses/i2c-sis630.c | 12 +- drivers/infiniband/hw/bnxt_re/qplib_fp.c | 2 - drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 3 +- drivers/infiniband/hw/hns/hns_roce_hem.c | 16 +- drivers/infiniband/hw/hns/hns_roce_main.c | 2 +- drivers/infiniband/hw/hns/hns_roce_qp.c | 10 +- drivers/input/serio/i8042-acpipnpio.h | 111 +++++++------ drivers/leds/leds-mlxreg.c | 16 +- .../mediatek/vcodec/vdec/vdec_vp8_req_if.c | 10 +- drivers/mmc/host/atmel-mci.c | 4 +- drivers/mmc/host/sdhci-brcmstb.c | 10 ++ drivers/net/bonding/bond_options.c | 55 ++++++- drivers/net/can/flexcan/flexcan-core.c | 18 ++- drivers/net/can/rcar/rcar_canfd.c | 28 ++-- drivers/net/dsa/mv88e6xxx/chip.c | 59 +++++-- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 +- drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 11 +- drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.h | 3 +- drivers/net/ethernet/intel/ice/ice_arfs.c | 2 +- .../ethernet/mellanox/mlx5/core/en/rep/bridge.c | 12 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 6 +- .../ethernet/mellanox/mlx5/core/lib/fs_chains.c | 5 + .../ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 8 +- drivers/net/mctp/mctp-i2c.c | 5 + drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 9 +- drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 28 ++++ drivers/net/wireless/intel/iwlwifi/mvm/sta.h | 3 +- drivers/net/wwan/mhi_wwan_mbim.c | 2 +- drivers/nvme/host/core.c | 2 - drivers/nvme/host/fc.c | 3 +- drivers/nvme/host/pci.c | 2 + drivers/nvme/host/tcp.c | 43 +++++ drivers/nvme/target/rdma.c | 33 ++-- drivers/pinctrl/bcm/pinctrl-bcm281xx.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 50 ++++-- drivers/powercap/powercap_sys.c | 3 +- drivers/regulator/core.c | 12 +- drivers/s390/cio/chp.c | 3 +- drivers/scsi/qla1280.c | 2 +- drivers/scsi/scsi_scan.c | 2 +- drivers/soc/imx/soc-imx8m.c | 151 ++++++++---------- drivers/soc/qcom/pdr_interface.c | 8 +- drivers/thermal/cpufreq_cooling.c | 2 - drivers/usb/serial/ftdi_sio.c | 14 ++ drivers/usb/serial/ftdi_sio_ids.h | 13 ++ drivers/usb/serial/option.c | 48 ++++-- drivers/video/fbdev/hyperv_fb.c | 2 +- drivers/xen/swiotlb-xen.c | 2 +- fs/fuse/dir.c | 2 +- fs/namei.c | 24 ++- fs/ntfs3/attrib.c | 176 ++++++++++++++------- fs/ntfs3/file.c | 151 ++++-------------- fs/ntfs3/frecord.c | 2 +- fs/ntfs3/index.c | 4 +- fs/ntfs3/inode.c | 12 +- fs/ntfs3/ntfs_fs.h | 9 +- fs/ntfs3/super.c | 68 +++++--- fs/proc/base.c | 9 +- fs/proc/generic.c | 10 +- fs/proc/inode.c | 6 +- fs/proc/internal.h | 14 ++ fs/select.c | 11 +- fs/smb/client/asn1.c | 2 + fs/smb/client/cifs_spnego.c | 4 +- fs/smb/client/cifsglob.h | 4 + fs/smb/client/connect.c | 16 +- fs/smb/client/fs_context.c | 14 +- fs/smb/client/ioctl.c | 6 +- fs/smb/client/sess.c | 3 +- fs/smb/client/smb2pdu.c | 4 +- fs/smb/server/smbacl.c | 5 +- fs/vboxsf/super.c | 3 +- fs/xfs/libxfs/xfs_ag.c | 45 ++++-- fs/xfs/libxfs/xfs_ag.h | 3 + fs/xfs/libxfs/xfs_alloc.c | 70 ++++---- fs/xfs/libxfs/xfs_alloc.h | 20 ++- fs/xfs/libxfs/xfs_attr.c | 6 +- fs/xfs/libxfs/xfs_bmap.c | 121 +++++++------- fs/xfs/libxfs/xfs_bmap.h | 5 +- fs/xfs/libxfs/xfs_bmap_btree.c | 8 +- fs/xfs/libxfs/xfs_btree_staging.c | 4 +- fs/xfs/libxfs/xfs_btree_staging.h | 6 - fs/xfs/libxfs/xfs_da_btree.c | 7 + fs/xfs/libxfs/xfs_format.h | 2 +- fs/xfs/libxfs/xfs_ialloc.c | 24 ++- fs/xfs/libxfs/xfs_ialloc_btree.c | 6 +- fs/xfs/libxfs/xfs_log_recover.h | 22 +++ fs/xfs/libxfs/xfs_refcount.c | 116 +++++++------- fs/xfs/libxfs/xfs_refcount.h | 4 +- fs/xfs/libxfs/xfs_refcount_btree.c | 9 +- fs/xfs/libxfs/xfs_rtbitmap.c | 2 + fs/xfs/libxfs/xfs_rtbitmap.h | 83 ++++++++++ fs/xfs/libxfs/xfs_sb.c | 20 ++- fs/xfs/libxfs/xfs_sb.h | 2 + fs/xfs/libxfs/xfs_types.h | 13 ++ fs/xfs/scrub/repair.c | 3 +- fs/xfs/scrub/rtbitmap.c | 3 +- fs/xfs/xfs_attr_item.c | 16 +- fs/xfs/xfs_bmap_item.c | 85 ++++------ fs/xfs/xfs_buf.c | 44 +++++- fs/xfs/xfs_buf.h | 1 + fs/xfs/xfs_extfree_item.c | 108 +++++++------ fs/xfs/xfs_fsmap.c | 2 +- fs/xfs/xfs_fsops.c | 5 +- fs/xfs/xfs_inode_item.c | 3 + fs/xfs/xfs_refcount_item.c | 68 ++++---- fs/xfs/xfs_reflink.c | 7 +- fs/xfs/xfs_rmap_item.c | 6 +- fs/xfs/xfs_rtalloc.c | 14 +- fs/xfs/xfs_rtalloc.h | 73 --------- fs/xfs/xfs_trace.h | 15 +- include/linux/fs.h | 2 + include/linux/i8253.h | 1 - include/linux/io_uring_types.h | 5 + include/linux/nvme-tcp.h | 2 + include/linux/proc_fs.h | 7 +- include/net/bluetooth/hci_core.h | 108 +++++-------- include/sound/soc.h | 5 +- include/uapi/linux/io_uring.h | 1 + init/Kconfig | 2 +- io_uring/io_uring.c | 163 ++++++++++++++++--- io_uring/io_uring.h | 2 + kernel/sched/core.c | 13 +- kernel/sys.c | 2 + kernel/time/hrtimer.c | 40 ++--- lib/buildid.c | 5 + mm/memcontrol.c | 9 ++ mm/migrate.c | 16 +- mm/nommu.c | 7 + net/atm/lec.c | 3 +- net/batman-adv/bat_iv_ogm.c | 3 +- net/batman-adv/bat_v_ogm.c | 3 +- net/bluetooth/6lowpan.c | 7 +- net/bluetooth/hci_core.c | 10 +- net/bluetooth/hci_event.c | 37 +++-- net/bluetooth/iso.c | 6 - net/bluetooth/l2cap_core.c | 12 +- net/bluetooth/rfcomm/core.c | 6 - net/bluetooth/sco.c | 12 +- net/core/lwtunnel.c | 65 ++++++-- net/core/neighbour.c | 1 + net/core/netpoll.c | 9 +- net/ipv4/tcp.c | 19 ++- net/ipv6/route.c | 5 +- net/mptcp/options.c | 6 +- net/mptcp/protocol.h | 2 + net/netfilter/ipvs/ip_vs_ctl.c | 8 +- net/netfilter/nf_conncount.c | 6 +- net/netfilter/nft_counter.c | 90 +++++------ net/netfilter/nft_ct.c | 6 +- net/netfilter/nft_exthdr.c | 10 +- net/openvswitch/flow_netlink.c | 15 +- net/sched/sch_api.c | 6 + net/sched/sch_gred.c | 3 +- net/sctp/stream.c | 2 +- net/switchdev/switchdev.c | 25 ++- net/wireless/core.c | 7 + net/xdp/xsk_buff_pool.c | 2 +- net/xfrm/xfrm_output.c | 2 +- rust/Makefile | 7 +- scripts/generate_rust_analyzer.py | 64 ++++++-- sound/pci/hda/patch_realtek.c | 1 + sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/codecs/arizona.c | 14 +- sound/soc/codecs/madera.c | 10 +- sound/soc/codecs/tas2764.c | 10 +- sound/soc/codecs/tas2764.h | 8 +- sound/soc/codecs/tas2770.c | 2 +- sound/soc/codecs/wm0010.c | 13 +- sound/soc/codecs/wm5110.c | 8 +- sound/soc/sh/rcar/core.c | 14 -- sound/soc/sh/rcar/rsnd.h | 1 - sound/soc/sh/rcar/src.c | 116 +++++++++++--- sound/soc/soc-ops.c | 15 +- sound/soc/sof/intel/hda-codec.c | 1 + 227 files changed, 2513 insertions(+), 1511 deletions(-)

1 month, 2 weeks

12
213
0 0

[PATCH 6.6.y 0/2] mptcp: fix recent failed backports (20250919)

by Matthieu Baerts (NGI0)

The following patches could not be applied without conflicts in this tree: - 2293c57484ae ("mptcp: pm: nl: announce deny-join-id0 flag") - 24733e193a0d ("selftests: mptcp: userspace pm: validate deny-join-id0 flag") Conflicts have been resolved, and documented in each patch. Matthieu Baerts (NGI0) (2): mptcp: pm: nl: announce deny-join-id0 flag selftests: mptcp: userspace pm: validate deny-join-id0 flag include/uapi/linux/mptcp.h | 6 ++++-- net/mptcp/pm_netlink.c | 7 +++++++ tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 7 +++++++ tools/testing/selftests/net/mptcp/userspace_pm.sh | 14 +++++++++++--- 4 files changed, 29 insertions(+), 5 deletions(-) -- 2.51.0

1 month, 2 weeks

2
3
0 0

FAILED: patch "[PATCH] platform/x86: asus-wmi: Re-add extra keys to ignore_key_wlan" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 225d1ee0f5ba3218d1814d36564fdb5f37b50474 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092126-upstream-favorite-2f89@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 225d1ee0f5ba3218d1814d36564fdb5f37b50474 Mon Sep 17 00:00:00 2001 From: Antheas Kapenekakis <lkml(a)antheas.dev> Date: Tue, 16 Sep 2025 09:28:18 +0200 Subject: [PATCH] platform/x86: asus-wmi: Re-add extra keys to ignore_key_wlan quirk MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It turns out that the dual screen models use 0x5E for attaching and detaching the keyboard instead of 0x5F. So, re-add the codes by reverting commit cf3940ac737d ("platform/x86: asus-wmi: Remove extra keys from ignore_key_wlan quirk"). For our future reference, add a comment next to 0x5E indicating that it is used for that purpose. Fixes: cf3940ac737d ("platform/x86: asus-wmi: Remove extra keys from ignore_key_wlan quirk") Reported-by: Rahul Chandra <rahul(a)chandra.net> Closes: https://lore.kernel.org/all/10020-68c90c80-d-4ac6c580@106290038/ Cc: stable(a)kernel.org Signed-off-by: Antheas Kapenekakis <lkml(a)antheas.dev> Link: https://patch.msgid.link/20250916072818.196462-1-lkml@antheas.dev Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c index 3a488cf9ca06..6a62bc5b02fd 100644 --- a/drivers/platform/x86/asus-nb-wmi.c +++ b/drivers/platform/x86/asus-nb-wmi.c @@ -673,6 +673,8 @@ static void asus_nb_wmi_key_filter(struct asus_wmi_driver *asus_wmi, int *code, if (atkbd_reports_vol_keys) *code = ASUS_WMI_KEY_IGNORE; break; + case 0x5D: /* Wireless console Toggle */ + case 0x5E: /* Wireless console Enable / Keyboard Attach, Detach */ case 0x5F: /* Wireless console Disable / Special Key */ if (quirks->key_wlan_event) *code = quirks->key_wlan_event;

1 month, 2 weeks

3
4
0 0

FAILED: patch "[PATCH] iommu/amd/pgtbl: Fix possible race while increase page table" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 1e56310b40fd2e7e0b9493da9ff488af145bdd0c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092102-unbutton-entire-9371@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1e56310b40fd2e7e0b9493da9ff488af145bdd0c Mon Sep 17 00:00:00 2001 From: Vasant Hegde <vasant.hegde(a)amd.com> Date: Sat, 13 Sep 2025 06:26:57 +0000 Subject: [PATCH] iommu/amd/pgtbl: Fix possible race while increase page table level The AMD IOMMU host page table implementation supports dynamic page table levels (up to 6 levels), starting with a 3-level configuration that expands based on IOVA address. The kernel maintains a root pointer and current page table level to enable proper page table walks in alloc_pte()/fetch_pte() operations. The IOMMU IOVA allocator initially starts with 32-bit address and onces its exhuasted it switches to 64-bit address (max address is determined based on IOMMU and device DMA capability). To support larger IOVA, AMD IOMMU driver increases page table level. But in unmap path (iommu_v1_unmap_pages()), fetch_pte() reads pgtable->[root/mode] without lock. So its possible that in exteme corner case, when increase_address_space() is updating pgtable->[root/mode], fetch_pte() reads wrong page table level (pgtable->mode). It does compare the value with level encoded in page table and returns NULL. This will result is iommu_unmap ops to fail and upper layer may retry/log WARN_ON. CPU 0 CPU 1 ------ ------ map pages unmap pages alloc_pte() -> increase_address_space() iommu_v1_unmap_pages() -> fetch_pte() pgtable->root = pte (new root value) READ pgtable->[mode/root] Reads new root, old mode Updates mode (pgtable->mode += 1) Since Page table level updates are infrequent and already synchronized with a spinlock, implement seqcount to enable lock-free read operations on the read path. Fixes: 754265bcab7 ("iommu/amd: Fix race in increase_address_space()") Reported-by: Alejandro Jimenez <alejandro.j.jimenez(a)oracle.com> Cc: stable(a)vger.kernel.org Cc: Joao Martins <joao.m.martins(a)oracle.com> Cc: Suravee Suthikulpanit <suravee.suthikulpanit(a)amd.com> Signed-off-by: Vasant Hegde <vasant.hegde(a)amd.com> Signed-off-by: Joerg Roedel <joerg.roedel(a)amd.com> diff --git a/drivers/iommu/amd/amd_iommu_types.h b/drivers/iommu/amd/amd_iommu_types.h index 5219d7ddfdaa..95f63c5f6159 100644 --- a/drivers/iommu/amd/amd_iommu_types.h +++ b/drivers/iommu/amd/amd_iommu_types.h @@ -555,6 +555,7 @@ struct gcr3_tbl_info { }; struct amd_io_pgtable { + seqcount_t seqcount; /* Protects root/mode update */ struct io_pgtable pgtbl; int mode; u64 *root; diff --git a/drivers/iommu/amd/io_pgtable.c b/drivers/iommu/amd/io_pgtable.c index a91e71f981ef..70c2f5b1631b 100644 --- a/drivers/iommu/amd/io_pgtable.c +++ b/drivers/iommu/amd/io_pgtable.c @@ -17,6 +17,7 @@ #include <linux/slab.h> #include <linux/types.h> #include <linux/dma-mapping.h> +#include <linux/seqlock.h> #include <asm/barrier.h> @@ -130,8 +131,11 @@ static bool increase_address_space(struct amd_io_pgtable *pgtable, *pte = PM_LEVEL_PDE(pgtable->mode, iommu_virt_to_phys(pgtable->root)); + write_seqcount_begin(&pgtable->seqcount); pgtable->root = pte; pgtable->mode += 1; + write_seqcount_end(&pgtable->seqcount); + amd_iommu_update_and_flush_device_table(domain); pte = NULL; @@ -153,6 +157,7 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, { unsigned long last_addr = address + (page_size - 1); struct io_pgtable_cfg *cfg = &pgtable->pgtbl.cfg; + unsigned int seqcount; int level, end_lvl; u64 *pte, *page; @@ -170,8 +175,14 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, } - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + + address = PAGE_SIZE_ALIGN(address, page_size); end_lvl = PAGE_SIZE_LEVEL(page_size); @@ -249,6 +260,7 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, unsigned long *page_size) { int level; + unsigned int seqcount; u64 *pte; *page_size = 0; @@ -256,8 +268,12 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, if (address > PM_LEVEL_SIZE(pgtable->mode)) return NULL; - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + *page_size = PTE_LEVEL_PAGE_SIZE(level); while (level > 0) { @@ -541,6 +557,7 @@ static struct io_pgtable *v1_alloc_pgtable(struct io_pgtable_cfg *cfg, void *coo if (!pgtable->root) return NULL; pgtable->mode = PAGE_MODE_3_LEVEL; + seqcount_init(&pgtable->seqcount); cfg->pgsize_bitmap = amd_iommu_pgsize_bitmap; cfg->ias = IOMMU_IN_ADDR_BIT_SIZE;

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] ksmbd: smbdirect: validate data_offset and data_length field" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 5282491fc49d5614ac6ddcd012e5743eecb6a67c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092118-portside-cheesy-44d2@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5282491fc49d5614ac6ddcd012e5743eecb6a67c Mon Sep 17 00:00:00 2001 From: Namjae Jeon <linkinjeon(a)kernel.org> Date: Wed, 10 Sep 2025 11:22:52 +0900 Subject: [PATCH] ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer If data_offset and data_length of smb_direct_data_transfer struct are invalid, out of bounds issue could happen. This patch validate data_offset and data_length field in recv_done. Cc: stable(a)vger.kernel.org Fixes: 2ea086e35c3d ("ksmbd: add buffer validation for smb direct") Reviewed-by: Stefan Metzmacher <metze(a)samba.org> Reported-by: Luigino Camastra, Aisle Research <luigino.camastra(a)aisle.com> Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/transport_rdma.c b/fs/smb/server/transport_rdma.c index cc4322bfa1d6..d52f37578276 100644 --- a/fs/smb/server/transport_rdma.c +++ b/fs/smb/server/transport_rdma.c @@ -554,7 +554,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) case SMB_DIRECT_MSG_DATA_TRANSFER: { struct smb_direct_data_transfer *data_transfer = (struct smb_direct_data_transfer *)recvmsg->packet; - unsigned int data_length; + unsigned int data_offset, data_length; int avail_recvmsg_count, receive_credits; if (wc->byte_len < @@ -565,14 +565,15 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) } data_length = le32_to_cpu(data_transfer->data_length); - if (data_length) { - if (wc->byte_len < sizeof(struct smb_direct_data_transfer) + - (u64)data_length) { - put_recvmsg(t, recvmsg); - smb_direct_disconnect_rdma_connection(t); - return; - } + data_offset = le32_to_cpu(data_transfer->data_offset); + if (wc->byte_len < data_offset || + wc->byte_len < (u64)data_offset + data_length) { + put_recvmsg(t, recvmsg); + smb_direct_disconnect_rdma_connection(t); + return; + } + if (data_length) { if (t->full_packet_received) recvmsg->first_segment = true;

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] mm/gup: check ref_count instead of lru before migration" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 98c6d259319ecf6e8d027abd3f14b81324b8c0ad # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092158-payee-omega-5893@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 98c6d259319ecf6e8d027abd3f14b81324b8c0ad Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Mon, 8 Sep 2025 15:15:03 -0700 Subject: [PATCH] mm/gup: check ref_count instead of lru before migration Patch series "mm: better GUP pin lru_add_drain_all()", v2. Series of lru_add_drain_all()-related patches, arising from recent mm/gup migration report from Will Deacon. This patch (of 5): Will Deacon reports:- When taking a longterm GUP pin via pin_user_pages(), __gup_longterm_locked() tries to migrate target folios that should not be longterm pinned, for example because they reside in a CMA region or movable zone. This is done by first pinning all of the target folios anyway, collecting all of the longterm-unpinnable target folios into a list, dropping the pins that were just taken and finally handing the list off to migrate_pages() for the actual migration. It is critically important that no unexpected references are held on the folios being migrated, otherwise the migration will fail and pin_user_pages() will return -ENOMEM to its caller. Unfortunately, it is relatively easy to observe migration failures when running pKVM (which uses pin_user_pages() on crosvm's virtual address space to resolve stage-2 page faults from the guest) on a 6.15-based Pixel 6 device and this results in the VM terminating prematurely. In the failure case, 'crosvm' has called mlock(MLOCK_ONFAULT) on its mapping of guest memory prior to the pinning. Subsequently, when pin_user_pages() walks the page-table, the relevant 'pte' is not present and so the faulting logic allocates a new folio, mlocks it with mlock_folio() and maps it in the page-table. Since commit 2fbb0c10d1e8 ("mm/munlock: mlock_page() munlock_page() batch by pagevec"), mlock/munlock operations on a folio (formerly page), are deferred. For example, mlock_folio() takes an additional reference on the target folio before placing it into a per-cpu 'folio_batch' for later processing by mlock_folio_batch(), which drops the refcount once the operation is complete. Processing of the batches is coupled with the LRU batch logic and can be forcefully drained with lru_add_drain_all() but as long as a folio remains unprocessed on the batch, its refcount will be elevated. This deferred batching therefore interacts poorly with the pKVM pinning scenario as we can find ourselves in a situation where the migration code fails to migrate a folio due to the elevated refcount from the pending mlock operation. Hugh Dickins adds:- !folio_test_lru() has never been a very reliable way to tell if an lru_add_drain_all() is worth calling, to remove LRU cache references to make the folio migratable: the LRU flag may be set even while the folio is held with an extra reference in a per-CPU LRU cache. 5.18 commit 2fbb0c10d1e8 may have made it more unreliable. Then 6.11 commit 33dfe9204f29 ("mm/gup: clear the LRU flag of a page before adding to LRU batch") tried to make it reliable, by moving LRU flag clearing; but missed the mlock/munlock batches, so still unreliable as reported. And it turns out to be difficult to extend 33dfe9204f29's LRU flag clearing to the mlock/munlock batches: if they do benefit from batching, mlock/munlock cannot be so effective when easily suppressed while !LRU. Instead, switch to an expected ref_count check, which was more reliable all along: some more false positives (unhelpful drains) than before, and never a guarantee that the folio will prove migratable, but better. Note on PG_private_2: ceph and nfs are still using the deprecated PG_private_2 flag, with the aid of netfs and filemap support functions. Although it is consistently matched by an increment of folio ref_count, folio_expected_ref_count() intentionally does not recognize it, and ceph folio migration currently depends on that for PG_private_2 folios to be rejected. New references to the deprecated flag are discouraged, so do not add it into the collect_longterm_unpinnable_folios() calculation: but longterm pinning of transiently PG_private_2 ceph and nfs folios (an uncommon case) may invoke a redundant lru_add_drain_all(). And this makes easy the backport to earlier releases: up to and including 6.12, btrfs also used PG_private_2, but without a ref_count increment. Note for stable backports: requires 6.16 commit 86ebd50224c0 ("mm: add folio_expected_ref_count() for reference count calculation"). Link: https://lkml.kernel.org/r/41395944-b0e3-c3ac-d648-8ddd70451d28@google.com Link: https://lkml.kernel.org/r/bd1f314a-fca1-8f19-cac0-b936c9614557@google.com Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: Hugh Dickins <hughd(a)google.com> Reported-by: Will Deacon <will(a)kernel.org> Closes: https://lore.kernel.org/linux-mm/20250815101858.24352-1-will@kernel.org/ Acked-by: Kiryl Shutsemau <kas(a)kernel.org> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/gup.c b/mm/gup.c index adffe663594d..82aec6443c0a 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2307,7 +2307,8 @@ static unsigned long collect_longterm_unpinnable_folios( continue; } - if (!folio_test_lru(folio) && drain_allow) { + if (drain_allow && folio_ref_count(folio) != + folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); drain_allow = false; }

1 month, 2 weeks

2
2
0 0

FAILED: patch "[PATCH] samples/damon/mtier: avoid starting DAMON before" failed to apply to 6.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.16.y git checkout FETCH_HEAD git cherry-pick -x c62cff40481c037307a13becbda795f7afdcfebd # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092116-ceramics-stratus-5d18@gregkh' --subject-prefix 'PATCH 6.16.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c62cff40481c037307a13becbda795f7afdcfebd Mon Sep 17 00:00:00 2001 From: SeongJae Park <sj(a)kernel.org> Date: Mon, 8 Sep 2025 19:22:38 -0700 Subject: [PATCH] samples/damon/mtier: avoid starting DAMON before initialization Commit 964314344eab ("samples/damon/mtier: support boot time enable setup") is somehow incompletely applying the origin patch [1]. It is missing the part that avoids starting DAMON before module initialization. Probably a mistake during a merge has happened. Fix it by applying the missed part again. Link: https://lkml.kernel.org/r/20250909022238.2989-4-sj@kernel.org Link: https://lore.kernel.org/20250706193207.39810-4-sj@kernel.org [1] Fixes: 964314344eab ("samples/damon/mtier: support boot time enable setup") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/samples/damon/mtier.c b/samples/damon/mtier.c index 7ebd352138e4..beaf36657dea 100644 --- a/samples/damon/mtier.c +++ b/samples/damon/mtier.c @@ -208,6 +208,9 @@ static int damon_sample_mtier_enable_store( if (enabled == is_enabled) return 0; + if (!init_called) + return 0; + if (enabled) { err = damon_sample_mtier_start(); if (err)

1 month, 2 weeks

2
3
0 0

FAILED: patch "[PATCH] samples/damon/wsse: avoid starting DAMON before" failed to apply to 6.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.16.y git checkout FETCH_HEAD git cherry-pick -x f826edeb888c5a8bd1b6e95ae6a50b0db2b21902 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092111-specked-enviably-906d@gregkh' --subject-prefix 'PATCH 6.16.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f826edeb888c5a8bd1b6e95ae6a50b0db2b21902 Mon Sep 17 00:00:00 2001 From: SeongJae Park <sj(a)kernel.org> Date: Mon, 8 Sep 2025 19:22:36 -0700 Subject: [PATCH] samples/damon/wsse: avoid starting DAMON before initialization Patch series "samples/damon: fix boot time enable handling fixup merge mistakes". First three patches of the patch series "mm/damon: fix misc bugs in DAMON modules" [1] were trying to fix boot time DAMON sample modules enabling issues. The issues are the modules can crash if those are enabled before DAMON is enabled, like using boot time parameter options. The three patches were fixing the issues by avoiding starting DAMON before the module initialization phase. However, probably by a mistake during a merge, only half of the change is merged, and the part for avoiding the starting of DAMON before the module initialized is missed. So the problem is not solved and thus the modules can still crash if enabled before DAMON is initialized. Fix those by applying the unmerged parts again. Note that the broken commits are merged into 6.17-rc1, but also backported to relevant stable kernels. So this series also needs to be merged into the stable kernels. Hence Cc-ing stable@. This patch (of 3): Commit 0ed1165c3727 ("samples/damon/wsse: fix boot time enable handling") is somehow incompletely applying the origin patch [2]. It is missing the part that avoids starting DAMON before module initialization. Probably a mistake during a merge has happened. Fix it by applying the missed part again. Link: https://lkml.kernel.org/r/20250909022238.2989-1-sj@kernel.org Link: https://lkml.kernel.org/r/20250909022238.2989-2-sj@kernel.org Link: https://lkml.kernel.org/r/20250706193207.39810-1-sj@kernel.org [1] Link: https://lore.kernel.org/20250706193207.39810-2-sj@kernel.org [2] Fixes: 0ed1165c3727 ("samples/damon/wsse: fix boot time enable handling") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/samples/damon/wsse.c b/samples/damon/wsse.c index da052023b099..21eaf15f987d 100644 --- a/samples/damon/wsse.c +++ b/samples/damon/wsse.c @@ -118,6 +118,9 @@ static int damon_sample_wsse_enable_store( return 0; if (enabled) { + if (!init_called) + return 0; + err = damon_sample_wsse_start(); if (err) enabled = false;

1 month, 2 weeks

2
3
0 0

FAILED: patch "[PATCH] io_uring: include dying ring in task_work "should cancel"" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 3539b1467e94336d5854ebf976d9627bfb65d6c3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092128-embassy-flyable-e3fb@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 3539b1467e94336d5854ebf976d9627bfb65d6c3 Mon Sep 17 00:00:00 2001 From: Jens Axboe <axboe(a)kernel.dk> Date: Thu, 18 Sep 2025 10:21:14 -0600 Subject: [PATCH] io_uring: include dying ring in task_work "should cancel" state When running task_work for an exiting task, rather than perform the issue retry attempt, the task_work is canceled. However, this isn't done for a ring that has been closed. This can lead to requests being successfully completed post the ring being closed, which is somewhat confusing and surprising to an application. Rather than just check the task exit state, also include the ring ref state in deciding whether or not to terminate a given request when run from task_work. Cc: stable(a)vger.kernel.org # 6.1+ Link: https://github.com/axboe/liburing/discussions/1459 Reported-by: Benedek Thaler <thaler(a)thaler.hu> Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 93633613a165..bcec12256f34 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -1406,8 +1406,10 @@ static void io_req_task_cancel(struct io_kiocb *req, io_tw_token_t tw) void io_req_task_submit(struct io_kiocb *req, io_tw_token_t tw) { - io_tw_lock(req->ctx, tw); - if (unlikely(io_should_terminate_tw())) + struct io_ring_ctx *ctx = req->ctx; + + io_tw_lock(ctx, tw); + if (unlikely(io_should_terminate_tw(ctx))) io_req_defer_failed(req, -EFAULT); else if (req->flags & REQ_F_FORCE_ASYNC) io_queue_iowq(req); diff --git a/io_uring/io_uring.h b/io_uring/io_uring.h index abc6de227f74..1880902be6fd 100644 --- a/io_uring/io_uring.h +++ b/io_uring/io_uring.h @@ -476,9 +476,9 @@ static inline bool io_allowed_run_tw(struct io_ring_ctx *ctx) * 2) PF_KTHREAD is set, in which case the invoker of the task_work is * our fallback task_work. */ -static inline bool io_should_terminate_tw(void) +static inline bool io_should_terminate_tw(struct io_ring_ctx *ctx) { - return current->flags & (PF_KTHREAD | PF_EXITING); + return (current->flags & (PF_KTHREAD | PF_EXITING)) || percpu_ref_is_dying(&ctx->refs); } static inline void io_req_queue_tw_complete(struct io_kiocb *req, s32 res) diff --git a/io_uring/poll.c b/io_uring/poll.c index c786e587563b..6090a26975d4 100644 --- a/io_uring/poll.c +++ b/io_uring/poll.c @@ -224,7 +224,7 @@ static int io_poll_check_events(struct io_kiocb *req, io_tw_token_t tw) { int v; - if (unlikely(io_should_terminate_tw())) + if (unlikely(io_should_terminate_tw(req->ctx))) return -ECANCELED; do { diff --git a/io_uring/timeout.c b/io_uring/timeout.c index 7f13bfa9f2b6..17e3aab0af36 100644 --- a/io_uring/timeout.c +++ b/io_uring/timeout.c @@ -324,7 +324,7 @@ static void io_req_task_link_timeout(struct io_kiocb *req, io_tw_token_t tw) int ret; if (prev) { - if (!io_should_terminate_tw()) { + if (!io_should_terminate_tw(req->ctx)) { struct io_cancel_data cd = { .ctx = req->ctx, .data = prev->cqe.user_data, diff --git a/io_uring/uring_cmd.c b/io_uring/uring_cmd.c index 053bac89b6c0..213716e10d70 100644 --- a/io_uring/uring_cmd.c +++ b/io_uring/uring_cmd.c @@ -118,7 +118,7 @@ static void io_uring_cmd_work(struct io_kiocb *req, io_tw_token_t tw) struct io_uring_cmd *ioucmd = io_kiocb_to_cmd(req, struct io_uring_cmd); unsigned int flags = IO_URING_F_COMPLETE_DEFER; - if (io_should_terminate_tw()) + if (io_should_terminate_tw(req->ctx)) flags |= IO_URING_F_TASK_DEAD; /* task_work executor checks the deffered list completion */

1 month, 2 weeks

3
2
0 0

FAILED: patch "[PATCH] io_uring: include dying ring in task_work "should cancel"" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 3539b1467e94336d5854ebf976d9627bfb65d6c3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092127-emit-dean-5272@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 3539b1467e94336d5854ebf976d9627bfb65d6c3 Mon Sep 17 00:00:00 2001 From: Jens Axboe <axboe(a)kernel.dk> Date: Thu, 18 Sep 2025 10:21:14 -0600 Subject: [PATCH] io_uring: include dying ring in task_work "should cancel" state When running task_work for an exiting task, rather than perform the issue retry attempt, the task_work is canceled. However, this isn't done for a ring that has been closed. This can lead to requests being successfully completed post the ring being closed, which is somewhat confusing and surprising to an application. Rather than just check the task exit state, also include the ring ref state in deciding whether or not to terminate a given request when run from task_work. Cc: stable(a)vger.kernel.org # 6.1+ Link: https://github.com/axboe/liburing/discussions/1459 Reported-by: Benedek Thaler <thaler(a)thaler.hu> Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 93633613a165..bcec12256f34 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -1406,8 +1406,10 @@ static void io_req_task_cancel(struct io_kiocb *req, io_tw_token_t tw) void io_req_task_submit(struct io_kiocb *req, io_tw_token_t tw) { - io_tw_lock(req->ctx, tw); - if (unlikely(io_should_terminate_tw())) + struct io_ring_ctx *ctx = req->ctx; + + io_tw_lock(ctx, tw); + if (unlikely(io_should_terminate_tw(ctx))) io_req_defer_failed(req, -EFAULT); else if (req->flags & REQ_F_FORCE_ASYNC) io_queue_iowq(req); diff --git a/io_uring/io_uring.h b/io_uring/io_uring.h index abc6de227f74..1880902be6fd 100644 --- a/io_uring/io_uring.h +++ b/io_uring/io_uring.h @@ -476,9 +476,9 @@ static inline bool io_allowed_run_tw(struct io_ring_ctx *ctx) * 2) PF_KTHREAD is set, in which case the invoker of the task_work is * our fallback task_work. */ -static inline bool io_should_terminate_tw(void) +static inline bool io_should_terminate_tw(struct io_ring_ctx *ctx) { - return current->flags & (PF_KTHREAD | PF_EXITING); + return (current->flags & (PF_KTHREAD | PF_EXITING)) || percpu_ref_is_dying(&ctx->refs); } static inline void io_req_queue_tw_complete(struct io_kiocb *req, s32 res) diff --git a/io_uring/poll.c b/io_uring/poll.c index c786e587563b..6090a26975d4 100644 --- a/io_uring/poll.c +++ b/io_uring/poll.c @@ -224,7 +224,7 @@ static int io_poll_check_events(struct io_kiocb *req, io_tw_token_t tw) { int v; - if (unlikely(io_should_terminate_tw())) + if (unlikely(io_should_terminate_tw(req->ctx))) return -ECANCELED; do { diff --git a/io_uring/timeout.c b/io_uring/timeout.c index 7f13bfa9f2b6..17e3aab0af36 100644 --- a/io_uring/timeout.c +++ b/io_uring/timeout.c @@ -324,7 +324,7 @@ static void io_req_task_link_timeout(struct io_kiocb *req, io_tw_token_t tw) int ret; if (prev) { - if (!io_should_terminate_tw()) { + if (!io_should_terminate_tw(req->ctx)) { struct io_cancel_data cd = { .ctx = req->ctx, .data = prev->cqe.user_data, diff --git a/io_uring/uring_cmd.c b/io_uring/uring_cmd.c index 053bac89b6c0..213716e10d70 100644 --- a/io_uring/uring_cmd.c +++ b/io_uring/uring_cmd.c @@ -118,7 +118,7 @@ static void io_uring_cmd_work(struct io_kiocb *req, io_tw_token_t tw) struct io_uring_cmd *ioucmd = io_kiocb_to_cmd(req, struct io_uring_cmd); unsigned int flags = IO_URING_F_COMPLETE_DEFER; - if (io_should_terminate_tw()) + if (io_should_terminate_tw(req->ctx)) flags |= IO_URING_F_TASK_DEAD; /* task_work executor checks the deffered list completion */

1 month, 2 weeks

3
2
0 0

FAILED: patch "[PATCH] mm/gup: local lru_add_drain() to avoid lru_add_drain_all()" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x a09a8a1fbb374e0053b97306da9dbc05bd384685 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092110-music-knoll-828f@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a09a8a1fbb374e0053b97306da9dbc05bd384685 Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Mon, 8 Sep 2025 15:16:53 -0700 Subject: [PATCH] mm/gup: local lru_add_drain() to avoid lru_add_drain_all() In many cases, if collect_longterm_unpinnable_folios() does need to drain the LRU cache to release a reference, the cache in question is on this same CPU, and much more efficiently drained by a preliminary local lru_add_drain(), than the later cross-CPU lru_add_drain_all(). Marked for stable, to counter the increase in lru_add_drain_all()s from "mm/gup: check ref_count instead of lru before migration". Note for clean backports: can take 6.16 commit a03db236aebf ("gup: optimize longterm pin_user_pages() for large folio") first. Link: https://lkml.kernel.org/r/66f2751f-283e-816d-9530-765db7edc465@google.com Signed-off-by: Hugh Dickins <hughd(a)google.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: Will Deacon <will(a)kernel.org> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/gup.c b/mm/gup.c index 82aec6443c0a..b47066a54f52 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2287,8 +2287,8 @@ static unsigned long collect_longterm_unpinnable_folios( struct pages_or_folios *pofs) { unsigned long collected = 0; - bool drain_allow = true; struct folio *folio; + int drained = 0; long i = 0; for (folio = pofs_get_folio(pofs, i); folio; @@ -2307,10 +2307,17 @@ static unsigned long collect_longterm_unpinnable_folios( continue; } - if (drain_allow && folio_ref_count(folio) != - folio_expected_ref_count(folio) + 1) { + if (drained == 0 && + folio_ref_count(folio) != + folio_expected_ref_count(folio) + 1) { + lru_add_drain(); + drained = 1; + } + if (drained == 1 && + folio_ref_count(folio) != + folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); - drain_allow = false; + drained = 2; } if (!folio_isolate_lru(folio))

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092108-drinking-sloped-1caa@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 Mon Sep 17 00:00:00 2001 From: Herbert Xu <herbert(a)gondor.apana.org.au> Date: Tue, 16 Sep 2025 17:20:59 +0800 Subject: [PATCH] crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing. Fixes: 8ff590903d5 ("crypto: algif_skcipher - User-space interface for skcipher operations") Reported-by: Muhammad Alifa Ramdhan <ramdhan(a)starlabs.sg> Reported-by: Bing-Jhong Billy Jheng <billy(a)starlabs.sg> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/crypto/af_alg.c b/crypto/af_alg.c index 407f2c238f2c..ca6fdcc6c54a 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -970,6 +970,12 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, } lock_sock(sk); + if (ctx->write) { + release_sock(sk); + return -EBUSY; + } + ctx->write = true; + if (ctx->init && !ctx->more) { if (ctx->used) { err = -EINVAL; @@ -1105,6 +1111,7 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, unlock: af_alg_data_wakeup(sk); + ctx->write = false; release_sock(sk); return copied ?: err; diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h index f7b3b93f3a49..0c70f3a55575 100644 --- a/include/crypto/if_alg.h +++ b/include/crypto/if_alg.h @@ -135,6 +135,7 @@ struct af_alg_async_req { * SG? * @enc: Cryptographic operation to be performed when * recvmsg is invoked. + * @write: True if we are in the middle of a write. * @init: True if metadata has been sent. * @len: Length of memory allocated for this data structure. * @inflight: Non-zero when AIO requests are in flight. @@ -151,10 +152,11 @@ struct af_alg_ctx { size_t used; atomic_t rcvused; - bool more; - bool merge; - bool enc; - bool init; + u32 more:1, + merge:1, + enc:1, + write:1, + init:1; unsigned int len;

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092108-unmarked-tropical-1899@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 Mon Sep 17 00:00:00 2001 From: Herbert Xu <herbert(a)gondor.apana.org.au> Date: Tue, 16 Sep 2025 17:20:59 +0800 Subject: [PATCH] crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing. Fixes: 8ff590903d5 ("crypto: algif_skcipher - User-space interface for skcipher operations") Reported-by: Muhammad Alifa Ramdhan <ramdhan(a)starlabs.sg> Reported-by: Bing-Jhong Billy Jheng <billy(a)starlabs.sg> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/crypto/af_alg.c b/crypto/af_alg.c index 407f2c238f2c..ca6fdcc6c54a 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -970,6 +970,12 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, } lock_sock(sk); + if (ctx->write) { + release_sock(sk); + return -EBUSY; + } + ctx->write = true; + if (ctx->init && !ctx->more) { if (ctx->used) { err = -EINVAL; @@ -1105,6 +1111,7 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, unlock: af_alg_data_wakeup(sk); + ctx->write = false; release_sock(sk); return copied ?: err; diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h index f7b3b93f3a49..0c70f3a55575 100644 --- a/include/crypto/if_alg.h +++ b/include/crypto/if_alg.h @@ -135,6 +135,7 @@ struct af_alg_async_req { * SG? * @enc: Cryptographic operation to be performed when * recvmsg is invoked. + * @write: True if we are in the middle of a write. * @init: True if metadata has been sent. * @len: Length of memory allocated for this data structure. * @inflight: Non-zero when AIO requests are in flight. @@ -151,10 +152,11 @@ struct af_alg_ctx { size_t used; atomic_t rcvused; - bool more; - bool merge; - bool enc; - bool init; + u32 more:1, + merge:1, + enc:1, + write:1, + init:1; unsigned int len;

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092107-crowbar-posting-c6ba@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 Mon Sep 17 00:00:00 2001 From: Herbert Xu <herbert(a)gondor.apana.org.au> Date: Tue, 16 Sep 2025 17:20:59 +0800 Subject: [PATCH] crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing. Fixes: 8ff590903d5 ("crypto: algif_skcipher - User-space interface for skcipher operations") Reported-by: Muhammad Alifa Ramdhan <ramdhan(a)starlabs.sg> Reported-by: Bing-Jhong Billy Jheng <billy(a)starlabs.sg> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/crypto/af_alg.c b/crypto/af_alg.c index 407f2c238f2c..ca6fdcc6c54a 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -970,6 +970,12 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, } lock_sock(sk); + if (ctx->write) { + release_sock(sk); + return -EBUSY; + } + ctx->write = true; + if (ctx->init && !ctx->more) { if (ctx->used) { err = -EINVAL; @@ -1105,6 +1111,7 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, unlock: af_alg_data_wakeup(sk); + ctx->write = false; release_sock(sk); return copied ?: err; diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h index f7b3b93f3a49..0c70f3a55575 100644 --- a/include/crypto/if_alg.h +++ b/include/crypto/if_alg.h @@ -135,6 +135,7 @@ struct af_alg_async_req { * SG? * @enc: Cryptographic operation to be performed when * recvmsg is invoked. + * @write: True if we are in the middle of a write. * @init: True if metadata has been sent. * @len: Length of memory allocated for this data structure. * @inflight: Non-zero when AIO requests are in flight. @@ -151,10 +152,11 @@ struct af_alg_ctx { size_t used; atomic_t rcvused; - bool more; - bool merge; - bool enc; - bool init; + u32 more:1, + merge:1, + enc:1, + write:1, + init:1; unsigned int len;

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 7f830e126dc357fc086905ce9730140fd4528d66 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092126-fabulous-despair-ac21@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7f830e126dc357fc086905ce9730140fd4528d66 Mon Sep 17 00:00:00 2001 From: Tom Lendacky <thomas.lendacky(a)amd.com> Date: Mon, 15 Sep 2025 11:04:12 -0500 Subject: [PATCH] x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT The sev_evict_cache() is guest-related code and should be guarded by CONFIG_AMD_MEM_ENCRYPT, not CONFIG_KVM_AMD_SEV. CONFIG_AMD_MEM_ENCRYPT=y is required for a guest to run properly as an SEV-SNP guest, but a guest kernel built with CONFIG_KVM_AMD_SEV=n would get the stub function of sev_evict_cache() instead of the version that performs the actual eviction. Move the function declarations under the appropriate #ifdef. Fixes: 7b306dfa326f ("x86/sev: Evict cache lines during SNP memory validation") Signed-off-by: Tom Lendacky <thomas.lendacky(a)amd.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Cc: stable(a)kernel.org # 6.16.x Link: https://lore.kernel.org/r/70e38f2c4a549063de54052c9f64929705313526.17577089… diff --git a/arch/x86/include/asm/sev.h b/arch/x86/include/asm/sev.h index 02236962fdb1..465b19fd1a2d 100644 --- a/arch/x86/include/asm/sev.h +++ b/arch/x86/include/asm/sev.h @@ -562,6 +562,24 @@ enum es_result sev_es_ghcb_hv_call(struct ghcb *ghcb, extern struct ghcb *boot_ghcb; +static inline void sev_evict_cache(void *va, int npages) +{ + volatile u8 val __always_unused; + u8 *bytes = va; + int page_idx; + + /* + * For SEV guests, a read from the first/last cache-lines of a 4K page + * using the guest key is sufficient to cause a flush of all cache-lines + * associated with that 4K page without incurring all the overhead of a + * full CLFLUSH sequence. + */ + for (page_idx = 0; page_idx < npages; page_idx++) { + val = bytes[page_idx * PAGE_SIZE]; + val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1]; + } +} + #else /* !CONFIG_AMD_MEM_ENCRYPT */ #define snp_vmpl 0 @@ -605,6 +623,7 @@ static inline int snp_send_guest_request(struct snp_msg_desc *mdesc, static inline int snp_svsm_vtpm_send_command(u8 *buffer) { return -ENODEV; } static inline void __init snp_secure_tsc_prepare(void) { } static inline void __init snp_secure_tsc_init(void) { } +static inline void sev_evict_cache(void *va, int npages) {} #endif /* CONFIG_AMD_MEM_ENCRYPT */ @@ -619,24 +638,6 @@ int rmp_make_shared(u64 pfn, enum pg_level level); void snp_leak_pages(u64 pfn, unsigned int npages); void kdump_sev_callback(void); void snp_fixup_e820_tables(void); - -static inline void sev_evict_cache(void *va, int npages) -{ - volatile u8 val __always_unused; - u8 *bytes = va; - int page_idx; - - /* - * For SEV guests, a read from the first/last cache-lines of a 4K page - * using the guest key is sufficient to cause a flush of all cache-lines - * associated with that 4K page without incurring all the overhead of a - * full CLFLUSH sequence. - */ - for (page_idx = 0; page_idx < npages; page_idx++) { - val = bytes[page_idx * PAGE_SIZE]; - val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1]; - } -} #else static inline bool snp_probe_rmptable_info(void) { return false; } static inline int snp_rmptable_init(void) { return -ENOSYS; } @@ -652,7 +653,6 @@ static inline int rmp_make_shared(u64 pfn, enum pg_level level) { return -ENODEV static inline void snp_leak_pages(u64 pfn, unsigned int npages) {} static inline void kdump_sev_callback(void) { } static inline void snp_fixup_e820_tables(void) {} -static inline void sev_evict_cache(void *va, int npages) {} #endif #endif

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 7f830e126dc357fc086905ce9730140fd4528d66 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092125-stitch-starting-35cb@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7f830e126dc357fc086905ce9730140fd4528d66 Mon Sep 17 00:00:00 2001 From: Tom Lendacky <thomas.lendacky(a)amd.com> Date: Mon, 15 Sep 2025 11:04:12 -0500 Subject: [PATCH] x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT The sev_evict_cache() is guest-related code and should be guarded by CONFIG_AMD_MEM_ENCRYPT, not CONFIG_KVM_AMD_SEV. CONFIG_AMD_MEM_ENCRYPT=y is required for a guest to run properly as an SEV-SNP guest, but a guest kernel built with CONFIG_KVM_AMD_SEV=n would get the stub function of sev_evict_cache() instead of the version that performs the actual eviction. Move the function declarations under the appropriate #ifdef. Fixes: 7b306dfa326f ("x86/sev: Evict cache lines during SNP memory validation") Signed-off-by: Tom Lendacky <thomas.lendacky(a)amd.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Cc: stable(a)kernel.org # 6.16.x Link: https://lore.kernel.org/r/70e38f2c4a549063de54052c9f64929705313526.17577089… diff --git a/arch/x86/include/asm/sev.h b/arch/x86/include/asm/sev.h index 02236962fdb1..465b19fd1a2d 100644 --- a/arch/x86/include/asm/sev.h +++ b/arch/x86/include/asm/sev.h @@ -562,6 +562,24 @@ enum es_result sev_es_ghcb_hv_call(struct ghcb *ghcb, extern struct ghcb *boot_ghcb; +static inline void sev_evict_cache(void *va, int npages) +{ + volatile u8 val __always_unused; + u8 *bytes = va; + int page_idx; + + /* + * For SEV guests, a read from the first/last cache-lines of a 4K page + * using the guest key is sufficient to cause a flush of all cache-lines + * associated with that 4K page without incurring all the overhead of a + * full CLFLUSH sequence. + */ + for (page_idx = 0; page_idx < npages; page_idx++) { + val = bytes[page_idx * PAGE_SIZE]; + val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1]; + } +} + #else /* !CONFIG_AMD_MEM_ENCRYPT */ #define snp_vmpl 0 @@ -605,6 +623,7 @@ static inline int snp_send_guest_request(struct snp_msg_desc *mdesc, static inline int snp_svsm_vtpm_send_command(u8 *buffer) { return -ENODEV; } static inline void __init snp_secure_tsc_prepare(void) { } static inline void __init snp_secure_tsc_init(void) { } +static inline void sev_evict_cache(void *va, int npages) {} #endif /* CONFIG_AMD_MEM_ENCRYPT */ @@ -619,24 +638,6 @@ int rmp_make_shared(u64 pfn, enum pg_level level); void snp_leak_pages(u64 pfn, unsigned int npages); void kdump_sev_callback(void); void snp_fixup_e820_tables(void); - -static inline void sev_evict_cache(void *va, int npages) -{ - volatile u8 val __always_unused; - u8 *bytes = va; - int page_idx; - - /* - * For SEV guests, a read from the first/last cache-lines of a 4K page - * using the guest key is sufficient to cause a flush of all cache-lines - * associated with that 4K page without incurring all the overhead of a - * full CLFLUSH sequence. - */ - for (page_idx = 0; page_idx < npages; page_idx++) { - val = bytes[page_idx * PAGE_SIZE]; - val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1]; - } -} #else static inline bool snp_probe_rmptable_info(void) { return false; } static inline int snp_rmptable_init(void) { return -ENOSYS; } @@ -652,7 +653,6 @@ static inline int rmp_make_shared(u64 pfn, enum pg_level level) { return -ENODEV static inline void snp_leak_pages(u64 pfn, unsigned int npages) {} static inline void kdump_sev_callback(void) { } static inline void snp_fixup_e820_tables(void) {} -static inline void sev_evict_cache(void *va, int npages) {} #endif #endif

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] btrfs: tree-checker: fix the incorrect inode ref size check" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 96fa515e70f3e4b98685ef8cac9d737fc62f10e1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092135-breeding-chrome-585a@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 96fa515e70f3e4b98685ef8cac9d737fc62f10e1 Mon Sep 17 00:00:00 2001 From: Qu Wenruo <wqu(a)suse.com> Date: Tue, 16 Sep 2025 07:54:06 +0930 Subject: [PATCH] btrfs: tree-checker: fix the incorrect inode ref size check [BUG] Inside check_inode_ref(), we need to make sure every structure, including the btrfs_inode_extref header, is covered by the item. But our code is incorrectly using "sizeof(iref)", where @iref is just a pointer. This means "sizeof(iref)" will always be "sizeof(void *)", which is much smaller than "sizeof(struct btrfs_inode_extref)". This will allow some bad inode extrefs to sneak in, defeating tree-checker. [FIX] Fix the typo by calling "sizeof(*iref)", which is the same as "sizeof(struct btrfs_inode_extref)", and will be the correct behavior we want. Fixes: 71bf92a9b877 ("btrfs: tree-checker: Add check for INODE_REF") CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: Qu Wenruo <wqu(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c index 0f556f4de3f9..a997c7cc35a2 100644 --- a/fs/btrfs/tree-checker.c +++ b/fs/btrfs/tree-checker.c @@ -1756,10 +1756,10 @@ static int check_inode_ref(struct extent_buffer *leaf, while (ptr < end) { u16 namelen; - if (unlikely(ptr + sizeof(iref) > end)) { + if (unlikely(ptr + sizeof(*iref) > end)) { inode_ref_err(leaf, slot, "inode ref overflow, ptr %lu end %lu inode_ref_size %zu", - ptr, end, sizeof(iref)); + ptr, end, sizeof(*iref)); return -EUCLEAN; }

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] iommu/amd/pgtbl: Fix possible race while increase page table" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 1e56310b40fd2e7e0b9493da9ff488af145bdd0c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092105-gawk-armful-317b@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1e56310b40fd2e7e0b9493da9ff488af145bdd0c Mon Sep 17 00:00:00 2001 From: Vasant Hegde <vasant.hegde(a)amd.com> Date: Sat, 13 Sep 2025 06:26:57 +0000 Subject: [PATCH] iommu/amd/pgtbl: Fix possible race while increase page table level The AMD IOMMU host page table implementation supports dynamic page table levels (up to 6 levels), starting with a 3-level configuration that expands based on IOVA address. The kernel maintains a root pointer and current page table level to enable proper page table walks in alloc_pte()/fetch_pte() operations. The IOMMU IOVA allocator initially starts with 32-bit address and onces its exhuasted it switches to 64-bit address (max address is determined based on IOMMU and device DMA capability). To support larger IOVA, AMD IOMMU driver increases page table level. But in unmap path (iommu_v1_unmap_pages()), fetch_pte() reads pgtable->[root/mode] without lock. So its possible that in exteme corner case, when increase_address_space() is updating pgtable->[root/mode], fetch_pte() reads wrong page table level (pgtable->mode). It does compare the value with level encoded in page table and returns NULL. This will result is iommu_unmap ops to fail and upper layer may retry/log WARN_ON. CPU 0 CPU 1 ------ ------ map pages unmap pages alloc_pte() -> increase_address_space() iommu_v1_unmap_pages() -> fetch_pte() pgtable->root = pte (new root value) READ pgtable->[mode/root] Reads new root, old mode Updates mode (pgtable->mode += 1) Since Page table level updates are infrequent and already synchronized with a spinlock, implement seqcount to enable lock-free read operations on the read path. Fixes: 754265bcab7 ("iommu/amd: Fix race in increase_address_space()") Reported-by: Alejandro Jimenez <alejandro.j.jimenez(a)oracle.com> Cc: stable(a)vger.kernel.org Cc: Joao Martins <joao.m.martins(a)oracle.com> Cc: Suravee Suthikulpanit <suravee.suthikulpanit(a)amd.com> Signed-off-by: Vasant Hegde <vasant.hegde(a)amd.com> Signed-off-by: Joerg Roedel <joerg.roedel(a)amd.com> diff --git a/drivers/iommu/amd/amd_iommu_types.h b/drivers/iommu/amd/amd_iommu_types.h index 5219d7ddfdaa..95f63c5f6159 100644 --- a/drivers/iommu/amd/amd_iommu_types.h +++ b/drivers/iommu/amd/amd_iommu_types.h @@ -555,6 +555,7 @@ struct gcr3_tbl_info { }; struct amd_io_pgtable { + seqcount_t seqcount; /* Protects root/mode update */ struct io_pgtable pgtbl; int mode; u64 *root; diff --git a/drivers/iommu/amd/io_pgtable.c b/drivers/iommu/amd/io_pgtable.c index a91e71f981ef..70c2f5b1631b 100644 --- a/drivers/iommu/amd/io_pgtable.c +++ b/drivers/iommu/amd/io_pgtable.c @@ -17,6 +17,7 @@ #include <linux/slab.h> #include <linux/types.h> #include <linux/dma-mapping.h> +#include <linux/seqlock.h> #include <asm/barrier.h> @@ -130,8 +131,11 @@ static bool increase_address_space(struct amd_io_pgtable *pgtable, *pte = PM_LEVEL_PDE(pgtable->mode, iommu_virt_to_phys(pgtable->root)); + write_seqcount_begin(&pgtable->seqcount); pgtable->root = pte; pgtable->mode += 1; + write_seqcount_end(&pgtable->seqcount); + amd_iommu_update_and_flush_device_table(domain); pte = NULL; @@ -153,6 +157,7 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, { unsigned long last_addr = address + (page_size - 1); struct io_pgtable_cfg *cfg = &pgtable->pgtbl.cfg; + unsigned int seqcount; int level, end_lvl; u64 *pte, *page; @@ -170,8 +175,14 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, } - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + + address = PAGE_SIZE_ALIGN(address, page_size); end_lvl = PAGE_SIZE_LEVEL(page_size); @@ -249,6 +260,7 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, unsigned long *page_size) { int level; + unsigned int seqcount; u64 *pte; *page_size = 0; @@ -256,8 +268,12 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, if (address > PM_LEVEL_SIZE(pgtable->mode)) return NULL; - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + *page_size = PTE_LEVEL_PAGE_SIZE(level); while (level > 0) { @@ -541,6 +557,7 @@ static struct io_pgtable *v1_alloc_pgtable(struct io_pgtable_cfg *cfg, void *coo if (!pgtable->root) return NULL; pgtable->mode = PAGE_MODE_3_LEVEL; + seqcount_init(&pgtable->seqcount); cfg->pgsize_bitmap = amd_iommu_pgsize_bitmap; cfg->ias = IOMMU_IN_ADDR_BIT_SIZE;

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] iommu/amd/pgtbl: Fix possible race while increase page table" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 1e56310b40fd2e7e0b9493da9ff488af145bdd0c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092104-flashcard-deepness-5002@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1e56310b40fd2e7e0b9493da9ff488af145bdd0c Mon Sep 17 00:00:00 2001 From: Vasant Hegde <vasant.hegde(a)amd.com> Date: Sat, 13 Sep 2025 06:26:57 +0000 Subject: [PATCH] iommu/amd/pgtbl: Fix possible race while increase page table level The AMD IOMMU host page table implementation supports dynamic page table levels (up to 6 levels), starting with a 3-level configuration that expands based on IOVA address. The kernel maintains a root pointer and current page table level to enable proper page table walks in alloc_pte()/fetch_pte() operations. The IOMMU IOVA allocator initially starts with 32-bit address and onces its exhuasted it switches to 64-bit address (max address is determined based on IOMMU and device DMA capability). To support larger IOVA, AMD IOMMU driver increases page table level. But in unmap path (iommu_v1_unmap_pages()), fetch_pte() reads pgtable->[root/mode] without lock. So its possible that in exteme corner case, when increase_address_space() is updating pgtable->[root/mode], fetch_pte() reads wrong page table level (pgtable->mode). It does compare the value with level encoded in page table and returns NULL. This will result is iommu_unmap ops to fail and upper layer may retry/log WARN_ON. CPU 0 CPU 1 ------ ------ map pages unmap pages alloc_pte() -> increase_address_space() iommu_v1_unmap_pages() -> fetch_pte() pgtable->root = pte (new root value) READ pgtable->[mode/root] Reads new root, old mode Updates mode (pgtable->mode += 1) Since Page table level updates are infrequent and already synchronized with a spinlock, implement seqcount to enable lock-free read operations on the read path. Fixes: 754265bcab7 ("iommu/amd: Fix race in increase_address_space()") Reported-by: Alejandro Jimenez <alejandro.j.jimenez(a)oracle.com> Cc: stable(a)vger.kernel.org Cc: Joao Martins <joao.m.martins(a)oracle.com> Cc: Suravee Suthikulpanit <suravee.suthikulpanit(a)amd.com> Signed-off-by: Vasant Hegde <vasant.hegde(a)amd.com> Signed-off-by: Joerg Roedel <joerg.roedel(a)amd.com> diff --git a/drivers/iommu/amd/amd_iommu_types.h b/drivers/iommu/amd/amd_iommu_types.h index 5219d7ddfdaa..95f63c5f6159 100644 --- a/drivers/iommu/amd/amd_iommu_types.h +++ b/drivers/iommu/amd/amd_iommu_types.h @@ -555,6 +555,7 @@ struct gcr3_tbl_info { }; struct amd_io_pgtable { + seqcount_t seqcount; /* Protects root/mode update */ struct io_pgtable pgtbl; int mode; u64 *root; diff --git a/drivers/iommu/amd/io_pgtable.c b/drivers/iommu/amd/io_pgtable.c index a91e71f981ef..70c2f5b1631b 100644 --- a/drivers/iommu/amd/io_pgtable.c +++ b/drivers/iommu/amd/io_pgtable.c @@ -17,6 +17,7 @@ #include <linux/slab.h> #include <linux/types.h> #include <linux/dma-mapping.h> +#include <linux/seqlock.h> #include <asm/barrier.h> @@ -130,8 +131,11 @@ static bool increase_address_space(struct amd_io_pgtable *pgtable, *pte = PM_LEVEL_PDE(pgtable->mode, iommu_virt_to_phys(pgtable->root)); + write_seqcount_begin(&pgtable->seqcount); pgtable->root = pte; pgtable->mode += 1; + write_seqcount_end(&pgtable->seqcount); + amd_iommu_update_and_flush_device_table(domain); pte = NULL; @@ -153,6 +157,7 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, { unsigned long last_addr = address + (page_size - 1); struct io_pgtable_cfg *cfg = &pgtable->pgtbl.cfg; + unsigned int seqcount; int level, end_lvl; u64 *pte, *page; @@ -170,8 +175,14 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, } - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + + address = PAGE_SIZE_ALIGN(address, page_size); end_lvl = PAGE_SIZE_LEVEL(page_size); @@ -249,6 +260,7 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, unsigned long *page_size) { int level; + unsigned int seqcount; u64 *pte; *page_size = 0; @@ -256,8 +268,12 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, if (address > PM_LEVEL_SIZE(pgtable->mode)) return NULL; - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + *page_size = PTE_LEVEL_PAGE_SIZE(level); while (level > 0) { @@ -541,6 +557,7 @@ static struct io_pgtable *v1_alloc_pgtable(struct io_pgtable_cfg *cfg, void *coo if (!pgtable->root) return NULL; pgtable->mode = PAGE_MODE_3_LEVEL; + seqcount_init(&pgtable->seqcount); cfg->pgsize_bitmap = amd_iommu_pgsize_bitmap; cfg->ias = IOMMU_IN_ADDR_BIT_SIZE;

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] iommu/amd/pgtbl: Fix possible race while increase page table" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 1e56310b40fd2e7e0b9493da9ff488af145bdd0c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092103-skilled-expand-23a8@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1e56310b40fd2e7e0b9493da9ff488af145bdd0c Mon Sep 17 00:00:00 2001 From: Vasant Hegde <vasant.hegde(a)amd.com> Date: Sat, 13 Sep 2025 06:26:57 +0000 Subject: [PATCH] iommu/amd/pgtbl: Fix possible race while increase page table level The AMD IOMMU host page table implementation supports dynamic page table levels (up to 6 levels), starting with a 3-level configuration that expands based on IOVA address. The kernel maintains a root pointer and current page table level to enable proper page table walks in alloc_pte()/fetch_pte() operations. The IOMMU IOVA allocator initially starts with 32-bit address and onces its exhuasted it switches to 64-bit address (max address is determined based on IOMMU and device DMA capability). To support larger IOVA, AMD IOMMU driver increases page table level. But in unmap path (iommu_v1_unmap_pages()), fetch_pte() reads pgtable->[root/mode] without lock. So its possible that in exteme corner case, when increase_address_space() is updating pgtable->[root/mode], fetch_pte() reads wrong page table level (pgtable->mode). It does compare the value with level encoded in page table and returns NULL. This will result is iommu_unmap ops to fail and upper layer may retry/log WARN_ON. CPU 0 CPU 1 ------ ------ map pages unmap pages alloc_pte() -> increase_address_space() iommu_v1_unmap_pages() -> fetch_pte() pgtable->root = pte (new root value) READ pgtable->[mode/root] Reads new root, old mode Updates mode (pgtable->mode += 1) Since Page table level updates are infrequent and already synchronized with a spinlock, implement seqcount to enable lock-free read operations on the read path. Fixes: 754265bcab7 ("iommu/amd: Fix race in increase_address_space()") Reported-by: Alejandro Jimenez <alejandro.j.jimenez(a)oracle.com> Cc: stable(a)vger.kernel.org Cc: Joao Martins <joao.m.martins(a)oracle.com> Cc: Suravee Suthikulpanit <suravee.suthikulpanit(a)amd.com> Signed-off-by: Vasant Hegde <vasant.hegde(a)amd.com> Signed-off-by: Joerg Roedel <joerg.roedel(a)amd.com> diff --git a/drivers/iommu/amd/amd_iommu_types.h b/drivers/iommu/amd/amd_iommu_types.h index 5219d7ddfdaa..95f63c5f6159 100644 --- a/drivers/iommu/amd/amd_iommu_types.h +++ b/drivers/iommu/amd/amd_iommu_types.h @@ -555,6 +555,7 @@ struct gcr3_tbl_info { }; struct amd_io_pgtable { + seqcount_t seqcount; /* Protects root/mode update */ struct io_pgtable pgtbl; int mode; u64 *root; diff --git a/drivers/iommu/amd/io_pgtable.c b/drivers/iommu/amd/io_pgtable.c index a91e71f981ef..70c2f5b1631b 100644 --- a/drivers/iommu/amd/io_pgtable.c +++ b/drivers/iommu/amd/io_pgtable.c @@ -17,6 +17,7 @@ #include <linux/slab.h> #include <linux/types.h> #include <linux/dma-mapping.h> +#include <linux/seqlock.h> #include <asm/barrier.h> @@ -130,8 +131,11 @@ static bool increase_address_space(struct amd_io_pgtable *pgtable, *pte = PM_LEVEL_PDE(pgtable->mode, iommu_virt_to_phys(pgtable->root)); + write_seqcount_begin(&pgtable->seqcount); pgtable->root = pte; pgtable->mode += 1; + write_seqcount_end(&pgtable->seqcount); + amd_iommu_update_and_flush_device_table(domain); pte = NULL; @@ -153,6 +157,7 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, { unsigned long last_addr = address + (page_size - 1); struct io_pgtable_cfg *cfg = &pgtable->pgtbl.cfg; + unsigned int seqcount; int level, end_lvl; u64 *pte, *page; @@ -170,8 +175,14 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, } - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + + address = PAGE_SIZE_ALIGN(address, page_size); end_lvl = PAGE_SIZE_LEVEL(page_size); @@ -249,6 +260,7 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, unsigned long *page_size) { int level; + unsigned int seqcount; u64 *pte; *page_size = 0; @@ -256,8 +268,12 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, if (address > PM_LEVEL_SIZE(pgtable->mode)) return NULL; - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + *page_size = PTE_LEVEL_PAGE_SIZE(level); while (level > 0) { @@ -541,6 +557,7 @@ static struct io_pgtable *v1_alloc_pgtable(struct io_pgtable_cfg *cfg, void *coo if (!pgtable->root) return NULL; pgtable->mode = PAGE_MODE_3_LEVEL; + seqcount_init(&pgtable->seqcount); cfg->pgsize_bitmap = amd_iommu_pgsize_bitmap; cfg->ias = IOMMU_IN_ADDR_BIT_SIZE;

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] iommu/amd/pgtbl: Fix possible race while increase page table" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 1e56310b40fd2e7e0b9493da9ff488af145bdd0c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092102-landfill-panorama-3049@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1e56310b40fd2e7e0b9493da9ff488af145bdd0c Mon Sep 17 00:00:00 2001 From: Vasant Hegde <vasant.hegde(a)amd.com> Date: Sat, 13 Sep 2025 06:26:57 +0000 Subject: [PATCH] iommu/amd/pgtbl: Fix possible race while increase page table level The AMD IOMMU host page table implementation supports dynamic page table levels (up to 6 levels), starting with a 3-level configuration that expands based on IOVA address. The kernel maintains a root pointer and current page table level to enable proper page table walks in alloc_pte()/fetch_pte() operations. The IOMMU IOVA allocator initially starts with 32-bit address and onces its exhuasted it switches to 64-bit address (max address is determined based on IOMMU and device DMA capability). To support larger IOVA, AMD IOMMU driver increases page table level. But in unmap path (iommu_v1_unmap_pages()), fetch_pte() reads pgtable->[root/mode] without lock. So its possible that in exteme corner case, when increase_address_space() is updating pgtable->[root/mode], fetch_pte() reads wrong page table level (pgtable->mode). It does compare the value with level encoded in page table and returns NULL. This will result is iommu_unmap ops to fail and upper layer may retry/log WARN_ON. CPU 0 CPU 1 ------ ------ map pages unmap pages alloc_pte() -> increase_address_space() iommu_v1_unmap_pages() -> fetch_pte() pgtable->root = pte (new root value) READ pgtable->[mode/root] Reads new root, old mode Updates mode (pgtable->mode += 1) Since Page table level updates are infrequent and already synchronized with a spinlock, implement seqcount to enable lock-free read operations on the read path. Fixes: 754265bcab7 ("iommu/amd: Fix race in increase_address_space()") Reported-by: Alejandro Jimenez <alejandro.j.jimenez(a)oracle.com> Cc: stable(a)vger.kernel.org Cc: Joao Martins <joao.m.martins(a)oracle.com> Cc: Suravee Suthikulpanit <suravee.suthikulpanit(a)amd.com> Signed-off-by: Vasant Hegde <vasant.hegde(a)amd.com> Signed-off-by: Joerg Roedel <joerg.roedel(a)amd.com> diff --git a/drivers/iommu/amd/amd_iommu_types.h b/drivers/iommu/amd/amd_iommu_types.h index 5219d7ddfdaa..95f63c5f6159 100644 --- a/drivers/iommu/amd/amd_iommu_types.h +++ b/drivers/iommu/amd/amd_iommu_types.h @@ -555,6 +555,7 @@ struct gcr3_tbl_info { }; struct amd_io_pgtable { + seqcount_t seqcount; /* Protects root/mode update */ struct io_pgtable pgtbl; int mode; u64 *root; diff --git a/drivers/iommu/amd/io_pgtable.c b/drivers/iommu/amd/io_pgtable.c index a91e71f981ef..70c2f5b1631b 100644 --- a/drivers/iommu/amd/io_pgtable.c +++ b/drivers/iommu/amd/io_pgtable.c @@ -17,6 +17,7 @@ #include <linux/slab.h> #include <linux/types.h> #include <linux/dma-mapping.h> +#include <linux/seqlock.h> #include <asm/barrier.h> @@ -130,8 +131,11 @@ static bool increase_address_space(struct amd_io_pgtable *pgtable, *pte = PM_LEVEL_PDE(pgtable->mode, iommu_virt_to_phys(pgtable->root)); + write_seqcount_begin(&pgtable->seqcount); pgtable->root = pte; pgtable->mode += 1; + write_seqcount_end(&pgtable->seqcount); + amd_iommu_update_and_flush_device_table(domain); pte = NULL; @@ -153,6 +157,7 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, { unsigned long last_addr = address + (page_size - 1); struct io_pgtable_cfg *cfg = &pgtable->pgtbl.cfg; + unsigned int seqcount; int level, end_lvl; u64 *pte, *page; @@ -170,8 +175,14 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, } - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + + address = PAGE_SIZE_ALIGN(address, page_size); end_lvl = PAGE_SIZE_LEVEL(page_size); @@ -249,6 +260,7 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, unsigned long *page_size) { int level; + unsigned int seqcount; u64 *pte; *page_size = 0; @@ -256,8 +268,12 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, if (address > PM_LEVEL_SIZE(pgtable->mode)) return NULL; - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + *page_size = PTE_LEVEL_PAGE_SIZE(level); while (level > 0) { @@ -541,6 +557,7 @@ static struct io_pgtable *v1_alloc_pgtable(struct io_pgtable_cfg *cfg, void *coo if (!pgtable->root) return NULL; pgtable->mode = PAGE_MODE_3_LEVEL; + seqcount_init(&pgtable->seqcount); cfg->pgsize_bitmap = amd_iommu_pgsize_bitmap; cfg->ias = IOMMU_IN_ADDR_BIT_SIZE;

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] samples/damon/prcl: avoid starting DAMON before" failed to apply to 6.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.16.y git checkout FETCH_HEAD git cherry-pick -x e6b733ca2f99e968d696c2e812c8eb8e090bf37b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092121-boned-marbles-55ea@gregkh' --subject-prefix 'PATCH 6.16.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e6b733ca2f99e968d696c2e812c8eb8e090bf37b Mon Sep 17 00:00:00 2001 From: SeongJae Park <sj(a)kernel.org> Date: Mon, 8 Sep 2025 19:22:37 -0700 Subject: [PATCH] samples/damon/prcl: avoid starting DAMON before initialization Commit 2780505ec2b4 ("samples/damon/prcl: fix boot time enable crash") is somehow incompletely applying the origin patch [1]. It is missing the part that avoids starting DAMON before module initialization. Probably a mistake during a merge has happened. Fix it by applying the missed part again. Link: https://lkml.kernel.org/r/20250909022238.2989-3-sj@kernel.org Link: https://lore.kernel.org/20250706193207.39810-3-sj@kernel.org [1] Fixes: 2780505ec2b4 ("samples/damon/prcl: fix boot time enable crash") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/samples/damon/prcl.c b/samples/damon/prcl.c index 1b839c06a612..0226652f94d5 100644 --- a/samples/damon/prcl.c +++ b/samples/damon/prcl.c @@ -137,6 +137,9 @@ static int damon_sample_prcl_enable_store( if (enabled == is_enabled) return 0; + if (!init_called) + return 0; + if (enabled) { err = damon_sample_prcl_start(); if (err)

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: folio_may_be_lru_cached() unless folio_test_large()" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 2da6de30e60dd9bb14600eff1cc99df2fa2ddae3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092147-truck-ceremony-311d@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2da6de30e60dd9bb14600eff1cc99df2fa2ddae3 Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Mon, 8 Sep 2025 15:23:15 -0700 Subject: [PATCH] mm: folio_may_be_lru_cached() unless folio_test_large() mm/swap.c and mm/mlock.c agree to drain any per-CPU batch as soon as a large folio is added: so collect_longterm_unpinnable_folios() just wastes effort when calling lru_add_drain[_all]() on a large folio. But although there is good reason not to batch up PMD-sized folios, we might well benefit from batching a small number of low-order mTHPs (though unclear how that "small number" limitation will be implemented). So ask if folio_may_be_lru_cached() rather than !folio_test_large(), to insulate those particular checks from future change. Name preferred to "folio_is_batchable" because large folios can well be put on a batch: it's just the per-CPU LRU caches, drained much later, which need care. Marked for stable, to counter the increase in lru_add_drain_all()s from "mm/gup: check ref_count instead of lru before migration". Link: https://lkml.kernel.org/r/57d2eaf8-3607-f318-e0c5-be02dce61ad0@google.com Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: Hugh Dickins <hughd(a)google.com> Suggested-by: David Hildenbrand <david(a)redhat.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: Will Deacon <will(a)kernel.org> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/swap.h b/include/linux/swap.h index 2fe6ed2cc3fd..7012a0f758d8 100644 --- a/include/linux/swap.h +++ b/include/linux/swap.h @@ -385,6 +385,16 @@ void folio_add_lru_vma(struct folio *, struct vm_area_struct *); void mark_page_accessed(struct page *); void folio_mark_accessed(struct folio *); +static inline bool folio_may_be_lru_cached(struct folio *folio) +{ + /* + * Holding PMD-sized folios in per-CPU LRU cache unbalances accounting. + * Holding small numbers of low-order mTHP folios in per-CPU LRU cache + * will be sensible, but nobody has implemented and tested that yet. + */ + return !folio_test_large(folio); +} + extern atomic_t lru_disable_count; static inline bool lru_cache_disabled(void) diff --git a/mm/gup.c b/mm/gup.c index b47066a54f52..0bc4d140fc07 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2307,13 +2307,13 @@ static unsigned long collect_longterm_unpinnable_folios( continue; } - if (drained == 0 && + if (drained == 0 && folio_may_be_lru_cached(folio) && folio_ref_count(folio) != folio_expected_ref_count(folio) + 1) { lru_add_drain(); drained = 1; } - if (drained == 1 && + if (drained == 1 && folio_may_be_lru_cached(folio) && folio_ref_count(folio) != folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); diff --git a/mm/mlock.c b/mm/mlock.c index a1d93ad33c6d..bb0776f5ef7c 100644 --- a/mm/mlock.c +++ b/mm/mlock.c @@ -255,7 +255,7 @@ void mlock_folio(struct folio *folio) folio_get(folio); if (!folio_batch_add(fbatch, mlock_lru(folio)) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } @@ -278,7 +278,7 @@ void mlock_new_folio(struct folio *folio) folio_get(folio); if (!folio_batch_add(fbatch, mlock_new(folio)) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } @@ -299,7 +299,7 @@ void munlock_folio(struct folio *folio) */ folio_get(folio); if (!folio_batch_add(fbatch, folio) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } diff --git a/mm/swap.c b/mm/swap.c index 6ae2d5680574..b74ebe865dd9 100644 --- a/mm/swap.c +++ b/mm/swap.c @@ -192,7 +192,7 @@ static void __folio_batch_add_and_move(struct folio_batch __percpu *fbatch, local_lock(&cpu_fbatches.lock); if (!folio_batch_add(this_cpu_ptr(fbatch), folio) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) folio_batch_move_lru(this_cpu_ptr(fbatch), move_fn); if (disable_irq)

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: folio_may_be_lru_cached() unless folio_test_large()" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 2da6de30e60dd9bb14600eff1cc99df2fa2ddae3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092146-exhume-krypton-1383@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2da6de30e60dd9bb14600eff1cc99df2fa2ddae3 Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Mon, 8 Sep 2025 15:23:15 -0700 Subject: [PATCH] mm: folio_may_be_lru_cached() unless folio_test_large() mm/swap.c and mm/mlock.c agree to drain any per-CPU batch as soon as a large folio is added: so collect_longterm_unpinnable_folios() just wastes effort when calling lru_add_drain[_all]() on a large folio. But although there is good reason not to batch up PMD-sized folios, we might well benefit from batching a small number of low-order mTHPs (though unclear how that "small number" limitation will be implemented). So ask if folio_may_be_lru_cached() rather than !folio_test_large(), to insulate those particular checks from future change. Name preferred to "folio_is_batchable" because large folios can well be put on a batch: it's just the per-CPU LRU caches, drained much later, which need care. Marked for stable, to counter the increase in lru_add_drain_all()s from "mm/gup: check ref_count instead of lru before migration". Link: https://lkml.kernel.org/r/57d2eaf8-3607-f318-e0c5-be02dce61ad0@google.com Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: Hugh Dickins <hughd(a)google.com> Suggested-by: David Hildenbrand <david(a)redhat.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: Will Deacon <will(a)kernel.org> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/swap.h b/include/linux/swap.h index 2fe6ed2cc3fd..7012a0f758d8 100644 --- a/include/linux/swap.h +++ b/include/linux/swap.h @@ -385,6 +385,16 @@ void folio_add_lru_vma(struct folio *, struct vm_area_struct *); void mark_page_accessed(struct page *); void folio_mark_accessed(struct folio *); +static inline bool folio_may_be_lru_cached(struct folio *folio) +{ + /* + * Holding PMD-sized folios in per-CPU LRU cache unbalances accounting. + * Holding small numbers of low-order mTHP folios in per-CPU LRU cache + * will be sensible, but nobody has implemented and tested that yet. + */ + return !folio_test_large(folio); +} + extern atomic_t lru_disable_count; static inline bool lru_cache_disabled(void) diff --git a/mm/gup.c b/mm/gup.c index b47066a54f52..0bc4d140fc07 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2307,13 +2307,13 @@ static unsigned long collect_longterm_unpinnable_folios( continue; } - if (drained == 0 && + if (drained == 0 && folio_may_be_lru_cached(folio) && folio_ref_count(folio) != folio_expected_ref_count(folio) + 1) { lru_add_drain(); drained = 1; } - if (drained == 1 && + if (drained == 1 && folio_may_be_lru_cached(folio) && folio_ref_count(folio) != folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); diff --git a/mm/mlock.c b/mm/mlock.c index a1d93ad33c6d..bb0776f5ef7c 100644 --- a/mm/mlock.c +++ b/mm/mlock.c @@ -255,7 +255,7 @@ void mlock_folio(struct folio *folio) folio_get(folio); if (!folio_batch_add(fbatch, mlock_lru(folio)) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } @@ -278,7 +278,7 @@ void mlock_new_folio(struct folio *folio) folio_get(folio); if (!folio_batch_add(fbatch, mlock_new(folio)) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } @@ -299,7 +299,7 @@ void munlock_folio(struct folio *folio) */ folio_get(folio); if (!folio_batch_add(fbatch, folio) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } diff --git a/mm/swap.c b/mm/swap.c index 6ae2d5680574..b74ebe865dd9 100644 --- a/mm/swap.c +++ b/mm/swap.c @@ -192,7 +192,7 @@ static void __folio_batch_add_and_move(struct folio_batch __percpu *fbatch, local_lock(&cpu_fbatches.lock); if (!folio_batch_add(this_cpu_ptr(fbatch), folio) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) folio_batch_move_lru(this_cpu_ptr(fbatch), move_fn); if (disable_irq)

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: folio_may_be_lru_cached() unless folio_test_large()" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 2da6de30e60dd9bb14600eff1cc99df2fa2ddae3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092145-system-superjet-a0fb@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2da6de30e60dd9bb14600eff1cc99df2fa2ddae3 Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Mon, 8 Sep 2025 15:23:15 -0700 Subject: [PATCH] mm: folio_may_be_lru_cached() unless folio_test_large() mm/swap.c and mm/mlock.c agree to drain any per-CPU batch as soon as a large folio is added: so collect_longterm_unpinnable_folios() just wastes effort when calling lru_add_drain[_all]() on a large folio. But although there is good reason not to batch up PMD-sized folios, we might well benefit from batching a small number of low-order mTHPs (though unclear how that "small number" limitation will be implemented). So ask if folio_may_be_lru_cached() rather than !folio_test_large(), to insulate those particular checks from future change. Name preferred to "folio_is_batchable" because large folios can well be put on a batch: it's just the per-CPU LRU caches, drained much later, which need care. Marked for stable, to counter the increase in lru_add_drain_all()s from "mm/gup: check ref_count instead of lru before migration". Link: https://lkml.kernel.org/r/57d2eaf8-3607-f318-e0c5-be02dce61ad0@google.com Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: Hugh Dickins <hughd(a)google.com> Suggested-by: David Hildenbrand <david(a)redhat.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: Will Deacon <will(a)kernel.org> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/swap.h b/include/linux/swap.h index 2fe6ed2cc3fd..7012a0f758d8 100644 --- a/include/linux/swap.h +++ b/include/linux/swap.h @@ -385,6 +385,16 @@ void folio_add_lru_vma(struct folio *, struct vm_area_struct *); void mark_page_accessed(struct page *); void folio_mark_accessed(struct folio *); +static inline bool folio_may_be_lru_cached(struct folio *folio) +{ + /* + * Holding PMD-sized folios in per-CPU LRU cache unbalances accounting. + * Holding small numbers of low-order mTHP folios in per-CPU LRU cache + * will be sensible, but nobody has implemented and tested that yet. + */ + return !folio_test_large(folio); +} + extern atomic_t lru_disable_count; static inline bool lru_cache_disabled(void) diff --git a/mm/gup.c b/mm/gup.c index b47066a54f52..0bc4d140fc07 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2307,13 +2307,13 @@ static unsigned long collect_longterm_unpinnable_folios( continue; } - if (drained == 0 && + if (drained == 0 && folio_may_be_lru_cached(folio) && folio_ref_count(folio) != folio_expected_ref_count(folio) + 1) { lru_add_drain(); drained = 1; } - if (drained == 1 && + if (drained == 1 && folio_may_be_lru_cached(folio) && folio_ref_count(folio) != folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); diff --git a/mm/mlock.c b/mm/mlock.c index a1d93ad33c6d..bb0776f5ef7c 100644 --- a/mm/mlock.c +++ b/mm/mlock.c @@ -255,7 +255,7 @@ void mlock_folio(struct folio *folio) folio_get(folio); if (!folio_batch_add(fbatch, mlock_lru(folio)) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } @@ -278,7 +278,7 @@ void mlock_new_folio(struct folio *folio) folio_get(folio); if (!folio_batch_add(fbatch, mlock_new(folio)) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } @@ -299,7 +299,7 @@ void munlock_folio(struct folio *folio) */ folio_get(folio); if (!folio_batch_add(fbatch, folio) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } diff --git a/mm/swap.c b/mm/swap.c index 6ae2d5680574..b74ebe865dd9 100644 --- a/mm/swap.c +++ b/mm/swap.c @@ -192,7 +192,7 @@ static void __folio_batch_add_and_move(struct folio_batch __percpu *fbatch, local_lock(&cpu_fbatches.lock); if (!folio_batch_add(this_cpu_ptr(fbatch), folio) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) folio_batch_move_lru(this_cpu_ptr(fbatch), move_fn); if (disable_irq)

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: folio_may_be_lru_cached() unless folio_test_large()" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 2da6de30e60dd9bb14600eff1cc99df2fa2ddae3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092144-angler-cuddly-30db@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2da6de30e60dd9bb14600eff1cc99df2fa2ddae3 Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Mon, 8 Sep 2025 15:23:15 -0700 Subject: [PATCH] mm: folio_may_be_lru_cached() unless folio_test_large() mm/swap.c and mm/mlock.c agree to drain any per-CPU batch as soon as a large folio is added: so collect_longterm_unpinnable_folios() just wastes effort when calling lru_add_drain[_all]() on a large folio. But although there is good reason not to batch up PMD-sized folios, we might well benefit from batching a small number of low-order mTHPs (though unclear how that "small number" limitation will be implemented). So ask if folio_may_be_lru_cached() rather than !folio_test_large(), to insulate those particular checks from future change. Name preferred to "folio_is_batchable" because large folios can well be put on a batch: it's just the per-CPU LRU caches, drained much later, which need care. Marked for stable, to counter the increase in lru_add_drain_all()s from "mm/gup: check ref_count instead of lru before migration". Link: https://lkml.kernel.org/r/57d2eaf8-3607-f318-e0c5-be02dce61ad0@google.com Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: Hugh Dickins <hughd(a)google.com> Suggested-by: David Hildenbrand <david(a)redhat.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: Will Deacon <will(a)kernel.org> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/swap.h b/include/linux/swap.h index 2fe6ed2cc3fd..7012a0f758d8 100644 --- a/include/linux/swap.h +++ b/include/linux/swap.h @@ -385,6 +385,16 @@ void folio_add_lru_vma(struct folio *, struct vm_area_struct *); void mark_page_accessed(struct page *); void folio_mark_accessed(struct folio *); +static inline bool folio_may_be_lru_cached(struct folio *folio) +{ + /* + * Holding PMD-sized folios in per-CPU LRU cache unbalances accounting. + * Holding small numbers of low-order mTHP folios in per-CPU LRU cache + * will be sensible, but nobody has implemented and tested that yet. + */ + return !folio_test_large(folio); +} + extern atomic_t lru_disable_count; static inline bool lru_cache_disabled(void) diff --git a/mm/gup.c b/mm/gup.c index b47066a54f52..0bc4d140fc07 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2307,13 +2307,13 @@ static unsigned long collect_longterm_unpinnable_folios( continue; } - if (drained == 0 && + if (drained == 0 && folio_may_be_lru_cached(folio) && folio_ref_count(folio) != folio_expected_ref_count(folio) + 1) { lru_add_drain(); drained = 1; } - if (drained == 1 && + if (drained == 1 && folio_may_be_lru_cached(folio) && folio_ref_count(folio) != folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); diff --git a/mm/mlock.c b/mm/mlock.c index a1d93ad33c6d..bb0776f5ef7c 100644 --- a/mm/mlock.c +++ b/mm/mlock.c @@ -255,7 +255,7 @@ void mlock_folio(struct folio *folio) folio_get(folio); if (!folio_batch_add(fbatch, mlock_lru(folio)) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } @@ -278,7 +278,7 @@ void mlock_new_folio(struct folio *folio) folio_get(folio); if (!folio_batch_add(fbatch, mlock_new(folio)) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } @@ -299,7 +299,7 @@ void munlock_folio(struct folio *folio) */ folio_get(folio); if (!folio_batch_add(fbatch, folio) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } diff --git a/mm/swap.c b/mm/swap.c index 6ae2d5680574..b74ebe865dd9 100644 --- a/mm/swap.c +++ b/mm/swap.c @@ -192,7 +192,7 @@ static void __folio_batch_add_and_move(struct folio_batch __percpu *fbatch, local_lock(&cpu_fbatches.lock); if (!folio_batch_add(this_cpu_ptr(fbatch), folio) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) folio_batch_move_lru(this_cpu_ptr(fbatch), move_fn); if (disable_irq)

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: folio_may_be_lru_cached() unless folio_test_large()" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 2da6de30e60dd9bb14600eff1cc99df2fa2ddae3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092143-defrost-backboned-d1ea@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2da6de30e60dd9bb14600eff1cc99df2fa2ddae3 Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Mon, 8 Sep 2025 15:23:15 -0700 Subject: [PATCH] mm: folio_may_be_lru_cached() unless folio_test_large() mm/swap.c and mm/mlock.c agree to drain any per-CPU batch as soon as a large folio is added: so collect_longterm_unpinnable_folios() just wastes effort when calling lru_add_drain[_all]() on a large folio. But although there is good reason not to batch up PMD-sized folios, we might well benefit from batching a small number of low-order mTHPs (though unclear how that "small number" limitation will be implemented). So ask if folio_may_be_lru_cached() rather than !folio_test_large(), to insulate those particular checks from future change. Name preferred to "folio_is_batchable" because large folios can well be put on a batch: it's just the per-CPU LRU caches, drained much later, which need care. Marked for stable, to counter the increase in lru_add_drain_all()s from "mm/gup: check ref_count instead of lru before migration". Link: https://lkml.kernel.org/r/57d2eaf8-3607-f318-e0c5-be02dce61ad0@google.com Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: Hugh Dickins <hughd(a)google.com> Suggested-by: David Hildenbrand <david(a)redhat.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: Will Deacon <will(a)kernel.org> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/swap.h b/include/linux/swap.h index 2fe6ed2cc3fd..7012a0f758d8 100644 --- a/include/linux/swap.h +++ b/include/linux/swap.h @@ -385,6 +385,16 @@ void folio_add_lru_vma(struct folio *, struct vm_area_struct *); void mark_page_accessed(struct page *); void folio_mark_accessed(struct folio *); +static inline bool folio_may_be_lru_cached(struct folio *folio) +{ + /* + * Holding PMD-sized folios in per-CPU LRU cache unbalances accounting. + * Holding small numbers of low-order mTHP folios in per-CPU LRU cache + * will be sensible, but nobody has implemented and tested that yet. + */ + return !folio_test_large(folio); +} + extern atomic_t lru_disable_count; static inline bool lru_cache_disabled(void) diff --git a/mm/gup.c b/mm/gup.c index b47066a54f52..0bc4d140fc07 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2307,13 +2307,13 @@ static unsigned long collect_longterm_unpinnable_folios( continue; } - if (drained == 0 && + if (drained == 0 && folio_may_be_lru_cached(folio) && folio_ref_count(folio) != folio_expected_ref_count(folio) + 1) { lru_add_drain(); drained = 1; } - if (drained == 1 && + if (drained == 1 && folio_may_be_lru_cached(folio) && folio_ref_count(folio) != folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); diff --git a/mm/mlock.c b/mm/mlock.c index a1d93ad33c6d..bb0776f5ef7c 100644 --- a/mm/mlock.c +++ b/mm/mlock.c @@ -255,7 +255,7 @@ void mlock_folio(struct folio *folio) folio_get(folio); if (!folio_batch_add(fbatch, mlock_lru(folio)) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } @@ -278,7 +278,7 @@ void mlock_new_folio(struct folio *folio) folio_get(folio); if (!folio_batch_add(fbatch, mlock_new(folio)) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } @@ -299,7 +299,7 @@ void munlock_folio(struct folio *folio) */ folio_get(folio); if (!folio_batch_add(fbatch, folio) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } diff --git a/mm/swap.c b/mm/swap.c index 6ae2d5680574..b74ebe865dd9 100644 --- a/mm/swap.c +++ b/mm/swap.c @@ -192,7 +192,7 @@ static void __folio_batch_add_and_move(struct folio_batch __percpu *fbatch, local_lock(&cpu_fbatches.lock); if (!folio_batch_add(this_cpu_ptr(fbatch), folio) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) folio_batch_move_lru(this_cpu_ptr(fbatch), move_fn); if (disable_irq)

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm/gup: check ref_count instead of lru before migration" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 98c6d259319ecf6e8d027abd3f14b81324b8c0ad # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092156-candied-rogue-bf08@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 98c6d259319ecf6e8d027abd3f14b81324b8c0ad Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Mon, 8 Sep 2025 15:15:03 -0700 Subject: [PATCH] mm/gup: check ref_count instead of lru before migration Patch series "mm: better GUP pin lru_add_drain_all()", v2. Series of lru_add_drain_all()-related patches, arising from recent mm/gup migration report from Will Deacon. This patch (of 5): Will Deacon reports:- When taking a longterm GUP pin via pin_user_pages(), __gup_longterm_locked() tries to migrate target folios that should not be longterm pinned, for example because they reside in a CMA region or movable zone. This is done by first pinning all of the target folios anyway, collecting all of the longterm-unpinnable target folios into a list, dropping the pins that were just taken and finally handing the list off to migrate_pages() for the actual migration. It is critically important that no unexpected references are held on the folios being migrated, otherwise the migration will fail and pin_user_pages() will return -ENOMEM to its caller. Unfortunately, it is relatively easy to observe migration failures when running pKVM (which uses pin_user_pages() on crosvm's virtual address space to resolve stage-2 page faults from the guest) on a 6.15-based Pixel 6 device and this results in the VM terminating prematurely. In the failure case, 'crosvm' has called mlock(MLOCK_ONFAULT) on its mapping of guest memory prior to the pinning. Subsequently, when pin_user_pages() walks the page-table, the relevant 'pte' is not present and so the faulting logic allocates a new folio, mlocks it with mlock_folio() and maps it in the page-table. Since commit 2fbb0c10d1e8 ("mm/munlock: mlock_page() munlock_page() batch by pagevec"), mlock/munlock operations on a folio (formerly page), are deferred. For example, mlock_folio() takes an additional reference on the target folio before placing it into a per-cpu 'folio_batch' for later processing by mlock_folio_batch(), which drops the refcount once the operation is complete. Processing of the batches is coupled with the LRU batch logic and can be forcefully drained with lru_add_drain_all() but as long as a folio remains unprocessed on the batch, its refcount will be elevated. This deferred batching therefore interacts poorly with the pKVM pinning scenario as we can find ourselves in a situation where the migration code fails to migrate a folio due to the elevated refcount from the pending mlock operation. Hugh Dickins adds:- !folio_test_lru() has never been a very reliable way to tell if an lru_add_drain_all() is worth calling, to remove LRU cache references to make the folio migratable: the LRU flag may be set even while the folio is held with an extra reference in a per-CPU LRU cache. 5.18 commit 2fbb0c10d1e8 may have made it more unreliable. Then 6.11 commit 33dfe9204f29 ("mm/gup: clear the LRU flag of a page before adding to LRU batch") tried to make it reliable, by moving LRU flag clearing; but missed the mlock/munlock batches, so still unreliable as reported. And it turns out to be difficult to extend 33dfe9204f29's LRU flag clearing to the mlock/munlock batches: if they do benefit from batching, mlock/munlock cannot be so effective when easily suppressed while !LRU. Instead, switch to an expected ref_count check, which was more reliable all along: some more false positives (unhelpful drains) than before, and never a guarantee that the folio will prove migratable, but better. Note on PG_private_2: ceph and nfs are still using the deprecated PG_private_2 flag, with the aid of netfs and filemap support functions. Although it is consistently matched by an increment of folio ref_count, folio_expected_ref_count() intentionally does not recognize it, and ceph folio migration currently depends on that for PG_private_2 folios to be rejected. New references to the deprecated flag are discouraged, so do not add it into the collect_longterm_unpinnable_folios() calculation: but longterm pinning of transiently PG_private_2 ceph and nfs folios (an uncommon case) may invoke a redundant lru_add_drain_all(). And this makes easy the backport to earlier releases: up to and including 6.12, btrfs also used PG_private_2, but without a ref_count increment. Note for stable backports: requires 6.16 commit 86ebd50224c0 ("mm: add folio_expected_ref_count() for reference count calculation"). Link: https://lkml.kernel.org/r/41395944-b0e3-c3ac-d648-8ddd70451d28@google.com Link: https://lkml.kernel.org/r/bd1f314a-fca1-8f19-cac0-b936c9614557@google.com Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: Hugh Dickins <hughd(a)google.com> Reported-by: Will Deacon <will(a)kernel.org> Closes: https://lore.kernel.org/linux-mm/20250815101858.24352-1-will@kernel.org/ Acked-by: Kiryl Shutsemau <kas(a)kernel.org> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/gup.c b/mm/gup.c index adffe663594d..82aec6443c0a 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2307,7 +2307,8 @@ static unsigned long collect_longterm_unpinnable_folios( continue; } - if (!folio_test_lru(folio) && drain_allow) { + if (drain_allow && folio_ref_count(folio) != + folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); drain_allow = false; }

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm/gup: check ref_count instead of lru before migration" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 98c6d259319ecf6e8d027abd3f14b81324b8c0ad # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092154-canon-user-98b7@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 98c6d259319ecf6e8d027abd3f14b81324b8c0ad Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Mon, 8 Sep 2025 15:15:03 -0700 Subject: [PATCH] mm/gup: check ref_count instead of lru before migration Patch series "mm: better GUP pin lru_add_drain_all()", v2. Series of lru_add_drain_all()-related patches, arising from recent mm/gup migration report from Will Deacon. This patch (of 5): Will Deacon reports:- When taking a longterm GUP pin via pin_user_pages(), __gup_longterm_locked() tries to migrate target folios that should not be longterm pinned, for example because they reside in a CMA region or movable zone. This is done by first pinning all of the target folios anyway, collecting all of the longterm-unpinnable target folios into a list, dropping the pins that were just taken and finally handing the list off to migrate_pages() for the actual migration. It is critically important that no unexpected references are held on the folios being migrated, otherwise the migration will fail and pin_user_pages() will return -ENOMEM to its caller. Unfortunately, it is relatively easy to observe migration failures when running pKVM (which uses pin_user_pages() on crosvm's virtual address space to resolve stage-2 page faults from the guest) on a 6.15-based Pixel 6 device and this results in the VM terminating prematurely. In the failure case, 'crosvm' has called mlock(MLOCK_ONFAULT) on its mapping of guest memory prior to the pinning. Subsequently, when pin_user_pages() walks the page-table, the relevant 'pte' is not present and so the faulting logic allocates a new folio, mlocks it with mlock_folio() and maps it in the page-table. Since commit 2fbb0c10d1e8 ("mm/munlock: mlock_page() munlock_page() batch by pagevec"), mlock/munlock operations on a folio (formerly page), are deferred. For example, mlock_folio() takes an additional reference on the target folio before placing it into a per-cpu 'folio_batch' for later processing by mlock_folio_batch(), which drops the refcount once the operation is complete. Processing of the batches is coupled with the LRU batch logic and can be forcefully drained with lru_add_drain_all() but as long as a folio remains unprocessed on the batch, its refcount will be elevated. This deferred batching therefore interacts poorly with the pKVM pinning scenario as we can find ourselves in a situation where the migration code fails to migrate a folio due to the elevated refcount from the pending mlock operation. Hugh Dickins adds:- !folio_test_lru() has never been a very reliable way to tell if an lru_add_drain_all() is worth calling, to remove LRU cache references to make the folio migratable: the LRU flag may be set even while the folio is held with an extra reference in a per-CPU LRU cache. 5.18 commit 2fbb0c10d1e8 may have made it more unreliable. Then 6.11 commit 33dfe9204f29 ("mm/gup: clear the LRU flag of a page before adding to LRU batch") tried to make it reliable, by moving LRU flag clearing; but missed the mlock/munlock batches, so still unreliable as reported. And it turns out to be difficult to extend 33dfe9204f29's LRU flag clearing to the mlock/munlock batches: if they do benefit from batching, mlock/munlock cannot be so effective when easily suppressed while !LRU. Instead, switch to an expected ref_count check, which was more reliable all along: some more false positives (unhelpful drains) than before, and never a guarantee that the folio will prove migratable, but better. Note on PG_private_2: ceph and nfs are still using the deprecated PG_private_2 flag, with the aid of netfs and filemap support functions. Although it is consistently matched by an increment of folio ref_count, folio_expected_ref_count() intentionally does not recognize it, and ceph folio migration currently depends on that for PG_private_2 folios to be rejected. New references to the deprecated flag are discouraged, so do not add it into the collect_longterm_unpinnable_folios() calculation: but longterm pinning of transiently PG_private_2 ceph and nfs folios (an uncommon case) may invoke a redundant lru_add_drain_all(). And this makes easy the backport to earlier releases: up to and including 6.12, btrfs also used PG_private_2, but without a ref_count increment. Note for stable backports: requires 6.16 commit 86ebd50224c0 ("mm: add folio_expected_ref_count() for reference count calculation"). Link: https://lkml.kernel.org/r/41395944-b0e3-c3ac-d648-8ddd70451d28@google.com Link: https://lkml.kernel.org/r/bd1f314a-fca1-8f19-cac0-b936c9614557@google.com Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: Hugh Dickins <hughd(a)google.com> Reported-by: Will Deacon <will(a)kernel.org> Closes: https://lore.kernel.org/linux-mm/20250815101858.24352-1-will@kernel.org/ Acked-by: Kiryl Shutsemau <kas(a)kernel.org> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/gup.c b/mm/gup.c index adffe663594d..82aec6443c0a 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2307,7 +2307,8 @@ static unsigned long collect_longterm_unpinnable_folios( continue; } - if (!folio_test_lru(folio) && drain_allow) { + if (drain_allow && folio_ref_count(folio) != + folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); drain_allow = false; }

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm/gup: check ref_count instead of lru before migration" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 98c6d259319ecf6e8d027abd3f14b81324b8c0ad # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092152-bobtail-scarring-ffff@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 98c6d259319ecf6e8d027abd3f14b81324b8c0ad Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Mon, 8 Sep 2025 15:15:03 -0700 Subject: [PATCH] mm/gup: check ref_count instead of lru before migration Patch series "mm: better GUP pin lru_add_drain_all()", v2. Series of lru_add_drain_all()-related patches, arising from recent mm/gup migration report from Will Deacon. This patch (of 5): Will Deacon reports:- When taking a longterm GUP pin via pin_user_pages(), __gup_longterm_locked() tries to migrate target folios that should not be longterm pinned, for example because they reside in a CMA region or movable zone. This is done by first pinning all of the target folios anyway, collecting all of the longterm-unpinnable target folios into a list, dropping the pins that were just taken and finally handing the list off to migrate_pages() for the actual migration. It is critically important that no unexpected references are held on the folios being migrated, otherwise the migration will fail and pin_user_pages() will return -ENOMEM to its caller. Unfortunately, it is relatively easy to observe migration failures when running pKVM (which uses pin_user_pages() on crosvm's virtual address space to resolve stage-2 page faults from the guest) on a 6.15-based Pixel 6 device and this results in the VM terminating prematurely. In the failure case, 'crosvm' has called mlock(MLOCK_ONFAULT) on its mapping of guest memory prior to the pinning. Subsequently, when pin_user_pages() walks the page-table, the relevant 'pte' is not present and so the faulting logic allocates a new folio, mlocks it with mlock_folio() and maps it in the page-table. Since commit 2fbb0c10d1e8 ("mm/munlock: mlock_page() munlock_page() batch by pagevec"), mlock/munlock operations on a folio (formerly page), are deferred. For example, mlock_folio() takes an additional reference on the target folio before placing it into a per-cpu 'folio_batch' for later processing by mlock_folio_batch(), which drops the refcount once the operation is complete. Processing of the batches is coupled with the LRU batch logic and can be forcefully drained with lru_add_drain_all() but as long as a folio remains unprocessed on the batch, its refcount will be elevated. This deferred batching therefore interacts poorly with the pKVM pinning scenario as we can find ourselves in a situation where the migration code fails to migrate a folio due to the elevated refcount from the pending mlock operation. Hugh Dickins adds:- !folio_test_lru() has never been a very reliable way to tell if an lru_add_drain_all() is worth calling, to remove LRU cache references to make the folio migratable: the LRU flag may be set even while the folio is held with an extra reference in a per-CPU LRU cache. 5.18 commit 2fbb0c10d1e8 may have made it more unreliable. Then 6.11 commit 33dfe9204f29 ("mm/gup: clear the LRU flag of a page before adding to LRU batch") tried to make it reliable, by moving LRU flag clearing; but missed the mlock/munlock batches, so still unreliable as reported. And it turns out to be difficult to extend 33dfe9204f29's LRU flag clearing to the mlock/munlock batches: if they do benefit from batching, mlock/munlock cannot be so effective when easily suppressed while !LRU. Instead, switch to an expected ref_count check, which was more reliable all along: some more false positives (unhelpful drains) than before, and never a guarantee that the folio will prove migratable, but better. Note on PG_private_2: ceph and nfs are still using the deprecated PG_private_2 flag, with the aid of netfs and filemap support functions. Although it is consistently matched by an increment of folio ref_count, folio_expected_ref_count() intentionally does not recognize it, and ceph folio migration currently depends on that for PG_private_2 folios to be rejected. New references to the deprecated flag are discouraged, so do not add it into the collect_longterm_unpinnable_folios() calculation: but longterm pinning of transiently PG_private_2 ceph and nfs folios (an uncommon case) may invoke a redundant lru_add_drain_all(). And this makes easy the backport to earlier releases: up to and including 6.12, btrfs also used PG_private_2, but without a ref_count increment. Note for stable backports: requires 6.16 commit 86ebd50224c0 ("mm: add folio_expected_ref_count() for reference count calculation"). Link: https://lkml.kernel.org/r/41395944-b0e3-c3ac-d648-8ddd70451d28@google.com Link: https://lkml.kernel.org/r/bd1f314a-fca1-8f19-cac0-b936c9614557@google.com Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: Hugh Dickins <hughd(a)google.com> Reported-by: Will Deacon <will(a)kernel.org> Closes: https://lore.kernel.org/linux-mm/20250815101858.24352-1-will@kernel.org/ Acked-by: Kiryl Shutsemau <kas(a)kernel.org> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/gup.c b/mm/gup.c index adffe663594d..82aec6443c0a 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2307,7 +2307,8 @@ static unsigned long collect_longterm_unpinnable_folios( continue; } - if (!folio_test_lru(folio) && drain_allow) { + if (drain_allow && folio_ref_count(folio) != + folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); drain_allow = false; }

1 month, 2 weeks

1
0
0 0

[PATCH] ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()

by Ma Ke

wcd934x_codec_parse_data() contains a device reference count leak in of_slim_get_device() where device_find_child() increases the reference count of the device but this reference is not properly decreased in the success path. Add put_device() in wcd934x_codec_parse_data(), which ensures that the reference count of the device is correctly managed. Calling path: of_slim_get_device() -> of_find_slim_device() -> device_find_child(). As comment of device_find_child() says, 'NOTE: you will need to drop the reference with put_device() after use.'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: a61f3b4f476e ("ASoC: wcd934x: add support to wcd9340/wcd9341 codec") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- sound/soc/codecs/wcd934x.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sound/soc/codecs/wcd934x.c b/sound/soc/codecs/wcd934x.c index 1bb7e1dc7e6b..9ffa65329934 100644 --- a/sound/soc/codecs/wcd934x.c +++ b/sound/soc/codecs/wcd934x.c @@ -5849,10 +5849,13 @@ static int wcd934x_codec_parse_data(struct wcd934x_codec *wcd) slim_get_logical_addr(wcd->sidev); wcd->if_regmap = regmap_init_slimbus(wcd->sidev, &wcd934x_ifc_regmap_config); - if (IS_ERR(wcd->if_regmap)) + if (IS_ERR(wcd->if_regmap)) { + put_device(&wcd->sidev->dev); return dev_err_probe(dev, PTR_ERR(wcd->if_regmap), "Failed to allocate ifc register map\n"); + } + put_device(&wcd->sidev->dev); of_property_read_u32(dev->parent->of_node, "qcom,dmic-sample-rate", &wcd->dmic_sample_rate); -- 2.17.1

1 month, 2 weeks

2
1
0 0

[PATCH v2] RDMA/rxe: Fix race in do_task() when draining

by Gui-Dong Han

When do_task() exhausts its iteration budget (!ret), it sets the state to TASK_STATE_IDLE to reschedule, without a secondary check on the current task->state. This can overwrite the TASK_STATE_DRAINING state set by a concurrent call to rxe_cleanup_task() or rxe_disable_task(). While state changes are protected by a spinlock, both rxe_cleanup_task() and rxe_disable_task() release the lock while waiting for the task to finish draining in the while(!is_done(task)) loop. The race occurs if do_task() hits its iteration limit and acquires the lock in this window. The cleanup logic may then proceed while the task incorrectly reschedules itself, leading to a potential use-after-free. This bug was introduced during the migration from tasklets to workqueues, where the special handling for the draining case was lost. Fix this by restoring the original pre-migration behavior. If the state is TASK_STATE_DRAINING when iterations are exhausted, set cont to 1 to force a new loop iteration. This allows the task to finish its work, so that a subsequent iteration can reach the switch statement and correctly transition the state to TASK_STATE_DRAINED, stopping the task as intended. Fixes: 9b4b7c1f9f54 ("RDMA/rxe: Add workqueue support for rxe tasks") Cc: stable(a)vger.kernel.org Reviewed-by: Zhu Yanjun <yanjun.zhu(a)linux.dev> Signed-off-by: Gui-Dong Han <hanguidong02(a)gmail.com> --- v2: * Rewrite commit message for clarity. Thanks to Zhu Yanjun for the review. --- drivers/infiniband/sw/rxe/rxe_task.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/infiniband/sw/rxe/rxe_task.c b/drivers/infiniband/sw/rxe/rxe_task.c index 6f8f353e9583..f522820b950c 100644 --- a/drivers/infiniband/sw/rxe/rxe_task.c +++ b/drivers/infiniband/sw/rxe/rxe_task.c @@ -132,8 +132,12 @@ static void do_task(struct rxe_task *task) * yield the cpu and reschedule the task */ if (!ret) { - task->state = TASK_STATE_IDLE; - resched = 1; + if (task->state != TASK_STATE_DRAINING) { + task->state = TASK_STATE_IDLE; + resched = 1; + } else { + cont = 1; + } goto exit; } -- 2.25.1

1 month, 2 weeks

3
3
0 0

Fwd: [Bug 220457] Using -march=native on linux 6.16.1 causes: can't find jump dest instruction error.

by SMF Linux

https://bugzilla.kernel.org/show_bug.cgi?id=220457 Refined my work around to: KBUILD_CFLAGS += -march=native -mno-tbm KBUILD_RUSTFLAGS += -Ctarget-cpu=native Ctarget-feature=-tbm

1 month, 2 weeks

1
0
0 0

[PATCH] irqchip/sifive-plic: avoid interrupt ID 0 handling during suspend/resume

by Lucas Zampieri

To: linux-kernel(a)vger.kernel.org Cc: Paul Walmsley <paul.walmsley(a)sifive.com> Cc: Samuel Holland <samuel.holland(a)sifive.com> Cc: stable(a)vger.kernel.org Cc: linux-riscv(a)lists.infradead.org Cc: Thomas Gleixner <tglx(a)linutronix.de> According to the PLIC specification[1], global interrupt sources are assigned small unsigned integer identifiers beginning at the value 1. An interrupt ID of 0 is reserved to mean "no interrupt". The current plic_irq_resume() and plic_irq_suspend() functions incorrectly starts the loop from index 0, which could access the reserved interrupt ID 0 register space. This fix changes the loop to start from index 1, skipping the reserved interrupt ID 0 as per the PLIC specification. This prevents potential undefined behavior when accessing the reserved register space during suspend/resume cycles. Fixes: e80f0b6a2cf3 ("irqchip/irq-sifive-plic: Add syscore callbacks for hibernation") Co-developed-by: Jia Wang <wangjia(a)ultrarisc.com> Signed-off-by: Jia Wang <wangjia(a)ultrarisc.com> Signed-off-by: Lucas Zampieri <lzampier(a)redhat.com> [1] https://github.com/riscv/riscv-plic-spec/releases/tag/1.0.0 --- drivers/irqchip/irq-sifive-plic.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/irqchip/irq-sifive-plic.c b/drivers/irqchip/irq-sifive-plic.c index bf69a4802b71..1c2b4d2575ac 100644 --- a/drivers/irqchip/irq-sifive-plic.c +++ b/drivers/irqchip/irq-sifive-plic.c @@ -252,7 +252,7 @@ static int plic_irq_suspend(void) priv = per_cpu_ptr(&plic_handlers, smp_processor_id())->priv; - for (i = 0; i < priv->nr_irqs; i++) { + for (i = 1; i < priv->nr_irqs; i++) { __assign_bit(i, priv->prio_save, readl(priv->regs + PRIORITY_BASE + i * PRIORITY_PER_ID)); } @@ -283,7 +283,7 @@ static void plic_irq_resume(void) priv = per_cpu_ptr(&plic_handlers, smp_processor_id())->priv; - for (i = 0; i < priv->nr_irqs; i++) { + for (i = 1; i < priv->nr_irqs; i++) { index = BIT_WORD(i); writel((priv->prio_save[index] & BIT_MASK(i)) ? 1 : 0, priv->regs + PRIORITY_BASE + i * PRIORITY_PER_ID); -- 2.51.0

1 month, 2 weeks

2
1
0 0

New September Order. 02318 Sunday, September 21, 2025 at 06:25:09 AM

by Info - Albinayah 086

Hi Stable, Please provide a quote for your products: Include: 1.Pricing (per unit) 2.Delivery cost & timeline 3.Quote expiry date Deadline: September Thanks! Kamal Prasad Albinayah Trading

1 month, 2 weeks

1
0
0 0

Qualcomm Snapdragon <SM6375>

by Alan Ye

The Qualcomm SM6375 processor is a 7nm process SoC for the mid-range market with the following features: CPU: Eight-core design, including high-performance Kryo 670 core and efficient Kryo 265 core, optimized performance and energy efficiency. GPU: Equipped with Adreno 642L GPU, supporting high-quality graphics and gaming experience. AI Engine: Integrated Qualcomm AI engine to enhance intelligent features such as voice recognition and image processing. Connectivity: Supports modern wireless standards such as 5G, Wi-Fi 6 and Bluetooth 5.2. Multimedia: Supports 4K video encoding and decoding Mainly used in mid-to-high-end smartphones, tablets and some IoT devices, suitable for users who need to balance cost performance and performance. .# Part Number Manufacturer Date Code Quantity Unit Price Lead Time Condition (PCS) USD/Each one 1 SM-6375-1-PSP837-TR-00-0-AB QUALCOMM 2023+ 12000pcs US$18.00/pcs 7days New & original - stock 2 PM-6375-0-FOWNSP144-TR-01-0；TR-01-1 QUALCOMM 2023+ 12000pcs US$1.00/pcs 3 PMR-735A-0-WLNSP48-TR-05-0,TR-05-1 QUALCOMM 2023+ 12000pcs US$0.85/pcs 4 PMK-8003-0-FOWPSP36-TR-01-0 QUALCOMM 2023+ 12000pcs US$0.24/pcs 5 SDR-735-0-PSP219B-TR-01-0；TR-01-1 QUALCOMM 2023+ 12000pcs US$2.50/pcs 6 WCD-9370-0-WLPSP55-TR-01-0;TR-01-4 QUALCOMM 2023+ 12000pcs US$0.50/pcs 7 WCN-3988-0-82BWLPSP-TR-00-0 QUALCOMM 2023+ 12000pcs US$3.50/pcs 8 QET-6105-0-WLNSP24B-TR-00-1 QUALCOMM 2023+ 12000pcs US$1.20/pcs 9 QET4101-0-12WLNSP-TR-00-0 QUALCOMM 2022+ 12000pcs US$0.21/pcs These materials are sold as a set for $28/usd, and are guaranteed to be authentic. If you need other Qualcomm materials, please feel free to contact me Stay in tune with product evolutions—tap . Keep Receiving Notices Feel like taking a break? Select Configure Your Mailing.

1 month, 2 weeks

1
0
0 0

Elpat Loan Promotional Offer at 5% interest rate Apply now!!

by Elpat Finance Loan

Good Day, Elpat Financial Services is here to support the SME market across South Africa with fast, affordable funding— no credit checks required. We offer: 1. Business Loans – Up to R10 million, approved within 72 hours. 2. Personal Loans – Up to R5 million, approved within 48 hours. 3. Home, Farmers & Construction Loans – Up to R20 million, approved within 3–5 working days. As a trusted financial partner, we have already helped many businesses—whether you’re self-employed, a contractor, retailer, restaurant owner, engineer, cleaning service, child-care provider, or web designer. Your time is valuable, and our goal is to provide flexible finance that works with your cash flow needs. That’s why we cut out the red tape: no branches, no queues, no endless paperwork. Just quick, reliable access to the funding you need to grow. How to Apply: * Prepare the required documents * Please submit your application via email to [ mailto:applycashloan@elaptfinanceloan.co.za | applycashloan @ elaptfinanceloan.co.za ] . For a quicker response, you may also send it directly to [ mailto:helpdeskelephantloan@outlook.com | helpdeskelephantloan @ outlook.com ] TO APPLY KINDLY SEND 1. A clear copy of your valid ID 2. Pay Slip OR 3 Months Bank Statement 3. Cell No. / Office No................... 4. Whatsapp No (Optional).................. 5. Email............... 6. Loan Amount........................ ...... NOTE : (minimum loan amount R50,000.00 to R50,000,000.00 ) only. 7. Loan Repayment Duration............... 8. Loan Type.......................... .... 5% Repayment Schedule Table for Guide to Application Loan Amount Duration (Year) Repayment Period Loan Amount Duration (Year) Repayment Period Loan Amount Duration (Year) Repayment Period R 50,000 2 R2, 193.57 R 50,000 3 R1, 498.54 R 50,000 5 R 943.56 R 100,000 3 R2, 997.09 R 100,000 4 R2, 302.93 R 100,000 6 R1,610.49 R 150,000 3 R 4,495.63 R150,000 5 R2, 830.69 R150,000 7 R2,120.09 R 300,000 4 R 6,908.79 R 300,000 6 R 4,831.48 R 300,000 8 R3,797.98 R 400,000 5 R 7,548.49 R 400,000 7 R 5,653.56 R 400,000 9 R4,606.91 R 600,000 6 R9, 662.96 R 600,000 8 R 7,595.95 R 600,000 10 R6,363.93 R 800,000 7 R11,307.13 R 800,000 9 R 9,213.82 R 800,000 11 R7,891.59 R1,000,000 8 R12,659.92 R1,000,000 10 R10,606.55 R1,000,000 12 R9,248.90 Please Note: * Loan amounts range from R50,000.00 to R20,000,000.00 . Kindly indicate the amount you are applying for in your application. * Credit decision within 24–48 hours. * Funds available in your account within 24–48 hours of approval. * Fast and hassle-free process. * Free monthly statements sent directly to your email. * Customer Protection Insurance included for your peace of mind. * Immediate access to funds once transferred. For quick assistance, you can reach us via WhatsApp: +27 (0)63 348 1211 Or call us directly on +27 (0)635725001 for more information. Thanks for Choosing Direct Elpat Financial Services Elpat Financial Services Loan adviser Louw Anita (Mrs) [ mailto:applycashloan@elaptfinanceloan.co.za | applycashloan @ elaptfinanceloan.co.za ] Tel: +27 (0) 61015588 Elpat Financial Services - 43 Long street, cape town city centre cape town 800 south Africa, Cape Town. And Our Direct Connection to Financial Services. Registered Credit Provider. Elpat Financial Services SA (Pty) Ltd (Registration No 2015/085124/07 / NCRCP/119387 is an authorised Financial Services Provider. © Copyright 2025

1 month, 2 weeks

1
0
0 0

[PATCH v2] mm/damon/sysfs: do not ignore callback's return value in damon_sysfs_damon_call()

by Akinobu Mita

The callback return value is ignored in damon_sysfs_damon_call(), which means that it is not possible to detect invalid user input when writing commands such as 'commit' to /sys/kernel/mm/damon/admin/kdamonds/<K>/state. Fix it. Signed-off-by: Akinobu Mita <akinobu.mita(a)gmail.com> Fixes: f64539dcdb87 ("mm/damon/sysfs: use damon_call() for update_schemes_stats") Cc: <stable(a)vger.kernel.org> # v6.14.x Reviewed-by: SeongJae Park <sj(a)kernel.org> --- mm/damon/sysfs.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/mm/damon/sysfs.c b/mm/damon/sysfs.c index fe4e73d0ebbb..3ffe3a77b5db 100644 --- a/mm/damon/sysfs.c +++ b/mm/damon/sysfs.c @@ -1627,12 +1627,14 @@ static int damon_sysfs_damon_call(int (*fn)(void *data), struct damon_sysfs_kdamond *kdamond) { struct damon_call_control call_control = {}; + int err; if (!kdamond->damon_ctx) return -EINVAL; call_control.fn = fn; call_control.data = kdamond; - return damon_call(kdamond->damon_ctx, &call_control); + err = damon_call(kdamond->damon_ctx, &call_control); + return err ? err : call_control.return_code; } struct damon_sysfs_schemes_walk_data { -- 2.43.0

1 month, 2 weeks

1
0
0 0

[PATCH v2] crypto: aspeed - Fix dma_unmap_sg() direction

by Thomas Fourier

It seems like everywhere in this file, when the request is not bidirectionala, req->src is mapped with DMA_TO_DEVICE and req->dst is mapped with DMA_FROM_DEVICE. Fixes: 62f58b1637b7 ("crypto: aspeed - add HACE crypto driver") Cc: <stable(a)vger.kernel.org> Signed-off-by: Thomas Fourier <fourier.thomas(a)gmail.com> --- v1->v2: - fix confusion between dst and src in commit message drivers/crypto/aspeed/aspeed-hace-crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/crypto/aspeed/aspeed-hace-crypto.c b/drivers/crypto/aspeed/aspeed-hace-crypto.c index a72dfebc53ff..fa201dae1f81 100644 --- a/drivers/crypto/aspeed/aspeed-hace-crypto.c +++ b/drivers/crypto/aspeed/aspeed-hace-crypto.c @@ -346,7 +346,7 @@ static int aspeed_sk_start_sg(struct aspeed_hace_dev *hace_dev) } else { dma_unmap_sg(hace_dev->dev, req->dst, rctx->dst_nents, - DMA_TO_DEVICE); + DMA_FROM_DEVICE); dma_unmap_sg(hace_dev->dev, req->src, rctx->src_nents, DMA_TO_DEVICE); } -- 2.43.0

1 month, 2 weeks

2
1
0 0

Website Development, Mobile Apps & more.

by Bard India

Greetings!! We are a 24+ yr old high tech Web Development firm with presence of over 18+ yrs in Mauritius; partners of RV Tec hAdvisora Ltd and headquartered in India We have catered to over 7000 customers. You may visit https://www.mirackle.com for more information about our company. We create designs that help businesses and individuals attract and engage readers. We work with all the latest technologies. We are Authorized Google Workspace Reseller Partner for Asia Pacific region including Mauritius. Our Services: Domain Registrations, Web hosting, Google Workspace, Mobile Responsive Website Designing, Wordpress Websites, Mobile Apps, Web Apps, E-commerce websites, Google Ads, SEO, Catalogue design & affiliated services We create beautiful designs. Our brief website portfolio: http://www.mirackle.com/portfolio.html Note: We are also looking for tie-ups with IT/Web design cos. who would want to outsource work for high end Websites/Mobile APP requirements etc. We have a team of highly skilled php coders who can cater to any complex requirement. Get in touch with to get the best prices & offers India Whatsapp: +91 9323272846 / 9323551195; Mauritius WharsApp: +230 5758 5497; Email: business(a)mirackle.com ; Web: http://www.mirackle.com Regards, Nishith Patel

1 month, 2 weeks

1
0
0 0

[PATCH 0/2] Fix riscv sparse warnings

by Alexandre Ghiti

This series simply fixes 2 recently introduced sparse warnings. Signed-off-by: Alexandre Ghiti <alexghiti(a)rivosinc.com> --- Alexandre Ghiti (2): riscv: Fix sparse warning in __get_user_error() riscv: Fix sparse warning about different address spaces arch/riscv/include/asm/uaccess.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- base-commit: ae9a687664d965b13eeab276111b2f97dd02e090 change-id: 20250903-dev-alex-sparse_warnings_v1-ecb4a333afdd Best regards, -- Alexandre Ghiti <alexghiti(a)rivosinc.com>

1 month, 2 weeks

5
11
0 0

[PATCH 5.15.y] mptcp: set remote_deny_join_id0 on SYN recv

by Matthieu Baerts (NGI0)

commit 96939cec994070aa5df852c10fad5fc303a97ea3 upstream. When a SYN containing the 'C' flag (deny join id0) was received, this piece of information was not propagated to the path-manager. Even if this flag is mainly set on the server side, a client can also tell the server it cannot try to establish new subflows to the client's initial IP address and port. The server's PM should then record such info when received, and before sending events about the new connection. Fixes: df377be38725 ("mptcp: add deny_join_id0 in mptcp_options_received") Reviewed-by: Mat Martineau <martineau(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20250912-net-mptcp-pm-uspace-deny_join_id0-v1-1-40… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [ Conflicts in subflow.c, because of differences in the context, e.g. introduced by commit 3a236aef280e ("mptcp: refactor passive socket initialization"), which is not in this version. The same lines -- using 'mptcp_sk(new_msk)' instead of 'owner' -- can still be added approximately at the same place, before calling mptcp_pm_new_connection(). ] Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- net/mptcp/subflow.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index 6bc36132d490..f67d8c98d58a 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -758,6 +758,9 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, */ WRITE_ONCE(mptcp_sk(new_msk)->first, child); + if (mp_opt.deny_join_id0) + WRITE_ONCE(mptcp_sk(new_msk)->pm.remote_deny_join_id0, true); + /* new mpc subflow takes ownership of the newly * created mptcp socket */ -- 2.51.0

1 month, 2 weeks

1
0
0 0

[PATCH] drm/xe/uapi: loosen used tracking restriction

by Matthew Auld

Currently this is hidden behind perfmon_capable() since this is technically an info leak, given that this is a system wide metric. However the granularity reported here is always PAGE_SIZE aligned, which matches what the core kernel is already willing to expose to userspace if querying how many free RAM pages there are on the system, and that doesn't need any special privileges. In addition other drm drivers seem happy to expose this. The motivation here if with oneAPI where they want to use the system wide 'used' reporting here, so not the per-client fdinfo stats. This has also come up with some perf overlay applications wanting this information. Fixes: 1105ac15d2a1 ("drm/xe/uapi: restrict system wide accounting") Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Cc: Thomas Hellström <thomas.hellstrom(a)linux.intel.com> Cc: Joshua Santosh <joshua.santosh.ranjan(a)intel.com> Cc: José Roberto de Souza <jose.souza(a)intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.8+ --- drivers/gpu/drm/xe/xe_query.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_query.c b/drivers/gpu/drm/xe/xe_query.c index e1b603aba61b..2e9ff33ed2fe 100644 --- a/drivers/gpu/drm/xe/xe_query.c +++ b/drivers/gpu/drm/xe/xe_query.c @@ -276,8 +276,7 @@ static int query_mem_regions(struct xe_device *xe, mem_regions->mem_regions[0].instance = 0; mem_regions->mem_regions[0].min_page_size = PAGE_SIZE; mem_regions->mem_regions[0].total_size = man->size << PAGE_SHIFT; - if (perfmon_capable()) - mem_regions->mem_regions[0].used = ttm_resource_manager_usage(man); + mem_regions->mem_regions[0].used = ttm_resource_manager_usage(man); mem_regions->num_mem_regions = 1; for (i = XE_PL_VRAM0; i <= XE_PL_VRAM1; ++i) { @@ -293,13 +292,11 @@ static int query_mem_regions(struct xe_device *xe, mem_regions->mem_regions[mem_regions->num_mem_regions].total_size = man->size; - if (perfmon_capable()) { - xe_ttm_vram_get_used(man, - &mem_regions->mem_regions - [mem_regions->num_mem_regions].used, - &mem_regions->mem_regions - [mem_regions->num_mem_regions].cpu_visible_used); - } + xe_ttm_vram_get_used(man, + &mem_regions->mem_regions + [mem_regions->num_mem_regions].used, + &mem_regions->mem_regions + [mem_regions->num_mem_regions].cpu_visible_used); mem_regions->mem_regions[mem_regions->num_mem_regions].cpu_visible_size = xe_ttm_vram_get_cpu_visible_size(man); -- 2.51.0

1 month, 2 weeks

3
2
0 0

[PATCH 6.1.y 0/2] mptcp: fix recent failed backports (20250919)

by Matthieu Baerts (NGI0)

The following patches could not be applied without conflicts in this tree: - 2293c57484ae ("mptcp: pm: nl: announce deny-join-id0 flag") - 24733e193a0d ("selftests: mptcp: userspace pm: validate deny-join-id0 flag") Conflicts have been resolved, and documented in each patch. Matthieu Baerts (NGI0) (2): mptcp: pm: nl: announce deny-join-id0 flag selftests: mptcp: userspace pm: validate deny-join-id0 flag include/uapi/linux/mptcp.h | 6 ++++-- net/mptcp/pm_netlink.c | 7 +++++++ tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 7 +++++++ tools/testing/selftests/net/mptcp/userspace_pm.sh | 14 ++++++++++++-- 4 files changed, 30 insertions(+), 4 deletions(-) -- 2.51.0

1 month, 2 weeks

1
2
0 0

[PATCH 6.12.y] mptcp: pm: nl: announce deny-join-id0 flag

by Matthieu Baerts (NGI0)

commit 2293c57484ae64c9a3c847c8807db8c26a3a4d41 upstream. During the connection establishment, a peer can tell the other one that it cannot establish new subflows to the initial IP address and port by setting the 'C' flag [1]. Doing so makes sense when the sender is behind a strict NAT, operating behind a legacy Layer 4 load balancer, or using anycast IP address for example. When this 'C' flag is set, the path-managers must then not try to establish new subflows to the other peer's initial IP address and port. The in-kernel PM has access to this info, but the userspace PM didn't. The RFC8684 [1] is strict about that: (...) therefore the receiver MUST NOT try to open any additional subflows toward this address and port. So it is important to tell the userspace about that as it is responsible for the respect of this flag. When a new connection is created and established, the Netlink events now contain the existing but not currently used 'flags' attribute. When MPTCP_PM_EV_FLAG_DENY_JOIN_ID0 is set, it means no other subflows to the initial IP address and port -- info that are also part of the event -- can be established. Link: https://datatracker.ietf.org/doc/html/rfc8684#section-3.1-20.6 [1] Fixes: 702c2f646d42 ("mptcp: netlink: allow userspace-driven subflow establishment") Reported-by: Marek Majkowski <marek(a)cloudflare.com> Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/532 Reviewed-by: Mat Martineau <martineau(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20250912-net-mptcp-pm-uspace-deny_join_id0-v1-2-40… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [ Conflicts in mptcp_pm.yaml, because the indentation has been modified in commit ec362192aa9e ("netlink: specs: fix up indentation errors"), which is not in this version. Applying the same modifications, but at a different level. ] Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Documentation/netlink/specs/mptcp_pm.yaml | 4 ++-- include/uapi/linux/mptcp.h | 2 ++ include/uapi/linux/mptcp_pm.h | 4 ++-- net/mptcp/pm_netlink.c | 7 +++++++ 4 files changed, 13 insertions(+), 4 deletions(-) diff --git a/Documentation/netlink/specs/mptcp_pm.yaml b/Documentation/netlink/specs/mptcp_pm.yaml index 7e295bad8b29..a670a9bbe01b 100644 --- a/Documentation/netlink/specs/mptcp_pm.yaml +++ b/Documentation/netlink/specs/mptcp_pm.yaml @@ -28,13 +28,13 @@ definitions: traffic-patterns it can take a long time until the MPTCP_EVENT_ESTABLISHED is sent. Attributes: token, family, saddr4 | saddr6, daddr4 | daddr6, sport, - dport, server-side. + dport, server-side, [flags]. - name: established doc: >- A MPTCP connection is established (can start new subflows). Attributes: token, family, saddr4 | saddr6, daddr4 | daddr6, sport, - dport, server-side. + dport, server-side, [flags]. - name: closed doc: >- diff --git a/include/uapi/linux/mptcp.h b/include/uapi/linux/mptcp.h index 67d015df8893..5fd5b4cf75ca 100644 --- a/include/uapi/linux/mptcp.h +++ b/include/uapi/linux/mptcp.h @@ -31,6 +31,8 @@ #define MPTCP_INFO_FLAG_FALLBACK _BITUL(0) #define MPTCP_INFO_FLAG_REMOTE_KEY_RECEIVED _BITUL(1) +#define MPTCP_PM_EV_FLAG_DENY_JOIN_ID0 _BITUL(0) + #define MPTCP_PM_ADDR_FLAG_SIGNAL (1 << 0) #define MPTCP_PM_ADDR_FLAG_SUBFLOW (1 << 1) #define MPTCP_PM_ADDR_FLAG_BACKUP (1 << 2) diff --git a/include/uapi/linux/mptcp_pm.h b/include/uapi/linux/mptcp_pm.h index 6ac84b2f636c..7359d34da446 100644 --- a/include/uapi/linux/mptcp_pm.h +++ b/include/uapi/linux/mptcp_pm.h @@ -16,10 +16,10 @@ * good time to allocate memory and send ADD_ADDR if needed. Depending on the * traffic-patterns it can take a long time until the MPTCP_EVENT_ESTABLISHED * is sent. Attributes: token, family, saddr4 | saddr6, daddr4 | daddr6, - * sport, dport, server-side. + * sport, dport, server-side, [flags]. * @MPTCP_EVENT_ESTABLISHED: A MPTCP connection is established (can start new * subflows). Attributes: token, family, saddr4 | saddr6, daddr4 | daddr6, - * sport, dport, server-side. + * sport, dport, server-side, [flags]. * @MPTCP_EVENT_CLOSED: A MPTCP connection has stopped. Attribute: token. * @MPTCP_EVENT_ANNOUNCED: A new address has been announced by the peer. * Attributes: token, rem_id, family, daddr4 | daddr6 [, dport]. diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c index b763729b85e0..463c2e7956d5 100644 --- a/net/mptcp/pm_netlink.c +++ b/net/mptcp/pm_netlink.c @@ -2211,6 +2211,7 @@ static int mptcp_event_created(struct sk_buff *skb, const struct sock *ssk) { int err = nla_put_u32(skb, MPTCP_ATTR_TOKEN, READ_ONCE(msk->token)); + u16 flags = 0; if (err) return err; @@ -2218,6 +2219,12 @@ static int mptcp_event_created(struct sk_buff *skb, if (nla_put_u8(skb, MPTCP_ATTR_SERVER_SIDE, READ_ONCE(msk->pm.server_side))) return -EMSGSIZE; + if (READ_ONCE(msk->pm.remote_deny_join_id0)) + flags |= MPTCP_PM_EV_FLAG_DENY_JOIN_ID0; + + if (flags && nla_put_u16(skb, MPTCP_ATTR_FLAGS, flags)) + return -EMSGSIZE; + return mptcp_event_add_subflow(skb, ssk); } -- 2.51.0

1 month, 2 weeks

1
0
0 0

[PATCH 6.16.y] mptcp: pm: nl: announce deny-join-id0 flag

by Matthieu Baerts (NGI0)

commit 2293c57484ae64c9a3c847c8807db8c26a3a4d41 upstream. During the connection establishment, a peer can tell the other one that it cannot establish new subflows to the initial IP address and port by setting the 'C' flag [1]. Doing so makes sense when the sender is behind a strict NAT, operating behind a legacy Layer 4 load balancer, or using anycast IP address for example. When this 'C' flag is set, the path-managers must then not try to establish new subflows to the other peer's initial IP address and port. The in-kernel PM has access to this info, but the userspace PM didn't. The RFC8684 [1] is strict about that: (...) therefore the receiver MUST NOT try to open any additional subflows toward this address and port. So it is important to tell the userspace about that as it is responsible for the respect of this flag. When a new connection is created and established, the Netlink events now contain the existing but not currently used 'flags' attribute. When MPTCP_PM_EV_FLAG_DENY_JOIN_ID0 is set, it means no other subflows to the initial IP address and port -- info that are also part of the event -- can be established. Link: https://datatracker.ietf.org/doc/html/rfc8684#section-3.1-20.6 [1] Fixes: 702c2f646d42 ("mptcp: netlink: allow userspace-driven subflow establishment") Reported-by: Marek Majkowski <marek(a)cloudflare.com> Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/532 Reviewed-by: Mat Martineau <martineau(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20250912-net-mptcp-pm-uspace-deny_join_id0-v1-2-40… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [ Conflicts in mptcp_pm.yaml, because the indentation has been modified in commit ec362192aa9e ("netlink: specs: fix up indentation errors"), which is not in this version. Applying the same modifications, but at a different level. ] Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Documentation/netlink/specs/mptcp_pm.yaml | 4 ++-- include/uapi/linux/mptcp.h | 2 ++ include/uapi/linux/mptcp_pm.h | 4 ++-- net/mptcp/pm_netlink.c | 7 +++++++ 4 files changed, 13 insertions(+), 4 deletions(-) diff --git a/Documentation/netlink/specs/mptcp_pm.yaml b/Documentation/netlink/specs/mptcp_pm.yaml index ecfe5ee33de2..c77f32cfcae9 100644 --- a/Documentation/netlink/specs/mptcp_pm.yaml +++ b/Documentation/netlink/specs/mptcp_pm.yaml @@ -28,13 +28,13 @@ definitions: traffic-patterns it can take a long time until the MPTCP_EVENT_ESTABLISHED is sent. Attributes: token, family, saddr4 | saddr6, daddr4 | daddr6, sport, - dport, server-side. + dport, server-side, [flags]. - name: established doc: >- A MPTCP connection is established (can start new subflows). Attributes: token, family, saddr4 | saddr6, daddr4 | daddr6, sport, - dport, server-side. + dport, server-side, [flags]. - name: closed doc: >- diff --git a/include/uapi/linux/mptcp.h b/include/uapi/linux/mptcp.h index 67d015df8893..5fd5b4cf75ca 100644 --- a/include/uapi/linux/mptcp.h +++ b/include/uapi/linux/mptcp.h @@ -31,6 +31,8 @@ #define MPTCP_INFO_FLAG_FALLBACK _BITUL(0) #define MPTCP_INFO_FLAG_REMOTE_KEY_RECEIVED _BITUL(1) +#define MPTCP_PM_EV_FLAG_DENY_JOIN_ID0 _BITUL(0) + #define MPTCP_PM_ADDR_FLAG_SIGNAL (1 << 0) #define MPTCP_PM_ADDR_FLAG_SUBFLOW (1 << 1) #define MPTCP_PM_ADDR_FLAG_BACKUP (1 << 2) diff --git a/include/uapi/linux/mptcp_pm.h b/include/uapi/linux/mptcp_pm.h index 6ac84b2f636c..7359d34da446 100644 --- a/include/uapi/linux/mptcp_pm.h +++ b/include/uapi/linux/mptcp_pm.h @@ -16,10 +16,10 @@ * good time to allocate memory and send ADD_ADDR if needed. Depending on the * traffic-patterns it can take a long time until the MPTCP_EVENT_ESTABLISHED * is sent. Attributes: token, family, saddr4 | saddr6, daddr4 | daddr6, - * sport, dport, server-side. + * sport, dport, server-side, [flags]. * @MPTCP_EVENT_ESTABLISHED: A MPTCP connection is established (can start new * subflows). Attributes: token, family, saddr4 | saddr6, daddr4 | daddr6, - * sport, dport, server-side. + * sport, dport, server-side, [flags]. * @MPTCP_EVENT_CLOSED: A MPTCP connection has stopped. Attribute: token. * @MPTCP_EVENT_ANNOUNCED: A new address has been announced by the peer. * Attributes: token, rem_id, family, daddr4 | daddr6 [, dport]. diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c index 50aaf259959a..ce7d42d3bd00 100644 --- a/net/mptcp/pm_netlink.c +++ b/net/mptcp/pm_netlink.c @@ -408,6 +408,7 @@ static int mptcp_event_created(struct sk_buff *skb, const struct sock *ssk) { int err = nla_put_u32(skb, MPTCP_ATTR_TOKEN, READ_ONCE(msk->token)); + u16 flags = 0; if (err) return err; @@ -415,6 +416,12 @@ static int mptcp_event_created(struct sk_buff *skb, if (nla_put_u8(skb, MPTCP_ATTR_SERVER_SIDE, READ_ONCE(msk->pm.server_side))) return -EMSGSIZE; + if (READ_ONCE(msk->pm.remote_deny_join_id0)) + flags |= MPTCP_PM_EV_FLAG_DENY_JOIN_ID0; + + if (flags && nla_put_u16(skb, MPTCP_ATTR_FLAGS, flags)) + return -EMSGSIZE; + return mptcp_event_add_subflow(skb, ssk); } -- 2.51.0

1 month, 2 weeks

1
0
0 0

stable: queue/* branches no longer updated

by Matthieu Baerts

Hi Sasha, Thank you for maintaining the stable versions with Greg! If I remember well, you run some scripts on your side to maintain the queue/* branches in the linux-stable-rc Git tree [1], is that correct? These branches have not been updated for a bit more than 3 weeks. Is it normal? Personally, I find them useful. But if it is just me, I can work without them. [1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/… Cheers, Matt -- Sponsored by the NGI0 Core fund.

1 month, 2 weeks

2
3
0 0

+ kmsan-fix-out-of-bounds-access-to-shadow-memory.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: kmsan: Fix out-of-bounds access to shadow memory has been added to the -mm mm-hotfixes-unstable branch. Its filename is kmsan-fix-out-of-bounds-access-to-shadow-memory.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Eric Biggers <ebiggers(a)kernel.org> Subject: kmsan: Fix out-of-bounds access to shadow memory Date: Thu, 11 Sep 2025 12:58:58 -0700 Running sha224_kunit on a KMSAN-enabled kernel results in a crash in kmsan_internal_set_shadow_origin(): BUG: unable to handle page fault for address: ffffbc3840291000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 1810067 P4D 1810067 PUD 192d067 PMD 3c17067 PTE 0 Oops: 0000 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 81 Comm: kunit_try_catch Tainted: G N 6.17.0-rc3 #10 PREEMPT(voluntary) Tainted: [N]=TEST Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 RIP: 0010:kmsan_internal_set_shadow_origin+0x91/0x100 [...] Call Trace: <TASK> __msan_memset+0xee/0x1a0 sha224_final+0x9e/0x350 test_hash_buffer_overruns+0x46f/0x5f0 ? kmsan_get_shadow_origin_ptr+0x46/0xa0 ? __pfx_test_hash_buffer_overruns+0x10/0x10 kunit_try_run_case+0x198/0xa00 This occurs when memset() is called on a buffer that is not 4-byte aligned and extends to the end of a guard page, i.e. the next page is unmapped. The bug is that the loop at the end of kmsan_internal_set_shadow_origin() accesses the wrong shadow memory bytes when the address is not 4-byte aligned. Since each 4 bytes are associated with an origin, it rounds the address and size so that it can access all the origins that contain the buffer. However, when it checks the corresponding shadow bytes for a particular origin, it incorrectly uses the original unrounded shadow address. This results in reads from shadow memory beyond the end of the buffer's shadow memory, which crashes when that memory is not mapped. To fix this, correctly align the shadow address before accessing the 4 shadow bytes corresponding to each origin. Link: https://lkml.kernel.org/r/20250911195858.394235-1-ebiggers@kernel.org Fixes: 2ef3cec44c60 ("kmsan: do not wipe out origin when doing partial unpoisoning") Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> Tested-by: Alexander Potapenko <glider(a)google.com> Reviewed-by: Alexander Potapenko <glider(a)google.com> Cc: Dmitriy Vyukov <dvyukov(a)google.com> Cc: Marco Elver <elver(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/kmsan/core.c | 10 +++++++--- mm/kmsan/kmsan_test.c | 16 ++++++++++++++++ 2 files changed, 23 insertions(+), 3 deletions(-) --- a/mm/kmsan/core.c~kmsan-fix-out-of-bounds-access-to-shadow-memory +++ a/mm/kmsan/core.c @@ -195,7 +195,8 @@ void kmsan_internal_set_shadow_origin(vo u32 origin, bool checked) { u64 address = (u64)addr; - u32 *shadow_start, *origin_start; + void *shadow_start; + u32 *aligned_shadow, *origin_start; size_t pad = 0; KMSAN_WARN_ON(!kmsan_metadata_is_contiguous(addr, size)); @@ -214,9 +215,12 @@ void kmsan_internal_set_shadow_origin(vo } __memset(shadow_start, b, size); - if (!IS_ALIGNED(address, KMSAN_ORIGIN_SIZE)) { + if (IS_ALIGNED(address, KMSAN_ORIGIN_SIZE)) { + aligned_shadow = shadow_start; + } else { pad = address % KMSAN_ORIGIN_SIZE; address -= pad; + aligned_shadow = shadow_start - pad; size += pad; } size = ALIGN(size, KMSAN_ORIGIN_SIZE); @@ -230,7 +234,7 @@ void kmsan_internal_set_shadow_origin(vo * corresponding shadow slot is zero. */ for (int i = 0; i < size / KMSAN_ORIGIN_SIZE; i++) { - if (origin || !shadow_start[i]) + if (origin || !aligned_shadow[i]) origin_start[i] = origin; } } --- a/mm/kmsan/kmsan_test.c~kmsan-fix-out-of-bounds-access-to-shadow-memory +++ a/mm/kmsan/kmsan_test.c @@ -556,6 +556,21 @@ DEFINE_TEST_MEMSETXX(16) DEFINE_TEST_MEMSETXX(32) DEFINE_TEST_MEMSETXX(64) +/* Test case: ensure that KMSAN does not access shadow memory out of bounds. */ +static void test_memset_on_guarded_buffer(struct kunit *test) +{ + void *buf = vmalloc(PAGE_SIZE); + + kunit_info(test, + "memset() on ends of guarded buffer should not crash\n"); + + for (size_t size = 0; size <= 128; size++) { + memset(buf, 0xff, size); + memset(buf + PAGE_SIZE - size, 0xff, size); + } + vfree(buf); +} + static noinline void fibonacci(int *array, int size, int start) { if (start < 2 || (start == size)) @@ -677,6 +692,7 @@ static struct kunit_case kmsan_test_case KUNIT_CASE(test_memset16), KUNIT_CASE(test_memset32), KUNIT_CASE(test_memset64), + KUNIT_CASE(test_memset_on_guarded_buffer), KUNIT_CASE(test_long_origin_chain), KUNIT_CASE(test_stackdepot_roundtrip), KUNIT_CASE(test_unpoison_memory), _ Patches currently in -mm which might be from ebiggers(a)kernel.org are kmsan-fix-out-of-bounds-access-to-shadow-memory.patch

1 month, 2 weeks

1
0
0 0

+ squashfs-fix-uninit-value-in-squashfs_get_parent.patch added to mm-nonmm-unstable branch

by Andrew Morton

The patch titled Subject: Squashfs: fix uninit-value in squashfs_get_parent has been added to the -mm mm-nonmm-unstable branch. Its filename is squashfs-fix-uninit-value-in-squashfs_get_parent.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-nonmm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Phillip Lougher <phillip(a)squashfs.org.uk> Subject: Squashfs: fix uninit-value in squashfs_get_parent Date: Fri, 19 Sep 2025 00:33:08 +0100 Syzkaller reports a "KMSAN: uninit-value in squashfs_get_parent" bug. This is caused by open_by_handle_at() being called with a file handle containing an invalid parent inode number. In particular the inode number is that of a symbolic link, rather than a directory. Squashfs_get_parent() gets called with that symbolic link inode, and accesses the parent member field. unsigned int parent_ino = squashfs_i(inode)->parent; Because non-directory inodes in Squashfs do not have a parent value, this is uninitialised, and this causes an uninitialised value access. The fix is to initialise parent with the invalid inode 0, which will cause an EINVAL error to be returned. Regular inodes used to share the parent field with the block_list_start field. This is removed in this commit to enable the parent field to contain the invalid inode number 0. Link: https://lkml.kernel.org/r/20250918233308.293861-1-phillip@squashfs.org.uk Fixes: 122601408d20 ("Squashfs: export operations") Signed-off-by: Phillip Lougher <phillip(a)squashfs.org.uk> Reported-by: syzbot+157bdef5cf596ad0da2c(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/68cc2431.050a0220.139b6.0001.GAE@google.com/ Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/squashfs/inode.c | 7 +++++++ fs/squashfs/squashfs_fs_i.h | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) --- a/fs/squashfs/inode.c~squashfs-fix-uninit-value-in-squashfs_get_parent +++ a/fs/squashfs/inode.c @@ -169,6 +169,7 @@ int squashfs_read_inode(struct inode *in squashfs_i(inode)->start = le32_to_cpu(sqsh_ino->start_block); squashfs_i(inode)->block_list_start = block; squashfs_i(inode)->offset = offset; + squashfs_i(inode)->parent = 0; inode->i_data.a_ops = &squashfs_aops; TRACE("File inode %x:%x, start_block %llx, block_list_start " @@ -216,6 +217,7 @@ int squashfs_read_inode(struct inode *in squashfs_i(inode)->start = le64_to_cpu(sqsh_ino->start_block); squashfs_i(inode)->block_list_start = block; squashfs_i(inode)->offset = offset; + squashfs_i(inode)->parent = 0; inode->i_data.a_ops = &squashfs_aops; TRACE("File inode %x:%x, start_block %llx, block_list_start " @@ -296,6 +298,7 @@ int squashfs_read_inode(struct inode *in inode->i_mode |= S_IFLNK; squashfs_i(inode)->start = block; squashfs_i(inode)->offset = offset; + squashfs_i(inode)->parent = 0; if (type == SQUASHFS_LSYMLINK_TYPE) { __le32 xattr; @@ -333,6 +336,7 @@ int squashfs_read_inode(struct inode *in set_nlink(inode, le32_to_cpu(sqsh_ino->nlink)); rdev = le32_to_cpu(sqsh_ino->rdev); init_special_inode(inode, inode->i_mode, new_decode_dev(rdev)); + squashfs_i(inode)->parent = 0; TRACE("Device inode %x:%x, rdev %x\n", SQUASHFS_INODE_BLK(ino), offset, rdev); @@ -357,6 +361,7 @@ int squashfs_read_inode(struct inode *in set_nlink(inode, le32_to_cpu(sqsh_ino->nlink)); rdev = le32_to_cpu(sqsh_ino->rdev); init_special_inode(inode, inode->i_mode, new_decode_dev(rdev)); + squashfs_i(inode)->parent = 0; TRACE("Device inode %x:%x, rdev %x\n", SQUASHFS_INODE_BLK(ino), offset, rdev); @@ -377,6 +382,7 @@ int squashfs_read_inode(struct inode *in inode->i_mode |= S_IFSOCK; set_nlink(inode, le32_to_cpu(sqsh_ino->nlink)); init_special_inode(inode, inode->i_mode, 0); + squashfs_i(inode)->parent = 0; break; } case SQUASHFS_LFIFO_TYPE: @@ -396,6 +402,7 @@ int squashfs_read_inode(struct inode *in inode->i_op = &squashfs_inode_ops; set_nlink(inode, le32_to_cpu(sqsh_ino->nlink)); init_special_inode(inode, inode->i_mode, 0); + squashfs_i(inode)->parent = 0; break; } default: --- a/fs/squashfs/squashfs_fs_i.h~squashfs-fix-uninit-value-in-squashfs_get_parent +++ a/fs/squashfs/squashfs_fs_i.h @@ -16,6 +16,7 @@ struct squashfs_inode_info { u64 xattr; unsigned int xattr_size; int xattr_count; + int parent; union { struct { u64 fragment_block; @@ -27,7 +28,6 @@ struct squashfs_inode_info { u64 dir_idx_start; int dir_idx_offset; int dir_idx_cnt; - int parent; }; }; struct inode vfs_inode; _ Patches currently in -mm which might be from phillip(a)squashfs.org.uk are squashfs-fix-uninit-value-in-squashfs_get_parent.patch

1 month, 2 weeks

1
0
0 0

+ fs-proc-task_mmu-check-cur_buf-for-null.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: fs/proc/task_mmu: check cur_buf for NULL has been added to the -mm mm-hotfixes-unstable branch. Its filename is fs-proc-task_mmu-check-cur_buf-for-null.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Jakub Acs <acsjakub(a)amazon.de> Subject: fs/proc/task_mmu: check cur_buf for NULL Date: Fri, 19 Sep 2025 14:21:04 +0000 When the PAGEMAP_SCAN ioctl is invoked with vec_len = 0 reaches pagemap_scan_backout_range(), kernel panics with null-ptr-deref: [ 44.936808] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 44.937797] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 44.938391] CPU: 1 UID: 0 PID: 2480 Comm: reproducer Not tainted 6.17.0-rc6 #22 PREEMPT(none) [ 44.939062] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 44.939935] RIP: 0010:pagemap_scan_thp_entry.isra.0+0x741/0xa80 <snip registers, unreliable trace> [ 44.946828] Call Trace: [ 44.947030] <TASK> [ 44.949219] pagemap_scan_pmd_entry+0xec/0xfa0 [ 44.952593] walk_pmd_range.isra.0+0x302/0x910 [ 44.954069] walk_pud_range.isra.0+0x419/0x790 [ 44.954427] walk_p4d_range+0x41e/0x620 [ 44.954743] walk_pgd_range+0x31e/0x630 [ 44.955057] __walk_page_range+0x160/0x670 [ 44.956883] walk_page_range_mm+0x408/0x980 [ 44.958677] walk_page_range+0x66/0x90 [ 44.958984] do_pagemap_scan+0x28d/0x9c0 [ 44.961833] do_pagemap_cmd+0x59/0x80 [ 44.962484] __x64_sys_ioctl+0x18d/0x210 [ 44.962804] do_syscall_64+0x5b/0x290 [ 44.963111] entry_SYSCALL_64_after_hwframe+0x76/0x7e vec_len = 0 in pagemap_scan_init_bounce_buffer() means no buffers are allocated and p->vec_buf remains set to NULL. This breaks an assumption made later in pagemap_scan_backout_range(), that page_region is always allocated for p->vec_buf_index. Fix it by explicitly checking cur_buf for NULL before dereferencing. Other sites that might run into same deref-issue are already (directly or transitively) protected by checking p->vec_buf. Note: From PAGEMAP_SCAN man page, it seems vec_len = 0 is valid when no output is requested and it's only the side effects caller is interested in, hence it passes check in pagemap_scan_get_args(). This issue was found by syzkaller. Link: https://lkml.kernel.org/r/20250919142106.43527-1-acsjakub@amazon.de Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs") Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> Cc: David Hildenbrand <david(a)redhat.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Jinjiang Tu <tujinjiang(a)huawei.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Penglei Jiang <superman.xpt(a)gmail.com> Cc: Mark Brown <broonie(a)kernel.org> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Andrei Vagin <avagin(a)gmail.com> Cc: "Micha�� Miros��aw" <mirq-linux(a)rere.qmqm.pl> Cc: Stephen Rothwell <sfr(a)canb.auug.org.au> Cc: Muhammad Usama Anjum <usama.anjum(a)collabora.com> Cc: Alexey Dobriyan <adobriyan(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/task_mmu.c | 3 +++ 1 file changed, 3 insertions(+) --- a/fs/proc/task_mmu.c~fs-proc-task_mmu-check-cur_buf-for-null +++ a/fs/proc/task_mmu.c @@ -2417,6 +2417,9 @@ static void pagemap_scan_backout_range(s { struct page_region *cur_buf = &p->vec_buf[p->vec_buf_index]; + if (!cur_buf) + return; + if (cur_buf->start != addr) cur_buf->end = addr; else _ Patches currently in -mm which might be from acsjakub(a)amazon.de are fs-proc-task_mmu-check-cur_buf-for-null.patch

1 month, 2 weeks

1
0
0 0

[PATCH 6.12.y 0/3] Fix a backport of VMSCAPE enumeration fix

by Harshit Mogalapalli

Bug-report: https://lore.kernel.org/all/915c0e00-b92d-4e37-9d4b-0f6a4580da97@oracle.com/ Summary: While backporting commit: 7c62c442b6eb ("x86/vmscape: Enumerate VMSCAPE bug") to 6.12.y --> VULNBL_AMD(0x1a, SRSO | VMSCAPE) was added even when 6.12.y doesn't have commit: 877818802c3e ("x86/bugs: Add SRSO_USER_KERNEL_NO support"). Boris Ostrovsky suggested backporting three commits to 6.12.y: 1. commit: 877818802c3e ("x86/bugs: Add SRSO_USER_KERNEL_NO support") 2. commit: 8442df2b49ed ("x86/bugs: KVM: Add support for SRSO_MSR_FIX") and its fix 3. commit: e3417ab75ab2 ("KVM: SVM: Set/clear SRSO's BP_SPEC_REDUCE on 0 <=> 1 VM count transitions") -- Maybe optional Which changes current mitigation status on turin for 6.12.48 from Safe RET to Reduced Speculation, leaving it with Safe RET liely causes heavy performance regressions. This three patches together change mitigation status from Safe RET to Reduced Speculation Tested on Turin: [ 3.188134] Speculative Return Stack Overflow: Mitigation: Reduced Speculation Backports: 1. Patch 1 had minor conflict as VMSCAPE commit added VULNBL_AMD(0x1a, SRSO | VMSCAPE), and resolution is to skip that line. 2. Patch 2 and 3 are clean cherry-picks, 3 is a fix for 2. Note: I verified if this problem is also on other stable trees like (6.6 --> 5.10, no they don't have this backport problem) Thanks, Harshit Borislav Petkov (1): x86/bugs: KVM: Add support for SRSO_MSR_FIX Borislav Petkov (AMD) (1): x86/bugs: Add SRSO_USER_KERNEL_NO support Sean Christopherson (1): KVM: SVM: Set/clear SRSO's BP_SPEC_REDUCE on 0 <=> 1 VM count transitions Documentation/admin-guide/hw-vuln/srso.rst | 13 +++++ arch/x86/include/asm/cpufeatures.h | 5 ++ arch/x86/include/asm/msr-index.h | 1 + arch/x86/kernel/cpu/bugs.c | 28 ++++++++-- arch/x86/kvm/svm/svm.c | 65 ++++++++++++++++++++++ arch/x86/kvm/svm/svm.h | 2 + arch/x86/lib/msr.c | 2 + 7 files changed, 112 insertions(+), 4 deletions(-) -- 2.50.1

1 month, 2 weeks

2
4
0 0

[tip: x86/cpu] x86/umip: Check that the instruction opcode is at least two bytes

by tip-bot2 for Sean Christopherson

The following commit has been merged into the x86/cpu branch of tip: Commit-ID: 32278c677947ae2f042c9535674a7fff9a245dd3 Gitweb: https://git.kernel.org/tip/32278c677947ae2f042c9535674a7fff9a245dd3 Author: Sean Christopherson <seanjc(a)google.com> AuthorDate: Fri, 08 Aug 2025 10:23:56 -07:00 Committer: Borislav Petkov (AMD) <bp(a)alien8.de> CommitterDate: Fri, 19 Sep 2025 20:21:12 +02:00 x86/umip: Check that the instruction opcode is at least two bytes When checking for a potential UMIP violation on #GP, verify the decoder found at least two opcode bytes to avoid false positives when the kernel encounters an unknown instruction that starts with 0f. Because the array of opcode.bytes is zero-initialized by insn_init(), peeking at bytes[1] will misinterpret garbage as a potential SLDT or STR instruction, and can incorrectly trigger emulation. E.g. if a VPALIGNR instruction 62 83 c5 05 0f 08 ff vpalignr xmm17{k5},xmm23,XMMWORD PTR [r8],0xff hits a #GP, the kernel emulates it as STR and squashes the #GP (and corrupts the userspace code stream). Arguably the check should look for exactly two bytes, but no three byte opcodes use '0f 00 xx' or '0f 01 xx' as an escape, i.e. it should be impossible to get a false positive if the first two opcode bytes match '0f 00' or '0f 01'. Go with a more conservative check with respect to the existing code to minimize the chances of breaking userspace, e.g. due to decoder weirdness. Analyzed by Nick Bray <ncbray(a)google.com>. Fixes: 1e5db223696a ("x86/umip: Add emulation code for UMIP instructions") Reported-by: Dan Snyder <dansnyder(a)google.com> Signed-off-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Acked-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Cc: stable(a)vger.kernel.org --- arch/x86/kernel/umip.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/umip.c b/arch/x86/kernel/umip.c index 5a4b213..406ac01 100644 --- a/arch/x86/kernel/umip.c +++ b/arch/x86/kernel/umip.c @@ -156,8 +156,8 @@ static int identify_insn(struct insn *insn) if (!insn->modrm.nbytes) return -EINVAL; - /* All the instructions of interest start with 0x0f. */ - if (insn->opcode.bytes[0] != 0xf) + /* The instructions of interest have 2-byte opcodes: 0F 00 or 0F 01. */ + if (insn->opcode.nbytes < 2 || insn->opcode.bytes[0] != 0xf) return -EINVAL; if (insn->opcode.bytes[1] == 0x1) {

1 month, 2 weeks

1
0
0 0

[tip: x86/cpu] x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT aliases)

by tip-bot2 for Sean Christopherson

The following commit has been merged into the x86/cpu branch of tip: Commit-ID: 27b1fd62012dfe9d3eb8ecde344d7aa673695ecf Gitweb: https://git.kernel.org/tip/27b1fd62012dfe9d3eb8ecde344d7aa673695ecf Author: Sean Christopherson <seanjc(a)google.com> AuthorDate: Fri, 08 Aug 2025 10:23:57 -07:00 Committer: Borislav Petkov (AMD) <bp(a)alien8.de> CommitterDate: Fri, 19 Sep 2025 21:34:48 +02:00 x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT aliases) Filter out the register forms of 0F 01 when determining whether or not to emulate in response to a potential UMIP violation #GP, as SGDT and SIDT only accept memory operands. The register variants of 0F 01 are used to encode instructions for things like VMX and SGX, i.e. not checking the Mod field would cause the kernel to incorrectly emulate on #GP, e.g. due to a CPL violation on VMLAUNCH. Fixes: 1e5db223696a ("x86/umip: Add emulation code for UMIP instructions") Signed-off-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Acked-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Cc: stable(a)vger.kernel.org --- arch/x86/kernel/umip.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/arch/x86/kernel/umip.c b/arch/x86/kernel/umip.c index 406ac01..d432f38 100644 --- a/arch/x86/kernel/umip.c +++ b/arch/x86/kernel/umip.c @@ -163,8 +163,19 @@ static int identify_insn(struct insn *insn) if (insn->opcode.bytes[1] == 0x1) { switch (X86_MODRM_REG(insn->modrm.value)) { case 0: + /* The reg form of 0F 01 /0 encodes VMX instructions. */ + if (X86_MODRM_MOD(insn->modrm.value) == 3) + return -EINVAL; + return UMIP_INST_SGDT; case 1: + /* + * The reg form of 0F 01 /1 encodes MONITOR/MWAIT, + * STAC/CLAC, and ENCLS. + */ + if (X86_MODRM_MOD(insn->modrm.value) == 3) + return -EINVAL; + return UMIP_INST_SIDT; case 4: return UMIP_INST_SMSW;

1 month, 2 weeks

1
0
0 0

[PATCH net] net/core : fix KMSAN: uninit value in tipc_rcv

by hariconscious＠gmail.com

From: HariKrishna Sagala <hariconscious(a)gmail.com> Syzbot reported an uninit-value bug on at kmalloc_reserve for commit 320475fbd590 ("Merge tag 'mtd/fixes-for-6.17-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux")' Syzbot KMSAN reported use of uninitialized memory originating from functions "kmalloc_reserve()", where memory allocated via "kmem_cache_alloc_node()" or "kmalloc_node_track_caller()" was not explicitly initialized. This can lead to undefined behavior when the allocated buffer is later accessed. Fix this by requesting the initialized memory using the gfp flag appended with the option "__GFP_ZERO". Reported-by: syzbot+9a4fbb77c9d4aacd3388(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=9a4fbb77c9d4aacd3388 Fixes: 915d975b2ffa ("net: deal with integer overflows in kmalloc_reserve()") Tested-by: syzbot+9a4fbb77c9d4aacd3388(a)syzkaller.appspotmail.com Signed-off-by: HariKrishna Sagala <hariconscious(a)gmail.com> --- net/core/skbuff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index ee0274417948..2308ebf99bbd 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -573,6 +573,7 @@ static void *kmalloc_reserve(unsigned int *size, gfp_t flags, int node, void *obj; obj_size = SKB_HEAD_ALIGN(*size); + flags |= __GFP_ZERO; if (obj_size <= SKB_SMALL_HEAD_CACHE_SIZE && !(flags & KMALLOC_NOT_NORMAL_BITS)) { obj = kmem_cache_alloc_node(net_hotdata.skb_small_head_cache, -- 2.43.0

1 month, 2 weeks

3
2
0 0

[PATCH net v3] net: nfc: nci: Add parameter validation for packet data

by Deepak Sharma

Syzbot reported an uninit-value bug at nci_init_req for commit 5aca7966d2a7 ("Merge tag 'perf-tools-fixes-for-v6.17-2025-09-16'..). This bug arises due to very limited and poor input validation that was done at nic_valid_size(). This validation only validates the skb->len (directly reflects size provided at the userspace interface) with the length provided in the buffer itself (interpreted as NCI_HEADER). This leads to the processing of memory content at the address assuming the correct layout per what opcode requires there. This leads to the accesses to buffer of `skb_buff->data` which is not assigned anything yet. Following the same silent drop of packets of invalid sizes at `nic_valid_size()`, add validation of the data in the respective handlers and return error values in case of failure. Release the skb if error values are returned from handlers in `nci_nft_packet` and effectively do a silent drop Possible TODO: because we silently drop the packets, the call to `nci_request` will be waiting for completion of request and will face timeouts. These timeouts can get excessively logged in the dmesg. A proper handling of them may require to export `nci_request_cancel` (or propagate error handling from the nft packets handlers). Reported-by: syzbot+740e04c2a93467a0f8c8(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=740e04c2a93467a0f8c8 Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation) Tested-by: syzbot+740e04c2a93467a0f8c8(a)syzkaller.appspotmail.com Signed-off-by: Deepak Sharma <deepak.sharma.472935(a)gmail.com> --- v3: - Move the checks inside the packet data handlers - Improvements to the commit message v2: - Fix the release of skb in case of the early return v1: - Add checks in `nci_ntf_packet` on the skb->len and do early return on failure net/nfc/nci/ntf.c | 139 +++++++++++++++++++++++++++++++++------------- 1 file changed, 101 insertions(+), 38 deletions(-) diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c index a818eff27e6b..c0edf8242e22 100644 --- a/net/nfc/nci/ntf.c +++ b/net/nfc/nci/ntf.c @@ -27,11 +27,16 @@ /* Handle NCI Notification packets */ -static void nci_core_reset_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_core_reset_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { /* Handle NCI 2.x core reset notification */ - const struct nci_core_reset_ntf *ntf = (void *)skb->data; + const struct nci_core_reset_ntf *ntf; + + if (skb->len < sizeof(struct nci_core_reset_ntf)) + return -EINVAL; + + ntf = (struct nci_core_reset_ntf *)skb->data; ndev->nci_ver = ntf->nci_ver; pr_debug("nci_ver 0x%x, config_status 0x%x\n", @@ -42,15 +47,22 @@ static void nci_core_reset_ntf_packet(struct nci_dev *ndev, __le32_to_cpu(ntf->manufact_specific_info); nci_req_complete(ndev, NCI_STATUS_OK); + + return 0; } -static void nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, - struct sk_buff *skb) +static int nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, + struct sk_buff *skb) { - struct nci_core_conn_credit_ntf *ntf = (void *) skb->data; + struct nci_core_conn_credit_ntf *ntf; struct nci_conn_info *conn_info; int i; + if (skb->len < sizeof(struct nci_core_conn_credit_ntf)) + return -EINVAL; + + ntf = (struct nci_core_conn_credit_ntf *)skb->data; + pr_debug("num_entries %d\n", ntf->num_entries); if (ntf->num_entries > NCI_MAX_NUM_CONN) @@ -68,7 +80,7 @@ static void nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, conn_info = nci_get_conn_info_by_conn_id(ndev, ntf->conn_entries[i].conn_id); if (!conn_info) - return; + return 0; atomic_add(ntf->conn_entries[i].credits, &conn_info->credits_cnt); @@ -77,12 +89,19 @@ static void nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, /* trigger the next tx */ if (!skb_queue_empty(&ndev->tx_q)) queue_work(ndev->tx_wq, &ndev->tx_work); + + return 0; } -static void nci_core_generic_error_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_core_generic_error_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { - __u8 status = skb->data[0]; + __u8 status; + + if (skb->len < 1) + return -EINVAL; + + status = skb->data[0]; pr_debug("status 0x%x\n", status); @@ -91,12 +110,19 @@ static void nci_core_generic_error_ntf_packet(struct nci_dev *ndev, (the state remains the same) */ nci_req_complete(ndev, status); } + + return 0; } -static void nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev, - struct sk_buff *skb) +static int nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev, + struct sk_buff *skb) { - struct nci_core_intf_error_ntf *ntf = (void *) skb->data; + struct nci_core_intf_error_ntf *ntf; + + if (skb->len < sizeof(struct nci_core_intf_error_ntf)) + return -EINVAL; + + ntf = (struct nci_core_intf_error_ntf *)skb->data; ntf->conn_id = nci_conn_id(&ntf->conn_id); @@ -105,6 +131,8 @@ static void nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev, /* complete the data exchange transaction, if exists */ if (test_bit(NCI_DATA_EXCHANGE, &ndev->flags)) nci_data_exchange_complete(ndev, NULL, ntf->conn_id, -EIO); + + return 0; } static const __u8 * @@ -329,13 +357,18 @@ void nci_clear_target_list(struct nci_dev *ndev) ndev->n_targets = 0; } -static void nci_rf_discover_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_rf_discover_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { struct nci_rf_discover_ntf ntf; - const __u8 *data = skb->data; + const __u8 *data; bool add_target = true; + if (skb->len < sizeof(struct nci_rf_discover_ntf)) + return -EINVAL; + + data = skb->data; + ntf.rf_discovery_id = *data++; ntf.rf_protocol = *data++; ntf.rf_tech_and_mode = *data++; @@ -390,6 +423,8 @@ static void nci_rf_discover_ntf_packet(struct nci_dev *ndev, nfc_targets_found(ndev->nfc_dev, ndev->targets, ndev->n_targets); } + + return 0; } static int nci_extract_activation_params_iso_dep(struct nci_dev *ndev, @@ -501,7 +536,7 @@ static int nci_store_general_bytes_nfc_dep(struct nci_dev *ndev, case NCI_NFC_A_PASSIVE_POLL_MODE: case NCI_NFC_F_PASSIVE_POLL_MODE: ndev->remote_gb_len = min_t(__u8, - (ntf->activation_params.poll_nfc_dep.atr_res_len + (ntf->activation_params.poll_nfc_dep.atr_res_len - NFC_ATR_RES_GT_OFFSET), NFC_ATR_RES_GB_MAXSIZE); memcpy(ndev->remote_gb, @@ -513,7 +548,7 @@ static int nci_store_general_bytes_nfc_dep(struct nci_dev *ndev, case NCI_NFC_A_PASSIVE_LISTEN_MODE: case NCI_NFC_F_PASSIVE_LISTEN_MODE: ndev->remote_gb_len = min_t(__u8, - (ntf->activation_params.listen_nfc_dep.atr_req_len + (ntf->activation_params.listen_nfc_dep.atr_req_len - NFC_ATR_REQ_GT_OFFSET), NFC_ATR_REQ_GB_MAXSIZE); memcpy(ndev->remote_gb, @@ -553,14 +588,19 @@ static int nci_store_ats_nfc_iso_dep(struct nci_dev *ndev, return NCI_STATUS_OK; } -static void nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { struct nci_conn_info *conn_info; struct nci_rf_intf_activated_ntf ntf; - const __u8 *data = skb->data; + const __u8 *data; int err = NCI_STATUS_OK; + if (skb->len < sizeof(struct nci_rf_intf_activated_ntf)) + return -EINVAL; + + data = skb->data; + ntf.rf_discovery_id = *data++; ntf.rf_interface = *data++; ntf.rf_protocol = *data++; @@ -667,7 +707,7 @@ static void nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, if (err == NCI_STATUS_OK) { conn_info = ndev->rf_conn_info; if (!conn_info) - return; + return 0; conn_info->max_pkt_payload_len = ntf.max_data_pkt_payload_size; conn_info->initial_num_credits = ntf.initial_num_credits; @@ -721,19 +761,26 @@ static void nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, pr_err("error when signaling tm activation\n"); } } + + return 0; } -static void nci_rf_deactivate_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_rf_deactivate_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { const struct nci_conn_info *conn_info; - const struct nci_rf_deactivate_ntf *ntf = (void *)skb->data; + const struct nci_rf_deactivate_ntf *ntf; + + if (skb->len < sizeof(struct nci_rf_deactivate_ntf)) + return -EINVAL; + + ntf = (struct nci_rf_deactivate_ntf *)skb->data; pr_debug("entry, type 0x%x, reason 0x%x\n", ntf->type, ntf->reason); conn_info = ndev->rf_conn_info; if (!conn_info) - return; + return 0; /* drop tx data queue */ skb_queue_purge(&ndev->tx_q); @@ -765,14 +812,20 @@ static void nci_rf_deactivate_ntf_packet(struct nci_dev *ndev, } nci_req_complete(ndev, NCI_STATUS_OK); + + return 0; } -static void nci_nfcee_discover_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_nfcee_discover_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { u8 status = NCI_STATUS_OK; - const struct nci_nfcee_discover_ntf *nfcee_ntf = - (struct nci_nfcee_discover_ntf *)skb->data; + const struct nci_nfcee_discover_ntf *nfcee_ntf; + + if (skb->len < sizeof(struct nci_nfcee_discover_ntf)) + return -EINVAL; + + nfcee_ntf = (struct nci_nfcee_discover_ntf *)skb->data; /* NFCForum NCI 9.2.1 HCI Network Specific Handling * If the NFCC supports the HCI Network, it SHALL return one, @@ -783,6 +836,8 @@ static void nci_nfcee_discover_ntf_packet(struct nci_dev *ndev, ndev->cur_params.id = nfcee_ntf->nfcee_id; nci_req_complete(ndev, status); + + return 0; } void nci_ntf_packet(struct nci_dev *ndev, struct sk_buff *skb) @@ -809,35 +864,43 @@ void nci_ntf_packet(struct nci_dev *ndev, struct sk_buff *skb) switch (ntf_opcode) { case NCI_OP_CORE_RESET_NTF: - nci_core_reset_ntf_packet(ndev, skb); + if (nci_core_reset_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_CORE_CONN_CREDITS_NTF: - nci_core_conn_credits_ntf_packet(ndev, skb); + if (nci_core_conn_credits_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_CORE_GENERIC_ERROR_NTF: - nci_core_generic_error_ntf_packet(ndev, skb); + if (nci_core_generic_error_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_CORE_INTF_ERROR_NTF: - nci_core_conn_intf_error_ntf_packet(ndev, skb); + if (nci_core_conn_intf_error_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_RF_DISCOVER_NTF: - nci_rf_discover_ntf_packet(ndev, skb); + if (nci_rf_discover_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_RF_INTF_ACTIVATED_NTF: - nci_rf_intf_activated_ntf_packet(ndev, skb); + if (nci_rf_intf_activated_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_RF_DEACTIVATE_NTF: - nci_rf_deactivate_ntf_packet(ndev, skb); + if (nci_rf_deactivate_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_NFCEE_DISCOVER_NTF: - nci_nfcee_discover_ntf_packet(ndev, skb); + if (nci_nfcee_discover_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_RF_NFCEE_ACTION_NTF: -- 2.51.0

1 month, 2 weeks

4
3
0 0

[PATCH v2 RESEND] sparc: fix error handling in scan_one_device()

by Ma Ke

Once of_device_register() failed, we should call put_device() to decrement reference count for cleanup. Or it could cause memory leak. So fix this by calling put_device(), then the name can be freed in kobject_cleanup(). Calling path: of_device_register() -> of_device_add() -> device_add(). As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: cf44bbc26cf1 ("[SPARC]: Beginnings of generic of_device framework.") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - retained kfree() manually due to the lack of a release callback function. --- arch/sparc/kernel/of_device_64.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/sparc/kernel/of_device_64.c b/arch/sparc/kernel/of_device_64.c index f98c2901f335..f53092b07b9e 100644 --- a/arch/sparc/kernel/of_device_64.c +++ b/arch/sparc/kernel/of_device_64.c @@ -677,6 +677,7 @@ static struct platform_device * __init scan_one_device(struct device_node *dp, if (of_device_register(op)) { printk("%pOF: Could not register of device.\n", dp); + put_device(&op->dev); kfree(op); op = NULL; } -- 2.25.1

1 month, 2 weeks

2
1
0 0

Mate dar vo vyske dva miliony patstotisic euro.

by Dr Leonard Valentinovic Blavatnik

1 month, 2 weeks

1
0
0 0

[bug-report 6.12.y] Probably a problematic stable backport commit: 7c62c442b6eb ("x86/vmscape: Enumerate VMSCAPE bug")

by Harshit Mogalapalli

Hi stable maintainers, While skimming over stable backports for VMSCAPE commits, I found something unusual. This is regarding the 6.12.y commit: 7c62c442b6eb ("x86/vmscape: Enumerate VMSCAPE bug") commit 7c62c442b6eb95d21bc4c5afc12fee721646ebe2 Author: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Date: Thu Aug 14 10:20:42 2025 -0700 x86/vmscape: Enumerate VMSCAPE bug Commit a508cec6e5215a3fbc7e73ae86a5c5602187934d upstream. The VMSCAPE vulnerability may allow a guest to cause Branch Target Injection (BTI) in userspace hypervisors. Kernels (both host and guest) have existing defenses against direct BTI attacks from guests. There are also inter-process BTI mitigations which prevent processes from attacking each other. However, the threat in this case is to a userspace hypervisor within the same process as the attacker. Userspace hypervisors have access to their own sensitive data like disk encryption keys and also typically have access to all guest data. This means guest userspace may use the hypervisor as a confused deputy to attack sensitive guest kernel data. There are no existing mitigations for these attacks. Introduce X86_BUG_VMSCAPE for this vulnerability and set it on affected Intel and AMD CPUs. Signed-off-by: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Reviewed-by: Borislav Petkov (AMD) <bp(a)alien8.de> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> So the problem in this commit is this part of the backport: in file: arch/x86/kernel/cpu/common.c VULNBL_AMD(0x15, RETBLEED), VULNBL_AMD(0x16, RETBLEED), - VULNBL_AMD(0x17, RETBLEED | SMT_RSB | SRSO), - VULNBL_HYGON(0x18, RETBLEED | SMT_RSB | SRSO), - VULNBL_AMD(0x19, SRSO | TSA), + VULNBL_AMD(0x17, RETBLEED | SMT_RSB | SRSO | VMSCAPE), + VULNBL_HYGON(0x18, RETBLEED | SMT_RSB | SRSO | VMSCAPE), + VULNBL_AMD(0x19, SRSO | TSA | VMSCAPE), + VULNBL_AMD(0x1a, SRSO | VMSCAPE), + {} Notice the part where VULNBL_AMD(0x1a, SRSO | VMSCAPE) is added, 6.12.y doesn't have commit: 877818802c3e ("x86/bugs: Add SRSO_USER_KERNEL_NO support") so I think we shouldn't be adding VULNBL_AMD(0x1a, SRSO | VMSCAPE) directly. Boris Ostrovsky suggested me to verify this on a Turin machine as this could cause a very big performance regression : and stated if SRSO mitigation status is Safe RET we are likely in a problem, and we are in that situation. # lscpu | grep -E "CPU family" CPU family: 26 Notes: CPU ID 26 -> 0x1a And Turin machine reports the SRSO mitigation status as "Safe RET" # uname -r 6.12.48-master.20250917.el8.rc1.x86_64 # cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow Mitigation: Safe RET Boris Ostrovsky suggested backporting three commits to 6.12.y: 1. commit: 877818802c3e ("x86/bugs: Add SRSO_USER_KERNEL_NO support") 2. commit: 8442df2b49ed ("x86/bugs: KVM: Add support for SRSO_MSR_FIX") and its fix 3. commit: e3417ab75ab2 ("KVM: SVM: Set/clear SRSO's BP_SPEC_REDUCE on 0 <=> 1 VM count transitions") -- Maybe optional After backporting these three: # uname -r 6.12.48-master.20250919.el8.dev.x86_64 // Note this this is kernel with patches above three applied. # dmesg | grep -C 2 Reduce [ 3.186135] Speculative Store Bypass: Mitigation: Speculative Store Bypass disabled via prctl [ 3.187135] Speculative Return Stack Overflow: Reducing speculation to address VM/HV SRSO attack vector. [ 3.188134] Speculative Return Stack Overflow: Mitigation: Reduced Speculation [ 3.189135] VMSCAPE: Mitigation: IBPB before exit to userspace [ 3.191139] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers' # cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow Mitigation: Reduced Speculation I can send my backports to stable if this looks good. Thoughts ? Thanks, Harshit

1 month, 2 weeks

3
3
0 0

[PATCH] ceph: fix deadlock bugs by making iput() calls asynchronous

by Max Kellermann

The iput() function is a dangerous one - if the reference counter goes to zero, the function may block for a long time due to: - inode_wait_for_writeback() waits until writeback on this inode completes - the filesystem-specific "evict_inode" callback can do similar things; e.g. all netfs-based filesystems will call netfs_wait_for_outstanding_io() which is similar to inode_wait_for_writeback() Therefore, callers must carefully evaluate the context they're in and check whether invoking iput() is a good idea at all. Most of the time, this is not a problem because the dcache holds references to all inodes, and the dcache is usually the one to release the last reference. But this assumption is fragile. For example, under (memcg) memory pressure, the dcache shrinker is more likely to release inode references, moving the inode eviction to contexts where that was extremely unlikely to occur. Our production servers "found" at least two deadlock bugs in the Ceph filesystem that were caused by this iput() behavior: 1. Writeback may lead to iput() calls in Ceph (e.g. from ceph_put_wrbuffer_cap_refs()) which deadlocks in inode_wait_for_writeback(). Waiting for writeback completion from within writeback will obviously never be able to make any progress. This leads to blocked kworkers like this: INFO: task kworker/u777:6:1270802 blocked for more than 122 seconds. Not tainted 6.16.7-i1-es #773 task:kworker/u777:6 state:D stack:0 pid:1270802 tgid:1270802 ppid:2 task_flags:0x4208060 flags:0x00004000 Workqueue: writeback wb_workfn (flush-ceph-3) Call Trace: <TASK> __schedule+0x4ea/0x17d0 schedule+0x1c/0xc0 inode_wait_for_writeback+0x71/0xb0 evict+0xcf/0x200 ceph_put_wrbuffer_cap_refs+0xdd/0x220 ceph_invalidate_folio+0x97/0xc0 ceph_writepages_start+0x127b/0x14d0 do_writepages+0xba/0x150 __writeback_single_inode+0x34/0x290 writeback_sb_inodes+0x203/0x470 __writeback_inodes_wb+0x4c/0xe0 wb_writeback+0x189/0x2b0 wb_workfn+0x30b/0x3d0 process_one_work+0x143/0x2b0 worker_thread+0x30a/0x450 2. In the Ceph messenger thread (net/ceph/messenger*.c), any iput() call may invoke ceph_evict_inode() which will deadlock in netfs_wait_for_outstanding_io(); since this blocks the messenger thread, completions from the Ceph servers will not ever be received and handled. It looks like these deadlock bugs have been in the Ceph filesystem code since forever (therefore no "Fixes" tag in this patch). There may be various ways to solve this: - make iput() asynchronous and defer the actual eviction like fput() (may add overhead) - make iput() only asynchronous if I_SYNC is set (doesn't solve random things happening inside the "evict_inode" callback) - add iput_deferred() to make this asynchronous behavior/overhead optional and explicit - refactor Ceph to avoid iput() calls from within writeback and messenger (if that is even possible) - add a Ceph-specific workaround After advice from Mateusz Guzik, I decided to do the latter. The implementation is simple because it piggybacks on the existing work_struct for ceph_queue_inode_work() - ceph_inode_work() calls iput() at the end which means we can donate the last reference to it. Since Ceph has a few iput() callers in a loop, it seemed simple enough to pass this counter and use atomic_sub() instead of atomic_dec(). This patch adds ceph_iput_n_async() and converts lots of iput() calls to it - at least those that may come through writeback and the messenger. Signed-off-by: Max Kellermann <max.kellermann(a)ionos.com> Cc: Mateusz Guzik <mjguzik(a)gmail.com> Cc: stable(a)vger.kernel.org --- fs/ceph/addr.c | 2 +- fs/ceph/caps.c | 21 ++++++++++----------- fs/ceph/dir.c | 2 +- fs/ceph/inode.c | 42 ++++++++++++++++++++++++++++++++++++++++++ fs/ceph/mds_client.c | 32 ++++++++++++++++---------------- fs/ceph/quota.c | 4 ++-- fs/ceph/snap.c | 10 +++++----- fs/ceph/super.h | 7 +++++++ 8 files changed, 84 insertions(+), 36 deletions(-) diff --git a/fs/ceph/addr.c b/fs/ceph/addr.c index 322ed268f14a..fc497c91530e 100644 --- a/fs/ceph/addr.c +++ b/fs/ceph/addr.c @@ -265,7 +265,7 @@ static void finish_netfs_read(struct ceph_osd_request *req) subreq->error = err; trace_netfs_sreq(subreq, netfs_sreq_trace_io_progress); netfs_read_subreq_terminated(subreq); - iput(req->r_inode); + ceph_iput_async(req->r_inode); ceph_dec_osd_stopping_blocker(fsc->mdsc); } diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c index b1a8ff612c41..bd88b5287a2b 100644 --- a/fs/ceph/caps.c +++ b/fs/ceph/caps.c @@ -1771,7 +1771,7 @@ void ceph_flush_snaps(struct ceph_inode_info *ci, spin_unlock(&mdsc->snap_flush_lock); if (need_put) - iput(inode); + ceph_iput_async(inode); } /* @@ -3318,8 +3318,8 @@ static void __ceph_put_cap_refs(struct ceph_inode_info *ci, int had, } if (wake) wake_up_all(&ci->i_cap_wq); - while (put-- > 0) - iput(inode); + if (put > 0) + ceph_iput_n_async(inode, put); } void ceph_put_cap_refs(struct ceph_inode_info *ci, int had) @@ -3418,9 +3418,8 @@ void ceph_put_wrbuffer_cap_refs(struct ceph_inode_info *ci, int nr, } if (complete_capsnap) wake_up_all(&ci->i_cap_wq); - while (put-- > 0) { - iput(inode); - } + if (put > 0) + ceph_iput_n_async(inode, put); } /* @@ -3917,7 +3916,7 @@ static void handle_cap_flush_ack(struct inode *inode, u64 flush_tid, if (wake_mdsc) wake_up_all(&mdsc->cap_flushing_wq); if (drop) - iput(inode); + ceph_iput_async(inode); } void __ceph_remove_capsnap(struct inode *inode, struct ceph_cap_snap *capsnap, @@ -4008,7 +4007,7 @@ static void handle_cap_flushsnap_ack(struct inode *inode, u64 flush_tid, wake_up_all(&ci->i_cap_wq); if (wake_mdsc) wake_up_all(&mdsc->cap_flushing_wq); - iput(inode); + ceph_iput_async(inode); } } @@ -4557,7 +4556,7 @@ void ceph_handle_caps(struct ceph_mds_session *session, done: mutex_unlock(&session->s_mutex); done_unlocked: - iput(inode); + ceph_iput_async(inode); out: ceph_dec_mds_stopping_blocker(mdsc); @@ -4636,7 +4635,7 @@ unsigned long ceph_check_delayed_caps(struct ceph_mds_client *mdsc) doutc(cl, "on %p %llx.%llx\n", inode, ceph_vinop(inode)); ceph_check_caps(ci, 0); - iput(inode); + ceph_iput_async(inode); spin_lock(&mdsc->cap_delay_lock); } @@ -4675,7 +4674,7 @@ static void flush_dirty_session_caps(struct ceph_mds_session *s) spin_unlock(&mdsc->cap_dirty_lock); ceph_wait_on_async_create(inode); ceph_check_caps(ci, CHECK_CAPS_FLUSH); - iput(inode); + ceph_iput_async(inode); spin_lock(&mdsc->cap_dirty_lock); } spin_unlock(&mdsc->cap_dirty_lock); diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c index 32973c62c1a2..ec73ed52a227 100644 --- a/fs/ceph/dir.c +++ b/fs/ceph/dir.c @@ -1290,7 +1290,7 @@ static void ceph_async_unlink_cb(struct ceph_mds_client *mdsc, ceph_mdsc_free_path_info(&path_info); } out: - iput(req->r_old_inode); + ceph_iput_async(req->r_old_inode); ceph_mdsc_release_dir_caps(req); } diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c index f67025465de0..385d5261632d 100644 --- a/fs/ceph/inode.c +++ b/fs/ceph/inode.c @@ -2191,6 +2191,48 @@ void ceph_queue_inode_work(struct inode *inode, int work_bit) } } +/** + * Queue an asynchronous iput() call in a worker thread. Use this + * instead of iput() in contexts where evicting the inode is unsafe. + * For example, inode eviction may cause deadlocks in + * inode_wait_for_writeback() (when called from within writeback) or + * in netfs_wait_for_outstanding_io() (when called from within the + * Ceph messenger). + * + * @n: how many references to put + */ +void ceph_iput_n_async(struct inode *inode, int n) +{ + if (unlikely(!inode)) + return; + + if (likely(atomic_sub_return(n, &inode->i_count) > 0)) + /* somebody else is holding another reference - + * nothing left to do for us + */ + return; + + doutc(ceph_inode_to_fs_client(inode)->client, "%p %llx.%llx\n", inode, ceph_vinop(inode)); + + /* the reference counter is now 0, i.e. nobody else is holding + * a reference to this inode; restore it to 1 and donate it to + * ceph_inode_work() which will call iput() at the end + */ + atomic_set(&inode->i_count, 1); + + /* simply queue a ceph_inode_work() without setting + * i_work_mask bit; other than putting the reference, there is + * nothing to do + */ + WARN_ON_ONCE(!queue_work(ceph_inode_to_fs_client(inode)->inode_wq, + &ceph_inode(inode)->i_work)); + + /* note: queue_work() cannot fail; it i_work were already + * queued, then it would be holding another reference, but no + * such reference exists + */ +} + static void ceph_do_invalidate_pages(struct inode *inode) { struct ceph_client *cl = ceph_inode_to_client(inode); diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c index 3bc72b47fe4d..d7fce1ad8073 100644 --- a/fs/ceph/mds_client.c +++ b/fs/ceph/mds_client.c @@ -1097,14 +1097,14 @@ void ceph_mdsc_release_request(struct kref *kref) ceph_msg_put(req->r_reply); if (req->r_inode) { ceph_put_cap_refs(ceph_inode(req->r_inode), CEPH_CAP_PIN); - iput(req->r_inode); + ceph_iput_async(req->r_inode); } if (req->r_parent) { ceph_put_cap_refs(ceph_inode(req->r_parent), CEPH_CAP_PIN); - iput(req->r_parent); + ceph_iput_async(req->r_parent); } - iput(req->r_target_inode); - iput(req->r_new_inode); + ceph_iput_async(req->r_target_inode); + ceph_iput_async(req->r_new_inode); if (req->r_dentry) dput(req->r_dentry); if (req->r_old_dentry) @@ -1118,7 +1118,7 @@ void ceph_mdsc_release_request(struct kref *kref) */ ceph_put_cap_refs(ceph_inode(req->r_old_dentry_dir), CEPH_CAP_PIN); - iput(req->r_old_dentry_dir); + ceph_iput_async(req->r_old_dentry_dir); } kfree(req->r_path1); kfree(req->r_path2); @@ -1240,7 +1240,7 @@ static void __unregister_request(struct ceph_mds_client *mdsc, } if (req->r_unsafe_dir) { - iput(req->r_unsafe_dir); + ceph_iput_async(req->r_unsafe_dir); req->r_unsafe_dir = NULL; } @@ -1413,7 +1413,7 @@ static int __choose_mds(struct ceph_mds_client *mdsc, cap = rb_entry(rb_first(&ci->i_caps), struct ceph_cap, ci_node); if (!cap) { spin_unlock(&ci->i_ceph_lock); - iput(inode); + ceph_iput_async(inode); goto random; } mds = cap->session->s_mds; @@ -1422,7 +1422,7 @@ static int __choose_mds(struct ceph_mds_client *mdsc, cap == ci->i_auth_cap ? "auth " : "", cap); spin_unlock(&ci->i_ceph_lock); out: - iput(inode); + ceph_iput_async(inode); return mds; random: @@ -1841,7 +1841,7 @@ int ceph_iterate_session_caps(struct ceph_mds_session *session, spin_unlock(&session->s_cap_lock); if (last_inode) { - iput(last_inode); + ceph_iput_async(last_inode); last_inode = NULL; } if (old_cap) { @@ -1874,7 +1874,7 @@ int ceph_iterate_session_caps(struct ceph_mds_session *session, session->s_cap_iterator = NULL; spin_unlock(&session->s_cap_lock); - iput(last_inode); + ceph_iput_async(last_inode); if (old_cap) ceph_put_cap(session->s_mdsc, old_cap); @@ -1903,8 +1903,8 @@ static int remove_session_caps_cb(struct inode *inode, int mds, void *arg) wake_up_all(&ci->i_cap_wq); if (invalidate) ceph_queue_invalidate(inode); - while (iputs--) - iput(inode); + if (iputs > 0) + ceph_iput_n_async(inode, iputs); return 0; } @@ -1944,7 +1944,7 @@ static void remove_session_caps(struct ceph_mds_session *session) spin_unlock(&session->s_cap_lock); inode = ceph_find_inode(sb, vino); - iput(inode); + ceph_iput_async(inode); spin_lock(&session->s_cap_lock); } @@ -2512,7 +2512,7 @@ static void ceph_cap_unlink_work(struct work_struct *work) doutc(cl, "on %p %llx.%llx\n", inode, ceph_vinop(inode)); ceph_check_caps(ci, CHECK_CAPS_FLUSH); - iput(inode); + ceph_iput_async(inode); spin_lock(&mdsc->cap_delay_lock); } } @@ -3933,7 +3933,7 @@ static void handle_reply(struct ceph_mds_session *session, struct ceph_msg *msg) !req->r_reply_info.has_create_ino) { /* This should never happen on an async create */ WARN_ON_ONCE(req->r_deleg_ino); - iput(in); + ceph_iput_async(in); in = NULL; } @@ -5313,7 +5313,7 @@ static void handle_lease(struct ceph_mds_client *mdsc, out: mutex_unlock(&session->s_mutex); - iput(inode); + ceph_iput_async(inode); ceph_dec_mds_stopping_blocker(mdsc); return; diff --git a/fs/ceph/quota.c b/fs/ceph/quota.c index d90eda19bcc4..bba00f8926e6 100644 --- a/fs/ceph/quota.c +++ b/fs/ceph/quota.c @@ -76,7 +76,7 @@ void ceph_handle_quota(struct ceph_mds_client *mdsc, le64_to_cpu(h->max_files)); spin_unlock(&ci->i_ceph_lock); - iput(inode); + ceph_iput_async(inode); out: ceph_dec_mds_stopping_blocker(mdsc); } @@ -190,7 +190,7 @@ void ceph_cleanup_quotarealms_inodes(struct ceph_mds_client *mdsc) node = rb_first(&mdsc->quotarealms_inodes); qri = rb_entry(node, struct ceph_quotarealm_inode, node); rb_erase(node, &mdsc->quotarealms_inodes); - iput(qri->inode); + ceph_iput_async(qri->inode); kfree(qri); } mutex_unlock(&mdsc->quotarealms_inodes_mutex); diff --git a/fs/ceph/snap.c b/fs/ceph/snap.c index c65f2b202b2b..19f097e79b3c 100644 --- a/fs/ceph/snap.c +++ b/fs/ceph/snap.c @@ -735,7 +735,7 @@ static void queue_realm_cap_snaps(struct ceph_mds_client *mdsc, if (!inode) continue; spin_unlock(&realm->inodes_with_caps_lock); - iput(lastinode); + ceph_iput_async(lastinode); lastinode = inode; /* @@ -762,7 +762,7 @@ static void queue_realm_cap_snaps(struct ceph_mds_client *mdsc, spin_lock(&realm->inodes_with_caps_lock); } spin_unlock(&realm->inodes_with_caps_lock); - iput(lastinode); + ceph_iput_async(lastinode); if (capsnap) kmem_cache_free(ceph_cap_snap_cachep, capsnap); @@ -955,7 +955,7 @@ static void flush_snaps(struct ceph_mds_client *mdsc) ihold(inode); spin_unlock(&mdsc->snap_flush_lock); ceph_flush_snaps(ci, &session); - iput(inode); + ceph_iput_async(inode); spin_lock(&mdsc->snap_flush_lock); } spin_unlock(&mdsc->snap_flush_lock); @@ -1116,12 +1116,12 @@ void ceph_handle_snap(struct ceph_mds_client *mdsc, ceph_get_snap_realm(mdsc, realm); ceph_change_snap_realm(inode, realm); spin_unlock(&ci->i_ceph_lock); - iput(inode); + ceph_iput_async(inode); continue; skip_inode: spin_unlock(&ci->i_ceph_lock); - iput(inode); + ceph_iput_async(inode); } /* we may have taken some of the old realm's children. */ diff --git a/fs/ceph/super.h b/fs/ceph/super.h index cf176aab0f82..15c09b6c94aa 100644 --- a/fs/ceph/super.h +++ b/fs/ceph/super.h @@ -1085,6 +1085,13 @@ static inline void ceph_queue_flush_snaps(struct inode *inode) ceph_queue_inode_work(inode, CEPH_I_WORK_FLUSH_SNAPS); } +void ceph_iput_n_async(struct inode *inode, int n); + +static inline void ceph_iput_async(struct inode *inode) +{ + ceph_iput_n_async(inode, 1); +} + extern int ceph_try_to_choose_auth_mds(struct inode *inode, int mask); extern int __ceph_do_getattr(struct inode *inode, struct page *locked_page, int mask, bool force); -- 2.47.3

1 month, 2 weeks

3
12
0 0

[PATCH 1/1] perf/x86/intel: Fix crash in icl_update_topdown_event()

by Angel Adetula

From: Kan Liang <kan.liang(a)linux.intel.com> [ Upstream commit b0823d5fbacb1c551d793cbfe7af24e0d1fa45ed ] The perf_fuzzer found a hard-lockup crash on a RaptorLake machine: Oops: general protection fault, maybe for address 0xffff89aeceab400: 0000 CPU: 23 UID: 0 PID: 0 Comm: swapper/23 Tainted: [W]=WARN Hardware name: Dell Inc. Precision 9660/0VJ762 RIP: 0010:native_read_pmc+0x7/0x40 Code: cc e8 8d a9 01 00 48 89 03 5b cd cc cc cc cc 0f 1f ... RSP: 000:fffb03100273de8 EFLAGS: 00010046 .... Call Trace: <TASK> icl_update_topdown_event+0x165/0x190 ? ktime_get+0x38/0xd0 intel_pmu_read_event+0xf9/0x210 __perf_event_read+0xf9/0x210 CPUs 16-23 are E-core CPUs that don't support the perf metrics feature. The icl_update_topdown_event() should not be invoked on these CPUs. It's a regression of commit: f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read") The bug introduced by that commit is that the is_topdown_event() function is mistakenly used to replace the is_topdown_count() call to check if the topdown functions for the perf metrics feature should be invoked. Fix it. Fixes: f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read") Closes: https://lore.kernel.org/lkml/352f0709-f026-cd45-e60c-60dfd97f73f3@maine.edu/ Reported-by: Vince Weaver <vincent.weaver(a)maine.edu> Signed-off-by: Kan Liang <kan.liang(a)linux.intel.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Tested-by: Vince Weaver <vincent.weaver(a)maine.edu> Cc: stable(a)vger.kernel.org # v6.15+ Link: https://lore.kernel.org/r/20250612143818.2889040-1-kan.liang@linux.intel.com [ omitted PEBS check ] Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Angel Adetula <angeladetula(a)google.com> --- arch/x86/events/intel/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c index 5e43d390f7a3..36d8404f406d 100644 --- a/arch/x86/events/intel/core.c +++ b/arch/x86/events/intel/core.c @@ -2793,7 +2793,7 @@ static void intel_pmu_read_event(struct perf_event *event) if (pmu_enabled) intel_pmu_disable_all(); - if (is_topdown_event(event)) + if (is_topdown_count(event)) static_call(intel_pmu_update_topdown_event)(event); else intel_pmu_drain_pebs_buffer(); -- 2.51.0.470.ga7dc726c21-goog

1 month, 2 weeks

1
0
0 0

Linux 6.16.8

by Greg Kroah-Hartman

I'm announcing the release of the 6.16.8 kernel. All users of the 6.16 kernel series must upgrade. The updated 6.16.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.16.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/serial/brcm,bcm7271-uart.yaml | 2 Documentation/netlink/specs/mptcp_pm.yaml | 2 Documentation/networking/can.rst | 2 Documentation/networking/mptcp.rst | 8 Makefile | 2 arch/arm64/kernel/machine_kexec_file.c | 2 arch/s390/kernel/kexec_elf.c | 2 arch/s390/kernel/kexec_image.c | 2 arch/s390/kernel/machine_kexec_file.c | 6 arch/s390/kernel/perf_cpum_cf.c | 4 arch/s390/kernel/perf_pai_crypto.c | 4 arch/s390/kernel/perf_pai_ext.c | 2 arch/x86/kernel/cpu/topology_amd.c | 25 block/fops.c | 13 drivers/cpufreq/amd-pstate.c | 19 drivers/cpufreq/intel_pstate.c | 4 drivers/dma/dw/rzn1-dmamux.c | 15 drivers/dma/idxd/init.c | 39 - drivers/dma/qcom/bam_dma.c | 8 drivers/dma/ti/edma.c | 4 drivers/edac/altera_edac.c | 1 drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 4 drivers/gpu/drm/amd/amdgpu/amdgpu_psp.h | 11 drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 2 drivers/gpu/drm/amd/amdgpu/isp_v4_1_1.c | 2 drivers/gpu/drm/amd/amdgpu/psp_v10_0.c | 4 drivers/gpu/drm/amd/amdgpu/psp_v11_0.c | 31 - drivers/gpu/drm/amd/amdgpu/psp_v11_0_8.c | 25 drivers/gpu/drm/amd/amdgpu/psp_v12_0.c | 18 drivers/gpu/drm/amd/amdgpu/psp_v13_0.c | 25 drivers/gpu/drm/amd/amdgpu/psp_v13_0_4.c | 25 drivers/gpu/drm/amd/amdgpu/psp_v14_0.c | 25 drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 12 drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 64 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 106 ++-- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 1 drivers/gpu/drm/amd/display/dc/dc.h | 1 drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c | 74 +- drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 2 drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 115 ---- drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c | 3 drivers/gpu/drm/amd/display/dc/hwss/dcn351/dcn351_init.c | 3 drivers/gpu/drm/amd/display/dc/inc/hw/pg_cntl.h | 1 drivers/gpu/drm/amd/display/dc/pg/dcn35/dcn35_pg_cntl.c | 78 +- drivers/gpu/drm/display/drm_dp_helper.c | 42 + drivers/gpu/drm/drm_edid.c | 232 ++++---- drivers/gpu/drm/i915/display/intel_display_power.c | 6 drivers/gpu/drm/mediatek/mtk_drm_drv.c | 11 drivers/gpu/drm/panthor/panthor_drv.c | 2 drivers/gpu/drm/xe/tests/xe_bo.c | 2 drivers/gpu/drm/xe/tests/xe_dma_buf.c | 10 drivers/gpu/drm/xe/xe_bo.c | 16 drivers/gpu/drm/xe/xe_bo.h | 2 drivers/gpu/drm/xe/xe_device_types.h | 6 drivers/gpu/drm/xe/xe_dma_buf.c | 2 drivers/gpu/drm/xe/xe_exec.c | 9 drivers/gpu/drm/xe/xe_pm.c | 42 + drivers/gpu/drm/xe/xe_survivability_mode.c | 3 drivers/gpu/drm/xe/xe_vm.c | 42 + drivers/gpu/drm/xe/xe_vm.h | 2 drivers/gpu/drm/xe/xe_vm_types.h | 5 drivers/i2c/busses/i2c-i801.c | 2 drivers/i2c/busses/i2c-rtl9300.c | 22 drivers/input/joystick/xpad.c | 2 drivers/input/misc/iqs7222.c | 3 drivers/input/serio/i8042-acpipnpio.h | 14 drivers/iommu/intel/cache.c | 5 drivers/iommu/intel/iommu.c | 263 ++++++---- drivers/iommu/intel/iommu.h | 12 drivers/iommu/intel/nested.c | 4 drivers/iommu/intel/svm.c | 1 drivers/irqchip/irq-mvebu-gicp.c | 2 drivers/md/md.c | 6 drivers/mtd/nand/raw/atmel/nand-controller.c | 16 drivers/mtd/nand/raw/nuvoton-ma35d1-nand-controller.c | 4 drivers/mtd/nand/raw/stm32_fmc2_nand.c | 46 - drivers/mtd/nand/spi/core.c | 18 drivers/mtd/nand/spi/winbond.c | 80 ++- drivers/net/can/xilinx_can.c | 16 drivers/net/dsa/b53/b53_common.c | 17 drivers/net/ethernet/freescale/fec_main.c | 3 drivers/net/ethernet/intel/i40e/i40e_main.c | 2 drivers/net/ethernet/intel/igb/igb_ethtool.c | 5 drivers/net/ethernet/intel/igb/igb_main.c | 3 drivers/net/ethernet/ti/icssg/icssg_prueth.c | 20 drivers/net/ethernet/wangxun/libwx/wx_hw.c | 4 drivers/net/macsec.c | 1 drivers/net/phy/phy.c | 12 drivers/net/phy/phylink.c | 28 - drivers/net/wireless/ath/ath12k/core.h | 1 drivers/net/wireless/ath/ath12k/dp_mon.c | 22 drivers/net/wireless/ath/ath12k/dp_rx.c | 11 drivers/net/wireless/ath/ath12k/hw.c | 55 ++ drivers/net/wireless/ath/ath12k/hw.h | 2 drivers/net/wireless/ath/ath12k/mac.c | 127 ++-- drivers/net/wireless/ath/ath12k/peer.c | 2 drivers/net/wireless/ath/ath12k/peer.h | 28 + drivers/net/wireless/ath/ath12k/wmi.c | 58 ++ drivers/net/wireless/ath/ath12k/wmi.h | 16 drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 26 drivers/pci/controller/pci-mvebu.c | 21 drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c | 4 drivers/phy/qualcomm/phy-qcom-qmp-pcie.c | 25 drivers/phy/tegra/xusb-tegra210.c | 6 drivers/phy/ti/phy-omap-usb2.c | 13 drivers/phy/ti/phy-ti-pipe3.c | 13 drivers/regulator/sy7636a-regulator.c | 7 drivers/tty/hvc/hvc_console.c | 6 drivers/tty/serial/sc16is7xx.c | 14 drivers/usb/gadget/function/f_midi2.c | 11 drivers/usb/gadget/udc/dummy_hcd.c | 8 drivers/usb/host/xhci-dbgcap.c | 94 ++- drivers/usb/host/xhci-mem.c | 2 drivers/usb/serial/option.c | 17 drivers/usb/typec/tcpm/tcpm.c | 12 fs/btrfs/extent_io.c | 73 ++ fs/btrfs/inode.c | 12 fs/btrfs/qgroup.c | 6 fs/ceph/addr.c | 9 fs/ceph/debugfs.c | 14 fs/ceph/dir.c | 17 fs/ceph/file.c | 24 fs/ceph/inode.c | 88 ++- fs/ceph/mds_client.c | 172 +++--- fs/ceph/mds_client.h | 18 fs/coredump.c | 4 fs/erofs/data.c | 8 fs/erofs/fileio.c | 2 fs/erofs/fscache.c | 2 fs/erofs/inode.c | 8 fs/erofs/internal.h | 2 fs/erofs/super.c | 16 fs/erofs/zdata.c | 17 fs/erofs/zmap.c | 98 +-- fs/exec.c | 2 fs/fhandle.c | 8 fs/fuse/dev.c | 2 fs/fuse/file.c | 5 fs/fuse/passthrough.c | 5 fs/kernfs/file.c | 58 +- fs/nfs/client.c | 2 fs/nfs/file.c | 7 fs/nfs/flexfilelayout/flexfilelayout.c | 21 fs/nfs/inode.c | 4 fs/nfs/internal.h | 10 fs/nfs/io.c | 13 fs/nfs/localio.c | 12 fs/nfs/nfs42proc.c | 2 fs/nfs/nfs4file.c | 2 fs/nfs/nfs4proc.c | 7 fs/nfs/write.c | 1 fs/ocfs2/extent_map.c | 10 fs/proc/generic.c | 3 fs/resctrl/ctrlmondata.c | 2 fs/resctrl/internal.h | 4 fs/resctrl/monitor.c | 6 fs/smb/client/cifsglob.h | 13 fs/smb/client/file.c | 18 fs/smb/client/inode.c | 86 ++- fs/smb/client/smb2glob.h | 3 fs/smb/client/smb2inode.c | 204 ++++++- fs/smb/client/smb2ops.c | 32 + fs/smb/client/smb2proto.h | 3 fs/smb/client/trace.h | 9 include/drm/display/drm_dp_helper.h | 6 include/drm/drm_connector.h | 4 include/drm/drm_edid.h | 8 include/linux/compiler-clang.h | 29 - include/linux/energy_model.h | 10 include/linux/fs.h | 3 include/linux/kasan.h | 6 include/linux/mtd/spinand.h | 8 include/net/netfilter/nf_tables.h | 11 include/net/netfilter/nf_tables_core.h | 49 - include/net/netns/nftables.h | 1 include/uapi/linux/raid/md_p.h | 2 io_uring/rw.c | 3 kernel/bpf/Makefile | 1 kernel/bpf/core.c | 16 kernel/bpf/cpumap.c | 4 kernel/bpf/crypto.c | 2 kernel/bpf/helpers.c | 7 kernel/bpf/rqspinlock.c | 2 kernel/dma/debug.c | 48 + kernel/dma/debug.h | 20 kernel/dma/mapping.c | 4 kernel/events/core.c | 1 kernel/power/energy_model.c | 29 - kernel/power/hibernate.c | 1 kernel/time/hrtimer.c | 11 kernel/trace/fgraph.c | 3 kernel/trace/trace.c | 10 kernel/trace/trace_osnoise.c | 3 mm/damon/core.c | 4 mm/damon/lru_sort.c | 5 mm/damon/reclaim.c | 5 mm/damon/sysfs.c | 14 mm/hugetlb.c | 9 mm/kasan/shadow.c | 31 - mm/khugepaged.c | 4 mm/memory-failure.c | 20 mm/vmalloc.c | 8 net/bluetooth/hci_conn.c | 14 net/bluetooth/hci_event.c | 7 net/bluetooth/iso.c | 2 net/bridge/br.c | 7 net/can/j1939/bus.c | 5 net/can/j1939/j1939-priv.h | 1 net/can/j1939/main.c | 3 net/can/j1939/socket.c | 52 + net/ceph/messenger.c | 7 net/core/dev_ioctl.c | 22 net/hsr/hsr_device.c | 28 - net/hsr/hsr_main.c | 4 net/hsr/hsr_main.h | 3 net/ipv4/ip_tunnel_core.c | 6 net/ipv4/tcp_bpf.c | 5 net/mptcp/sockopt.c | 11 net/netfilter/nf_tables_api.c | 123 +++- net/netfilter/nft_dynset.c | 5 net/netfilter/nft_lookup.c | 67 +- net/netfilter/nft_objref.c | 5 net/netfilter/nft_set_bitmap.c | 14 net/netfilter/nft_set_hash.c | 54 -- net/netfilter/nft_set_pipapo.c | 214 ++------ net/netfilter/nft_set_pipapo_avx2.c | 27 - net/netfilter/nft_set_rbtree.c | 46 - net/netlink/genetlink.c | 3 net/sunrpc/sched.c | 2 net/sunrpc/xprtsock.c | 6 net/xdp/xsk.c | 113 +++- net/xdp/xsk_queue.h | 12 samples/ftrace/ftrace-direct-modify.c | 2 tools/testing/selftests/net/can/config | 3 234 files changed, 3151 insertions(+), 1712 deletions(-) Alan Stern (1): USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels Alex Deucher (3): Revert "drm/amdgpu: Add more checks to PSP mailbox" drm/amdgpu: fix a memory leak in fence cleanup when unloading drm/amd/display: use udelay rather than fsleep Alex Markuze (2): ceph: fix race condition validating r_parent before applying state ceph: fix race condition where r_parent becomes stale before sending message Alex Tran (1): docs: networking: can: change bcm_msg_head frames member to support flexible array Alexander Sverdlin (1): mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing Alok Tiwari (1): genetlink: fix genl_bind() invoking bind() after -EPERM Amir Goldstein (2): fhandle: use more consistent rules for decoding file handle from userns fuse: do not allow mapping a non-regular backing file Anders Roxell (1): dmaengine: ti: edma: Fix memory allocation size for queue_priority_map Andreas Kemnade (1): regulator: sy7636a: fix lifecycle of power good gpio Anssi Hannula (1): can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB Antheas Kapenekakis (1): Input: xpad - add support for Flydigi Apex 5 Antoine Tenart (1): tunnels: reset the GSO metadata before reusing the skb Baochen Qiang (1): dma-debug: don't enforce dma mapping check on noncoherent allocations Boris Burkov (2): btrfs: fix squota compressed stats leak btrfs: use readahead_expand() on compressed extents Breno Leitao (2): arm64: kexec: initialize kexec_buf struct in load_other_segments() s390: kexec: initialize kexec_buf struct Carolina Jubran (1): net: dev_ioctl: take ops lock in hwtstamp lower paths Chen Ridong (1): kernfs: Fix UAF in polling when open file is released Chia-I Wu (1): drm/panthor: validate group queue count Chiasheng Lee (1): i2c: i801: Hide Intel Birch Stream SoC TCO WDT Christian Brauner (1): coredump: don't pointlessly check and spew warnings Christoffer Sandberg (1): Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk table Christoph Hellwig (2): fs: add a FMODE_ flag to indicate IOCB_HAS_METADATA availability block: don't silently ignore metadata for sync read/write Christophe JAILLET (1): mtd: rawnand: nuvoton: Fix an error handling path in ma35_nand_chips_init() Christophe Kerello (2): mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer mtd: rawnand: stm32_fmc2: fix ECC overwrite Dan Carpenter (2): irqchip/mvebu-gicp: Fix an IS_ERR() vs NULL check in probe() dmaengine: idxd: Fix double free in idxd_setup_wqs() Daniel Borkmann (1): bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt David Rosca (2): drm/amdgpu/vcn: Allow limiting ctx to instance 0 for AV1 at any time drm/amdgpu/vcn4: Fix IB parsing with multiple engine info packages Davide Caratti (1): selftests: can: enable CONFIG_CAN_VCAN as a module Edward Adam Davis (1): fuse: Block access to folio overlimit Fabian Vogt (1): tty: hvc_console: Call hvc_kick in hvc_write unconditionally Fabio Porcedda (2): USB: serial: option: add Telit Cinterion FN990A w/audio compositions USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions Fangzhi Zuo (1): drm/amd/display: Disable DPCD Probe Quirk Florian Westphal (11): netfilter: nft_set_bitmap: fix lockdep splat due to missing annotation netfilter: nft_set_pipapo: remove unused arguments netfilter: nft_set: remove one argument from lookup and update functions netfilter: nft_set_pipapo: merge pipapo_get/lookup netfilter: nft_set_pipapo: don't return bogus extension pointer netfilter: nft_set_pipapo: don't check genbit from packetpath lookups netfilter: nft_set_rbtree: continue traversal if element is inactive netfilter: nf_tables: place base_seq in struct net netfilter: nf_tables: make nft_set_do_lookup available unconditionally netfilter: nf_tables: restart set lookup on base_seq change netfilter: nft_set_pipapo: fix null deref for empty set Gao Xiang (4): erofs: get rid of {get,put}_page() for ztailpacking data erofs: remove need_kmap in erofs_read_metabuf() erofs: unify meta buffers in z_erofs_fill_inode() erofs: fix invalid algorithm for encoded extents Gautham R. Shenoy (1): cpufreq/amd-pstate: Fix setting of CPPC.min_perf in active mode for performance governor Geoffrey McRae (1): drm/amd/display: remove oem i2c adapter on finish Greg Kroah-Hartman (1): Linux 6.16.8 Guenter Roeck (1): trace/fgraph: Fix error handling Hangbin Liu (3): hsr: use rtnl lock when iterating over ports hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr hsr: hold rcu and dev lock for hsr_get_port_ndev Hugo Villeneuve (1): serial: sc16is7xx: fix bug in flow control levels init Ilya Dryomov (1): libceph: fix invalid accesses to ceph_connection_v1_info Imre Deak (3): drm/edid: Define the quirks in an enum list drm/edid: Add support for quirks visible to DRM core and drivers drm/dp: Add an EDID quirk for the DPCD register access probe Jani Nikula (1): drm/i915/power: fix size for for_each_set_bit() in abox iteration Jason Gunthorpe (3): iommu/vt-d: Split intel_iommu_domain_alloc_paging_flags() iommu/vt-d: Create unique domain ops for each stage iommu/vt-d: Split paging_domain_compatible() Jeff LaBundy (1): Input: iqs7222 - avoid enabling unused interrupts Jeongjun Park (1): mm/hugetlb: add missing hugetlb_lock in __unmap_hugepage_range() Jesper Dangaard Brouer (1): bpf, cpumap: Disable page_pool direct xdp_return need larger scope Jiawen Wu (1): net: libwx: fix to enable RSS Johan Hovold (4): drm/mediatek: fix potential OF node use-after-free phy: tegra: xusb: fix device and OF node leak at probe phy: ti: omap-usb2: fix device leak at unbind phy: ti-pipe3: fix device leak at unbind Johannes Berg (1): wifi: iwlwifi: fix 130/1030 configs Jonas Gorski (1): net: dsa: b53: fix ageing time for BCM53101 Jonas Jelonek (3): i2c: rtl9300: fix channel number bound check i2c: rtl9300: ensure data length is within supported range i2c: rtl9300: remove broken SMBus Quick operation support Jonathan Curley (1): NFSv4/flexfiles: Fix layout merge mirror check. Justin Worrell (1): SUNRPC: call xs_sock_process_cmsg for all cmsg K Prateek Nayak (1): x86/cpu/topology: Always try cpu_parse_topology_ext() on AMD/Hygon KaFai Wan (1): bpf: Allow fall back to interpreter for programs with stack size <= 512 Kan Liang (1): perf: Fix the POLL_HUP delivery breakage Klaus Kudielka (1): PCI: mvebu: Fix use of for_each_of_range() iterator Kohei Enju (1): igb: fix link test skipping when interface is admin down Krister Johansen (1): mptcp: sockopt: make sync_socket_options propagate SOCK_KEEPOPEN Krzysztof Kozlowski (1): dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks Kumar Kartikeya Dwivedi (1): rqspinlock: Choose trylock fallback for NMI waiters Kuniyuki Iwashima (1): tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork. Kyle Meyer (1): mm/memory-failure: fix redundant updates for already poisoned pages Lu Baolu (1): iommu/vt-d: Make iotlb_sync_map a static property of dmar_domain Luiz Augusto von Dentz (3): Bluetooth: hci_conn: Fix not cleaning up Broadcaster/Broadcast Source Bluetooth: hci_conn: Fix running bis_cleanup for hci_conn->type PA_LINK Bluetooth: ISO: Fix getname not returning broadcast fields Luo Gengkun (1): tracing: Fix tracing_marker may trigger page fault during preempt_disable Maciej Fijalkowski (1): xsk: Fix immature cq descriptor production Mario Limonciello (1): drm/amd/display: Destroy cached state in complete() callback Mario Limonciello (AMD) (2): cpufreq/amd-pstate: Fix a regression leading to EPP 0 after resume drm/amd/display: Drop dm_prepare_suspend() and dm_complete() Mark Tinguely (1): ocfs2: fix recursive semaphore deadlock in fiemap call Mathias Nyman (3): xhci: dbc: decouple endpoint allocation from initialization xhci: dbc: Fix full DbC transfer ring after several reconnects xhci: fix memory leak regression when freeing xhci vdev devices depth first Matthieu Baerts (NGI0) (2): doc: mptcp: net.mptcp.pm_type is deprecated netlink: specs: mptcp: fix if-idx attribute type Max Kellermann (2): ceph: always call ceph_shift_unused_folios_left() ceph: fix crash after fscrypt_encrypt_pagecache_blocks() error Miaohe Lin (1): mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory Miaoqian Lin (1): dmaengine: dw: dmamux: Fix device reference leak in rzn1_dmamux_route_allocate Miaoqing Pan (2): wifi: ath12k: Fix missing station power save configuration wifi: ath12k: fix WMI TLV header misalignment Michal Schmidt (1): i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path Michal Wajdeczko (1): drm/xe/configfs: Don't touch survivability_mode on fini Miklos Szeredi (2): fuse: check if copy_file_range() returns larger than requested size fuse: prevent overflow in copy_file_range return value Miquel Raynal (2): mtd: spinand: Add a ->configure_chip() hook mtd: spinand: winbond: Enable high-speed modes on w25n0xjw Nathan Chancellor (1): compiler-clang.h: define __SANITIZE_*__ macros only when undefined Oleksij Rempel (1): net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups Omar Sandoval (1): btrfs: fix subvolume deletion lockup caused by inodes xarray race Ovidiu Bunea (1): drm/amd/display: Correct sequences and delays for DCN35 PG & RCG Paolo Abeni (1): Revert "net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups" Paulo Alcantara (2): smb: client: fix compound alignment with encryption smb: client: fix data loss due to broken rename(2) Peilin Ye (1): bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init() Pengyu Luo (1): phy: qualcomm: phy-qcom-eusb2-repeater: fix override properties Petr Machata (1): net: bridge: Bounce invalid boolopts Phil Sutter (1): netfilter: nf_tables: Reintroduce shortened deletion notifications Pratap Nirujogi (1): drm/amd/amdgpu: Declare isp firmware binary file Pu Lehui (1): tracing: Silence warning when chunk allocation fails in trace_pid_write Qu Wenruo (1): btrfs: fix corruption reading compressed range when block size is smaller than page size Quanmin Yan (2): mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters() mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters() RD Babiera (1): usb: typec: tcpm: properly deliver cable vdms to altmode drivers Rafael J. Wysocki (2): PM: EM: Add function for registering a PD without capacity update PM: hibernate: Restrict GFP mask in hibernation_snapshot() Reinette Chatre (1): fs/resctrl: Eliminate false positive lockdep warning when reading SNC counters Salah Triki (1): EDAC/altera: Delete an inappropriate dma_free_coherent() call Sang-Heon Jeon (1): mm/damon/core: set quota->charged_from to jiffies at first charge window Santhosh Kumar K (1): mtd: spinand: winbond: Fix oob_layout for W25N01JW Sarika Sharma (1): wifi: ath12k: add link support for multi-link in arsta Scott Mayhew (1): nfs/localio: restore creds before releasing pageio data Sriram R (1): wifi: ath12k: Add support to enqueue management frame at MLD level Stanislav Fomichev (1): macsec: sync features on RTM_NEWLINK Stanislav Fort (1): mm/damon/sysfs: fix use-after-free in state_show() Stefan Wahren (1): net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() Stephan Gerhold (2): dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees phy: qcom: qmp-pcie: Fix PHY initialization when powered down by firmware Takashi Iwai (2): usb: gadget: midi2: Fix missing UMP group attributes initialization usb: gadget: midi2: Fix MIDI2 IN EP max packet size Tetsuo Handa (3): can: j1939: implement NETDEV_UNREGISTER notification handler can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails Thomas Hellström (3): drm/xe: Attempt to bring bos back to VRAM after eviction drm/xe: Allow the pm notifier to continue on failure drm/xe: Block exec and rebind worker while evicting for suspend / hibernate Thomas Richter (2): s390/pai: Deny all events not handled by this PMU s390/cpum_cf: Deny all sampling events by counter PMU Tianyu Xu (1): igb: Fix NULL pointer dereference in ethtool loopback test Tigran Mkrtchyan (1): flexfiles/pNFS: fix NULL checks on result of ff_layout_choose_ds_for_read Trond Myklebust (10): NFSv4: Don't clear capabilities that won't be reset NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set NFSv4: Clear NFS_CAP_OPEN_XOR and NFS_CAP_DELEGTIME if not supported NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server NFS: Serialise O_DIRECT i/o and truncate() NFSv4.2: Serialise O_DIRECT i/o and fallocate() NFSv4.2: Serialise O_DIRECT i/o and clone range NFSv4.2: Serialise O_DIRECT i/o and copy range NFS: nfs_invalidate_folio() must observe the offset and size arguments Revert "SUNRPC: Don't allow waiting for exiting tasks" Uladzislau Rezki (Sony) (1): mm/vmalloc, mm/kasan: respect gfp mask in kasan_populate_vmalloc() Vladimir Oltean (2): net: phylink: add lock for serializing concurrent pl->phydev writes with resolver net: phy: transfer phy_config_inband() locking responsibility to phylink Vladimir Riabchun (1): ftrace/samples: Fix function size computation Wang Liang (1): tracing/osnoise: Fix null-ptr-deref in bitmap_parselist() Wei Yang (1): mm/khugepaged: fix the address passed to notifier on testing young Xiao Ni (1): md: keep recovery_cp in mdp_superblock_s Xiongfeng Wang (1): hrtimers: Unconditionally update target CPU base after offline timer migration Yi Sun (2): dmaengine: idxd: Remove improper idxd_free dmaengine: idxd: Fix refcount underflow on module unload Yuezhang Mo (1): erofs: fix runtime warning on truncate_folio_batch_exceptionals() wangzijie (1): proc: fix type confusion in pde_set_flags()

1 month, 2 weeks

1
1
0 0

Linux 6.12.48

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.48 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/serial/brcm,bcm7271-uart.yaml | 2 Documentation/filesystems/nfs/localio.rst | 13 Documentation/netlink/specs/mptcp_pm.yaml | 52 +- Documentation/networking/can.rst | 2 Makefile | 2 arch/riscv/include/asm/compat.h | 1 arch/s390/kernel/perf_cpum_cf.c | 4 arch/s390/kernel/perf_pai_crypto.c | 4 arch/s390/kernel/perf_pai_ext.c | 2 arch/x86/kernel/cpu/topology_amd.c | 25 - arch/x86/kernel/vmlinux.lds.S | 10 drivers/dma-buf/Kconfig | 1 drivers/dma-buf/udmabuf.c | 22 - drivers/dma/dw/rzn1-dmamux.c | 15 drivers/dma/idxd/init.c | 39 - drivers/dma/qcom/bam_dma.c | 8 drivers/dma/ti/edma.c | 4 drivers/edac/altera_edac.c | 1 drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 3 drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 12 drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 64 +- drivers/gpu/drm/amd/amdgpu/vi.c | 7 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 5 drivers/gpu/drm/amd/display/dc/dpp/dcn10/dcn10_dpp.c | 7 drivers/gpu/drm/amd/display/dc/dpp/dcn401/dcn401_dpp_cm.c | 6 drivers/gpu/drm/amd/display/dc/hubp/dcn20/dcn20_hubp.c | 8 drivers/gpu/drm/amd/display/dc/hubp/dcn401/dcn401_hubp.c | 10 drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 2 drivers/gpu/drm/i915/display/intel_display_power.c | 6 drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 16 drivers/gpu/drm/mediatek/mtk_drm_drv.c | 11 drivers/gpu/drm/panthor/panthor_drv.c | 2 drivers/gpu/drm/xe/tests/xe_bo.c | 2 drivers/gpu/drm/xe/tests/xe_dma_buf.c | 10 drivers/gpu/drm/xe/xe_bo.c | 16 drivers/gpu/drm/xe/xe_bo.h | 2 drivers/gpu/drm/xe/xe_dma_buf.c | 2 drivers/i2c/busses/i2c-i801.c | 2 drivers/input/misc/iqs7222.c | 3 drivers/input/serio/i8042-acpipnpio.h | 14 drivers/mtd/nand/raw/atmel/nand-controller.c | 16 drivers/mtd/nand/raw/stm32_fmc2_nand.c | 46 +- drivers/mtd/nand/spi/winbond.c | 37 + drivers/net/can/xilinx_can.c | 16 drivers/net/ethernet/freescale/fec_main.c | 3 drivers/net/ethernet/intel/i40e/i40e_main.c | 2 drivers/net/ethernet/intel/igb/igb_ethtool.c | 5 drivers/net/ethernet/mellanox/mlx5/core/steering/hws/mlx5hws_matcher.c | 24 - drivers/net/phy/mdio_bus.c | 4 drivers/nvme/host/pci.c | 3 drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c | 4 drivers/phy/tegra/xusb-tegra210.c | 6 drivers/phy/ti/phy-omap-usb2.c | 13 drivers/phy/ti/phy-ti-pipe3.c | 13 drivers/regulator/sy7636a-regulator.c | 7 drivers/tty/hvc/hvc_console.c | 6 drivers/tty/serial/sc16is7xx.c | 14 drivers/usb/gadget/function/f_midi2.c | 11 drivers/usb/gadget/udc/dummy_hcd.c | 8 drivers/usb/host/xhci-mem.c | 2 drivers/usb/serial/option.c | 17 drivers/usb/typec/tcpm/tcpm.c | 12 fs/btrfs/extent_io.c | 72 ++- fs/btrfs/inode.c | 12 fs/btrfs/qgroup.c | 6 fs/ceph/debugfs.c | 14 fs/ceph/dir.c | 17 fs/ceph/file.c | 24 - fs/ceph/inode.c | 88 +++- fs/ceph/mds_client.c | 172 ++++---- fs/ceph/mds_client.h | 18 fs/ext4/namei.c | 14 fs/fhandle.c | 8 fs/fuse/file.c | 5 fs/fuse/passthrough.c | 5 fs/kernfs/file.c | 58 +- fs/nfs/client.c | 2 fs/nfs/direct.c | 22 - fs/nfs/file.c | 21 fs/nfs/flexfilelayout/flexfilelayout.c | 21 fs/nfs/inode.c | 4 fs/nfs/internal.h | 17 fs/nfs/io.c | 55 +- fs/nfs/localio.c | 125 ++++- fs/nfs/nfs42proc.c | 2 fs/nfs/nfs4file.c | 2 fs/nfs/nfs4proc.c | 7 fs/nfs/write.c | 1 fs/ocfs2/extent_map.c | 10 fs/proc/generic.c | 3 include/linux/compiler-clang.h | 29 + include/linux/fs.h | 10 include/linux/nfs_xdr.h | 1 include/linux/pgalloc.h | 29 + include/linux/pgtable.h | 13 include/net/netfilter/nf_tables.h | 11 include/net/netfilter/nf_tables_core.h | 49 +- include/net/netns/nftables.h | 1 include/trace/events/dma.h | 153 ++++++- include/uapi/linux/mptcp_pm.h | 50 +- kernel/bpf/core.c | 16 kernel/bpf/crypto.c | 2 kernel/bpf/helpers.c | 7 kernel/dma/debug.c | 135 +++--- kernel/dma/debug.h | 20 kernel/dma/mapping.c | 41 + kernel/time/hrtimer.c | 11 kernel/trace/fgraph.c | 3 kernel/trace/trace.c | 10 mm/Kconfig | 2 mm/damon/core.c | 4 mm/damon/lru_sort.c | 5 mm/damon/reclaim.c | 5 mm/damon/sysfs.c | 14 mm/hugetlb.c | 9 mm/kasan/init.c | 12 mm/kasan/kasan_test_c.c | 1 mm/khugepaged.c | 4 mm/memory-failure.c | 20 mm/percpu.c | 6 mm/sparse-vmemmap.c | 6 net/bridge/br.c | 7 net/can/j1939/bus.c | 5 net/can/j1939/socket.c | 3 net/ceph/messenger.c | 7 net/hsr/hsr_device.c | 97 ++++ net/hsr/hsr_main.c | 4 net/hsr/hsr_main.h | 3 net/ipv4/ip_tunnel_core.c | 6 net/ipv4/tcp_bpf.c | 5 net/mptcp/sockopt.c | 11 net/netfilter/nf_tables_api.c | 123 +++-- net/netfilter/nft_dynset.c | 5 net/netfilter/nft_lookup.c | 67 ++- net/netfilter/nft_objref.c | 5 net/netfilter/nft_set_bitmap.c | 11 net/netfilter/nft_set_hash.c | 54 +- net/netfilter/nft_set_pipapo.c | 214 +++------- net/netfilter/nft_set_pipapo_avx2.c | 27 - net/netfilter/nft_set_rbtree.c | 46 +- net/netlink/genetlink.c | 3 net/sunrpc/sched.c | 2 net/sunrpc/xprtsock.c | 6 samples/ftrace/ftrace-direct-modify.c | 2 sound/pci/hda/patch_realtek.c | 1 145 files changed, 1896 insertions(+), 988 deletions(-) Alan Stern (1): USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels Alex Deucher (2): drm/amd/display: use udelay rather than fsleep drm/amdgpu: fix a memory leak in fence cleanup when unloading Alex Markuze (2): ceph: fix race condition validating r_parent before applying state ceph: fix race condition where r_parent becomes stale before sending message Alex Tran (1): docs: networking: can: change bcm_msg_head frames member to support flexible array Alexander Sverdlin (1): mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing Alok Tiwari (1): genetlink: fix genl_bind() invoking bind() after -EPERM Amir Goldstein (2): fhandle: use more consistent rules for decoding file handle from userns fuse: do not allow mapping a non-regular backing file Anders Roxell (1): dmaengine: ti: edma: Fix memory allocation size for queue_priority_map Andreas Kemnade (1): regulator: sy7636a: fix lifecycle of power good gpio Anssi Hannula (1): can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB Antoine Tenart (1): tunnels: reset the GSO metadata before reusing the skb Aurabindo Pillai (1): Revert "drm/amd/display: Optimize cursor position updates" Baochen Qiang (1): dma-debug: don't enforce dma mapping check on noncoherent allocations Boris Burkov (2): btrfs: fix squota compressed stats leak btrfs: use readahead_expand() on compressed extents Buday Csaba (1): net: mdiobus: release reset_gpio in mdiobus_unregister_device() Chen Ridong (1): kernfs: Fix UAF in polling when open file is released Chia-I Wu (1): drm/panthor: validate group queue count Chiasheng Lee (1): i2c: i801: Hide Intel Birch Stream SoC TCO WDT Christoffer Sandberg (1): Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk table Christoph Hellwig (1): dma-debug: store a phys_addr_t in struct dma_debug_entry Christophe Kerello (2): mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer mtd: rawnand: stm32_fmc2: fix ECC overwrite Dan Carpenter (1): dmaengine: idxd: Fix double free in idxd_setup_wqs() Daniel Borkmann (1): bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt David Rosca (3): drm/amdgpu: Add back JPEG to video caps for carrizo and newer drm/amdgpu/vcn: Allow limiting ctx to instance 0 for AV1 at any time drm/amdgpu/vcn4: Fix IB parsing with multiple engine info packages Fabian Vogt (1): tty: hvc_console: Call hvc_kick in hvc_write unconditionally Fabio Porcedda (2): USB: serial: option: add Telit Cinterion FN990A w/audio compositions USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions Fedor Pchelkin (1): dma-debug: fix physical address calculation for struct dma_debug_entry Florian Westphal (10): netfilter: nft_set_pipapo: remove unused arguments netfilter: nft_set: remove one argument from lookup and update functions netfilter: nft_set_pipapo: merge pipapo_get/lookup netfilter: nft_set_pipapo: don't return bogus extension pointer netfilter: nft_set_pipapo: don't check genbit from packetpath lookups netfilter: nft_set_rbtree: continue traversal if element is inactive netfilter: nf_tables: place base_seq in struct net netfilter: nf_tables: make nft_set_do_lookup available unconditionally netfilter: nf_tables: restart set lookup on base_seq change netfilter: nft_set_pipapo: fix null deref for empty set Greg Kroah-Hartman (1): Linux 6.12.48 Guenter Roeck (2): trace/fgraph: Fix error handling x86: disable image size check for test builds Hangbin Liu (2): hsr: use rtnl lock when iterating over ports hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr Harry Yoo (1): mm: introduce and use {pgd,p4d}_populate_kernel() Huan Yang (1): Revert "udmabuf: fix vmap_udmabuf error page set" Hugo Villeneuve (1): serial: sc16is7xx: fix bug in flow control levels init Ilya Dryomov (1): libceph: fix invalid accesses to ceph_connection_v1_info Jakub Kicinski (1): netlink: specs: mptcp: replace underscores with dashes in names Jani Nikula (1): drm/i915/power: fix size for for_each_set_bit() in abox iteration Jeff LaBundy (1): Input: iqs7222 - avoid enabling unused interrupts Jeongjun Park (1): mm/hugetlb: add missing hugetlb_lock in __unmap_hugepage_range() Johan Hovold (4): drm/mediatek: fix potential OF node use-after-free phy: tegra: xusb: fix device and OF node leak at probe phy: ti: omap-usb2: fix device leak at unbind phy: ti-pipe3: fix device leak at unbind Jonathan Curley (1): NFSv4/flexfiles: Fix layout merge mirror check. Justin Worrell (1): SUNRPC: call xs_sock_process_cmsg for all cmsg K Prateek Nayak (1): x86/cpu/topology: Always try cpu_parse_topology_ext() on AMD/Hygon KaFai Wan (1): bpf: Allow fall back to interpreter for programs with stack size <= 512 Kohei Enju (1): igb: fix link test skipping when interface is admin down Krister Johansen (1): mptcp: sockopt: make sync_socket_options propagate SOCK_KEEPOPEN Krzysztof Kozlowski (1): dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks Kuniyuki Iwashima (1): tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork. Kyle Meyer (1): mm/memory-failure: fix redundant updates for already poisoned pages Linus Torvalds (1): Disable SLUB_TINY for build testing Luo Gengkun (1): tracing: Fix tracing_marker may trigger page fault during preempt_disable Mark Tinguely (1): ocfs2: fix recursive semaphore deadlock in fiemap call Mathias Nyman (1): xhci: fix memory leak regression when freeing xhci vdev devices depth first Matthieu Baerts (NGI0) (3): netlink: specs: mptcp: add missing 'server-side' attr netlink: specs: mptcp: clearly mention attributes netlink: specs: mptcp: fix if-idx attribute type Maurizio Lombardi (1): nvme-pci: skip nvme_write_sq_db on empty rqlist Max Kellermann (1): fs/nfs/io: make nfs_start_io_*() killable Miaohe Lin (1): mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory Miaoqian Lin (1): dmaengine: dw: dmamux: Fix device reference leak in rzn1_dmamux_route_allocate Michal Schmidt (1): i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path Mike Snitzer (2): nfs/localio: remove extra indirect nfs_to call to check {read,write}_iter nfs/localio: add direct IO enablement with sync and async IO support Miklos Szeredi (2): fuse: check if copy_file_range() returns larger than requested size fuse: prevent overflow in copy_file_range return value Murali Karicheri (1): net: hsr: Add VLAN CTAG filter support Nathan Chancellor (1): compiler-clang.h: define __SANITIZE_*__ macros only when undefined Oleksij Rempel (1): net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups Omar Sandoval (1): btrfs: fix subvolume deletion lockup caused by inodes xarray race Palmer Dabbelt (1): RISC-V: Remove unnecessary include from compat.h Paolo Abeni (1): Revert "net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups" Peilin Ye (1): bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init() Pengyu Luo (1): phy: qualcomm: phy-qcom-eusb2-repeater: fix override properties Petr Machata (1): net: bridge: Bounce invalid boolopts Phil Sutter (1): netfilter: nf_tables: Reintroduce shortened deletion notifications Pu Lehui (1): tracing: Silence warning when chunk allocation fails in trace_pid_write Qu Wenruo (1): btrfs: fix corruption reading compressed range when block size is smaller than page size Quanmin Yan (2): mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters() mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters() RD Babiera (1): usb: typec: tcpm: properly deliver cable vdms to altmode drivers Salah Triki (1): EDAC/altera: Delete an inappropriate dma_free_coherent() call Sang-Heon Jeon (1): mm/damon/core: set quota->charged_from to jiffies at first charge window Santhosh Kumar K (1): mtd: spinand: winbond: Fix oob_layout for W25N01JW Scott Mayhew (1): nfs/localio: restore creds before releasing pageio data Sean Anderson (4): dma-mapping: trace dma_alloc/free direction dma-mapping: use trace_dma_alloc for dma_alloc* instead of using trace_dma_map dma-mapping: trace more error paths dma-mapping: fix swapped dir/flags arguments to trace_dma_alloc_sgt_err Srinivasan Shanmugam (1): drm/amd/display: Fix error pointers in amdgpu_dm_crtc_mem_type_changed Stanislav Fort (1): mm/damon/sysfs: fix use-after-free in state_show() Stefan Wahren (1): net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() Stephan Gerhold (1): dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees Takashi Iwai (3): ALSA: hda/realtek: Fix built-in mic assignment on ASUS VivoBook X515UA usb: gadget: midi2: Fix missing UMP group attributes initialization usb: gadget: midi2: Fix MIDI2 IN EP max packet size Tetsuo Handa (2): can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails Theodore Ts'o (1): ext4: introduce linear search for dentries Thomas Hellström (1): drm/xe: Attempt to bring bos back to VRAM after eviction Thomas Richter (2): s390/pai: Deny all events not handled by this PMU s390/cpum_cf: Deny all sampling events by counter PMU Tigran Mkrtchyan (1): flexfiles/pNFS: fix NULL checks on result of ff_layout_choose_ds_for_read Trond Myklebust (10): NFSv4: Don't clear capabilities that won't be reset NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set NFSv4: Clear NFS_CAP_OPEN_XOR and NFS_CAP_DELEGTIME if not supported NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server NFS: Serialise O_DIRECT i/o and truncate() NFSv4.2: Serialise O_DIRECT i/o and fallocate() NFSv4.2: Serialise O_DIRECT i/o and clone range NFSv4.2: Serialise O_DIRECT i/o and copy range NFS: nfs_invalidate_folio() must observe the offset and size arguments Revert "SUNRPC: Don't allow waiting for exiting tasks" Umesh Nerlige Ramappa (1): drm/i915/pmu: Fix zero delta busyness issue Vladimir Riabchun (1): ftrace/samples: Fix function size computation Wei Yang (1): mm/khugepaged: fix the address passed to notifier on testing young Xiongfeng Wang (1): hrtimers: Unconditionally update target CPU base after offline timer migration Yeoreum Yun (1): kunit: kasan_test: disable fortify string checker on kasan_strings() test Yevgeny Kliteynik (1): net/mlx5: HWS, change error flow on matcher disconnect Yi Sun (2): dmaengine: idxd: Remove improper idxd_free dmaengine: idxd: Fix refcount underflow on module unload wangzijie (1): proc: fix type confusion in pde_set_flags()

1 month, 2 weeks

1
1
0 0

Linux 6.6.107

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.107 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/serial/brcm,bcm7271-uart.yaml | 2 Documentation/networking/can.rst | 2 Makefile | 2 arch/riscv/include/asm/compat.h | 1 arch/s390/kernel/perf_cpum_cf.c | 4 arch/x86/kernel/vmlinux.lds.S | 10 arch/x86/kvm/cpuid.c | 5 drivers/dma/dw/rzn1-dmamux.c | 15 drivers/dma/idxd/init.c | 39 +- drivers/dma/qcom/bam_dma.c | 8 drivers/dma/ti/edma.c | 4 drivers/edac/altera_edac.c | 1 drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 3 drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 12 drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 64 +--- drivers/gpu/drm/i915/display/intel_display_power.c | 6 drivers/gpu/drm/mediatek/mtk_drm_drv.c | 11 drivers/i2c/busses/i2c-i801.c | 2 drivers/input/misc/iqs7222.c | 3 drivers/input/serio/i8042-acpipnpio.h | 14 drivers/media/i2c/imx214.c | 27 + drivers/mtd/nand/raw/atmel/nand-controller.c | 18 - drivers/mtd/nand/raw/stm32_fmc2_nand.c | 46 +- drivers/net/can/xilinx_can.c | 16 - drivers/net/ethernet/freescale/fec_main.c | 3 drivers/net/ethernet/intel/i40e/i40e_main.c | 2 drivers/net/ethernet/intel/igb/igb_ethtool.c | 5 drivers/net/phy/mdio_bus.c | 4 drivers/phy/tegra/xusb-tegra210.c | 6 drivers/phy/ti/phy-ti-pipe3.c | 13 drivers/regulator/sy7636a-regulator.c | 7 drivers/tty/hvc/hvc_console.c | 6 drivers/tty/serial/sc16is7xx.c | 14 drivers/usb/gadget/function/f_midi2.c | 11 drivers/usb/gadget/udc/dummy_hcd.c | 8 drivers/usb/host/xhci-mem.c | 2 drivers/usb/serial/option.c | 17 + fs/btrfs/extent_io.c | 78 ++++ fs/fuse/file.c | 5 fs/kernfs/file.c | 54 ++- fs/nfs/client.c | 2 fs/nfs/direct.c | 21 + fs/nfs/file.c | 14 fs/nfs/flexfilelayout/flexfilelayout.c | 21 - fs/nfs/inode.c | 4 fs/nfs/internal.h | 17 - fs/nfs/io.c | 55 ++- fs/nfs/nfs42proc.c | 2 fs/nfs/nfs4file.c | 2 fs/nfs/nfs4proc.c | 6 fs/nfsd/nfs4proc.c | 4 fs/nfsd/vfs.c | 13 fs/ocfs2/extent_map.c | 10 fs/proc/generic.c | 3 fs/smb/client/file.c | 16 - fs/smb/server/connection.h | 11 fs/smb/server/mgmt/user_session.c | 4 fs/smb/server/smb2pdu.c | 14 include/linux/compiler-clang.h | 29 + include/linux/pgalloc.h | 29 + include/linux/pgtable.h | 13 include/net/sock.h | 40 ++ kernel/bpf/helpers.c | 7 kernel/rcu/tasks.h | 107 +++++- kernel/time/hrtimer.c | 50 --- kernel/trace/trace.c | 10 mm/Kconfig | 2 mm/damon/core.c | 4 mm/damon/lru_sort.c | 3 mm/damon/reclaim.c | 3 mm/damon/sysfs.c | 14 mm/kasan/init.c | 12 mm/kasan/kasan_test.c | 1 mm/khugepaged.c | 22 - mm/memory-failure.c | 7 mm/percpu.c | 6 mm/sparse-vmemmap.c | 6 net/bridge/br.c | 7 net/can/j1939/bus.c | 5 net/can/j1939/socket.c | 3 net/ceph/messenger.c | 7 net/core/sock.c | 5 net/hsr/hsr_device.c | 158 +++++++++- net/hsr/hsr_main.c | 4 net/hsr/hsr_main.h | 3 net/ipv4/ip_tunnel_core.c | 6 net/ipv4/tcp_bpf.c | 5 net/mptcp/sockopt.c | 11 net/sunrpc/sched.c | 2 net/sunrpc/xprtsock.c | 6 samples/ftrace/ftrace-direct-modify.c | 2 scripts/Makefile.kasan | 12 security/integrity/ima/ima_main.c | 16 - security/integrity/integrity.h | 3 94 files changed, 985 insertions(+), 404 deletions(-) Ada Couprie Diaz (1): kasan: fix GCC mem-intrinsic prefix with sw tags Alan Stern (1): USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels Alex Deucher (1): drm/amdgpu: fix a memory leak in fence cleanup when unloading Alex Tran (1): docs: networking: can: change bcm_msg_head frames member to support flexible array Alexander Dahl (1): mtd: nand: raw: atmel: Fix comment in timings preparation Alexander Sverdlin (1): mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing Anders Roxell (1): dmaengine: ti: edma: Fix memory allocation size for queue_priority_map Andreas Kemnade (1): regulator: sy7636a: fix lifecycle of power good gpio André Apitzsch (1): media: i2c: imx214: Fix link frequency validation Anssi Hannula (1): can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB Antoine Tenart (1): tunnels: reset the GSO metadata before reusing the skb Boris Burkov (1): btrfs: use readahead_expand() on compressed extents Borislav Petkov (AMD) (1): KVM: SVM: Set synthesized TSA CPUID flags Buday Csaba (1): net: mdiobus: release reset_gpio in mdiobus_unregister_device() Chen Ridong (1): kernfs: Fix UAF in polling when open file is released Chiasheng Lee (1): i2c: i801: Hide Intel Birch Stream SoC TCO WDT Christoffer Sandberg (1): Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk table Christophe Kerello (2): mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer mtd: rawnand: stm32_fmc2: fix ECC overwrite Chuck Lever (1): NFSD: nfsd_unlink() clobbers non-zero status returned from fh_fill_pre_attrs() Dan Carpenter (1): dmaengine: idxd: Fix double free in idxd_setup_wqs() David Rosca (2): drm/amdgpu/vcn: Allow limiting ctx to instance 0 for AV1 at any time drm/amdgpu/vcn4: Fix IB parsing with multiple engine info packages Fabian Vogt (1): tty: hvc_console: Call hvc_kick in hvc_write unconditionally Fabio Porcedda (2): USB: serial: option: add Telit Cinterion FN990A w/audio compositions USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions Greg Kroah-Hartman (1): Linux 6.6.107 Guenter Roeck (1): x86: disable image size check for test builds Hangbin Liu (2): hsr: use rtnl lock when iterating over ports hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr Harry Yoo (1): mm: introduce and use {pgd,p4d}_populate_kernel() Hugo Villeneuve (1): serial: sc16is7xx: fix bug in flow control levels init Ilya Dryomov (1): libceph: fix invalid accesses to ceph_connection_v1_info Jani Nikula (1): drm/i915/power: fix size for for_each_set_bit() in abox iteration Jeff LaBundy (1): Input: iqs7222 - avoid enabling unused interrupts Jiapeng Chong (2): hrtimer: Remove unused function hrtimer: Rename __hrtimer_hres_active() to hrtimer_hres_active() Johan Hovold (3): drm/mediatek: fix potential OF node use-after-free phy: tegra: xusb: fix device and OF node leak at probe phy: ti-pipe3: fix device leak at unbind Jonathan Curley (1): NFSv4/flexfiles: Fix layout merge mirror check. Justin Worrell (1): SUNRPC: call xs_sock_process_cmsg for all cmsg Kohei Enju (1): igb: fix link test skipping when interface is admin down Krister Johansen (1): mptcp: sockopt: make sync_socket_options propagate SOCK_KEEPOPEN Krzysztof Kozlowski (1): dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks Kuniyuki Iwashima (2): net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork. Linus Torvalds (1): Disable SLUB_TINY for build testing Luo Gengkun (1): tracing: Fix tracing_marker may trigger page fault during preempt_disable Mark Tinguely (1): ocfs2: fix recursive semaphore deadlock in fiemap call Mathias Nyman (1): xhci: fix memory leak regression when freeing xhci vdev devices depth first Max Kellermann (1): fs/nfs/io: make nfs_start_io_*() killable Miaohe Lin (1): mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory Miaoqian Lin (1): dmaengine: dw: dmamux: Fix device reference leak in rzn1_dmamux_route_allocate Michal Schmidt (1): i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path Miklos Szeredi (2): fuse: check if copy_file_range() returns larger than requested size fuse: prevent overflow in copy_file_range return value Mimi Zohar (1): ima: limit the number of ToMToU integrity violations Murali Karicheri (2): net: hsr: Add support for MC filtering at the slave device net: hsr: Add VLAN CTAG filter support Namjae Jeon (1): ksmbd: fix null pointer dereference in alloc_preauth_hash() Nathan Chancellor (1): compiler-clang.h: define __SANITIZE_*__ macros only when undefined Oleksij Rempel (1): net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups Palmer Dabbelt (1): RISC-V: Remove unnecessary include from compat.h Paolo Abeni (1): Revert "net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups" Paul E. McKenney (3): rcu-tasks: Maintain lists to eliminate RCU-tasks/do_exit() deadlocks rcu-tasks: Eliminate deadlocks involving do_exit() and RCU tasks rcu-tasks: Maintain real-time response in rcu_tasks_postscan() Peilin Ye (1): bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init() Petr Machata (1): net: bridge: Bounce invalid boolopts Pu Lehui (1): tracing: Silence warning when chunk allocation fails in trace_pid_write Qu Wenruo (1): btrfs: fix corruption reading compressed range when block size is smaller than page size Quanmin Yan (2): mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters() mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters() Salah Triki (1): EDAC/altera: Delete an inappropriate dma_free_coherent() call Sang-Heon Jeon (1): mm/damon/core: set quota->charged_from to jiffies at first charge window Stanislav Fort (1): mm/damon/sysfs: fix use-after-free in state_show() Stefan Wahren (1): net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() Stephan Gerhold (1): dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees Takashi Iwai (2): usb: gadget: midi2: Fix missing UMP group attributes initialization usb: gadget: midi2: Fix MIDI2 IN EP max packet size Tetsuo Handa (2): can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails Thomas Richter (1): s390/cpum_cf: Deny all sampling events by counter PMU Tigran Mkrtchyan (1): flexfiles/pNFS: fix NULL checks on result of ff_layout_choose_ds_for_read Trond Myklebust (9): nfsd: Fix a regression in nfsd_setattr() NFSv4: Don't clear capabilities that won't be reset NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server NFS: Serialise O_DIRECT i/o and truncate() NFSv4.2: Serialise O_DIRECT i/o and fallocate() NFSv4.2: Serialise O_DIRECT i/o and clone range NFSv4.2: Serialise O_DIRECT i/o and copy range Revert "SUNRPC: Don't allow waiting for exiting tasks" Vishal Moola (Oracle) (1): mm/khugepaged: convert hpage_collapse_scan_pmd() to use folios Vladimir Riabchun (1): ftrace/samples: Fix function size computation Wei Yang (1): mm/khugepaged: fix the address passed to notifier on testing young Xiongfeng Wang (1): hrtimers: Unconditionally update target CPU base after offline timer migration Yang Erkun (1): cifs: fix pagecache leak when do writepages Yeoreum Yun (1): kunit: kasan_test: disable fortify string checker on kasan_strings() test Yi Sun (2): dmaengine: idxd: Remove improper idxd_free dmaengine: idxd: Fix refcount underflow on module unload wangzijie (1): proc: fix type confusion in pde_set_flags()

1 month, 2 weeks

1
1
0 0

Linux 6.1.153

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.153 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/serial/brcm,bcm7271-uart.yaml | 2 Documentation/networking/can.rst | 2 Makefile | 2 arch/x86/kvm/cpuid.c | 33 +- drivers/dma/dw/rzn1-dmamux.c | 15 drivers/dma/idxd/init.c | 33 +- drivers/dma/qcom/bam_dma.c | 8 drivers/dma/ti/edma.c | 4 drivers/edac/altera_edac.c | 1 drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 3 drivers/gpu/drm/i915/display/intel_display_power.c | 6 drivers/input/misc/iqs7222.c | 3 drivers/input/serio/i8042-acpipnpio.h | 14 drivers/media/i2c/imx214.c | 27 + drivers/media/platform/mediatek/vcodec/mtk_vcodec_fw_scp.c | 4 drivers/media/platform/mediatek/vcodec/venc/venc_h264_if.c | 6 drivers/mtd/nand/raw/atmel/nand-controller.c | 18 - drivers/mtd/nand/raw/stm32_fmc2_nand.c | 46 +- drivers/net/can/xilinx_can.c | 16 drivers/net/ethernet/freescale/fec_main.c | 3 drivers/net/ethernet/intel/i40e/i40e_main.c | 2 drivers/net/ethernet/intel/igb/igb_ethtool.c | 5 drivers/phy/tegra/xusb-tegra210.c | 6 drivers/phy/ti/phy-ti-pipe3.c | 13 drivers/regulator/sy7636a-regulator.c | 7 drivers/soc/qcom/mdt_loader.c | 14 drivers/tty/hvc/hvc_console.c | 6 drivers/tty/serial/sc16is7xx.c | 14 drivers/usb/gadget/udc/dummy_hcd.c | 8 drivers/usb/serial/option.c | 17 + fs/fuse/file.c | 5 fs/kernfs/file.c | 54 ++- fs/nfs/client.c | 2 fs/nfs/flexfilelayout/flexfilelayout.c | 21 - fs/nfs/nfs4proc.c | 6 fs/ocfs2/extent_map.c | 10 fs/proc/generic.c | 3 include/linux/compiler-clang.h | 29 + include/linux/pgalloc.h | 29 + include/linux/pgtable.h | 13 include/net/sock.h | 40 ++ kernel/time/hrtimer.c | 50 --- kernel/trace/trace.c | 10 kernel/trace/trace_events_synth.c | 2 mm/damon/lru_sort.c | 3 mm/damon/reclaim.c | 3 mm/damon/sysfs.c | 14 mm/kasan/init.c | 12 mm/kasan/kasan_test.c | 1 mm/khugepaged.c | 22 - mm/memory-failure.c | 7 mm/percpu.c | 6 mm/sparse-vmemmap.c | 6 net/can/j1939/bus.c | 5 net/can/j1939/socket.c | 3 net/ceph/messenger.c | 7 net/core/sock.c | 5 net/hsr/hsr_device.c | 163 +++++++++- net/hsr/hsr_main.c | 4 net/hsr/hsr_main.h | 4 net/hsr/hsr_slave.c | 18 - net/ipv4/ip_tunnel_core.c | 6 net/ipv4/tcp_bpf.c | 5 net/mptcp/sockopt.c | 11 net/sunrpc/sched.c | 2 samples/ftrace/ftrace-direct-modify.c | 2 sound/soc/qcom/qdsp6/q6apm-dai.c | 28 + 67 files changed, 667 insertions(+), 282 deletions(-) Alan Stern (1): USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels Alex Deucher (1): drm/amdgpu: fix a memory leak in fence cleanup when unloading Alex Tran (1): docs: networking: can: change bcm_msg_head frames member to support flexible array Alexander Dahl (1): mtd: nand: raw: atmel: Fix comment in timings preparation Alexander Sverdlin (1): mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing Anders Roxell (1): dmaengine: ti: edma: Fix memory allocation size for queue_priority_map Andreas Kemnade (1): regulator: sy7636a: fix lifecycle of power good gpio André Apitzsch (1): media: i2c: imx214: Fix link frequency validation Anssi Hannula (1): can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB Antoine Tenart (1): tunnels: reset the GSO metadata before reusing the skb Arnd Bergmann (1): media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning Bjorn Andersson (1): soc: qcom: mdt_loader: Deal with zero e_shentsize Boris Ostrovsky (1): KVM: SVM: Return TSA_SQ_NO and TSA_L1_NO bits in __do_cpuid_func() Borislav Petkov (AMD) (1): KVM: SVM: Set synthesized TSA CPUID flags Chen Ridong (1): kernfs: Fix UAF in polling when open file is released Christoffer Sandberg (1): Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk table Christophe Kerello (2): mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer mtd: rawnand: stm32_fmc2: fix ECC overwrite Dan Carpenter (2): dmaengine: idxd: Fix double free in idxd_setup_wqs() soc: qcom: mdt_loader: Fix error return values in mdt_header_valid() Fabian Vogt (1): tty: hvc_console: Call hvc_kick in hvc_write unconditionally Fabio Porcedda (2): USB: serial: option: add Telit Cinterion FN990A w/audio compositions USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions Greg Kroah-Hartman (1): Linux 6.1.153 Hangbin Liu (2): hsr: use rtnl lock when iterating over ports hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr Harry Yoo (1): mm: introduce and use {pgd,p4d}_populate_kernel() Hugo Villeneuve (1): serial: sc16is7xx: fix bug in flow control levels init Ilya Dryomov (1): libceph: fix invalid accesses to ceph_connection_v1_info Jani Nikula (1): drm/i915/power: fix size for for_each_set_bit() in abox iteration Jeff LaBundy (1): Input: iqs7222 - avoid enabling unused interrupts Jiapeng Chong (2): hrtimer: Remove unused function hrtimer: Rename __hrtimer_hres_active() to hrtimer_hres_active() Jiasheng Jiang (1): media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization Johan Hovold (2): phy: tegra: xusb: fix device and OF node leak at probe phy: ti-pipe3: fix device leak at unbind Jonathan Curley (1): NFSv4/flexfiles: Fix layout merge mirror check. Kim Phillips (1): KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code Kohei Enju (1): igb: fix link test skipping when interface is admin down Krister Johansen (1): mptcp: sockopt: make sync_socket_options propagate SOCK_KEEPOPEN Krzysztof Kozlowski (1): dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks Kuniyuki Iwashima (2): net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork. Luo Gengkun (1): tracing: Fix tracing_marker may trigger page fault during preempt_disable Mark Tinguely (1): ocfs2: fix recursive semaphore deadlock in fiemap call Miaohe Lin (1): mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory Miaoqian Lin (1): dmaengine: dw: dmamux: Fix device reference leak in rzn1_dmamux_route_allocate Michal Schmidt (1): i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path Miklos Szeredi (2): fuse: check if copy_file_range() returns larger than requested size fuse: prevent overflow in copy_file_range return value Murali Karicheri (2): net: hsr: Add support for MC filtering at the slave device net: hsr: Add VLAN CTAG filter support Nathan Chancellor (1): compiler-clang.h: define __SANITIZE_*__ macros only when undefined Oleksij Rempel (1): net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups Paolo Abeni (1): Revert "net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups" Pu Lehui (1): tracing: Silence warning when chunk allocation fails in trace_pid_write Quanmin Yan (2): mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters() mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters() Ravi Gunasekaran (2): net: hsr: Disable promiscuous mode in offload mode net: hsr: hsr_slave: Fix the promiscuous mode in offload mode Salah Triki (1): EDAC/altera: Delete an inappropriate dma_free_coherent() call Srinivas Kandagatla (1): ASoC: q6apm-dai: schedule all available frames to avoid dsp under-runs Stanislav Fort (1): mm/damon/sysfs: fix use-after-free in state_show() Stefan Wahren (1): net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() Stephan Gerhold (1): dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees Steven Rostedt (1): tracing: Do not add length to print format in synthetic events Tetsuo Handa (2): can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails Tigran Mkrtchyan (1): flexfiles/pNFS: fix NULL checks on result of ff_layout_choose_ds_for_read Trond Myklebust (4): NFSv4: Don't clear capabilities that won't be reset NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server Revert "SUNRPC: Don't allow waiting for exiting tasks" Vishal Moola (Oracle) (1): mm/khugepaged: convert hpage_collapse_scan_pmd() to use folios Vladimir Riabchun (1): ftrace/samples: Fix function size computation Wei Yang (1): mm/khugepaged: fix the address passed to notifier on testing young Xiongfeng Wang (1): hrtimers: Unconditionally update target CPU base after offline timer migration Yeoreum Yun (1): kunit: kasan_test: disable fortify string checker on kasan_strings() test wangzijie (1): proc: fix type confusion in pde_set_flags()

1 month, 2 weeks

1
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror