- Linux-stable-mirror - lists.linaro.org

[to-be-updated] mm-check-if-folio-has-valid-mapcount-before-folio_test_anonksm-when-necessary.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: check if folio has valid mapcount before folio_test_{anon,ksm}() when necessary has been removed from the -mm tree. Its filename was mm-check-if-folio-has-valid-mapcount-before-folio_test_anonksm-when-necessary.patch This patch was dropped because an updated version will be issued ------------------------------------------------------ From: Harry Yoo <harry.yoo(a)oracle.com> Subject: mm: check if folio has valid mapcount before folio_test_{anon,ksm}() when necessary Date: Mon, 7 Jul 2025 21:07:40 +0900 folio_test_anon() and folio_test_ksm() may return false positives when the folio is a typed page (except hugetlb), because lower bits of folio->mapping field can be set even if it doesn't mean FOLIO_MAPPING_* flags. To avoid false positives, folio_test_{anon,ksm}() should be called only if !page_has_type(&folio->page) || folio_test_hugetlb(folio). However, the check can be skipped if a folio is or will be mapped to userspace because typed pages that are not hugetlb folios cannot be mapped to userspace. As folio_expected_ref_count() already does the check, introduce a helper function folio_has_mapcount() and use it in folio_expected_ref_count() and stable_page_flags(). Update the comment in FOLIO_MAPPING_* flags accordingly. This fixes tools/mm/page-types reporting pages with KPF_SLAB, KPF_ANON and KPF_SLAB (with flags, page-counts, MB omitted): $ sudo ./page-types | grep slab _______S___________________________________ slab _______S____a________x_____________________ slab,anonymous,ksm Link: https://lkml.kernel.org/r/20250707120740.4413-1-harry.yoo@oracle.com Fixes: 130d4df57390 ("mm/sl[au]b: rearrange struct slab fields to allow larger rcu_head") Signed-off-by: Harry Yoo <harry.yoo(a)oracle.com> Suggested-by: Vlastimil Babka <vbabka(a)suse.cz> Cc: Christoph Lameter (Ampere) <cl(a)gentwo.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: David Rientjes <rientjes(a)google.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/page.c | 19 +++++++++++-------- include/linux/mm.h | 2 +- include/linux/page-flags.h | 20 ++++++++++++++------ 3 files changed, 26 insertions(+), 15 deletions(-) --- a/fs/proc/page.c~mm-check-if-folio-has-valid-mapcount-before-folio_test_anonksm-when-necessary +++ a/fs/proc/page.c @@ -148,18 +148,21 @@ u64 stable_page_flags(const struct page folio = page_folio(page); k = folio->flags; - mapping = (unsigned long)folio->mapping; - is_anon = mapping & FOLIO_MAPPING_ANON; /* * pseudo flags for the well known (anonymous) memory mapped pages */ - if (page_mapped(page)) - u |= 1 << KPF_MMAP; - if (is_anon) { - u |= 1 << KPF_ANON; - if (mapping & FOLIO_MAPPING_KSM) - u |= 1 << KPF_KSM; + if (folio_has_mapcount(folio)) { + mapping = (unsigned long)folio->mapping; + is_anon = mapping & FOLIO_MAPPING_ANON; + + if (page_mapped(page)) + u |= 1 << KPF_MMAP; + if (is_anon) { + u |= 1 << KPF_ANON; + if (mapping & FOLIO_MAPPING_KSM) + u |= 1 << KPF_KSM; + } } /* --- a/include/linux/mm.h~mm-check-if-folio-has-valid-mapcount-before-folio_test_anonksm-when-necessary +++ a/include/linux/mm.h @@ -2169,7 +2169,7 @@ static inline int folio_expected_ref_cou const int order = folio_order(folio); int ref_count = 0; - if (WARN_ON_ONCE(page_has_type(&folio->page) && !folio_test_hugetlb(folio))) + if (WARN_ON_ONCE(!folio_has_mapcount(folio))) return 0; if (folio_test_anon(folio)) { --- a/include/linux/page-flags.h~mm-check-if-folio-has-valid-mapcount-before-folio_test_anonksm-when-necessary +++ a/include/linux/page-flags.h @@ -706,12 +706,15 @@ PAGEFLAG_FALSE(VmemmapSelfHosted, vmemma * address_space which maps the folio from disk; whereas "folio_mapped" * refers to user virtual address space into which the folio is mapped. * - * For slab pages, since slab reuses the bits in struct page to store its - * internal states, the folio->mapping does not exist as such, nor do - * these flags below. So in order to avoid testing non-existent bits, - * please make sure that folio_test_slab(folio) actually evaluates to - * false before calling the following functions (e.g., folio_test_anon). - * See mm/slab.h. + * For certain typed pages like slabs, since they reuse bits in struct page + * to store internal states, folio->mapping does not point to a valid + * mapping, nor do these flags exist. To avoid testing non-existent bits, + * make sure folio_has_mapcount() actually evaluates to true before calling + * the following functions (e.g., folio_test_anon). + * + * The folio_has_mapcount() check can be skipped if the folio is mapped + * to userspace, since a folio with !folio_has_mapcount() cannot be mapped + * to userspace at all. */ #define FOLIO_MAPPING_ANON 0x1 #define FOLIO_MAPPING_ANON_KSM 0x2 @@ -1092,6 +1095,11 @@ static inline bool PageHuge(const struct return folio_test_hugetlb(page_folio(page)); } +static inline bool folio_has_mapcount(const struct folio *folio) +{ + return !page_has_type(&folio->page) || folio_test_hugetlb(folio); +} + /* * Check if a page is currently marked HWPoisoned. Note that this check is * best effort only and inherently racy: there is no way to synchronize with _ Patches currently in -mm which might be from harry.yoo(a)oracle.com are mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction=n.patch

2 months

1
0
0 0

[ath10k][QCA9377] Firmware crashes on Dell Inspiron 5567 (IRQ #16, all modern distro kernels)

by Bandhan Pramanik

Hello, This is to inform all that constant firmware crashes have been seen in the "Qualcomm Atheros QCA9377 802.11ac Wireless Network Adapter", which was shipped with the Dell Inspiron 5567 laptops. This affects every kernel release, including the stable and the longterm ones. All the logs have been taken after livebooting an Arch Linux ISO. Every distro has been tried, and it has been confirmed that some error of this kind is shown in every distro. ## Steps to reproduce the issue 1. Boot/liveboot any Linux ISO through this card (and possibly, this laptop). 2. Wi-Fi network interface appears. 3. Connect the Wi-Fi router to the computer. 4. A few moments/minutes after that, the touchpad stops working, and the network interface cannot even access the Internet anymore (BUT, the network interface might disappear, might not disappear). ## Affected distros and the necessary workarounds This has been the pattern on every distro and their corresponding kernels (LMDE, Linux Mint, Pop!_OS, Zorin, Kubuntu, KDE Neon, elementaryOS, Fedora, and even Arch). The fix which made these distros usable is to add two things: - Adding "options ath10k_core skip_otp=y" to a new conf file in /etc/modprobe.d. - Adding "pci=noaer" in GRUB kernel parameters so that the logs are not flooded with Multiple Correctable Errors. To defend my case (that it occurs in the other models of Inspiron 5567 too), I have recently contacted someone running Linux Mint on the same model. The answer was the same: the touchpad and the Wi-Fi stop simultaneously. ## Some of the limitations The kernel was tainted, but the other things have been properly noted in case they might provide some useful details. As stated, investigating why IRQ #16 is disabled will probably give us the answer. ## Logs provided All the logs in a combined manner can be found here: https://gist.github.com/BandhanPramanik/ddb0cb23eca03ca2ea43a1d832a16180 - Full dmesg: https://gist.github.com/BandhanPramanik/ddb0cb23eca03ca2ea43a1d832a16180#fi… - Hostnamectl: https://gist.github.com/BandhanPramanik/ddb0cb23eca03ca2ea43a1d832a16180#fi… - lspci: https://gist.github.com/BandhanPramanik/ddb0cb23eca03ca2ea43a1d832a16180#fi… - Modinfo of the driver: https://gist.github.com/BandhanPramanik/ddb0cb23eca03ca2ea43a1d832a16180#fi… - Ping command: https://gist.github.com/BandhanPramanik/ddb0cb23eca03ca2ea43a1d832a16180#fi… - /proc/interrupts: https://gist.github.com/BandhanPramanik/ddb0cb23eca03ca2ea43a1d832a16180#fi… - IP addr command (Heavily Redacted): https://gist.github.com/BandhanPramanik/ddb0cb23eca03ca2ea43a1d832a16180#fi… Lastly, this issue on the GitHub repository of Pop!_OS 'might' be relevant: https://github.com/pop-os/pop/issues/1470 It would be highly appreciated if the matter were looked into. Thanks, Bandhan Pramanik

2 months

1
4
0 0

[TEST REGRESSION] stable-rc/linux-6.12.y: kselftest.breakpoints.breakpoints_step_after_suspend_test on stm32mp157a-dhcor-avenger96

by KernelCI bot

Hello, New test failure found on stable-rc/linux-6.12.y: kselftest.breakpoints.breakpoints_step_after_suspend_test running on stm32mp157a-dhcor-avenger96 giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git branch: linux-6.12.y commit HEAD: d50d16f002928cde05a54e0049ddc203323ae7ac test id: maestro:687945d32ce2c1874ed4d342 status: FAIL start time: log: https://files.kernelci.org/kselftest-breakpoints-6876a2d634612746bbcec7ff/l… # Test details: - test path: kselftest.breakpoints.breakpoints_step_after_suspend_test - platform: stm32mp157a-dhcor-avenger96 - compatibles: arrow,stm32mp157a-avenger96 | dh,stm32mp157a-dhcor-som | st,stm32mp157 - config: multi_v7_defconfig - architecture: arm - compiler: gcc-12 Dashboard: https://d.kernelci.org/t/maestro:687945d32ce2c1874ed4d342 Log excerpt: ===================================================== of an unmet condition check (ConditionPathExists=/sys/kernel/mm/hugepages). [ 28.116033] systemd[1]: dev-mqueue.mount - POSIX Message Queue File System was skipped because of an unmet condition check (ConditionPathExists=/proc/sys/fs/mqueue). [ 28.180697] systemd[1]: Mounting sys-kernel-debug.mount - Kernel Debug File System... Mounting [0;1;39msys-kernel-debug.…[0m - Kernel Debug File System... [ 28.217714] systemd[1]: Mounting sys-kernel-tracing.mount - Kernel Trace File System... Mounting [0;1;39msys-kernel-tracin…[0m - Kernel Trace File System... [ 28.291406] systemd[1]: Starting kmod-static-nodes.service - Create List of Static Device Nodes... Starting [0;1;39mkmod-static-nodes…ate List of Static Device Nodes... [ 28.331680] systemd[1]: Starting modprobe(a)configfs.service - Load Kernel Module configfs... Starting [0;1;39mmodprobe@configfs…m - Load Kernel Module configfs... [ 28.371165] systemd[1]: Starting modprobe(a)dm_mod.service - Load Kernel Module dm_mod... Starting [0;1;39mmodprobe(a)dm_mod.s...[0m - Load Kernel Module dm_mod... [ 28.408054] systemd[1]: Starting modprobe(a)drm.service - Load Kernel Module drm... Starting [0;1;39mmodprobe(a)drm.service[0m - Load Kernel Module drm... [ 28.449915] systemd[1]: Starting modprobe(a)efi_pstore.service - Load Kernel Module efi_pstore... Starting [0;1;39mmodprobe@efi_psto…- Load Kernel Module efi_pstore... [ 28.487986] systemd[1]: Starting modprobe(a)fuse.service - Load Kernel Module fuse... Starting [0;1;39mmodprobe(a)fuse.ser...e[0m - Load Kernel Module fuse... [ 28.532255] systemd[1]: Starting modprobe(a)loop.service - Load Kernel Module loop... Starting [0;1;39mmodprobe(a)loop.ser...e[0m - Load Kernel Module loop... [ 28.563256] systemd[1]: systemd-journald.service: unit configures an IP firewall, but the local system does not support BPF/cgroup firewalling. [ 28.574983] systemd[1]: (This warning is only shown for the first unit using IP firewalling.) [ 28.588124] systemd[1]: Starting systemd-journald.service - Journal Service... Starting [0;1;39msystemd-journald.service[0m - Journal Service... [ 28.682143] systemd[1]: Starting systemd-modules-load.service - Load Kernel Modules... Starting [0;1;39msystemd-modules-l…rvice[0m - Load Kernel Modules... [ 28.726528] systemd[1]: Starting systemd-network-generator.service - Generate network units from Kernel command line... Starting [0;1;39msystemd-network-g… units from Kernel command line... [ 28.831292] systemd[1]: Starting systemd-remount-fs.service - Remount Root and Kernel File Systems... Starting [0;1;39msystemd-remount-f…nt Root and Kernel File Systems... [ 28.868196] systemd[1]: Starting systemd-udev-trigger.service - Coldplug All udev Devices... Starting [0;1;39msystemd-udev-trig…[0m - Coldplug All udev Devices... [ 28.925905] systemd[1]: Mounted sys-kernel-debug.mount - Kernel Debug File System. [[0;32m OK [0m] Mounted [0;1;39msys-kernel-debug.m…nt[0m - Kernel Debug File System. [ 28.971980] systemd[1]: Mounted sys-kernel-tracing.mount - Kernel Trace File System. [[0;32m OK [0m] Mounted [0;1;39msys-kernel-tracing…nt[0m - Kernel Trace File System. [ 29.004249] systemd[1]: Finished kmod-static-nodes.service - Create List of Static Device Nodes. [[0;32m OK [0m] Finished [0;1;39mkmod-static-nodes…reate List of Static Device Nodes. [ 29.106198] systemd[1]: modprobe(a)configfs.service: Deactivated successfully. [ 29.121680] systemd[1]: Finished modprobe(a)configfs.service - Load Kernel Module configfs. [[0;32m OK [0m] Finished [0;1;39mmodprobe@configfs…[0m - Load Kernel Module configfs. [ 29.142952] systemd[1]: modprobe(a)dm_mod.service: Deactivated successfully. [ 29.160513] systemd[1]: Finished modprobe(a)dm_mod.service - Load Kernel Module dm_mod. [[0;32m OK [0m] Finished [0;1;39mmodprobe(a)dm_mod.s...e[0m - Load Kernel Module dm_mod. [ 29.203027] systemd[1]: modprobe(a)drm.service: Deactivated successfully. [ 29.209669] systemd[1]: Finished modprobe(a)drm.service - Load Kernel Module drm. [[0;32m OK [0m] Finished [0;1;39mmodprobe(a)drm.service[0m - Load Kernel Module drm. [ 29.251945] systemd[1]: Started systemd-journald.service - Journal Service. [[0;32m OK [0m] Started [0;1;39msystemd-journald.service[0m - Journal Service. [[0;32m OK [0m] Finished [0;1;39mmodprobe@efi_psto…m - Load Kernel Module efi_pstore. [[0;32m OK [0m] Finished [0;1;39mmodprobe(a)fuse.service[0m - Load Kernel Module fuse. [[0;32m OK [0m] Finished [0;1;39mmodprobe(a)loop.service[0m - Load Kernel Module loop. [[0;32m OK [0m] Finished [0;1;39msystemd-modules-l…service[0m - Load Kernel Modules. [[0;32m OK [0m] Finished [0;1;39msystemd-network-g…rk units from Kernel command line. [[0;32m OK [0m] Finished [0;1;39msystemd-remount-f…ount Root and Kernel File Systems. [[0;32m OK [0m] Reached target [0;1;39mnetwork-pre…get[0m - Preparation for Network. Mounting [0;1;39msys-kernel-config…ernel Configuration File System... Starting [0;1;39msystemd-journal-f…h Journal to Persistent Storage... Starting [0;1;39msystemd-random-se…ice[0m - Load/Save Random Seed... Starting [0;1;39msystemd-sysctl.se…ce[0m - Apply Kernel Variables... Starting [0;1;39msystemd-sysusers.…rvice[0m - Create System Users... [[0;32m OK [0m] Mounted [0;1;39msys-kernel-config.… Kernel Configuration File System. [ 29.895899] systemd-journald[191]: Received client request to flush runtime journal. [[0;32m OK [0m] Finished [0;1;39msystemd-random-se…rvice[0m - Load/Save Random Seed. [[0;32m OK [0m] Finished [0;1;39msystemd-sysctl.service[0m - Apply Kernel Variables. [[0;32m OK [0m] Finished [0;1;39msystemd-sysusers.service[0m - Create System Users. Starting [0;1;39msystemd-tmpfiles-…ate Static Device Nodes in /dev... [[0;32m OK [0m] Finished [0;1;39msystemd-journal-f…ush Journal to Persistent Storage. [[0;32m OK [0m] Finished [0;1;39msystemd-tmpfiles-…reate Static Device Nodes in /dev. [[0;32m OK [0m] Reached target [0;1;39mlocal-fs-pr…reparation for Local File Systems. [[0;32m OK [0m] Reached target [0;1;39mlocal-fs.target[0m - Local File Systems. Starting [0;1;39msystemd-tmpfiles-…te System Files and Directories... Starting [0;1;39msystemd-udevd.ser…ger for Device Events and Files... [[0;32m OK [0m] Started [0;1;39msystemd-udevd.serv…nager for Device Events and Files. [[0;32m OK [0m] Finished [0;1;39msystemd-tmpfiles-…eate System Files and Directories. Starting [0;1;39msystemd-networkd.…ice[0m - Network Configuration... Starting [0;1;39msystemd-timesyncd… - Network Time Synchronization... Starting [0;1;39msystemd-update-ut…rd System Boot/Shutdown in UTMP... [[0;32m OK [0m] Finished [0;1;39msystemd-update-ut…cord System Boot/Shutdown in UTMP. [[0;32m OK [0m] Finished [0;1;39msystemd-udev-trig…e[0m - Coldplug All udev Devices. [[0;32m OK [0m] Started [0;1;39msystemd-timesyncd.…0m - Network Time Synchronization. [[0;32m OK [0m] Started [0;1;39msystemd-networkd.service[0m - Network Configuration. [[0;32m OK [0m] Found device [0;1;39mdev-ttySTM0.device[0m - /dev/ttySTM0. [[0;32m OK [0m] Reached target [0;1;39mbluetooth.target[0m - Bluetooth Support. [[0;32m OK [0m] Reached target [0;1;39mnetwork.target[0m - Network. [[0;32m OK [0m] Reached target [0;1;39mtime-set.target[0m - System Time Set. [[0;32m OK [0m] Reached target [0;1;39musb-gadget.…m - Hardware activated USB gadget. [[0;32m OK [0m] Listening on [0;1;39msystemd-rfkil…l Switch Status /dev/rfkill Watch. Starting [0;1;39mmodprobe(a)dm_mod.s...[0m - Load Kernel Module dm_mod... Starting [0;1;39mmodprobe@efi_psto…- Load Kernel Module efi_pstore... Starting [0;1;39mmodprobe(a)fuse.ser...e[0m - Load Kernel Module fuse... Starting [0;1;39mmodprobe(a)loop.ser...e[0m - Load Kernel Module loop... [[0;32m OK [0m] Finished [0;1;39mmodprobe(a)dm_mod.s...e[0m - Load Kernel Module dm_mod. [[0;32m OK [0m] Finished [0;1;39mmodprobe@efi_psto…m - Load Kernel Module efi_pstore. [[0;32m OK [0m] Finished [0;1;39mmodprobe(a)fuse.service[0m - Load Kernel Module fuse. [[0;32m OK [0m] Finished [0;1;39mmodprobe(a)loop.service[0m - Load Kernel Module loop. [[0;32m OK [0m] Reached target [0;1;39msysinit.target[0m - System Initialization. [[0;32m OK [0m] Started [0;1;39mapt-daily.timer[0m - Daily apt download activities. [[0;32m OK [0m] Started [0;1;39mapt-daily-upgrade.… apt upgrade and clean activities. [[0;32m OK [0m] Started [0;1;39mdpkg-db-backup.tim… Daily dpkg database backup timer. [[0;32m OK [0m] Started [0;1;39me2scrub_all.timer…etadata Check for All Filesystems. [[0;32m OK [0m] Started [0;1;39mfstrim.timer[0m - Discard unused blocks once a week. [[0;32m OK [0m] Started [0;1;39msystemd-tmpfiles-c… Cleanup of Temporary Directories. [[0;32m OK [0m] Reached target [0;1;39mtimers.target[0m - Timer Units. [[0;32m OK [0m] Listening on [0;1;39mdbus.socket[…- D-Bus System Message Bus Socket. [[0;32m OK [0m] Reached target [0;1;39msockets.target[0m - Socket Units. [[0;32m OK [0m] Reached target [0;1;39mbasic.target[0m - Basic System. Starting [0;1;39malsa-restore.serv…- Save/Restore Sound Card State... Starting [0;1;39mdbus.service[0m - D-Bus System Message Bus... Starting [0;1;39me2scrub_reap.serv…e ext4 Metadata Check Snapshots... Starting [0;1;39msystemd-logind.se…ice[0m - User Login Management... Starting [0;1;39msystemd-rfkill.se…Load/Save RF Kill Switch Status... Starting [0;1;39msystemd-user-sess…vice[0m - Permit User Sessions... [[0;32m OK [0m] Finished [0;1;39malsa-restore.serv…m - Save/Restore Sound Card State. [[0;32m OK [0m] Reached target [0;1;39msound.target[0m - Sound Card. [[0;32m OK [0m] Started [0;1;39msystemd-rfkill.ser…- Load/Save RF Kill Switch Status. [[0;32m OK [0m] Finished [0;1;39msystemd-user-sess…ervice[0m - Permit User Sessions. [[0;32m OK [0m] Started [0;1;39mgetty(a)tty1.service[0m - Getty on tty1. [[0;32m OK [0m] Started [0;1;39mserial-getty@ttyST…ice[0m - Serial Getty on ttySTM0. [[0;32m OK [0m] Reached target [0;1;39mgetty.target[0m - Login Prompts. [[0;32m OK [0m] Started [0;1;39mdbus.service[0m - D-Bus System Message Bus. Starting [0;1;39msystemd-hostnamed.service[0m - Hostname Service... [[0;32m OK [0m] Started [0;1;39msystemd-logind.service[0m - User Login Management. [[0;32m OK [0m] Finished [0;1;39me2scrub_reap.serv…ine ext4 Metadata Check Snapshots. [[0;32m OK [0m] Reached target [0;1;39mmulti-user.target[0m - Multi-User System. [[0;32m OK [0m] Reached target [0;1;39mgraphical.target[0m - Graphical Interface. Starting [0;1;39msystemd-update-ut… Record Runlevel Change in UTMP... [[0;32m OK [0m] Finished [0;1;39msystemd-update-ut… - Record Runlevel Change in UTMP. [[0;32m OK [0m] Started [0;1;39msystemd-hostnamed.service[0m - Hostname Service. Debian GNU/Linux 12 debian-bookworm-armhf ttySTM0 debian-bookworm-armhf login: root (automatic login) Linux debian-bookworm-armhf 6.12.39-rc2 #1 SMP Tue Jul 15 18:39:20 UTC 2025 armv7l The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. / # / # export NFS_ROOTFS='/var/lib/lava/dispatcher/tmp/1574985/extract-nfsrootfs-w6q8rnvr' export NFS_ROOTFS='/var/lib/lava/dispatcher/tmp/1574985/extract-nfsrootfs-w6q8rnvr' / # export NFS_SERVER_IP='172.16.0.3' export NFS_SERVER_IP='172.16.0.3' / # # # / # export SHELL=/bin/bash export SHELL=/bin/bash / # . /lava-1574985/environment . /lava-1574985/environment / # /lava-1574985/bin/lava-test-runner /lava-1574985/0 /lava-1574985/bin/lava-test-runner /lava-1574985/0 + export TESTRUN_ID=0_timesync-off + TESTRUN_ID=0_timesync-off + cd /lava-1574985/0/tests/0_timesync-off ++ cat uuid + UUID=1574985_1.6.2.4.1 + set +x <LAVA_SIGNAL_STARTRUN 0_timesync-off 1574985_1.6.2.4.1> + systemctl stop systemd-timesyncd + set +x <LAVA_SIGNAL_ENDRUN 0_timesync-off 1574985_1.6.2.4.1> + export TESTRUN_ID=1_kselftest-breakpoints + TESTRUN_ID=1_kselftest-breakpoints + cd /lava-1574985/0/tests/1_kselftest-breakpoints ++ cat uuid + UUID=1574985_1.6.2.4.5 + set +x <LAVA_SIGNAL_STARTRUN 1_kselftest-breakpoints 1574985_1.6.2.4.5> + cd ./automated/linux/kselftest/ + ./kselftest.sh -c breakpoints -T '' -t kselftest_armhf.tar.gz -s True -u https://files.kernelci.org/kbuild-gcc-12-arm-6876975b34612746bbce6ee9/kself… -L '' -S /dev/null -b '' -g '' -e '' -p /opt/kselftests/mainline/ -n 1 -i 1 -E '' INFO: install_deps skipped --2025-07-17 18:49:22-- https://files.kernelci.org/kbuild-gcc-12-arm-6876975b34612746bbce6ee9/kself… Resolving files.kernelci.org (files.kernelci.org)... 20.171.243.82 Connecting to files.kernelci.org (files.kernelci.org)|20.171.243.82|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 9351030 (8.9M) [application/gzip] Saving to: 'kselftest_armhf.tar.gz' kselftest_armhf.tar 0%[ ] 0 --.-KB/s ?kselftest_armhf.tar 1%[ ] 103.76K 357KB/s ?kselftest_armhf.tar 4%[ ] 439.76K 756KB/s ?kselftest_armhf.tar 12%[=> ] 1.13M 1.45MB/s ?kselftest_armhf.tar 23%[===> ] 2.13M 2.17MB/s ?kselftest_armhf.tar 35%[======> ] 3.13M 2.64MB/s ?kselftest_armhf.tar 46%[========> ] 4.13M 2.98MB/s ?kselftest_armhf.tar 57%[==========> ] 5.13M 3.24MB/s ?kselftest_armhf.tar 68%[============> ] 6.13M 3.43MB/s ?kselftest_armhf.tar 79%[==============> ] 7.13M 3.59MB/s ?kselftest_armhf.tar 90%[=================> ] 8.06M 3.57MB/s ?kselftest_armhf.tar 100%[===================>] 8.92M 3.66MB/s in 2.4s 2025-07-17 18:49:25 (3.66 MB/s) - 'kselftest_armhf.tar.gz' saved [9351030/9351030] skiplist: ======================================== ======================================== breakpoints:step_after_suspend_test ============== Tests to run =============== breakpoints:step_after_suspend_test ===========End Tests to run =============== shardfile-breakpoints pass [ 67.220163] kselftest: Running tests in breakpoints TAP version 13 1..1 # timeout set to 45 # selftests: breakpoints: step_after_suspend_test [ 67.432985] PM: suspend entry (deep) [ 67.449347] Filesystems sync: 0.014 seconds [ 67.458329] Freezing user space processes [ 67.462606] Freezing user space processes completed (elapsed 0.001 seconds) [ 67.468205] OOM killer disabled. [ 67.471493] Freezing remaining freezable tasks [ 67.477234] Freezing remaining freezable tasks completed (elapsed 0.001 seconds) [ 67.483366] printk: Suspending console(s) (use no_console_suspend to debug) [ 67.611609] stm32-dwmac 5800a000.ethernet end0: Link is Down [ 67.624958] Disabling non-boot CPUs ... [ 67.626403] CPU1 killed. [ 67.628604] Enabling non-boot CPUs ... [ 67.630318] CPU1 is up [ 67.638677] stm32-dwmac 5800a000.ethernet end0: configuring for phy/rgmii link mode [ 67.640262] dwmac4: Master AXI performs any burst length [ 67.640314] stm32-dwmac 5800a000.ethernet end0: No Safety Features support found [ 67.640345] stm32-dwmac 5800a000.ethernet end0: Invalid PTP clock rate [ 67.640361] stm32-dwmac 5800a000.ethernet end0: PTP init failed [ 67.642550] stm32-dwmac 5800a000.ethernet end0: Link is Up - 1Gbps/Full - flow control off [ 67.910193] usb 2-1: reset high-speed USB device number 2 using ehci-platform [ 68.257543] OOM killer enabled. [ 68.260709] Restarting tasks ... done. [ 68.267811] random: crng reseeded on system resumption [ 68.281019] PM: suspend exit # TAP version 13 # Bail out! Failed to enter Suspend state # # Totals: pass:0 fail:0 xfail:0 xpass:0 skip:0 error:0 not ok 1 selftests: breakpoints: step_after_suspend_test # exit=1 WARNING: Optional imports not found, TAP 13 output will be ignored. To parse yaml, see requirements in docs: https://tappy.readthedocs.io/en/latest/consumers.html#tap-version-13 breakpoints_step_after_suspend_test fail + ../../utils/send-to-lava.sh ./output/result.txt <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=shardfile-breakpoints RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=breakpoints_step_after_suspend_test RESULT=fail> + set +x <LAVA_SIGNAL_ENDRUN 1_kselftest-breakpoints 1574985_1.6.2.4.5> <LAVA_TEST_RUNNER EXIT> / # ===================================================== #kernelci test maestro:687945d32ce2c1874ed4d342 Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

2 months

2
1
0 0

FYI

by Allen Cheng

Good day, I sent you a message a few hours ago, but no reply yet, or did you not receive it? Kindly read my letter and reply. I want to make an inquiry Thanks. Dr.Allen Cheng Human Resource Manager | Product Research Assistant FGP Ltd "Email ini dan dokumen lampirannya ditujukan untuk digunakan oleh penerima e-mail. Apabila anda bukan orang yang tepat untuk menerima e-mail ini segera hapus e-mail ini. Isi e-mail ini mungkin tidak mewakili pandangan dan/atau pendapat PT. Transportasi Jakarta, kecuali bila dinyatakan dengan jelas demikian. Informasi yang terdapat dalam e-mail ini dapat bersifat rahasia. Dilarang memperbanyak, menyebarkan dan menyalin informasi rahasia kepada pihak lain tanpa persetujuan PT. Transportasi Jakart tidak bertanggung jawab atas penggunaan email ini oleh bukan penerima e-mail yang dituju dan atas kerusakan yang diakibatkan oleh e-mail ini jika terkena virus atau gangguan komunikasi."

2 months

1
0
0 0

[PATCH] vfio: cdx: Fix missing GENERIC_MSI_IRQ on compile test

by Krzysztof Kozlowski

VFIO_CDX driver uses msi_domain_alloc_irqs() which is provided by non-user-visible GENERIC_MSI_IRQ, thus it should select that option directly. VFIO_CDX depends on CDX_BUS, which also will select GENERIC_MSI_IRQ (separate fix), nevertheless driver should poll what is being used there instead of relying on bus Kconfig. Without the fix on CDX_BUS compile test fails: drivers/vfio/cdx/intr.c: In function ‘vfio_cdx_msi_enable’: drivers/vfio/cdx/intr.c:41:15: error: implicit declaration of function ‘msi_domain_alloc_irqs’; did you mean ‘irq_domain_alloc_irqs’? [-Wimplicit-function-declaration] Reported-by: Randy Dunlap <rdunlap(a)infradead.org> Closes: https://lore.kernel.org/r/4a6fd102-f8e0-42f3-b789-6e3340897032@infradead.or… Fixes: 848e447e000c ("vfio/cdx: add interrupt support") Cc: <stable(a)vger.kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> --- drivers/vfio/cdx/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/vfio/cdx/Kconfig b/drivers/vfio/cdx/Kconfig index e6de0a0caa32..90cf3dee5dba 100644 --- a/drivers/vfio/cdx/Kconfig +++ b/drivers/vfio/cdx/Kconfig @@ -9,6 +9,7 @@ config VFIO_CDX tristate "VFIO support for CDX bus devices" depends on CDX_BUS select EVENTFD + select GENERIC_MSI_IRQ help Driver to enable VFIO support for the devices on CDX bus. This is required to make use of CDX devices present in -- 2.48.1

2 months

2
1
0 0

Linux 6.15.7

by Greg Kroah-Hartman

I'm announcing the release of the 6.15.7 kernel. All users of the 6.15 kernel series must upgrade. The updated 6.15.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.15.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/bpf/map_hash.rst | 8 Documentation/bpf/map_lru_hash_update.dot | 6 Documentation/devicetree/bindings/clock/mediatek,mt8188-clock.yaml | 3 Makefile | 2 arch/arm64/kernel/cpufeature.c | 57 +- arch/arm64/kernel/process.c | 5 arch/arm64/mm/fault.c | 30 - arch/arm64/mm/proc.S | 1 arch/riscv/kernel/vdso/vdso.lds.S | 2 arch/s390/crypto/sha1_s390.c | 2 arch/s390/crypto/sha256_s390.c | 3 arch/s390/crypto/sha512_s390.c | 3 arch/um/drivers/vector_kern.c | 42 - arch/x86/Kconfig | 2 arch/x86/coco/sev/core.c | 22 arch/x86/include/asm/msr-index.h | 1 arch/x86/include/asm/sev.h | 17 arch/x86/kernel/cpu/amd.c | 10 arch/x86/kernel/cpu/mce/amd.c | 28 - arch/x86/kernel/cpu/mce/core.c | 24 arch/x86/kernel/cpu/mce/intel.c | 1 arch/x86/kvm/hyperv.c | 3 arch/x86/kvm/svm/sev.c | 4 arch/x86/kvm/xen.c | 15 drivers/acpi/battery.c | 19 drivers/atm/idt77252.c | 5 drivers/block/nbd.c | 6 drivers/block/ublk_drv.c | 3 drivers/bluetooth/hci_qca.c | 13 drivers/char/ipmi/ipmi_msghandler.c | 3 drivers/clk/clk-scmi.c | 18 drivers/clk/imx/clk-imx95-blk-ctl.c | 12 drivers/edac/ecs.c | 4 drivers/edac/mem_repair.c | 1 drivers/edac/scrub.c | 1 drivers/gpio/gpiolib.c | 5 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v7.c | 8 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v8.c | 8 drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c | 1 drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 43 - drivers/gpu/drm/drm_framebuffer.c | 31 + drivers/gpu/drm/drm_gem.c | 74 ++ drivers/gpu/drm/drm_internal.h | 2 drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 drivers/gpu/drm/imagination/pvr_power.c | 4 drivers/gpu/drm/nouveau/nouveau_debugfs.c | 6 drivers/gpu/drm/nouveau/nouveau_debugfs.h | 5 drivers/gpu/drm/nouveau/nouveau_drm.c | 4 drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 20 drivers/gpu/drm/tegra/nvdec.c | 6 drivers/gpu/drm/ttm/ttm_bo_util.c | 13 drivers/gpu/drm/xe/xe_gt_pagefault.c | 1 drivers/gpu/drm/xe/xe_lmtt.c | 11 drivers/gpu/drm/xe/xe_migrate.c | 2 drivers/gpu/drm/xe/xe_pci.c | 1 drivers/gpu/drm/xe/xe_pm.c | 11 drivers/hid/hid-ids.h | 6 drivers/hid/hid-lenovo.c | 8 drivers/hid/hid-multitouch.c | 8 drivers/hid/hid-nintendo.c | 38 + drivers/hid/hid-quirks.c | 3 drivers/irqchip/Kconfig | 1 drivers/md/md-bitmap.c | 3 drivers/md/raid1.c | 4 drivers/md/raid10.c | 12 drivers/net/can/m_can/m_can.c | 2 drivers/net/ethernet/airoha/airoha_eth.c | 1 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c | 18 drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 drivers/net/ethernet/ibm/ibmvnic.h | 8 drivers/net/ethernet/mellanox/mlx5/core/en/fs.h | 9 drivers/net/ethernet/mellanox/mlx5/core/en_dim.c | 4 drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 2 drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 1 drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 13 drivers/net/ethernet/microsoft/mana/gdma_main.c | 3 drivers/net/ethernet/renesas/rtsn.c | 5 drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c | 24 drivers/net/ethernet/ti/am65-cpsw-nuss.c | 4 drivers/net/ethernet/wangxun/libwx/wx_lib.c | 16 drivers/net/ethernet/wangxun/libwx/wx_type.h | 2 drivers/net/ethernet/wangxun/ngbe/ngbe_main.c | 2 drivers/net/ethernet/wangxun/ngbe/ngbe_type.h | 2 drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c | 4 drivers/net/ethernet/wangxun/txgbe/txgbe_type.h | 4 drivers/net/ethernet/xilinx/ll_temac_main.c | 2 drivers/net/phy/microchip.c | 3 drivers/net/phy/qcom/at803x.c | 27 - drivers/net/phy/qcom/qca808x.c | 2 drivers/net/phy/qcom/qcom-phy-lib.c | 25 drivers/net/phy/qcom/qcom.h | 5 drivers/net/phy/smsc.c | 57 ++ drivers/net/usb/qmi_wwan.c | 1 drivers/net/wireless/marvell/mwifiex/util.c | 4 drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 6 drivers/net/wireless/mediatek/mt76/mt7921/main.c | 3 drivers/net/wireless/mediatek/mt76/mt7925/init.c | 2 drivers/net/wireless/mediatek/mt76/mt7925/main.c | 6 drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 4 drivers/net/wireless/mediatek/mt76/mt7925/regs.h | 2 drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 40 - drivers/net/wireless/mediatek/mt76/mt7996/main.c | 5 drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 188 +++++-- drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h | 16 drivers/net/wireless/ralink/rt2x00/rt2x00soc.c | 4 drivers/net/wireless/ralink/rt2x00/rt2x00soc.h | 2 drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 drivers/pci/pci-acpi.c | 23 drivers/pinctrl/nuvoton/pinctrl-ma35.c | 10 drivers/pinctrl/pinctrl-amd.c | 11 drivers/pinctrl/qcom/pinctrl-msm.c | 20 drivers/pwm/core.c | 2 drivers/pwm/pwm-mediatek.c | 13 drivers/tty/vt/vt.c | 1 drivers/usb/gadget/function/u_serial.c | 12 fs/btrfs/free-space-tree.c | 16 fs/erofs/data.c | 21 fs/erofs/decompressor.c | 12 fs/erofs/fileio.c | 6 fs/erofs/internal.h | 6 fs/erofs/zdata.c | 13 fs/erofs/zmap.c | 9 fs/eventpoll.c | 12 fs/proc/inode.c | 2 fs/proc/proc_sysctl.c | 18 fs/proc/task_mmu.c | 14 fs/smb/server/smb2pdu.c | 29 - fs/smb/server/transport_rdma.c | 5 fs/smb/server/vfs.c | 1 include/drm/drm_file.h | 3 include/drm/drm_framebuffer.h | 7 include/drm/spsc_queue.h | 4 include/linux/blkdev.h | 5 include/linux/ieee80211.h | 45 + include/linux/io_uring_types.h | 2 include/linux/mm.h | 5 include/linux/psp-sev.h | 2 include/net/af_vsock.h | 2 include/net/bluetooth/hci_core.h | 3 include/net/netfilter/nf_flow_table.h | 2 include/sound/soc-acpi.h | 13 include/trace/events/erofs.h | 2 io_uring/msg_ring.c | 4 io_uring/opdef.c | 1 io_uring/zcrx.c | 3 kernel/bpf/bpf_lru_list.c | 9 kernel/bpf/bpf_lru_list.h | 1 kernel/events/core.c | 6 kernel/module/main.c | 4 kernel/sched/core.c | 7 kernel/sched/deadline.c | 10 kernel/stop_machine.c | 20 lib/alloc_tag.c | 3 lib/maple_tree.c | 1 mm/damon/core.c | 8 mm/kasan/report.c | 45 - mm/rmap.c | 46 + mm/vmalloc.c | 22 net/appletalk/ddp.c | 1 net/atm/clip.c | 64 +- net/bluetooth/hci_event.c | 3 net/bluetooth/hci_sync.c | 4 net/ipv4/tcp.c | 2 net/ipv6/addrconf.c | 9 net/mac80211/cfg.c | 14 net/mac80211/mlme.c | 7 net/mac80211/parse.c | 6 net/mac80211/util.c | 9 net/netlink/af_netlink.c | 82 +-- net/rxrpc/call_accept.c | 4 net/sched/sch_api.c | 23 net/tipc/topsrv.c | 2 net/vmw_vsock/af_vsock.c | 57 +- net/wireless/nl80211.c | 7 net/wireless/util.c | 52 +- samples/damon/prcl.c | 8 samples/damon/wsse.c | 8 scripts/gdb/linux/constants.py.in | 7 scripts/gdb/linux/interrupts.py | 16 scripts/gdb/linux/mapletree.py | 252 ++++++++++ scripts/gdb/linux/vfs.py | 2 scripts/gdb/linux/xarray.py | 28 + sound/isa/ad1816a/ad1816a.c | 2 sound/pci/hda/patch_realtek.c | 10 sound/soc/amd/yc/acp6x-mach.c | 7 sound/soc/codecs/cs35l56-shared.c | 2 sound/soc/codecs/rt721-sdca.c | 23 sound/soc/fsl/fsl_asrc.c | 3 sound/soc/fsl/fsl_sai.c | 14 sound/soc/intel/boards/Kconfig | 1 sound/soc/intel/common/Makefile | 2 sound/soc/intel/common/soc-acpi-intel-arl-match.c | 21 sound/soc/intel/common/sof-function-topology-lib.c | 136 +++++ sound/soc/intel/common/sof-function-topology-lib.h | 15 sound/soc/sof/intel/hda.c | 6 tools/arch/x86/include/asm/msr-index.h | 1 tools/include/linux/kallsyms.h | 4 tools/objtool/check.c | 1 tools/testing/selftests/bpf/test_lru_map.c | 105 ++-- tools/testing/selftests/net/lib.sh | 2 virt/kvm/kvm_main.c | 3 203 files changed, 2006 insertions(+), 827 deletions(-) Aaron Thompson (1): drm/nouveau: Do not fail module init on debugfs errors Achill Gilgenast (1): kallsyms: fix build without execinfo Akira Inoue (1): HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Al Viro (2): fix proc_sys_compare() handling of in-lookup dentries ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Alessio Belle (1): drm/imagination: Fix kernel crash when hard resetting the GPU Alex Deucher (1): drm/amdkfd: add hqd_sdma_get_doorbell callbacks for gfx7/8 Alexander Gordeev (1): mm/vmalloc: leave lazy MMU mode on PTE mapping error Alok Tiwari (1): net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Anshuman Khandual (1): arm64/mm: Drop wrong writes into TCR2_EL1 Arun Raghavan (1): ASoC: fsl_sai: Force a software reset when starting in consumer mode Baolin Wang (1): mm: fix the inaccurate memory statistics issue for users Bard Liao (4): ASoC: Intel: SND_SOC_INTEL_SOF_BOARD_HELPERS select SND_SOC_ACPI_INTEL_MATCH ASoC: soc-acpi: add get_function_tplg_files ops ASoC: Intel: add sof_sdw_get_tplg_files ops ASoC: Intel: soc-acpi-intel-arl-match: set get_function_tplg_files ops Bartosz Golaszewski (1): pinctrl: qcom: msm: mark certain pins as invalid for interrupts Ben Skeggs (1): drm/nouveau/gsp: fix potential leak of memory used during acpi init Carolina Jubran (2): net/mlx5: Reset bw_share field when changing a node's parent net/mlx5e: Fix race between DIM disable and net_dim() Chao Yu (2): erofs: fix to add missing tracepoint in erofs_read_folio() erofs: fix to add missing tracepoint in erofs_readahead() Charles Keepax (1): ASoC: Intel: soc-acpi: arl: Correct order of cs42l43 matches Chia-Lin Kao (AceLan) (1): HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Chintan Vankar (1): net: ethernet: ti: am65-cpsw-nuss: Fix skb size by accounting for skb_shared_info Chris Chiu (1): ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook 6 G1a Christian König (1): drm/ttm: fix error handling in ttm_buffer_object_transfer Christophe JAILLET (1): net: airoha: Fix an error handling path in airoha_probe() Dan Carpenter (1): ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() Daniel J. Ogorchock (1): HID: nintendo: avoid bluetooth suspend/resume stalls Daniil Dulov (1): wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() David Howells (2): rxrpc: Fix bug due to prealloc collision rxrpc: Fix oops due to non-existence of prealloc backlog struct David Woodhouse (1): KVM: x86/xen: Allow 'out of range' event channel ports in IRQ routing table. Deren Wu (2): wifi: mt76: mt7921: prevent decap offload config before STA initialization wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload() Edip Hazuri (1): ALSA: hda/realtek - Add mute LED support for HP Victus 15-fb2xxx Eric Biggers (1): crypto: s390/sha - Fix uninitialized variable in SHA-1 and SHA-2 Eric Dumazet (1): netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() EricChan (1): net: stmmac: Fix interrupt handling for level-triggered mode in DWC_XGMAC2 Fangrui Song (1): riscv: vdso: Exclude .rodata from the PT_DYNAMIC segment Felix Fietkau (1): wifi: rt2x00: fix remove callback type mismatch Fengnan Chang (1): io_uring: make fallocate be hashed work Filipe Manana (1): btrfs: fix assertion when building free space tree Florian Fainelli (3): scripts/gdb: fix interrupts display after MCP on x86 scripts/gdb: de-reference per-CPU MCE interrupts scripts/gdb: fix interrupts.py after maple tree conversion Gao Xiang (3): erofs: address D-cache aliasing erofs: fix large fragment handling erofs: refine readahead tracepoint Greg Kroah-Hartman (1): Linux 6.15.7 Guillaume Nault (1): gre: Fix IPv6 multicast route creation. Hangbin Liu (1): selftests: net: lib: fix shift count out of range Haoxiang Li (1): net: ethernet: rtsn: Fix a null pointer dereference in rtsn_probe() Harry Yoo (1): lib/alloc_tag: do not acquire non-existent lock in alloc_tag_top_users() Heiko Carstens (1): objtool: Add missing endian conversion to read_annotate() Henry Martin (1): wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init() Honggyu Kim (3): mm/damon: fix divide by zero in damon_get_intervals_score() samples/damon: fix damon sample prcl for start failure samples/damon: fix damon sample wsse for start failure Hugo Villeneuve (1): gpiolib: fix performance regression when using gpio_chip_get_multiple() Håkon Bugge (1): md/md-bitmap: fix GPF in bitmap_get_stats() Illia Ostapyshyn (1): scripts: gdb: vfs: support external dentry names JP Kobryn (1): x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Jack Yu (1): ASoC: rt721-sdca: fix boost gain calculation error Jakub Kicinski (1): netlink: make sure we allow at least one dump skb Jann Horn (1): x86/mm: Disable hugetlb page table sharing on 32-bit Jason Xing (1): bnxt_en: eliminate the compile warning in bnxt_request_irq due to CONFIG_RFS_ACCEL Jens Axboe (1): io_uring/msg_ring: ensure io_kiocb freeing is deferred for RCU Jianbo Liu (1): net/mlx5e: Add new prio for promiscuous mode Jiawen Wu (1): net: wangxun: revert the adjustment of the IRQ vector sequence Jiayuan Chen (1): tcp: Correct signedness in skb remaining space calculation Johannes Berg (1): wifi: mac80211: fix non-transmitted BSSID profile search Julien Massot (1): dt-bindings: clock: mediatek: Add #reset-cells property for MT8188 Kaustabh Chakraborty (1): drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Kent Russell (1): drm/amdgpu: Include sdma_4_4_4.bin Kevin Brodsky (1): arm64: poe: Handle spurious Overlay faults Kito Xu (1): net: appletalk: Fix device refcount leak in atrtr_create() Kuen-Han Tsai (2): usb: gadget: u_serial: Fix race condition in TTY wakeup Revert "usb: gadget: u_serial: Add null pointer check in gs_start_io" Kuniyuki Iwashima (6): netlink: Fix wraparounds of sk->sk_rmem_alloc. tipc: Fix use-after-free in tipc_conn_close(). atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atm: clip: Fix memory leak of struct clip_vcc. atm: clip: Fix infinite recursive call of clip_push(). netlink: Fix rmem check in netlink_broadcast_deliver(). Lachlan Hodges (2): wifi: cfg80211: fix S1G beacon head validation in nl80211 wifi: mac80211: correctly identify S1G short beacon Lance Yang (1): mm/rmap: fix potential out-of-bounds page table access during batched unmap Liam Merwick (1): KVM: Allow CPU to reschedule while setting per-page memory attributes Linus Torvalds (1): eventpoll: don't decrement ep refcount while still holding the ep mutex Long Li (1): net: mana: Record doorbell physical address in PF mode Lorenzo Bianconi (5): wifi: mt76: Assume __mt76_connac_mcu_alloc_sta_req runs in atomic context wifi: mt76: Move RCU section in mt7996_mcu_set_fixed_field() wifi: mt76: Move RCU section in mt7996_mcu_add_rate_ctrl_fixed() wifi: mt76: Move RCU section in mt7996_mcu_add_rate_ctrl() wifi: mt76: Remove RCU section in mt7996_mac_sta_rc_work() Luiz Augusto von Dentz (4): Bluetooth: hci_sync: Fix not disabling advertising instance Bluetooth: hci_core: Remove check of BDADDR_ANY in hci_conn_hash_lookup_big_state Bluetooth: hci_sync: Fix attempting to send HCI_Disconnect to BIS handle Bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected Luo Gengkun (1): perf/core: Fix the WARN_ON_ONCE is out of lock protected region Luo Jie (2): net: phy: qcom: move the WoL function to shared library net: phy: qcom: qca808x: Fix WoL issue by utilizing at8031_set_wol() Manuel Andreas (1): KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush Mario Limonciello (1): pinctrl: amd: Clear GPIO debounce for suspend Mark Brown (1): arm64: Filter out SME hwcaps when FEAT_SME isn't implemented Mathy Vanhoef (1): wifi: prevent A-MSDU attacks in mesh networks Matthew Auld (1): drm/xe/bmg: fix compressed VRAM handling Matthew Brost (3): drm/sched: Increment job count before swapping tail spsc queue Revert "drm/xe/xe2: Enable Indirect Ring State support for Xe2" drm/xe: Allocate PF queue size on pow2 boundary Michael Lo (1): wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw scan Michal Luczaj (3): vsock: Fix transport_{g2h,h2g} TOCTOU vsock: Fix transport_* TOCTOU vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Michal Wajdeczko (1): drm/xe/pf: Clear all LMTT pages on alloc Mikhail Paulyshka (2): x86/rdrand: Disable RDSEED on AMD Cyan Skillfish x86/CPU/AMD: Disable INVLPGB on Zen2 Mikko Perttunen (1): drm/tegra: nvdec: Fix dma_alloc_coherent error check Ming Yen Hsieh (1): wifi: mt76: mt7925: fix the wrong config for tx interrupt Mingming Cao (1): ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof Miquel Raynal (1): pinctrl: nuvoton: Fix boot on ma35dx platforms Miri Korenblit (1): wifi: mac80211: add the virtual monitor after reconfig complete Moon Hee Lee (1): wifi: mac80211: reject VHT opmode for unsupported channel widths Nam Cao (1): irqchip/irq-msi-lib: Select CONFIG_GENERIC_MSI_IRQ Namjae Jeon (1): ksmbd: fix potential use-after-free in oplock/lease break ack Nicolas Pitre (1): vt: add missing notification when switching back to text mode Nigel Croxon (1): raid10: cleanup memleak at raid10_make_request Nikunj A Dadhania (2): KVM: SVM: Add missing member in SNP_LAUNCH_START command structure x86/sev: Use TSC_FACTOR for Secure TSC frequency calculation Oleksij Rempel (5): net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap net: phy: smsc: Force predictable MDI-X state on LAN87xx net: phy: smsc: Fix link failure in forced mode with Auto-MDIX net: phy: microchip: Use genphy_soft_reset() to purge stale LPA bits net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Pankaj Raghav (1): block: reject bs > ps block devices when THP is disabled Pavel Begunkov (1): io_uring/zcrx: fix pp destruction warnings Peter Ujfalusi (1): ASoC: Intel: sof-function-topology-lib: Print out the unsupported dmic count Peter Zijlstra (2): sched/core: Fix migrate_swap() vs. hotplug perf: Revert to requiring CAP_SYS_ADMIN for uprobes Petr Pavlu (1): module: Fix memory deallocation on error path in move_module() Philip Yang (1): drm/amdkfd: Don't call mmput from MMU notifier callback Rafael J. Wysocki (1): Revert "ACPI: battery: negate current when discharging" Richard Fitzgerald (1): ASoC: cs35l56: probe() should fail if the device ID is not recognized Ronnie Sahlberg (1): ublk: sanity check add_dev input for underflow Sascha Hauer (1): clk: scmi: Handle case where child clocks are initialized before their parents Sean Christopherson (1): KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight Sean Nyekjaer (1): can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level SeongJae Park (1): mm/damon/core: handle damon_call_control as normal under kdmond deactivation Shengjiu Wang (1): ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Shiju Jose (1): EDAC: Initialize EDAC features sysfs attributes Shravya KN (1): bnxt_en: Fix DCB ETS validation Shruti Parab (1): bnxt_en: Flush FW trace before copying to the coredump Shuai Zhang (1): driver: bluetooth: hci_qca:fix unable to load the BT driver Shuicheng Lin (2): drm/xe/pm: Restore display pm if there is error after display suspend drm/xe/pm: Correct comment of xe_pm_set_vram_threshold() Simona Vetter (1): drm/gem: Fix race in drm_gem_handle_create_tail() Somnath Kotur (1): bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Stefan Metzmacher (1): smb: server: make use of rdma_destroy_qp() Stefano Garzarella (1): vsock: fix `vsock_proto` declaration Takashi Iwai (1): ALSA: hda/realtek: Add mic-mute LED setup for ASUS UM5606 Tamura Dai (1): ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak. Thomas Fourier (1): atm: idt77252: Add missing `dma_map_error()` Thomas Weißschuh (1): sched: Fix preemption string of preempt_dynamic_none Thomas Zimmermann (2): drm/gem: Acquire references on GEM handles for framebuffers drm/framebuffer: Acquire internal references on GEM handles Thorsten Blum (1): ALSA: ad1816a: Fix potential NULL pointer deref in snd_card_ad1816a_pnp() Tim Crawford (1): ALSA: hda/realtek: Add quirks for some Clevo laptops Tiwei Bie (1): um: vector: Reduce stack usage in vector_eth_configure() Uwe Kleine-König (2): pwm: Fix invalid state detection pwm: mediatek: Ensure to disable clocks in error path Victor Nogueira (1): net/sched: Abort __tc_modify_qdisc if parent class does not exist Vitor Soares (1): wifi: mwifiex: discard erroneous disassoc frames on STA interface Wang Jinchao (1): md/raid1: Fix stack memory use after return in raid1_reshape Wei Yang (1): maple_tree: fix mt_destroy_walk() on root leaf node Willem de Bruijn (2): bpf: Adjust free target to avoid global starvation of LRU map selftests/bpf: adapt one more case in test_lru_map to the new target_free Xiaolei Wang (1): clk: imx: Fix an out-of-bounds access in dispmix_csr_clk_dev_data Xiaowei Li (1): net: usb: qmi_wwan: add SIMCom 8230C composition Yasmin Fitzgerald (1): ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 Yazen Ghannam (4): x86/mce/amd: Add default names for MCA banks and blocks x86/mce/amd: Fix threshold limit reset x86/mce: Don't remove sysfs if thresholding sysfs init fails x86/mce: Ensure user polling settings are honored when restarting timer Yeoreum Yun (1): kasan: remove kasan_find_vm_area() to prevent possible deadlock Yue Haibing (1): atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Yuzuru10 (1): ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic Zhang Heng (1): HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Zhe Qiao (1): Revert "PCI/ACPI: Fix allocated memory release on error in pci_acpi_scan_root()" Zheng Qixing (2): md/raid1,raid10: strip REQ_NOWAIT from member bios nbd: fix uaf in nbd_genl_connect() error path kuyo chang (1): sched/deadline: Fix dl_server runtime calculation formula

2 months

1
1
0 0

Linux 6.12.39

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.39 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/bpf/map_hash.rst | 8 Documentation/bpf/map_lru_hash_update.dot | 6 Makefile | 2 arch/arm64/kernel/cpufeature.c | 45 +-- arch/arm64/kernel/process.c | 5 arch/arm64/mm/fault.c | 30 +- arch/riscv/kernel/vdso/vdso.lds.S | 2 arch/s390/crypto/sha1_s390.c | 2 arch/s390/crypto/sha256_s390.c | 3 arch/s390/crypto/sha512_s390.c | 3 arch/um/drivers/vector_kern.c | 42 --- arch/x86/Kconfig | 2 arch/x86/include/asm/msr-index.h | 1 arch/x86/kernel/cpu/amd.c | 7 arch/x86/kernel/cpu/mce/amd.c | 28 +- arch/x86/kernel/cpu/mce/core.c | 24 - arch/x86/kernel/cpu/mce/intel.c | 1 arch/x86/kvm/cpuid.c | 4 arch/x86/kvm/svm/sev.c | 4 arch/x86/kvm/xen.c | 15 - crypto/ecc.c | 2 drivers/acpi/battery.c | 19 - drivers/atm/idt77252.c | 5 drivers/block/nbd.c | 6 drivers/block/ublk_drv.c | 3 drivers/bluetooth/hci_qca.c | 13 drivers/char/ipmi/ipmi_msghandler.c | 3 drivers/clk/clk-scmi.c | 18 - drivers/clk/imx/clk-imx95-blk-ctl.c | 12 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 30 ++ drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 5 drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h | 3 drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 43 +-- drivers/gpu/drm/drm_framebuffer.c | 31 ++ drivers/gpu/drm/drm_gem.c | 74 ++++- drivers/gpu/drm/drm_internal.h | 2 drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 drivers/gpu/drm/imagination/pvr_power.c | 4 drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 20 + drivers/gpu/drm/tegra/nvdec.c | 6 drivers/gpu/drm/ttm/ttm_bo_util.c | 13 drivers/gpu/drm/xe/xe_gt_pagefault.c | 1 drivers/gpu/drm/xe/xe_lmtt.c | 11 drivers/gpu/drm/xe/xe_migrate.c | 2 drivers/gpu/drm/xe/xe_pci.c | 1 drivers/gpu/drm/xe/xe_pm.c | 8 drivers/hid/hid-ids.h | 6 drivers/hid/hid-lenovo.c | 8 drivers/hid/hid-multitouch.c | 8 drivers/hid/hid-nintendo.c | 38 ++ drivers/hid/hid-quirks.c | 3 drivers/irqchip/Kconfig | 1 drivers/md/md-bitmap.c | 3 drivers/md/raid1.c | 1 drivers/md/raid10.c | 10 drivers/net/can/m_can/m_can.c | 2 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 drivers/net/ethernet/ibm/ibmvnic.h | 8 drivers/net/ethernet/mellanox/mlx5/core/en/fs.h | 9 drivers/net/ethernet/mellanox/mlx5/core/en_dim.c | 4 drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 2 drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 13 drivers/net/ethernet/microsoft/mana/gdma_main.c | 3 drivers/net/ethernet/renesas/rtsn.c | 5 drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c | 24 - drivers/net/ethernet/ti/am65-cpsw-nuss.c | 4 drivers/net/ethernet/wangxun/libwx/wx_lib.c | 16 - drivers/net/ethernet/wangxun/libwx/wx_type.h | 2 drivers/net/ethernet/wangxun/ngbe/ngbe_main.c | 2 drivers/net/ethernet/wangxun/ngbe/ngbe_type.h | 2 drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c | 4 drivers/net/ethernet/wangxun/txgbe/txgbe_type.h | 4 drivers/net/ethernet/xilinx/ll_temac_main.c | 2 drivers/net/phy/microchip.c | 3 drivers/net/phy/qcom/at803x.c | 27 -- drivers/net/phy/qcom/qca808x.c | 2 drivers/net/phy/qcom/qcom-phy-lib.c | 25 + drivers/net/phy/qcom/qcom.h | 5 drivers/net/phy/smsc.c | 57 +++- drivers/net/usb/qmi_wwan.c | 1 drivers/net/wireless/marvell/mwifiex/util.c | 4 drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 4 drivers/net/wireless/mediatek/mt76/mt7921/main.c | 3 drivers/net/wireless/mediatek/mt76/mt7925/init.c | 2 drivers/net/wireless/mediatek/mt76/mt7925/main.c | 6 drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 4 drivers/net/wireless/mediatek/mt76/mt7925/regs.h | 2 drivers/net/wireless/ralink/rt2x00/rt2x00soc.c | 4 drivers/net/wireless/ralink/rt2x00/rt2x00soc.h | 2 drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 drivers/pci/pci-acpi.c | 23 - drivers/pinctrl/pinctrl-amd.c | 11 drivers/pinctrl/qcom/pinctrl-msm.c | 20 + drivers/pwm/core.c | 2 drivers/pwm/pwm-mediatek.c | 13 drivers/tty/vt/vt.c | 1 drivers/usb/gadget/function/u_serial.c | 12 fs/btrfs/free-space-tree.c | 16 - fs/erofs/data.c | 21 + fs/erofs/decompressor.c | 12 fs/erofs/fileio.c | 6 fs/erofs/internal.h | 2 fs/erofs/zdata.c | 251 ++++++++---------- fs/erofs/zutil.c | 7 fs/eventpoll.c | 12 fs/netfs/write_collect.c | 2 fs/proc/inode.c | 2 fs/proc/proc_sysctl.c | 18 - fs/proc/task_mmu.c | 14 - fs/smb/server/smb2pdu.c | 29 -- fs/smb/server/transport_rdma.c | 5 fs/smb/server/vfs.c | 1 include/drm/drm_file.h | 3 include/drm/drm_framebuffer.h | 7 include/drm/spsc_queue.h | 4 include/linux/ieee80211.h | 45 ++- include/linux/math.h | 12 include/linux/mm.h | 5 include/linux/psp-sev.h | 2 include/net/af_vsock.h | 2 include/net/netfilter/nf_flow_table.h | 2 include/sound/soc-acpi.h | 13 include/trace/events/erofs.h | 2 io_uring/opdef.c | 1 kernel/bpf/bpf_lru_list.c | 9 kernel/bpf/bpf_lru_list.h | 1 kernel/events/core.c | 6 kernel/rseq.c | 60 +++- kernel/sched/core.c | 5 kernel/sched/deadline.c | 10 kernel/stop_machine.c | 20 - lib/alloc_tag.c | 3 lib/maple_tree.c | 1 mm/kasan/report.c | 13 mm/vmalloc.c | 22 + net/appletalk/ddp.c | 1 net/atm/clip.c | 64 +++- net/bluetooth/hci_event.c | 3 net/bluetooth/hci_sync.c | 2 net/ipv4/tcp.c | 2 net/ipv6/addrconf.c | 9 net/mac80211/mlme.c | 7 net/mac80211/parse.c | 6 net/netlink/af_netlink.c | 82 +++--- net/rxrpc/call_accept.c | 4 net/sched/sch_api.c | 23 + net/tipc/topsrv.c | 2 net/vmw_vsock/af_vsock.c | 57 +++- net/wireless/nl80211.c | 7 net/wireless/util.c | 52 +++ rust/kernel/init/macros.rs | 2 scripts/gdb/linux/constants.py.in | 7 scripts/gdb/linux/interrupts.py | 16 - scripts/gdb/linux/mapletree.py | 252 +++++++++++++++++++ scripts/gdb/linux/xarray.py | 28 ++ sound/isa/ad1816a/ad1816a.c | 2 sound/pci/hda/patch_realtek.c | 7 sound/soc/amd/yc/acp6x-mach.c | 7 sound/soc/codecs/cs35l56-shared.c | 2 sound/soc/fsl/fsl_asrc.c | 3 sound/soc/fsl/fsl_sai.c | 14 - sound/soc/intel/boards/Kconfig | 1 sound/soc/intel/common/Makefile | 2 sound/soc/intel/common/soc-acpi-intel-arl-match.c | 66 ++++ sound/soc/intel/common/sof-function-topology-lib.c | 136 ++++++++++ sound/soc/intel/common/sof-function-topology-lib.h | 15 + sound/soc/sof/intel/hda.c | 6 tools/arch/x86/include/asm/msr-index.h | 1 tools/include/linux/kallsyms.h | 4 tools/testing/selftests/bpf/test_lru_map.c | 105 +++---- tools/testing/selftests/net/forwarding/lib.sh | 113 -------- tools/testing/selftests/net/lib.sh | 115 ++++++++ virt/kvm/kvm_main.c | 3 176 files changed, 2012 insertions(+), 874 deletions(-) Achill Gilgenast (1): kallsyms: fix build without execinfo Akira Inoue (1): HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Al Viro (2): fix proc_sys_compare() handling of in-lookup dentries ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Alessio Belle (1): drm/imagination: Fix kernel crash when hard resetting the GPU Alexander Gordeev (1): mm/vmalloc: leave lazy MMU mode on PTE mapping error Alok Tiwari (1): net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Arun Raghavan (1): ASoC: fsl_sai: Force a software reset when starting in consumer mode Baolin Wang (1): mm: fix the inaccurate memory statistics issue for users Bard Liao (4): ASoC: Intel: SND_SOC_INTEL_SOF_BOARD_HELPERS select SND_SOC_ACPI_INTEL_MATCH ASoC: soc-acpi: add get_function_tplg_files ops ASoC: Intel: add sof_sdw_get_tplg_files ops ASoC: Intel: soc-acpi-intel-arl-match: set get_function_tplg_files ops Bartosz Golaszewski (1): pinctrl: qcom: msm: mark certain pins as invalid for interrupts Ben Skeggs (1): drm/nouveau/gsp: fix potential leak of memory used during acpi init Borislav Petkov (AMD) (1): KVM: SVM: Set synthesized TSA CPUID flags Carolina Jubran (1): net/mlx5e: Fix race between DIM disable and net_dim() Chao Yu (2): erofs: fix to add missing tracepoint in erofs_read_folio() erofs: fix to add missing tracepoint in erofs_readahead() Charles Keepax (1): ASoC: Intel: soc-acpi: arl: Correct order of cs42l43 matches Chia-Lin Kao (AceLan) (1): HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Chintan Vankar (1): net: ethernet: ti: am65-cpsw-nuss: Fix skb size by accounting for skb_shared_info Christian König (1): drm/ttm: fix error handling in ttm_buffer_object_transfer Chunhai Guo (1): erofs: free pclusters if no cached folio is attached Dan Carpenter (1): ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() Daniel J. Ogorchock (1): HID: nintendo: avoid bluetooth suspend/resume stalls Daniil Dulov (1): wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() David Howells (3): rxrpc: Fix bug due to prealloc collision rxrpc: Fix oops due to non-existence of prealloc backlog struct netfs: Fix ref leak on inserted extra subreq in write retry David Woodhouse (1): KVM: x86/xen: Allow 'out of range' event channel ports in IRQ routing table. Deren Wu (2): wifi: mt76: mt7921: prevent decap offload config before STA initialization wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload() Eric Biggers (1): crypto: s390/sha - Fix uninitialized variable in SHA-1 and SHA-2 Eric Dumazet (1): netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() EricChan (1): net: stmmac: Fix interrupt handling for level-triggered mode in DWC_XGMAC2 Fangrui Song (1): riscv: vdso: Exclude .rodata from the PT_DYNAMIC segment Felix Fietkau (1): wifi: rt2x00: fix remove callback type mismatch Fengnan Chang (1): io_uring: make fallocate be hashed work Filipe Manana (1): btrfs: fix assertion when building free space tree Flora Cui (2): drm/amdgpu/discovery: use specific ip_discovery.bin for legacy asics drm/amdgpu/ip_discovery: add missing ip_discovery fw Florian Fainelli (3): scripts/gdb: fix interrupts display after MCP on x86 scripts/gdb: de-reference per-CPU MCE interrupts scripts/gdb: fix interrupts.py after maple tree conversion Gao Xiang (5): erofs: address D-cache aliasing erofs: get rid of `z_erofs_next_pcluster_t` erofs: tidy up zdata.c erofs: refine readahead tracepoint erofs: fix rare pcluster memory leak after unmounting Greg Kroah-Hartman (1): Linux 6.12.39 Guillaume Nault (1): gre: Fix IPv6 multicast route creation. Hangbin Liu (1): selftests: net: lib: fix shift count out of range Haoxiang Li (1): net: ethernet: rtsn: Fix a null pointer dereference in rtsn_probe() Harry Yoo (1): lib/alloc_tag: do not acquire non-existent lock in alloc_tag_top_users() Henry Martin (1): wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init() Håkon Bugge (1): md/md-bitmap: fix GPF in bitmap_get_stats() JP Kobryn (1): x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Jakub Kicinski (1): netlink: make sure we allow at least one dump skb Jann Horn (1): x86/mm: Disable hugetlb page table sharing on 32-bit Jason Xing (1): bnxt_en: eliminate the compile warning in bnxt_request_irq due to CONFIG_RFS_ACCEL Jianbo Liu (1): net/mlx5e: Add new prio for promiscuous mode Jiawen Wu (1): net: wangxun: revert the adjustment of the IRQ vector sequence Jiayuan Chen (1): tcp: Correct signedness in skb remaining space calculation Johannes Berg (1): wifi: mac80211: fix non-transmitted BSSID profile search Kaustabh Chakraborty (1): drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Kevin Brodsky (1): arm64: poe: Handle spurious Overlay faults Kito Xu (1): net: appletalk: Fix device refcount leak in atrtr_create() Kuen-Han Tsai (2): usb: gadget: u_serial: Fix race condition in TTY wakeup Revert "usb: gadget: u_serial: Add null pointer check in gs_start_io" Kuniyuki Iwashima (6): netlink: Fix wraparounds of sk->sk_rmem_alloc. tipc: Fix use-after-free in tipc_conn_close(). atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atm: clip: Fix memory leak of struct clip_vcc. atm: clip: Fix infinite recursive call of clip_push(). netlink: Fix rmem check in netlink_broadcast_deliver(). Lachlan Hodges (2): wifi: cfg80211: fix S1G beacon head validation in nl80211 wifi: mac80211: correctly identify S1G short beacon Liam Merwick (1): KVM: Allow CPU to reschedule while setting per-page memory attributes Linus Torvalds (1): eventpoll: don't decrement ep refcount while still holding the ep mutex Long Li (1): net: mana: Record doorbell physical address in PF mode Luiz Augusto von Dentz (2): Bluetooth: hci_sync: Fix not disabling advertising instance Bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected Lukas Wunner (1): crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP() Luo Gengkun (1): perf/core: Fix the WARN_ON_ONCE is out of lock protected region Luo Jie (2): net: phy: qcom: move the WoL function to shared library net: phy: qcom: qca808x: Fix WoL issue by utilizing at8031_set_wol() Mario Limonciello (1): pinctrl: amd: Clear GPIO debounce for suspend Mark Brown (1): arm64: Filter out SME hwcaps when FEAT_SME isn't implemented Mathy Vanhoef (1): wifi: prevent A-MSDU attacks in mesh networks Matthew Auld (1): drm/xe/bmg: fix compressed VRAM handling Matthew Brost (3): drm/sched: Increment job count before swapping tail spsc queue Revert "drm/xe/xe2: Enable Indirect Ring State support for Xe2" drm/xe: Allocate PF queue size on pow2 boundary Michael Jeanson (1): rseq: Fix segfault on registration when rseq_cs is non-zero Michael Lo (1): wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw scan Michal Luczaj (3): vsock: Fix transport_{g2h,h2g} TOCTOU vsock: Fix transport_* TOCTOU vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Michal Wajdeczko (1): drm/xe/pf: Clear all LMTT pages on alloc Miguel Ojeda (1): rust: init: allow `dead_code` warnings for Rust >= 1.89.0 Mikhail Paulyshka (1): x86/rdrand: Disable RDSEED on AMD Cyan Skillfish Mikko Perttunen (1): drm/tegra: nvdec: Fix dma_alloc_coherent error check Ming Yen Hsieh (1): wifi: mt76: mt7925: fix the wrong config for tx interrupt Mingming Cao (1): ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof Nam Cao (1): irqchip/irq-msi-lib: Select CONFIG_GENERIC_MSI_IRQ Namjae Jeon (1): ksmbd: fix potential use-after-free in oplock/lease break ack Nicolas Pitre (1): vt: add missing notification when switching back to text mode Nigel Croxon (1): raid10: cleanup memleak at raid10_make_request Nikunj A Dadhania (1): KVM: SVM: Add missing member in SNP_LAUNCH_START command structure Oleksij Rempel (5): net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap net: phy: smsc: Force predictable MDI-X state on LAN87xx net: phy: smsc: Fix link failure in forced mode with Auto-MDIX net: phy: microchip: Use genphy_soft_reset() to purge stale LPA bits net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Peter Ujfalusi (1): ASoC: Intel: sof-function-topology-lib: Print out the unsupported dmic count Peter Zijlstra (2): sched/core: Fix migrate_swap() vs. hotplug perf: Revert to requiring CAP_SYS_ADMIN for uprobes Petr Machata (1): selftests: net: lib: Move logging from forwarding/lib.sh here Philip Yang (1): drm/amdkfd: Don't call mmput from MMU notifier callback Rafael J. Wysocki (1): Revert "ACPI: battery: negate current when discharging" Richard Fitzgerald (1): ASoC: cs35l56: probe() should fail if the device ID is not recognized Ronnie Sahlberg (1): ublk: sanity check add_dev input for underflow Sascha Hauer (1): clk: scmi: Handle case where child clocks are initialized before their parents Sean Christopherson (1): KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight Sean Nyekjaer (1): can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Shengjiu Wang (1): ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Shravya KN (1): bnxt_en: Fix DCB ETS validation Shuai Zhang (1): driver: bluetooth: hci_qca:fix unable to load the BT driver Shuicheng Lin (1): drm/xe/pm: Correct comment of xe_pm_set_vram_threshold() Simon Trimmer (2): ASoC: Intel: soc-acpi: arl: Correct naming of a cs35l56 address struct ASoC: Intel: soc-acpi: arl: Add match entries for new cs42l43 laptops Simona Vetter (1): drm/gem: Fix race in drm_gem_handle_create_tail() Somnath Kotur (1): bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Srinivasan Shanmugam (1): drm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV Stefan Metzmacher (1): smb: server: make use of rdma_destroy_qp() Stefano Garzarella (1): vsock: fix `vsock_proto` declaration Takashi Iwai (1): ALSA: hda/realtek: Add mic-mute LED setup for ASUS UM5606 Tamura Dai (1): ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak. Thomas Fourier (1): atm: idt77252: Add missing `dma_map_error()` Thomas Zimmermann (2): drm/gem: Acquire references on GEM handles for framebuffers drm/framebuffer: Acquire internal references on GEM handles Thorsten Blum (1): ALSA: ad1816a: Fix potential NULL pointer deref in snd_card_ad1816a_pnp() Tim Crawford (1): ALSA: hda/realtek: Add quirks for some Clevo laptops Tiwei Bie (1): um: vector: Reduce stack usage in vector_eth_configure() Uwe Kleine-König (2): pwm: Fix invalid state detection pwm: mediatek: Ensure to disable clocks in error path Victor Nogueira (1): net/sched: Abort __tc_modify_qdisc if parent class does not exist Vitor Soares (1): wifi: mwifiex: discard erroneous disassoc frames on STA interface Wang Jinchao (1): md/raid1: Fix stack memory use after return in raid1_reshape Wei Yang (1): maple_tree: fix mt_destroy_walk() on root leaf node Willem de Bruijn (2): bpf: Adjust free target to avoid global starvation of LRU map selftests/bpf: adapt one more case in test_lru_map to the new target_free Xiaolei Wang (1): clk: imx: Fix an out-of-bounds access in dispmix_csr_clk_dev_data Xiaowei Li (1): net: usb: qmi_wwan: add SIMCom 8230C composition Yasmin Fitzgerald (1): ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 Yazen Ghannam (4): x86/mce/amd: Add default names for MCA banks and blocks x86/mce/amd: Fix threshold limit reset x86/mce: Don't remove sysfs if thresholding sysfs init fails x86/mce: Ensure user polling settings are honored when restarting timer Yeoreum Yun (1): kasan: remove kasan_find_vm_area() to prevent possible deadlock Yue Haibing (1): atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Yuzuru10 (1): ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic Zhang Heng (1): HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Zhe Qiao (1): Revert "PCI/ACPI: Fix allocated memory release on error in pci_acpi_scan_root()" Zheng Qixing (1): nbd: fix uaf in nbd_genl_connect() error path kuyo chang (1): sched/deadline: Fix dl_server runtime calculation formula

2 months

1
1
0 0

Linux 6.6.99

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.99 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/bpf/map_hash.rst | 8 Documentation/bpf/map_lru_hash_update.dot | 6 Makefile | 2 arch/um/drivers/vector_kern.c | 42 -- arch/x86/Kconfig | 2 arch/x86/include/asm/msr-index.h | 1 arch/x86/kernel/cpu/amd.c | 7 arch/x86/kernel/cpu/mce/amd.c | 28 - arch/x86/kernel/cpu/mce/core.c | 8 arch/x86/kernel/cpu/mce/intel.c | 1 arch/x86/kvm/svm/sev.c | 4 arch/x86/kvm/xen.c | 15 crypto/ecc.c | 2 drivers/acpi/battery.c | 19 - drivers/atm/idt77252.c | 5 drivers/block/nbd.c | 6 drivers/block/ublk_drv.c | 3 drivers/char/ipmi/ipmi_msghandler.c | 3 drivers/gpu/drm/drm_framebuffer.c | 31 + drivers/gpu/drm/drm_gem.c | 74 +++- drivers/gpu/drm/drm_internal.h | 2 drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 drivers/gpu/drm/tegra/nvdec.c | 6 drivers/gpu/drm/ttm/ttm_bo_util.c | 13 drivers/hid/hid-ids.h | 6 drivers/hid/hid-lenovo.c | 8 drivers/hid/hid-multitouch.c | 8 drivers/hid/hid-quirks.c | 3 drivers/input/keyboard/atkbd.c | 3 drivers/md/md-bitmap.c | 3 drivers/md/raid1.c | 1 drivers/md/raid10.c | 10 drivers/net/can/m_can/m_can.c | 2 drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 drivers/net/ethernet/ibm/ibmvnic.h | 8 drivers/net/ethernet/microsoft/mana/gdma_main.c | 3 drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c | 24 - drivers/net/ethernet/xilinx/ll_temac_main.c | 2 drivers/net/phy/microchip.c | 2 drivers/net/phy/smsc.c | 57 +++ drivers/net/usb/qmi_wwan.c | 1 drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 drivers/pinctrl/pinctrl-amd.c | 11 drivers/pinctrl/qcom/pinctrl-msm.c | 20 + drivers/pwm/pwm-mediatek.c | 13 drivers/tty/vt/vt.c | 1 drivers/usb/cdns3/cdnsp-debug.h | 358 ++++++++++----------- drivers/usb/cdns3/cdnsp-ep0.c | 18 - drivers/usb/cdns3/cdnsp-gadget.c | 6 drivers/usb/cdns3/cdnsp-gadget.h | 11 drivers/usb/cdns3/cdnsp-ring.c | 27 - drivers/usb/dwc3/core.c | 9 drivers/usb/dwc3/gadget.c | 22 - drivers/usb/gadget/function/u_serial.c | 12 fs/btrfs/btrfs_inode.h | 2 fs/btrfs/free-space-tree.c | 16 fs/btrfs/inode.c | 18 - fs/btrfs/transaction.c | 2 fs/btrfs/tree-log.c | 331 +++++++++++-------- fs/erofs/data.c | 2 fs/eventpoll.c | 12 fs/proc/inode.c | 2 fs/proc/proc_sysctl.c | 18 - fs/proc/task_mmu.c | 14 fs/smb/client/cifsglob.h | 3 fs/smb/client/cifsproto.h | 13 fs/smb/client/connect.c | 47 +- fs/smb/client/dfs.c | 73 ++-- fs/smb/client/dfs.h | 42 +- fs/smb/client/dfs_cache.c | 186 ++++++---- fs/smb/client/fs_context.h | 1 fs/smb/client/misc.c | 9 fs/smb/client/namespace.c | 2 fs/smb/server/smb2pdu.c | 29 - fs/smb/server/transport_rdma.c | 5 fs/smb/server/vfs.c | 1 include/drm/drm_file.h | 3 include/drm/drm_framebuffer.h | 7 include/drm/spsc_queue.h | 4 include/linux/math.h | 12 include/linux/mm.h | 5 include/net/af_vsock.h | 2 include/net/netfilter/nf_flow_table.h | 2 io_uring/opdef.c | 1 kernel/bpf/bpf_lru_list.c | 9 kernel/bpf/bpf_lru_list.h | 1 kernel/events/core.c | 6 kernel/rseq.c | 60 ++- lib/maple_tree.c | 14 mm/kasan/report.c | 13 mm/vmalloc.c | 22 - net/appletalk/ddp.c | 1 net/atm/clip.c | 64 ++- net/bluetooth/hci_event.c | 39 -- net/bluetooth/hci_sync.c | 215 +++++++----- net/ipv4/tcp.c | 2 net/ipv6/addrconf.c | 9 net/netlink/af_netlink.c | 82 ++-- net/rxrpc/call_accept.c | 4 net/sched/sch_api.c | 23 - net/tipc/topsrv.c | 2 net/vmw_vsock/af_vsock.c | 57 ++- net/wireless/util.c | 52 ++- scripts/gdb/linux/constants.py.in | 7 scripts/gdb/linux/interrupts.py | 16 scripts/gdb/linux/mapletree.py | 252 ++++++++++++++ scripts/gdb/linux/xarray.py | 28 + sound/pci/hda/patch_realtek.c | 1 sound/soc/amd/yc/acp6x-mach.c | 7 sound/soc/codecs/cs35l56-shared.c | 2 sound/soc/fsl/fsl_asrc.c | 3 tools/arch/x86/include/asm/msr-index.h | 1 tools/build/feature/Makefile | 25 + tools/include/linux/kallsyms.h | 4 tools/perf/Makefile.perf | 27 + tools/testing/selftests/bpf/test_lru_map.c | 105 +++--- 117 files changed, 1937 insertions(+), 1031 deletions(-) Achill Gilgenast (1): kallsyms: fix build without execinfo Akira Inoue (1): HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Al Viro (2): fix proc_sys_compare() handling of in-lookup dentries ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Alexander Gordeev (1): mm/vmalloc: leave lazy MMU mode on PTE mapping error Alok Tiwari (1): net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Baolin Wang (1): mm: fix the inaccurate memory statistics issue for users Bartosz Golaszewski (1): pinctrl: qcom: msm: mark certain pins as invalid for interrupts Chao Yu (1): erofs: fix to add missing tracepoint in erofs_read_folio() Chia-Lin Kao (AceLan) (1): HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Christian Eggers (1): Bluetooth: HCI: Set extended advertising data synchronously Christian König (1): drm/ttm: fix error handling in ttm_buffer_object_transfer Dan Carpenter (1): ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() Daniil Dulov (1): wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() David Howells (2): rxrpc: Fix bug due to prealloc collision rxrpc: Fix oops due to non-existence of prealloc backlog struct David Woodhouse (1): KVM: x86/xen: Allow 'out of range' event channel ports in IRQ routing table. Eric Dumazet (1): netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() EricChan (1): net: stmmac: Fix interrupt handling for level-triggered mode in DWC_XGMAC2 Fengnan Chang (1): io_uring: make fallocate be hashed work Filipe Manana (6): btrfs: remove noinline from btrfs_update_inode() btrfs: remove redundant root argument from btrfs_update_inode_fallback() btrfs: remove redundant root argument from fixup_inode_link_count() btrfs: return a btrfs_inode from btrfs_iget_logging() btrfs: fix inode lookup error handling during log replay btrfs: fix assertion when building free space tree Florian Fainelli (3): scripts/gdb: fix interrupts display after MCP on x86 scripts/gdb: de-reference per-CPU MCE interrupts scripts/gdb: fix interrupts.py after maple tree conversion Greg Kroah-Hartman (1): Linux 6.6.99 Guillaume Nault (1): gre: Fix IPv6 multicast route creation. Hans de Goede (1): Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Håkon Bugge (1): md/md-bitmap: fix GPF in bitmap_get_stats() JP Kobryn (1): x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Jakub Kicinski (1): netlink: make sure we allow at least one dump skb Jann Horn (1): x86/mm: Disable hugetlb page table sharing on 32-bit Jiayuan Chen (1): tcp: Correct signedness in skb remaining space calculation Kaustabh Chakraborty (1): drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Kito Xu (1): net: appletalk: Fix device refcount leak in atrtr_create() Kuen-Han Tsai (3): usb: gadget: u_serial: Fix race condition in TTY wakeup Revert "usb: gadget: u_serial: Add null pointer check in gs_start_io" usb: dwc3: Abort suspend on soft disconnect failure Kuniyuki Iwashima (6): netlink: Fix wraparounds of sk->sk_rmem_alloc. tipc: Fix use-after-free in tipc_conn_close(). atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atm: clip: Fix memory leak of struct clip_vcc. atm: clip: Fix infinite recursive call of clip_push(). netlink: Fix rmem check in netlink_broadcast_deliver(). Lee Jones (1): usb: cdnsp: Replace snprintf() with the safer scnprintf() variant Leo Yan (1): perf: build: Setup PKG_CONFIG_LIBDIR for cross compilation Liam R. Howlett (1): maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() Linus Torvalds (1): eventpoll: don't decrement ep refcount while still holding the ep mutex Long Li (1): net: mana: Record doorbell physical address in PF mode Luiz Augusto von Dentz (2): Bluetooth: hci_sync: Fix not disabling advertising instance Bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected Lukas Wunner (1): crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP() Luo Gengkun (1): perf/core: Fix the WARN_ON_ONCE is out of lock protected region Mario Limonciello (1): pinctrl: amd: Clear GPIO debounce for suspend Mathy Vanhoef (1): wifi: prevent A-MSDU attacks in mesh networks Matthew Brost (1): drm/sched: Increment job count before swapping tail spsc queue Michael Jeanson (1): rseq: Fix segfault on registration when rseq_cs is non-zero Michal Luczaj (3): vsock: Fix transport_{g2h,h2g} TOCTOU vsock: Fix transport_* TOCTOU vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Mikhail Paulyshka (1): x86/rdrand: Disable RDSEED on AMD Cyan Skillfish Mikko Perttunen (1): drm/tegra: nvdec: Fix dma_alloc_coherent error check Mingming Cao (1): ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof Namjae Jeon (1): ksmbd: fix potential use-after-free in oplock/lease break ack Nicolas Pitre (1): vt: add missing notification when switching back to text mode Nigel Croxon (1): raid10: cleanup memleak at raid10_make_request Oleksij Rempel (4): net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap net: phy: smsc: Force predictable MDI-X state on LAN87xx net: phy: smsc: Fix link failure in forced mode with Auto-MDIX net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Paulo Alcantara (3): smb: client: avoid unnecessary reconnects when refreshing referrals smb: client: fix DFS interlink failover smb: client: fix potential race in cifs_put_tcon() Pawel Laszczak (2): usb:cdnsp: remove TRB_FLUSH_ENDPOINT command usb: cdnsp: Fix issue with CV Bad Descriptor test Peter Zijlstra (1): perf: Revert to requiring CAP_SYS_ADMIN for uprobes Rafael J. Wysocki (1): Revert "ACPI: battery: negate current when discharging" Richard Fitzgerald (1): ASoC: cs35l56: probe() should fail if the device ID is not recognized Ronnie Sahlberg (1): ublk: sanity check add_dev input for underflow Sean Christopherson (1): KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight Sean Nyekjaer (1): can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Shengjiu Wang (1): ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Shravya KN (1): bnxt_en: Fix DCB ETS validation Shyam Prasad N (1): cifs: all initializations for tcon should happen in tcon_info_alloc Simona Vetter (1): drm/gem: Fix race in drm_gem_handle_create_tail() Somnath Kotur (1): bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Stefan Metzmacher (1): smb: server: make use of rdma_destroy_qp() Stefano Garzarella (1): vsock: fix `vsock_proto` declaration Thomas Fourier (1): atm: idt77252: Add missing `dma_map_error()` Thomas Zimmermann (2): drm/gem: Acquire references on GEM handles for framebuffers drm/framebuffer: Acquire internal references on GEM handles Tiwei Bie (1): um: vector: Reduce stack usage in vector_eth_configure() Uwe Kleine-König (1): pwm: mediatek: Ensure to disable clocks in error path Victor Nogueira (1): net/sched: Abort __tc_modify_qdisc if parent class does not exist Wang Jinchao (1): md/raid1: Fix stack memory use after return in raid1_reshape Wei Yang (1): maple_tree: fix mt_destroy_walk() on root leaf node Willem de Bruijn (2): bpf: Adjust free target to avoid global starvation of LRU map selftests/bpf: adapt one more case in test_lru_map to the new target_free Xiaowei Li (1): net: usb: qmi_wwan: add SIMCom 8230C composition Yasmin Fitzgerald (1): ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 Yazen Ghannam (3): x86/mce/amd: Add default names for MCA banks and blocks x86/mce/amd: Fix threshold limit reset x86/mce: Don't remove sysfs if thresholding sysfs init fails Yeoreum Yun (1): kasan: remove kasan_find_vm_area() to prevent possible deadlock Yue Haibing (1): atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Yuzuru10 (1): ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic Zhang Heng (1): HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Zheng Qixing (1): nbd: fix uaf in nbd_genl_connect() error path

2 months

1
1
0 0

Linux 6.1.146

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.146 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/um/drivers/vector_kern.c | 42 --- arch/x86/Kconfig | 2 arch/x86/Makefile | 2 arch/x86/include/asm/cpufeatures.h | 2 arch/x86/kernel/cpu/mce/amd.c | 15 - arch/x86/kernel/cpu/mce/core.c | 8 arch/x86/kernel/cpu/mce/intel.c | 1 arch/x86/kvm/svm/sev.c | 4 arch/x86/kvm/xen.c | 15 - drivers/acpi/battery.c | 19 - drivers/atm/idt77252.c | 5 drivers/block/nbd.c | 6 drivers/char/ipmi/ipmi_msghandler.c | 3 drivers/gpu/drm/drm_gem.c | 10 drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 drivers/gpu/drm/tegra/nvdec.c | 6 drivers/gpu/drm/ttm/ttm_bo_util.c | 13 drivers/hid/hid-ids.h | 6 drivers/hid/hid-lenovo.c | 8 drivers/hid/hid-multitouch.c | 8 drivers/hid/hid-quirks.c | 3 drivers/input/joystick/xpad.c | 2 drivers/input/keyboard/atkbd.c | 3 drivers/md/md-bitmap.c | 3 drivers/md/raid1.c | 1 drivers/md/raid10.c | 10 drivers/net/can/m_can/m_can.c | 2 drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 drivers/net/ethernet/ibm/ibmvnic.h | 8 drivers/net/ethernet/xilinx/ll_temac_main.c | 2 drivers/net/phy/microchip.c | 2 drivers/net/phy/smsc.c | 28 +- drivers/net/usb/qmi_wwan.c | 1 drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 drivers/pinctrl/qcom/pinctrl-msm.c | 20 + drivers/platform/x86/ideapad-laptop.c | 19 + drivers/pwm/pwm-mediatek.c | 13 drivers/tty/vt/vt.c | 1 drivers/usb/cdns3/cdnsp-debug.h | 358 ++++++++++++-------------- drivers/usb/cdns3/cdnsp-ep0.c | 18 + drivers/usb/cdns3/cdnsp-gadget.c | 6 drivers/usb/cdns3/cdnsp-gadget.h | 11 drivers/usb/cdns3/cdnsp-ring.c | 27 - drivers/usb/dwc3/core.c | 9 drivers/usb/dwc3/gadget.c | 22 - drivers/usb/gadget/function/u_serial.c | 6 drivers/usb/host/xhci-mem.c | 4 drivers/usb/host/xhci-pci.c | 30 ++ drivers/usb/host/xhci.h | 1 drivers/vhost/scsi.c | 7 fs/anon_inodes.c | 23 + fs/btrfs/free-space-tree.c | 16 - fs/btrfs/inode.c | 28 +- fs/erofs/data.c | 2 fs/erofs/zdata.c | 126 +++------ fs/proc/inode.c | 2 fs/proc/proc_sysctl.c | 18 - fs/smb/server/smb2pdu.c | 29 -- fs/smb/server/transport_rdma.c | 5 fs/smb/server/vfs.c | 1 include/drm/drm_file.h | 3 include/drm/spsc_queue.h | 4 include/linux/fs.h | 2 include/net/netfilter/nf_flow_table.h | 2 include/trace/events/erofs.h | 16 - kernel/events/core.c | 2 kernel/rseq.c | 60 +++- lib/maple_tree.c | 7 mm/kasan/report.c | 13 mm/secretmem.c | 11 net/appletalk/ddp.c | 1 net/atm/clip.c | 64 +++- net/bluetooth/hci_sync.c | 2 net/ipv6/addrconf.c | 9 net/netlink/af_netlink.c | 82 +++-- net/rxrpc/call_accept.c | 3 net/sched/sch_api.c | 23 + net/tipc/topsrv.c | 2 net/vmw_vsock/af_vsock.c | 57 +++- net/wireless/util.c | 52 +++ sound/pci/hda/patch_realtek.c | 1 sound/soc/amd/yc/acp6x-mach.c | 7 sound/soc/fsl/fsl_asrc.c | 3 tools/include/linux/kallsyms.h | 4 86 files changed, 900 insertions(+), 588 deletions(-) Achill Gilgenast (1): kallsyms: fix build without execinfo Akira Inoue (1): HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Al Viro (2): fix proc_sys_compare() handling of in-lookup dentries ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Alexey Dobriyan (1): x86/boot: Compile boot code with -std=gnu11 too Alok Tiwari (1): net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Bartosz Golaszewski (1): pinctrl: qcom: msm: mark certain pins as invalid for interrupts Basavaraj Natikar (1): xhci: Allow RPM on the USB controller (1022:43f7) by default Chao Yu (1): erofs: fix to add missing tracepoint in erofs_read_folio() Chia-Lin Kao (AceLan) (1): HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Christian König (1): drm/ttm: fix error handling in ttm_buffer_object_transfer Dan Carpenter (1): ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() Daniil Dulov (1): wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() David Howells (1): rxrpc: Fix oops due to non-existence of prealloc backlog struct David Woodhouse (1): KVM: x86/xen: Allow 'out of range' event channel ports in IRQ routing table. Dongli Zhang (1): vhost-scsi: protect vq->log_used with vq->mutex Eric Dumazet (1): netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() Filipe Manana (2): btrfs: propagate last_unlink_trans earlier when doing a rmdir btrfs: fix assertion when building free space tree Gao Xiang (3): erofs: allocate extra bvec pages directly instead of retrying erofs: avoid on-stack pagepool directly passed by arguments erofs: adapt folios for z_erofs_read_folio() Greg Kroah-Hartman (1): Linux 6.1.146 Guillaume Nault (1): gre: Fix IPv6 multicast route creation. Hans de Goede (1): Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Håkon Bugge (1): md/md-bitmap: fix GPF in bitmap_get_stats() JP Kobryn (1): x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Jack Wang (1): x86: Fix X86_FEATURE_VERW_CLEAR definition Jakub Kicinski (1): netlink: make sure we allow at least one dump skb Jann Horn (1): x86/mm: Disable hugetlb page table sharing on 32-bit Kaustabh Chakraborty (1): drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Kito Xu (1): net: appletalk: Fix device refcount leak in atrtr_create() Kuen-Han Tsai (2): usb: gadget: u_serial: Fix race condition in TTY wakeup usb: dwc3: Abort suspend on soft disconnect failure Kuniyuki Iwashima (6): netlink: Fix wraparounds of sk->sk_rmem_alloc. tipc: Fix use-after-free in tipc_conn_close(). atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atm: clip: Fix memory leak of struct clip_vcc. atm: clip: Fix infinite recursive call of clip_push(). netlink: Fix rmem check in netlink_broadcast_deliver(). Lee Jones (1): usb: cdnsp: Replace snprintf() with the safer scnprintf() variant Liam R. Howlett (1): maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() Luiz Augusto von Dentz (1): Bluetooth: hci_sync: Fix not disabling advertising instance Mathy Vanhoef (1): wifi: prevent A-MSDU attacks in mesh networks Matthew Brost (1): drm/sched: Increment job count before swapping tail spsc queue Michael Jeanson (1): rseq: Fix segfault on registration when rseq_cs is non-zero Michal Luczaj (3): vsock: Fix transport_{g2h,h2g} TOCTOU vsock: Fix transport_* TOCTOU vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Mikko Perttunen (1): drm/tegra: nvdec: Fix dma_alloc_coherent error check Mingming Cao (1): ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof Namjae Jeon (1): ksmbd: fix potential use-after-free in oplock/lease break ack Nicolas Pitre (1): vt: add missing notification when switching back to text mode Nigel Croxon (1): raid10: cleanup memleak at raid10_make_request Nilton Perim Neto (1): Input: xpad - support Acer NGR 200 Controller Oleksij Rempel (3): net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap net: phy: smsc: Fix link failure in forced mode with Auto-MDIX net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Pawel Laszczak (2): usb:cdnsp: remove TRB_FLUSH_ENDPOINT command usb: cdnsp: Fix issue with CV Bad Descriptor test Peter Zijlstra (1): perf: Revert to requiring CAP_SYS_ADMIN for uprobes Rafael J. Wysocki (1): Revert "ACPI: battery: negate current when discharging" Raju Rangoju (1): usb: xhci: quirk for data loss in ISOC transfers Rong Zhang (1): platform/x86: ideapad-laptop: use usleep_range() for EC polling Sean Christopherson (1): KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight Sean Nyekjaer (1): can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Shengjiu Wang (1): ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Shivank Garg (1): fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass Shravya KN (1): bnxt_en: Fix DCB ETS validation Simona Vetter (1): drm/gem: Fix race in drm_gem_handle_create_tail() Somnath Kotur (1): bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Stefan Metzmacher (1): smb: server: make use of rdma_destroy_qp() Thomas Fourier (1): atm: idt77252: Add missing `dma_map_error()` Tiwei Bie (1): um: vector: Reduce stack usage in vector_eth_configure() Uwe Kleine-König (1): pwm: mediatek: Ensure to disable clocks in error path Victor Nogueira (1): net/sched: Abort __tc_modify_qdisc if parent class does not exist Wang Jinchao (1): md/raid1: Fix stack memory use after return in raid1_reshape Wei Yang (1): maple_tree: fix mt_destroy_walk() on root leaf node Xiaowei Li (1): net: usb: qmi_wwan: add SIMCom 8230C composition Yasmin Fitzgerald (1): ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 Yazen Ghannam (2): x86/mce/amd: Fix threshold limit reset x86/mce: Don't remove sysfs if thresholding sysfs init fails Yeoreum Yun (1): kasan: remove kasan_find_vm_area() to prevent possible deadlock Yue Haibing (1): atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Yue Hu (2): erofs: remove the member readahead from struct z_erofs_decompress_frontend erofs: clean up z_erofs_pcluster_readmore() Yuzuru10 (1): ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic Zhang Heng (1): HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Zheng Qixing (1): nbd: fix uaf in nbd_genl_connect() error path

2 months

1
1
0 0

Linux 5.15.189

by Greg Kroah-Hartman

I'm announcing the release of the 5.15.189 kernel. All users of the 5.15 kernel series must upgrade. The updated 5.15.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.15.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/um/drivers/vector_kern.c | 42 - arch/x86/Kconfig | 2 arch/x86/include/asm/cpufeatures.h | 2 arch/x86/include/asm/xen/page.h | 3 arch/x86/kernel/cpu/mce/amd.c | 15 arch/x86/kernel/cpu/mce/core.c | 8 arch/x86/kernel/cpu/mce/intel.c | 1 drivers/acpi/battery.c | 19 drivers/atm/idt77252.c | 5 drivers/block/aoe/aoeblk.c | 5 drivers/block/nbd.c | 6 drivers/dma-buf/dma-resv.c | 171 ++++--- drivers/gpu/drm/drm_gem.c | 10 drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 drivers/hid/hid-ids.h | 6 drivers/hid/hid-lenovo.c | 8 drivers/hid/hid-multitouch.c | 8 drivers/hid/hid-quirks.c | 3 drivers/infiniband/hw/mlx5/main.c | 33 + drivers/input/joystick/xpad.c | 2 drivers/input/keyboard/atkbd.c | 3 drivers/md/raid1.c | 1 drivers/md/raid10.c | 10 drivers/net/can/m_can/m_can.c | 2 drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 drivers/net/ethernet/intel/ice/ice_main.c | 29 - drivers/net/ethernet/xilinx/ll_temac_main.c | 2 drivers/net/phy/microchip.c | 2 drivers/net/phy/smsc.c | 28 + drivers/net/usb/qmi_wwan.c | 1 drivers/net/virtio_net.c | 44 + drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 drivers/pinctrl/qcom/pinctrl-msm.c | 20 drivers/pwm/pwm-mediatek.c | 15 drivers/thermal/intel/int340x_thermal/int3400_thermal.c | 9 drivers/tty/hvc/hvc_xen.c | 2 drivers/tty/vt/vt.c | 1 drivers/usb/cdns3/cdnsp-debug.h | 358 +++++++--------- drivers/usb/cdns3/cdnsp-ep0.c | 18 drivers/usb/cdns3/cdnsp-gadget.c | 6 drivers/usb/cdns3/cdnsp-gadget.h | 11 drivers/usb/cdns3/cdnsp-ring.c | 27 - drivers/usb/dwc3/core.c | 9 drivers/usb/dwc3/gadget.c | 22 drivers/usb/gadget/function/u_serial.c | 6 drivers/usb/host/xhci-mem.c | 4 drivers/usb/host/xhci-pci.c | 30 + drivers/usb/host/xhci-plat.c | 3 drivers/usb/host/xhci.h | 1 drivers/vhost/scsi.c | 7 drivers/xen/grant-table.c | 6 drivers/xen/xenbus/xenbus_probe.c | 3 fs/btrfs/inode.c | 36 - fs/jfs/jfs_dtree.c | 2 fs/ksmbd/transport_rdma.c | 5 fs/ksmbd/vfs.c | 1 fs/proc/array.c | 6 fs/proc/inode.c | 2 fs/proc/proc_sysctl.c | 18 include/drm/drm_file.h | 3 include/drm/spsc_queue.h | 4 include/linux/dma-resv.h | 95 ++++ include/net/netfilter/nf_flow_table.h | 2 include/xen/arm/page.h | 3 kernel/bpf/verifier.c | 21 kernel/events/core.c | 2 kernel/rseq.c | 60 ++ net/appletalk/ddp.c | 1 net/atm/clip.c | 64 ++ net/core/skmsg.c | 12 net/ipv6/addrconf.c | 9 net/netlink/af_netlink.c | 82 ++- net/rxrpc/call_accept.c | 3 net/sched/sch_api.c | 23 - net/tipc/topsrv.c | 2 net/vmw_vsock/af_vsock.c | 57 ++ sound/soc/fsl/fsl_asrc.c | 3 79 files changed, 1015 insertions(+), 546 deletions(-) Akira Inoue (1): HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Al Viro (2): fix proc_sys_compare() handling of in-lookup dentries ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Alok Tiwari (1): net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Andrii Nakryiko (1): bpf: fix precision backtracking instruction iteration Bartosz Golaszewski (1): pinctrl: qcom: msm: mark certain pins as invalid for interrupts Basavaraj Natikar (1): xhci: Allow RPM on the USB controller (1022:43f7) by default Bui Quang Minh (1): virtio-net: ensure the received length does not exceed allocated size Chia-Lin Kao (AceLan) (1): HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Christian König (3): dma-buf: add dma_resv_for_each_fence_unlocked v8 dma-buf: use new iterator in dma_resv_wait_timeout dma-buf: fix timeout handling in dma_resv_wait_timeout v2 Daniil Dulov (1): wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() David Howells (1): rxrpc: Fix oops due to non-existence of prealloc backlog struct Dongli Zhang (1): vhost-scsi: protect vq->log_used with vq->mutex Edward Adam Davis (1): jfs: fix null ptr deref in dtInsertEntry Eric Dumazet (1): netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() Filipe Manana (2): btrfs: propagate last_unlink_trans earlier when doing a rmdir btrfs: use btrfs_record_snapshot_destroy() during rmdir Greg Kroah-Hartman (1): Linux 5.15.189 Guillaume Nault (1): gre: Fix IPv6 multicast route creation. Hans de Goede (1): Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Hongyu Xie (1): xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS JP Kobryn (1): x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Jack Wang (1): x86: Fix X86_FEATURE_VERW_CLEAR definition Jakub Kicinski (1): netlink: make sure we allow at least one dump skb Jann Horn (1): x86/mm: Disable hugetlb page table sharing on 32-bit Jesse Brandeburg (1): ice: safer stats processing John Fastabend (1): bpf, sockmap: Fix skb refcnt race after locking changes Juergen Gross (1): xen: replace xen_remap() with memremap() Kaustabh Chakraborty (1): drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Kito Xu (1): net: appletalk: Fix device refcount leak in atrtr_create() Kuen-Han Tsai (2): usb: gadget: u_serial: Fix race condition in TTY wakeup usb: dwc3: Abort suspend on soft disconnect failure Kuniyuki Iwashima (6): netlink: Fix wraparounds of sk->sk_rmem_alloc. tipc: Fix use-after-free in tipc_conn_close(). atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atm: clip: Fix memory leak of struct clip_vcc. atm: clip: Fix infinite recursive call of clip_push(). netlink: Fix rmem check in netlink_broadcast_deliver(). Lee Jones (1): usb: cdnsp: Replace snprintf() with the safer scnprintf() variant Lee, Chun-Yi (1): thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR Maksim Kiselev (1): aoe: avoid potential deadlock at set_capacity Matthew Brost (1): drm/sched: Increment job count before swapping tail spsc queue Michael Jeanson (1): rseq: Fix segfault on registration when rseq_cs is non-zero Michal Luczaj (3): vsock: Fix transport_{g2h,h2g} TOCTOU vsock: Fix transport_* TOCTOU vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Nicolas Pitre (1): vt: add missing notification when switching back to text mode Nigel Croxon (1): raid10: cleanup memleak at raid10_make_request Nilton Perim Neto (1): Input: xpad - support Acer NGR 200 Controller Oleg Nesterov (1): fs/proc: do_task_stat: use __for_each_thread() Oleksij Rempel (3): net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap net: phy: smsc: Fix link failure in forced mode with Auto-MDIX net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Patrisious Haddad (1): RDMA/mlx5: Fix vport loopback for MPV device Pawel Laszczak (2): usb:cdnsp: remove TRB_FLUSH_ENDPOINT command usb: cdnsp: Fix issue with CV Bad Descriptor test Peter Zijlstra (1): perf: Revert to requiring CAP_SYS_ADMIN for uprobes Rafael J. Wysocki (1): Revert "ACPI: battery: negate current when discharging" Raju Rangoju (1): usb: xhci: quirk for data loss in ISOC transfers Sean Nyekjaer (1): can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Shengjiu Wang (1): ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Shravya KN (1): bnxt_en: Fix DCB ETS validation Simona Vetter (1): drm/gem: Fix race in drm_gem_handle_create_tail() Somnath Kotur (1): bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Stefan Metzmacher (1): smb: server: make use of rdma_destroy_qp() Thomas Fourier (1): atm: idt77252: Add missing `dma_map_error()` Tiwei Bie (1): um: vector: Reduce stack usage in vector_eth_configure() Uwe Kleine-König (1): pwm: mediatek: Ensure to disable clocks in error path Victor Nogueira (1): net/sched: Abort __tc_modify_qdisc if parent class does not exist Wang Jinchao (1): md/raid1: Fix stack memory use after return in raid1_reshape Xiaowei Li (1): net: usb: qmi_wwan: add SIMCom 8230C composition Yazen Ghannam (2): x86/mce/amd: Fix threshold limit reset x86/mce: Don't remove sysfs if thresholding sysfs init fails Yue Haibing (1): atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Zhang Heng (1): HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Zheng Qixing (1): nbd: fix uaf in nbd_genl_connect() error path

2 months

1
1
0 0

Linux 5.10.240

by Greg Kroah-Hartman

I'm announcing the release of the 5.10.240 kernel. All users of the 5.10 kernel series must upgrade. The updated 5.10.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.10.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/ABI/testing/sysfs-devices-system-cpu | 2 Documentation/ABI/testing/sysfs-driver-ufs | 2 Documentation/admin-guide/hw-vuln/index.rst | 1 Documentation/admin-guide/hw-vuln/indirect-target-selection.rst | 156 +++++ Documentation/admin-guide/hw-vuln/processor_mmio_stale_data.rst | 4 Documentation/admin-guide/kernel-parameters.txt | 28 Documentation/devicetree/bindings/serial/8250.yaml | 2 Makefile | 2 arch/arm64/mm/mmu.c | 3 arch/powerpc/include/uapi/asm/ioctls.h | 8 arch/s390/Makefile | 2 arch/s390/purgatory/Makefile | 2 arch/um/drivers/ubd_user.c | 2 arch/um/drivers/vector_kern.c | 42 - arch/um/include/asm/asm-prototypes.h | 5 arch/x86/Kconfig | 22 arch/x86/entry/entry.S | 8 arch/x86/include/asm/alternative.h | 26 arch/x86/include/asm/cpu.h | 13 arch/x86/include/asm/cpufeature.h | 5 arch/x86/include/asm/cpufeatures.h | 14 arch/x86/include/asm/disabled-features.h | 2 arch/x86/include/asm/irqflags.h | 4 arch/x86/include/asm/msr-index.h | 13 arch/x86/include/asm/mwait.h | 19 arch/x86/include/asm/nospec-branch.h | 50 + arch/x86/include/asm/required-features.h | 2 arch/x86/include/asm/text-patching.h | 31 + arch/x86/kernel/alternative.c | 308 +++++++++- arch/x86/kernel/cpu/amd.c | 58 + arch/x86/kernel/cpu/bugs.c | 272 ++++++++ arch/x86/kernel/cpu/common.c | 77 ++ arch/x86/kernel/cpu/mce/amd.c | 15 arch/x86/kernel/cpu/mce/core.c | 8 arch/x86/kernel/cpu/mce/intel.c | 1 arch/x86/kernel/cpu/scattered.c | 1 arch/x86/kernel/ftrace.c | 4 arch/x86/kernel/kprobes/core.c | 39 - arch/x86/kernel/module.c | 14 arch/x86/kernel/process.c | 15 arch/x86/kernel/static_call.c | 2 arch/x86/kernel/vmlinux.lds.S | 8 arch/x86/kvm/cpuid.c | 31 - arch/x86/kvm/cpuid.h | 1 arch/x86/kvm/svm/vmenter.S | 3 arch/x86/kvm/vmx/vmx.c | 2 arch/x86/kvm/x86.c | 4 arch/x86/lib/retpoline.S | 39 + arch/x86/net/bpf_jit_comp.c | 8 arch/x86/um/asm/checksum.h | 3 drivers/acpi/acpi_pad.c | 7 drivers/acpi/acpica/dsmethod.c | 7 drivers/acpi/battery.c | 19 drivers/ata/pata_cs5536.c | 2 drivers/atm/idt77252.c | 5 drivers/base/cpu.c | 15 drivers/dma-buf/dma-resv.c | 2 drivers/dma/xilinx/xilinx_dma.c | 2 drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c | 2 drivers/gpu/drm/bridge/cdns-dsi.c | 27 drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 drivers/gpu/drm/exynos/exynos_drm_fimd.c | 12 drivers/gpu/drm/i915/gt/intel_ring_submission.c | 3 drivers/gpu/drm/i915/selftests/i915_request.c | 20 drivers/gpu/drm/i915/selftests/mock_request.c | 2 drivers/gpu/drm/tegra/dc.c | 17 drivers/gpu/drm/tegra/hub.c | 4 drivers/gpu/drm/tegra/hub.h | 3 drivers/gpu/drm/udl/udl_drv.c | 2 drivers/gpu/drm/v3d/v3d_drv.h | 7 drivers/gpu/drm/v3d/v3d_gem.c | 2 drivers/gpu/drm/v3d/v3d_irq.c | 38 - drivers/hid/hid-ids.h | 5 drivers/hid/hid-quirks.c | 3 drivers/hid/wacom_sys.c | 6 drivers/hv/channel_mgmt.c | 117 ++- drivers/hv/hyperv_vmbus.h | 19 drivers/hv/vmbus_drv.c | 2 drivers/hwmon/pmbus/max34440.c | 48 + drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 drivers/i2c/busses/i2c-tiny-usb.c | 6 drivers/iio/pressure/zpa2326.c | 2 drivers/infiniband/core/iwcm.c | 38 - drivers/infiniband/core/iwcm.h | 2 drivers/infiniband/hw/mlx5/counters.c | 2 drivers/infiniband/hw/mlx5/devx.c | 2 drivers/infiniband/hw/mlx5/main.c | 33 + drivers/input/joystick/xpad.c | 5 drivers/input/keyboard/atkbd.c | 3 drivers/leds/led-class-multicolor.c | 3 drivers/mailbox/mailbox.c | 2 drivers/md/bcache/super.c | 7 drivers/md/dm-raid.c | 2 drivers/md/md-bitmap.c | 2 drivers/md/raid1.c | 1 drivers/media/platform/omap3isp/ispccdc.c | 8 drivers/media/platform/omap3isp/ispstat.c | 6 drivers/media/usb/uvc/uvc_ctrl.c | 61 + drivers/mfd/max14577.c | 1 drivers/misc/vmw_vmci/vmci_host.c | 9 drivers/mmc/host/mtk-sd.c | 39 - drivers/mmc/host/sdhci.c | 9 drivers/mmc/host/sdhci.h | 16 drivers/net/can/m_can/m_can.c | 2 drivers/net/can/m_can/tcan4x5x.c | 9 drivers/net/ethernet/amd/xgbe/xgbe-common.h | 2 drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 9 drivers/net/ethernet/amd/xgbe/xgbe.h | 4 drivers/net/ethernet/atheros/atlx/atl1.c | 78 +- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 drivers/net/ethernet/cisco/enic/enic_main.c | 4 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 141 +++- drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.h | 20 drivers/net/ethernet/freescale/dpaa2/dpaa2-ethtool.c | 18 drivers/net/ethernet/freescale/dpaa2/dpni-cmd.h | 6 drivers/net/ethernet/freescale/dpaa2/dpni.c | 2 drivers/net/ethernet/freescale/dpaa2/dpni.h | 6 drivers/net/ethernet/freescale/enetc/enetc_hw.h | 2 drivers/net/ethernet/sun/niu.c | 31 - drivers/net/ethernet/sun/niu.h | 4 drivers/net/ethernet/xilinx/ll_temac_main.c | 2 drivers/net/phy/microchip.c | 2 drivers/net/phy/smsc.c | 28 drivers/net/usb/qmi_wwan.c | 1 drivers/net/wireless/ath/ath6kl/bmi.c | 4 drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 drivers/pci/controller/cadence/pcie-cadence-ep.c | 5 drivers/pci/controller/pci-hyperv.c | 17 drivers/pinctrl/qcom/pinctrl-msm.c | 20 drivers/platform/mellanox/mlxbf-tmfifo.c | 3 drivers/pwm/pwm-mediatek.c | 15 drivers/regulator/gpio-regulator.c | 4 drivers/rtc/lib_test.c | 2 drivers/rtc/rtc-cmos.c | 10 drivers/scsi/qla2xxx/qla_mbx.c | 2 drivers/scsi/qla4xxx/ql4_os.c | 2 drivers/scsi/ufs/ufs-sysfs.c | 4 drivers/spi/spi-fsl-dspi.c | 11 drivers/staging/rtl8723bs/core/rtw_security.c | 46 - drivers/target/target_core_pr.c | 4 drivers/tty/vt/vt.c | 1 drivers/uio/uio_hv_generic.c | 18 drivers/usb/class/cdc-wdm.c | 23 drivers/usb/common/usb-conn-gpio.c | 25 drivers/usb/core/quirks.c | 3 drivers/usb/core/usb.c | 14 drivers/usb/gadget/function/f_tcm.c | 4 drivers/usb/gadget/function/u_serial.c | 6 drivers/usb/host/xhci-dbgcap.c | 4 drivers/usb/host/xhci-dbgtty.c | 1 drivers/usb/typec/altmodes/displayport.c | 5 drivers/usb/typec/tcpm/tcpci_maxim.c | 20 drivers/vhost/scsi.c | 7 fs/btrfs/inode.c | 36 - fs/btrfs/tree-log.c | 4 fs/btrfs/volumes.c | 6 fs/ceph/file.c | 2 fs/cifs/misc.c | 8 fs/f2fs/super.c | 30 fs/jfs/jfs_dmap.c | 41 - fs/namespace.c | 8 fs/nfs/flexfilelayout/flexfilelayout.c | 121 ++- fs/nfs/inode.c | 17 fs/nfs/nfs4proc.c | 12 fs/nfs/pnfs.c | 4 fs/overlayfs/util.c | 4 fs/proc/array.c | 6 fs/proc/inode.c | 2 fs/proc/proc_sysctl.c | 18 include/drm/spsc_queue.h | 4 include/linux/cpu.h | 3 include/linux/hyperv.h | 2 include/linux/ipv6.h | 1 include/linux/module.h | 5 include/linux/usb/typec_dp.h | 1 include/uapi/linux/vm_sockets.h | 30 kernel/events/core.c | 2 kernel/rcu/tree.c | 4 kernel/rseq.c | 60 + lib/test_objagg.c | 4 net/appletalk/ddp.c | 1 net/atm/clip.c | 75 +- net/atm/resources.c | 3 net/bluetooth/l2cap_core.c | 9 net/ipv6/ip6_output.c | 9 net/mac80211/rx.c | 4 net/mac80211/util.c | 2 net/netlink/af_netlink.c | 82 +- net/rose/rose_route.c | 15 net/rxrpc/call_accept.c | 3 net/sched/sch_api.c | 42 - net/sched/sch_sfq.c | 10 net/tipc/topsrv.c | 2 net/vmw_vsock/af_vsock.c | 78 ++ net/vmw_vsock/vmci_transport.c | 4 sound/isa/sb/sb16_main.c | 4 sound/pci/hda/hda_bind.c | 2 sound/pci/hda/hda_intel.c | 3 sound/soc/fsl/fsl_asrc.c | 3 sound/usb/stream.c | 2 tools/lib/bpf/btf_dump.c | 3 202 files changed, 2709 insertions(+), 793 deletions(-) Al Viro (2): attach_recursive_mnt(): do not lock the covering tree when sliding something under it fix proc_sys_compare() handling of in-lookup dentries Alexandre Belloni (1): rtc: lib_test: add MODULE_LICENSE Alexandru Ardelean (1): uio: uio_hv_generic: use devm_kzalloc() for private data alloc Alexis Czezar Torreno (1): hwmon: (pmbus/max34440) Fix support for max34451 Alok Tiwari (2): enic: fix incorrect MTU comparison in enic_change_mtu() net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Amit Sunil Dhamne (1): usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx() Andra Paraschiv (4): vm_sockets: Add flags field in the vsock address data structure vm_sockets: Add VMADDR_FLAG_TO_HOST vsock flag af_vsock: Set VMADDR_FLAG_TO_HOST flag on the receive path af_vsock: Assign the vsock transport considering the vsock address flags Andrei Kuchynski (1): usb: typec: displayport: Fix potential deadlock Andy Shevchenko (1): usb: Add checks for snprintf() calls in usb_alloc_dev() Aradhya Bhatia (4): drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() drm/bridge: cdns-dsi: Fix connecting to next bridge drm/bridge: cdns-dsi: Check return value when getting default PHY config drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready Badhri Jagan Sridharan (1): usb: typec: tcpci_maxim: Fix uninitialized return variable Bart Van Assche (1): scsi: ufs: core: Fix spelling of a sysfs attribute name Bartosz Golaszewski (1): pinctrl: qcom: msm: mark certain pins as invalid for interrupts Benjamin Coddington (1): NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN Borislav Petkov (5): x86/bugs: Rename MDS machinery to something more generic x86/bugs: Add a Transient Scheduler Attacks mitigation KVM: x86: add support for CPUID leaf 0x80000021 KVM: SVM: Advertise TSA CPUID bits to guests x86/process: Move the buffer clearing before MONITOR Borislav Petkov (AMD) (1): x86/alternative: Optimize returns patching Brett A C Sheffield (Librecast) (1): Revert "ipv6: save dontfrag in cork" Brett Werling (1): can: tcan4x5x: fix power regulator retrieval during probe Cezary Rojewski (1): ALSA: hda: Ignore unsol events for cards being shut down Chance Yang (1): usb: common: usb-conn-gpio: use a unique name for usb connector device Chao Yu (1): f2fs: don't over-report free space or inodes in statvfs Chen Yufeng (1): usb: potential integer overflow in usbg_make_tpg() Chia-Lin Kao (AceLan) (1): HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Christian König (1): dma-buf: fix timeout handling in dma_resv_wait_timeout v2 Dan Carpenter (2): drm/i915/selftests: Change mock_request() to return error pointers lib: test_objagg: Set error message in check_expect_hints_stats() Daniel Sneddon (1): x86/bhi: Define SPEC_CTRL_BHI_DIS_S Daniil Dulov (1): wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Dave Kleikamp (1): fs/jfs: consolidate sanity checking in dbMount David Howells (1): rxrpc: Fix oops due to non-existence of prealloc backlog struct David Thompson (1): platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment Dev Jain (1): arm64: Restrict pagetable teardown to avoid false warning Dexuan Cui (1): PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time Dmitry Kandybka (1): ceph: fix possible integer overflow in ceph_zero_objects() Dongli Zhang (1): vhost-scsi: protect vq->log_used with vq->mutex Eric Biggers (1): x86/its: Fix build errors when CONFIG_MODULES=n Eric Dumazet (2): net_sched: sch_sfq: reject invalid perturb period atm: clip: prevent NULL deref in clip_push() Filipe Manana (3): btrfs: fix missing error handling when searching for inode refs during log replay btrfs: propagate last_unlink_trans earlier when doing a rmdir btrfs: use btrfs_record_snapshot_destroy() during rmdir Frédéric Danis (1): Bluetooth: L2CAP: Fix L2CAP MTU negotiation Fushuai Wang (1): dpaa2-eth: fix xdp_rxq_info leak George Kennedy (1): VMCI: check context->notify_page after call to get_user_pages_fast() to avoid GPF Greg Kroah-Hartman (1): Linux 5.10.240 Gustavo A. R. Silva (1): net: rose: Fix fall-through warnings for Clang Haiyang Zhang (1): Drivers: hv: vmbus: Fix duplicate CPU assignments within a device Hans de Goede (1): Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID HarshaVardhana S A (1): vsock/vmci: Clear the vmci transport packet properly when initializing it Heinz Mauelshagen (1): dm-raid: fix variable in journal device check Ioana Ciornei (2): dpaa2-eth: rename dpaa2_eth_xdp_release_buf into dpaa2_eth_recycle_buf net: dpaa2-eth: rearrange variable in dpaa2_eth_get_ethtool_stats JP Kobryn (1): x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Jakub Kicinski (1): netlink: make sure we allow at least one dump skb James Clark (1): spi: spi-fsl-dspi: Clear completion counter before initiating transfer Jann Horn (1): x86/mm: Disable hugetlb page table sharing on 32-bit Janusz Krzysztofik (1): drm/i915/gt: Fix timeline left held on VMA alloc error Jay Cornwall (1): drm/amdkfd: Fix race in GWS queue scheduling Johannes Berg (3): ata: pata_cs5536: fix build on 32-bit UML wifi: mac80211: drop invalid source address OCB frames wifi: ath6kl: remove WARN on bad firmware input Jonathan Cameron (1): iio: pressure: zpa2326: Use aligned_s64 for the timestamp Jos Wang (1): usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode Josh Poimboeuf (1): x86/alternatives: Remove faulty optimization Junlin Yang (2): usb: typec: tcpci_maxim: remove redundant assignment usb: typec: tcpci_maxim: add terminating newlines to logging Kaustabh Chakraborty (1): drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Kees Cook (1): ovl: Check for NULL d_inode() in ovl_dentry_upper() Kito Xu (1): net: appletalk: Fix device refcount leak in atrtr_create() Kohei Enju (1): rose: fix dangling neighbour pointers in rose_rt_device_down() Krzysztof Kozlowski (1): mfd: max14577: Fix wakeup source leaks on device unbind Kuen-Han Tsai (1): usb: gadget: u_serial: Fix race condition in TTY wakeup Kuniyuki Iwashima (8): atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails. netlink: Fix wraparounds of sk->sk_rmem_alloc. tipc: Fix use-after-free in tipc_conn_close(). atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atm: clip: Fix memory leak of struct clip_vcc. atm: clip: Fix infinite recursive call of clip_push(). netlink: Fix rmem check in netlink_broadcast_deliver(). Lachlan Hodges (1): wifi: mac80211: fix beacon interval calculation overflow Linggang Zeng (1): bcache: fix NULL pointer in cache_set_flush() Lion Ackermann (1): net/sched: Always pass notifications when child class becomes empty Long Li (1): uio_hv_generic: Align ring size to system page Madhavan Srinivasan (1): powerpc: Fix struct termio related ioctl macros Manivannan Sadhasivam (1): regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods Marek Szyprowski (2): media: omap3isp: use sgtable-based scatterlist wrappers drm/exynos: fimd: Guard display clock control with runtime PM calls Mark Harmstone (1): btrfs: update superblock's device bytes_used when dropping chunk Mark Zhang (1): RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert Masami Hiramatsu (Google) (2): mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data mtk-sd: Prevent memory corruption from DMA map failure Mateusz Jończyk (1): rtc: cmos: use spin_lock_irqsave in cmos_interrupt Mathias Nyman (1): xhci: dbc: Flush queued requests before stopping dbc Matt Reynolds (1): Input: xpad - add support for Amazon Game Controller Matthew Brost (1): drm/sched: Increment job count before swapping tail spsc queue Maurizio Lombardi (1): scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() Maíra Canal (1): drm/v3d: Disable interrupts before resetting the GPU Michael Jeanson (1): rseq: Fix segfault on registration when rseq_cs is non-zero Michal Luczaj (3): vsock: Fix transport_{g2h,h2g} TOCTOU vsock: Fix transport_* TOCTOU vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Nathan Chancellor (2): s390: Add '-std=gnu11' to decompressor and purgatory CFLAGS staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() Nicolas Pitre (1): vt: add missing notification when switching back to text mode Niklas Cassel (1): PCI: cadence-ep: Correct PBA offset in .set_msix() callback Nilton Perim Neto (1): Input: xpad - support Acer NGR 200 Controller Oleg Nesterov (1): fs/proc: do_task_stat: use __for_each_thread() Oleksij Rempel (3): net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap net: phy: smsc: Fix link failure in forced mode with Auto-MDIX net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Olga Kornievskaia (1): NFSv4.2: fix listxattr to return selinux security label Oliver Neukum (1): Logitech C-270 even more broken Pali Rohár (1): cifs: Fix cifs_query_path_info() for Windows NT servers Patrisious Haddad (2): RDMA/mlx5: Fix CC counters query for MPV RDMA/mlx5: Fix vport loopback for MPV device Pawan Gupta (7): Documentation: x86/bugs/its: Add ITS documentation x86/its: Enumerate Indirect Target Selection (ITS) bug x86/its: Add support for ITS-safe indirect thunk x86/its: Add support for ITS-safe return thunk x86/its: Fix undefined reference to cpu_wants_rethunk_at() x86/its: Enable Indirect Target Selection mitigation x86/its: Add "vmexit" option to skip mitigation on some CPUs Peng Fan (1): mailbox: Not protect module_put with spin_lock_irqsave Peter Zijlstra (5): perf: Revert to requiring CAP_SYS_ADMIN for uprobes x86/alternatives: Introduce int3_emulate_jcc() x86/alternatives: Teach text_poke_bp() to patch Jcc.d32 instructions x86/its: Use dynamic thunks for indirect branches x86/its: FineIBT-paranoid vs ITS Qasim Ijaz (3): HID: wacom: fix memory leak on kobject creation failure HID: wacom: fix memory leak on sysfs attribute creation failure HID: wacom: fix kobject reference count leak Qiu-ji Chen (1): drm/tegra: Fix a possible null pointer dereference RD Babiera (1): usb: typec: altmodes/displayport: do not index invalid pin_assignments Radu Bulie (2): dpaa2-eth: Update dpni_get_single_step_cfg command dpaa2-eth: Update SINGLE_STEP register access Rafael J. Wysocki (2): ACPICA: Refuse to evaluate a method if arguments are missing Revert "ACPI: battery: negate current when discharging" Raju Rangoju (1): amd-xgbe: align CL37 AN sequence as per databook Ricardo Ribalda (3): media: uvcvideo: Return the number of processed controls media: uvcvideo: Send control events for partial succeeds media: uvcvideo: Rollback non processed entities on error Robert Hodaszi (1): usb: cdc-wdm: avoid setting WDM_READ for ZLP-s Sami Tolvanen (1): um: Add cmpxchg8b_emu and checksum functions to asm-prototypes.h Saurabh Sengar (2): Drivers: hv: vmbus: Add utility function for querying ring size uio_hv_generic: Query the ringbuffer size for device Sean Nyekjaer (1): can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Seiji Nishikawa (1): ACPI: PAD: fix crash in exit_round_robin() Sergey Senozhatsky (1): mtk-sd: reset host->mrq on prepare_data() error Shengjiu Wang (1): ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Shin'ichiro Kawasaki (1): RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction Shravya KN (1): bnxt_en: Fix DCB ETS validation Simon Horman (1): net: enetc: Correct endianness handling in _enetc_rd_reg64 Somnath Kotur (1): bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Stefano Garzarella (1): vsock/uapi: fix linux/vm_sockets.h userspace compilation errors Sven Schwermer (1): leds: multicolor: Fix intensity setting while SW blinking Takashi Iwai (1): ALSA: sb: Force to disable DMAs once when DMA mode is changed Thierry Reding (1): drm/tegra: Assign plane type before registration Thomas Fourier (5): scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database() scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() nui: Fix dma_mapping_error() check ethernet: atl1: Add missing DMA mapping error checks and count errors atm: idt77252: Add missing `dma_map_error()` Thomas Gessler (1): dmaengine: xilinx_dma: Set dma_device directions Thomas Gleixner (1): x86/modules: Set VM_FLUSH_RESET_PERMS in module_alloc() Thomas Zimmermann (1): drm/udl: Unregister device before cleaning up on disconnect Tigran Mkrtchyan (1): flexfiles/pNFS: update stats on NFS4ERR_DELAY for v4.1 DSes Tiwei Bie (2): um: ubd: Add missing error check in start_io_thread() um: vector: Reduce stack usage in vector_eth_configure() Trond Myklebust (1): NFSv4/flexfiles: Fix handling of NFS level errors in I/O Uladzislau Rezki (Sony) (1): rcu: Return early if callback is not specified Ulf Hansson (1): Revert "mmc: sdhci: Disable SD card clock before changing parameters" Uwe Kleine-König (1): pwm: mediatek: Ensure to disable clocks in error path Vasiliy Kovalev (1): jfs: validate AG parameters in dbMount() to prevent crashes Vicki Pfau (1): Input: xpad - add VID for Turtle Beach controllers Victor Nogueira (1): net/sched: Abort __tc_modify_qdisc if parent class does not exist Victor Shih (1): mmc: sdhci: Add a helper function for dump register in dynamic debug mode Vijendar Mukunda (1): ALSA: hda: Add new pci id for AMD GPU display HD audio controller Vitaly Kuznetsov (1): Drivers: hv: Rename 'alloced' to 'allocated' Wang Jinchao (1): md/raid1: Fix stack memory use after return in raid1_reshape Weihang Li (1): RDMA/core: Use refcount_t instead of atomic_t on refcount of iwcm_id_private Wolfram Sang (2): i2c: tiny-usb: disable zero-length read messages i2c: robotfuzz-osif: disable zero-length read messages Wupeng Ma (1): VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify Xiaowei Li (1): net: usb: qmi_wwan: add SIMCom 8230C composition Yao Zi (1): dt-bindings: serial: 8250: Make clocks and clock-frequency exclusive Yazen Ghannam (2): x86/mce/amd: Fix threshold limit reset x86/mce: Don't remove sysfs if thresholding sysfs init fails Youngjun Lee (1): ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() Yu Kuai (1): md/md-bitmap: fix dm-raid max_write_behind setting Yuan Chen (1): libbpf: Fix null pointer dereference in btf_dump__free on allocation failure Yue Haibing (1): atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Yue Hu (1): mmc: mediatek: use data instead of mrq parameter from msdc_{un}prepare_data() Zhang Heng (1): HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Łukasz Bartosik (1): xhci: dbctty: disable ECHO flag by default

2 months

1
1
0 0

Linux 5.4.296

by Greg Kroah-Hartman

I'm announcing the release of the 5.4.296 kernel. All users of the 5.4 kernel series must upgrade. The updated 5.4.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.4.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/ABI/testing/sysfs-driver-ufs | 2 Makefile | 2 arch/arm64/mm/mmu.c | 3 arch/powerpc/include/uapi/asm/ioctls.h | 8 arch/s390/Makefile | 2 arch/s390/purgatory/Makefile | 2 arch/um/drivers/ubd_user.c | 2 arch/x86/Kconfig | 2 arch/x86/kernel/cpu/mce/amd.c | 15 - arch/x86/kernel/cpu/mce/core.c | 8 arch/x86/kernel/cpu/mce/intel.c | 1 drivers/acpi/acpi_pad.c | 7 drivers/acpi/acpica/dsmethod.c | 7 drivers/acpi/battery.c | 19 - drivers/ata/pata_cs5536.c | 2 drivers/atm/idt77252.c | 5 drivers/dma-buf/dma-resv.c | 5 drivers/dma/xilinx/xilinx_dma.c | 2 drivers/gpu/drm/bridge/cdns-dsi.c | 11 drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 drivers/gpu/drm/exynos/exynos_drm_fimd.c | 12 drivers/gpu/drm/i915/gt/intel_ringbuffer.c | 3 drivers/gpu/drm/i915/selftests/i915_request.c | 20 - drivers/gpu/drm/i915/selftests/mock_request.c | 2 drivers/gpu/drm/tegra/dc.c | 12 drivers/gpu/drm/tegra/hub.c | 4 drivers/gpu/drm/tegra/hub.h | 3 drivers/gpu/drm/v3d/v3d_drv.h | 9 drivers/gpu/drm/v3d/v3d_gem.c | 2 drivers/gpu/drm/v3d/v3d_irq.c | 36 +- drivers/hid/hid-ids.h | 5 drivers/hid/hid-quirks.c | 3 drivers/hid/wacom_sys.c | 6 drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 drivers/i2c/busses/i2c-tiny-usb.c | 6 drivers/iio/pressure/zpa2326.c | 2 drivers/infiniband/core/device.c | 1 drivers/infiniband/core/iwcm.c | 38 +- drivers/infiniband/core/iwcm.h | 2 drivers/infiniband/core/uverbs_std_types_counters.c | 17 - drivers/infiniband/hw/mlx5/devx.c | 2 drivers/infiniband/hw/mlx5/main.c | 55 ++- drivers/input/joystick/xpad.c | 5 drivers/input/keyboard/atkbd.c | 3 drivers/mailbox/mailbox.c | 2 drivers/md/dm-raid.c | 2 drivers/md/md-bitmap.c | 2 drivers/md/raid1.c | 1 drivers/media/platform/omap3isp/ispccdc.c | 8 drivers/media/platform/omap3isp/ispstat.c | 6 drivers/media/platform/vivid/vivid-vid-cap.c | 2 drivers/media/usb/dvb-usb/cxusb.c | 36 +- drivers/media/usb/uvc/uvc_ctrl.c | 61 +++- drivers/mfd/max14577.c | 1 drivers/misc/vmw_vmci/vmci_host.c | 9 drivers/mmc/host/mtk-sd.c | 39 +- drivers/mmc/host/sdhci.c | 9 drivers/mmc/host/sdhci.h | 16 + drivers/net/can/m_can/m_can.c | 2 drivers/net/ethernet/amd/xgbe/xgbe-common.h | 2 drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 9 drivers/net/ethernet/amd/xgbe/xgbe.h | 4 drivers/net/ethernet/atheros/atlx/atl1.c | 78 +++-- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 drivers/net/ethernet/cisco/enic/enic_main.c | 4 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 26 + drivers/net/ethernet/freescale/enetc/enetc_hw.h | 2 drivers/net/ethernet/sun/niu.c | 31 ++ drivers/net/ethernet/sun/niu.h | 4 drivers/net/phy/microchip.c | 2 drivers/net/usb/qmi_wwan.c | 1 drivers/net/wireless/ath/ath6kl/bmi.c | 4 drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 drivers/pinctrl/qcom/pinctrl-msm.c | 20 + drivers/platform/mellanox/mlxbf-tmfifo.c | 3 drivers/pwm/pwm-mediatek.c | 15 - drivers/regulator/gpio-regulator.c | 19 + drivers/scsi/qla4xxx/ql4_os.c | 2 drivers/scsi/ufs/ufs-sysfs.c | 4 drivers/spi/spi-fsl-dspi.c | 55 ++- drivers/staging/rtl8723bs/core/rtw_security.c | 46 --- drivers/tty/serial/uartlite.c | 15 - drivers/tty/vt/vt.c | 1 drivers/usb/class/cdc-wdm.c | 23 - drivers/usb/core/quirks.c | 3 drivers/usb/core/usb.c | 14 drivers/usb/gadget/function/f_tcm.c | 4 drivers/usb/gadget/function/u_serial.c | 6 drivers/usb/typec/altmodes/displayport.c | 5 fs/btrfs/inode.c | 36 +- fs/btrfs/ioctl.c | 3 fs/btrfs/tree-log.c | 4 fs/ceph/file.c | 2 fs/cifs/misc.c | 8 fs/jfs/jfs_dmap.c | 41 -- fs/namespace.c | 8 fs/nfs/flexfilelayout/flexfilelayout.c | 144 +++++++-- fs/nfs/inode.c | 17 - fs/overlayfs/util.c | 4 fs/proc/inode.c | 16 - fs/proc/proc_sysctl.c | 18 - include/drm/spsc_queue.h | 4 include/linux/of.h | 291 +++++++++----------- include/linux/regulator/gpio-regulator.h | 2 include/linux/usb/typec_dp.h | 1 include/rdma/ib_verbs.h | 7 include/uapi/linux/vm_sockets.h | 4 init/Kconfig | 4 lib/test_objagg.c | 4 net/appletalk/ddp.c | 1 net/atm/clip.c | 64 +++- net/atm/resources.c | 3 net/bluetooth/l2cap_core.c | 9 net/bpfilter/Makefile | 5 net/ipv6/route.c | 3 net/mac80211/rx.c | 4 net/mac80211/util.c | 2 net/netlink/af_netlink.c | 82 +++-- net/rose/rose_route.c | 15 - net/rxrpc/call_accept.c | 3 net/sched/sch_api.c | 42 +- net/tipc/topsrv.c | 2 net/vmw_vsock/vmci_transport.c | 4 scripts/Kbuild.include | 2 scripts/Makefile.host | 4 scripts/Makefile.lib | 8 sound/isa/sb/sb16_main.c | 4 sound/pci/hda/hda_bind.c | 2 sound/soc/meson/meson-card-utils.c | 2 sound/usb/stream.c | 2 usr/include/Makefile | 6 132 files changed, 1178 insertions(+), 680 deletions(-) Al Viro (2): attach_recursive_mnt(): do not lock the covering tree when sliding something under it fix proc_sys_compare() handling of in-lookup dentries Alok Tiwari (1): enic: fix incorrect MTU comparison in enic_change_mtu() Andrei Kuchynski (1): usb: typec: displayport: Fix potential deadlock Andy Shevchenko (1): usb: Add checks for snprintf() calls in usb_alloc_dev() Aradhya Bhatia (3): drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() drm/bridge: cdns-dsi: Fix connecting to next bridge drm/bridge: cdns-dsi: Check return value when getting default PHY config Arnd Bergmann (1): kbuild: hdrcheck: fix cross build with clang Bart Van Assche (1): scsi: ufs: core: Fix spelling of a sysfs attribute name Bartosz Golaszewski (1): pinctrl: qcom: msm: mark certain pins as invalid for interrupts Cezary Rojewski (1): ALSA: hda: Ignore unsol events for cards being shut down Chen Yufeng (1): usb: potential integer overflow in usbg_make_tpg() Chia-Lin Kao (AceLan) (1): HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Christian König (1): dma-buf: fix timeout handling in dma_resv_wait_timeout v2 Dan Carpenter (2): lib: test_objagg: Set error message in check_expect_hints_stats() drm/i915/selftests: Change mock_request() to return error pointers Daniil Dulov (1): wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Dave Kleikamp (1): fs/jfs: consolidate sanity checking in dbMount David Howells (1): rxrpc: Fix oops due to non-existence of prealloc backlog struct David Thompson (1): platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment Denis Arefev (1): media: vivid: Change the siize of the composing Dev Jain (1): arm64: Restrict pagetable teardown to avoid false warning Dmitry Kandybka (1): ceph: fix possible integer overflow in ceph_zero_objects() Edward Adam Davis (1): media: cxusb: no longer judge rbuf when the write fails Eric W. Biederman (1): proc: Clear the pieces of proc_inode that proc_evict_inode cares about Filipe Manana (3): btrfs: fix missing error handling when searching for inode refs during log replay btrfs: propagate last_unlink_trans earlier when doing a rmdir btrfs: use btrfs_record_snapshot_destroy() during rmdir Frédéric Danis (1): Bluetooth: L2CAP: Fix L2CAP MTU negotiation Fushuai Wang (1): dpaa2-eth: fix xdp_rxq_info leak Georg Kohmann (1): net: ipv6: Discard next-hop MTU less than minimum link MTU George Kennedy (1): VMCI: check context->notify_page after call to get_user_pages_fast() to avoid GPF Greg Kroah-Hartman (1): Linux 5.4.296 Gustavo A. R. Silva (1): net: rose: Fix fall-through warnings for Clang Hans de Goede (1): Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID HarshaVardhana S A (1): vsock/vmci: Clear the vmci transport packet properly when initializing it Heinz Mauelshagen (1): dm-raid: fix variable in journal device check JP Kobryn (1): x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Jakub Kicinski (1): netlink: make sure we allow at least one dump skb Jakub Lewalski (1): tty: serial: uartlite: register uart driver in init James Clark (1): spi: spi-fsl-dspi: Clear completion counter before initiating transfer Jann Horn (1): x86/mm: Disable hugetlb page table sharing on 32-bit Janusz Krzysztofik (1): drm/i915/gt: Fix timeline left held on VMA alloc error Jerome Neanne (1): regulator: gpio: Add input_supply support in gpio_regulator_config Johannes Berg (3): ata: pata_cs5536: fix build on 32-bit UML wifi: mac80211: drop invalid source address OCB frames wifi: ath6kl: remove WARN on bad firmware input Jonathan Cameron (1): iio: pressure: zpa2326: Use aligned_s64 for the timestamp Jos Wang (1): usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode Kaustabh Chakraborty (1): drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Kees Cook (1): ovl: Check for NULL d_inode() in ovl_dentry_upper() Kito Xu (1): net: appletalk: Fix device refcount leak in atrtr_create() Kohei Enju (1): rose: fix dangling neighbour pointers in rose_rt_device_down() Krzysztof Kozlowski (1): mfd: max14577: Fix wakeup source leaks on device unbind Kuen-Han Tsai (1): usb: gadget: u_serial: Fix race condition in TTY wakeup Kuniyuki Iwashima (8): atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails. netlink: Fix wraparounds of sk->sk_rmem_alloc. tipc: Fix use-after-free in tipc_conn_close(). atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atm: clip: Fix memory leak of struct clip_vcc. atm: clip: Fix infinite recursive call of clip_push(). netlink: Fix rmem check in netlink_broadcast_deliver(). Lachlan Hodges (1): wifi: mac80211: fix beacon interval calculation overflow Leon Romanovsky (1): RDMA/core: Create and destroy counters in the ib_core Lion Ackermann (1): net/sched: Always pass notifications when child class becomes empty Madhavan Srinivasan (1): powerpc: Fix struct termio related ioctl macros Manivannan Sadhasivam (1): regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods Marek Szyprowski (2): media: omap3isp: use sgtable-based scatterlist wrappers drm/exynos: fimd: Guard display clock control with runtime PM calls Mark Zhang (1): RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert Martin Blumenstingl (1): ASoC: meson: meson-card-utils: use of_property_present() for DT parsing Masahiro Yamada (3): kbuild: use -MMD instead of -MD to exclude system headers from dependency bpfilter: match bit size of bpfilter_umh to that of the kernel kbuild: add --target to correctly cross-compile UAPI headers with Clang Masami Hiramatsu (Google) (2): mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data mtk-sd: Prevent memory corruption from DMA map failure Matt Reynolds (1): Input: xpad - add support for Amazon Game Controller Matthew Brost (1): drm/sched: Increment job count before swapping tail spsc queue Maíra Canal (1): drm/v3d: Disable interrupts before resetting the GPU Michael Walle (1): of: property: define of_property_read_u{8,16,32,64}_array() unconditionally Nathan Chancellor (2): s390: Add '-std=gnu11' to decompressor and purgatory CFLAGS staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() Nicolas Pitre (1): vt: add missing notification when switching back to text mode Nilton Perim Neto (1): Input: xpad - support Acer NGR 200 Controller Oleksij Rempel (1): net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Oliver Neukum (1): Logitech C-270 even more broken Omar Sandoval (1): btrfs: don't abort filesystem when attempting to snapshot deleted subvolume Pali Rohár (1): cifs: Fix cifs_query_path_info() for Windows NT servers Patrisious Haddad (2): RDMA/mlx5: Fix CC counters query for MPV RDMA/mlx5: Fix vport loopback for MPV device Peng Fan (1): mailbox: Not protect module_put with spin_lock_irqsave Qasim Ijaz (3): HID: wacom: fix memory leak on kobject creation failure HID: wacom: fix memory leak on sysfs attribute creation failure HID: wacom: fix kobject reference count leak RD Babiera (1): usb: typec: altmodes/displayport: do not index invalid pin_assignments Rafael J. Wysocki (2): ACPICA: Refuse to evaluate a method if arguments are missing Revert "ACPI: battery: negate current when discharging" Raju Rangoju (1): amd-xgbe: align CL37 AN sequence as per databook Ricardo Ribalda (3): media: uvcvideo: Return the number of processed controls media: uvcvideo: Send control events for partial succeeds media: uvcvideo: Rollback non processed entities on error Rob Herring (1): of: Add of_property_present() helper Robert Hodaszi (1): usb: cdc-wdm: avoid setting WDM_READ for ZLP-s Sean Nyekjaer (1): can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Sean Young (1): media: cxusb: use dev_dbg() rather than hand-rolled debug Seiji Nishikawa (1): ACPI: PAD: fix crash in exit_round_robin() Sergey Senozhatsky (1): mtk-sd: reset host->mrq on prepare_data() error Shin'ichiro Kawasaki (1): RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction Shravya KN (1): bnxt_en: Fix DCB ETS validation Simon Horman (1): net: enetc: Correct endianness handling in _enetc_rd_reg64 Somnath Kotur (1): bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Stefano Garzarella (1): vsock/uapi: fix linux/vm_sockets.h userspace compilation errors Takashi Iwai (1): ALSA: sb: Force to disable DMAs once when DMA mode is changed Thierry Reding (1): drm/tegra: Assign plane type before registration Thomas Fourier (4): scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() nui: Fix dma_mapping_error() check ethernet: atl1: Add missing DMA mapping error checks and count errors atm: idt77252: Add missing `dma_map_error()` Thomas Gessler (1): dmaengine: xilinx_dma: Set dma_device directions Tigran Mkrtchyan (1): flexfiles/pNFS: update stats on NFS4ERR_DELAY for v4.1 DSes Tiwei Bie (1): um: ubd: Add missing error check in start_io_thread() Trond Myklebust (1): NFSv4/flexfiles: Fix handling of NFS level errors in I/O Ulf Hansson (1): Revert "mmc: sdhci: Disable SD card clock before changing parameters" Uwe Kleine-König (1): pwm: mediatek: Ensure to disable clocks in error path Vasiliy Kovalev (1): jfs: validate AG parameters in dbMount() to prevent crashes Vicki Pfau (1): Input: xpad - add VID for Turtle Beach controllers Victor Nogueira (1): net/sched: Abort __tc_modify_qdisc if parent class does not exist Victor Shih (1): mmc: sdhci: Add a helper function for dump register in dynamic debug mode Vladimir Oltean (2): spi: spi-fsl-dspi: Rename fifo_{read,write} and {tx,cmd}_fifo_write spi: spi-fsl-dspi: Fix interrupt-less DMA mode taking an XSPI code path Wang Jinchao (1): md/raid1: Fix stack memory use after return in raid1_reshape Weihang Li (1): RDMA/core: Use refcount_t instead of atomic_t on refcount of iwcm_id_private Wolfram Sang (2): i2c: tiny-usb: disable zero-length read messages i2c: robotfuzz-osif: disable zero-length read messages Wupeng Ma (1): VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify Xiaowei Li (1): net: usb: qmi_wwan: add SIMCom 8230C composition Yazen Ghannam (2): x86/mce/amd: Fix threshold limit reset x86/mce: Don't remove sysfs if thresholding sysfs init fails Youngjun Lee (1): ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() Yu Kuai (1): md/md-bitmap: fix dm-raid max_write_behind setting Yue Haibing (1): atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Yue Hu (1): mmc: mediatek: use data instead of mrq parameter from msdc_{un}prepare_data() Zhang Heng (1): HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY

2 months

1
1
0 0

[PATCH vulns] CVE-2022-49501: Fix affected versions

by He Zhe

As mentioned in the commit log of the fix, it is commit 2c9d6c2b871d ("usbnet: run unbind() before unregister_netdev()") that causes this CVE. Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- cve/published/2022/CVE-2022-49501.vulnerable | 1 + 1 file changed, 1 insertion(+) create mode 100644 cve/published/2022/CVE-2022-49501.vulnerable diff --git a/cve/published/2022/CVE-2022-49501.vulnerable b/cve/published/2022/CVE-2022-49501.vulnerable new file mode 100644 index 000000000..138b53caf --- /dev/null +++ b/cve/published/2022/CVE-2022-49501.vulnerable @@ -0,0 +1 @@ +2c9d6c2b871d5841ce26ede3e81fd37e2e33c42c -- 2.34.1

2 months

2
1
0 0

[PATCH v2] iommu/amd: Fix geometry.aperture_end for V2 tables

by Jason Gunthorpe

The AMD IOMMU documentation seems pretty clear that the V2 table follows the normal CPU expectation of sign extension. This is shown in Figure 25: AMD64 Long Mode 4-Kbyte Page Address Translation Where bits Sign-Extend [63:57] == [56]. This is typical for x86 which would have three regions in the page table: lower, non-canonical, upper. The manual describes that the V1 table does not sign extend in section 2.2.4 Sharing AMD64 Processor and IOMMU Page Tables GPA-to-SPA Further, Vasant has checked this and indicates the HW has an addtional behavior that the manual does not yet describe. The AMDv2 table does not have the sign extended behavior when attached to PASID 0, which may explain why this has gone unnoticed. The iommu domain geometry does not directly support sign extended page tables. The driver should report only one of the lower/upper spaces. Solve this by removing the top VA bit from the geometry to use only the lower space. This will also make the iommu_domain work consistently on all PASID 0 and PASID != 1. Adjust dma_max_address() to remove the top VA bit. It now returns: 5 Level: Before 0x1ffffffffffffff After 0x0ffffffffffffff 4 Level: Before 0xffffffffffff After 0x7fffffffffff Fixes: 11c439a19466 ("iommu/amd/pgtbl_v2: Fix domain max address") Link: https://lore.kernel.org/all/8858d4d6-d360-4ef0-935c-bfd13ea54f42@amd.com/ Signed-off-by: Jason Gunthorpe <jgg(a)nvidia.com> --- drivers/iommu/amd/iommu.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) v2: - Revise the commit message and comment with the new information from Vasant. v1: https://patch.msgid.link/r/0-v1-6925ece6b623+296-amdv2_geo_jgg@nvidia.com diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c index 3117d99cf83d0d..1baa9d3583f369 100644 --- a/drivers/iommu/amd/iommu.c +++ b/drivers/iommu/amd/iommu.c @@ -2526,8 +2526,21 @@ static inline u64 dma_max_address(enum protection_domain_mode pgtable) if (pgtable == PD_MODE_V1) return ~0ULL; - /* V2 with 4/5 level page table */ - return ((1ULL << PM_LEVEL_SHIFT(amd_iommu_gpt_level)) - 1); + /* + * V2 with 4/5 level page table. Note that "2.2.6.5 AMD64 4-Kbyte Page + * Translation" shows that the V2 table sign extends the top of the + * address space creating a reserved region in the middle of the + * translation, just like the CPU does. Further Vasant says the docs are + * incomplete and this only applies to non-zero PASIDs. If the AMDv2 + * page table is assigned to the 0 PASID then there is no sign extension + * check. + * + * Since the IOMMU must have a fixed geometry, and the core code does + * not understand sign extended addressing, we have to chop off the high + * bit to get consistent behavior with attachments of the domain to any + * PASID. + */ + return ((1ULL << (PM_LEVEL_SHIFT(amd_iommu_gpt_level) - 1)) - 1); } static bool amd_iommu_hd_support(struct amd_iommu *iommu) base-commit: eb328711b15b17987021dbb674f446b7b008dca5 -- 2.43.0

2 months

4
8
0 0

Backport 36569780b0d6 ("sched: Change nr_uninterruptible type to unsigned long") to linux-stable

by Aruna Ramakrishna

Hi maintainers, Please consider backporting this upstream commit: 36569780b0d6 ("sched: Change nr_uninterruptible type to unsigned long”) into all stable branches newer than (and including) linux-5.14.y. This fixes an overflow bug introduced in commit: e6fe3f422be1 ("sched: Make multiple runqueue task counters 32-bit”) which was merged into 5.14. I forgot to tag the original patch for inclusion into stable - I apologize for the oversight. The patch should apply cleanly to all versions - let me know if you’d like me to send a separate patch for stable. Thanks very much, Aruna

2 months

1
0
0 0

[PATCH net] phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept()

by Nathan Chancellor

A new warning in clang [1] points out a place in pep_sock_accept() where dst is uninitialized then passed as a const pointer to pep_find_pipe(): net/phonet/pep.c:829:37: error: variable 'dst' is uninitialized when passed as a const pointer argument here [-Werror,-Wuninitialized-const-pointer] 829 | newsk = pep_find_pipe(&pn->hlist, &dst, pipe_handle); | ^~~: Move the call to pn_skb_get_dst_sockaddr(), which initializes dst, to before the call to pep_find_pipe(), so that dst is consistently used initialized throughout the function. Cc: stable(a)vger.kernel.org Fixes: f7ae8d59f661 ("Phonet: allocate sock from accept syscall rather than soft IRQ") Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d44… [1] Closes: https://github.com/ClangBuiltLinux/linux/issues/2101 Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- net/phonet/pep.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/phonet/pep.c b/net/phonet/pep.c index 53a858478e22..62527e1ebb88 100644 --- a/net/phonet/pep.c +++ b/net/phonet/pep.c @@ -826,6 +826,7 @@ static struct sock *pep_sock_accept(struct sock *sk, } /* Check for duplicate pipe handle */ + pn_skb_get_dst_sockaddr(skb, &dst); newsk = pep_find_pipe(&pn->hlist, &dst, pipe_handle); if (unlikely(newsk)) { __sock_put(newsk); @@ -850,7 +851,6 @@ static struct sock *pep_sock_accept(struct sock *sk, newsk->sk_destruct = pipe_destruct; newpn = pep_sk(newsk); - pn_skb_get_dst_sockaddr(skb, &dst); pn_skb_get_src_sockaddr(skb, &src); newpn->pn_sk.sobject = pn_sockaddr_get_object(&dst); newpn->pn_sk.dobject = pn_sockaddr_get_object(&src); --- base-commit: 0e9418961f897be59b1fab6e31ae1b09a0bae902 change-id: 20250715-net-phonet-fix-uninit-const-pointer-64f0182b11e1 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

2 months

2
1
0 0

[PATCH v9 1/4] serial: 8250: fix panic due to PSLVERR

by Yunhui Cui

When the PSLVERR_RESP_EN parameter is set to 1, the device generates an error response if an attempt is made to read an empty RBR (Receive Buffer Register) while the FIFO is enabled. In serial8250_do_startup(), calling serial_port_out(port, UART_LCR, UART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes dw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter function enables the FIFO via serial_out(p, UART_FCR, p->fcr). Execution proceeds to the serial_port_in(port, UART_RX). This satisfies the PSLVERR trigger condition. When another CPU (e.g., using printk()) is accessing the UART (UART is busy), the current CPU fails the check (value & ~UART_LCR_SPAR) == (lcr & ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter dw8250_force_idle(). Put serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port->lock to fix this issue. Panic backtrace: [ 0.442336] Oops - unknown exception [#1] [ 0.442343] epc : dw8250_serial_in32+0x1e/0x4a [ 0.442351] ra : serial8250_do_startup+0x2c8/0x88e ... [ 0.442416] console_on_rootfs+0x26/0x70 Fixes: c49436b657d0 ("serial: 8250_dw: Improve unwritable LCR workaround") Link: https://lore.kernel.org/all/84cydt5peu.fsf@jogness.linutronix.de/T/ Signed-off-by: Yunhui Cui <cuiyunhui(a)bytedance.com> Cc: stable(a)vger.kernel.org --- drivers/tty/serial/8250/8250_port.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c index 6d7b8c4667c9c..07fe818dffa34 100644 --- a/drivers/tty/serial/8250/8250_port.c +++ b/drivers/tty/serial/8250/8250_port.c @@ -2376,9 +2376,10 @@ int serial8250_do_startup(struct uart_port *port) /* * Now, initialize the UART */ - serial_port_out(port, UART_LCR, UART_LCR_WLEN8); uart_port_lock_irqsave(port, &flags); + serial_port_out(port, UART_LCR, UART_LCR_WLEN8); + if (up->port.flags & UPF_FOURPORT) { if (!up->port.irq) up->port.mctrl |= TIOCM_OUT1; -- 2.39.5

2 months

4
3
0 0

[PATCH v2 1/3] bus: mhi: host: keep bhi buffer through suspend cycle

by Muhammad Usama Anjum

When there is memory pressure, at resume time dma_alloc_coherent() returns error which in turn fails the loading of firmware and hence the driver crashes: kernel: kworker/u33:5: page allocation failure: order:7, mode:0xc04(GFP_NOIO|GFP_DMA32), nodemask=(null),cpuset=/,mems_allowed=0 kernel: CPU: 1 UID: 0 PID: 7693 Comm: kworker/u33:5 Not tainted 6.11.11-valve17-1-neptune-611-g027868a0ac03 #1 3843143b92e9da0fa2d3d5f21f51beaed15c7d59 kernel: Hardware name: Valve Galileo/Galileo, BIOS F7G0112 08/01/2024 kernel: Workqueue: mhi_hiprio_wq mhi_pm_st_worker [mhi] kernel: Call Trace: kernel: <TASK> kernel: dump_stack_lvl+0x4e/0x70 kernel: warn_alloc+0x164/0x190 kernel: ? srso_return_thunk+0x5/0x5f kernel: ? __alloc_pages_direct_compact+0xaf/0x360 kernel: __alloc_pages_slowpath.constprop.0+0xc75/0xd70 kernel: __alloc_pages_noprof+0x321/0x350 kernel: __dma_direct_alloc_pages.isra.0+0x14a/0x290 kernel: dma_direct_alloc+0x70/0x270 kernel: mhi_fw_load_handler+0x126/0x340 [mhi a96cb91daba500cc77f86bad60c1f332dc3babdf] kernel: mhi_pm_st_worker+0x5e8/0xac0 [mhi a96cb91daba500cc77f86bad60c1f332dc3babdf] kernel: ? srso_return_thunk+0x5/0x5f kernel: process_one_work+0x17e/0x330 kernel: worker_thread+0x2ce/0x3f0 kernel: ? __pfx_worker_thread+0x10/0x10 kernel: kthread+0xd2/0x100 kernel: ? __pfx_kthread+0x10/0x10 kernel: ret_from_fork+0x34/0x50 kernel: ? __pfx_kthread+0x10/0x10 kernel: ret_from_fork_asm+0x1a/0x30 kernel: </TASK> kernel: Mem-Info: kernel: active_anon:513809 inactive_anon:152 isolated_anon:0 active_file:359315 inactive_file:2487001 isolated_file:0 unevictable:637 dirty:19 writeback:0 slab_reclaimable:160391 slab_unreclaimable:39729 mapped:175836 shmem:51039 pagetables:4415 sec_pagetables:0 bounce:0 kernel_misc_reclaimable:0 free:125666 free_pcp:0 free_cma:0 In above example, if we sum all the consumed memory, it comes out to be 15.5GB and free memory is ~ 500MB from a total of 16GB RAM. Even though memory is present. But all of the dma memory has been exhausted or fragmented. Fix it by allocating it only once and then reuse the same allocated memory. As we'll allocate this memory only once, this memory will stay allocated. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03926.13-QCAHSPSWPL_V2_SILICONZ_CE-2.52297.6 Fixes: cd457afb1667 ("bus: mhi: core: Add support for downloading firmware over BHIe") Cc: stable(a)vger.kernel.org Cc: Krishna Chaitanya Chundru <krishna.chundru(a)oss.qualcomm.com> Signed-off-by: Muhammad Usama Anjum <usama.anjum(a)collabora.com> --- Reported here: https://lore.kernel.org/all/ead32f5b-730a-4b81-b38f-93d822f990c6@collabora.… Still a lot of more fixes are required. Hence, I'm not adding closes tag. Changes since v1: - fix mhi_load_image_bhi() - Cc stable and fix tested on tag --- drivers/bus/mhi/host/boot.c | 25 +++++++++++++++---------- drivers/bus/mhi/host/init.c | 5 +++++ drivers/bus/mhi/host/internal.h | 2 ++ include/linux/mhi.h | 1 + 4 files changed, 23 insertions(+), 10 deletions(-) diff --git a/drivers/bus/mhi/host/boot.c b/drivers/bus/mhi/host/boot.c index b3a85aa3c4768..9fc983bc12d49 100644 --- a/drivers/bus/mhi/host/boot.c +++ b/drivers/bus/mhi/host/boot.c @@ -302,8 +302,8 @@ static int mhi_fw_load_bhi(struct mhi_controller *mhi_cntrl, return -EIO; } -static void mhi_free_bhi_buffer(struct mhi_controller *mhi_cntrl, - struct image_info *image_info) +void mhi_free_bhi_buffer(struct mhi_controller *mhi_cntrl, + struct image_info *image_info) { struct mhi_buf *mhi_buf = image_info->mhi_buf; @@ -455,18 +455,23 @@ static enum mhi_fw_load_type mhi_fw_load_type_get(const struct mhi_controller *m static int mhi_load_image_bhi(struct mhi_controller *mhi_cntrl, const u8 *fw_data, size_t size) { - struct image_info *image; + struct image_info **image = &mhi_cntrl->bhi_image; int ret; - ret = mhi_alloc_bhi_buffer(mhi_cntrl, &image, size); - if (ret) - return ret; + if (!(*image)) { + ret = mhi_alloc_bhi_buffer(mhi_cntrl, image, size); + if (ret) + return ret; - /* Load the firmware into BHI vec table */ - memcpy(image->mhi_buf->buf, fw_data, size); + /* Load the firmware into BHI vec table */ + memcpy((*image)->mhi_buf->buf, fw_data, size); + } - ret = mhi_fw_load_bhi(mhi_cntrl, &image->mhi_buf[image->entries - 1]); - mhi_free_bhi_buffer(mhi_cntrl, image); + ret = mhi_fw_load_bhi(mhi_cntrl, &(*image)->mhi_buf[(*image)->entries - 1]); + if (ret) { + mhi_free_bhi_buffer(mhi_cntrl, *image); + *image = NULL; + } return ret; } diff --git a/drivers/bus/mhi/host/init.c b/drivers/bus/mhi/host/init.c index 6e06e4efec765..2e0f18c939e68 100644 --- a/drivers/bus/mhi/host/init.c +++ b/drivers/bus/mhi/host/init.c @@ -1228,6 +1228,11 @@ void mhi_unprepare_after_power_down(struct mhi_controller *mhi_cntrl) mhi_cntrl->rddm_image = NULL; } + if (mhi_cntrl->bhi_image) { + mhi_free_bhi_buffer(mhi_cntrl, mhi_cntrl->bhi_image); + mhi_cntrl->bhi_image = NULL; + } + mhi_deinit_dev_ctxt(mhi_cntrl); } EXPORT_SYMBOL_GPL(mhi_unprepare_after_power_down); diff --git a/drivers/bus/mhi/host/internal.h b/drivers/bus/mhi/host/internal.h index 1054e67bb450d..60b0699323375 100644 --- a/drivers/bus/mhi/host/internal.h +++ b/drivers/bus/mhi/host/internal.h @@ -324,6 +324,8 @@ int mhi_alloc_bhie_table(struct mhi_controller *mhi_cntrl, struct image_info **image_info, size_t alloc_size); void mhi_free_bhie_table(struct mhi_controller *mhi_cntrl, struct image_info *image_info); +void mhi_free_bhi_buffer(struct mhi_controller *mhi_cntrl, + struct image_info *image_info); /* Power management APIs */ enum mhi_pm_state __must_check mhi_tryset_pm_state( diff --git a/include/linux/mhi.h b/include/linux/mhi.h index 4c567907933a5..593012f779d97 100644 --- a/include/linux/mhi.h +++ b/include/linux/mhi.h @@ -391,6 +391,7 @@ struct mhi_controller { size_t reg_len; struct image_info *fbc_image; struct image_info *rddm_image; + struct image_info *bhi_image; struct mhi_chan *mhi_chan; struct list_head lpm_chans; int *irq; -- 2.39.5

2 months

3
4
0 0

[PATCH v2 0/1] nvmet: pci-epf: Do not complete commands twice if nvmet_req_init() fails

by Rick Wertenbroek

Changes from v1 : - Updated comment for nvmet_pci_epf_queue_response() per Damien's suggestion. - Fixed typo in commit message. - Added 3 tags in commit message: Reviewed-by: Damien Le Moal <dlemoal(a)kernel.org> Fixes: 0faa0fe6f90e ("nvmet: New NVMe PCI endpoint function target driver") Cc: stable(a)vger.kernel.org Best regards, Rick Rick Wertenbroek (1): nvmet: pci-epf: Do not complete commands twice if nvmet_req_init() fails drivers/nvme/target/pci-epf.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) -- 2.25.1

2 months

4
4
0 0

[PATCH v2 1/1] arm64: dts: qcom: x1e80100-pmics: Disable pm8010 by default

by Aleksandrs Vinarskis

pm8010 is a camera specific PMIC, and may not be present on some devices. These may instead use a dedicated vreg for this purpose (Dell XPS 9345, Dell Inspiron..) or use USB webcam instead of a MIPI one alltogether (Lenovo Thinbook 16, Lenovo Yoga..). Disable pm8010 by default, let platforms that actually have one onboard enable it instead. Cc: <stable(a)vger.kernel.org> Fixes: 2559e61e7ef4 ("arm64: dts: qcom: x1e80100-pmics: Add the missing PMICs") Reviewed-by: Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> Reviewed-by: Johan Hovold <johan+linaro(a)kernel.org> Reviewed-by: Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> Signed-off-by: Aleksandrs Vinarskis <alex.vinarskis(a)gmail.com> --- arch/arm64/boot/dts/qcom/x1e80100-pmics.dtsi | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/arm64/boot/dts/qcom/x1e80100-pmics.dtsi b/arch/arm64/boot/dts/qcom/x1e80100-pmics.dtsi index e3888bc143a0..621890ada153 100644 --- a/arch/arm64/boot/dts/qcom/x1e80100-pmics.dtsi +++ b/arch/arm64/boot/dts/qcom/x1e80100-pmics.dtsi @@ -475,6 +475,8 @@ pm8010: pmic@c { #address-cells = <1>; #size-cells = <0>; + status = "disabled"; + pm8010_temp_alarm: temp-alarm@2400 { compatible = "qcom,spmi-temp-alarm"; reg = <0x2400>; -- 2.48.1

2 months

1
1
0 0

[PATCH v2] drm/sched: Remove optimization that causes hang when killing dependent jobs

by Lin.Cao

When application A submits jobs and application B submits a job with a dependency on A's fence, the normal flow wakes up the scheduler after processing each job. However, the optimization in drm_sched_entity_add_dependency_cb() uses a callback that only clears dependencies without waking up the scheduler. When application A is killed before its jobs can run, the callback gets triggered but only clears the dependency without waking up the scheduler, causing the scheduler to enter sleep state and application B to hang. Remove the optimization by deleting drm_sched_entity_clear_dep() and its usage, ensuring the scheduler is always woken up when dependencies are cleared. Fixes: 777dbd458c89 ("drm/amdgpu: drop a dummy wakeup scheduler") Cc: stable(a)vger.kernel.org # v4.6+ Signed-off-by: Lin.Cao <lincao12(a)amd.com> Reviewed-by: Christian König <christian.koenig(a)amd.com> --- drivers/gpu/drm/scheduler/sched_entity.c | 21 ++------------------- 1 file changed, 2 insertions(+), 19 deletions(-) diff --git a/drivers/gpu/drm/scheduler/sched_entity.c b/drivers/gpu/drm/scheduler/sched_entity.c index e671aa241720..ac678de7fe5e 100644 --- a/drivers/gpu/drm/scheduler/sched_entity.c +++ b/drivers/gpu/drm/scheduler/sched_entity.c @@ -355,17 +355,6 @@ void drm_sched_entity_destroy(struct drm_sched_entity *entity) } EXPORT_SYMBOL(drm_sched_entity_destroy); -/* drm_sched_entity_clear_dep - callback to clear the entities dependency */ -static void drm_sched_entity_clear_dep(struct dma_fence *f, - struct dma_fence_cb *cb) -{ - struct drm_sched_entity *entity = - container_of(cb, struct drm_sched_entity, cb); - - entity->dependency = NULL; - dma_fence_put(f); -} - /* * drm_sched_entity_wakeup - callback to clear the entity's dependency and * wake up the scheduler @@ -376,7 +365,8 @@ static void drm_sched_entity_wakeup(struct dma_fence *f, struct drm_sched_entity *entity = container_of(cb, struct drm_sched_entity, cb); - drm_sched_entity_clear_dep(f, cb); + entity->dependency = NULL; + dma_fence_put(f); drm_sched_wakeup(entity->rq->sched); } @@ -429,13 +419,6 @@ static bool drm_sched_entity_add_dependency_cb(struct drm_sched_entity *entity) fence = dma_fence_get(&s_fence->scheduled); dma_fence_put(entity->dependency); entity->dependency = fence; - if (!dma_fence_add_callback(fence, &entity->cb, - drm_sched_entity_clear_dep)) - return true; - - /* Ignore it when it is already scheduled */ - dma_fence_put(fence); - return false; } if (!dma_fence_add_callback(entity->dependency, &entity->cb, -- 2.46.1

2 months

2
1
0 0

[PATCH v4 2/9] vsock/virtio: Validate length in packet header before skb_put()

by Will Deacon

When receiving a vsock packet in the guest, only the virtqueue buffer size is validated prior to virtio_vsock_skb_rx_put(). Unfortunately, virtio_vsock_skb_rx_put() uses the length from the packet header as the length argument to skb_put(), potentially resulting in SKB overflow if the host has gone wonky. Validate the length as advertised by the packet header before calling virtio_vsock_skb_rx_put(). Cc: <stable(a)vger.kernel.org> Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff") Signed-off-by: Will Deacon <will(a)kernel.org> --- net/vmw_vsock/virtio_transport.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c index f0e48e6911fc..eb08a393413d 100644 --- a/net/vmw_vsock/virtio_transport.c +++ b/net/vmw_vsock/virtio_transport.c @@ -624,8 +624,9 @@ static void virtio_transport_rx_work(struct work_struct *work) do { virtqueue_disable_cb(vq); for (;;) { + unsigned int len, payload_len; + struct virtio_vsock_hdr *hdr; struct sk_buff *skb; - unsigned int len; if (!virtio_transport_more_replies(vsock)) { /* Stop rx until the device processes already @@ -642,12 +643,19 @@ static void virtio_transport_rx_work(struct work_struct *work) vsock->rx_buf_nr--; /* Drop short/long packets */ - if (unlikely(len < sizeof(struct virtio_vsock_hdr) || + if (unlikely(len < sizeof(*hdr) || len > virtio_vsock_skb_len(skb))) { kfree_skb(skb); continue; } + hdr = virtio_vsock_hdr(skb); + payload_len = le32_to_cpu(hdr->len); + if (unlikely(payload_len > len - sizeof(*hdr))) { + kfree_skb(skb); + continue; + } + virtio_vsock_skb_rx_put(skb); virtio_transport_deliver_tap_pkt(skb); virtio_transport_recv_pkt(&virtio_transport, skb); -- 2.50.0.727.gbf7dc18ff4-goog

2 months

2
1
0 0

[PATCH 5.10 000/209] 5.10.240-rc3 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.10.240 release. There are 209 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Jul 2025 16:35:35 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.240-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.10.240-rc3 Michael Jeanson <mjeanson(a)efficios.com> rseq: Fix segfault on registration when rseq_cs is non-zero Borislav Petkov <bp(a)kernel.org> x86/process: Move the buffer clearing before MONITOR Borislav Petkov <bp(a)kernel.org> KVM: SVM: Advertise TSA CPUID bits to guests Borislav Petkov <bp(a)kernel.org> KVM: x86: add support for CPUID leaf 0x80000021 Borislav Petkov <bp(a)kernel.org> x86/bugs: Add a Transient Scheduler Attacks mitigation Borislav Petkov <bp(a)kernel.org> x86/bugs: Rename MDS machinery to something more generic Jann Horn <jannh(a)google.com> x86/mm: Disable hugetlb page table sharing on 32-bit Dongli Zhang <dongli.zhang(a)oracle.com> vhost-scsi: protect vq->log_used with vq->mutex Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Zhang Heng <zhangheng(a)kylinos.cn> HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Nicolas Pitre <npitre(a)baylibre.com> vt: add missing notification when switching back to text mode Xiaowei Li <xiaowei.li(a)simcom.com> net: usb: qmi_wwan: add SIMCom 8230C composition Tiwei Bie <tiwei.btw(a)antgroup.com> um: vector: Reduce stack usage in vector_eth_configure() Thomas Fourier <fourier.thomas(a)gmail.com> atm: idt77252: Add missing `dma_map_error()` Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix DCB ETS validation Alok Tiwari <alok.a.tiwari(a)oracle.com> net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Sean Nyekjaer <sean(a)geanix.com> can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Oleksij Rempel <linux(a)rempel-privat.de> net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Kito Xu <veritas501(a)foxmail.com> net: appletalk: Fix device refcount leak in atrtr_create() Wang Jinchao <wangjinchao600(a)gmail.com> md/raid1: Fix stack memory use after return in raid1_reshape Daniil Dulov <d.dulov(a)aladdin.ru> wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Christian König <christian.koenig(a)amd.com> dma-buf: fix timeout handling in dma_resv_wait_timeout v2 Nilton Perim Neto <niltonperimneto(a)gmail.com> Input: xpad - support Acer NGR 200 Controller Vicki Pfau <vi(a)endrift.com> Input: xpad - add VID for Turtle Beach controllers Matt Reynolds <mattreynolds(a)chromium.org> Input: xpad - add support for Amazon Game Controller Jakub Kicinski <kuba(a)kernel.org> netlink: make sure we allow at least one dump skb Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix rmem check in netlink_broadcast_deliver(). Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Ensure to disable clocks in error path Alexandre Belloni <alexandre.belloni(a)bootlin.com> rtc: lib_test: add MODULE_LICENSE Thomas Fourier <fourier.thomas(a)gmail.com> ethernet: atl1: Add missing DMA mapping error checks and count errors Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: battery: negate current when discharging" Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: u_serial: Fix race condition in TTY wakeup Matthew Brost <matthew.brost(a)intel.com> drm/sched: Increment job count before swapping tail spsc queue Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: qcom: msm: mark certain pins as invalid for interrupts JP Kobryn <inwardvessel(a)gmail.com> x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Don't remove sysfs if thresholding sysfs init fails Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Fix threshold limit reset Peter Zijlstra <peterz(a)infradead.org> x86/its: FineIBT-paranoid vs ITS Eric Biggers <ebiggers(a)google.com> x86/its: Fix build errors when CONFIG_MODULES=n Peter Zijlstra <peterz(a)infradead.org> x86/its: Use dynamic thunks for indirect branches Thomas Gleixner <tglx(a)linutronix.de> x86/modules: Set VM_FLUSH_RESET_PERMS in module_alloc() Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add "vmexit" option to skip mitigation on some CPUs Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enable Indirect Target Selection mitigation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Fix undefined reference to cpu_wants_rethunk_at() Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe return thunk Josh Poimboeuf <jpoimboe(a)kernel.org> x86/alternatives: Remove faulty optimization Borislav Petkov (AMD) <bp(a)alien8.de> x86/alternative: Optimize returns patching Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe indirect thunk Peter Zijlstra <peterz(a)infradead.org> x86/alternatives: Teach text_poke_bp() to patch Jcc.d32 instructions Peter Zijlstra <peterz(a)infradead.org> x86/alternatives: Introduce int3_emulate_jcc() Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enumerate Indirect Target Selection (ITS) bug Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bhi: Define SPEC_CTRL_BHI_DIS_S Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Documentation: x86/bugs/its: Add ITS documentation David Howells <dhowells(a)redhat.com> rxrpc: Fix oops due to non-existence of prealloc backlog struct Oleg Nesterov <oleg(a)redhat.com> fs/proc: do_task_stat: use __for_each_thread() Victor Nogueira <victor(a)mojatatu.com> net/sched: Abort __tc_modify_qdisc if parent class does not exist Yue Haibing <yuehaibing(a)huawei.com> atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix infinite recursive call of clip_push(). Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix memory leak of struct clip_vcc. Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix potential null-ptr-deref in to_atmarpd(). Oleksij Rempel <linux(a)rempel-privat.de> net: phy: smsc: Fix link failure in forced mode with Auto-MDIX Oleksij Rempel <linux(a)rempel-privat.de> net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap Michal Luczaj <mhal(a)rbox.co> vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_* TOCTOU Andra Paraschiv <andraprs(a)amazon.com> af_vsock: Assign the vsock transport considering the vsock address flags Andra Paraschiv <andraprs(a)amazon.com> af_vsock: Set VMADDR_FLAG_TO_HOST flag on the receive path Andra Paraschiv <andraprs(a)amazon.com> vm_sockets: Add VMADDR_FLAG_TO_HOST vsock flag Andra Paraschiv <andraprs(a)amazon.com> vm_sockets: Add flags field in the vsock address data structure Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_{g2h,h2g} TOCTOU Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_conn_close(). Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix wraparounds of sk->sk_rmem_alloc. Al Viro <viro(a)zeniv.linux.org.uk> fix proc_sys_compare() handling of in-lookup dentries Peter Zijlstra <peterz(a)infradead.org> perf: Revert to requiring CAP_SYS_ADMIN for uprobes Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Nathan Chancellor <nathan(a)kernel.org> staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Rollback non processed entities on error Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Send control events for partial succeeds Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Return the number of processed controls Seiji Nishikawa <snishika(a)redhat.com> ACPI: PAD: fix crash in exit_round_robin() Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: displayport: Fix potential deadlock Oliver Neukum <oneukum(a)suse.com> Logitech C-270 even more broken Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: Flush queued requests before stopping dbc Łukasz Bartosik <ukaszb(a)chromium.org> xhci: dbctty: disable ECHO flag by default Fushuai Wang <wangfushuai(a)baidu.com> dpaa2-eth: fix xdp_rxq_info leak Ioana Ciornei <ioana.ciornei(a)nxp.com> net: dpaa2-eth: rearrange variable in dpaa2_eth_get_ethtool_stats Radu Bulie <radu-andrei.bulie(a)nxp.com> dpaa2-eth: Update SINGLE_STEP register access Radu Bulie <radu-andrei.bulie(a)nxp.com> dpaa2-eth: Update dpni_get_single_step_cfg command Ioana Ciornei <ioana.ciornei(a)nxp.com> dpaa2-eth: rename dpaa2_eth_xdp_release_buf into dpaa2_eth_recycle_buf Filipe Manana <fdmanana(a)suse.com> btrfs: use btrfs_record_snapshot_destroy() during rmdir Filipe Manana <fdmanana(a)suse.com> btrfs: propagate last_unlink_trans earlier when doing a rmdir Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4/flexfiles: Fix handling of NFS level errors in I/O Tigran Mkrtchyan <tigran.mkrtchyan(a)desy.de> flexfiles/pNFS: update stats on NFS4ERR_DELAY for v4.1 DSes Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix vport loopback for MPV device Maíra Canal <mcanal(a)igalia.com> drm/v3d: Disable interrupts before resetting the GPU Sergey Senozhatsky <senozhatsky(a)chromium.org> mtk-sd: reset host->mrq on prepare_data() error Masami Hiramatsu (Google) <mhiramat(a)kernel.org> mtk-sd: Prevent memory corruption from DMA map failure Yue Hu <huyue2(a)yulong.com> mmc: mediatek: use data instead of mrq parameter from msdc_{un}prepare_data() Manivannan Sadhasivam <mani(a)kernel.org> regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods Uladzislau Rezki (Sony) <urezki(a)gmail.com> rcu: Return early if callback is not specified Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> ACPICA: Refuse to evaluate a method if arguments are missing Johannes Berg <johannes.berg(a)intel.com> wifi: ath6kl: remove WARN on bad firmware input Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: drop invalid source address OCB frames Maurizio Lombardi <mlombard(a)redhat.com> scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() Madhavan Srinivasan <maddy(a)linux.ibm.com> powerpc: Fix struct termio related ioctl macros Johannes Berg <johannes.berg(a)intel.com> ata: pata_cs5536: fix build on 32-bit UML Takashi Iwai <tiwai(a)suse.de> ALSA: sb: Force to disable DMAs once when DMA mode is changed Lion Ackermann <nnamrec(a)gmail.com> net/sched: Always pass notifications when child class becomes empty Thomas Fourier <fourier.thomas(a)gmail.com> nui: Fix dma_mapping_error() check Kohei Enju <enjuk(a)amazon.com> rose: fix dangling neighbour pointers in rose_rt_device_down() Gustavo A. R. Silva <gustavoars(a)kernel.org> net: rose: Fix fall-through warnings for Clang Alok Tiwari <alok.a.tiwari(a)oracle.com> enic: fix incorrect MTU comparison in enic_change_mtu() Raju Rangoju <Raju.Rangoju(a)amd.com> amd-xgbe: align CL37 AN sequence as per databook Dan Carpenter <dan.carpenter(a)linaro.org> lib: test_objagg: Set error message in check_expect_hints_stats() Janusz Krzysztofik <janusz.krzysztofik(a)linux.intel.com> drm/i915/gt: Fix timeline left held on VMA alloc error Dan Carpenter <dan.carpenter(a)linaro.org> drm/i915/selftests: Change mock_request() to return error pointers James Clark <james.clark(a)linaro.org> spi: spi-fsl-dspi: Clear completion counter before initiating transfer Marek Szyprowski <m.szyprowski(a)samsung.com> drm/exynos: fimd: Guard display clock control with runtime PM calls Filipe Manana <fdmanana(a)suse.com> btrfs: fix missing error handling when searching for inode refs during log replay Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix CC counters query for MPV Bart Van Assche <bvanassche(a)acm.org> scsi: ufs: core: Fix spelling of a sysfs attribute name Thomas Fourier <fourier.thomas(a)gmail.com> scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() Thomas Fourier <fourier.thomas(a)gmail.com> scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database() Benjamin Coddington <bcodding(a)redhat.com> NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN Kuniyuki Iwashima <kuniyu(a)google.com> nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails. Mark Zhang <markzhang(a)nvidia.com> RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert David Thompson <davthompson(a)nvidia.com> platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment Masami Hiramatsu (Google) <mhiramat(a)kernel.org> mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data RD Babiera <rdbabiera(a)google.com> usb: typec: altmodes/displayport: do not index invalid pin_assignments Ulf Hansson <ulf.hansson(a)linaro.org> Revert "mmc: sdhci: Disable SD card clock before changing parameters" Victor Shih <victor.shih(a)genesyslogic.com.tw> mmc: sdhci: Add a helper function for dump register in dynamic debug mode HarshaVardhana S A <harshavardhana.sa(a)broadcom.com> vsock/vmci: Clear the vmci transport packet properly when initializing it Mateusz Jończyk <mat.jonczyk(a)o2.pl> rtc: cmos: use spin_lock_irqsave in cmos_interrupt Dev Jain <dev.jain(a)arm.com> arm64: Restrict pagetable teardown to avoid false warning Brett A C Sheffield (Librecast) <bacs(a)librecast.net> Revert "ipv6: save dontfrag in cork" Nathan Chancellor <nathan(a)kernel.org> s390: Add '-std=gnu11' to decompressor and purgatory CFLAGS Dexuan Cui <decui(a)microsoft.com> PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Check return value when getting default PHY config Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix connecting to next bridge Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() Jay Cornwall <jay.cornwall(a)amd.com> drm/amdkfd: Fix race in GWS queue scheduling Thomas Zimmermann <tzimmermann(a)suse.de> drm/udl: Unregister device before cleaning up on disconnect Qiu-ji Chen <chenqiuji666(a)gmail.com> drm/tegra: Fix a possible null pointer dereference Thierry Reding <treding(a)nvidia.com> drm/tegra: Assign plane type before registration Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix kobject reference count leak Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix memory leak on sysfs attribute creation failure Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix memory leak on kobject creation failure Mark Harmstone <maharmstone(a)fb.com> btrfs: update superblock's device bytes_used when dropping chunk Heinz Mauelshagen <heinzm(a)redhat.com> dm-raid: fix variable in journal device check Frédéric Danis <frederic.danis(a)collabora.com> Bluetooth: L2CAP: Fix L2CAP MTU negotiation Yao Zi <ziyao(a)disroot.org> dt-bindings: serial: 8250: Make clocks and clock-frequency exclusive Kuniyuki Iwashima <kuniyu(a)google.com> atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). Simon Horman <horms(a)kernel.org> net: enetc: Correct endianness handling in _enetc_rd_reg64 Tiwei Bie <tiwei.btw(a)antgroup.com> um: ubd: Add missing error check in start_io_thread() Stefano Garzarella <sgarzare(a)redhat.com> vsock/uapi: fix linux/vm_sockets.h userspace compilation errors Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: fix beacon interval calculation overflow Yuan Chen <chenyuan(a)kylinos.cn> libbpf: Fix null pointer dereference in btf_dump__free on allocation failure Al Viro <viro(a)zeniv.linux.org.uk> attach_recursive_mnt(): do not lock the covering tree when sliding something under it Youngjun Lee <yjjuny.lee(a)samsung.com> ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() Eric Dumazet <edumazet(a)google.com> atm: clip: prevent NULL deref in clip_push() Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: robotfuzz-osif: disable zero-length read messages Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: tiny-usb: disable zero-length read messages Eric Dumazet <edumazet(a)google.com> net_sched: sch_sfq: reject invalid perturb period Niklas Cassel <cassel(a)kernel.org> PCI: cadence-ep: Correct PBA offset in .set_msix() callback Long Li <longli(a)microsoft.com> uio_hv_generic: Align ring size to system page Saurabh Sengar <ssengar(a)linux.microsoft.com> uio_hv_generic: Query the ringbuffer size for device Saurabh Sengar <ssengar(a)linux.microsoft.com> Drivers: hv: vmbus: Add utility function for querying ring size Vitaly Kuznetsov <vkuznets(a)redhat.com> Drivers: hv: Rename 'alloced' to 'allocated' Haiyang Zhang <haiyangz(a)microsoft.com> Drivers: hv: vmbus: Fix duplicate CPU assignments within a device Alexandru Ardelean <alexandru.ardelean(a)analog.com> uio: uio_hv_generic: use devm_kzalloc() for private data alloc Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction Weihang Li <liweihang(a)huawei.com> RDMA/core: Use refcount_t instead of atomic_t on refcount of iwcm_id_private Chao Yu <chao(a)kernel.org> f2fs: don't over-report free space or inodes in statvfs Brett Werling <brett.werling(a)garmin.com> can: tcan4x5x: fix power regulator retrieval during probe Marek Szyprowski <m.szyprowski(a)samsung.com> media: omap3isp: use sgtable-based scatterlist wrappers Vasiliy Kovalev <kovalev(a)altlinux.org> jfs: validate AG parameters in dbMount() to prevent crashes Dave Kleikamp <dave.kleikamp(a)oracle.com> fs/jfs: consolidate sanity checking in dbMount Amit Sunil Dhamne <amitsd(a)google.com> usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx() Junlin Yang <yangjunlin(a)yulong.com> usb: typec: tcpci_maxim: add terminating newlines to logging Junlin Yang <yangjunlin(a)yulong.com> usb: typec: tcpci_maxim: remove redundant assignment Badhri Jagan Sridharan <badhri(a)google.com> usb: typec: tcpci_maxim: Fix uninitialized return variable Wupeng Ma <mawupeng1(a)huawei.com> VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify George Kennedy <george.kennedy(a)oracle.com> VMCI: check context->notify_page after call to get_user_pages_fast() to avoid GPF Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix read_stb function and get_stb ioctl Dave Penkler <dpenkler(a)gmail.com> USB: usbtmc: Add USBTMC_IOCTL_GET_STB Dave Penkler <dpenkler(a)gmail.com> USB: usbtmc: Fix reading stale status byte Kees Cook <kees(a)kernel.org> ovl: Check for NULL d_inode() in ovl_dentry_upper() Dmitry Kandybka <d.kandybka(a)gmail.com> ceph: fix possible integer overflow in ceph_zero_objects() Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> ALSA: hda: Add new pci id for AMD GPU display HD audio controller Cezary Rojewski <cezary.rojewski(a)intel.com> ALSA: hda: Ignore unsol events for cards being shut down Jos Wang <joswang(a)lenovo.com> usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode Robert Hodaszi <robert.hodaszi(a)digi.com> usb: cdc-wdm: avoid setting WDM_READ for ZLP-s Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> usb: Add checks for snprintf() calls in usb_alloc_dev() Chance Yang <chance.yang(a)kneron.us> usb: common: usb-conn-gpio: use a unique name for usb connector device Chen Yufeng <chenyufeng(a)iie.ac.cn> usb: potential integer overflow in usbg_make_tpg() Sami Tolvanen <samitolvanen(a)google.com> um: Add cmpxchg8b_emu and checksum functions to asm-prototypes.h Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: pressure: zpa2326: Use aligned_s64 for the timestamp Linggang Zeng <linggang.zeng(a)easystack.cn> bcache: fix NULL pointer in cache_set_flush() Yu Kuai <yukuai3(a)huawei.com> md/md-bitmap: fix dm-raid max_write_behind setting Thomas Gessler <thomas.gessler(a)brueckmann-gmbh.de> dmaengine: xilinx_dma: Set dma_device directions Alexis Czezar Torreno <alexisczezar.torreno(a)analog.com> hwmon: (pmbus/max34440) Fix support for max34451 Sven Schwermer <sven.schwermer(a)disruptive-technologies.com> leds: multicolor: Fix intensity setting while SW blinking Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> mfd: max14577: Fix wakeup source leaks on device unbind Peng Fan <peng.fan(a)nxp.com> mailbox: Not protect module_put with spin_lock_irqsave Olga Kornievskaia <okorniev(a)redhat.com> NFSv4.2: fix listxattr to return selinux security label Pali Rohár <pali(a)kernel.org> cifs: Fix cifs_query_path_info() for Windows NT servers ------------- Diffstat: Documentation/ABI/testing/sysfs-devices-system-cpu | 2 + Documentation/ABI/testing/sysfs-driver-ufs | 2 +- Documentation/admin-guide/hw-vuln/index.rst | 1 + .../hw-vuln/indirect-target-selection.rst | 156 +++++++++++ .../hw-vuln/processor_mmio_stale_data.rst | 4 +- Documentation/admin-guide/kernel-parameters.txt | 28 ++ Documentation/devicetree/bindings/serial/8250.yaml | 2 +- Makefile | 4 +- arch/arm64/mm/mmu.c | 3 +- arch/powerpc/include/uapi/asm/ioctls.h | 8 +- arch/s390/Makefile | 2 +- arch/s390/purgatory/Makefile | 2 +- arch/um/drivers/ubd_user.c | 2 +- arch/um/drivers/vector_kern.c | 42 +-- arch/um/include/asm/asm-prototypes.h | 5 + arch/x86/Kconfig | 22 +- arch/x86/entry/entry.S | 8 +- arch/x86/include/asm/alternative.h | 26 ++ arch/x86/include/asm/cpu.h | 13 + arch/x86/include/asm/cpufeature.h | 5 +- arch/x86/include/asm/cpufeatures.h | 14 +- arch/x86/include/asm/disabled-features.h | 2 +- arch/x86/include/asm/irqflags.h | 4 +- arch/x86/include/asm/msr-index.h | 13 +- arch/x86/include/asm/mwait.h | 19 +- arch/x86/include/asm/nospec-branch.h | 50 ++-- arch/x86/include/asm/required-features.h | 2 +- arch/x86/include/asm/text-patching.h | 31 +++ arch/x86/kernel/alternative.c | 308 ++++++++++++++++++++- arch/x86/kernel/cpu/amd.c | 58 ++++ arch/x86/kernel/cpu/bugs.c | 272 +++++++++++++++++- arch/x86/kernel/cpu/common.c | 77 +++++- arch/x86/kernel/cpu/mce/amd.c | 15 +- arch/x86/kernel/cpu/mce/core.c | 8 +- arch/x86/kernel/cpu/mce/intel.c | 1 + arch/x86/kernel/cpu/scattered.c | 1 + arch/x86/kernel/ftrace.c | 4 +- arch/x86/kernel/kprobes/core.c | 39 +-- arch/x86/kernel/module.c | 14 +- arch/x86/kernel/process.c | 15 +- arch/x86/kernel/static_call.c | 2 +- arch/x86/kernel/vmlinux.lds.S | 8 + arch/x86/kvm/cpuid.c | 31 ++- arch/x86/kvm/cpuid.h | 1 + arch/x86/kvm/svm/vmenter.S | 3 + arch/x86/kvm/vmx/vmx.c | 2 +- arch/x86/kvm/x86.c | 4 +- arch/x86/lib/retpoline.S | 39 +++ arch/x86/net/bpf_jit_comp.c | 8 +- arch/x86/um/asm/checksum.h | 3 + drivers/acpi/acpi_pad.c | 7 +- drivers/acpi/acpica/dsmethod.c | 7 + drivers/acpi/battery.c | 19 +- drivers/ata/pata_cs5536.c | 2 +- drivers/atm/idt77252.c | 5 + drivers/base/cpu.c | 15 + drivers/dma-buf/dma-resv.c | 2 +- drivers/dma/xilinx/xilinx_dma.c | 2 + drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c | 2 +- drivers/gpu/drm/bridge/cdns-dsi.c | 27 +- drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 + drivers/gpu/drm/exynos/exynos_drm_fimd.c | 12 + drivers/gpu/drm/i915/gt/intel_ring_submission.c | 3 +- drivers/gpu/drm/i915/selftests/i915_request.c | 20 +- drivers/gpu/drm/i915/selftests/mock_request.c | 2 +- drivers/gpu/drm/tegra/dc.c | 17 +- drivers/gpu/drm/tegra/hub.c | 4 +- drivers/gpu/drm/tegra/hub.h | 3 +- drivers/gpu/drm/udl/udl_drv.c | 2 +- drivers/gpu/drm/v3d/v3d_drv.h | 7 + drivers/gpu/drm/v3d/v3d_gem.c | 2 + drivers/gpu/drm/v3d/v3d_irq.c | 38 ++- drivers/hid/hid-ids.h | 5 + drivers/hid/hid-quirks.c | 3 + drivers/hid/wacom_sys.c | 6 +- drivers/hv/channel_mgmt.c | 121 +++++--- drivers/hv/hyperv_vmbus.h | 19 +- drivers/hv/vmbus_drv.c | 2 +- drivers/hwmon/pmbus/max34440.c | 48 +++- drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 + drivers/i2c/busses/i2c-tiny-usb.c | 6 + drivers/iio/pressure/zpa2326.c | 2 +- drivers/infiniband/core/iwcm.c | 38 +-- drivers/infiniband/core/iwcm.h | 2 +- drivers/infiniband/hw/mlx5/counters.c | 2 +- drivers/infiniband/hw/mlx5/devx.c | 2 +- drivers/infiniband/hw/mlx5/main.c | 33 +++ drivers/input/joystick/xpad.c | 5 + drivers/input/keyboard/atkbd.c | 3 +- drivers/leds/led-class-multicolor.c | 3 +- drivers/mailbox/mailbox.c | 2 +- drivers/md/bcache/super.c | 7 +- drivers/md/dm-raid.c | 2 +- drivers/md/md-bitmap.c | 2 +- drivers/md/raid1.c | 1 + drivers/media/platform/omap3isp/ispccdc.c | 8 +- drivers/media/platform/omap3isp/ispstat.c | 6 +- drivers/media/usb/uvc/uvc_ctrl.c | 61 ++-- drivers/mfd/max14577.c | 1 + drivers/misc/vmw_vmci/vmci_host.c | 9 +- drivers/mmc/host/mtk-sd.c | 39 ++- drivers/mmc/host/sdhci.c | 9 +- drivers/mmc/host/sdhci.h | 16 ++ drivers/net/can/m_can/m_can.c | 2 +- drivers/net/can/m_can/tcan4x5x.c | 9 +- drivers/net/ethernet/amd/xgbe/xgbe-common.h | 2 + drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 9 + drivers/net/ethernet/amd/xgbe/xgbe.h | 4 +- drivers/net/ethernet/atheros/atlx/atl1.c | 78 ++++-- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- drivers/net/ethernet/cisco/enic/enic_main.c | 4 +- drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 141 ++++++++-- drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.h | 20 +- .../net/ethernet/freescale/dpaa2/dpaa2-ethtool.c | 18 +- drivers/net/ethernet/freescale/dpaa2/dpni-cmd.h | 6 +- drivers/net/ethernet/freescale/dpaa2/dpni.c | 2 + drivers/net/ethernet/freescale/dpaa2/dpni.h | 6 + drivers/net/ethernet/freescale/enetc/enetc_hw.h | 2 +- drivers/net/ethernet/sun/niu.c | 31 ++- drivers/net/ethernet/sun/niu.h | 4 + drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +- drivers/net/phy/microchip.c | 2 +- drivers/net/phy/smsc.c | 28 +- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/wireless/ath/ath6kl/bmi.c | 4 +- drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +- drivers/pci/controller/cadence/pcie-cadence-ep.c | 5 +- drivers/pci/controller/pci-hyperv.c | 17 +- drivers/pinctrl/qcom/pinctrl-msm.c | 20 ++ drivers/platform/mellanox/mlxbf-tmfifo.c | 3 +- drivers/pwm/pwm-mediatek.c | 15 +- drivers/regulator/gpio-regulator.c | 4 +- drivers/rtc/lib_test.c | 2 + drivers/rtc/rtc-cmos.c | 10 +- drivers/scsi/qla2xxx/qla_mbx.c | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 2 + drivers/scsi/ufs/ufs-sysfs.c | 4 +- drivers/spi/spi-fsl-dspi.c | 11 +- drivers/staging/rtl8723bs/core/rtw_security.c | 46 +-- drivers/target/target_core_pr.c | 4 +- drivers/tty/vt/vt.c | 1 + drivers/uio/uio_hv_generic.c | 18 +- drivers/usb/class/cdc-wdm.c | 23 +- drivers/usb/class/usbtmc.c | 53 ++-- drivers/usb/common/usb-conn-gpio.c | 25 +- drivers/usb/core/quirks.c | 3 +- drivers/usb/core/usb.c | 14 +- drivers/usb/gadget/function/f_tcm.c | 4 +- drivers/usb/gadget/function/u_serial.c | 6 +- drivers/usb/host/xhci-dbgcap.c | 4 + drivers/usb/host/xhci-dbgtty.c | 1 + drivers/usb/typec/altmodes/displayport.c | 5 +- drivers/usb/typec/tcpm/tcpci_maxim.c | 20 +- drivers/vhost/scsi.c | 7 +- fs/btrfs/inode.c | 36 +-- fs/btrfs/tree-log.c | 4 +- fs/btrfs/volumes.c | 6 + fs/ceph/file.c | 2 +- fs/cifs/misc.c | 8 + fs/f2fs/super.c | 30 +- fs/jfs/jfs_dmap.c | 41 +-- fs/namespace.c | 8 +- fs/nfs/flexfilelayout/flexfilelayout.c | 121 +++++--- fs/nfs/inode.c | 17 +- fs/nfs/nfs4proc.c | 12 +- fs/nfs/pnfs.c | 4 +- fs/overlayfs/util.c | 4 +- fs/proc/array.c | 6 +- fs/proc/inode.c | 2 +- fs/proc/proc_sysctl.c | 18 +- include/drm/spsc_queue.h | 4 +- include/linux/cpu.h | 3 + include/linux/hyperv.h | 2 + include/linux/ipv6.h | 1 - include/linux/module.h | 5 + include/linux/usb/typec_dp.h | 1 + include/uapi/linux/usb/tmc.h | 2 + include/uapi/linux/vm_sockets.h | 30 +- kernel/events/core.c | 2 +- kernel/rcu/tree.c | 4 + kernel/rseq.c | 60 +++- lib/test_objagg.c | 4 +- net/appletalk/ddp.c | 1 + net/atm/clip.c | 75 +++-- net/atm/resources.c | 3 +- net/bluetooth/l2cap_core.c | 9 +- net/ipv6/ip6_output.c | 9 +- net/mac80211/rx.c | 4 + net/mac80211/util.c | 2 +- net/netlink/af_netlink.c | 90 +++--- net/rose/rose_route.c | 15 +- net/rxrpc/call_accept.c | 3 + net/sched/sch_api.c | 42 +-- net/sched/sch_sfq.c | 10 +- net/tipc/topsrv.c | 2 + net/vmw_vsock/af_vsock.c | 78 +++++- net/vmw_vsock/vmci_transport.c | 4 +- sound/isa/sb/sb16_main.c | 4 + sound/pci/hda/hda_bind.c | 2 +- sound/pci/hda/hda_intel.c | 3 + sound/soc/fsl/fsl_asrc.c | 3 +- sound/usb/stream.c | 2 + tools/lib/bpf/btf_dump.c | 3 + 204 files changed, 2750 insertions(+), 821 deletions(-)

2 months

8
7
0 0

[PATCH v2] wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again

by Muhammad Usama Anjum

Don't deinitialize and reinitialize the HAL helpers. The dma memory is deallocated and there is high possibility that we'll not be able to get the same memory allocated from dma when there is high memory pressure. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03926.13-QCAHSPSWPL_V2_SILICONZ_CE-2.52297.6 Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") Cc: stable(a)vger.kernel.org Cc: Baochen Qiang <baochen.qiang(a)oss.qualcomm.com> Signed-off-by: Muhammad Usama Anjum <usama.anjum(a)collabora.com> --- Changes since v1: - Cc stable and fix tested on tag - Clear essential fields as they may have stale data --- drivers/net/wireless/ath/ath11k/core.c | 6 +----- drivers/net/wireless/ath/ath11k/hal.c | 12 ++++++++++++ drivers/net/wireless/ath/ath11k/hal.h | 1 + 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c index 4488e4cdc5e9e..34b27711ed00f 100644 --- a/drivers/net/wireless/ath/ath11k/core.c +++ b/drivers/net/wireless/ath/ath11k/core.c @@ -2213,14 +2213,10 @@ static int ath11k_core_reconfigure_on_crash(struct ath11k_base *ab) mutex_unlock(&ab->core_lock); ath11k_dp_free(ab); - ath11k_hal_srng_deinit(ab); + ath11k_hal_srng_clear(ab); ab->free_vdev_map = (1LL << (ab->num_radios * TARGET_NUM_VDEVS(ab))) - 1; - ret = ath11k_hal_srng_init(ab); - if (ret) - return ret; - clear_bit(ATH11K_FLAG_CRASH_FLUSH, &ab->dev_flags); ret = ath11k_core_qmi_firmware_ready(ab); diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c index b32de563d453a..dafa9bdbb3d32 100644 --- a/drivers/net/wireless/ath/ath11k/hal.c +++ b/drivers/net/wireless/ath/ath11k/hal.c @@ -1359,6 +1359,18 @@ void ath11k_hal_srng_deinit(struct ath11k_base *ab) } EXPORT_SYMBOL(ath11k_hal_srng_deinit); +void ath11k_hal_srng_clear(struct ath11k_base *ab) +{ + memset(ab->hal.srng_list, 0, + sizeof(ab->hal.srng_list)); + memset(ab->hal.shadow_reg_addr, 0, + sizeof(ab->hal.shadow_reg_addr)); + ab->hal.avail_blk_resource = 0; + ab->hal.current_blk_index = 0; + ab->hal.num_shadow_reg_configured = 0; +} +EXPORT_SYMBOL(ath11k_hal_srng_clear); + void ath11k_hal_dump_srng_stats(struct ath11k_base *ab) { struct hal_srng *srng; diff --git a/drivers/net/wireless/ath/ath11k/hal.h b/drivers/net/wireless/ath/ath11k/hal.h index 601542410c752..839095af9267e 100644 --- a/drivers/net/wireless/ath/ath11k/hal.h +++ b/drivers/net/wireless/ath/ath11k/hal.h @@ -965,6 +965,7 @@ int ath11k_hal_srng_setup(struct ath11k_base *ab, enum hal_ring_type type, struct hal_srng_params *params); int ath11k_hal_srng_init(struct ath11k_base *ath11k); void ath11k_hal_srng_deinit(struct ath11k_base *ath11k); +void ath11k_hal_srng_clear(struct ath11k_base *ab); void ath11k_hal_dump_srng_stats(struct ath11k_base *ab); void ath11k_hal_srng_get_shadow_config(struct ath11k_base *ab, u32 **cfg, u32 *len); -- 2.39.5

2 months

2
2
0 0

[PATCH v4 1/9] vhost/vsock: Avoid allocating arbitrarily-sized SKBs

by Will Deacon

vhost_vsock_alloc_skb() returns NULL for packets advertising a length larger than VIRTIO_VSOCK_MAX_PKT_BUF_SIZE in the packet header. However, this is only checked once the SKB has been allocated and, if the length in the packet header is zero, the SKB may not be freed immediately. Hoist the size check before the SKB allocation so that an iovec larger than VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + the header size is rejected outright. The subsequent check on the length field in the header can then simply check that the allocated SKB is indeed large enough to hold the packet. Cc: <stable(a)vger.kernel.org> Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff") Reviewed-by: Stefano Garzarella <sgarzare(a)redhat.com> Signed-off-by: Will Deacon <will(a)kernel.org> --- drivers/vhost/vsock.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c index 802153e23073..66a0f060770e 100644 --- a/drivers/vhost/vsock.c +++ b/drivers/vhost/vsock.c @@ -344,6 +344,9 @@ vhost_vsock_alloc_skb(struct vhost_virtqueue *vq, len = iov_length(vq->iov, out); + if (len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + VIRTIO_VSOCK_SKB_HEADROOM) + return NULL; + /* len contains both payload and hdr */ skb = virtio_vsock_alloc_skb(len, GFP_KERNEL); if (!skb) @@ -367,8 +370,7 @@ vhost_vsock_alloc_skb(struct vhost_virtqueue *vq, return skb; /* The pkt is too big or the length in the header is invalid */ - if (payload_len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE || - payload_len + sizeof(*hdr) > len) { + if (payload_len + sizeof(*hdr) > len) { kfree_skb(skb); return NULL; } -- 2.50.0.727.gbf7dc18ff4-goog

2 months

3
2
0 0

[PATCH 6.1 00/89] 6.1.146-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.146 release. There are 89 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Jul 2025 16:35:20 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.146-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.146-rc2 Michael Jeanson <mjeanson(a)efficios.com> rseq: Fix segfault on registration when rseq_cs is non-zero Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix potential use-after-free in oplock/lease break ack Yeoreum Yun <yeoreum.yun(a)arm.com> kasan: remove kasan_find_vm_area() to prevent possible deadlock Jack Wang <jinpu.wang(a)ionos.com> x86: Fix X86_FEATURE_VERW_CLEAR definition Jann Horn <jannh(a)google.com> x86/mm: Disable hugetlb page table sharing on 32-bit Dongli Zhang <dongli.zhang(a)oracle.com> vhost-scsi: protect vq->log_used with vq->mutex Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Zhang Heng <zhangheng(a)kylinos.cn> HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Nicolas Pitre <npitre(a)baylibre.com> vt: add missing notification when switching back to text mode Filipe Manana <fdmanana(a)suse.com> btrfs: fix assertion when building free space tree Akira Inoue <niyarium(a)gmail.com> HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Xiaowei Li <xiaowei.li(a)simcom.com> net: usb: qmi_wwan: add SIMCom 8230C composition Yasmin Fitzgerald <sunoflife1.git(a)gmail.com> ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 Yuzuru10 <yuzuru_10(a)proton.me> ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic Tiwei Bie <tiwei.btw(a)antgroup.com> um: vector: Reduce stack usage in vector_eth_configure() Thomas Fourier <fourier.thomas(a)gmail.com> atm: idt77252: Add missing `dma_map_error()` Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix DCB ETS validation Alok Tiwari <alok.a.tiwari(a)oracle.com> net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Sean Nyekjaer <sean(a)geanix.com> can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Oleksij Rempel <linux(a)rempel-privat.de> net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Mingming Cao <mmc(a)linux.ibm.com> ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof Kito Xu <veritas501(a)foxmail.com> net: appletalk: Fix device refcount leak in atrtr_create() Eric Dumazet <edumazet(a)google.com> netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() Chao Yu <chao(a)kernel.org> erofs: fix to add missing tracepoint in erofs_read_folio() Gao Xiang <xiang(a)kernel.org> erofs: adapt folios for z_erofs_read_folio() Gao Xiang <xiang(a)kernel.org> erofs: avoid on-stack pagepool directly passed by arguments Gao Xiang <xiang(a)kernel.org> erofs: allocate extra bvec pages directly instead of retrying Yue Hu <huyue2(a)coolpad.com> erofs: clean up z_erofs_pcluster_readmore() Yue Hu <huyue2(a)coolpad.com> erofs: remove the member readahead from struct z_erofs_decompress_frontend Zheng Qixing <zhengqixing(a)huawei.com> nbd: fix uaf in nbd_genl_connect() error path Nigel Croxon <ncroxon(a)redhat.com> raid10: cleanup memleak at raid10_make_request Wang Jinchao <wangjinchao600(a)gmail.com> md/raid1: Fix stack memory use after return in raid1_reshape Mikko Perttunen <mperttunen(a)nvidia.com> drm/tegra: nvdec: Fix dma_alloc_coherent error check Daniil Dulov <d.dulov(a)aladdin.ru> wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Zhang Rui <rui.zhang(a)intel.com> platform/x86: think-lmi: Fix sysfs group cleanup Kuen-Han Tsai <khtsai(a)google.com> usb: dwc3: Abort suspend on soft disconnect failure Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: Fix issue with CV Bad Descriptor test Lee Jones <lee(a)kernel.org> usb: cdnsp: Replace snprintf() with the safer scnprintf() variant Pawel Laszczak <pawell(a)cadence.com> usb:cdnsp: remove TRB_FLUSH_ENDPOINT command Nilton Perim Neto <niltonperimneto(a)gmail.com> Input: xpad - support Acer NGR 200 Controller Raju Rangoju <Raju.Rangoju(a)amd.com> usb: xhci: quirk for data loss in ISOC transfers Basavaraj Natikar <Basavaraj.Natikar(a)amd.com> xhci: Allow RPM on the USB controller (1022:43f7) by default Filipe Manana <fdmanana(a)suse.com> btrfs: propagate last_unlink_trans earlier when doing a rmdir Shivank Garg <shivankg(a)amd.com> fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass Jakub Kicinski <kuba(a)kernel.org> netlink: make sure we allow at least one dump skb Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix rmem check in netlink_broadcast_deliver(). Al Viro <viro(a)zeniv.linux.org.uk> ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Stefan Metzmacher <metze(a)samba.org> smb: server: make use of rdma_destroy_qp() Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Ensure to disable clocks in error path Wei Yang <richard.weiyang(a)gmail.com> maple_tree: fix mt_destroy_walk() on root leaf node Achill Gilgenast <fossdd(a)pwned.life> kallsyms: fix build without execinfo Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: battery: negate current when discharging" Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: u_serial: Fix race condition in TTY wakeup Simona Vetter <simona.vetter(a)ffwll.ch> drm/gem: Fix race in drm_gem_handle_create_tail() Christian König <christian.koenig(a)amd.com> drm/ttm: fix error handling in ttm_buffer_object_transfer Matthew Brost <matthew.brost(a)intel.com> drm/sched: Increment job count before swapping tail spsc queue Mathy Vanhoef <Mathy.Vanhoef(a)kuleuven.be> wifi: prevent A-MSDU attacks in mesh networks Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: qcom: msm: mark certain pins as invalid for interrupts Håkon Bugge <haakon.bugge(a)oracle.com> md/md-bitmap: fix GPF in bitmap_get_stats() Guillaume Nault <gnault(a)redhat.com> gre: Fix IPv6 multicast route creation. Sean Christopherson <seanjc(a)google.com> KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight David Woodhouse <dwmw(a)amazon.co.uk> KVM: x86/xen: Allow 'out of range' event channel ports in IRQ routing table. JP Kobryn <inwardvessel(a)gmail.com> x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Don't remove sysfs if thresholding sysfs init fails Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Fix threshold limit reset Dan Carpenter <dan.carpenter(a)linaro.org> ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() Alexey Dobriyan <adobriyan(a)gmail.com> x86/boot: Compile boot code with -std=gnu11 too David Howells <dhowells(a)redhat.com> rxrpc: Fix oops due to non-existence of prealloc backlog struct Liam R. Howlett <Liam.Howlett(a)oracle.com> maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() Victor Nogueira <victor(a)mojatatu.com> net/sched: Abort __tc_modify_qdisc if parent class does not exist Yue Haibing <yuehaibing(a)huawei.com> atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix infinite recursive call of clip_push(). Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix memory leak of struct clip_vcc. Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix potential null-ptr-deref in to_atmarpd(). Oleksij Rempel <linux(a)rempel-privat.de> net: phy: smsc: Fix link failure in forced mode with Auto-MDIX Oleksij Rempel <linux(a)rempel-privat.de> net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap Michal Luczaj <mhal(a)rbox.co> vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_* TOCTOU Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_{g2h,h2g} TOCTOU Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_conn_close(). Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix wraparounds of sk->sk_rmem_alloc. Al Viro <viro(a)zeniv.linux.org.uk> fix proc_sys_compare() handling of in-lookup dentries Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix not disabling advertising instance Peter Zijlstra <peterz(a)infradead.org> perf: Revert to requiring CAP_SYS_ADMIN for uprobes Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Rong Zhang <i(a)rong.moe> platform/x86: ideapad-laptop: use usleep_range() for EC polling Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling ------------- Diffstat: Makefile | 4 +- arch/um/drivers/vector_kern.c | 42 +-- arch/x86/Kconfig | 2 +- arch/x86/Makefile | 2 +- arch/x86/include/asm/cpufeatures.h | 2 +- arch/x86/kernel/cpu/mce/amd.c | 15 +- arch/x86/kernel/cpu/mce/core.c | 8 +- arch/x86/kernel/cpu/mce/intel.c | 1 + arch/x86/kvm/svm/sev.c | 4 + arch/x86/kvm/xen.c | 15 +- drivers/acpi/battery.c | 19 +- drivers/atm/idt77252.c | 5 + drivers/block/nbd.c | 6 +- drivers/char/ipmi/ipmi_msghandler.c | 3 +- drivers/gpu/drm/drm_gem.c | 10 +- drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 + drivers/gpu/drm/tegra/nvdec.c | 6 +- drivers/gpu/drm/ttm/ttm_bo_util.c | 13 +- drivers/hid/hid-ids.h | 6 + drivers/hid/hid-lenovo.c | 8 + drivers/hid/hid-multitouch.c | 8 +- drivers/hid/hid-quirks.c | 3 + drivers/input/joystick/xpad.c | 2 + drivers/input/keyboard/atkbd.c | 3 +- drivers/md/md-bitmap.c | 3 +- drivers/md/raid1.c | 1 + drivers/md/raid10.c | 10 +- drivers/net/can/m_can/m_can.c | 2 +- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- drivers/net/ethernet/ibm/ibmvnic.h | 8 +- drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +- drivers/net/phy/microchip.c | 2 +- drivers/net/phy/smsc.c | 28 +- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +- drivers/pinctrl/qcom/pinctrl-msm.c | 20 ++ drivers/platform/x86/ideapad-laptop.c | 19 +- drivers/powercap/intel_rapl_common.c | 22 +- drivers/pwm/pwm-mediatek.c | 13 +- drivers/tty/vt/vt.c | 1 + drivers/usb/cdns3/cdnsp-debug.h | 358 +++++++++++++------------- drivers/usb/cdns3/cdnsp-ep0.c | 18 +- drivers/usb/cdns3/cdnsp-gadget.c | 6 +- drivers/usb/cdns3/cdnsp-gadget.h | 11 +- drivers/usb/cdns3/cdnsp-ring.c | 27 +- drivers/usb/dwc3/core.c | 9 +- drivers/usb/dwc3/gadget.c | 22 +- drivers/usb/gadget/function/u_serial.c | 6 +- drivers/usb/host/xhci-mem.c | 4 + drivers/usb/host/xhci-pci.c | 30 ++- drivers/usb/host/xhci.h | 1 + drivers/vhost/scsi.c | 7 +- fs/anon_inodes.c | 23 +- fs/btrfs/free-space-tree.c | 16 +- fs/btrfs/inode.c | 28 +- fs/erofs/data.c | 2 + fs/erofs/zdata.c | 124 ++++----- fs/proc/inode.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/smb/server/smb2pdu.c | 29 +-- fs/smb/server/transport_rdma.c | 5 +- fs/smb/server/vfs.c | 1 + include/drm/drm_file.h | 3 + include/drm/spsc_queue.h | 4 +- include/linux/fs.h | 2 + include/net/netfilter/nf_flow_table.h | 2 +- include/trace/events/erofs.h | 16 +- kernel/events/core.c | 2 +- kernel/rseq.c | 60 ++++- lib/maple_tree.c | 7 +- mm/kasan/report.c | 13 +- mm/secretmem.c | 11 +- net/appletalk/ddp.c | 1 + net/atm/clip.c | 64 +++-- net/bluetooth/hci_sync.c | 2 +- net/ipv6/addrconf.c | 9 +- net/netlink/af_netlink.c | 90 ++++--- net/rxrpc/call_accept.c | 3 + net/sched/sch_api.c | 23 +- net/tipc/topsrv.c | 2 + net/vmw_vsock/af_vsock.c | 57 +++- net/wireless/util.c | 52 +++- sound/pci/hda/patch_realtek.c | 1 + sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/fsl/fsl_asrc.c | 3 +- tools/include/linux/kallsyms.h | 4 + 87 files changed, 924 insertions(+), 594 deletions(-)

2 months

10
9
0 0

[PATCH 6.6 000/111] 6.6.99-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.99 release. There are 111 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Jul 2025 16:35:12 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.99-rc2… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.99-rc2 Michael Jeanson <mjeanson(a)efficios.com> rseq: Fix segfault on registration when rseq_cs is non-zero Lukas Wunner <lukas(a)wunner.de> crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix potential use-after-free in oplock/lease break ack Yeoreum Yun <yeoreum.yun(a)arm.com> kasan: remove kasan_find_vm_area() to prevent possible deadlock Paulo Alcantara <pc(a)manguebit.com> smb: client: fix potential race in cifs_put_tcon() Willem de Bruijn <willemb(a)google.com> selftests/bpf: adapt one more case in test_lru_map to the new target_free Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Zhang Heng <zhangheng(a)kylinos.cn> HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Willem de Bruijn <willemb(a)google.com> bpf: Adjust free target to avoid global starvation of LRU map Nicolas Pitre <npitre(a)baylibre.com> vt: add missing notification when switching back to text mode Filipe Manana <fdmanana(a)suse.com> btrfs: fix assertion when building free space tree Long Li <longli(a)microsoft.com> net: mana: Record doorbell physical address in PF mode Akira Inoue <niyarium(a)gmail.com> HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Xiaowei Li <xiaowei.li(a)simcom.com> net: usb: qmi_wwan: add SIMCom 8230C composition Yasmin Fitzgerald <sunoflife1.git(a)gmail.com> ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 Yuzuru10 <yuzuru_10(a)proton.me> ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic Fengnan Chang <changfengnan(a)bytedance.com> io_uring: make fallocate be hashed work Tiwei Bie <tiwei.btw(a)antgroup.com> um: vector: Reduce stack usage in vector_eth_configure() Thomas Fourier <fourier.thomas(a)gmail.com> atm: idt77252: Add missing `dma_map_error()` Ronnie Sahlberg <rsahlberg(a)whamcloud.com> ublk: sanity check add_dev input for underflow Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix DCB ETS validation Alok Tiwari <alok.a.tiwari(a)oracle.com> net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Sean Nyekjaer <sean(a)geanix.com> can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Mingming Cao <mmc(a)linux.ibm.com> ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof Kito Xu <veritas501(a)foxmail.com> net: appletalk: Fix device refcount leak in atrtr_create() Eric Dumazet <edumazet(a)google.com> netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() Zheng Qixing <zhengqixing(a)huawei.com> nbd: fix uaf in nbd_genl_connect() error path Nigel Croxon <ncroxon(a)redhat.com> raid10: cleanup memleak at raid10_make_request Wang Jinchao <wangjinchao600(a)gmail.com> md/raid1: Fix stack memory use after return in raid1_reshape Mikko Perttunen <mperttunen(a)nvidia.com> drm/tegra: nvdec: Fix dma_alloc_coherent error check Daniil Dulov <d.dulov(a)aladdin.ru> wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Shyam Prasad N <sprasad(a)microsoft.com> cifs: all initializations for tcon should happen in tcon_info_alloc Paulo Alcantara <pc(a)manguebit.com> smb: client: fix DFS interlink failover Paulo Alcantara <pc(a)manguebit.com> smb: client: avoid unnecessary reconnects when refreshing referrals Kuen-Han Tsai <khtsai(a)google.com> usb: dwc3: Abort suspend on soft disconnect failure Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: Fix issue with CV Bad Descriptor test Lee Jones <lee(a)kernel.org> usb: cdnsp: Replace snprintf() with the safer scnprintf() variant Pawel Laszczak <pawell(a)cadence.com> usb:cdnsp: remove TRB_FLUSH_ENDPOINT command Filipe Manana <fdmanana(a)suse.com> btrfs: fix inode lookup error handling during log replay Filipe Manana <fdmanana(a)suse.com> btrfs: return a btrfs_inode from btrfs_iget_logging() Filipe Manana <fdmanana(a)suse.com> btrfs: remove redundant root argument from fixup_inode_link_count() Filipe Manana <fdmanana(a)suse.com> btrfs: remove redundant root argument from btrfs_update_inode_fallback() Filipe Manana <fdmanana(a)suse.com> btrfs: remove noinline from btrfs_update_inode() Jakub Kicinski <kuba(a)kernel.org> netlink: make sure we allow at least one dump skb Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix rmem check in netlink_broadcast_deliver(). Chao Yu <chao(a)kernel.org> erofs: fix to add missing tracepoint in erofs_read_folio() Al Viro <viro(a)zeniv.linux.org.uk> ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Stefan Metzmacher <metze(a)samba.org> smb: server: make use of rdma_destroy_qp() Jann Horn <jannh(a)google.com> x86/mm: Disable hugetlb page table sharing on 32-bit Mikhail Paulyshka <me(a)mixaill.net> x86/rdrand: Disable RDSEED on AMD Cyan Skillfish Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Ensure to disable clocks in error path Alexander Gordeev <agordeev(a)linux.ibm.com> mm/vmalloc: leave lazy MMU mode on PTE mapping error Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: fix interrupts.py after maple tree conversion Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: de-reference per-CPU MCE interrupts Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: fix interrupts display after MCP on x86 Baolin Wang <baolin.wang(a)linux.alibaba.com> mm: fix the inaccurate memory statistics issue for users Wei Yang <richard.weiyang(a)gmail.com> maple_tree: fix mt_destroy_walk() on root leaf node Achill Gilgenast <fossdd(a)pwned.life> kallsyms: fix build without execinfo Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: battery: negate current when discharging" Thomas Zimmermann <tzimmermann(a)suse.de> drm/framebuffer: Acquire internal references on GEM handles Kuen-Han Tsai <khtsai(a)google.com> Revert "usb: gadget: u_serial: Add null pointer check in gs_start_io" Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: u_serial: Fix race condition in TTY wakeup Simona Vetter <simona.vetter(a)ffwll.ch> drm/gem: Fix race in drm_gem_handle_create_tail() Christian König <christian.koenig(a)amd.com> drm/ttm: fix error handling in ttm_buffer_object_transfer Matthew Brost <matthew.brost(a)intel.com> drm/sched: Increment job count before swapping tail spsc queue Thomas Zimmermann <tzimmermann(a)suse.de> drm/gem: Acquire references on GEM handles for framebuffers Mathy Vanhoef <Mathy.Vanhoef(a)kuleuven.be> wifi: prevent A-MSDU attacks in mesh networks Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: qcom: msm: mark certain pins as invalid for interrupts Håkon Bugge <haakon.bugge(a)oracle.com> md/md-bitmap: fix GPF in bitmap_get_stats() Guillaume Nault <gnault(a)redhat.com> gre: Fix IPv6 multicast route creation. Sean Christopherson <seanjc(a)google.com> KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight David Woodhouse <dwmw(a)amazon.co.uk> KVM: x86/xen: Allow 'out of range' event channel ports in IRQ routing table. JP Kobryn <inwardvessel(a)gmail.com> x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Don't remove sysfs if thresholding sysfs init fails Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Fix threshold limit reset Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Add default names for MCA banks and blocks Dan Carpenter <dan.carpenter(a)linaro.org> ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() David Howells <dhowells(a)redhat.com> rxrpc: Fix oops due to non-existence of prealloc backlog struct Christian Eggers <ceggers(a)arri.de> Bluetooth: HCI: Set extended advertising data synchronously Leo Yan <leo.yan(a)arm.com> perf: build: Setup PKG_CONFIG_LIBDIR for cross compilation Liam R. Howlett <Liam.Howlett(a)oracle.com> maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() David Howells <dhowells(a)redhat.com> rxrpc: Fix bug due to prealloc collision Victor Nogueira <victor(a)mojatatu.com> net/sched: Abort __tc_modify_qdisc if parent class does not exist Yue Haibing <yuehaibing(a)huawei.com> atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix infinite recursive call of clip_push(). Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix memory leak of struct clip_vcc. Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix potential null-ptr-deref in to_atmarpd(). Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Fix link failure in forced mode with Auto-MDIX Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Force predictable MDI-X state on LAN87xx Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap EricChan <chenchuangyu(a)xiaomi.com> net: stmmac: Fix interrupt handling for level-triggered mode in DWC_XGMAC2 Michal Luczaj <mhal(a)rbox.co> vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_* TOCTOU Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_{g2h,h2g} TOCTOU Jiayuan Chen <jiayuan.chen(a)linux.dev> tcp: Correct signedness in skb remaining space calculation Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_conn_close(). Stefano Garzarella <sgarzare(a)redhat.com> vsock: fix `vsock_proto` declaration Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix wraparounds of sk->sk_rmem_alloc. Al Viro <viro(a)zeniv.linux.org.uk> fix proc_sys_compare() handling of in-lookup dentries Mario Limonciello <mario.limonciello(a)amd.com> pinctrl: amd: Clear GPIO debounce for suspend Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix not disabling advertising instance Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: cs35l56: probe() should fail if the device ID is not recognized Peter Zijlstra <peterz(a)infradead.org> perf: Revert to requiring CAP_SYS_ADMIN for uprobes Luo Gengkun <luogengkun(a)huaweicloud.com> perf/core: Fix the WARN_ON_ONCE is out of lock protected region Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Linus Torvalds <torvalds(a)linux-foundation.org> eventpoll: don't decrement ep refcount while still holding the ep mutex ------------- Diffstat: Documentation/bpf/map_hash.rst | 8 +- Documentation/bpf/map_lru_hash_update.dot | 6 +- Makefile | 4 +- arch/um/drivers/vector_kern.c | 42 +-- arch/x86/Kconfig | 2 +- arch/x86/include/asm/msr-index.h | 1 + arch/x86/kernel/cpu/amd.c | 7 + arch/x86/kernel/cpu/mce/amd.c | 28 +- arch/x86/kernel/cpu/mce/core.c | 8 +- arch/x86/kernel/cpu/mce/intel.c | 1 + arch/x86/kvm/svm/sev.c | 4 + arch/x86/kvm/xen.c | 15 +- crypto/ecc.c | 2 +- drivers/acpi/battery.c | 19 +- drivers/atm/idt77252.c | 5 + drivers/block/nbd.c | 6 +- drivers/block/ublk_drv.c | 3 +- drivers/char/ipmi/ipmi_msghandler.c | 3 +- drivers/gpu/drm/drm_framebuffer.c | 31 +- drivers/gpu/drm/drm_gem.c | 74 ++++- drivers/gpu/drm/drm_internal.h | 2 + drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 + drivers/gpu/drm/tegra/nvdec.c | 6 +- drivers/gpu/drm/ttm/ttm_bo_util.c | 13 +- drivers/hid/hid-ids.h | 6 + drivers/hid/hid-lenovo.c | 8 + drivers/hid/hid-multitouch.c | 8 +- drivers/hid/hid-quirks.c | 3 + drivers/input/keyboard/atkbd.c | 3 +- drivers/md/md-bitmap.c | 3 +- drivers/md/raid1.c | 1 + drivers/md/raid10.c | 10 +- drivers/net/can/m_can/m_can.c | 2 +- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- drivers/net/ethernet/ibm/ibmvnic.h | 8 +- drivers/net/ethernet/microsoft/mana/gdma_main.c | 3 + drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c | 24 +- drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +- drivers/net/phy/microchip.c | 2 +- drivers/net/phy/smsc.c | 57 +++- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +- drivers/pinctrl/pinctrl-amd.c | 11 + drivers/pinctrl/qcom/pinctrl-msm.c | 20 ++ drivers/pwm/pwm-mediatek.c | 13 +- drivers/tty/vt/vt.c | 1 + drivers/usb/cdns3/cdnsp-debug.h | 358 ++++++++++----------- drivers/usb/cdns3/cdnsp-ep0.c | 18 +- drivers/usb/cdns3/cdnsp-gadget.c | 6 +- drivers/usb/cdns3/cdnsp-gadget.h | 11 +- drivers/usb/cdns3/cdnsp-ring.c | 27 +- drivers/usb/dwc3/core.c | 9 +- drivers/usb/dwc3/gadget.c | 22 +- drivers/usb/gadget/function/u_serial.c | 12 +- fs/btrfs/btrfs_inode.h | 2 +- fs/btrfs/free-space-tree.c | 16 +- fs/btrfs/inode.c | 18 +- fs/btrfs/transaction.c | 2 +- fs/btrfs/tree-log.c | 331 +++++++++++-------- fs/erofs/data.c | 2 + fs/eventpoll.c | 12 +- fs/proc/inode.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/task_mmu.c | 14 +- fs/smb/client/cifsglob.h | 3 + fs/smb/client/cifsproto.h | 13 +- fs/smb/client/connect.c | 47 ++- fs/smb/client/dfs.c | 73 ++--- fs/smb/client/dfs.h | 42 ++- fs/smb/client/dfs_cache.c | 198 +++++++----- fs/smb/client/fs_context.h | 1 + fs/smb/client/misc.c | 9 + fs/smb/client/namespace.c | 2 +- fs/smb/server/smb2pdu.c | 29 +- fs/smb/server/transport_rdma.c | 5 +- fs/smb/server/vfs.c | 1 + include/drm/drm_file.h | 3 + include/drm/drm_framebuffer.h | 7 + include/drm/spsc_queue.h | 4 +- include/linux/math.h | 12 + include/linux/mm.h | 5 + include/net/af_vsock.h | 2 +- include/net/netfilter/nf_flow_table.h | 2 +- io_uring/opdef.c | 1 + kernel/bpf/bpf_lru_list.c | 9 +- kernel/bpf/bpf_lru_list.h | 1 + kernel/events/core.c | 6 +- kernel/rseq.c | 60 +++- lib/maple_tree.c | 14 +- mm/kasan/report.c | 13 +- mm/vmalloc.c | 22 +- net/appletalk/ddp.c | 1 + net/atm/clip.c | 64 +++- net/bluetooth/hci_event.c | 39 +-- net/bluetooth/hci_sync.c | 215 ++++++++----- net/ipv4/tcp.c | 2 +- net/ipv6/addrconf.c | 9 +- net/netlink/af_netlink.c | 90 +++--- net/rxrpc/call_accept.c | 4 + net/sched/sch_api.c | 23 +- net/tipc/topsrv.c | 2 + net/vmw_vsock/af_vsock.c | 57 +++- net/wireless/util.c | 52 ++- scripts/gdb/linux/constants.py.in | 7 + scripts/gdb/linux/interrupts.py | 16 +- scripts/gdb/linux/mapletree.py | 252 +++++++++++++++ scripts/gdb/linux/xarray.py | 28 ++ sound/pci/hda/patch_realtek.c | 1 + sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/codecs/cs35l56-shared.c | 2 +- sound/soc/fsl/fsl_asrc.c | 3 +- tools/arch/x86/include/asm/msr-index.h | 1 + tools/build/feature/Makefile | 25 +- tools/include/linux/kallsyms.h | 4 + tools/perf/Makefile.perf | 27 +- tools/testing/selftests/bpf/test_lru_map.c | 105 +++--- 117 files changed, 1948 insertions(+), 1042 deletions(-) From gregkh(a)linuxfoundation.org Tue Jul 15 18:35:42 2025 Message-ID: <20250715163542.121531643(a)linuxfoundation.org> User-Agent: quilt/0.68 Date: Tue, 15 Jul 2025 18:35:43 +0200 From: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> To: stable(a)vger.kernel.org Cc: patches(a)lists.linux.dev, linux-kernel(a)vger.kernel.org, torvalds(a)linux-foundation.org, akpm(a)linux-foundation.org, linux(a)roeck-us.net, shuah(a)kernel.org, patches(a)kernelci.org, lkft-triage(a)lists.linaro.org, pavel(a)denx.de, jonathanh(a)nvidia.com, f.fainelli(a)gmail.com, sudipm.mukherjee(a)gmail.com, srw(a)sladewatkins.net, rwarsow(a)gmx.de, conor(a)kernel.org, hargar(a)microsoft.com, broonie(a)kernel.org, Jann Horn <jannh(a)google.com>, Alexander Viro <viro(a)zeniv.linux.org.uk>, Christian Brauner <brauner(a)kernel.org>, Jan Kara <jack(a)suse.cz>, Linus Torvalds <torvalds(a)linux-foundation.org> X-stable: review X-Patchwork-Hint: ignore Subject: [PATCH 6.6 001/111] eventpoll: dont decrement ep refcount while still holding the ep mutex MIME-Version: 1.0 6.6-stable review patch. If anyone has any objections, please let me know. ------------------ From: Linus Torvalds <torvalds(a)linux-foundation.org> commit 8c2e52ebbe885c7eeaabd3b7ddcdc1246fc400d2 upstream. Jann Horn points out that epoll is decrementing the ep refcount and then doing a mutex_unlock(&ep->mtx); afterwards. That's very wrong, because it can lead to a use-after-free. That pattern is actually fine for the very last reference, because the code in question will delay the actual call to "ep_free(ep)" until after it has unlocked the mutex. But it's wrong for the much subtler "next to last" case when somebody *else* may also be dropping their reference and free the ep while we're still using the mutex. Note that this is true even if that other user is also using the same ep mutex: mutexes, unlike spinlocks, can not be used for object ownership, even if they guarantee mutual exclusion. A mutex "unlock" operation is not atomic, and as one user is still accessing the mutex as part of unlocking it, another user can come in and get the now released mutex and free the data structure while the first user is still cleaning up. See our mutex documentation in Documentation/locking/mutex-design.rst, in particular the section [1] about semantics: "mutex_unlock() may access the mutex structure even after it has internally released the lock already - so it's not safe for another context to acquire the mutex and assume that the mutex_unlock() context is not using the structure anymore" So if we drop our ep ref before the mutex unlock, but we weren't the last one, we may then unlock the mutex, another user comes in, drops _their_ reference and releases the 'ep' as it now has no users - all while the mutex_unlock() is still accessing it. Fix this by simply moving the ep refcount dropping to outside the mutex: the refcount itself is atomic, and doesn't need mutex protection (that's the whole _point_ of refcounts: unlike mutexes, they are inherently about object lifetimes). Reported-by: Jann Horn <jannh(a)google.com> Link: https://docs.kernel.org/locking/mutex-design.html#semantics [1] Cc: Alexander Viro <viro(a)zeniv.linux.org.uk> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Jan Kara <jack(a)suse.cz> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- fs/eventpoll.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) --- a/fs/eventpoll.c +++ b/fs/eventpoll.c @@ -772,7 +772,7 @@ static bool __ep_remove(struct eventpoll call_rcu(&epi->rcu, epi_rcu_free); percpu_counter_dec(&ep->user->epoll_watches); - return ep_refcount_dec_and_test(ep); + return true; } /* @@ -780,14 +780,14 @@ static bool __ep_remove(struct eventpoll */ static void ep_remove_safe(struct eventpoll *ep, struct epitem *epi) { - WARN_ON_ONCE(__ep_remove(ep, epi, false)); + if (__ep_remove(ep, epi, false)) + WARN_ON_ONCE(ep_refcount_dec_and_test(ep)); } static void ep_clear_and_put(struct eventpoll *ep) { struct rb_node *rbp, *next; struct epitem *epi; - bool dispose; /* We need to release all tasks waiting for these file */ if (waitqueue_active(&ep->poll_wait)) @@ -820,10 +820,8 @@ static void ep_clear_and_put(struct even cond_resched(); } - dispose = ep_refcount_dec_and_test(ep); mutex_unlock(&ep->mtx); - - if (dispose) + if (ep_refcount_dec_and_test(ep)) ep_free(ep); } @@ -1003,7 +1001,7 @@ again: dispose = __ep_remove(ep, epi, true); mutex_unlock(&ep->mtx); - if (dispose) + if (dispose && ep_refcount_dec_and_test(ep)) ep_free(ep); goto again; }

2 months

10
9
0 0

[PATCH 5.10 000/355] 5.10.239-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.10.239 release. There are 355 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 25 Jun 2025 13:05:51 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.239-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.10.239-rc1 Tengda Wu <wutengda(a)huaweicloud.com> arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth() Peter Zijlstra <peterz(a)infradead.org> perf: Fix sample vs do_exit() Aaron Lu <ziqianlu(a)bytedance.com> Revert "bpf: allow precision tracking for programs with subprogs" Aaron Lu <ziqianlu(a)bytedance.com> Revert "bpf: stop setting precise in current state" Aaron Lu <ziqianlu(a)bytedance.com> Revert "bpf: aggressively forget precise markings during state checkpointing" Aaron Lu <ziqianlu(a)bytedance.com> Revert "selftests/bpf: make test_align selftest more robust" Heiko Carstens <hca(a)linux.ibm.com> s390/pci: Fix __pcilg_mio_inuser() inline assembly David Gow <davidgow(a)google.com> rtc: test: Fix invalid format specifier. Eddie James <eajames(a)linux.ibm.com> hwmon: (occ) Fix P10 VRM temp sensors Gavin Guo <gavinguo(a)igalia.com> mm/huge_memory: fix dereferencing invalid pmd migration entry Octavian Purdila <tavip(a)google.com> net_sched: sch_sfq: move the limit validation Octavian Purdila <tavip(a)google.com> net_sched: sch_sfq: use a temporary work area for validating configuration Octavian Purdila <tavip(a)google.com> net_sched: sch_sfq: don't allow 1 packet limit Eric Dumazet <edumazet(a)google.com> net_sched: sch_sfq: handle bigger packets Eric Dumazet <edumazet(a)google.com> net_sched: sch_sfq: annotate data-races around q->perturb_period Alexandre Mergnat <amergnat(a)baylibre.com> rtc: Make rtc_time64_to_tm() support dates before 1970 Cassio Neri <cassio.neri(a)gmail.com> rtc: Improve performance of rtc_time64_to_tm(). Add tests. Paul Chaignon <paul.chaignon(a)gmail.com> bpf: Fix L4 csum update on IPv6 in CHECKSUM_COMPLETE Paul Chaignon <paul.chaignon(a)gmail.com> net: Fix checksum update for ILA adj-transport Eliav Farber <farbere(a)amazon.com> net/ipv4: fix type mismatch in inet_ehash_locks_alloc() causing build failure James Morse <james.morse(a)arm.com> arm64: proton-pack: Add new CPUs 'k' values for branch mitigation James Morse <james.morse(a)arm.com> arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users James Morse <james.morse(a)arm.com> arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs Liu Song <liusong(a)linux.alibaba.com> arm64: spectre: increase parameters that can be used to turn off bhb mitigation individually James Morse <james.morse(a)arm.com> arm64: proton-pack: Expose whether the branchy loop k value Will Deacon <will(a)kernel.org> arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays Douglas Anderson <dianders(a)chromium.org> arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists Douglas Anderson <dianders(a)chromium.org> arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list Douglas Anderson <dianders(a)chromium.org> arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB James Morse <james.morse(a)arm.com> arm64: proton-pack: Expose whether the platform is mitigated by firmware James Morse <james.morse(a)arm.com> arm64: insn: Add support for encoding DSB Hou Tao <houtao1(a)huawei.com> arm64: insn: add encoders for atomic operations Hou Tao <houtao1(a)huawei.com> arm64: move AARCH64_BREAK_FAULT into insn-def.h Julien Thierry <jthierry(a)redhat.com> arm64: insn: Add barrier encodings Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> serial: sh-sci: Increment the runtime usage counter for the earlycon device Geert Uytterhoeven <geert+renesas(a)glider.be> ARM: dts: am335x-bone-common: Increase MDIO reset deassert delay to 50ms Colin Foster <colin.foster(a)in-advantage.com> ARM: dts: am335x-bone-common: Increase MDIO reset deassert time Shengyu Qu <wiagn233(a)outlook.com> ARM: dts: am335x-bone-common: Add GPIO PHY reset on revision C3 board Eric Dumazet <edumazet(a)google.com> net: atm: fix /proc/net/atm/lec handling Eric Dumazet <edumazet(a)google.com> net: atm: add lec_mutex Kuniyuki Iwashima <kuniyu(a)google.com> calipso: Fix null-ptr-deref in calipso_req_{set,del}attr(). Haixia Qu <hxqu(a)hillstonenet.com> tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer Neal Cardwell <ncardwell(a)google.com> tcp: fix tcp_packet_delayed() for tcp_is_non_sack_preventing_reopen() behavior Kuniyuki Iwashima <kuniyu(a)google.com> atm: atmtcp: Free invalid length skb in atmtcp_c_send(). Kuniyuki Iwashima <kuniyu(a)google.com> mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). Dmitry Antipov <dmantipov(a)yandex.ru> wifi: carl9170: do not ping device which has failed to load firmware Krishna Kumar <krikku(a)gmail.com> net: ice: Perform accurate aRFS flow match Justin Sanders <jsanders.devel(a)gmail.com> aoe: clean device rq_list in aoedev_downdev() Simon Horman <horms(a)kernel.org> pldmfw: Select CRC32 when PLDMFW is selected Arnd Bergmann <arnd(a)arndb.de> hwmon: (occ) fix unaligned accesses Arnd Bergmann <arnd(a)arndb.de> hwmon: (occ) Rework attribute registration for stack usage Eddie James <eajames(a)linux.ibm.com> hwmon: (occ) Add soft minimum power cap attribute Eddie James <eajames(a)linux.ibm.com> hwmon: (occ) Add new temperature sensor type Jacob Keller <jacob.e.keller(a)intel.com> drm/nouveau/bl: increase buffer size to avoid truncate warning Gao Xiang <hsiangkao(a)linux.alibaba.com> erofs: remove unused trace event erofs_destroy_inode Jann Horn <jannh(a)google.com> mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race Liu Shixin <liushixin2(a)huawei.com> mm: hugetlb: independent PMD page table shared count Jann Horn <jannh(a)google.com> mm/hugetlb: unshare page tables during VMA split, not before James Houghton <jthoughton(a)google.com> hugetlb: unshare some PMDs when splitting VMAs Jonathan Lane <jon(a)borg.moe> ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged Takashi Iwai <tiwai(a)suse.de> ALSA: hda/intel: Add Thinkpad E15 to PM deny list wangdicheng <wangdicheng(a)kylinos.cn> ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound card WangYuli <wangyuli(a)uniontech.com> Input: sparcspkr - avoid unannotated fall-through Terry Junge <linuxhid(a)cosmicgizmosystems.com> HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() Kuniyuki Iwashima <kuniyu(a)google.com> atm: Revert atm_account_tx() if copy_from_iter_full() fails. Stephen Smalley <stephen.smalley.work(a)gmail.com> selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len Marek Szyprowski <m.szyprowski(a)samsung.com> udmabuf: use sgtable-based scatterlist wrappers Peter Oberparleiter <oberpar(a)linux.ibm.com> scsi: s390: zfcp: Ensure synchronous unit_add Dexuan Cui <decui(a)microsoft.com> scsi: storvsc: Increase the timeouts to storvsc_timeout Fedor Pchelkin <pchelkin(a)ispras.ru> jffs2: check jffs2_prealloc_raw_node_refs() result in few other places Artem Sadovnikov <a.sadovnikov(a)ispras.ru> jffs2: check that raw node were preallocated before writing summary Andrew Morton <akpm(a)linux-foundation.org> drivers/rapidio/rio_cm.c: prevent possible heap overwrite Breno Leitao <leitao(a)debian.org> Revert "x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2" on v6.6 and older Narayana Murty N <nnmlinux(a)linux.ibm.com> powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery Stuart Hayes <stuart.w.hayes(a)gmail.com> platform/x86: dell_rbu: Stop overwriting data buffer Stuart Hayes <stuart.w.hayes(a)gmail.com> platform/x86: dell_rbu: Fix list usage Maximilian Luz <luzmaximilian(a)gmail.com> platform: Add Surface platform directory Alexander Sverdlin <alexander.sverdlin(a)siemens.com> Revert "bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first" Jann Horn <jannh(a)google.com> tee: Prevent size calculation wraparound on 32-bit kernels Sukrut Bellary <sbellary(a)baylibre.com> ARM: OMAP2+: Fix l4ls clk domain handling in STANDBY Laurentiu Tudor <laurentiu.tudor(a)nxp.com> bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value Marcus Folkesson <marcus.folkesson(a)gmail.com> watchdog: da9052_wdt: respect TWDMIN Kyungwook Boo <bookyungwook(a)gmail.com> i40e: fix MMIO write access to an invalid page in i40e_clear_hw Zijun Hu <quic_zijuhu(a)quicinc.com> sock: Correct error checking condition for (assign|release)_proto_idx() Daniel Wagner <wagi(a)kernel.org> scsi: lpfc: Use memcpy() for BIOS version Zijun Hu <quic_zijuhu(a)quicinc.com> software node: Correct a OOB check in software_node_get_reference_args() Ido Schimmel <idosch(a)nvidia.com> vxlan: Do not treat dst cache initialization errors as fatal Sean Christopherson <seanjc(a)google.com> iommu/amd: Ensure GA log notifier callbacks finish running before module unload Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands Heiko Stuebner <heiko(a)sntech.de> clk: rockchip: rk3036: mark ddrphy as critical Benjamin Berg <benjamin(a)sipsolutions.net> wifi: mac80211: do not offer a mesh path if forwarding is disabled Jason Xing <kernelxing(a)tencent.com> net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() Jason Xing <kernelxing(a)tencent.com> net: atlantic: generate software timestamp just before the doorbell Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT Eric Dumazet <edumazet(a)google.com> tcp: fix initial tp->rcvq_space.space value for passive TS enabled flows Eric Dumazet <edumazet(a)google.com> tcp: always seek for minimal rtt in tcp_rcv_rtt_update() Moon Yeounsu <yyyynoom(a)gmail.com> net: dlink: add synchronization for stats update Tali Perry <tali.perry1(a)gmail.com> i2c: npcm: Add clock toggle recovery Petr Malat <oss(a)malat.biz> sctp: Do not wake readers in __sctp_write_space() Henk Vergonet <henk.vergonet(a)gmail.com> wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R Alok Tiwari <alok.a.tiwari(a)oracle.com> emulex/benet: correct command version selection in be_cmd_get_stats() Tan En De <ende.tan(a)starfivetech.com> i2c: designware: Invoke runtime suspend on quick slave re-registration Zilin Guan <zilin(a)seu.edu.cn> tipc: use kfree_sensitive() for aead cleanup Sergio Perez Gonzalez <sperezglz(a)gmail.com> net: macb: Check return value of dma_set_mask_and_coherent() Viresh Kumar <viresh.kumar(a)linaro.org> cpufreq: Force sync policy boost with global boost on sysfs update George Moussalem <george.moussalem(a)outlook.com> thermal/drivers/qcom/tsens: Update conditions to strictly evaluate for IP v2+ Simon Schuster <schuster.simon(a)siemens-energy.com> nios2: force update_mmu_cache on spurious tlb-permission--related pagefaults Wentao Liang <vulab(a)iscas.ac.cn> media: platform: exynos4-is: Add hardware sync wait to fimc_is_hw_change_mode() Hans Verkuil <hverkuil(a)xs4all.nl> media: tc358743: ignore video while HPD is low Amber Lin <Amber.Lin(a)amd.com> drm/amdkfd: Set SDMA_RLCx_IB_CNTL/SWITCH_INSIDE_IB Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: don't select single flush for active CTL blocks Dylan Wolff <wolffd(a)comp.nus.edu.sg> jfs: Fix null-ptr-deref in jfs_ioc_trim Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx9: fix CSIB handling Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx8: fix CSIB handling Zhang Yi <yi.zhang(a)huawei.com> ext4: prevent stale extent cache entries caused by concurrent get es_cache Long Li <leo.lilong(a)huawei.com> sunrpc: fix race in cache cleanup causing stale nextcheck time Nicolas Dufresne <nicolas.dufresne(a)collabora.com> media: rkvdec: Initialize the m2m context before the controls Aditya Dutt <duttaditya18(a)gmail.com> jfs: fix array-index-out-of-bounds read in add_missing_indices Zhang Yi <yi.zhang(a)huawei.com> ext4: ext4: unify EXT4_EX_NOCACHE|NOFAIL flags in ext4_ext_remove_space() Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx7: fix CSIB handling Nas Chung <nas.chung(a)chipsnmedia.com> media: uapi: v4l: Change V4L2_TYPE_IS_CAPTURE condition Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx10: fix CSIB handling Akhil P Oommen <quic_akhilpo(a)quicinc.com> drm/msm/a6xx: Increase HFI response timeout Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add NULL pointer checks in dm_force_atomic_commit() Nas Chung <nas.chung(a)chipsnmedia.com> media: uapi: v4l: Fix V4L2_TYPE_IS_OUTPUT condition Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/hdmi: add runtime PM calls to DDC transfer function Namjae Jeon <linkinjeon(a)kernel.org> exfat: fix double free in delayed_free Damon Ding <damon.ding(a)rock-chips.com> drm/bridge: analogix_dp: Add irq flag IRQF_NO_AUTOEN instead of calling disable_irq() Long Li <leo.lilong(a)huawei.com> sunrpc: update nextcheck time when adding new cache entries Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx6: fix CSIB handling Peter Marheine <pmarheine(a)chromium.org> ACPI: battery: negate current when discharging Charan Teja Kalla <quic_charante(a)quicinc.com> PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() Yuanjun Gong <ruc_gongyuanjun(a)163.com> ASoC: tegra210_ahub: Add check to of_device_get_match_data() gldrk <me(a)rarity.fan> ACPICA: utilities: Fix overflow check in vsnprintf() Jerry Lv <Jerry.Lv(a)axis.com> power: supply: bq27xxx: Retrieve again when busy Seunghun Han <kkamagui(a)gmail.com> ACPICA: fix acpi parse and parseext cache leaks Hector Martin <marcan(a)marcan.st> ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change Ahmed Salem <x0rw3ll(a)gmail.com> ACPICA: Avoid sequence overread in call to strncmp() Guilherme G. Piccoli <gpiccoli(a)igalia.com> clocksource: Fix the CPUs' choice in the watchdog per CPU verification Seunghun Han <kkamagui(a)gmail.com> ACPICA: fix acpi operand cache leak in dswstate.c David Lechner <dlechner(a)baylibre.com> iio: adc: ad7606_spi: fix reg write value mask Sean Nyekjaer <sean(a)geanix.com> iio: imu: inv_icm42600: Fix temperature calculation Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> PCI: Fix lock symmetry in pci_slot_unlock() Huacai Chen <chenhuacai(a)loongson.cn> PCI: Add ACS quirk for Loongson PCIe Long Li <longli(a)microsoft.com> uio_hv_generic: Use correct size for interrupt and monitor pages Wentao Liang <vulab(a)iscas.ac.cn> regulator: max14577: Add error check for max14577_read_reg() Khem Raj <raj.khem(a)gmail.com> mips: Add -std= flag specified in KBUILD_CFLAGS to vdso CFLAGS Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: iio: ad5933: Correct settling cycles encoding per datasheet Qasim Ijaz <qasdev00(a)gmail.com> net: ch9200: fix uninitialised access during mii_nway_restart Ye Bin <yebin10(a)huawei.com> ftrace: Fix UAF when lookup kallsym after ftrace disabled Mikulas Patocka <mpatocka(a)redhat.com> dm-mirror: fix a tiny race condition Wentao Liang <vulab(a)iscas.ac.cn> mtd: nand: sunxi: Add randomizer configuration before randomizer enable Wentao Liang <vulab(a)iscas.ac.cn> mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk Jinliang Zheng <alexjlzheng(a)tencent.com> mm: fix ratelimit_pages update error in dirty_ratio_handler() Jeongjun Park <aha310510(a)gmail.com> ipc: fix to protect IPCS lookups using RCU Da Xue <da(a)libre.computer> clk: meson-g12a: add missing fclk_div2 to spicc Arnd Bergmann <arnd(a)arndb.de> parisc: fix building with gcc-15 GONG Ruiqi <gongruiqi1(a)huawei.com> vgacon: Add check for vc_origin address range in vgacon_scroll() Murad Masimov <m.masimov(a)mt-integration.ru> fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var Niravkumar L Rabara <niravkumar.l.rabara(a)intel.com> EDAC/altera: Use correct write width with the INTTEST register Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> NFC: nci: uart: Set tty->disc_data only in success path Chao Yu <chao(a)kernel.org> f2fs: fix to do sanity check on sit_bitmap_size Jaegeuk Kim <jaegeuk(a)kernel.org> f2fs: prevent kernel warning due to negative i_nlink from corrupted image Dan Carpenter <dan.carpenter(a)linaro.org> Input: ims-pcu - check record size in ims_pcu_flash_firmware() Zhang Yi <yi.zhang(a)huawei.com> ext4: ensure i_size is smaller than maxbytes Zhang Yi <yi.zhang(a)huawei.com> ext4: factor out ext4_get_maxbytes() Jan Kara <jack(a)suse.cz> ext4: fix calculation of credits for extent tree modification Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> ext4: inline: fix len overflow in ext4_prepare_inline_data Ioana Ciornei <ioana.ciornei(a)nxp.com> bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device Tasos Sahanidis <tasos(a)tasossah.com> ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 Jeff Hugo <quic_jhugo(a)quicinc.com> bus: mhi: host: Fix conflict between power_up and SYSERR Andreas Kemnade <andreas(a)kemnade.info> ARM: omap: pmic-cpcap: do not mess around without CPCAP or OMAP4 Ross Stutterheim <ross.stutterheim(a)garmin.com> ARM: 9447/1: arm/memremap: fix arch_memremap_can_ram_remap() Denis Arefev <arefev(a)swemel.ru> media: vivid: Change the siize of the composing Edward Adam Davis <eadavis(a)qq.com> media: vidtv: Terminating the subsequent process of initialization failure Marek Szyprowski <m.szyprowski(a)samsung.com> media: videobuf2: use sgtable-based scatterlist wrappers Loic Poulain <loic.poulain(a)oss.qualcomm.com> media: venus: Fix probe error handling Ma Ke <make24(a)iscas.ac.cn> media: v4l2-dev: fix error handling in __video_register_device() Wentao Liang <vulab(a)iscas.ac.cn> media: gspca: Add error handling for stv06xx_read_sensor() Edward Adam Davis <eadavis(a)qq.com> media: cxusb: no longer judge rbuf when the write fails Johan Hovold <johan+linaro(a)kernel.org> media: ov8856: suppress probe deferral errors Mingcong Bai <jeffbai(a)aosc.io> wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723 Jeongjun Park <aha310510(a)gmail.com> jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() Li Lingfeng <lilingfeng3(a)huawei.com> nfsd: Initialize ssc before laundromat_work to prevent NULL dereference NeilBrown <neil(a)brown.name> nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request Christian Lamparter <chunkeey(a)gmail.com> wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() Wentao Liang <vulab(a)iscas.ac.cn> net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid() Wentao Liang <vulab(a)iscas.ac.cn> net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr() Martin Blumenstingl <martin.blumenstingl(a)googlemail.com> ASoC: meson: meson-card-utils: use of_property_present() for DT parsing Wentao Liang <vulab(a)iscas.ac.cn> ASoC: qcom: sdm845: Add error handling in sdm845_slim_snd_hw_params() Alexander Aring <aahringo(a)redhat.com> gfs2: move msleep to sleepable context Herbert Xu <herbert(a)gondor.apana.org.au> crypto: marvell/cesa - Do not chain submitted requests Zijun Hu <quic_zijuhu(a)quicinc.com> configfs: Do not override creating attribute file failure in populate_attrs() Eric Dumazet <edumazet(a)google.com> tcp: tcp_data_ready() must look at SOCK_DONE Arnd Bergmann <arnd(a)arndb.de> kbuild: hdrcheck: fix cross build with clang Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> kbuild: userprogs: fix bitsize and target detection on clang Oliver Neukum <oneukum(a)suse.com> net: usb: aqc111: debug info before sanitation Eric Dumazet <edumazet(a)google.com> calipso: unlock rcu before returning -EAFNOSUPPORT Thomas Gleixner <tglx(a)linutronix.de> x86/iopl: Cure TIF_IO_BITMAP inconsistencies Stefano Stabellini <stefano.stabellini(a)amd.com> xen/arm: call uaccess_ttbr0_enable for dm_op hypercall Mathias Nyman <mathias.nyman(a)linux.intel.com> usb: Flush altsetting 0 endpoints before reinitializating them after reset. Nathan Chancellor <nathan(a)kernel.org> drm/amd/display: Do not add '-mhard-float' to dcn2{1,0}_resource.o for clang Nathan Chancellor <nathan(a)kernel.org> kbuild: Add KBUILD_CPPFLAGS to as-option invocation Masahiro Yamada <masahiroy(a)kernel.org> kbuild: add $(CLANG_FLAGS) to KBUILD_CPPFLAGS Nathan Chancellor <nathan(a)kernel.org> kbuild: Add CLANG_FLAGS to as-instr Nathan Chancellor <nathan(a)kernel.org> mips: Include KBUILD_CPPFLAGS in CHECKFLAGS invocation Nathan Chancellor <nathan(a)kernel.org> drm/amd/display: Do not add '-mhard-float' to dml_ccflags for clang Nick Desaulniers <ndesaulniers(a)google.com> kbuild: Update assembler calls to use proper flags and language target Nathan Chancellor <nathan(a)kernel.org> MIPS: Prefer cc-option for additions to cflags Nathan Chancellor <nathan(a)kernel.org> MIPS: Move '-Wa,-msoft-float' check from as-option to cc-option Nick Desaulniers <ndesaulniers(a)google.com> x86/boot/compressed: prefer cc-option for CFLAGS additions Oleg Nesterov <oleg(a)redhat.com> posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() Zijun Hu <quic_zijuhu(a)quicinc.com> fs/filesystems: Fix potential unsigned integer underflow in fs_name() Eric Dumazet <edumazet(a)google.com> net_sched: ets: fix a race in ets_qdisc_change() Cong Wang <xiyou.wangcong(a)gmail.com> sch_ets: make est_qlen_notify() idempotent Eric Dumazet <edumazet(a)google.com> net_sched: tbf: fix a race in tbf_change() Eric Dumazet <edumazet(a)google.com> net_sched: red: fix a race in __red_change() Eric Dumazet <edumazet(a)google.com> net_sched: prio: fix a race in prio_tune() Patrisious Haddad <phaddad(a)nvidia.com> net/mlx5: Fix return value when searching for existing flow group Moshe Shemesh <moshe(a)nvidia.com> net/mlx5: Ensure fw pages are always allocated on same NUMA Jakub Raczynski <j.raczynski(a)samsung.com> net/mdiobus: Fix potential out-of-bounds read/write access Andrew Lunn <andrew(a)lunn.ch> net: mdio: C22 is now optional, EOPNOTSUPP if not provided Carlos Fernandez <carlos.fernandez(a)technica-engineering.de> macsec: MACsec SCI assignment for ES = 0 Michal Luczaj <mhal(a)rbox.co> net: Fix TOCTOU issue in sk_is_readable() Cong Wang <cong.wang(a)bytedance.com> net: Rename ->stream_memory_read to ->sock_is_readable Cong Wang <cong.wang(a)bytedance.com> bpf: Clean up sockmap related Kconfigs Eric Dumazet <edumazet(a)google.com> tcp: factorize logic into tcp_epollin_ready() Robert Malz <robert.malz(a)canonical.com> i40e: retry VFLR handling if there is ongoing VF reset Robert Malz <robert.malz(a)canonical.com> i40e: return false from i40e_reset_vf if reset is in progress Haren Myneni <haren(a)linux.ibm.com> powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() Haren Myneni <haren(a)linux.ibm.com> powerpc/vas: Move VAS API to book3s common platform Eric Dumazet <edumazet(a)google.com> net_sched: sch_sfq: fix a potential crash on gso_skb handling Alok Tiwari <alok.a.tiwari(a)oracle.com> scsi: iscsi: Fix incorrect error path labels for flashnode operations Caleb Connolly <caleb.connolly(a)linaro.org> ath10k: snoc: fix unbalanced IRQ enable in crash recovery Wen Gong <wgong(a)codeaurora.org> ath10k: prevent deinitializing NAPI twice Wen Gong <wgong(a)codeaurora.org> ath10k: add atomic protection for device recovery Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> serial: sh-sci: Clean sci_ports[0] after at earlycon exit Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> serial: sh-sci: Move runtime PM enable to sci_probe_single() Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> serial: sh-sci: Check if TX data was written to device in .tx_empty() Judith Mendez <jm(a)ti.com> arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0 Judith Mendez <jm(a)ti.com> arm64: dts: ti: k3-am65-main: Fix sdhci node properties Nishanth Menon <nm(a)ti.com> arm64: dts: ti: k3-am65-main: Drop deprecated ti,otap-del-sel property Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: synaptics-rmi - fix crash with unsupported versions of F34 zhang songyi <zhang.songyi(a)zte.com.cn> Input: synaptics-rmi4 - convert to use sysfs_emit() APIs Dan Carpenter <dan.carpenter(a)linaro.org> pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id() Al Viro <viro(a)zeniv.linux.org.uk> do_change_type(): refuse to operate on unmounted/not ours mounts Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PM: sleep: Fix power.is_suspended cleanup for direct-complete devices Ronak Doshi <ronak.doshi(a)broadcom.com> vmxnet3: correctly report gso type for UDP tunnels Michal Kubiak <michal.kubiak(a)intel.com> ice: create new Tx scheduler nodes for new queues only Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION Álvaro Fernández Rojas <noltari(a)gmail.com> spi: bcm63xx-hsspi: fix shared reset Álvaro Fernández Rojas <noltari(a)gmail.com> spi: bcm63xx-spi: fix shared reset Dan Carpenter <dan.carpenter(a)linaro.org> net/mlx4_en: Prevent potential integer overflow calculating Hz Yanqing Wang <ot_yanqing.wang(a)mediatek.com> driver: net: ethernet: mtk_star_emac: fix suspend/resume issue Charalampos Mitrodimas <charmitro(a)posteo.net> net: tipc: fix refcount warning in tipc_aead_encrypt Alok Tiwari <alok.a.tiwari(a)oracle.com> gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt Quentin Schulz <quentin.schulz(a)cherry.de> net: stmmac: platform: guarantee uniqueness of bus_id Nicolas Pitre <npitre(a)baylibre.com> vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() WangYuli <wangyuli(a)uniontech.com> MIPS: Loongson64: Add missing '#interrupt-cells' for loongson64c_ls7a Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> iio: adc: ad7124: Fix 3dB filter frequency reading Henry Martin <bsdhenrymartin(a)gmail.com> serial: Fix potential null-ptr-deref in mlb_usio_probe() Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> usb: renesas_usbhs: Reorder clock handling and power management in probe Alexandre Mergnat <amergnat(a)baylibre.com> rtc: Fix offset calculation for .start_secs < 0 Bjorn Helgaas <bhelgaas(a)google.com> PCI/DPC: Initialize aer_err_info before using it Henry Martin <bsdhenrymartin(a)gmail.com> dmaengine: ti: Add NULL check in udma_probe() Hans Zhang <18255117159(a)163.com> PCI: cadence: Fix runtime atomic count underflow Wolfram Sang <wsa+renesas(a)sang-engineering.com> rtc: sh: assign correct interrupts with DT Li Lingfeng <lilingfeng3(a)huawei.com> nfs: ignore SB_RDONLY when remounting nfs Li Lingfeng <lilingfeng3(a)huawei.com> nfs: clear SB_RDONLY before getting superblock Dapeng Mi <dapeng1.mi(a)linux.intel.com> perf record: Fix incorrect --user-regs comments Leo Yan <leo.yan(a)arm.com> perf tests switch-tracking: Fix timestamp comparison Alexey Gladkov <legion(a)kernel.org> mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove() Dan Carpenter <dan.carpenter(a)linaro.org> rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send() Adrian Hunter <adrian.hunter(a)intel.com> perf scripts python: exported-sql-viewer.py: Fix pattern matching with Python 3 Henry Martin <bsdhenrymartin(a)gmail.com> backlight: pm8941: Add NULL check in wled_configure() Arnaldo Carvalho de Melo <acme(a)redhat.com> perf ui browser hists: Set actions->thread before calling do_zoom_thread() Arnaldo Carvalho de Melo <acme(a)redhat.com> perf build: Warn when libdebuginfod devel files are not available Kees Cook <kees(a)kernel.org> randstruct: gcc-plugin: Fix attribute addition Kees Cook <kees(a)kernel.org> randstruct: gcc-plugin: Remove bogus void member Sergey Shtylyov <s.shtylyov(a)omp.ru> fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() Henry Martin <bsdhenrymartin(a)gmail.com> soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() Su Hui <suhui(a)nfschina.com> soc: aspeed: lpc: Fix impossible judgment condition Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399 Puma with Haikou Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon device Ioana Ciornei <ioana.ciornei(a)nxp.com> bus: fsl-mc: fix double-free on mc_dev Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() Wentao Liang <vulab(a)iscas.ac.cn> nilfs2: add pointer check for nilfs_direct_propagate() Phillip Lougher <phillip(a)squashfs.org.uk> Squashfs: check return result of sb_min_blocksize Adam Ford <aford173(a)gmail.com> arm64: dts: imx8mm-beacon: Fix RTC capacitive load Wolfram Sang <wsa+renesas(a)sang-engineering.com> ARM: dts: at91: at91sam9263: fix NAND chip selects Wolfram Sang <wsa+renesas(a)sang-engineering.com> ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select Zhiguo Niu <zhiguo.niu(a)unisoc.com> f2fs: fix to correct check conditions in f2fs_cross_rename Zhiguo Niu <zhiguo.niu(a)unisoc.com> f2fs: use d_inode(dentry) cleanup dentry->d_inode Horatiu Vultur <horatiu.vultur(a)microchip.com> net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames Faicker Mo <faicker.mo(a)zenlayer.com> net: openvswitch: Fix the dead loop of MPLS parse Kuniyuki Iwashima <kuniyu(a)amazon.com> calipso: Don't call calipso functions for AF_INET sk. Thangaraj Samynathan <thangaraj.s(a)microchip.com> net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> net: usb: aqc111: fix error handling of usbnet read calls Fernando Fernandez Mancera <fmancera(a)suse.de> netfilter: nft_tunnel: fix geneve_opt dump Li RongQing <lirongqing(a)baidu.com> vfio/type1: Fix error unwind in migration dirty bitmap allocation Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy Toke Høiland-Jørgensen <toke(a)toke.dk> wifi: ath9k_htc: Abort software beacon handling if disabled Ilya Leoshkevich <iii(a)linux.ibm.com> s390/bpf: Store backchain even for leaf progs Vincent Knecht <vincent.knecht(a)mailoo.org> clk: qcom: gcc-msm8939: Fix mclk0 & mclk1 for 24 MHz Tao Chen <chen.dylane(a)linux.dev> bpf: Fix WARN() in get_bpf_raw_tp_regs Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> pinctrl: at91: Fix possible out-of-boundary access Anton Protopopov <a.s.protopopov(a)gmail.com> libbpf: Use proper errno value in nlattr Jiayuan Chen <jiayuan.chen(a)linux.dev> ktls, sockmap: Fix missing uncharge operation Henry Martin <bsdhenrymartin(a)gmail.com> clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction Huajian Yang <huajianyang(a)asrmicro.com> netfilter: bridge: Move specific fragmented packet to slow_path instead of dropping it Chao Yu <chao(a)kernel.org> f2fs: clean up w/ fscrypt_is_bounce_page() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h Dmitry Antipov <dmantipov(a)yandex.ru> wifi: rtw88: do not ignore hardware read error during DPK Hari Kalavakunta <kalavakunta.hari.prasad(a)gmail.com> net: ncsi: Fix GCPS 64-bit member variables Chao Yu <chao(a)kernel.org> f2fs: fix to do sanity check on sbi->total_valid_block_count Stone Zhang <quic_stonez(a)quicinc.com> wifi: ath11k: fix node corruption in ar->arvifs list Huang Yiwei <quic_hyiwei(a)quicinc.com> firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES Biju Das <biju.das.jz(a)bp.renesas.com> drm/tegra: rgb: Fix the unbound reference count Kees Cook <kees(a)kernel.org> drm/vkms: Adjust vkms_state->active_planes allocation type Biju Das <biju.das.jz(a)bp.renesas.com> drm: rcar-du: Fix memory leak in rcar_du_vsps_init() Neill Kapron <nkapron(a)google.com> selftests/seccomp: fix syscall_restart test for arm compat Miaoqian Lin <linmq006(a)gmail.com> firmware: psci: Fix refcount leak in psci_dt_init Finn Thain <fthain(a)linux-m68k.org> m68k: mac: Fix macintosh_config for Mac II Jonas Karlman <jonas(a)kwiboo.se> media: rkvdec: Fix frame size enumeration Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: Add seqno waiter for sync_files Geert Uytterhoeven <geert+renesas(a)glider.be> spi: sh-msiof: Fix maximum DMA transfer size Armin Wolf <W_Armin(a)gmx.de> ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions" Jiaqing Zhao <jiaqing.zhao(a)linux.intel.com> x86/mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges() Zijun Hu <quic_zijuhu(a)quicinc.com> PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks() Alexander Shiyan <eagle.alexander923(a)gmail.com> power: reset: at91-reset: Optimize at91_reset() Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> EDAC/skx_common: Fix general protection fault Ovidiu Panait <ovidiu.panait.oss(a)gmail.com> crypto: sun8i-ce - move fallback ahash_request to the end of the struct Herbert Xu <herbert(a)gondor.apana.org.au> crypto: xts - Only add ecb if it is not already there Herbert Xu <herbert(a)gondor.apana.org.au> crypto: lrw - Only add ecb if it is not already there Herbert Xu <herbert(a)gondor.apana.org.au> crypto: marvell/cesa - Avoid empty transfer descriptor Herbert Xu <herbert(a)gondor.apana.org.au> crypto: marvell/cesa - Handle zero-length skcipher requests Ahmed S. Darwish <darwi(a)linutronix.de> x86/cpu: Sanitize CPUID(0x80000000) output Corentin Labbe <clabbe.montjoie(a)gmail.com> crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions Qing Wang <wangqing7171(a)gmail.com> perf/core: Fix broken throttling when max_samples_per_tick=1 Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: gfs2_create_inode error handling fix Florian Westphal <fw(a)strlen.de> netfilter: nft_socket: fix sk refcount leaks Sergey Senozhatsky <senozhatsky(a)chromium.org> thunderbolt: Do not double dequeue a configuration request Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix timeout value in get_stb Hongyu Xie <xiehongyu1(a)kylinos.cn> usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device Jiayi Li <lijiayi(a)kylinos.cn> usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE Gautham R. Shenoy <gautham.shenoy(a)amd.com> acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: set GPIO output value before setting direction Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 Pan Taixi <pantaixi(a)huaweicloud.com> tracing: Fix compilation warning on arm32 ------------- Diffstat: Documentation/admin-guide/kernel-parameters.txt | 7 +- MAINTAINERS | 9 + Makefile | 11 +- arch/arm/boot/dts/am335x-bone-common.dtsi | 8 + arch/arm/boot/dts/at91sam9263ek.dts | 2 +- arch/arm/boot/dts/qcom-apq8064.dtsi | 13 +- arch/arm/boot/dts/tny_a9263.dts | 2 +- arch/arm/boot/dts/usb_a9263.dts | 4 +- arch/arm/mach-omap2/clockdomain.h | 1 + arch/arm/mach-omap2/clockdomains33xx_data.c | 2 +- arch/arm/mach-omap2/cm33xx.c | 14 +- arch/arm/mach-omap2/pmic-cpcap.c | 6 +- arch/arm/mm/ioremap.c | 4 +- .../boot/dts/freescale/imx8mm-beacon-som.dtsi | 1 + .../arm64/boot/dts/rockchip/rk3399-puma-haikou.dts | 8 - arch/arm64/boot/dts/ti/k3-am65-main.dtsi | 20 +- arch/arm64/include/asm/cputype.h | 2 + arch/arm64/include/asm/debug-monitors.h | 12 - arch/arm64/include/asm/insn.h | 114 +++++++- arch/arm64/include/asm/spectre.h | 4 +- arch/arm64/kernel/insn.c | 199 ++++++++++++- arch/arm64/kernel/proton-pack.c | 202 ++++++++------ arch/arm64/kernel/ptrace.c | 2 +- arch/arm64/net/bpf_jit.h | 11 +- arch/arm64/net/bpf_jit_comp.c | 58 +++- arch/arm64/xen/hypercall.S | 21 +- arch/m68k/mac/config.c | 2 +- arch/mips/Makefile | 6 +- .../boot/dts/loongson/loongson64c_4core_ls7a.dts | 1 + arch/mips/loongson2ef/Platform | 2 +- arch/mips/vdso/Makefile | 1 + arch/nios2/include/asm/pgtable.h | 16 ++ arch/parisc/boot/compressed/Makefile | 1 + arch/powerpc/include/asm/vas.h | 3 + arch/powerpc/kernel/eeh.c | 2 + arch/powerpc/platforms/Kconfig | 1 + arch/powerpc/platforms/Makefile | 1 + arch/powerpc/platforms/book3s/Kconfig | 15 + arch/powerpc/platforms/book3s/Makefile | 2 + .../platforms/{powernv => book3s}/vas-api.c | 11 +- arch/powerpc/platforms/powernv/Kconfig | 14 - arch/powerpc/platforms/powernv/Makefile | 2 +- arch/powerpc/platforms/powernv/vas.h | 2 - arch/s390/net/bpf_jit_comp.c | 12 +- arch/s390/pci/pci_mmio.c | 2 +- arch/x86/boot/compressed/Makefile | 2 +- arch/x86/kernel/cpu/bugs.c | 10 +- arch/x86/kernel/cpu/common.c | 17 +- arch/x86/kernel/cpu/mtrr/generic.c | 2 +- arch/x86/kernel/ioport.c | 13 +- arch/x86/kernel/process.c | 6 + crypto/lrw.c | 4 +- crypto/xts.c | 4 +- drivers/acpi/acpica/dsutils.c | 9 +- drivers/acpi/acpica/psobject.c | 52 +--- drivers/acpi/acpica/utprint.c | 7 +- drivers/acpi/apei/Kconfig | 1 + drivers/acpi/apei/ghes.c | 2 +- drivers/acpi/battery.c | 19 +- drivers/acpi/osi.c | 1 - drivers/ata/pata_via.c | 3 +- drivers/atm/atmtcp.c | 4 +- drivers/base/power/domain.c | 2 +- drivers/base/power/main.c | 3 +- drivers/base/power/runtime.c | 2 +- drivers/base/swnode.c | 2 +- drivers/block/aoe/aoedev.c | 8 + drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +- drivers/bus/fsl-mc/mc-io.c | 19 +- drivers/bus/fsl-mc/mc-sys.c | 2 +- drivers/bus/mhi/host/pm.c | 18 +- drivers/bus/ti-sysc.c | 49 ---- drivers/clk/bcm/clk-raspberrypi.c | 2 + drivers/clk/meson/g12a.c | 1 + drivers/clk/qcom/gcc-msm8939.c | 4 +- drivers/clk/rockchip/clk-rk3036.c | 1 + drivers/cpufreq/acpi-cpufreq.c | 2 +- drivers/cpufreq/cpufreq.c | 6 +- drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h | 2 +- .../crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c | 2 +- drivers/crypto/marvell/cesa/cesa.c | 2 +- drivers/crypto/marvell/cesa/cesa.h | 9 +- drivers/crypto/marvell/cesa/cipher.c | 3 + drivers/crypto/marvell/cesa/hash.c | 2 +- drivers/crypto/marvell/cesa/tdma.c | 53 ++-- drivers/dma-buf/udmabuf.c | 5 +- drivers/dma/ti/k3-udma.c | 3 +- drivers/edac/altera_edac.c | 6 +- drivers/edac/skx_common.c | 1 + drivers/firmware/Kconfig | 1 - drivers/firmware/arm_sdei.c | 11 +- drivers/firmware/psci/psci.c | 4 +- drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 2 - drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c | 2 - drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c | 2 - drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c | 2 - drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 2 - drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c | 4 + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 18 +- drivers/gpu/drm/amd/display/dc/dcn20/Makefile | 2 +- drivers/gpu/drm/amd/display/dc/dcn21/Makefile | 2 +- drivers/gpu/drm/amd/display/dc/dml/Makefile | 3 +- drivers/gpu/drm/bridge/analogix/analogix_dp_core.c | 5 +- drivers/gpu/drm/msm/adreno/a6xx_hfi.c | 2 +- .../gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c | 3 +- drivers/gpu/drm/msm/hdmi/hdmi_i2c.c | 14 +- drivers/gpu/drm/nouveau/nouveau_backlight.c | 2 +- drivers/gpu/drm/rcar-du/rcar_du_kms.c | 10 +- drivers/gpu/drm/tegra/rgb.c | 14 +- drivers/gpu/drm/vkms/vkms_crtc.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 26 ++ drivers/hid/hid-hyperv.c | 5 +- drivers/hid/usbhid/hid-core.c | 25 +- drivers/hwmon/occ/common.c | 307 ++++++++++++--------- drivers/i2c/busses/i2c-designware-slave.c | 2 +- drivers/i2c/busses/i2c-npcm7xx.c | 12 +- drivers/iio/adc/ad7124.c | 4 +- drivers/iio/adc/ad7606_spi.c | 2 +- drivers/iio/imu/inv_icm42600/inv_icm42600_temp.c | 8 +- drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 1 - drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 1 + drivers/infiniband/hw/hns/hns_roce_main.c | 1 - drivers/infiniband/hw/hns/hns_roce_restrack.c | 1 - drivers/infiniband/hw/mlx5/qpc.c | 30 +- drivers/input/misc/ims-pcu.c | 6 + drivers/input/misc/sparcspkr.c | 22 +- drivers/input/rmi4/rmi_f34.c | 135 +++++---- drivers/iommu/amd/iommu.c | 8 + drivers/md/dm-raid1.c | 5 +- drivers/media/common/videobuf2/videobuf2-dma-sg.c | 4 +- drivers/media/i2c/ov8856.c | 9 +- drivers/media/i2c/tc358743.c | 4 + drivers/media/platform/exynos4-is/fimc-is-regs.c | 1 + drivers/media/platform/qcom/venus/core.c | 16 +- drivers/media/test-drivers/vidtv/vidtv_channel.c | 2 +- drivers/media/test-drivers/vivid/vivid-vid-cap.c | 2 +- drivers/media/usb/dvb-usb/cxusb.c | 3 +- drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c | 7 +- drivers/media/v4l2-core/v4l2-dev.c | 14 +- drivers/mfd/exynos-lpass.c | 1 - drivers/mfd/stmpe-spi.c | 2 +- drivers/mtd/nand/raw/sunxi_nand.c | 2 + drivers/net/ethernet/aquantia/atlantic/aq_main.c | 1 - drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 2 + drivers/net/ethernet/cadence/macb_main.c | 6 +- drivers/net/ethernet/dlink/dl2k.c | 14 +- drivers/net/ethernet/dlink/dl2k.h | 2 + drivers/net/ethernet/emulex/benet/be_cmds.c | 2 +- drivers/net/ethernet/google/gve/gve_main.c | 2 +- drivers/net/ethernet/intel/i40e/i40e_common.c | 7 +- drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 11 +- drivers/net/ethernet/intel/ice/ice_arfs.c | 48 ++++ drivers/net/ethernet/intel/ice/ice_sched.c | 11 +- drivers/net/ethernet/mediatek/mtk_star_emac.c | 4 + drivers/net/ethernet/mellanox/mlx4/en_clock.c | 2 +- drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 5 +- .../net/ethernet/mellanox/mlx5/core/pagealloc.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/vport.c | 18 +- drivers/net/ethernet/microchip/lan743x_main.c | 4 +- .../net/ethernet/stmicro/stmmac/stmmac_platform.c | 11 +- drivers/net/macsec.c | 40 ++- drivers/net/phy/mdio_bus.c | 16 +- drivers/net/phy/mscc/mscc_ptp.c | 4 +- drivers/net/usb/aqc111.c | 10 +- drivers/net/usb/ch9200.c | 7 +- drivers/net/vmxnet3/vmxnet3_drv.c | 26 ++ drivers/net/vxlan/vxlan_core.c | 8 +- drivers/net/wireless/ath/ath10k/ahb.c | 5 +- drivers/net/wireless/ath/ath10k/core.c | 36 +++ drivers/net/wireless/ath/ath10k/core.h | 9 + drivers/net/wireless/ath/ath10k/debug.c | 6 +- drivers/net/wireless/ath/ath10k/mac.c | 1 + drivers/net/wireless/ath/ath10k/pci.c | 9 +- drivers/net/wireless/ath/ath10k/sdio.c | 11 +- drivers/net/wireless/ath/ath10k/snoc.c | 12 +- drivers/net/wireless/ath/ath10k/wmi.c | 2 +- drivers/net/wireless/ath/ath11k/core.c | 8 +- drivers/net/wireless/ath/ath9k/htc_drv_beacon.c | 3 + drivers/net/wireless/ath/carl9170/usb.c | 19 +- drivers/net/wireless/intersil/p54/fwio.c | 2 + drivers/net/wireless/intersil/p54/p54.h | 1 + drivers/net/wireless/intersil/p54/txrx.c | 13 +- drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 2 + .../net/wireless/mediatek/mt76/mt76x2/usb_init.c | 13 +- drivers/net/wireless/realtek/rtlwifi/pci.c | 10 + drivers/net/wireless/realtek/rtw88/rtw8822c.c | 3 +- drivers/pci/controller/cadence/pcie-cadence-host.c | 11 +- drivers/pci/pci.c | 3 +- drivers/pci/pcie/dpc.c | 2 +- drivers/pci/quirks.c | 23 ++ drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 35 ++- drivers/pinctrl/pinctrl-at91.c | 6 +- drivers/platform/Kconfig | 2 + drivers/platform/Makefile | 1 + drivers/platform/surface/Kconfig | 14 + drivers/platform/surface/Makefile | 5 + drivers/platform/x86/dell_rbu.c | 6 +- drivers/power/reset/at91-reset.c | 5 +- drivers/power/supply/bq27xxx_battery.c | 2 +- drivers/power/supply/bq27xxx_battery_i2c.c | 13 +- drivers/rapidio/rio_cm.c | 3 + drivers/regulator/max14577-regulator.c | 5 +- drivers/rpmsg/qcom_smd.c | 2 +- drivers/rtc/Kconfig | 10 + drivers/rtc/Makefile | 1 + drivers/rtc/class.c | 2 +- drivers/rtc/lib.c | 121 ++++++-- drivers/rtc/lib_test.c | 79 ++++++ drivers/rtc/rtc-sh.c | 12 +- drivers/s390/scsi/zfcp_sysfs.c | 2 + drivers/scsi/lpfc/lpfc_hbadisc.c | 2 +- drivers/scsi/lpfc/lpfc_sli.c | 4 +- drivers/scsi/scsi_transport_iscsi.c | 11 +- drivers/scsi/storvsc_drv.c | 10 +- drivers/soc/aspeed/aspeed-lpc-snoop.c | 17 +- drivers/spi/spi-bcm63xx-hsspi.c | 2 +- drivers/spi/spi-bcm63xx.c | 2 +- drivers/spi/spi-sh-msiof.c | 13 +- drivers/staging/iio/impedance-analyzer/ad5933.c | 2 +- drivers/staging/media/rkvdec/rkvdec.c | 24 +- drivers/tee/tee_core.c | 11 +- drivers/thermal/qcom/tsens.c | 10 +- drivers/thunderbolt/ctl.c | 5 + drivers/tty/serial/milbeaut_usio.c | 5 +- drivers/tty/serial/sh-sci.c | 97 +++++-- drivers/tty/vt/vt_ioctl.c | 2 - drivers/uio/uio_hv_generic.c | 4 +- drivers/usb/class/usbtmc.c | 4 +- drivers/usb/core/hub.c | 16 +- drivers/usb/core/quirks.c | 3 + drivers/usb/gadget/function/f_hid.c | 12 +- drivers/usb/renesas_usbhs/common.c | 50 +++- drivers/usb/storage/unusual_uas.h | 7 + drivers/vfio/vfio_iommu_type1.c | 2 +- drivers/video/backlight/qcom-wled.c | 6 +- drivers/video/console/vgacon.c | 2 +- drivers/video/fbdev/core/fbcvt.c | 2 +- drivers/video/fbdev/core/fbmem.c | 4 +- drivers/watchdog/da9052_wdt.c | 1 + fs/configfs/dir.c | 2 +- fs/exfat/nls.c | 1 + fs/ext4/ext4.h | 7 + fs/ext4/extents.c | 39 ++- fs/ext4/file.c | 7 +- fs/ext4/inline.c | 2 +- fs/ext4/inode.c | 3 +- fs/ext4/ioctl.c | 8 +- fs/f2fs/data.c | 2 +- fs/f2fs/f2fs.h | 10 +- fs/f2fs/namei.c | 19 +- fs/f2fs/super.c | 12 +- fs/filesystems.c | 14 +- fs/gfs2/inode.c | 3 +- fs/gfs2/lock_dlm.c | 3 +- fs/jbd2/transaction.c | 5 +- fs/jffs2/erase.c | 4 +- fs/jffs2/scan.c | 4 +- fs/jffs2/summary.c | 7 +- fs/jfs/jfs_discard.c | 3 +- fs/jfs/jfs_dtree.c | 18 +- fs/namespace.c | 4 + fs/nfs/super.c | 19 ++ fs/nfsd/nfs4proc.c | 3 +- fs/nfsd/nfssvc.c | 6 +- fs/nilfs2/btree.c | 4 +- fs/nilfs2/direct.c | 3 + fs/squashfs/super.c | 5 + include/acpi/actypes.h | 2 +- include/linux/arm_sdei.h | 4 +- include/linux/atmdev.h | 6 + include/linux/bpf.h | 26 +- include/linux/bpf_types.h | 6 +- include/linux/hid.h | 3 +- include/linux/hugetlb.h | 6 + include/linux/mlx5/driver.h | 1 + include/linux/mm.h | 3 + include/linux/mm_types.h | 3 + include/linux/skmsg.h | 18 ++ include/net/checksum.h | 2 +- include/net/sock.h | 11 +- include/net/tcp.h | 28 +- include/net/tls.h | 2 +- include/net/udp.h | 4 +- include/trace/events/erofs.h | 18 -- include/uapi/linux/bpf.h | 2 + include/uapi/linux/videodev2.h | 12 +- init/Kconfig | 1 + ipc/shm.c | 5 +- kernel/bpf/verifier.c | 175 +----------- kernel/events/core.c | 23 +- kernel/exit.c | 17 +- kernel/power/wakelock.c | 3 + kernel/time/clocksource.c | 2 +- kernel/time/posix-cpu-timers.c | 9 + kernel/trace/bpf_trace.c | 2 +- kernel/trace/ftrace.c | 10 +- kernel/trace/trace.c | 2 +- lib/Kconfig | 1 + mm/huge_memory.c | 2 +- mm/hugetlb.c | 117 +++++++- mm/mmap.c | 8 + mm/page-writeback.c | 2 +- net/Kconfig | 6 +- net/atm/common.c | 1 + net/atm/lec.c | 12 +- net/atm/raw.c | 2 +- net/bluetooth/l2cap_core.c | 3 +- net/bridge/netfilter/nf_conntrack_bridge.c | 12 +- net/core/Makefile | 6 +- net/core/filter.c | 5 +- net/core/skmsg.c | 145 +++++----- net/core/sock.c | 4 +- net/core/sock_map.c | 2 + net/core/utils.c | 4 +- net/ipv4/Makefile | 2 +- net/ipv4/inet_hashtables.c | 2 +- net/ipv4/route.c | 4 + net/ipv4/tcp.c | 21 +- net/ipv4/tcp_bpf.c | 8 +- net/ipv4/tcp_input.c | 74 ++--- net/ipv6/calipso.c | 8 + net/ipv6/ila/ila_common.c | 6 +- net/ipv6/netfilter.c | 12 +- net/ipv6/netfilter/nft_fib_ipv6.c | 13 +- net/mac80211/mesh_hwmp.c | 6 +- net/mpls/af_mpls.c | 4 +- net/ncsi/internal.h | 21 +- net/ncsi/ncsi-pkt.h | 23 +- net/ncsi/ncsi-rsp.c | 21 +- net/netfilter/nft_socket.c | 5 +- net/netfilter/nft_tunnel.c | 8 +- net/netlabel/netlabel_kapi.c | 5 + net/nfc/nci/uart.c | 8 +- net/openvswitch/flow.c | 2 +- net/sched/sch_ets.c | 10 +- net/sched/sch_prio.c | 2 +- net/sched/sch_red.c | 2 +- net/sched/sch_sfq.c | 117 +++++--- net/sched/sch_tbf.c | 2 +- net/sctp/socket.c | 3 +- net/sunrpc/cache.c | 17 +- net/tipc/crypto.c | 8 +- net/tipc/udp_media.c | 4 +- net/tls/tls_main.c | 4 +- net/tls/tls_sw.c | 9 +- scripts/Kbuild.include | 8 +- scripts/Kconfig.include | 2 +- scripts/as-version.sh | 2 +- scripts/gcc-plugins/gcc-common.h | 32 +++ scripts/gcc-plugins/randomize_layout_plugin.c | 40 +-- security/selinux/xfrm.c | 2 +- sound/pci/hda/hda_intel.c | 2 + sound/pci/hda/patch_realtek.c | 1 + sound/soc/codecs/tas2770.c | 30 +- sound/soc/meson/meson-card-utils.c | 2 +- sound/soc/qcom/sdm845.c | 4 + sound/soc/tegra/tegra210_ahub.c | 2 + sound/usb/mixer_maps.c | 12 + tools/include/uapi/linux/bpf.h | 2 + tools/lib/bpf/nlattr.c | 15 +- tools/perf/Makefile.config | 2 + tools/perf/builtin-record.c | 2 +- tools/perf/scripts/python/exported-sql-viewer.py | 5 +- tools/perf/tests/switch-tracking.c | 2 +- tools/perf/ui/browsers/hists.c | 2 +- tools/testing/selftests/bpf/prog_tests/align.c | 36 +-- tools/testing/selftests/seccomp/seccomp_bpf.c | 7 +- usr/include/Makefile | 2 +- 369 files changed, 3117 insertions(+), 1586 deletions(-)

2 months

8
364
0 0

[PATCH 6.12 000/165] 6.12.39-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.39 release. There are 165 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Jul 2025 16:35:06 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.39-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.39-rc2 Michael Jeanson <mjeanson(a)efficios.com> rseq: Fix segfault on registration when rseq_cs is non-zero Lukas Wunner <lukas(a)wunner.de> crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP() Mark Brown <broonie(a)kernel.org> arm64: Filter out SME hwcaps when FEAT_SME isn't implemented Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix potential use-after-free in oplock/lease break ack Yeoreum Yun <yeoreum.yun(a)arm.com> kasan: remove kasan_find_vm_area() to prevent possible deadlock Jiawen Wu <jiawenwu(a)trustnetic.com> net: wangxun: revert the adjustment of the IRQ vector sequence Gao Xiang <xiang(a)kernel.org> erofs: fix rare pcluster memory leak after unmounting Willem de Bruijn <willemb(a)google.com> selftests/bpf: adapt one more case in test_lru_map to the new target_free Daniel J. Ogorchock <djogorchock(a)gmail.com> HID: nintendo: avoid bluetooth suspend/resume stalls Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Zhang Heng <zhangheng(a)kylinos.cn> HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Fangrui Song <i(a)maskray.me> riscv: vdso: Exclude .rodata from the PT_DYNAMIC segment Willem de Bruijn <willemb(a)google.com> bpf: Adjust free target to avoid global starvation of LRU map Nicolas Pitre <npitre(a)baylibre.com> vt: add missing notification when switching back to text mode Filipe Manana <fdmanana(a)suse.com> btrfs: fix assertion when building free space tree Long Li <longli(a)microsoft.com> net: mana: Record doorbell physical address in PF mode Akira Inoue <niyarium(a)gmail.com> HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Shuai Zhang <quic_shuaz(a)quicinc.com> driver: bluetooth: hci_qca:fix unable to load the BT driver Xiaowei Li <xiaowei.li(a)simcom.com> net: usb: qmi_wwan: add SIMCom 8230C composition Tim Crawford <tcrawford(a)system76.com> ALSA: hda/realtek: Add quirks for some Clevo laptops Yasmin Fitzgerald <sunoflife1.git(a)gmail.com> ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 Yuzuru10 <yuzuru_10(a)proton.me> ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic Fengnan Chang <changfengnan(a)bytedance.com> io_uring: make fallocate be hashed work Takashi Iwai <tiwai(a)suse.de> ALSA: hda/realtek: Add mic-mute LED setup for ASUS UM5606 Tamura Dai <kirinode0(a)gmail.com> ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak. Tiwei Bie <tiwei.btw(a)antgroup.com> um: vector: Reduce stack usage in vector_eth_configure() Thomas Fourier <fourier.thomas(a)gmail.com> atm: idt77252: Add missing `dma_map_error()` Ronnie Sahlberg <rsahlberg(a)whamcloud.com> ublk: sanity check add_dev input for underflow Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix DCB ETS validation Alok Tiwari <alok.a.tiwari(a)oracle.com> net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Add new prio for promiscuous mode Carolina Jubran <cjubran(a)nvidia.com> net/mlx5e: Fix race between DIM disable and net_dim() Sean Nyekjaer <sean(a)geanix.com> can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Shuicheng Lin <shuicheng.lin(a)intel.com> drm/xe/pm: Correct comment of xe_pm_set_vram_threshold() Hangbin Liu <liuhangbin(a)gmail.com> selftests: net: lib: fix shift count out of range Petr Machata <petrm(a)nvidia.com> selftests: net: lib: Move logging from forwarding/lib.sh here Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: microchip: Use genphy_soft_reset() to purge stale LPA bits Mingming Cao <mmc(a)linux.ibm.com> ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof Kito Xu <veritas501(a)foxmail.com> net: appletalk: Fix device refcount leak in atrtr_create() Eric Dumazet <edumazet(a)google.com> netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() Chao Yu <chao(a)kernel.org> erofs: fix to add missing tracepoint in erofs_readahead() Gao Xiang <xiang(a)kernel.org> erofs: refine readahead tracepoint Gao Xiang <xiang(a)kernel.org> erofs: tidy up zdata.c Gao Xiang <xiang(a)kernel.org> erofs: get rid of `z_erofs_next_pcluster_t` Chunhai Guo <guochunhai(a)vivo.com> erofs: free pclusters if no cached folio is attached Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/pf: Clear all LMTT pages on alloc Zheng Qixing <zhengqixing(a)huawei.com> nbd: fix uaf in nbd_genl_connect() error path Henry Martin <bsdhenrymartin(a)gmail.com> wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init() Ben Skeggs <bskeggs(a)nvidia.com> drm/nouveau/gsp: fix potential leak of memory used during acpi init Felix Fietkau <nbd(a)nbd.name> wifi: rt2x00: fix remove callback type mismatch Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix non-transmitted BSSID profile search Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: correctly identify S1G short beacon Nigel Croxon <ncroxon(a)redhat.com> raid10: cleanup memleak at raid10_make_request Wang Jinchao <wangjinchao600(a)gmail.com> md/raid1: Fix stack memory use after return in raid1_reshape Mikko Perttunen <mperttunen(a)nvidia.com> drm/tegra: nvdec: Fix dma_alloc_coherent error check Daniil Dulov <d.dulov(a)aladdin.ru> wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: cfg80211: fix S1G beacon head validation in nl80211 David Howells <dhowells(a)redhat.com> netfs: Fix ref leak on inserted extra subreq in write retry Jakub Kicinski <kuba(a)kernel.org> netlink: make sure we allow at least one dump skb Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix rmem check in netlink_broadcast_deliver(). Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> ASoC: Intel: sof-function-topology-lib: Print out the unsupported dmic count Gao Xiang <xiang(a)kernel.org> erofs: address D-cache aliasing Chao Yu <chao(a)kernel.org> erofs: fix to add missing tracepoint in erofs_read_folio() Al Viro <viro(a)zeniv.linux.org.uk> ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Stefan Metzmacher <metze(a)samba.org> smb: server: make use of rdma_destroy_qp() Sascha Hauer <s.hauer(a)pengutronix.de> clk: scmi: Handle case where child clocks are initialized before their parents Jann Horn <jannh(a)google.com> x86/mm: Disable hugetlb page table sharing on 32-bit Mikhail Paulyshka <me(a)mixaill.net> x86/rdrand: Disable RDSEED on AMD Cyan Skillfish Xiaolei Wang <xiaolei.wang(a)windriver.com> clk: imx: Fix an out-of-bounds access in dispmix_csr_clk_dev_data Miguel Ojeda <ojeda(a)kernel.org> rust: init: allow `dead_code` warnings for Rust >= 1.89.0 Harry Yoo <harry.yoo(a)oracle.com> lib/alloc_tag: do not acquire non-existent lock in alloc_tag_top_users() Alexander Gordeev <agordeev(a)linux.ibm.com> mm/vmalloc: leave lazy MMU mode on PTE mapping error Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: fix interrupts.py after maple tree conversion Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: de-reference per-CPU MCE interrupts Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: fix interrupts display after MCP on x86 Baolin Wang <baolin.wang(a)linux.alibaba.com> mm: fix the inaccurate memory statistics issue for users Wei Yang <richard.weiyang(a)gmail.com> maple_tree: fix mt_destroy_walk() on root leaf node Achill Gilgenast <fossdd(a)pwned.life> kallsyms: fix build without execinfo Zhe Qiao <qiaozhe(a)iscas.ac.cn> Revert "PCI/ACPI: Fix allocated memory release on error in pci_acpi_scan_root()" Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: battery: negate current when discharging" Matthew Brost <matthew.brost(a)intel.com> drm/xe: Allocate PF queue size on pow2 boundary Thomas Zimmermann <tzimmermann(a)suse.de> drm/framebuffer: Acquire internal references on GEM handles Kuen-Han Tsai <khtsai(a)google.com> Revert "usb: gadget: u_serial: Add null pointer check in gs_start_io" Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: u_serial: Fix race condition in TTY wakeup Matthew Brost <matthew.brost(a)intel.com> Revert "drm/xe/xe2: Enable Indirect Ring State support for Xe2" Matthew Auld <matthew.auld(a)intel.com> drm/xe/bmg: fix compressed VRAM handling Simona Vetter <simona.vetter(a)ffwll.ch> drm/gem: Fix race in drm_gem_handle_create_tail() Christian König <christian.koenig(a)amd.com> drm/ttm: fix error handling in ttm_buffer_object_transfer Matthew Brost <matthew.brost(a)intel.com> drm/sched: Increment job count before swapping tail spsc queue Thomas Zimmermann <tzimmermann(a)suse.de> drm/gem: Acquire references on GEM handles for framebuffers Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: Don't call mmput from MMU notifier callback Alessio Belle <alessio.belle(a)imgtec.com> drm/imagination: Fix kernel crash when hard resetting the GPU Michael Lo <michael.lo(a)mediatek.com> wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw scan Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7925: fix the wrong config for tx interrupt Deren Wu <deren.wu(a)mediatek.com> wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload() Deren Wu <deren.wu(a)mediatek.com> wifi: mt76: mt7921: prevent decap offload config before STA initialization Vitor Soares <vitor.soares(a)toradex.com> wifi: mwifiex: discard erroneous disassoc frames on STA interface Mathy Vanhoef <Mathy.Vanhoef(a)kuleuven.be> wifi: prevent A-MSDU attacks in mesh networks Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Ensure to disable clocks in error path Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: Fix invalid state detection Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: qcom: msm: mark certain pins as invalid for interrupts Håkon Bugge <haakon.bugge(a)oracle.com> md/md-bitmap: fix GPF in bitmap_get_stats() Haoxiang Li <haoxiang_li2024(a)163.com> net: ethernet: rtsn: Fix a null pointer dereference in rtsn_probe() Guillaume Nault <gnault(a)redhat.com> gre: Fix IPv6 multicast route creation. Arun Raghavan <arun(a)asymptotic.io> ASoC: fsl_sai: Force a software reset when starting in consumer mode Thorsten Blum <thorsten.blum(a)linux.dev> ALSA: ad1816a: Fix potential NULL pointer deref in snd_card_ad1816a_pnp() Liam Merwick <liam.merwick(a)oracle.com> KVM: Allow CPU to reschedule while setting per-page memory attributes Sean Christopherson <seanjc(a)google.com> KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight Nikunj A Dadhania <nikunj(a)amd.com> KVM: SVM: Add missing member in SNP_LAUNCH_START command structure David Woodhouse <dwmw(a)amazon.co.uk> KVM: x86/xen: Allow 'out of range' event channel ports in IRQ routing table. JP Kobryn <inwardvessel(a)gmail.com> x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Ensure user polling settings are honored when restarting timer Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Don't remove sysfs if thresholding sysfs init fails Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Fix threshold limit reset Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Add default names for MCA banks and blocks Dan Carpenter <dan.carpenter(a)linaro.org> ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() David Howells <dhowells(a)redhat.com> rxrpc: Fix oops due to non-existence of prealloc backlog struct David Howells <dhowells(a)redhat.com> rxrpc: Fix bug due to prealloc collision Victor Nogueira <victor(a)mojatatu.com> net/sched: Abort __tc_modify_qdisc if parent class does not exist Chintan Vankar <c-vankar(a)ti.com> net: ethernet: ti: am65-cpsw-nuss: Fix skb size by accounting for skb_shared_info Yue Haibing <yuehaibing(a)huawei.com> atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix infinite recursive call of clip_push(). Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix memory leak of struct clip_vcc. Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix potential null-ptr-deref in to_atmarpd(). Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Fix link failure in forced mode with Auto-MDIX Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Force predictable MDI-X state on LAN87xx Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap EricChan <chenchuangyu(a)xiaomi.com> net: stmmac: Fix interrupt handling for level-triggered mode in DWC_XGMAC2 Michal Luczaj <mhal(a)rbox.co> vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_* TOCTOU Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_{g2h,h2g} TOCTOU Jiayuan Chen <jiayuan.chen(a)linux.dev> tcp: Correct signedness in skb remaining space calculation Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_conn_close(). Stefano Garzarella <sgarzare(a)redhat.com> vsock: fix `vsock_proto` declaration Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix wraparounds of sk->sk_rmem_alloc. Luo Jie <quic_luoj(a)quicinc.com> net: phy: qcom: qca808x: Fix WoL issue by utilizing at8031_set_wol() Luo Jie <quic_luoj(a)quicinc.com> net: phy: qcom: move the WoL function to shared library Kevin Brodsky <kevin.brodsky(a)arm.com> arm64: poe: Handle spurious Overlay faults Jason Xing <kernelxing(a)tencent.com> bnxt_en: eliminate the compile warning in bnxt_request_irq due to CONFIG_RFS_ACCEL kuyo chang <kuyo.chang(a)mediatek.com> sched/deadline: Fix dl_server runtime calculation formula Al Viro <viro(a)zeniv.linux.org.uk> fix proc_sys_compare() handling of in-lookup dentries Mario Limonciello <mario.limonciello(a)amd.com> pinctrl: amd: Clear GPIO debounce for suspend Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix not disabling advertising instance Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: cs35l56: probe() should fail if the device ID is not recognized Peter Zijlstra <peterz(a)infradead.org> perf: Revert to requiring CAP_SYS_ADMIN for uprobes Peter Zijlstra <peterz(a)infradead.org> sched/core: Fix migrate_swap() vs. hotplug Nam Cao <namcao(a)linutronix.de> irqchip/irq-msi-lib: Select CONFIG_GENERIC_MSI_IRQ Luo Gengkun <luogengkun(a)huaweicloud.com> perf/core: Fix the WARN_ON_ONCE is out of lock protected region Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: Intel: soc-acpi: arl: Correct order of cs42l43 matches Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: soc-acpi-intel-arl-match: set get_function_tplg_files ops Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: add sof_sdw_get_tplg_files ops Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: soc-acpi: add get_function_tplg_files ops Simon Trimmer <simont(a)opensource.cirrus.com> ASoC: Intel: soc-acpi: arl: Add match entries for new cs42l43 laptops Simon Trimmer <simont(a)opensource.cirrus.com> ASoC: Intel: soc-acpi: arl: Correct naming of a cs35l56 address struct Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: SND_SOC_INTEL_SOF_BOARD_HELPERS select SND_SOC_ACPI_INTEL_MATCH Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV Eric Biggers <ebiggers(a)kernel.org> crypto: s390/sha - Fix uninitialized variable in SHA-1 and SHA-2 Flora Cui <flora.cui(a)amd.com> drm/amdgpu/ip_discovery: add missing ip_discovery fw Flora Cui <flora.cui(a)amd.com> drm/amdgpu/discovery: use specific ip_discovery.bin for legacy asics Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Linus Torvalds <torvalds(a)linux-foundation.org> eventpoll: don't decrement ep refcount while still holding the ep mutex ------------- Diffstat: Documentation/bpf/map_hash.rst | 8 +- Documentation/bpf/map_lru_hash_update.dot | 6 +- Makefile | 4 +- arch/arm64/kernel/cpufeature.c | 45 ++-- arch/arm64/kernel/process.c | 5 + arch/arm64/mm/fault.c | 30 ++- arch/riscv/kernel/vdso/vdso.lds.S | 2 +- arch/s390/crypto/sha1_s390.c | 2 + arch/s390/crypto/sha256_s390.c | 3 + arch/s390/crypto/sha512_s390.c | 3 + arch/um/drivers/vector_kern.c | 42 ++-- arch/x86/Kconfig | 2 +- arch/x86/include/asm/msr-index.h | 1 + arch/x86/kernel/cpu/amd.c | 7 + arch/x86/kernel/cpu/mce/amd.c | 28 ++- arch/x86/kernel/cpu/mce/core.c | 24 +- arch/x86/kernel/cpu/mce/intel.c | 1 + arch/x86/kvm/svm/sev.c | 4 + arch/x86/kvm/xen.c | 15 +- crypto/ecc.c | 2 +- drivers/acpi/battery.c | 19 +- drivers/atm/idt77252.c | 5 + drivers/block/nbd.c | 6 +- drivers/block/ublk_drv.c | 3 +- drivers/bluetooth/hci_qca.c | 13 +- drivers/char/ipmi/ipmi_msghandler.c | 3 +- drivers/clk/clk-scmi.c | 20 +- drivers/clk/imx/clk-imx95-blk-ctl.c | 12 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 30 ++- drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 5 +- drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h | 3 +- drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 43 ++-- drivers/gpu/drm/drm_framebuffer.c | 31 ++- drivers/gpu/drm/drm_gem.c | 74 +++++- drivers/gpu/drm/drm_internal.h | 2 + drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 + drivers/gpu/drm/imagination/pvr_power.c | 4 +- drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 20 +- drivers/gpu/drm/tegra/nvdec.c | 6 +- drivers/gpu/drm/ttm/ttm_bo_util.c | 13 +- drivers/gpu/drm/xe/xe_gt_pagefault.c | 1 + drivers/gpu/drm/xe/xe_lmtt.c | 11 + drivers/gpu/drm/xe/xe_migrate.c | 2 +- drivers/gpu/drm/xe/xe_pci.c | 1 - drivers/gpu/drm/xe/xe_pm.c | 8 +- drivers/hid/hid-ids.h | 6 + drivers/hid/hid-lenovo.c | 8 + drivers/hid/hid-multitouch.c | 8 +- drivers/hid/hid-nintendo.c | 38 +++- drivers/hid/hid-quirks.c | 3 + drivers/irqchip/Kconfig | 1 + drivers/md/md-bitmap.c | 3 +- drivers/md/raid1.c | 1 + drivers/md/raid10.c | 10 +- drivers/net/can/m_can/m_can.c | 2 +- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 +- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- drivers/net/ethernet/ibm/ibmvnic.h | 8 +- drivers/net/ethernet/mellanox/mlx5/core/en/fs.h | 9 +- drivers/net/ethernet/mellanox/mlx5/core/en_dim.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 13 +- drivers/net/ethernet/microsoft/mana/gdma_main.c | 3 + drivers/net/ethernet/renesas/rtsn.c | 5 + drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c | 24 +- drivers/net/ethernet/ti/am65-cpsw-nuss.c | 4 +- drivers/net/ethernet/wangxun/libwx/wx_lib.c | 16 +- drivers/net/ethernet/wangxun/libwx/wx_type.h | 2 +- drivers/net/ethernet/wangxun/ngbe/ngbe_main.c | 2 +- drivers/net/ethernet/wangxun/ngbe/ngbe_type.h | 2 +- drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c | 4 +- drivers/net/ethernet/wangxun/txgbe/txgbe_type.h | 4 +- drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +- drivers/net/phy/microchip.c | 3 +- drivers/net/phy/qcom/at803x.c | 27 --- drivers/net/phy/qcom/qca808x.c | 2 +- drivers/net/phy/qcom/qcom-phy-lib.c | 25 ++ drivers/net/phy/qcom/qcom.h | 5 + drivers/net/phy/smsc.c | 57 ++++- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/wireless/marvell/mwifiex/util.c | 4 +- .../net/wireless/mediatek/mt76/mt76_connac_mcu.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7921/main.c | 3 + drivers/net/wireless/mediatek/mt76/mt7925/init.c | 2 + drivers/net/wireless/mediatek/mt76/mt7925/main.c | 6 + drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7925/regs.h | 2 +- drivers/net/wireless/ralink/rt2x00/rt2x00soc.c | 4 +- drivers/net/wireless/ralink/rt2x00/rt2x00soc.h | 2 +- drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +- drivers/pci/pci-acpi.c | 23 +- drivers/pinctrl/pinctrl-amd.c | 11 + drivers/pinctrl/qcom/pinctrl-msm.c | 20 ++ drivers/pwm/core.c | 2 +- drivers/pwm/pwm-mediatek.c | 13 +- drivers/tty/vt/vt.c | 1 + drivers/usb/gadget/function/u_serial.c | 12 +- fs/btrfs/free-space-tree.c | 16 +- fs/erofs/data.c | 21 +- fs/erofs/decompressor.c | 12 +- fs/erofs/fileio.c | 6 +- fs/erofs/internal.h | 2 +- fs/erofs/zdata.c | 251 +++++++++----------- fs/erofs/zutil.c | 7 +- fs/eventpoll.c | 12 +- fs/netfs/write_collect.c | 2 +- fs/proc/inode.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/task_mmu.c | 14 +- fs/smb/server/smb2pdu.c | 29 +-- fs/smb/server/transport_rdma.c | 5 +- fs/smb/server/vfs.c | 1 + include/drm/drm_file.h | 3 + include/drm/drm_framebuffer.h | 7 + include/drm/spsc_queue.h | 4 +- include/linux/ieee80211.h | 45 +++- include/linux/math.h | 12 + include/linux/mm.h | 5 + include/linux/psp-sev.h | 2 + include/net/af_vsock.h | 2 +- include/net/netfilter/nf_flow_table.h | 2 +- include/sound/soc-acpi.h | 13 ++ include/trace/events/erofs.h | 2 +- io_uring/opdef.c | 1 + kernel/bpf/bpf_lru_list.c | 9 +- kernel/bpf/bpf_lru_list.h | 1 + kernel/events/core.c | 6 +- kernel/rseq.c | 60 ++++- kernel/sched/core.c | 5 + kernel/sched/deadline.c | 10 +- kernel/stop_machine.c | 20 +- lib/alloc_tag.c | 3 + lib/maple_tree.c | 1 + mm/kasan/report.c | 13 +- mm/vmalloc.c | 22 +- net/appletalk/ddp.c | 1 + net/atm/clip.c | 64 ++++-- net/bluetooth/hci_event.c | 3 + net/bluetooth/hci_sync.c | 2 +- net/ipv4/tcp.c | 2 +- net/ipv6/addrconf.c | 9 +- net/mac80211/mlme.c | 7 +- net/mac80211/parse.c | 6 +- net/netlink/af_netlink.c | 90 +++++--- net/rxrpc/call_accept.c | 4 + net/sched/sch_api.c | 23 +- net/tipc/topsrv.c | 2 + net/vmw_vsock/af_vsock.c | 57 ++++- net/wireless/nl80211.c | 7 +- net/wireless/util.c | 52 ++++- rust/kernel/init/macros.rs | 2 + scripts/gdb/linux/constants.py.in | 7 + scripts/gdb/linux/interrupts.py | 16 +- scripts/gdb/linux/mapletree.py | 252 +++++++++++++++++++++ scripts/gdb/linux/xarray.py | 28 +++ sound/isa/ad1816a/ad1816a.c | 2 +- sound/pci/hda/patch_realtek.c | 7 + sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/codecs/cs35l56-shared.c | 2 +- sound/soc/fsl/fsl_asrc.c | 3 +- sound/soc/fsl/fsl_sai.c | 14 +- sound/soc/intel/boards/Kconfig | 1 + sound/soc/intel/common/Makefile | 2 +- sound/soc/intel/common/soc-acpi-intel-arl-match.c | 66 +++++- sound/soc/intel/common/sof-function-topology-lib.c | 136 +++++++++++ sound/soc/intel/common/sof-function-topology-lib.h | 15 ++ sound/soc/sof/intel/hda.c | 6 +- tools/arch/x86/include/asm/msr-index.h | 1 + tools/include/linux/kallsyms.h | 4 + tools/testing/selftests/bpf/test_lru_map.c | 105 ++++----- tools/testing/selftests/net/forwarding/lib.sh | 113 --------- tools/testing/selftests/net/lib.sh | 115 ++++++++++ virt/kvm/kvm_main.c | 3 + 175 files changed, 2014 insertions(+), 880 deletions(-)

2 months

10
9
0 0

[PATCH 6.15 000/192] 6.15.7-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.15.7 release. There are 192 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Jul 2025 13:07:32 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.15.7-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.15.7-rc1 Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix potential use-after-free in oplock/lease break ack Nikunj A Dadhania <nikunj(a)amd.com> x86/sev: Use TSC_FACTOR for Secure TSC frequency calculation Jiawen Wu <jiawenwu(a)trustnetic.com> net: wangxun: revert the adjustment of the IRQ vector sequence Willem de Bruijn <willemb(a)google.com> selftests/bpf: adapt one more case in test_lru_map to the new target_free Daniel J. Ogorchock <djogorchock(a)gmail.com> HID: nintendo: avoid bluetooth suspend/resume stalls Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Zhang Heng <zhangheng(a)kylinos.cn> HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Fangrui Song <i(a)maskray.me> riscv: vdso: Exclude .rodata from the PT_DYNAMIC segment Willem de Bruijn <willemb(a)google.com> bpf: Adjust free target to avoid global starvation of LRU map Nicolas Pitre <npitre(a)baylibre.com> vt: add missing notification when switching back to text mode Filipe Manana <fdmanana(a)suse.com> btrfs: fix assertion when building free space tree Long Li <longli(a)microsoft.com> net: mana: Record doorbell physical address in PF mode Akira Inoue <niyarium(a)gmail.com> HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Shuai Zhang <quic_shuaz(a)quicinc.com> driver: bluetooth: hci_qca:fix unable to load the BT driver Xiaowei Li <xiaowei.li(a)simcom.com> net: usb: qmi_wwan: add SIMCom 8230C composition Tim Crawford <tcrawford(a)system76.com> ALSA: hda/realtek: Add quirks for some Clevo laptops Yasmin Fitzgerald <sunoflife1.git(a)gmail.com> ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 Yuzuru10 <yuzuru_10(a)proton.me> ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic Fengnan Chang <changfengnan(a)bytedance.com> io_uring: make fallocate be hashed work Chris Chiu <chris.chiu(a)canonical.com> ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook 6 G1a Takashi Iwai <tiwai(a)suse.de> ALSA: hda/realtek: Add mic-mute LED setup for ASUS UM5606 Jack Yu <jack.yu(a)realtek.com> ASoC: rt721-sdca: fix boost gain calculation error Tamura Dai <kirinode0(a)gmail.com> ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak. Tiwei Bie <tiwei.btw(a)antgroup.com> um: vector: Reduce stack usage in vector_eth_configure() Thomas Fourier <fourier.thomas(a)gmail.com> atm: idt77252: Add missing `dma_map_error()` Ronnie Sahlberg <rsahlberg(a)whamcloud.com> ublk: sanity check add_dev input for underflow Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Shruti Parab <shruti.parab(a)broadcom.com> bnxt_en: Flush FW trace before copying to the coredump Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix DCB ETS validation Alok Tiwari <alok.a.tiwari(a)oracle.com> net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Add new prio for promiscuous mode Carolina Jubran <cjubran(a)nvidia.com> net/mlx5e: Fix race between DIM disable and net_dim() Carolina Jubran <cjubran(a)nvidia.com> net/mlx5: Reset bw_share field when changing a node's parent Sean Nyekjaer <sean(a)geanix.com> can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Shuicheng Lin <shuicheng.lin(a)intel.com> drm/xe/pm: Correct comment of xe_pm_set_vram_threshold() Shuicheng Lin <shuicheng.lin(a)intel.com> drm/xe/pm: Restore display pm if there is error after display suspend Hangbin Liu <liuhangbin(a)gmail.com> selftests: net: lib: fix shift count out of range Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: microchip: Use genphy_soft_reset() to purge stale LPA bits Mingming Cao <mmc(a)linux.ibm.com> ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof Kito Xu <veritas501(a)foxmail.com> net: appletalk: Fix device refcount leak in atrtr_create() Eric Dumazet <edumazet(a)google.com> netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: mac80211: add the virtual monitor after reconfig complete Chao Yu <chao(a)kernel.org> erofs: fix to add missing tracepoint in erofs_readahead() Gao Xiang <xiang(a)kernel.org> erofs: refine readahead tracepoint Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/pf: Clear all LMTT pages on alloc Pankaj Raghav <p.raghav(a)samsung.com> block: reject bs > ps block devices when THP is disabled Zheng Qixing <zhengqixing(a)huawei.com> nbd: fix uaf in nbd_genl_connect() error path Henry Martin <bsdhenrymartin(a)gmail.com> wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init() Lorenzo Bianconi <lorenzo(a)kernel.org> wifi: mt76: Remove RCU section in mt7996_mac_sta_rc_work() Lorenzo Bianconi <lorenzo(a)kernel.org> wifi: mt76: Move RCU section in mt7996_mcu_add_rate_ctrl() Lorenzo Bianconi <lorenzo(a)kernel.org> wifi: mt76: Move RCU section in mt7996_mcu_add_rate_ctrl_fixed() Lorenzo Bianconi <lorenzo(a)kernel.org> wifi: mt76: Move RCU section in mt7996_mcu_set_fixed_field() Lorenzo Bianconi <lorenzo(a)kernel.org> wifi: mt76: Assume __mt76_connac_mcu_alloc_sta_req runs in atomic context Ben Skeggs <bskeggs(a)nvidia.com> drm/nouveau/gsp: fix potential leak of memory used during acpi init Pavel Begunkov <asml.silence(a)gmail.com> io_uring/zcrx: fix pp destruction warnings Felix Fietkau <nbd(a)nbd.name> wifi: rt2x00: fix remove callback type mismatch Moon Hee Lee <moonhee.lee.ca(a)gmail.com> wifi: mac80211: reject VHT opmode for unsupported channel widths Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix non-transmitted BSSID profile search Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: correctly identify S1G short beacon Zheng Qixing <zhengqixing(a)huawei.com> md/raid1,raid10: strip REQ_NOWAIT from member bios Nigel Croxon <ncroxon(a)redhat.com> raid10: cleanup memleak at raid10_make_request Wang Jinchao <wangjinchao600(a)gmail.com> md/raid1: Fix stack memory use after return in raid1_reshape Mikko Perttunen <mperttunen(a)nvidia.com> drm/tegra: nvdec: Fix dma_alloc_coherent error check Daniil Dulov <d.dulov(a)aladdin.ru> wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: cfg80211: fix S1G beacon head validation in nl80211 Jakub Kicinski <kuba(a)kernel.org> netlink: make sure we allow at least one dump skb Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix rmem check in netlink_broadcast_deliver(). Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> ASoC: Intel: sof-function-topology-lib: Print out the unsupported dmic count Gao Xiang <xiang(a)kernel.org> erofs: fix large fragment handling Gao Xiang <xiang(a)kernel.org> erofs: address D-cache aliasing Chao Yu <chao(a)kernel.org> erofs: fix to add missing tracepoint in erofs_read_folio() Al Viro <viro(a)zeniv.linux.org.uk> ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Stefan Metzmacher <metze(a)samba.org> smb: server: make use of rdma_destroy_qp() Sascha Hauer <s.hauer(a)pengutronix.de> clk: scmi: Handle case where child clocks are initialized before their parents Julien Massot <julien.massot(a)collabora.com> dt-bindings: clock: mediatek: Add #reset-cells property for MT8188 Mikhail Paulyshka <me(a)mixaill.net> x86/CPU/AMD: Disable INVLPGB on Zen2 Jann Horn <jannh(a)google.com> x86/mm: Disable hugetlb page table sharing on 32-bit Mikhail Paulyshka <me(a)mixaill.net> x86/rdrand: Disable RDSEED on AMD Cyan Skillfish Xiaolei Wang <xiaolei.wang(a)windriver.com> clk: imx: Fix an out-of-bounds access in dispmix_csr_clk_dev_data Harry Yoo <harry.yoo(a)oracle.com> lib/alloc_tag: do not acquire non-existent lock in alloc_tag_top_users() Honggyu Kim <honggyu.kim(a)sk.com> samples/damon: fix damon sample wsse for start failure Honggyu Kim <honggyu.kim(a)sk.com> samples/damon: fix damon sample prcl for start failure Honggyu Kim <honggyu.kim(a)sk.com> mm/damon: fix divide by zero in damon_get_intervals_score() SeongJae Park <sj(a)kernel.org> mm/damon/core: handle damon_call_control as normal under kdmond deactivation Lance Yang <lance.yang(a)linux.dev> mm/rmap: fix potential out-of-bounds page table access during batched unmap Alexander Gordeev <agordeev(a)linux.ibm.com> mm/vmalloc: leave lazy MMU mode on PTE mapping error Illia Ostapyshyn <illia(a)yshyn.com> scripts: gdb: vfs: support external dentry names Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: fix interrupts.py after maple tree conversion Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: de-reference per-CPU MCE interrupts Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: fix interrupts display after MCP on x86 Baolin Wang <baolin.wang(a)linux.alibaba.com> mm: fix the inaccurate memory statistics issue for users Wei Yang <richard.weiyang(a)gmail.com> maple_tree: fix mt_destroy_walk() on root leaf node Yeoreum Yun <yeoreum.yun(a)arm.com> kasan: remove kasan_find_vm_area() to prevent possible deadlock Achill Gilgenast <fossdd(a)pwned.life> kallsyms: fix build without execinfo Zhe Qiao <qiaozhe(a)iscas.ac.cn> Revert "PCI/ACPI: Fix allocated memory release on error in pci_acpi_scan_root()" Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: battery: negate current when discharging" Matthew Brost <matthew.brost(a)intel.com> drm/xe: Allocate PF queue size on pow2 boundary Thomas Zimmermann <tzimmermann(a)suse.de> drm/framebuffer: Acquire internal references on GEM handles Kuen-Han Tsai <khtsai(a)google.com> Revert "usb: gadget: u_serial: Add null pointer check in gs_start_io" Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: u_serial: Fix race condition in TTY wakeup Aaron Thompson <dev(a)aaront.org> drm/nouveau: Do not fail module init on debugfs errors Matthew Brost <matthew.brost(a)intel.com> Revert "drm/xe/xe2: Enable Indirect Ring State support for Xe2" Matthew Auld <matthew.auld(a)intel.com> drm/xe/bmg: fix compressed VRAM handling Simona Vetter <simona.vetter(a)ffwll.ch> drm/gem: Fix race in drm_gem_handle_create_tail() Christian König <christian.koenig(a)amd.com> drm/ttm: fix error handling in ttm_buffer_object_transfer Matthew Brost <matthew.brost(a)intel.com> drm/sched: Increment job count before swapping tail spsc queue Thomas Zimmermann <tzimmermann(a)suse.de> drm/gem: Acquire references on GEM handles for framebuffers Alex Deucher <alexander.deucher(a)amd.com> drm/amdkfd: add hqd_sdma_get_doorbell callbacks for gfx7/8 Kent Russell <kent.russell(a)amd.com> drm/amdgpu: Include sdma_4_4_4.bin Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: Don't call mmput from MMU notifier callback Alessio Belle <alessio.belle(a)imgtec.com> drm/imagination: Fix kernel crash when hard resetting the GPU Michael Lo <michael.lo(a)mediatek.com> wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw scan Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7925: fix the wrong config for tx interrupt Deren Wu <deren.wu(a)mediatek.com> wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload() Deren Wu <deren.wu(a)mediatek.com> wifi: mt76: mt7921: prevent decap offload config before STA initialization Vitor Soares <vitor.soares(a)toradex.com> wifi: mwifiex: discard erroneous disassoc frames on STA interface Mathy Vanhoef <Mathy.Vanhoef(a)kuleuven.be> wifi: prevent A-MSDU attacks in mesh networks Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Ensure to disable clocks in error path Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: Fix invalid state detection Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: qcom: msm: mark certain pins as invalid for interrupts Miquel Raynal <miquel.raynal(a)bootlin.com> pinctrl: nuvoton: Fix boot on ma35dx platforms Håkon Bugge <haakon.bugge(a)oracle.com> md/md-bitmap: fix GPF in bitmap_get_stats() Hugo Villeneuve <hvilleneuve(a)dimonoff.com> gpiolib: fix performance regression when using gpio_chip_get_multiple() Haoxiang Li <haoxiang_li2024(a)163.com> net: ethernet: rtsn: Fix a null pointer dereference in rtsn_probe() Guillaume Nault <gnault(a)redhat.com> gre: Fix IPv6 multicast route creation. Jens Axboe <axboe(a)kernel.dk> io_uring/msg_ring: ensure io_kiocb freeing is deferred for RCU Arun Raghavan <arun(a)asymptotic.io> ASoC: fsl_sai: Force a software reset when starting in consumer mode Mark Brown <broonie(a)kernel.org> arm64: Filter out SME hwcaps when FEAT_SME isn't implemented Edip Hazuri <edip(a)medip.dev> ALSA: hda/realtek - Add mute LED support for HP Victus 15-fb2xxx Thorsten Blum <thorsten.blum(a)linux.dev> ALSA: ad1816a: Fix potential NULL pointer deref in snd_card_ad1816a_pnp() Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> sched: Fix preemption string of preempt_dynamic_none Liam Merwick <liam.merwick(a)oracle.com> KVM: Allow CPU to reschedule while setting per-page memory attributes Sean Christopherson <seanjc(a)google.com> KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight Nikunj A Dadhania <nikunj(a)amd.com> KVM: SVM: Add missing member in SNP_LAUNCH_START command structure Manuel Andreas <manuel.andreas(a)tum.de> KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush David Woodhouse <dwmw(a)amazon.co.uk> KVM: x86/xen: Allow 'out of range' event channel ports in IRQ routing table. JP Kobryn <inwardvessel(a)gmail.com> x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Ensure user polling settings are honored when restarting timer Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Don't remove sysfs if thresholding sysfs init fails Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Fix threshold limit reset Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Add default names for MCA banks and blocks Dan Carpenter <dan.carpenter(a)linaro.org> ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() David Howells <dhowells(a)redhat.com> rxrpc: Fix oops due to non-existence of prealloc backlog struct Eric Biggers <ebiggers(a)kernel.org> crypto: s390/sha - Fix uninitialized variable in SHA-1 and SHA-2 David Howells <dhowells(a)redhat.com> rxrpc: Fix bug due to prealloc collision Victor Nogueira <victor(a)mojatatu.com> net/sched: Abort __tc_modify_qdisc if parent class does not exist Chintan Vankar <c-vankar(a)ti.com> net: ethernet: ti: am65-cpsw-nuss: Fix skb size by accounting for skb_shared_info Yue Haibing <yuehaibing(a)huawei.com> atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix infinite recursive call of clip_push(). Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix memory leak of struct clip_vcc. Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix potential null-ptr-deref in to_atmarpd(). Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Fix link failure in forced mode with Auto-MDIX Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Force predictable MDI-X state on LAN87xx Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap EricChan <chenchuangyu(a)xiaomi.com> net: stmmac: Fix interrupt handling for level-triggered mode in DWC_XGMAC2 Petr Pavlu <petr.pavlu(a)suse.com> module: Fix memory deallocation on error path in move_module() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> net: airoha: Fix an error handling path in airoha_probe() Michal Luczaj <mhal(a)rbox.co> vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_* TOCTOU Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_{g2h,h2g} TOCTOU Jiayuan Chen <jiayuan.chen(a)linux.dev> tcp: Correct signedness in skb remaining space calculation Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_conn_close(). Stefano Garzarella <sgarzare(a)redhat.com> vsock: fix `vsock_proto` declaration Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix wraparounds of sk->sk_rmem_alloc. Luo Jie <quic_luoj(a)quicinc.com> net: phy: qcom: qca808x: Fix WoL issue by utilizing at8031_set_wol() Luo Jie <quic_luoj(a)quicinc.com> net: phy: qcom: move the WoL function to shared library Anshuman Khandual <anshuman.khandual(a)arm.com> arm64/mm: Drop wrong writes into TCR2_EL1 Kevin Brodsky <kevin.brodsky(a)arm.com> arm64: poe: Handle spurious Overlay faults Jason Xing <kernelxing(a)tencent.com> bnxt_en: eliminate the compile warning in bnxt_request_irq due to CONFIG_RFS_ACCEL kuyo chang <kuyo.chang(a)mediatek.com> sched/deadline: Fix dl_server runtime calculation formula Al Viro <viro(a)zeniv.linux.org.uk> fix proc_sys_compare() handling of in-lookup dentries Mario Limonciello <mario.limonciello(a)amd.com> pinctrl: amd: Clear GPIO debounce for suspend Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix attempting to send HCI_Disconnect to BIS handle Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_core: Remove check of BDADDR_ANY in hci_conn_hash_lookup_big_state Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix not disabling advertising instance Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: cs35l56: probe() should fail if the device ID is not recognized Peter Zijlstra <peterz(a)infradead.org> perf: Revert to requiring CAP_SYS_ADMIN for uprobes Heiko Carstens <hca(a)linux.ibm.com> objtool: Add missing endian conversion to read_annotate() Peter Zijlstra <peterz(a)infradead.org> sched/core: Fix migrate_swap() vs. hotplug Nam Cao <namcao(a)linutronix.de> irqchip/irq-msi-lib: Select CONFIG_GENERIC_MSI_IRQ Shiju Jose <shiju.jose(a)huawei.com> EDAC: Initialize EDAC features sysfs attributes Luo Gengkun <luogengkun(a)huaweicloud.com> perf/core: Fix the WARN_ON_ONCE is out of lock protected region Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: Intel: soc-acpi: arl: Correct order of cs42l43 matches Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: soc-acpi-intel-arl-match: set get_function_tplg_files ops Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: add sof_sdw_get_tplg_files ops Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: soc-acpi: add get_function_tplg_files ops Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: SND_SOC_INTEL_SOF_BOARD_HELPERS select SND_SOC_ACPI_INTEL_MATCH Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Linus Torvalds <torvalds(a)linux-foundation.org> eventpoll: don't decrement ep refcount while still holding the ep mutex ------------- Diffstat: Documentation/bpf/map_hash.rst | 8 +- Documentation/bpf/map_lru_hash_update.dot | 6 +- .../bindings/clock/mediatek,mt8188-clock.yaml | 3 + Makefile | 4 +- arch/arm64/kernel/cpufeature.c | 57 +++-- arch/arm64/kernel/process.c | 5 + arch/arm64/mm/fault.c | 30 ++- arch/arm64/mm/proc.S | 1 - arch/riscv/kernel/vdso/vdso.lds.S | 2 +- arch/s390/crypto/sha1_s390.c | 2 + arch/s390/crypto/sha256_s390.c | 3 + arch/s390/crypto/sha512_s390.c | 3 + arch/um/drivers/vector_kern.c | 42 ++-- arch/x86/Kconfig | 2 +- arch/x86/coco/sev/core.c | 22 +- arch/x86/include/asm/msr-index.h | 1 + arch/x86/include/asm/sev.h | 17 +- arch/x86/kernel/cpu/amd.c | 10 + arch/x86/kernel/cpu/mce/amd.c | 28 ++- arch/x86/kernel/cpu/mce/core.c | 24 +- arch/x86/kernel/cpu/mce/intel.c | 1 + arch/x86/kvm/hyperv.c | 3 + arch/x86/kvm/svm/sev.c | 4 + arch/x86/kvm/xen.c | 15 +- drivers/acpi/battery.c | 19 +- drivers/atm/idt77252.c | 5 + drivers/block/nbd.c | 6 +- drivers/block/ublk_drv.c | 3 +- drivers/bluetooth/hci_qca.c | 13 +- drivers/char/ipmi/ipmi_msghandler.c | 3 +- drivers/clk/clk-scmi.c | 20 +- drivers/clk/imx/clk-imx95-blk-ctl.c | 12 +- drivers/edac/ecs.c | 4 +- drivers/edac/mem_repair.c | 1 + drivers/edac/scrub.c | 1 + drivers/gpio/gpiolib.c | 5 +- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v7.c | 8 + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v8.c | 8 + drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c | 1 + drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 43 ++-- drivers/gpu/drm/drm_framebuffer.c | 31 ++- drivers/gpu/drm/drm_gem.c | 74 +++++- drivers/gpu/drm/drm_internal.h | 2 + drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 + drivers/gpu/drm/imagination/pvr_power.c | 4 +- drivers/gpu/drm/nouveau/nouveau_debugfs.c | 6 +- drivers/gpu/drm/nouveau/nouveau_debugfs.h | 5 +- drivers/gpu/drm/nouveau/nouveau_drm.c | 4 +- drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 20 +- drivers/gpu/drm/tegra/nvdec.c | 6 +- drivers/gpu/drm/ttm/ttm_bo_util.c | 13 +- drivers/gpu/drm/xe/xe_gt_pagefault.c | 1 + drivers/gpu/drm/xe/xe_lmtt.c | 11 + drivers/gpu/drm/xe/xe_migrate.c | 2 +- drivers/gpu/drm/xe/xe_pci.c | 1 - drivers/gpu/drm/xe/xe_pm.c | 11 +- drivers/hid/hid-ids.h | 6 + drivers/hid/hid-lenovo.c | 8 + drivers/hid/hid-multitouch.c | 8 +- drivers/hid/hid-nintendo.c | 38 +++- drivers/hid/hid-quirks.c | 3 + drivers/irqchip/Kconfig | 1 + drivers/md/md-bitmap.c | 3 +- drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 12 +- drivers/net/can/m_can/m_can.c | 2 +- drivers/net/ethernet/airoha/airoha_eth.c | 1 + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 +- drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c | 18 +- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- drivers/net/ethernet/ibm/ibmvnic.h | 8 +- drivers/net/ethernet/mellanox/mlx5/core/en/fs.h | 9 +- drivers/net/ethernet/mellanox/mlx5/core/en_dim.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 13 +- drivers/net/ethernet/microsoft/mana/gdma_main.c | 3 + drivers/net/ethernet/renesas/rtsn.c | 5 + drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c | 24 +- drivers/net/ethernet/ti/am65-cpsw-nuss.c | 4 +- drivers/net/ethernet/wangxun/libwx/wx_lib.c | 16 +- drivers/net/ethernet/wangxun/libwx/wx_type.h | 2 +- drivers/net/ethernet/wangxun/ngbe/ngbe_main.c | 2 +- drivers/net/ethernet/wangxun/ngbe/ngbe_type.h | 2 +- drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c | 4 +- drivers/net/ethernet/wangxun/txgbe/txgbe_type.h | 4 +- drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +- drivers/net/phy/microchip.c | 3 +- drivers/net/phy/qcom/at803x.c | 27 --- drivers/net/phy/qcom/qca808x.c | 2 +- drivers/net/phy/qcom/qcom-phy-lib.c | 25 ++ drivers/net/phy/qcom/qcom.h | 5 + drivers/net/phy/smsc.c | 57 ++++- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/wireless/marvell/mwifiex/util.c | 4 +- .../net/wireless/mediatek/mt76/mt76_connac_mcu.c | 6 +- drivers/net/wireless/mediatek/mt76/mt7921/main.c | 3 + drivers/net/wireless/mediatek/mt76/mt7925/init.c | 2 + drivers/net/wireless/mediatek/mt76/mt7925/main.c | 6 + drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7925/regs.h | 2 +- drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 40 +--- drivers/net/wireless/mediatek/mt76/mt7996/main.c | 5 +- drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 188 ++++++++++----- drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h | 16 +- drivers/net/wireless/ralink/rt2x00/rt2x00soc.c | 4 +- drivers/net/wireless/ralink/rt2x00/rt2x00soc.h | 2 +- drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +- drivers/pci/pci-acpi.c | 23 +- drivers/pinctrl/nuvoton/pinctrl-ma35.c | 10 +- drivers/pinctrl/pinctrl-amd.c | 11 + drivers/pinctrl/qcom/pinctrl-msm.c | 20 ++ drivers/pwm/core.c | 2 +- drivers/pwm/pwm-mediatek.c | 13 +- drivers/tty/vt/vt.c | 1 + drivers/usb/gadget/function/u_serial.c | 12 +- fs/btrfs/free-space-tree.c | 16 +- fs/erofs/data.c | 21 +- fs/erofs/decompressor.c | 12 +- fs/erofs/fileio.c | 6 +- fs/erofs/internal.h | 6 +- fs/erofs/zdata.c | 13 +- fs/erofs/zmap.c | 9 +- fs/eventpoll.c | 12 +- fs/proc/inode.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/task_mmu.c | 14 +- fs/smb/server/smb2pdu.c | 29 +-- fs/smb/server/transport_rdma.c | 5 +- fs/smb/server/vfs.c | 1 + include/drm/drm_file.h | 3 + include/drm/drm_framebuffer.h | 7 + include/drm/spsc_queue.h | 4 +- include/linux/blkdev.h | 5 + include/linux/ieee80211.h | 45 +++- include/linux/io_uring_types.h | 2 + include/linux/mm.h | 5 + include/linux/psp-sev.h | 2 + include/net/af_vsock.h | 2 +- include/net/bluetooth/hci_core.h | 3 +- include/net/netfilter/nf_flow_table.h | 2 +- include/sound/soc-acpi.h | 13 ++ include/trace/events/erofs.h | 2 +- io_uring/msg_ring.c | 4 +- io_uring/opdef.c | 1 + io_uring/zcrx.c | 3 - kernel/bpf/bpf_lru_list.c | 9 +- kernel/bpf/bpf_lru_list.h | 1 + kernel/events/core.c | 6 +- kernel/module/main.c | 4 +- kernel/sched/core.c | 7 +- kernel/sched/deadline.c | 10 +- kernel/stop_machine.c | 20 +- lib/alloc_tag.c | 3 + lib/maple_tree.c | 1 + mm/damon/core.c | 8 +- mm/kasan/report.c | 45 +--- mm/rmap.c | 46 ++-- mm/vmalloc.c | 22 +- net/appletalk/ddp.c | 1 + net/atm/clip.c | 64 ++++-- net/bluetooth/hci_event.c | 3 + net/bluetooth/hci_sync.c | 4 +- net/ipv4/tcp.c | 2 +- net/ipv6/addrconf.c | 9 +- net/mac80211/cfg.c | 14 ++ net/mac80211/mlme.c | 7 +- net/mac80211/parse.c | 6 +- net/mac80211/util.c | 9 +- net/netlink/af_netlink.c | 90 +++++--- net/rxrpc/call_accept.c | 4 + net/sched/sch_api.c | 23 +- net/tipc/topsrv.c | 2 + net/vmw_vsock/af_vsock.c | 57 ++++- net/wireless/nl80211.c | 7 +- net/wireless/util.c | 52 ++++- samples/damon/prcl.c | 8 +- samples/damon/wsse.c | 8 +- scripts/gdb/linux/constants.py.in | 7 + scripts/gdb/linux/interrupts.py | 16 +- scripts/gdb/linux/mapletree.py | 252 +++++++++++++++++++++ scripts/gdb/linux/vfs.py | 2 +- scripts/gdb/linux/xarray.py | 28 +++ sound/isa/ad1816a/ad1816a.c | 2 +- sound/pci/hda/patch_realtek.c | 10 + sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/codecs/cs35l56-shared.c | 2 +- sound/soc/codecs/rt721-sdca.c | 23 +- sound/soc/fsl/fsl_asrc.c | 3 +- sound/soc/fsl/fsl_sai.c | 14 +- sound/soc/intel/boards/Kconfig | 1 + sound/soc/intel/common/Makefile | 2 +- sound/soc/intel/common/soc-acpi-intel-arl-match.c | 21 +- sound/soc/intel/common/sof-function-topology-lib.c | 136 +++++++++++ sound/soc/intel/common/sof-function-topology-lib.h | 15 ++ sound/soc/sof/intel/hda.c | 6 +- tools/arch/x86/include/asm/msr-index.h | 1 + tools/include/linux/kallsyms.h | 4 + tools/objtool/check.c | 1 + tools/testing/selftests/bpf/test_lru_map.c | 105 ++++----- tools/testing/selftests/net/lib.sh | 2 +- virt/kvm/kvm_main.c | 3 + 203 files changed, 2012 insertions(+), 833 deletions(-)

2 months

20
212
0 0

[PATCH net v2 5/5] rxrpc: Fix to use conn aborts for conn-wide failures

by David Howells

Fix rxrpc to use connection-level aborts for things that affect the whole connection, such as the service ID not matching a local service. Fixes: 57af281e5389 ("rxrpc: Tidy up abort generation infrastructure") Reported-by: Jeffrey Altman <jaltman(a)auristor.com> Signed-off-by: David Howells <dhowells(a)redhat.com> Reviewed-by: Jeffrey Altman <jaltman(a)auristor.com> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Jakub Kicinski <kuba(a)kernel.org> cc: Paolo Abeni <pabeni(a)redhat.com> cc: "David S. Miller" <davem(a)davemloft.net> cc: Eric Dumazet <edumazet(a)google.com> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org cc: netdev(a)vger.kernel.org cc: stable(a)vger.kernel.org --- Notes: Changes ======= ver #2) - Moved trace note declaration out to earlier patch that uses it net/rxrpc/ar-internal.h | 3 +++ net/rxrpc/call_accept.c | 12 ++++++------ net/rxrpc/io_thread.c | 14 ++++++++++++++ net/rxrpc/output.c | 19 ++++++++++--------- net/rxrpc/security.c | 8 ++++---- 5 files changed, 37 insertions(+), 19 deletions(-) diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h index df1a618dbf7d..5b7342d43486 100644 --- a/net/rxrpc/ar-internal.h +++ b/net/rxrpc/ar-internal.h @@ -44,6 +44,7 @@ enum rxrpc_skb_mark { RXRPC_SKB_MARK_SERVICE_CONN_SECURED, /* Service connection response has been verified */ RXRPC_SKB_MARK_REJECT_BUSY, /* Reject with BUSY */ RXRPC_SKB_MARK_REJECT_ABORT, /* Reject with ABORT (code in skb->priority) */ + RXRPC_SKB_MARK_REJECT_CONN_ABORT, /* Reject with connection ABORT (code in skb->priority) */ }; /* @@ -1253,6 +1254,8 @@ int rxrpc_encap_rcv(struct sock *, struct sk_buff *); void rxrpc_error_report(struct sock *); bool rxrpc_direct_abort(struct sk_buff *skb, enum rxrpc_abort_reason why, s32 abort_code, int err); +bool rxrpc_direct_conn_abort(struct sk_buff *skb, enum rxrpc_abort_reason why, + s32 abort_code, int err); int rxrpc_io_thread(void *data); void rxrpc_post_response(struct rxrpc_connection *conn, struct sk_buff *skb); static inline void rxrpc_wake_up_io_thread(struct rxrpc_local *local) diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c index a4d76f2da684..00982a030744 100644 --- a/net/rxrpc/call_accept.c +++ b/net/rxrpc/call_accept.c @@ -374,8 +374,8 @@ bool rxrpc_new_incoming_call(struct rxrpc_local *local, spin_lock(&rx->incoming_lock); if (rx->sk.sk_state == RXRPC_SERVER_LISTEN_DISABLED || rx->sk.sk_state == RXRPC_CLOSE) { - rxrpc_direct_abort(skb, rxrpc_abort_shut_down, - RX_INVALID_OPERATION, -ESHUTDOWN); + rxrpc_direct_conn_abort(skb, rxrpc_abort_shut_down, + RX_INVALID_OPERATION, -ESHUTDOWN); goto no_call; } @@ -422,12 +422,12 @@ bool rxrpc_new_incoming_call(struct rxrpc_local *local, unsupported_service: read_unlock_irq(&local->services_lock); - return rxrpc_direct_abort(skb, rxrpc_abort_service_not_offered, - RX_INVALID_OPERATION, -EOPNOTSUPP); + return rxrpc_direct_conn_abort(skb, rxrpc_abort_service_not_offered, + RX_INVALID_OPERATION, -EOPNOTSUPP); unsupported_security: read_unlock_irq(&local->services_lock); - return rxrpc_direct_abort(skb, rxrpc_abort_service_not_offered, - RX_INVALID_OPERATION, -EKEYREJECTED); + return rxrpc_direct_conn_abort(skb, rxrpc_abort_service_not_offered, + RX_INVALID_OPERATION, -EKEYREJECTED); no_call: spin_unlock(&rx->incoming_lock); read_unlock_irq(&local->services_lock); diff --git a/net/rxrpc/io_thread.c b/net/rxrpc/io_thread.c index 27b650d30f4d..e939ecf417c4 100644 --- a/net/rxrpc/io_thread.c +++ b/net/rxrpc/io_thread.c @@ -97,6 +97,20 @@ bool rxrpc_direct_abort(struct sk_buff *skb, enum rxrpc_abort_reason why, return false; } +/* + * Directly produce a connection abort from a packet. + */ +bool rxrpc_direct_conn_abort(struct sk_buff *skb, enum rxrpc_abort_reason why, + s32 abort_code, int err) +{ + struct rxrpc_skb_priv *sp = rxrpc_skb(skb); + + trace_rxrpc_abort(0, why, sp->hdr.cid, 0, sp->hdr.seq, abort_code, err); + skb->mark = RXRPC_SKB_MARK_REJECT_CONN_ABORT; + skb->priority = abort_code; + return false; +} + static bool rxrpc_bad_message(struct sk_buff *skb, enum rxrpc_abort_reason why) { return rxrpc_direct_abort(skb, why, RX_PROTOCOL_ERROR, -EBADMSG); diff --git a/net/rxrpc/output.c b/net/rxrpc/output.c index 17c33b5cf7dd..8b5903b6e481 100644 --- a/net/rxrpc/output.c +++ b/net/rxrpc/output.c @@ -829,7 +829,13 @@ void rxrpc_reject_packet(struct rxrpc_local *local, struct sk_buff *skb) msg.msg_controllen = 0; msg.msg_flags = 0; - memset(&whdr, 0, sizeof(whdr)); + whdr = (struct rxrpc_wire_header) { + .epoch = htonl(sp->hdr.epoch), + .cid = htonl(sp->hdr.cid), + .callNumber = htonl(sp->hdr.callNumber), + .serviceId = htons(sp->hdr.serviceId), + .flags = ~sp->hdr.flags & RXRPC_CLIENT_INITIATED, + }; switch (skb->mark) { case RXRPC_SKB_MARK_REJECT_BUSY: @@ -837,6 +843,9 @@ void rxrpc_reject_packet(struct rxrpc_local *local, struct sk_buff *skb) size = sizeof(whdr); ioc = 1; break; + case RXRPC_SKB_MARK_REJECT_CONN_ABORT: + whdr.callNumber = 0; + fallthrough; case RXRPC_SKB_MARK_REJECT_ABORT: whdr.type = RXRPC_PACKET_TYPE_ABORT; code = htonl(skb->priority); @@ -850,14 +859,6 @@ void rxrpc_reject_packet(struct rxrpc_local *local, struct sk_buff *skb) if (rxrpc_extract_addr_from_skb(&srx, skb) == 0) { msg.msg_namelen = srx.transport_len; - whdr.epoch = htonl(sp->hdr.epoch); - whdr.cid = htonl(sp->hdr.cid); - whdr.callNumber = htonl(sp->hdr.callNumber); - whdr.serviceId = htons(sp->hdr.serviceId); - whdr.flags = sp->hdr.flags; - whdr.flags ^= RXRPC_CLIENT_INITIATED; - whdr.flags &= RXRPC_CLIENT_INITIATED; - iov_iter_kvec(&msg.msg_iter, WRITE, iov, ioc, size); ret = do_udp_sendmsg(local->socket, &msg, size); if (ret < 0) diff --git a/net/rxrpc/security.c b/net/rxrpc/security.c index 078d91a6b77f..2bfbf2b2bb37 100644 --- a/net/rxrpc/security.c +++ b/net/rxrpc/security.c @@ -140,15 +140,15 @@ const struct rxrpc_security *rxrpc_get_incoming_security(struct rxrpc_sock *rx, sec = rxrpc_security_lookup(sp->hdr.securityIndex); if (!sec) { - rxrpc_direct_abort(skb, rxrpc_abort_unsupported_security, - RX_INVALID_OPERATION, -EKEYREJECTED); + rxrpc_direct_conn_abort(skb, rxrpc_abort_unsupported_security, + RX_INVALID_OPERATION, -EKEYREJECTED); return NULL; } if (sp->hdr.securityIndex != RXRPC_SECURITY_NONE && !rx->securities) { - rxrpc_direct_abort(skb, rxrpc_abort_no_service_key, - sec->no_key_abort, -EKEYREJECTED); + rxrpc_direct_conn_abort(skb, rxrpc_abort_no_service_key, + sec->no_key_abort, -EKEYREJECTED); return NULL; }

2 months

1
0
0 0

[PATCH net v2 4/5] rxrpc: Fix transmission of an abort in response to an abort

by David Howells

Under some circumstances, such as when a server socket is closing, ABORT packets will be generated in response to incoming packets. Unfortunately, this also may include generating aborts in response to incoming aborts - which may cause a cycle. It appears this may be made possible by giving the client a multicast address. Fix this such that rxrpc_reject_packet() will refuse to generate aborts in response to aborts. Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code") Signed-off-by: David Howells <dhowells(a)redhat.com> Reviewed-by: Jeffrey Altman <jaltman(a)auristor.com> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> cc: LePremierHomme <kwqcheii(a)proton.me> cc: Linus Torvalds <torvalds(a)linux-foundation.org> cc: Jakub Kicinski <kuba(a)kernel.org> cc: Paolo Abeni <pabeni(a)redhat.com> cc: "David S. Miller" <davem(a)davemloft.net> cc: Eric Dumazet <edumazet(a)google.com> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org cc: netdev(a)vger.kernel.org cc: stable(a)vger.kernel.org --- net/rxrpc/output.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/rxrpc/output.c b/net/rxrpc/output.c index ef7b3096c95e..17c33b5cf7dd 100644 --- a/net/rxrpc/output.c +++ b/net/rxrpc/output.c @@ -814,6 +814,9 @@ void rxrpc_reject_packet(struct rxrpc_local *local, struct sk_buff *skb) __be32 code; int ret, ioc; + if (sp->hdr.type == RXRPC_PACKET_TYPE_ABORT) + return; /* Never abort an abort. */ + rxrpc_see_skb(skb, rxrpc_skb_see_reject); iov[0].iov_base = &whdr;

2 months

1
0
0 0

[PATCH net v2 3/5] rxrpc: Fix notification vs call-release vs recvmsg

by David Howells

When a call is released, rxrpc takes the spinlock and removes it from ->recvmsg_q in an effort to prevent racing recvmsg() invocations from seeing the same call. Now, rxrpc_recvmsg() only takes the spinlock when actually removing a call from the queue; it doesn't, however, take it in the lead up to that when it checks to see if the queue is empty. It *does* hold the socket lock, which prevents a recvmsg/recvmsg race - but this doesn't prevent sendmsg from ending the call because sendmsg() drops the socket lock and relies on the call->user_mutex. Fix this by firstly removing the bit in rxrpc_release_call() that dequeues the released call and, instead, rely on recvmsg() to simply discard released calls (done in a preceding fix). Secondly, rxrpc_notify_socket() is abandoned if the call is already marked as released rather than trying to be clever by setting both pointers in call->recvmsg_link to NULL to trick list_empty(). This isn't perfect and can still race, resulting in a released call on the queue, but recvmsg() will now clean that up. Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") Signed-off-by: David Howells <dhowells(a)redhat.com> Reviewed-by: Jeffrey Altman <jaltman(a)auristor.com> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> cc: LePremierHomme <kwqcheii(a)proton.me> cc: Jakub Kicinski <kuba(a)kernel.org> cc: Paolo Abeni <pabeni(a)redhat.com> cc: "David S. Miller" <davem(a)davemloft.net> cc: Eric Dumazet <edumazet(a)google.com> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org cc: netdev(a)vger.kernel.org cc: stable(a)vger.kernel.org --- Notes: Changes ======= ver #2) - Moved in missing trace note declaration from later patch include/trace/events/rxrpc.h | 3 ++- net/rxrpc/call_object.c | 28 ++++++++++++---------------- net/rxrpc/recvmsg.c | 4 ++++ 3 files changed, 18 insertions(+), 17 deletions(-) diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h index e7dcfb1369b6..de6f6d25767c 100644 --- a/include/trace/events/rxrpc.h +++ b/include/trace/events/rxrpc.h @@ -322,10 +322,10 @@ EM(rxrpc_call_put_kernel, "PUT kernel ") \ EM(rxrpc_call_put_poke, "PUT poke ") \ EM(rxrpc_call_put_recvmsg, "PUT recvmsg ") \ + EM(rxrpc_call_put_release_recvmsg_q, "PUT rls-rcmq") \ EM(rxrpc_call_put_release_sock, "PUT rls-sock") \ EM(rxrpc_call_put_release_sock_tba, "PUT rls-sk-a") \ EM(rxrpc_call_put_sendmsg, "PUT sendmsg ") \ - EM(rxrpc_call_put_unnotify, "PUT unnotify") \ EM(rxrpc_call_put_userid_exists, "PUT u-exists") \ EM(rxrpc_call_put_userid, "PUT user-id ") \ EM(rxrpc_call_see_accept, "SEE accept ") \ @@ -338,6 +338,7 @@ EM(rxrpc_call_see_disconnected, "SEE disconn ") \ EM(rxrpc_call_see_distribute_error, "SEE dist-err") \ EM(rxrpc_call_see_input, "SEE input ") \ + EM(rxrpc_call_see_notify_released, "SEE nfy-rlsd") \ EM(rxrpc_call_see_recvmsg, "SEE recvmsg ") \ EM(rxrpc_call_see_release, "SEE release ") \ EM(rxrpc_call_see_userid_exists, "SEE u-exists") \ diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c index 15067ff7b1f2..918f41d97a2f 100644 --- a/net/rxrpc/call_object.c +++ b/net/rxrpc/call_object.c @@ -561,7 +561,7 @@ static void rxrpc_cleanup_rx_buffers(struct rxrpc_call *call) void rxrpc_release_call(struct rxrpc_sock *rx, struct rxrpc_call *call) { struct rxrpc_connection *conn = call->conn; - bool put = false, putu = false; + bool putu = false; _enter("{%d,%d}", call->debug_id, refcount_read(&call->ref)); @@ -573,23 +573,13 @@ void rxrpc_release_call(struct rxrpc_sock *rx, struct rxrpc_call *call) rxrpc_put_call_slot(call); - /* Make sure we don't get any more notifications */ + /* Note that at this point, the call may still be on or may have been + * added back on to the socket receive queue. recvmsg() must discard + * released calls. The CALL_RELEASED flag should prevent further + * notifications. + */ spin_lock_irq(&rx->recvmsg_lock); - - if (!list_empty(&call->recvmsg_link)) { - _debug("unlinking once-pending call %p { e=%lx f=%lx }", - call, call->events, call->flags); - list_del(&call->recvmsg_link); - put = true; - } - - /* list_empty() must return false in rxrpc_notify_socket() */ - call->recvmsg_link.next = NULL; - call->recvmsg_link.prev = NULL; - spin_unlock_irq(&rx->recvmsg_lock); - if (put) - rxrpc_put_call(call, rxrpc_call_put_unnotify); write_lock(&rx->call_lock); @@ -638,6 +628,12 @@ void rxrpc_release_calls_on_socket(struct rxrpc_sock *rx) rxrpc_put_call(call, rxrpc_call_put_release_sock); } + while ((call = list_first_entry_or_null(&rx->recvmsg_q, + struct rxrpc_call, recvmsg_link))) { + list_del_init(&call->recvmsg_link); + rxrpc_put_call(call, rxrpc_call_put_release_recvmsg_q); + } + _leave(""); } diff --git a/net/rxrpc/recvmsg.c b/net/rxrpc/recvmsg.c index 6990e37697de..7fa7e77f6bb9 100644 --- a/net/rxrpc/recvmsg.c +++ b/net/rxrpc/recvmsg.c @@ -29,6 +29,10 @@ void rxrpc_notify_socket(struct rxrpc_call *call) if (!list_empty(&call->recvmsg_link)) return; + if (test_bit(RXRPC_CALL_RELEASED, &call->flags)) { + rxrpc_see_call(call, rxrpc_call_see_notify_released); + return; + } rcu_read_lock();

2 months

1
0
0 0

[PATCH net v2 2/5] rxrpc: Fix recv-recv race of completed call

by David Howells

If a call receives an event (such as incoming data), the call gets placed on the socket's queue and a thread in recvmsg can be awakened to go and process it. Once the thread has picked up the call off of the queue, further events will cause it to be requeued, and once the socket lock is dropped (recvmsg uses call->user_mutex to allow the socket to be used in parallel), a second thread can come in and its recvmsg can pop the call off the socket queue again. In such a case, the first thread will be receiving stuff from the call and the second thread will be blocked on call->user_mutex. The first thread can, at this point, process both the event that it picked call for and the event that the second thread picked the call for and may see the call terminate - in which case the call will be "released", decoupling the call from the user call ID assigned to it (RXRPC_USER_CALL_ID in the control message). The first thread will return okay, but then the second thread will wake up holding the user_mutex and, if it sees that the call has been released by the first thread, it will BUG thusly: kernel BUG at net/rxrpc/recvmsg.c:474! Fix this by just dequeuing the call and ignoring it if it is seen to be already released. We can't tell userspace about it anyway as the user call ID has become stale. Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code") Reported-by: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> Signed-off-by: David Howells <dhowells(a)redhat.com> Reviewed-by: Jeffrey Altman <jaltman(a)auristor.com> cc: LePremierHomme <kwqcheii(a)proton.me> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Jakub Kicinski <kuba(a)kernel.org> cc: Paolo Abeni <pabeni(a)redhat.com> cc: "David S. Miller" <davem(a)davemloft.net> cc: Eric Dumazet <edumazet(a)google.com> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org cc: netdev(a)vger.kernel.org cc: stable(a)vger.kernel.org --- include/trace/events/rxrpc.h | 3 +++ net/rxrpc/call_accept.c | 1 + net/rxrpc/recvmsg.c | 19 +++++++++++++++++-- 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h index 378d2dfc7392..e7dcfb1369b6 100644 --- a/include/trace/events/rxrpc.h +++ b/include/trace/events/rxrpc.h @@ -330,12 +330,15 @@ EM(rxrpc_call_put_userid, "PUT user-id ") \ EM(rxrpc_call_see_accept, "SEE accept ") \ EM(rxrpc_call_see_activate_client, "SEE act-clnt") \ + EM(rxrpc_call_see_already_released, "SEE alrdy-rl") \ EM(rxrpc_call_see_connect_failed, "SEE con-fail") \ EM(rxrpc_call_see_connected, "SEE connect ") \ EM(rxrpc_call_see_conn_abort, "SEE conn-abt") \ + EM(rxrpc_call_see_discard, "SEE discard ") \ EM(rxrpc_call_see_disconnected, "SEE disconn ") \ EM(rxrpc_call_see_distribute_error, "SEE dist-err") \ EM(rxrpc_call_see_input, "SEE input ") \ + EM(rxrpc_call_see_recvmsg, "SEE recvmsg ") \ EM(rxrpc_call_see_release, "SEE release ") \ EM(rxrpc_call_see_userid_exists, "SEE u-exists") \ EM(rxrpc_call_see_waiting_call, "SEE q-conn ") \ diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c index 226b4bf82747..a4d76f2da684 100644 --- a/net/rxrpc/call_accept.c +++ b/net/rxrpc/call_accept.c @@ -219,6 +219,7 @@ void rxrpc_discard_prealloc(struct rxrpc_sock *rx) tail = b->call_backlog_tail; while (CIRC_CNT(head, tail, size) > 0) { struct rxrpc_call *call = b->call_backlog[tail]; + rxrpc_see_call(call, rxrpc_call_see_discard); rcu_assign_pointer(call->socket, rx); if (rx->app_ops && rx->app_ops->discard_new_call) { diff --git a/net/rxrpc/recvmsg.c b/net/rxrpc/recvmsg.c index 86a27fb55a1c..6990e37697de 100644 --- a/net/rxrpc/recvmsg.c +++ b/net/rxrpc/recvmsg.c @@ -447,6 +447,16 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, goto try_again; } + rxrpc_see_call(call, rxrpc_call_see_recvmsg); + if (test_bit(RXRPC_CALL_RELEASED, &call->flags)) { + rxrpc_see_call(call, rxrpc_call_see_already_released); + list_del_init(&call->recvmsg_link); + spin_unlock_irq(&rx->recvmsg_lock); + release_sock(&rx->sk); + trace_rxrpc_recvmsg(call->debug_id, rxrpc_recvmsg_unqueue, 0); + rxrpc_put_call(call, rxrpc_call_put_recvmsg); + goto try_again; + } if (!(flags & MSG_PEEK)) list_del_init(&call->recvmsg_link); else @@ -470,8 +480,13 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, release_sock(&rx->sk); - if (test_bit(RXRPC_CALL_RELEASED, &call->flags)) - BUG(); + if (test_bit(RXRPC_CALL_RELEASED, &call->flags)) { + rxrpc_see_call(call, rxrpc_call_see_already_released); + mutex_unlock(&call->user_mutex); + if (!(flags & MSG_PEEK)) + rxrpc_put_call(call, rxrpc_call_put_recvmsg); + goto try_again; + } ret = rxrpc_recvmsg_user_id(call, msg, flags); if (ret < 0)

2 months

1
0
0 0

[PATCH net v2 1/5] rxrpc: Fix irq-disabled in local_bh_enable()

by David Howells

The rxrpc_assess_MTU_size() function calls down into the IP layer to find out the MTU size for a route. When accepting an incoming call, this is called from rxrpc_new_incoming_call() which holds interrupts disabled across the code that calls down to it. Unfortunately, the IP layer uses local_bh_enable() which, config dependent, throws a warning if IRQs are enabled: WARNING: CPU: 1 PID: 5544 at kernel/softirq.c:387 __local_bh_enable_ip+0x43/0xd0 ... RIP: 0010:__local_bh_enable_ip+0x43/0xd0 ... Call Trace: <TASK> rt_cache_route+0x7e/0xa0 rt_set_nexthop.isra.0+0x3b3/0x3f0 __mkroute_output+0x43a/0x460 ip_route_output_key_hash+0xf7/0x140 ip_route_output_flow+0x1b/0x90 rxrpc_assess_MTU_size.isra.0+0x2a0/0x590 rxrpc_new_incoming_peer+0x46/0x120 rxrpc_alloc_incoming_call+0x1b1/0x400 rxrpc_new_incoming_call+0x1da/0x5e0 rxrpc_input_packet+0x827/0x900 rxrpc_io_thread+0x403/0xb60 kthread+0x2f7/0x310 ret_from_fork+0x2a/0x230 ret_from_fork_asm+0x1a/0x30 ... hardirqs last enabled at (23): _raw_spin_unlock_irq+0x24/0x50 hardirqs last disabled at (24): _raw_read_lock_irq+0x17/0x70 softirqs last enabled at (0): copy_process+0xc61/0x2730 softirqs last disabled at (25): rt_add_uncached_list+0x3c/0x90 Fix this by moving the call to rxrpc_assess_MTU_size() out of rxrpc_init_peer() and further up the stack where it can be done without interrupts disabled. It shouldn't be a problem for rxrpc_new_incoming_call() to do it after the locks are dropped as pmtud is going to be performed by the I/O thread - and we're in the I/O thread at this point. Fixes: a2ea9a907260 ("rxrpc: Use irq-disabling spinlocks between app and I/O thread") Signed-off-by: David Howells <dhowells(a)redhat.com> Reviewed-by: Jeffrey Altman <jaltman(a)auristor.com> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> cc: LePremierHomme <kwqcheii(a)proton.me> cc: Jakub Kicinski <kuba(a)kernel.org> cc: Paolo Abeni <pabeni(a)redhat.com> cc: "David S. Miller" <davem(a)davemloft.net> cc: Eric Dumazet <edumazet(a)google.com> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org cc: netdev(a)vger.kernel.org cc: stable(a)vger.kernel.org --- net/rxrpc/ar-internal.h | 1 + net/rxrpc/call_accept.c | 1 + net/rxrpc/peer_object.c | 6 ++---- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h index 376e33dce8c1..df1a618dbf7d 100644 --- a/net/rxrpc/ar-internal.h +++ b/net/rxrpc/ar-internal.h @@ -1383,6 +1383,7 @@ struct rxrpc_peer *rxrpc_lookup_peer_rcu(struct rxrpc_local *, const struct sockaddr_rxrpc *); struct rxrpc_peer *rxrpc_lookup_peer(struct rxrpc_local *local, struct sockaddr_rxrpc *srx, gfp_t gfp); +void rxrpc_assess_MTU_size(struct rxrpc_local *local, struct rxrpc_peer *peer); struct rxrpc_peer *rxrpc_alloc_peer(struct rxrpc_local *, gfp_t, enum rxrpc_peer_trace); void rxrpc_new_incoming_peer(struct rxrpc_local *local, struct rxrpc_peer *peer); diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c index 49fccee1a726..226b4bf82747 100644 --- a/net/rxrpc/call_accept.c +++ b/net/rxrpc/call_accept.c @@ -406,6 +406,7 @@ bool rxrpc_new_incoming_call(struct rxrpc_local *local, spin_unlock(&rx->incoming_lock); read_unlock_irq(&local->services_lock); + rxrpc_assess_MTU_size(local, call->peer); if (hlist_unhashed(&call->error_link)) { spin_lock_irq(&call->peer->lock); diff --git a/net/rxrpc/peer_object.c b/net/rxrpc/peer_object.c index e2f35e6c04d6..366431b0736c 100644 --- a/net/rxrpc/peer_object.c +++ b/net/rxrpc/peer_object.c @@ -149,8 +149,7 @@ struct rxrpc_peer *rxrpc_lookup_peer_rcu(struct rxrpc_local *local, * assess the MTU size for the network interface through which this peer is * reached */ -static void rxrpc_assess_MTU_size(struct rxrpc_local *local, - struct rxrpc_peer *peer) +void rxrpc_assess_MTU_size(struct rxrpc_local *local, struct rxrpc_peer *peer) { struct net *net = local->net; struct dst_entry *dst; @@ -277,8 +276,6 @@ static void rxrpc_init_peer(struct rxrpc_local *local, struct rxrpc_peer *peer, peer->hdrsize += sizeof(struct rxrpc_wire_header); peer->max_data = peer->if_mtu - peer->hdrsize; - - rxrpc_assess_MTU_size(local, peer); } /* @@ -297,6 +294,7 @@ static struct rxrpc_peer *rxrpc_create_peer(struct rxrpc_local *local, if (peer) { memcpy(&peer->srx, srx, sizeof(*srx)); rxrpc_init_peer(local, peer, hash_key); + rxrpc_assess_MTU_size(local, peer); } _leave(" = %p", peer);

2 months

1
0
0 0

[PATCH v2] arm64: dts: qcom: qcs615: add missing dt property in QUP SEs

by Viken Dadhaniya

Add the missing required-opps and operating-points-v2 properties to several I2C, SPI, and UART nodes in the QUP SEs. Fixes: f6746dc9e379 ("arm64: dts: qcom: qcs615: Add QUPv3 configuration") Cc: stable(a)vger.kernel.org Signed-off-by: Viken Dadhaniya <viken.dadhaniya(a)oss.qualcomm.com> --- v1 -> v2: - Added Fixes and Cc tag. v1 Link: https://lore.kernel.org/all/20250626102826.3422984-1-viken.dadhaniya@oss.qu… --- --- arch/arm64/boot/dts/qcom/qcs615.dtsi | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/arch/arm64/boot/dts/qcom/qcs615.dtsi b/arch/arm64/boot/dts/qcom/qcs615.dtsi index bfbb21035492..e033b53f0f0f 100644 --- a/arch/arm64/boot/dts/qcom/qcs615.dtsi +++ b/arch/arm64/boot/dts/qcom/qcs615.dtsi @@ -631,6 +631,7 @@ &mc_virt SLAVE_EBI1 QCOM_ICC_TAG_ALWAYS>, interconnect-names = "qup-core", "qup-config"; power-domains = <&rpmhpd RPMHPD_CX>; + operating-points-v2 = <&qup_opp_table>; status = "disabled"; }; @@ -654,6 +655,7 @@ &config_noc SLAVE_QUP_0 QCOM_ICC_TAG_ALWAYS>, "qup-config", "qup-memory"; power-domains = <&rpmhpd RPMHPD_CX>; + required-opps = <&rpmhpd_opp_low_svs>; dmas = <&gpi_dma0 0 1 QCOM_GPI_I2C>, <&gpi_dma0 1 1 QCOM_GPI_I2C>; dma-names = "tx", @@ -681,6 +683,7 @@ &config_noc SLAVE_QUP_0 QCOM_ICC_TAG_ALWAYS>, "qup-config", "qup-memory"; power-domains = <&rpmhpd RPMHPD_CX>; + required-opps = <&rpmhpd_opp_low_svs>; dmas = <&gpi_dma0 0 2 QCOM_GPI_I2C>, <&gpi_dma0 1 2 QCOM_GPI_I2C>; dma-names = "tx", @@ -703,6 +706,7 @@ &mc_virt SLAVE_EBI1 QCOM_ICC_TAG_ALWAYS>, interconnect-names = "qup-core", "qup-config"; power-domains = <&rpmhpd RPMHPD_CX>; + operating-points-v2 = <&qup_opp_table>; dmas = <&gpi_dma0 0 2 QCOM_GPI_SPI>, <&gpi_dma0 1 2 QCOM_GPI_SPI>; dma-names = "tx", @@ -728,6 +732,7 @@ &mc_virt SLAVE_EBI1 QCOM_ICC_TAG_ALWAYS>, interconnect-names = "qup-core", "qup-config"; power-domains = <&rpmhpd RPMHPD_CX>; + operating-points-v2 = <&qup_opp_table>; status = "disabled"; }; @@ -751,6 +756,7 @@ &config_noc SLAVE_QUP_0 QCOM_ICC_TAG_ALWAYS>, "qup-config", "qup-memory"; power-domains = <&rpmhpd RPMHPD_CX>; + required-opps = <&rpmhpd_opp_low_svs>; dmas = <&gpi_dma0 0 3 QCOM_GPI_I2C>, <&gpi_dma0 1 3 QCOM_GPI_I2C>; dma-names = "tx", -- 2.34.1

2 months

3
2
0 0

[PATCH] i2c: qup: jump out of the loop in case of timeout

by Yang Xiwen via B4 Relay

From: Yang Xiwen <forbidden405(a)outlook.com> Original logic only sets the return value but doesn't jump out of the loop if the bus is kept active by a client. This is not expected. A malicious or buggy i2c client can hang the kernel in this case and should be avoided. This is observed during a long time test with a PCA953x GPIO extender. Fix it by changing the logic to not only sets the return value, but also jumps out of the loop and return to the caller with -ETIMEDOUT. Cc: stable(a)vger.kernel.org Signed-off-by: Yang Xiwen <forbidden405(a)outlook.com> --- drivers/i2c/busses/i2c-qup.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/i2c/busses/i2c-qup.c b/drivers/i2c/busses/i2c-qup.c index 3a36d682ed57..5b053e51f4c9 100644 --- a/drivers/i2c/busses/i2c-qup.c +++ b/drivers/i2c/busses/i2c-qup.c @@ -452,8 +452,10 @@ static int qup_i2c_bus_active(struct qup_i2c_dev *qup, int len) if (!(status & I2C_STATUS_BUS_ACTIVE)) break; - if (time_after(jiffies, timeout)) + if (time_after(jiffies, timeout)) { ret = -ETIMEDOUT; + break; + } usleep_range(len, len * 2); } --- base-commit: 19272b37aa4f83ca52bdf9c16d5d81bdd1354494 change-id: 20250615-qca-i2c-d41bb61aa59e Best regards, -- Yang Xiwen <forbidden405(a)outlook.com>

2 months

4
3
0 0

Access Target Contacts from the GSX 2025 Audience

by Lena Schwekendiek

Hi , Planning to get the GSX 2025 attendee list? Expo Name: Global Security Exchange (GSX) 2025 Total Number of records: 17,000 records List includes: Company Name, Contact Name, Job Title, Mailing Address, Phone, Emails, etc. Interested in moving forward with these leads? Let me know, and I'll share the price. Can't wait for your reply Regards Lena Marketing Manager Pro Tech Insights., Please reply with REMOVE if you don't wish to receive further emails

2 months

1
0
0 0

[PATCH 1/7] drm/i915/dp: Fix 2.7 Gbps DP_LINK_BW value on g4x

by Ville Syrjala

From: Ville Syrjälä <ville.syrjala(a)linux.intel.com> On g4x we currently use the 96MHz non-SSC refclk, which can't actually generate an exact 2.7 Gbps link rate. In practice we end up with 2.688 Gbps which seems to be close enough to actually work, but link training is currently failing due to miscalculating the DP_LINK_BW value (we calcualte it directly from port_clock which reflects the actual PLL outpout frequency). Ideas how to fix this: - nudge port_clock back up to 270000 during PLL computation/readout - track port_clock and the nominal link rate separately so they might differ a bit - switch to the 100MHz refclk, but that one should be SSC so perhaps not something we want While we ponder about a better solution apply some band aid to the immediate issue of miscalculated DP_LINK_BW value. With this I can again use 2.7 Gbps link rate on g4x. Cc: stable(a)vger.kernel.org Fixes: 665a7b04092c ("drm/i915: Feed the DPLL output freq back into crtc_state") Signed-off-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> --- drivers/gpu/drm/i915/display/intel_dp.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/gpu/drm/i915/display/intel_dp.c b/drivers/gpu/drm/i915/display/intel_dp.c index f48912f308df..7976fec88606 100644 --- a/drivers/gpu/drm/i915/display/intel_dp.c +++ b/drivers/gpu/drm/i915/display/intel_dp.c @@ -1606,6 +1606,12 @@ int intel_dp_rate_select(struct intel_dp *intel_dp, int rate) void intel_dp_compute_rate(struct intel_dp *intel_dp, int port_clock, u8 *link_bw, u8 *rate_select) { + struct intel_display *display = to_intel_display(intel_dp); + + /* FIXME g4x can't generate an exact 2.7GHz with the 96MHz non-SSC refclk */ + if (display->platform.g4x && port_clock == 268800) + port_clock = 270000; + /* eDP 1.4 rate select method. */ if (intel_dp->use_rate_select) { *link_bw = 0; -- 2.49.0

2 months

3
3
0 0

+ kasan-use-vmalloc_dump_obj-for-vmalloc-error-reports.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: kasan: use vmalloc_dump_obj() for vmalloc error reports has been added to the -mm mm-hotfixes-unstable branch. Its filename is kasan-use-vmalloc_dump_obj-for-vmalloc-error-reports.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Marco Elver <elver(a)google.com> Subject: kasan: use vmalloc_dump_obj() for vmalloc error reports Date: Wed, 16 Jul 2025 17:23:28 +0200 Since 6ee9b3d84775 ("kasan: remove kasan_find_vm_area() to prevent possible deadlock"), more detailed info about the vmalloc mapping and the origin was dropped due to potential deadlocks. While fixing the deadlock is necessary, that patch was too quick in killing an otherwise useful feature, and did no due-diligence in understanding if an alternative option is available. Restore printing more helpful vmalloc allocation info in KASAN reports with the help of vmalloc_dump_obj(). Example report: | BUG: KASAN: vmalloc-out-of-bounds in vmalloc_oob+0x4c9/0x610 | Read of size 1 at addr ffffc900002fd7f3 by task kunit_try_catch/493 | | CPU: [...] | Call Trace: | <TASK> | dump_stack_lvl+0xa8/0xf0 | print_report+0x17e/0x810 | kasan_report+0x155/0x190 | vmalloc_oob+0x4c9/0x610 | [...] | | The buggy address belongs to a 1-page vmalloc region starting at 0xffffc900002fd000 allocated at vmalloc_oob+0x36/0x610 | The buggy address belongs to the physical page: | page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x126364 | flags: 0x200000000000000(node=0|zone=2) | raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 | raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 | page dumped because: kasan: bad access detected | | [..] Link: https://lkml.kernel.org/r/20250716152448.3877201-1-elver@google.com Fixes: 6ee9b3d84775 ("kasan: remove kasan_find_vm_area() to prevent possible deadlock") Signed-off-by: Marco Elver <elver(a)google.com> Suggested-by: Uladzislau Rezki <urezki(a)gmail.com> Acked-by: Uladzislau Rezki (Sony) <urezki(a)gmail.com> Cc: Alexander Potapenko <glider(a)google.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Cc: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Cc: Yeoreum Yun <yeoreum.yun(a)arm.com> Cc: Yunseong Kim <ysk(a)kzalloc.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/kasan/report.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/mm/kasan/report.c~kasan-use-vmalloc_dump_obj-for-vmalloc-error-reports +++ a/mm/kasan/report.c @@ -399,7 +399,9 @@ static void print_address_description(vo } if (is_vmalloc_addr(addr)) { - pr_err("The buggy address %px belongs to a vmalloc virtual mapping\n", addr); + pr_err("The buggy address belongs to a"); + if (!vmalloc_dump_obj(addr)) + pr_cont(" vmalloc virtual mapping\n"); page = vmalloc_to_page(addr); } _ Patches currently in -mm which might be from elver(a)google.com are kasan-use-vmalloc_dump_obj-for-vmalloc-error-reports.patch

2 months

1
0
0 0

[PATCH 1/2] s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again

by Ilya Leoshkevich

Commit 7ded842b356d ("s390/bpf: Fix bpf_plt pointer arithmetic") has accidentally removed the critical piece of commit c730fce7c70c ("s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL"), causing intermittent kernel panics in e.g. perf's on_switch() prog to reappear. Restore the fix and add a comment. Fixes: 7ded842b356d ("s390/bpf: Fix bpf_plt pointer arithmetic") Cc: stable(a)vger.kernel.org Signed-off-by: Ilya Leoshkevich <iii(a)linux.ibm.com> --- arch/s390/net/bpf_jit_comp.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c index 8bb738f1b1b6..bb17efe29d65 100644 --- a/arch/s390/net/bpf_jit_comp.c +++ b/arch/s390/net/bpf_jit_comp.c @@ -576,7 +576,15 @@ static void bpf_jit_plt(struct bpf_plt *plt, void *ret, void *target) { memcpy(plt, &bpf_plt, sizeof(*plt)); plt->ret = ret; - plt->target = target; + /* + * (target == NULL) implies that the branch to this PLT entry was + * patched and became a no-op. However, some CPU could have jumped + * to this PLT entry before patching and may be still executing it. + * + * Since the intention in this case is to make the PLT entry a no-op, + * make the target point to the return label instead of NULL. + */ + plt->target = target ?: ret; } /* -- 2.50.1

2 months

1
0
0 0

[PATCH net 3/5] rxrpc: Fix notification vs call-release vs recvmsg

by David Howells

When a call is released, rxrpc takes the spinlock and removes it from ->recvmsg_q in an effort to prevent racing recvmsg() invocations from seeing the same call. Now, rxrpc_recvmsg() only takes the spinlock when actually removing a call from the queue; it doesn't, however, take it in the lead up to that when it checks to see if the queue is empty. It *does* hold the socket lock, which prevents a recvmsg/recvmsg race - but this doesn't prevent sendmsg from ending the call because sendmsg() drops the socket lock and relies on the call->user_mutex. Fix this by firstly removing the bit in rxrpc_release_call() that dequeues the released call and, instead, rely on recvmsg() to simply discard released calls (done in a preceding fix). Secondly, rxrpc_notify_socket() is abandoned if the call is already marked as released rather than trying to be clever by setting both pointers in call->recvmsg_link to NULL to trick list_empty(). This isn't perfect and can still race, resulting in a released call on the queue, but recvmsg() will now clean that up. Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") Signed-off-by: David Howells <dhowells(a)redhat.com> Reviewed-by: Jeffrey Altman <jaltman(a)auristor.com> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> cc: LePremierHomme <kwqcheii(a)proton.me> cc: Jakub Kicinski <kuba(a)kernel.org> cc: Paolo Abeni <pabeni(a)redhat.com> cc: "David S. Miller" <davem(a)davemloft.net> cc: Eric Dumazet <edumazet(a)google.com> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org cc: netdev(a)vger.kernel.org cc: stable(a)vger.kernel.org --- include/trace/events/rxrpc.h | 2 +- net/rxrpc/call_object.c | 28 ++++++++++++---------------- net/rxrpc/recvmsg.c | 4 ++++ 3 files changed, 17 insertions(+), 17 deletions(-) diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h index e7dcfb1369b6..8e5a73eb5268 100644 --- a/include/trace/events/rxrpc.h +++ b/include/trace/events/rxrpc.h @@ -325,7 +325,6 @@ EM(rxrpc_call_put_release_sock, "PUT rls-sock") \ EM(rxrpc_call_put_release_sock_tba, "PUT rls-sk-a") \ EM(rxrpc_call_put_sendmsg, "PUT sendmsg ") \ - EM(rxrpc_call_put_unnotify, "PUT unnotify") \ EM(rxrpc_call_put_userid_exists, "PUT u-exists") \ EM(rxrpc_call_put_userid, "PUT user-id ") \ EM(rxrpc_call_see_accept, "SEE accept ") \ @@ -338,6 +337,7 @@ EM(rxrpc_call_see_disconnected, "SEE disconn ") \ EM(rxrpc_call_see_distribute_error, "SEE dist-err") \ EM(rxrpc_call_see_input, "SEE input ") \ + EM(rxrpc_call_see_notify_released, "SEE nfy-rlsd") \ EM(rxrpc_call_see_recvmsg, "SEE recvmsg ") \ EM(rxrpc_call_see_release, "SEE release ") \ EM(rxrpc_call_see_userid_exists, "SEE u-exists") \ diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c index 15067ff7b1f2..918f41d97a2f 100644 --- a/net/rxrpc/call_object.c +++ b/net/rxrpc/call_object.c @@ -561,7 +561,7 @@ static void rxrpc_cleanup_rx_buffers(struct rxrpc_call *call) void rxrpc_release_call(struct rxrpc_sock *rx, struct rxrpc_call *call) { struct rxrpc_connection *conn = call->conn; - bool put = false, putu = false; + bool putu = false; _enter("{%d,%d}", call->debug_id, refcount_read(&call->ref)); @@ -573,23 +573,13 @@ void rxrpc_release_call(struct rxrpc_sock *rx, struct rxrpc_call *call) rxrpc_put_call_slot(call); - /* Make sure we don't get any more notifications */ + /* Note that at this point, the call may still be on or may have been + * added back on to the socket receive queue. recvmsg() must discard + * released calls. The CALL_RELEASED flag should prevent further + * notifications. + */ spin_lock_irq(&rx->recvmsg_lock); - - if (!list_empty(&call->recvmsg_link)) { - _debug("unlinking once-pending call %p { e=%lx f=%lx }", - call, call->events, call->flags); - list_del(&call->recvmsg_link); - put = true; - } - - /* list_empty() must return false in rxrpc_notify_socket() */ - call->recvmsg_link.next = NULL; - call->recvmsg_link.prev = NULL; - spin_unlock_irq(&rx->recvmsg_lock); - if (put) - rxrpc_put_call(call, rxrpc_call_put_unnotify); write_lock(&rx->call_lock); @@ -638,6 +628,12 @@ void rxrpc_release_calls_on_socket(struct rxrpc_sock *rx) rxrpc_put_call(call, rxrpc_call_put_release_sock); } + while ((call = list_first_entry_or_null(&rx->recvmsg_q, + struct rxrpc_call, recvmsg_link))) { + list_del_init(&call->recvmsg_link); + rxrpc_put_call(call, rxrpc_call_put_release_recvmsg_q); + } + _leave(""); } diff --git a/net/rxrpc/recvmsg.c b/net/rxrpc/recvmsg.c index 6990e37697de..7fa7e77f6bb9 100644 --- a/net/rxrpc/recvmsg.c +++ b/net/rxrpc/recvmsg.c @@ -29,6 +29,10 @@ void rxrpc_notify_socket(struct rxrpc_call *call) if (!list_empty(&call->recvmsg_link)) return; + if (test_bit(RXRPC_CALL_RELEASED, &call->flags)) { + rxrpc_see_call(call, rxrpc_call_see_notify_released); + return; + } rcu_read_lock();

2 months

2
1
0 0

[PATCH] usb: atm: cxacru: Zero initialize bp in cxacru_heavy_init()

by Nathan Chancellor

After a recent change in clang to expose uninitialized warnings from const variables [1], there is a warning in cxacru_heavy_init(): drivers/usb/atm/cxacru.c:1104:6: error: variable 'bp' is used uninitialized whenever 'if' condition is false [-Werror,-Wsometimes-uninitialized] 1104 | if (instance->modem_type->boot_rom_patch) { | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/usb/atm/cxacru.c:1113:39: note: uninitialized use occurs here 1113 | cxacru_upload_firmware(instance, fw, bp); | ^~ drivers/usb/atm/cxacru.c:1104:2: note: remove the 'if' if its condition is always true 1104 | if (instance->modem_type->boot_rom_patch) { | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/usb/atm/cxacru.c:1095:32: note: initialize the variable 'bp' to silence this warning 1095 | const struct firmware *fw, *bp; | ^ | = NULL This warning occurs in clang's frontend before inlining occurs, so it cannot notice that bp is only used within cxacru_upload_firmware() under the same condition that initializes it in cxacru_heavy_init(). Just initialize bp to NULL to silence the warning without functionally changing the code, which is what happens with modern compilers when they support '-ftrivial-auto-var-init=zero' (CONFIG_INIT_STACK_ALL_ZERO=y). Cc: stable(a)vger.kernel.org Fixes: 1b0e61465234 ("[PATCH] USB ATM: driver for the Conexant AccessRunner chipset cxacru") Closes: https://github.com/ClangBuiltLinux/linux/issues/2102 Link: https://github.com/llvm/llvm-project/commit/2464313eef01c5b1edf0eccf57a32cd… [1] Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- drivers/usb/atm/cxacru.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/atm/cxacru.c b/drivers/usb/atm/cxacru.c index a12ab90b3db7..b7c3b224a759 100644 --- a/drivers/usb/atm/cxacru.c +++ b/drivers/usb/atm/cxacru.c @@ -1092,7 +1092,7 @@ static int cxacru_find_firmware(struct cxacru_data *instance, static int cxacru_heavy_init(struct usbatm_data *usbatm_instance, struct usb_interface *usb_intf) { - const struct firmware *fw, *bp; + const struct firmware *fw, *bp = NULL; struct cxacru_data *instance = usbatm_instance->driver_data; int ret = cxacru_find_firmware(instance, "fw", &fw); --- base-commit: fdfa018c6962c86d2faa183187669569be4d513f change-id: 20250715-usb-cxacru-fix-clang-21-uninit-warning-9430d96c6bc1 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

2 months

2
7
0 0

[PATCH v4 1/1] mm/rmap: fix potential out-of-bounds page table access during batched unmap

by Lance Yang

From: Lance Yang <lance.yang(a)linux.dev> As pointed out by David[1], the batched unmap logic in try_to_unmap_one() may read past the end of a PTE table when a large folio's PTE mappings are not fully contained within a single page table. While this scenario might be rare, an issue triggerable from userspace must be fixed regardless of its likelihood. This patch fixes the out-of-bounds access by refactoring the logic into a new helper, folio_unmap_pte_batch(). The new helper correctly calculates the safe batch size by capping the scan at both the VMA and PMD boundaries. To simplify the code, it also supports partial batching (i.e., any number of pages from 1 up to the calculated safe maximum), as there is no strong reason to special-case for fully mapped folios. [1] https://lore.kernel.org/linux-mm/a694398c-9f03-4737-81b9-7e49c857fcbe@redha… Cc: <stable(a)vger.kernel.org> Reported-by: David Hildenbrand <david(a)redhat.com> Closes: https://lore.kernel.org/linux-mm/a694398c-9f03-4737-81b9-7e49c857fcbe@redha… Fixes: 354dffd29575 ("mm: support batched unmap for lazyfree large folios during reclamation") Suggested-by: Barry Song <baohua(a)kernel.org> Acked-by: Barry Song <baohua(a)kernel.org> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Acked-by: David Hildenbrand <david(a)redhat.com> Signed-off-by: Lance Yang <lance.yang(a)linux.dev> --- v3 -> v4: - Add Reported-by + Closes tags (per David) - Pick RB from Lorenzo - thanks! - Pick AB from David - thanks! - https://lore.kernel.org/linux-mm/20250630011305.23754-1-lance.yang@linux.dev v2 -> v3: - Tweak changelog (per Barry and David) - Pick AB from Barry - thanks! - https://lore.kernel.org/linux-mm/20250627062319.84936-1-lance.yang@linux.dev v1 -> v2: - Update subject and changelog (per Barry) - https://lore.kernel.org/linux-mm/20250627025214.30887-1-lance.yang@linux.dev mm/rmap.c | 46 ++++++++++++++++++++++++++++------------------ 1 file changed, 28 insertions(+), 18 deletions(-) diff --git a/mm/rmap.c b/mm/rmap.c index fb63d9256f09..1320b88fab74 100644 --- a/mm/rmap.c +++ b/mm/rmap.c @@ -1845,23 +1845,32 @@ void folio_remove_rmap_pud(struct folio *folio, struct page *page, #endif } -/* We support batch unmapping of PTEs for lazyfree large folios */ -static inline bool can_batch_unmap_folio_ptes(unsigned long addr, - struct folio *folio, pte_t *ptep) +static inline unsigned int folio_unmap_pte_batch(struct folio *folio, + struct page_vma_mapped_walk *pvmw, + enum ttu_flags flags, pte_t pte) { const fpb_t fpb_flags = FPB_IGNORE_DIRTY | FPB_IGNORE_SOFT_DIRTY; - int max_nr = folio_nr_pages(folio); - pte_t pte = ptep_get(ptep); + unsigned long end_addr, addr = pvmw->address; + struct vm_area_struct *vma = pvmw->vma; + unsigned int max_nr; + + if (flags & TTU_HWPOISON) + return 1; + if (!folio_test_large(folio)) + return 1; + /* We may only batch within a single VMA and a single page table. */ + end_addr = pmd_addr_end(addr, vma->vm_end); + max_nr = (end_addr - addr) >> PAGE_SHIFT; + + /* We only support lazyfree batching for now ... */ if (!folio_test_anon(folio) || folio_test_swapbacked(folio)) - return false; + return 1; if (pte_unused(pte)) - return false; - if (pte_pfn(pte) != folio_pfn(folio)) - return false; + return 1; - return folio_pte_batch(folio, addr, ptep, pte, max_nr, fpb_flags, NULL, - NULL, NULL) == max_nr; + return folio_pte_batch(folio, addr, pvmw->pte, pte, max_nr, fpb_flags, + NULL, NULL, NULL); } /* @@ -2024,9 +2033,7 @@ static bool try_to_unmap_one(struct folio *folio, struct vm_area_struct *vma, if (pte_dirty(pteval)) folio_mark_dirty(folio); } else if (likely(pte_present(pteval))) { - if (folio_test_large(folio) && !(flags & TTU_HWPOISON) && - can_batch_unmap_folio_ptes(address, folio, pvmw.pte)) - nr_pages = folio_nr_pages(folio); + nr_pages = folio_unmap_pte_batch(folio, &pvmw, flags, pteval); end_addr = address + nr_pages * PAGE_SIZE; flush_cache_range(vma, address, end_addr); @@ -2206,13 +2213,16 @@ static bool try_to_unmap_one(struct folio *folio, struct vm_area_struct *vma, hugetlb_remove_rmap(folio); } else { folio_remove_rmap_ptes(folio, subpage, nr_pages, vma); - folio_ref_sub(folio, nr_pages - 1); } if (vma->vm_flags & VM_LOCKED) mlock_drain_local(); - folio_put(folio); - /* We have already batched the entire folio */ - if (nr_pages > 1) + folio_put_refs(folio, nr_pages); + + /* + * If we are sure that we batched the entire folio and cleared + * all PTEs, we can just optimize and stop right here. + */ + if (nr_pages == folio_nr_pages(folio)) goto walk_done; continue; walk_abort: -- 2.49.0

2 months

6
7
0 0

[PATCH 5.4 000/148] 5.4.296-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.4.296 release. There are 148 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Jul 2025 13:07:32 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.296-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.4.296-rc1 Georg Kohmann <geokohma(a)cisco.com> net: ipv6: Discard next-hop MTU less than minimum link MTU Jann Horn <jannh(a)google.com> x86/mm: Disable hugetlb page table sharing on 32-bit Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Zhang Heng <zhangheng(a)kylinos.cn> HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Nicolas Pitre <npitre(a)baylibre.com> vt: add missing notification when switching back to text mode Xiaowei Li <xiaowei.li(a)simcom.com> net: usb: qmi_wwan: add SIMCom 8230C composition Thomas Fourier <fourier.thomas(a)gmail.com> atm: idt77252: Add missing `dma_map_error()` Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix DCB ETS validation Sean Nyekjaer <sean(a)geanix.com> can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Oleksij Rempel <linux(a)rempel-privat.de> net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Kito Xu <veritas501(a)foxmail.com> net: appletalk: Fix device refcount leak in atrtr_create() Wang Jinchao <wangjinchao600(a)gmail.com> md/raid1: Fix stack memory use after return in raid1_reshape Daniil Dulov <d.dulov(a)aladdin.ru> wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Christian König <christian.koenig(a)amd.com> dma-buf: fix timeout handling in dma_resv_wait_timeout v2 Nilton Perim Neto <niltonperimneto(a)gmail.com> Input: xpad - support Acer NGR 200 Controller Vicki Pfau <vi(a)endrift.com> Input: xpad - add VID for Turtle Beach controllers Matt Reynolds <mattreynolds(a)chromium.org> Input: xpad - add support for Amazon Game Controller Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4/flexfiles: Fix handling of NFS level errors in I/O Tigran Mkrtchyan <tigran.mkrtchyan(a)desy.de> flexfiles/pNFS: update stats on NFS4ERR_DELAY for v4.1 DSes Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix vport loopback for MPV device Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix rmem check in netlink_broadcast_deliver(). Jakub Kicinski <kuba(a)kernel.org> netlink: make sure we allow at least one dump skb Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Ensure to disable clocks in error path Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: battery: negate current when discharging" Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: u_serial: Fix race condition in TTY wakeup Matthew Brost <matthew.brost(a)intel.com> drm/sched: Increment job count before swapping tail spsc queue Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: qcom: msm: mark certain pins as invalid for interrupts JP Kobryn <inwardvessel(a)gmail.com> x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Don't remove sysfs if thresholding sysfs init fails Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Fix threshold limit reset David Howells <dhowells(a)redhat.com> rxrpc: Fix oops due to non-existence of prealloc backlog struct Victor Nogueira <victor(a)mojatatu.com> net/sched: Abort __tc_modify_qdisc if parent class does not exist Yue Haibing <yuehaibing(a)huawei.com> atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix infinite recursive call of clip_push(). Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix memory leak of struct clip_vcc. Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix potential null-ptr-deref in to_atmarpd(). Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_conn_close(). Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix wraparounds of sk->sk_rmem_alloc. Al Viro <viro(a)zeniv.linux.org.uk> fix proc_sys_compare() handling of in-lookup dentries Eric W. Biederman <ebiederm(a)xmission.com> proc: Clear the pieces of proc_inode that proc_evict_inode cares about Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Nathan Chancellor <nathan(a)kernel.org> staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Rollback non processed entities on error Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Send control events for partial succeeds Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Return the number of processed controls Seiji Nishikawa <snishika(a)redhat.com> ACPI: PAD: fix crash in exit_round_robin() Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: displayport: Fix potential deadlock Oliver Neukum <oneukum(a)suse.com> Logitech C-270 even more broken Kohei Enju <enjuk(a)amazon.com> rose: fix dangling neighbour pointers in rose_rt_device_down() Gustavo A. R. Silva <gustavoars(a)kernel.org> net: rose: Fix fall-through warnings for Clang Janusz Krzysztofik <janusz.krzysztofik(a)linux.intel.com> drm/i915/gt: Fix timeline left held on VMA alloc error Dan Carpenter <dan.carpenter(a)linaro.org> drm/i915/selftests: Change mock_request() to return error pointers James Clark <james.clark(a)linaro.org> spi: spi-fsl-dspi: Clear completion counter before initiating transfer Vladimir Oltean <vladimir.oltean(a)nxp.com> spi: spi-fsl-dspi: Fix interrupt-less DMA mode taking an XSPI code path Vladimir Oltean <vladimir.oltean(a)nxp.com> spi: spi-fsl-dspi: Rename fifo_{read,write} and {tx,cmd}_fifo_write Fushuai Wang <wangfushuai(a)baidu.com> dpaa2-eth: fix xdp_rxq_info leak Thomas Fourier <fourier.thomas(a)gmail.com> ethernet: atl1: Add missing DMA mapping error checks and count errors Filipe Manana <fdmanana(a)suse.com> btrfs: use btrfs_record_snapshot_destroy() during rmdir Filipe Manana <fdmanana(a)suse.com> btrfs: propagate last_unlink_trans earlier when doing a rmdir Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix CC counters query for MPV Leon Romanovsky <leon(a)kernel.org> RDMA/core: Create and destroy counters in the ib_core Bart Van Assche <bvanassche(a)acm.org> scsi: ufs: core: Fix spelling of a sysfs attribute name Maíra Canal <mcanal(a)igalia.com> drm/v3d: Disable interrupts before resetting the GPU Sergey Senozhatsky <senozhatsky(a)chromium.org> mtk-sd: reset host->mrq on prepare_data() error Masami Hiramatsu (Google) <mhiramat(a)kernel.org> mtk-sd: Prevent memory corruption from DMA map failure Yue Hu <huyue2(a)yulong.com> mmc: mediatek: use data instead of mrq parameter from msdc_{un}prepare_data() Manivannan Sadhasivam <mani(a)kernel.org> regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods Jerome Neanne <jneanne(a)baylibre.com> regulator: gpio: Add input_supply support in gpio_regulator_config Uladzislau Rezki (Sony) <urezki(a)gmail.com> rcu: Return early if callback is not specified Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> ACPICA: Refuse to evaluate a method if arguments are missing Johannes Berg <johannes.berg(a)intel.com> wifi: ath6kl: remove WARN on bad firmware input Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: drop invalid source address OCB frames Madhavan Srinivasan <maddy(a)linux.ibm.com> powerpc: Fix struct termio related ioctl macros Johannes Berg <johannes.berg(a)intel.com> ata: pata_cs5536: fix build on 32-bit UML Takashi Iwai <tiwai(a)suse.de> ALSA: sb: Force to disable DMAs once when DMA mode is changed Lion Ackermann <nnamrec(a)gmail.com> net/sched: Always pass notifications when child class becomes empty Thomas Fourier <fourier.thomas(a)gmail.com> nui: Fix dma_mapping_error() check Alok Tiwari <alok.a.tiwari(a)oracle.com> enic: fix incorrect MTU comparison in enic_change_mtu() Raju Rangoju <Raju.Rangoju(a)amd.com> amd-xgbe: align CL37 AN sequence as per databook Dan Carpenter <dan.carpenter(a)linaro.org> lib: test_objagg: Set error message in check_expect_hints_stats() Marek Szyprowski <m.szyprowski(a)samsung.com> drm/exynos: fimd: Guard display clock control with runtime PM calls Filipe Manana <fdmanana(a)suse.com> btrfs: fix missing error handling when searching for inode refs during log replay Thomas Fourier <fourier.thomas(a)gmail.com> scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() Kuniyuki Iwashima <kuniyu(a)google.com> nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails. Mark Zhang <markzhang(a)nvidia.com> RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert David Thompson <davthompson(a)nvidia.com> platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment Masami Hiramatsu (Google) <mhiramat(a)kernel.org> mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data RD Babiera <rdbabiera(a)google.com> usb: typec: altmodes/displayport: do not index invalid pin_assignments Ulf Hansson <ulf.hansson(a)linaro.org> Revert "mmc: sdhci: Disable SD card clock before changing parameters" Victor Shih <victor.shih(a)genesyslogic.com.tw> mmc: sdhci: Add a helper function for dump register in dynamic debug mode HarshaVardhana S A <harshavardhana.sa(a)broadcom.com> vsock/vmci: Clear the vmci transport packet properly when initializing it Omar Sandoval <osandov(a)fb.com> btrfs: don't abort filesystem when attempting to snapshot deleted subvolume Dev Jain <dev.jain(a)arm.com> arm64: Restrict pagetable teardown to avoid false warning Nathan Chancellor <nathan(a)kernel.org> s390: Add '-std=gnu11' to decompressor and purgatory CFLAGS Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Check return value when getting default PHY config Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix connecting to next bridge Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() Thierry Reding <treding(a)nvidia.com> drm/tegra: Assign plane type before registration Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix kobject reference count leak Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix memory leak on sysfs attribute creation failure Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix memory leak on kobject creation failure Heinz Mauelshagen <heinzm(a)redhat.com> dm-raid: fix variable in journal device check Frédéric Danis <frederic.danis(a)collabora.com> Bluetooth: L2CAP: Fix L2CAP MTU negotiation Kuniyuki Iwashima <kuniyu(a)google.com> atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). Simon Horman <horms(a)kernel.org> net: enetc: Correct endianness handling in _enetc_rd_reg64 Tiwei Bie <tiwei.btw(a)antgroup.com> um: ubd: Add missing error check in start_io_thread() Stefano Garzarella <sgarzare(a)redhat.com> vsock/uapi: fix linux/vm_sockets.h userspace compilation errors Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: fix beacon interval calculation overflow Al Viro <viro(a)zeniv.linux.org.uk> attach_recursive_mnt(): do not lock the covering tree when sliding something under it Youngjun Lee <yjjuny.lee(a)samsung.com> ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: robotfuzz-osif: disable zero-length read messages Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: tiny-usb: disable zero-length read messages Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction Weihang Li <liweihang(a)huawei.com> RDMA/core: Use refcount_t instead of atomic_t on refcount of iwcm_id_private Denis Arefev <arefev(a)swemel.ru> media: vivid: Change the siize of the composing Marek Szyprowski <m.szyprowski(a)samsung.com> media: omap3isp: use sgtable-based scatterlist wrappers Edward Adam Davis <eadavis(a)qq.com> media: cxusb: no longer judge rbuf when the write fails Sean Young <sean(a)mess.org> media: cxusb: use dev_dbg() rather than hand-rolled debug Vasiliy Kovalev <kovalev(a)altlinux.org> jfs: validate AG parameters in dbMount() to prevent crashes Dave Kleikamp <dave.kleikamp(a)oracle.com> fs/jfs: consolidate sanity checking in dbMount Martin Blumenstingl <martin.blumenstingl(a)googlemail.com> ASoC: meson: meson-card-utils: use of_property_present() for DT parsing Rob Herring <robh(a)kernel.org> of: Add of_property_present() helper Michael Walle <michael(a)walle.cc> of: property: define of_property_read_u{8,16,32,64}_array() unconditionally Arnd Bergmann <arnd(a)arndb.de> kbuild: hdrcheck: fix cross build with clang Masahiro Yamada <masahiroy(a)kernel.org> kbuild: add --target to correctly cross-compile UAPI headers with Clang Masahiro Yamada <masahiroy(a)kernel.org> bpfilter: match bit size of bpfilter_umh to that of the kernel Masahiro Yamada <masahiroy(a)kernel.org> kbuild: use -MMD instead of -MD to exclude system headers from dependency Wupeng Ma <mawupeng1(a)huawei.com> VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify George Kennedy <george.kennedy(a)oracle.com> VMCI: check context->notify_page after call to get_user_pages_fast() to avoid GPF Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix read_stb function and get_stb ioctl Dave Penkler <dpenkler(a)gmail.com> USB: usbtmc: Add USBTMC_IOCTL_GET_STB Dave Penkler <dpenkler(a)gmail.com> USB: usbtmc: Fix reading stale status byte Kees Cook <kees(a)kernel.org> ovl: Check for NULL d_inode() in ovl_dentry_upper() Dmitry Kandybka <d.kandybka(a)gmail.com> ceph: fix possible integer overflow in ceph_zero_objects() Cezary Rojewski <cezary.rojewski(a)intel.com> ALSA: hda: Ignore unsol events for cards being shut down Jos Wang <joswang(a)lenovo.com> usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode Robert Hodaszi <robert.hodaszi(a)digi.com> usb: cdc-wdm: avoid setting WDM_READ for ZLP-s Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> usb: Add checks for snprintf() calls in usb_alloc_dev() Jakub Lewalski <jakub.lewalski(a)nokia.com> tty: serial: uartlite: register uart driver in init Chen Yufeng <chenyufeng(a)iie.ac.cn> usb: potential integer overflow in usbg_make_tpg() Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: pressure: zpa2326: Use aligned_s64 for the timestamp Yu Kuai <yukuai3(a)huawei.com> md/md-bitmap: fix dm-raid max_write_behind setting Thomas Gessler <thomas.gessler(a)brueckmann-gmbh.de> dmaengine: xilinx_dma: Set dma_device directions Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> mfd: max14577: Fix wakeup source leaks on device unbind Peng Fan <peng.fan(a)nxp.com> mailbox: Not protect module_put with spin_lock_irqsave Pali Rohár <pali(a)kernel.org> cifs: Fix cifs_query_path_info() for Windows NT servers ------------- Diffstat: Documentation/ABI/testing/sysfs-driver-ufs | 2 +- Makefile | 4 +- arch/arm64/mm/mmu.c | 3 +- arch/powerpc/include/uapi/asm/ioctls.h | 8 +- arch/s390/Makefile | 2 +- arch/s390/purgatory/Makefile | 2 +- arch/um/drivers/ubd_user.c | 2 +- arch/x86/Kconfig | 2 +- arch/x86/kernel/cpu/mce/amd.c | 15 +- arch/x86/kernel/cpu/mce/core.c | 8 +- arch/x86/kernel/cpu/mce/intel.c | 1 + drivers/acpi/acpi_pad.c | 7 +- drivers/acpi/acpica/dsmethod.c | 7 + drivers/acpi/battery.c | 19 +- drivers/ata/pata_cs5536.c | 2 +- drivers/atm/idt77252.c | 5 + drivers/dma-buf/dma-resv.c | 5 +- drivers/dma/xilinx/xilinx_dma.c | 2 + drivers/gpu/drm/bridge/cdns-dsi.c | 11 +- drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 + drivers/gpu/drm/exynos/exynos_drm_fimd.c | 12 + drivers/gpu/drm/i915/gt/intel_ringbuffer.c | 3 +- drivers/gpu/drm/i915/selftests/i915_request.c | 20 +- drivers/gpu/drm/i915/selftests/mock_request.c | 2 +- drivers/gpu/drm/tegra/dc.c | 12 +- drivers/gpu/drm/tegra/hub.c | 4 +- drivers/gpu/drm/tegra/hub.h | 3 +- drivers/gpu/drm/v3d/v3d_drv.h | 9 + drivers/gpu/drm/v3d/v3d_gem.c | 2 + drivers/gpu/drm/v3d/v3d_irq.c | 36 ++- drivers/hid/hid-ids.h | 5 + drivers/hid/hid-quirks.c | 3 + drivers/hid/wacom_sys.c | 6 +- drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 + drivers/i2c/busses/i2c-tiny-usb.c | 6 + drivers/iio/pressure/zpa2326.c | 2 +- drivers/infiniband/core/device.c | 1 + drivers/infiniband/core/iwcm.c | 38 +-- drivers/infiniband/core/iwcm.h | 2 +- .../infiniband/core/uverbs_std_types_counters.c | 17 +- drivers/infiniband/hw/mlx5/devx.c | 2 +- drivers/infiniband/hw/mlx5/main.c | 55 ++-- drivers/input/joystick/xpad.c | 5 + drivers/input/keyboard/atkbd.c | 3 +- drivers/mailbox/mailbox.c | 2 +- drivers/md/dm-raid.c | 2 +- drivers/md/md-bitmap.c | 2 +- drivers/md/raid1.c | 1 + drivers/media/platform/omap3isp/ispccdc.c | 8 +- drivers/media/platform/omap3isp/ispstat.c | 6 +- drivers/media/platform/vivid/vivid-vid-cap.c | 2 +- drivers/media/usb/dvb-usb/cxusb.c | 36 ++- drivers/media/usb/uvc/uvc_ctrl.c | 61 +++-- drivers/mfd/max14577.c | 1 + drivers/misc/vmw_vmci/vmci_host.c | 9 +- drivers/mmc/host/mtk-sd.c | 39 ++- drivers/mmc/host/sdhci.c | 9 +- drivers/mmc/host/sdhci.h | 16 ++ drivers/net/can/m_can/m_can.c | 2 +- drivers/net/ethernet/amd/xgbe/xgbe-common.h | 2 + drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 9 + drivers/net/ethernet/amd/xgbe/xgbe.h | 4 +- drivers/net/ethernet/atheros/atlx/atl1.c | 78 ++++-- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- drivers/net/ethernet/cisco/enic/enic_main.c | 4 +- drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 26 +- drivers/net/ethernet/freescale/enetc/enetc_hw.h | 2 +- drivers/net/ethernet/sun/niu.c | 31 ++- drivers/net/ethernet/sun/niu.h | 4 + drivers/net/phy/microchip.c | 2 +- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/wireless/ath/ath6kl/bmi.c | 4 +- drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +- drivers/pinctrl/qcom/pinctrl-msm.c | 20 ++ drivers/platform/mellanox/mlxbf-tmfifo.c | 3 +- drivers/pwm/pwm-mediatek.c | 15 +- drivers/regulator/gpio-regulator.c | 19 +- drivers/scsi/qla4xxx/ql4_os.c | 2 + drivers/scsi/ufs/ufs-sysfs.c | 4 +- drivers/spi/spi-fsl-dspi.c | 55 ++-- drivers/staging/rtl8723bs/core/rtw_security.c | 46 +--- drivers/tty/serial/uartlite.c | 15 +- drivers/tty/vt/vt.c | 1 + drivers/usb/class/cdc-wdm.c | 23 +- drivers/usb/class/usbtmc.c | 53 ++-- drivers/usb/core/quirks.c | 3 +- drivers/usb/core/usb.c | 14 +- drivers/usb/gadget/function/f_tcm.c | 4 +- drivers/usb/gadget/function/u_serial.c | 6 +- drivers/usb/typec/altmodes/displayport.c | 5 +- fs/btrfs/inode.c | 36 +-- fs/btrfs/ioctl.c | 3 + fs/btrfs/tree-log.c | 4 +- fs/ceph/file.c | 2 +- fs/cifs/misc.c | 8 + fs/jfs/jfs_dmap.c | 41 +-- fs/namespace.c | 8 +- fs/nfs/flexfilelayout/flexfilelayout.c | 144 +++++++--- fs/nfs/inode.c | 17 +- fs/overlayfs/util.c | 4 +- fs/proc/inode.c | 16 +- fs/proc/proc_sysctl.c | 18 +- include/drm/spsc_queue.h | 4 +- include/linux/of.h | 291 ++++++++++----------- include/linux/regulator/gpio-regulator.h | 2 + include/linux/usb/typec_dp.h | 1 + include/rdma/ib_verbs.h | 7 +- include/uapi/linux/usb/tmc.h | 2 + include/uapi/linux/vm_sockets.h | 4 + init/Kconfig | 4 +- kernel/rcu/tree.c | 4 + lib/test_objagg.c | 4 +- net/appletalk/ddp.c | 1 + net/atm/clip.c | 64 +++-- net/atm/resources.c | 3 +- net/bluetooth/l2cap_core.c | 9 +- net/bpfilter/Makefile | 5 +- net/ipv6/route.c | 3 +- net/mac80211/rx.c | 4 + net/mac80211/util.c | 2 +- net/netlink/af_netlink.c | 90 ++++--- net/rose/rose_route.c | 15 +- net/rxrpc/call_accept.c | 3 + net/sched/sch_api.c | 42 +-- net/tipc/topsrv.c | 2 + net/vmw_vsock/vmci_transport.c | 4 +- scripts/Kbuild.include | 2 +- scripts/Makefile.host | 4 +- scripts/Makefile.lib | 8 +- sound/isa/sb/sb16_main.c | 4 + sound/pci/hda/hda_bind.c | 2 +- sound/soc/meson/meson-card-utils.c | 2 +- sound/usb/stream.c | 2 + usr/include/Makefile | 6 +- 135 files changed, 1221 insertions(+), 706 deletions(-)

2 months

4
153
0 0

[PATCH 5.15 00/77] 5.15.189-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.15.189 release. There are 77 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Jul 2025 13:07:32 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.189-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.15.189-rc1 Jack Wang <jinpu.wang(a)ionos.com> x86: Fix X86_FEATURE_VERW_CLEAR definition Jann Horn <jannh(a)google.com> x86/mm: Disable hugetlb page table sharing on 32-bit Dongli Zhang <dongli.zhang(a)oracle.com> vhost-scsi: protect vq->log_used with vq->mutex Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Zhang Heng <zhangheng(a)kylinos.cn> HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Nicolas Pitre <npitre(a)baylibre.com> vt: add missing notification when switching back to text mode Akira Inoue <niyarium(a)gmail.com> HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Xiaowei Li <xiaowei.li(a)simcom.com> net: usb: qmi_wwan: add SIMCom 8230C composition Tiwei Bie <tiwei.btw(a)antgroup.com> um: vector: Reduce stack usage in vector_eth_configure() Thomas Fourier <fourier.thomas(a)gmail.com> atm: idt77252: Add missing `dma_map_error()` Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix DCB ETS validation Alok Tiwari <alok.a.tiwari(a)oracle.com> net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Sean Nyekjaer <sean(a)geanix.com> can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Oleksij Rempel <linux(a)rempel-privat.de> net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Kito Xu <veritas501(a)foxmail.com> net: appletalk: Fix device refcount leak in atrtr_create() Eric Dumazet <edumazet(a)google.com> netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() Al Viro <viro(a)zeniv.linux.org.uk> ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Stefan Metzmacher <metze(a)samba.org> smb: server: make use of rdma_destroy_qp() Zheng Qixing <zhengqixing(a)huawei.com> nbd: fix uaf in nbd_genl_connect() error path Nigel Croxon <ncroxon(a)redhat.com> raid10: cleanup memleak at raid10_make_request Wang Jinchao <wangjinchao600(a)gmail.com> md/raid1: Fix stack memory use after return in raid1_reshape Daniil Dulov <d.dulov(a)aladdin.ru> wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Kurt Borja <kuurtb(a)gmail.com> platform/x86: think-lmi: Fix sysfs group cleanup Christian König <christian.koenig(a)amd.com> dma-buf: fix timeout handling in dma_resv_wait_timeout v2 Christian König <christian.koenig(a)amd.com> dma-buf: use new iterator in dma_resv_wait_timeout Christian König <christian.koenig(a)amd.com> dma-buf: add dma_resv_for_each_fence_unlocked v8 Kuen-Han Tsai <khtsai(a)google.com> usb: dwc3: Abort suspend on soft disconnect failure Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: Fix issue with CV Bad Descriptor test Lee Jones <lee(a)kernel.org> usb: cdnsp: Replace snprintf() with the safer scnprintf() variant Pawel Laszczak <pawell(a)cadence.com> usb:cdnsp: remove TRB_FLUSH_ENDPOINT command Nilton Perim Neto <niltonperimneto(a)gmail.com> Input: xpad - support Acer NGR 200 Controller Hongyu Xie <xiehongyu1(a)kylinos.cn> xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS Raju Rangoju <Raju.Rangoju(a)amd.com> usb: xhci: quirk for data loss in ISOC transfers Basavaraj Natikar <Basavaraj.Natikar(a)amd.com> xhci: Allow RPM on the USB controller (1022:43f7) by default Bui Quang Minh <minhquangbui99(a)gmail.com> virtio-net: ensure the received length does not exceed allocated size Jakub Kicinski <kuba(a)kernel.org> netlink: make sure we allow at least one dump skb Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix rmem check in netlink_broadcast_deliver(). Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Ensure to disable clocks in error path Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix vport loopback for MPV device Filipe Manana <fdmanana(a)suse.com> btrfs: use btrfs_record_snapshot_destroy() during rmdir Filipe Manana <fdmanana(a)suse.com> btrfs: propagate last_unlink_trans earlier when doing a rmdir Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: battery: negate current when discharging" Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: u_serial: Fix race condition in TTY wakeup Simona Vetter <simona.vetter(a)ffwll.ch> drm/gem: Fix race in drm_gem_handle_create_tail() Matthew Brost <matthew.brost(a)intel.com> drm/sched: Increment job count before swapping tail spsc queue Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: qcom: msm: mark certain pins as invalid for interrupts Guillaume Nault <gnault(a)redhat.com> gre: Fix IPv6 multicast route creation. JP Kobryn <inwardvessel(a)gmail.com> x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Don't remove sysfs if thresholding sysfs init fails Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Fix threshold limit reset Juergen Gross <jgross(a)suse.com> xen: replace xen_remap() with memremap() Edward Adam Davis <eadavis(a)qq.com> jfs: fix null ptr deref in dtInsertEntry John Fastabend <john.fastabend(a)gmail.com> bpf, sockmap: Fix skb refcnt race after locking changes Maksim Kiselev <bigunclemax(a)gmail.com> aoe: avoid potential deadlock at set_capacity Lee, Chun-Yi <joeyli.kernel(a)gmail.com> thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR Andrii Nakryiko <andrii(a)kernel.org> bpf: fix precision backtracking instruction iteration David Howells <dhowells(a)redhat.com> rxrpc: Fix oops due to non-existence of prealloc backlog struct Jesse Brandeburg <jesse.brandeburg(a)intel.com> ice: safer stats processing Oleg Nesterov <oleg(a)redhat.com> fs/proc: do_task_stat: use __for_each_thread() Victor Nogueira <victor(a)mojatatu.com> net/sched: Abort __tc_modify_qdisc if parent class does not exist Yue Haibing <yuehaibing(a)huawei.com> atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix infinite recursive call of clip_push(). Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix memory leak of struct clip_vcc. Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix potential null-ptr-deref in to_atmarpd(). Oleksij Rempel <linux(a)rempel-privat.de> net: phy: smsc: Fix link failure in forced mode with Auto-MDIX Oleksij Rempel <linux(a)rempel-privat.de> net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap Michal Luczaj <mhal(a)rbox.co> vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_* TOCTOU Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_{g2h,h2g} TOCTOU Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_conn_close(). Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix wraparounds of sk->sk_rmem_alloc. Al Viro <viro(a)zeniv.linux.org.uk> fix proc_sys_compare() handling of in-lookup dentries Peter Zijlstra <peterz(a)infradead.org> perf: Revert to requiring CAP_SYS_ADMIN for uprobes Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling ------------- Diffstat: Makefile | 4 +- arch/um/drivers/vector_kern.c | 42 +-- arch/x86/Kconfig | 2 +- arch/x86/include/asm/cpufeatures.h | 2 +- arch/x86/include/asm/xen/page.h | 3 - arch/x86/kernel/cpu/mce/amd.c | 15 +- arch/x86/kernel/cpu/mce/core.c | 8 +- arch/x86/kernel/cpu/mce/intel.c | 1 + drivers/acpi/battery.c | 19 +- drivers/atm/idt77252.c | 5 + drivers/block/aoe/aoeblk.c | 5 +- drivers/block/nbd.c | 6 +- drivers/dma-buf/dma-resv.c | 171 ++++++---- drivers/gpu/drm/drm_gem.c | 10 +- drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 + drivers/hid/hid-ids.h | 6 + drivers/hid/hid-lenovo.c | 8 + drivers/hid/hid-multitouch.c | 8 +- drivers/hid/hid-quirks.c | 3 + drivers/infiniband/hw/mlx5/main.c | 33 ++ drivers/input/joystick/xpad.c | 2 + drivers/input/keyboard/atkbd.c | 3 +- drivers/md/raid1.c | 1 + drivers/md/raid10.c | 10 +- drivers/net/can/m_can/m_can.c | 2 +- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- drivers/net/ethernet/intel/ice/ice_main.c | 29 +- drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +- drivers/net/phy/microchip.c | 2 +- drivers/net/phy/smsc.c | 28 +- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/virtio_net.c | 44 ++- drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +- drivers/pinctrl/qcom/pinctrl-msm.c | 20 ++ drivers/platform/x86/think-lmi.c | 35 +- drivers/pwm/pwm-mediatek.c | 15 +- .../intel/int340x_thermal/int3400_thermal.c | 9 +- drivers/tty/hvc/hvc_xen.c | 2 +- drivers/tty/vt/vt.c | 1 + drivers/usb/cdns3/cdnsp-debug.h | 358 ++++++++++----------- drivers/usb/cdns3/cdnsp-ep0.c | 18 +- drivers/usb/cdns3/cdnsp-gadget.c | 6 +- drivers/usb/cdns3/cdnsp-gadget.h | 11 +- drivers/usb/cdns3/cdnsp-ring.c | 27 +- drivers/usb/dwc3/core.c | 9 +- drivers/usb/dwc3/gadget.c | 22 +- drivers/usb/gadget/function/u_serial.c | 6 +- drivers/usb/host/xhci-mem.c | 4 + drivers/usb/host/xhci-pci.c | 30 +- drivers/usb/host/xhci-plat.c | 3 +- drivers/usb/host/xhci.h | 1 + drivers/vhost/scsi.c | 7 +- drivers/xen/grant-table.c | 6 +- drivers/xen/xenbus/xenbus_probe.c | 3 +- fs/btrfs/inode.c | 36 +-- fs/jfs/jfs_dtree.c | 2 + fs/ksmbd/transport_rdma.c | 5 +- fs/ksmbd/vfs.c | 1 + fs/proc/array.c | 6 +- fs/proc/inode.c | 2 +- fs/proc/proc_sysctl.c | 18 +- include/drm/drm_file.h | 3 + include/drm/spsc_queue.h | 4 +- include/linux/dma-resv.h | 95 ++++++ include/net/netfilter/nf_flow_table.h | 2 +- include/xen/arm/page.h | 3 - kernel/bpf/verifier.c | 21 +- kernel/events/core.c | 2 +- net/appletalk/ddp.c | 1 + net/atm/clip.c | 64 +++- net/core/skmsg.c | 12 +- net/ipv6/addrconf.c | 9 +- net/netlink/af_netlink.c | 90 +++--- net/rxrpc/call_accept.c | 3 + net/sched/sch_api.c | 23 +- net/tipc/topsrv.c | 2 + net/vmw_vsock/af_vsock.c | 57 +++- sound/soc/fsl/fsl_asrc.c | 3 +- 79 files changed, 982 insertions(+), 564 deletions(-)

2 months

5
85
0 0

[PATCH 6.1 00/88] 6.1.146-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.146 release. There are 88 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Jul 2025 13:07:32 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.146-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.146-rc1 Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix potential use-after-free in oplock/lease break ack Yeoreum Yun <yeoreum.yun(a)arm.com> kasan: remove kasan_find_vm_area() to prevent possible deadlock Jack Wang <jinpu.wang(a)ionos.com> x86: Fix X86_FEATURE_VERW_CLEAR definition Jann Horn <jannh(a)google.com> x86/mm: Disable hugetlb page table sharing on 32-bit Dongli Zhang <dongli.zhang(a)oracle.com> vhost-scsi: protect vq->log_used with vq->mutex Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Zhang Heng <zhangheng(a)kylinos.cn> HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Nicolas Pitre <npitre(a)baylibre.com> vt: add missing notification when switching back to text mode Filipe Manana <fdmanana(a)suse.com> btrfs: fix assertion when building free space tree Akira Inoue <niyarium(a)gmail.com> HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Xiaowei Li <xiaowei.li(a)simcom.com> net: usb: qmi_wwan: add SIMCom 8230C composition Yasmin Fitzgerald <sunoflife1.git(a)gmail.com> ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 Yuzuru10 <yuzuru_10(a)proton.me> ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic Tiwei Bie <tiwei.btw(a)antgroup.com> um: vector: Reduce stack usage in vector_eth_configure() Thomas Fourier <fourier.thomas(a)gmail.com> atm: idt77252: Add missing `dma_map_error()` Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix DCB ETS validation Alok Tiwari <alok.a.tiwari(a)oracle.com> net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Sean Nyekjaer <sean(a)geanix.com> can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Oleksij Rempel <linux(a)rempel-privat.de> net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Mingming Cao <mmc(a)linux.ibm.com> ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof Kito Xu <veritas501(a)foxmail.com> net: appletalk: Fix device refcount leak in atrtr_create() Eric Dumazet <edumazet(a)google.com> netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() Chao Yu <chao(a)kernel.org> erofs: fix to add missing tracepoint in erofs_read_folio() Gao Xiang <xiang(a)kernel.org> erofs: adapt folios for z_erofs_read_folio() Gao Xiang <xiang(a)kernel.org> erofs: avoid on-stack pagepool directly passed by arguments Gao Xiang <xiang(a)kernel.org> erofs: allocate extra bvec pages directly instead of retrying Yue Hu <huyue2(a)coolpad.com> erofs: clean up z_erofs_pcluster_readmore() Yue Hu <huyue2(a)coolpad.com> erofs: remove the member readahead from struct z_erofs_decompress_frontend Zheng Qixing <zhengqixing(a)huawei.com> nbd: fix uaf in nbd_genl_connect() error path Nigel Croxon <ncroxon(a)redhat.com> raid10: cleanup memleak at raid10_make_request Wang Jinchao <wangjinchao600(a)gmail.com> md/raid1: Fix stack memory use after return in raid1_reshape Mikko Perttunen <mperttunen(a)nvidia.com> drm/tegra: nvdec: Fix dma_alloc_coherent error check Daniil Dulov <d.dulov(a)aladdin.ru> wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Zhang Rui <rui.zhang(a)intel.com> platform/x86: think-lmi: Fix sysfs group cleanup Kuen-Han Tsai <khtsai(a)google.com> usb: dwc3: Abort suspend on soft disconnect failure Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: Fix issue with CV Bad Descriptor test Lee Jones <lee(a)kernel.org> usb: cdnsp: Replace snprintf() with the safer scnprintf() variant Pawel Laszczak <pawell(a)cadence.com> usb:cdnsp: remove TRB_FLUSH_ENDPOINT command Nilton Perim Neto <niltonperimneto(a)gmail.com> Input: xpad - support Acer NGR 200 Controller Raju Rangoju <Raju.Rangoju(a)amd.com> usb: xhci: quirk for data loss in ISOC transfers Basavaraj Natikar <Basavaraj.Natikar(a)amd.com> xhci: Allow RPM on the USB controller (1022:43f7) by default Filipe Manana <fdmanana(a)suse.com> btrfs: propagate last_unlink_trans earlier when doing a rmdir Shivank Garg <shivankg(a)amd.com> fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass Jakub Kicinski <kuba(a)kernel.org> netlink: make sure we allow at least one dump skb Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix rmem check in netlink_broadcast_deliver(). Al Viro <viro(a)zeniv.linux.org.uk> ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Stefan Metzmacher <metze(a)samba.org> smb: server: make use of rdma_destroy_qp() Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Ensure to disable clocks in error path Wei Yang <richard.weiyang(a)gmail.com> maple_tree: fix mt_destroy_walk() on root leaf node Achill Gilgenast <fossdd(a)pwned.life> kallsyms: fix build without execinfo Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: battery: negate current when discharging" Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: u_serial: Fix race condition in TTY wakeup Simona Vetter <simona.vetter(a)ffwll.ch> drm/gem: Fix race in drm_gem_handle_create_tail() Christian König <christian.koenig(a)amd.com> drm/ttm: fix error handling in ttm_buffer_object_transfer Matthew Brost <matthew.brost(a)intel.com> drm/sched: Increment job count before swapping tail spsc queue Mathy Vanhoef <Mathy.Vanhoef(a)kuleuven.be> wifi: prevent A-MSDU attacks in mesh networks Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: qcom: msm: mark certain pins as invalid for interrupts Håkon Bugge <haakon.bugge(a)oracle.com> md/md-bitmap: fix GPF in bitmap_get_stats() Guillaume Nault <gnault(a)redhat.com> gre: Fix IPv6 multicast route creation. Sean Christopherson <seanjc(a)google.com> KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight David Woodhouse <dwmw(a)amazon.co.uk> KVM: x86/xen: Allow 'out of range' event channel ports in IRQ routing table. JP Kobryn <inwardvessel(a)gmail.com> x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Don't remove sysfs if thresholding sysfs init fails Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Fix threshold limit reset Dan Carpenter <dan.carpenter(a)linaro.org> ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() Alexey Dobriyan <adobriyan(a)gmail.com> x86/boot: Compile boot code with -std=gnu11 too David Howells <dhowells(a)redhat.com> rxrpc: Fix oops due to non-existence of prealloc backlog struct Liam R. Howlett <Liam.Howlett(a)oracle.com> maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() Victor Nogueira <victor(a)mojatatu.com> net/sched: Abort __tc_modify_qdisc if parent class does not exist Yue Haibing <yuehaibing(a)huawei.com> atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix infinite recursive call of clip_push(). Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix memory leak of struct clip_vcc. Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix potential null-ptr-deref in to_atmarpd(). Oleksij Rempel <linux(a)rempel-privat.de> net: phy: smsc: Fix link failure in forced mode with Auto-MDIX Oleksij Rempel <linux(a)rempel-privat.de> net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap Michal Luczaj <mhal(a)rbox.co> vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_* TOCTOU Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_{g2h,h2g} TOCTOU Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_conn_close(). Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix wraparounds of sk->sk_rmem_alloc. Al Viro <viro(a)zeniv.linux.org.uk> fix proc_sys_compare() handling of in-lookup dentries Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix not disabling advertising instance Peter Zijlstra <peterz(a)infradead.org> perf: Revert to requiring CAP_SYS_ADMIN for uprobes Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Rong Zhang <i(a)rong.moe> platform/x86: ideapad-laptop: use usleep_range() for EC polling Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling ------------- Diffstat: Makefile | 4 +- arch/um/drivers/vector_kern.c | 42 +-- arch/x86/Kconfig | 2 +- arch/x86/Makefile | 2 +- arch/x86/include/asm/cpufeatures.h | 2 +- arch/x86/kernel/cpu/mce/amd.c | 15 +- arch/x86/kernel/cpu/mce/core.c | 8 +- arch/x86/kernel/cpu/mce/intel.c | 1 + arch/x86/kvm/svm/sev.c | 4 + arch/x86/kvm/xen.c | 15 +- drivers/acpi/battery.c | 19 +- drivers/atm/idt77252.c | 5 + drivers/block/nbd.c | 6 +- drivers/char/ipmi/ipmi_msghandler.c | 3 +- drivers/gpu/drm/drm_gem.c | 10 +- drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 + drivers/gpu/drm/tegra/nvdec.c | 6 +- drivers/gpu/drm/ttm/ttm_bo_util.c | 13 +- drivers/hid/hid-ids.h | 6 + drivers/hid/hid-lenovo.c | 8 + drivers/hid/hid-multitouch.c | 8 +- drivers/hid/hid-quirks.c | 3 + drivers/input/joystick/xpad.c | 2 + drivers/input/keyboard/atkbd.c | 3 +- drivers/md/md-bitmap.c | 3 +- drivers/md/raid1.c | 1 + drivers/md/raid10.c | 10 +- drivers/net/can/m_can/m_can.c | 2 +- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- drivers/net/ethernet/ibm/ibmvnic.h | 8 +- drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +- drivers/net/phy/microchip.c | 2 +- drivers/net/phy/smsc.c | 28 +- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +- drivers/pinctrl/qcom/pinctrl-msm.c | 20 ++ drivers/platform/x86/ideapad-laptop.c | 19 +- drivers/powercap/intel_rapl_common.c | 22 +- drivers/pwm/pwm-mediatek.c | 13 +- drivers/tty/vt/vt.c | 1 + drivers/usb/cdns3/cdnsp-debug.h | 358 +++++++++++++------------- drivers/usb/cdns3/cdnsp-ep0.c | 18 +- drivers/usb/cdns3/cdnsp-gadget.c | 6 +- drivers/usb/cdns3/cdnsp-gadget.h | 11 +- drivers/usb/cdns3/cdnsp-ring.c | 27 +- drivers/usb/dwc3/core.c | 9 +- drivers/usb/dwc3/gadget.c | 22 +- drivers/usb/gadget/function/u_serial.c | 6 +- drivers/usb/host/xhci-mem.c | 4 + drivers/usb/host/xhci-pci.c | 30 ++- drivers/usb/host/xhci.h | 1 + drivers/vhost/scsi.c | 7 +- fs/anon_inodes.c | 23 +- fs/btrfs/free-space-tree.c | 16 +- fs/btrfs/inode.c | 28 +- fs/erofs/data.c | 2 + fs/erofs/zdata.c | 124 ++++----- fs/proc/inode.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/smb/server/smb2pdu.c | 29 +-- fs/smb/server/transport_rdma.c | 5 +- fs/smb/server/vfs.c | 1 + include/drm/drm_file.h | 3 + include/drm/spsc_queue.h | 4 +- include/linux/fs.h | 2 + include/net/netfilter/nf_flow_table.h | 2 +- include/trace/events/erofs.h | 16 +- kernel/events/core.c | 2 +- lib/maple_tree.c | 7 +- mm/kasan/report.c | 13 +- mm/secretmem.c | 11 +- net/appletalk/ddp.c | 1 + net/atm/clip.c | 64 +++-- net/bluetooth/hci_sync.c | 2 +- net/ipv6/addrconf.c | 9 +- net/netlink/af_netlink.c | 90 ++++--- net/rxrpc/call_accept.c | 3 + net/sched/sch_api.c | 23 +- net/tipc/topsrv.c | 2 + net/vmw_vsock/af_vsock.c | 57 +++- net/wireless/util.c | 52 +++- sound/pci/hda/patch_realtek.c | 1 + sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/fsl/fsl_asrc.c | 3 +- tools/include/linux/kallsyms.h | 4 + 86 files changed, 876 insertions(+), 582 deletions(-)

2 months

5
92
0 0

[PATCH 6.6 000/109] 6.6.99-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.99 release. There are 109 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Jul 2025 13:07:32 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.99-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.99-rc1 Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix potential use-after-free in oplock/lease break ack Yeoreum Yun <yeoreum.yun(a)arm.com> kasan: remove kasan_find_vm_area() to prevent possible deadlock Paulo Alcantara <pc(a)manguebit.com> smb: client: fix potential race in cifs_put_tcon() Willem de Bruijn <willemb(a)google.com> selftests/bpf: adapt one more case in test_lru_map to the new target_free Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Zhang Heng <zhangheng(a)kylinos.cn> HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Willem de Bruijn <willemb(a)google.com> bpf: Adjust free target to avoid global starvation of LRU map Nicolas Pitre <npitre(a)baylibre.com> vt: add missing notification when switching back to text mode Filipe Manana <fdmanana(a)suse.com> btrfs: fix assertion when building free space tree Long Li <longli(a)microsoft.com> net: mana: Record doorbell physical address in PF mode Akira Inoue <niyarium(a)gmail.com> HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Xiaowei Li <xiaowei.li(a)simcom.com> net: usb: qmi_wwan: add SIMCom 8230C composition Yasmin Fitzgerald <sunoflife1.git(a)gmail.com> ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 Yuzuru10 <yuzuru_10(a)proton.me> ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic Fengnan Chang <changfengnan(a)bytedance.com> io_uring: make fallocate be hashed work Tiwei Bie <tiwei.btw(a)antgroup.com> um: vector: Reduce stack usage in vector_eth_configure() Thomas Fourier <fourier.thomas(a)gmail.com> atm: idt77252: Add missing `dma_map_error()` Ronnie Sahlberg <rsahlberg(a)whamcloud.com> ublk: sanity check add_dev input for underflow Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix DCB ETS validation Alok Tiwari <alok.a.tiwari(a)oracle.com> net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Sean Nyekjaer <sean(a)geanix.com> can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Mingming Cao <mmc(a)linux.ibm.com> ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof Kito Xu <veritas501(a)foxmail.com> net: appletalk: Fix device refcount leak in atrtr_create() Eric Dumazet <edumazet(a)google.com> netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() Zheng Qixing <zhengqixing(a)huawei.com> nbd: fix uaf in nbd_genl_connect() error path Nigel Croxon <ncroxon(a)redhat.com> raid10: cleanup memleak at raid10_make_request Wang Jinchao <wangjinchao600(a)gmail.com> md/raid1: Fix stack memory use after return in raid1_reshape Mikko Perttunen <mperttunen(a)nvidia.com> drm/tegra: nvdec: Fix dma_alloc_coherent error check Daniil Dulov <d.dulov(a)aladdin.ru> wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Shyam Prasad N <sprasad(a)microsoft.com> cifs: all initializations for tcon should happen in tcon_info_alloc Paulo Alcantara <pc(a)manguebit.com> smb: client: fix DFS interlink failover Paulo Alcantara <pc(a)manguebit.com> smb: client: avoid unnecessary reconnects when refreshing referrals Kuen-Han Tsai <khtsai(a)google.com> usb: dwc3: Abort suspend on soft disconnect failure Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: Fix issue with CV Bad Descriptor test Lee Jones <lee(a)kernel.org> usb: cdnsp: Replace snprintf() with the safer scnprintf() variant Pawel Laszczak <pawell(a)cadence.com> usb:cdnsp: remove TRB_FLUSH_ENDPOINT command Filipe Manana <fdmanana(a)suse.com> btrfs: fix inode lookup error handling during log replay Filipe Manana <fdmanana(a)suse.com> btrfs: return a btrfs_inode from btrfs_iget_logging() Filipe Manana <fdmanana(a)suse.com> btrfs: remove redundant root argument from fixup_inode_link_count() Filipe Manana <fdmanana(a)suse.com> btrfs: remove redundant root argument from btrfs_update_inode_fallback() Filipe Manana <fdmanana(a)suse.com> btrfs: remove noinline from btrfs_update_inode() Jakub Kicinski <kuba(a)kernel.org> netlink: make sure we allow at least one dump skb Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix rmem check in netlink_broadcast_deliver(). Chao Yu <chao(a)kernel.org> erofs: fix to add missing tracepoint in erofs_read_folio() Al Viro <viro(a)zeniv.linux.org.uk> ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Stefan Metzmacher <metze(a)samba.org> smb: server: make use of rdma_destroy_qp() Jann Horn <jannh(a)google.com> x86/mm: Disable hugetlb page table sharing on 32-bit Mikhail Paulyshka <me(a)mixaill.net> x86/rdrand: Disable RDSEED on AMD Cyan Skillfish Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Ensure to disable clocks in error path Alexander Gordeev <agordeev(a)linux.ibm.com> mm/vmalloc: leave lazy MMU mode on PTE mapping error Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: fix interrupts.py after maple tree conversion Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: de-reference per-CPU MCE interrupts Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: fix interrupts display after MCP on x86 Baolin Wang <baolin.wang(a)linux.alibaba.com> mm: fix the inaccurate memory statistics issue for users Wei Yang <richard.weiyang(a)gmail.com> maple_tree: fix mt_destroy_walk() on root leaf node Achill Gilgenast <fossdd(a)pwned.life> kallsyms: fix build without execinfo Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: battery: negate current when discharging" Thomas Zimmermann <tzimmermann(a)suse.de> drm/framebuffer: Acquire internal references on GEM handles Kuen-Han Tsai <khtsai(a)google.com> Revert "usb: gadget: u_serial: Add null pointer check in gs_start_io" Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: u_serial: Fix race condition in TTY wakeup Simona Vetter <simona.vetter(a)ffwll.ch> drm/gem: Fix race in drm_gem_handle_create_tail() Christian König <christian.koenig(a)amd.com> drm/ttm: fix error handling in ttm_buffer_object_transfer Matthew Brost <matthew.brost(a)intel.com> drm/sched: Increment job count before swapping tail spsc queue Thomas Zimmermann <tzimmermann(a)suse.de> drm/gem: Acquire references on GEM handles for framebuffers Mathy Vanhoef <Mathy.Vanhoef(a)kuleuven.be> wifi: prevent A-MSDU attacks in mesh networks Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: qcom: msm: mark certain pins as invalid for interrupts Håkon Bugge <haakon.bugge(a)oracle.com> md/md-bitmap: fix GPF in bitmap_get_stats() Guillaume Nault <gnault(a)redhat.com> gre: Fix IPv6 multicast route creation. Sean Christopherson <seanjc(a)google.com> KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight David Woodhouse <dwmw(a)amazon.co.uk> KVM: x86/xen: Allow 'out of range' event channel ports in IRQ routing table. JP Kobryn <inwardvessel(a)gmail.com> x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Don't remove sysfs if thresholding sysfs init fails Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Fix threshold limit reset Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Add default names for MCA banks and blocks Dan Carpenter <dan.carpenter(a)linaro.org> ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() David Howells <dhowells(a)redhat.com> rxrpc: Fix oops due to non-existence of prealloc backlog struct Christian Eggers <ceggers(a)arri.de> Bluetooth: HCI: Set extended advertising data synchronously Leo Yan <leo.yan(a)arm.com> perf: build: Setup PKG_CONFIG_LIBDIR for cross compilation Liam R. Howlett <Liam.Howlett(a)oracle.com> maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() David Howells <dhowells(a)redhat.com> rxrpc: Fix bug due to prealloc collision Victor Nogueira <victor(a)mojatatu.com> net/sched: Abort __tc_modify_qdisc if parent class does not exist Yue Haibing <yuehaibing(a)huawei.com> atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix infinite recursive call of clip_push(). Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix memory leak of struct clip_vcc. Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix potential null-ptr-deref in to_atmarpd(). Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Fix link failure in forced mode with Auto-MDIX Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Force predictable MDI-X state on LAN87xx Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap EricChan <chenchuangyu(a)xiaomi.com> net: stmmac: Fix interrupt handling for level-triggered mode in DWC_XGMAC2 Michal Luczaj <mhal(a)rbox.co> vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_* TOCTOU Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_{g2h,h2g} TOCTOU Jiayuan Chen <jiayuan.chen(a)linux.dev> tcp: Correct signedness in skb remaining space calculation Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_conn_close(). Stefano Garzarella <sgarzare(a)redhat.com> vsock: fix `vsock_proto` declaration Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix wraparounds of sk->sk_rmem_alloc. Al Viro <viro(a)zeniv.linux.org.uk> fix proc_sys_compare() handling of in-lookup dentries Mario Limonciello <mario.limonciello(a)amd.com> pinctrl: amd: Clear GPIO debounce for suspend Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix not disabling advertising instance Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: cs35l56: probe() should fail if the device ID is not recognized Peter Zijlstra <peterz(a)infradead.org> perf: Revert to requiring CAP_SYS_ADMIN for uprobes Luo Gengkun <luogengkun(a)huaweicloud.com> perf/core: Fix the WARN_ON_ONCE is out of lock protected region Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Linus Torvalds <torvalds(a)linux-foundation.org> eventpoll: don't decrement ep refcount while still holding the ep mutex ------------- Diffstat: Documentation/bpf/map_hash.rst | 8 +- Documentation/bpf/map_lru_hash_update.dot | 6 +- Makefile | 4 +- arch/um/drivers/vector_kern.c | 42 +-- arch/x86/Kconfig | 2 +- arch/x86/include/asm/msr-index.h | 1 + arch/x86/kernel/cpu/amd.c | 7 + arch/x86/kernel/cpu/mce/amd.c | 28 +- arch/x86/kernel/cpu/mce/core.c | 8 +- arch/x86/kernel/cpu/mce/intel.c | 1 + arch/x86/kvm/svm/sev.c | 4 + arch/x86/kvm/xen.c | 15 +- drivers/acpi/battery.c | 19 +- drivers/atm/idt77252.c | 5 + drivers/block/nbd.c | 6 +- drivers/block/ublk_drv.c | 3 +- drivers/char/ipmi/ipmi_msghandler.c | 3 +- drivers/gpu/drm/drm_framebuffer.c | 31 +- drivers/gpu/drm/drm_gem.c | 74 ++++- drivers/gpu/drm/drm_internal.h | 2 + drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 + drivers/gpu/drm/tegra/nvdec.c | 6 +- drivers/gpu/drm/ttm/ttm_bo_util.c | 13 +- drivers/hid/hid-ids.h | 6 + drivers/hid/hid-lenovo.c | 8 + drivers/hid/hid-multitouch.c | 8 +- drivers/hid/hid-quirks.c | 3 + drivers/input/keyboard/atkbd.c | 3 +- drivers/md/md-bitmap.c | 3 +- drivers/md/raid1.c | 1 + drivers/md/raid10.c | 10 +- drivers/net/can/m_can/m_can.c | 2 +- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- drivers/net/ethernet/ibm/ibmvnic.h | 8 +- drivers/net/ethernet/microsoft/mana/gdma_main.c | 3 + drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c | 24 +- drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +- drivers/net/phy/microchip.c | 2 +- drivers/net/phy/smsc.c | 57 +++- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +- drivers/pinctrl/pinctrl-amd.c | 11 + drivers/pinctrl/qcom/pinctrl-msm.c | 20 ++ drivers/pwm/pwm-mediatek.c | 13 +- drivers/tty/vt/vt.c | 1 + drivers/usb/cdns3/cdnsp-debug.h | 358 ++++++++++----------- drivers/usb/cdns3/cdnsp-ep0.c | 18 +- drivers/usb/cdns3/cdnsp-gadget.c | 6 +- drivers/usb/cdns3/cdnsp-gadget.h | 11 +- drivers/usb/cdns3/cdnsp-ring.c | 27 +- drivers/usb/dwc3/core.c | 9 +- drivers/usb/dwc3/gadget.c | 22 +- drivers/usb/gadget/function/u_serial.c | 12 +- fs/btrfs/btrfs_inode.h | 2 +- fs/btrfs/free-space-tree.c | 16 +- fs/btrfs/inode.c | 18 +- fs/btrfs/transaction.c | 2 +- fs/btrfs/tree-log.c | 331 +++++++++++-------- fs/erofs/data.c | 2 + fs/eventpoll.c | 12 +- fs/proc/inode.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/task_mmu.c | 14 +- fs/smb/client/cifsglob.h | 3 + fs/smb/client/cifsproto.h | 13 +- fs/smb/client/connect.c | 47 ++- fs/smb/client/dfs.c | 73 ++--- fs/smb/client/dfs.h | 42 ++- fs/smb/client/dfs_cache.c | 198 +++++++----- fs/smb/client/fs_context.h | 1 + fs/smb/client/misc.c | 9 + fs/smb/client/namespace.c | 2 +- fs/smb/server/smb2pdu.c | 29 +- fs/smb/server/transport_rdma.c | 5 +- fs/smb/server/vfs.c | 1 + include/drm/drm_file.h | 3 + include/drm/drm_framebuffer.h | 7 + include/drm/spsc_queue.h | 4 +- include/linux/mm.h | 5 + include/net/af_vsock.h | 2 +- include/net/netfilter/nf_flow_table.h | 2 +- io_uring/opdef.c | 1 + kernel/bpf/bpf_lru_list.c | 9 +- kernel/bpf/bpf_lru_list.h | 1 + kernel/events/core.c | 6 +- lib/maple_tree.c | 14 +- mm/kasan/report.c | 13 +- mm/vmalloc.c | 22 +- net/appletalk/ddp.c | 1 + net/atm/clip.c | 64 +++- net/bluetooth/hci_event.c | 39 +-- net/bluetooth/hci_sync.c | 215 ++++++++----- net/ipv4/tcp.c | 2 +- net/ipv6/addrconf.c | 9 +- net/netlink/af_netlink.c | 90 +++--- net/rxrpc/call_accept.c | 4 + net/sched/sch_api.c | 23 +- net/tipc/topsrv.c | 2 + net/vmw_vsock/af_vsock.c | 57 +++- net/wireless/util.c | 52 ++- scripts/gdb/linux/constants.py.in | 7 + scripts/gdb/linux/interrupts.py | 16 +- scripts/gdb/linux/mapletree.py | 252 +++++++++++++++ scripts/gdb/linux/xarray.py | 28 ++ sound/pci/hda/patch_realtek.c | 1 + sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/codecs/cs35l56-shared.c | 2 +- sound/soc/fsl/fsl_asrc.c | 3 +- tools/arch/x86/include/asm/msr-index.h | 1 + tools/build/feature/Makefile | 25 +- tools/include/linux/kallsyms.h | 4 + tools/perf/Makefile.perf | 27 +- tools/testing/selftests/bpf/test_lru_map.c | 105 +++--- 114 files changed, 1887 insertions(+), 1029 deletions(-)

2 months

3
111
0 0

[PATCH 6.12 000/163] 6.12.39-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.39 release. There are 163 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Jul 2025 13:07:32 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.39-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.39-rc1 Mark Brown <broonie(a)kernel.org> arm64: Filter out SME hwcaps when FEAT_SME isn't implemented Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix potential use-after-free in oplock/lease break ack Yeoreum Yun <yeoreum.yun(a)arm.com> kasan: remove kasan_find_vm_area() to prevent possible deadlock Jiawen Wu <jiawenwu(a)trustnetic.com> net: wangxun: revert the adjustment of the IRQ vector sequence Gao Xiang <xiang(a)kernel.org> erofs: fix rare pcluster memory leak after unmounting Willem de Bruijn <willemb(a)google.com> selftests/bpf: adapt one more case in test_lru_map to the new target_free Daniel J. Ogorchock <djogorchock(a)gmail.com> HID: nintendo: avoid bluetooth suspend/resume stalls Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Zhang Heng <zhangheng(a)kylinos.cn> HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Fangrui Song <i(a)maskray.me> riscv: vdso: Exclude .rodata from the PT_DYNAMIC segment Willem de Bruijn <willemb(a)google.com> bpf: Adjust free target to avoid global starvation of LRU map Nicolas Pitre <npitre(a)baylibre.com> vt: add missing notification when switching back to text mode Filipe Manana <fdmanana(a)suse.com> btrfs: fix assertion when building free space tree Long Li <longli(a)microsoft.com> net: mana: Record doorbell physical address in PF mode Akira Inoue <niyarium(a)gmail.com> HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Shuai Zhang <quic_shuaz(a)quicinc.com> driver: bluetooth: hci_qca:fix unable to load the BT driver Xiaowei Li <xiaowei.li(a)simcom.com> net: usb: qmi_wwan: add SIMCom 8230C composition Tim Crawford <tcrawford(a)system76.com> ALSA: hda/realtek: Add quirks for some Clevo laptops Yasmin Fitzgerald <sunoflife1.git(a)gmail.com> ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 Yuzuru10 <yuzuru_10(a)proton.me> ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic Fengnan Chang <changfengnan(a)bytedance.com> io_uring: make fallocate be hashed work Takashi Iwai <tiwai(a)suse.de> ALSA: hda/realtek: Add mic-mute LED setup for ASUS UM5606 Tamura Dai <kirinode0(a)gmail.com> ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak. Tiwei Bie <tiwei.btw(a)antgroup.com> um: vector: Reduce stack usage in vector_eth_configure() Thomas Fourier <fourier.thomas(a)gmail.com> atm: idt77252: Add missing `dma_map_error()` Ronnie Sahlberg <rsahlberg(a)whamcloud.com> ublk: sanity check add_dev input for underflow Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix DCB ETS validation Alok Tiwari <alok.a.tiwari(a)oracle.com> net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Add new prio for promiscuous mode Carolina Jubran <cjubran(a)nvidia.com> net/mlx5e: Fix race between DIM disable and net_dim() Sean Nyekjaer <sean(a)geanix.com> can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Shuicheng Lin <shuicheng.lin(a)intel.com> drm/xe/pm: Correct comment of xe_pm_set_vram_threshold() Hangbin Liu <liuhangbin(a)gmail.com> selftests: net: lib: fix shift count out of range Petr Machata <petrm(a)nvidia.com> selftests: net: lib: Move logging from forwarding/lib.sh here Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: microchip: Use genphy_soft_reset() to purge stale LPA bits Mingming Cao <mmc(a)linux.ibm.com> ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof Kito Xu <veritas501(a)foxmail.com> net: appletalk: Fix device refcount leak in atrtr_create() Eric Dumazet <edumazet(a)google.com> netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() Chao Yu <chao(a)kernel.org> erofs: fix to add missing tracepoint in erofs_readahead() Gao Xiang <xiang(a)kernel.org> erofs: refine readahead tracepoint Gao Xiang <xiang(a)kernel.org> erofs: tidy up zdata.c Gao Xiang <xiang(a)kernel.org> erofs: get rid of `z_erofs_next_pcluster_t` Chunhai Guo <guochunhai(a)vivo.com> erofs: free pclusters if no cached folio is attached Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/pf: Clear all LMTT pages on alloc Zheng Qixing <zhengqixing(a)huawei.com> nbd: fix uaf in nbd_genl_connect() error path Henry Martin <bsdhenrymartin(a)gmail.com> wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init() Ben Skeggs <bskeggs(a)nvidia.com> drm/nouveau/gsp: fix potential leak of memory used during acpi init Felix Fietkau <nbd(a)nbd.name> wifi: rt2x00: fix remove callback type mismatch Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix non-transmitted BSSID profile search Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: correctly identify S1G short beacon Nigel Croxon <ncroxon(a)redhat.com> raid10: cleanup memleak at raid10_make_request Wang Jinchao <wangjinchao600(a)gmail.com> md/raid1: Fix stack memory use after return in raid1_reshape Mikko Perttunen <mperttunen(a)nvidia.com> drm/tegra: nvdec: Fix dma_alloc_coherent error check Daniil Dulov <d.dulov(a)aladdin.ru> wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: cfg80211: fix S1G beacon head validation in nl80211 David Howells <dhowells(a)redhat.com> netfs: Fix ref leak on inserted extra subreq in write retry Jakub Kicinski <kuba(a)kernel.org> netlink: make sure we allow at least one dump skb Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix rmem check in netlink_broadcast_deliver(). Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> ASoC: Intel: sof-function-topology-lib: Print out the unsupported dmic count Gao Xiang <xiang(a)kernel.org> erofs: address D-cache aliasing Chao Yu <chao(a)kernel.org> erofs: fix to add missing tracepoint in erofs_read_folio() Al Viro <viro(a)zeniv.linux.org.uk> ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Stefan Metzmacher <metze(a)samba.org> smb: server: make use of rdma_destroy_qp() Sascha Hauer <s.hauer(a)pengutronix.de> clk: scmi: Handle case where child clocks are initialized before their parents Jann Horn <jannh(a)google.com> x86/mm: Disable hugetlb page table sharing on 32-bit Mikhail Paulyshka <me(a)mixaill.net> x86/rdrand: Disable RDSEED on AMD Cyan Skillfish Xiaolei Wang <xiaolei.wang(a)windriver.com> clk: imx: Fix an out-of-bounds access in dispmix_csr_clk_dev_data Miguel Ojeda <ojeda(a)kernel.org> rust: init: allow `dead_code` warnings for Rust >= 1.89.0 Harry Yoo <harry.yoo(a)oracle.com> lib/alloc_tag: do not acquire non-existent lock in alloc_tag_top_users() Alexander Gordeev <agordeev(a)linux.ibm.com> mm/vmalloc: leave lazy MMU mode on PTE mapping error Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: fix interrupts.py after maple tree conversion Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: de-reference per-CPU MCE interrupts Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: fix interrupts display after MCP on x86 Baolin Wang <baolin.wang(a)linux.alibaba.com> mm: fix the inaccurate memory statistics issue for users Wei Yang <richard.weiyang(a)gmail.com> maple_tree: fix mt_destroy_walk() on root leaf node Achill Gilgenast <fossdd(a)pwned.life> kallsyms: fix build without execinfo Zhe Qiao <qiaozhe(a)iscas.ac.cn> Revert "PCI/ACPI: Fix allocated memory release on error in pci_acpi_scan_root()" Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: battery: negate current when discharging" Matthew Brost <matthew.brost(a)intel.com> drm/xe: Allocate PF queue size on pow2 boundary Thomas Zimmermann <tzimmermann(a)suse.de> drm/framebuffer: Acquire internal references on GEM handles Kuen-Han Tsai <khtsai(a)google.com> Revert "usb: gadget: u_serial: Add null pointer check in gs_start_io" Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: u_serial: Fix race condition in TTY wakeup Matthew Brost <matthew.brost(a)intel.com> Revert "drm/xe/xe2: Enable Indirect Ring State support for Xe2" Matthew Auld <matthew.auld(a)intel.com> drm/xe/bmg: fix compressed VRAM handling Simona Vetter <simona.vetter(a)ffwll.ch> drm/gem: Fix race in drm_gem_handle_create_tail() Christian König <christian.koenig(a)amd.com> drm/ttm: fix error handling in ttm_buffer_object_transfer Matthew Brost <matthew.brost(a)intel.com> drm/sched: Increment job count before swapping tail spsc queue Thomas Zimmermann <tzimmermann(a)suse.de> drm/gem: Acquire references on GEM handles for framebuffers Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: Don't call mmput from MMU notifier callback Alessio Belle <alessio.belle(a)imgtec.com> drm/imagination: Fix kernel crash when hard resetting the GPU Michael Lo <michael.lo(a)mediatek.com> wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw scan Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7925: fix the wrong config for tx interrupt Deren Wu <deren.wu(a)mediatek.com> wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload() Deren Wu <deren.wu(a)mediatek.com> wifi: mt76: mt7921: prevent decap offload config before STA initialization Vitor Soares <vitor.soares(a)toradex.com> wifi: mwifiex: discard erroneous disassoc frames on STA interface Mathy Vanhoef <Mathy.Vanhoef(a)kuleuven.be> wifi: prevent A-MSDU attacks in mesh networks Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Ensure to disable clocks in error path Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: Fix invalid state detection Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: qcom: msm: mark certain pins as invalid for interrupts Håkon Bugge <haakon.bugge(a)oracle.com> md/md-bitmap: fix GPF in bitmap_get_stats() Haoxiang Li <haoxiang_li2024(a)163.com> net: ethernet: rtsn: Fix a null pointer dereference in rtsn_probe() Guillaume Nault <gnault(a)redhat.com> gre: Fix IPv6 multicast route creation. Arun Raghavan <arun(a)asymptotic.io> ASoC: fsl_sai: Force a software reset when starting in consumer mode Thorsten Blum <thorsten.blum(a)linux.dev> ALSA: ad1816a: Fix potential NULL pointer deref in snd_card_ad1816a_pnp() Liam Merwick <liam.merwick(a)oracle.com> KVM: Allow CPU to reschedule while setting per-page memory attributes Sean Christopherson <seanjc(a)google.com> KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight Nikunj A Dadhania <nikunj(a)amd.com> KVM: SVM: Add missing member in SNP_LAUNCH_START command structure David Woodhouse <dwmw(a)amazon.co.uk> KVM: x86/xen: Allow 'out of range' event channel ports in IRQ routing table. JP Kobryn <inwardvessel(a)gmail.com> x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Ensure user polling settings are honored when restarting timer Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Don't remove sysfs if thresholding sysfs init fails Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Fix threshold limit reset Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Add default names for MCA banks and blocks Dan Carpenter <dan.carpenter(a)linaro.org> ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() David Howells <dhowells(a)redhat.com> rxrpc: Fix oops due to non-existence of prealloc backlog struct David Howells <dhowells(a)redhat.com> rxrpc: Fix bug due to prealloc collision Victor Nogueira <victor(a)mojatatu.com> net/sched: Abort __tc_modify_qdisc if parent class does not exist Chintan Vankar <c-vankar(a)ti.com> net: ethernet: ti: am65-cpsw-nuss: Fix skb size by accounting for skb_shared_info Yue Haibing <yuehaibing(a)huawei.com> atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix infinite recursive call of clip_push(). Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix memory leak of struct clip_vcc. Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix potential null-ptr-deref in to_atmarpd(). Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Fix link failure in forced mode with Auto-MDIX Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Force predictable MDI-X state on LAN87xx Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap EricChan <chenchuangyu(a)xiaomi.com> net: stmmac: Fix interrupt handling for level-triggered mode in DWC_XGMAC2 Michal Luczaj <mhal(a)rbox.co> vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_* TOCTOU Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_{g2h,h2g} TOCTOU Jiayuan Chen <jiayuan.chen(a)linux.dev> tcp: Correct signedness in skb remaining space calculation Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_conn_close(). Stefano Garzarella <sgarzare(a)redhat.com> vsock: fix `vsock_proto` declaration Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix wraparounds of sk->sk_rmem_alloc. Luo Jie <quic_luoj(a)quicinc.com> net: phy: qcom: qca808x: Fix WoL issue by utilizing at8031_set_wol() Luo Jie <quic_luoj(a)quicinc.com> net: phy: qcom: move the WoL function to shared library Kevin Brodsky <kevin.brodsky(a)arm.com> arm64: poe: Handle spurious Overlay faults Jason Xing <kernelxing(a)tencent.com> bnxt_en: eliminate the compile warning in bnxt_request_irq due to CONFIG_RFS_ACCEL kuyo chang <kuyo.chang(a)mediatek.com> sched/deadline: Fix dl_server runtime calculation formula Al Viro <viro(a)zeniv.linux.org.uk> fix proc_sys_compare() handling of in-lookup dentries Mario Limonciello <mario.limonciello(a)amd.com> pinctrl: amd: Clear GPIO debounce for suspend Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix not disabling advertising instance Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: cs35l56: probe() should fail if the device ID is not recognized Peter Zijlstra <peterz(a)infradead.org> perf: Revert to requiring CAP_SYS_ADMIN for uprobes Peter Zijlstra <peterz(a)infradead.org> sched/core: Fix migrate_swap() vs. hotplug Nam Cao <namcao(a)linutronix.de> irqchip/irq-msi-lib: Select CONFIG_GENERIC_MSI_IRQ Luo Gengkun <luogengkun(a)huaweicloud.com> perf/core: Fix the WARN_ON_ONCE is out of lock protected region Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: Intel: soc-acpi: arl: Correct order of cs42l43 matches Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: soc-acpi-intel-arl-match: set get_function_tplg_files ops Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: add sof_sdw_get_tplg_files ops Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: soc-acpi: add get_function_tplg_files ops Simon Trimmer <simont(a)opensource.cirrus.com> ASoC: Intel: soc-acpi: arl: Add match entries for new cs42l43 laptops Simon Trimmer <simont(a)opensource.cirrus.com> ASoC: Intel: soc-acpi: arl: Correct naming of a cs35l56 address struct Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: SND_SOC_INTEL_SOF_BOARD_HELPERS select SND_SOC_ACPI_INTEL_MATCH Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV Eric Biggers <ebiggers(a)kernel.org> crypto: s390/sha - Fix uninitialized variable in SHA-1 and SHA-2 Flora Cui <flora.cui(a)amd.com> drm/amdgpu/ip_discovery: add missing ip_discovery fw Flora Cui <flora.cui(a)amd.com> drm/amdgpu/discovery: use specific ip_discovery.bin for legacy asics Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Linus Torvalds <torvalds(a)linux-foundation.org> eventpoll: don't decrement ep refcount while still holding the ep mutex ------------- Diffstat: Documentation/bpf/map_hash.rst | 8 +- Documentation/bpf/map_lru_hash_update.dot | 6 +- Makefile | 4 +- arch/arm64/kernel/cpufeature.c | 45 ++-- arch/arm64/kernel/process.c | 5 + arch/arm64/mm/fault.c | 30 ++- arch/riscv/kernel/vdso/vdso.lds.S | 2 +- arch/s390/crypto/sha1_s390.c | 2 + arch/s390/crypto/sha256_s390.c | 3 + arch/s390/crypto/sha512_s390.c | 3 + arch/um/drivers/vector_kern.c | 42 ++-- arch/x86/Kconfig | 2 +- arch/x86/include/asm/msr-index.h | 1 + arch/x86/kernel/cpu/amd.c | 7 + arch/x86/kernel/cpu/mce/amd.c | 28 ++- arch/x86/kernel/cpu/mce/core.c | 24 +- arch/x86/kernel/cpu/mce/intel.c | 1 + arch/x86/kvm/svm/sev.c | 4 + arch/x86/kvm/xen.c | 15 +- drivers/acpi/battery.c | 19 +- drivers/atm/idt77252.c | 5 + drivers/block/nbd.c | 6 +- drivers/block/ublk_drv.c | 3 +- drivers/bluetooth/hci_qca.c | 13 +- drivers/char/ipmi/ipmi_msghandler.c | 3 +- drivers/clk/clk-scmi.c | 20 +- drivers/clk/imx/clk-imx95-blk-ctl.c | 12 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 30 ++- drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 5 +- drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h | 3 +- drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 43 ++-- drivers/gpu/drm/drm_framebuffer.c | 31 ++- drivers/gpu/drm/drm_gem.c | 74 +++++- drivers/gpu/drm/drm_internal.h | 2 + drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 + drivers/gpu/drm/imagination/pvr_power.c | 4 +- drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 20 +- drivers/gpu/drm/tegra/nvdec.c | 6 +- drivers/gpu/drm/ttm/ttm_bo_util.c | 13 +- drivers/gpu/drm/xe/xe_gt_pagefault.c | 1 + drivers/gpu/drm/xe/xe_lmtt.c | 11 + drivers/gpu/drm/xe/xe_migrate.c | 2 +- drivers/gpu/drm/xe/xe_pci.c | 1 - drivers/gpu/drm/xe/xe_pm.c | 8 +- drivers/hid/hid-ids.h | 6 + drivers/hid/hid-lenovo.c | 8 + drivers/hid/hid-multitouch.c | 8 +- drivers/hid/hid-nintendo.c | 38 +++- drivers/hid/hid-quirks.c | 3 + drivers/irqchip/Kconfig | 1 + drivers/md/md-bitmap.c | 3 +- drivers/md/raid1.c | 1 + drivers/md/raid10.c | 10 +- drivers/net/can/m_can/m_can.c | 2 +- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 +- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- drivers/net/ethernet/ibm/ibmvnic.h | 8 +- drivers/net/ethernet/mellanox/mlx5/core/en/fs.h | 9 +- drivers/net/ethernet/mellanox/mlx5/core/en_dim.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 13 +- drivers/net/ethernet/microsoft/mana/gdma_main.c | 3 + drivers/net/ethernet/renesas/rtsn.c | 5 + drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c | 24 +- drivers/net/ethernet/ti/am65-cpsw-nuss.c | 4 +- drivers/net/ethernet/wangxun/libwx/wx_lib.c | 16 +- drivers/net/ethernet/wangxun/libwx/wx_type.h | 2 +- drivers/net/ethernet/wangxun/ngbe/ngbe_main.c | 2 +- drivers/net/ethernet/wangxun/ngbe/ngbe_type.h | 2 +- drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c | 4 +- drivers/net/ethernet/wangxun/txgbe/txgbe_type.h | 4 +- drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +- drivers/net/phy/microchip.c | 3 +- drivers/net/phy/qcom/at803x.c | 27 --- drivers/net/phy/qcom/qca808x.c | 2 +- drivers/net/phy/qcom/qcom-phy-lib.c | 25 ++ drivers/net/phy/qcom/qcom.h | 5 + drivers/net/phy/smsc.c | 57 ++++- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/wireless/marvell/mwifiex/util.c | 4 +- .../net/wireless/mediatek/mt76/mt76_connac_mcu.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7921/main.c | 3 + drivers/net/wireless/mediatek/mt76/mt7925/init.c | 2 + drivers/net/wireless/mediatek/mt76/mt7925/main.c | 6 + drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7925/regs.h | 2 +- drivers/net/wireless/ralink/rt2x00/rt2x00soc.c | 4 +- drivers/net/wireless/ralink/rt2x00/rt2x00soc.h | 2 +- drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +- drivers/pci/pci-acpi.c | 23 +- drivers/pinctrl/pinctrl-amd.c | 11 + drivers/pinctrl/qcom/pinctrl-msm.c | 20 ++ drivers/pwm/core.c | 2 +- drivers/pwm/pwm-mediatek.c | 13 +- drivers/tty/vt/vt.c | 1 + drivers/usb/gadget/function/u_serial.c | 12 +- fs/btrfs/free-space-tree.c | 16 +- fs/erofs/data.c | 21 +- fs/erofs/decompressor.c | 12 +- fs/erofs/fileio.c | 6 +- fs/erofs/internal.h | 2 +- fs/erofs/zdata.c | 251 +++++++++----------- fs/erofs/zutil.c | 7 +- fs/eventpoll.c | 12 +- fs/netfs/write_collect.c | 2 +- fs/proc/inode.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/task_mmu.c | 14 +- fs/smb/server/smb2pdu.c | 29 +-- fs/smb/server/transport_rdma.c | 5 +- fs/smb/server/vfs.c | 1 + include/drm/drm_file.h | 3 + include/drm/drm_framebuffer.h | 7 + include/drm/spsc_queue.h | 4 +- include/linux/ieee80211.h | 45 +++- include/linux/mm.h | 5 + include/linux/psp-sev.h | 2 + include/net/af_vsock.h | 2 +- include/net/netfilter/nf_flow_table.h | 2 +- include/sound/soc-acpi.h | 13 ++ include/trace/events/erofs.h | 2 +- io_uring/opdef.c | 1 + kernel/bpf/bpf_lru_list.c | 9 +- kernel/bpf/bpf_lru_list.h | 1 + kernel/events/core.c | 6 +- kernel/sched/core.c | 5 + kernel/sched/deadline.c | 10 +- kernel/stop_machine.c | 20 +- lib/alloc_tag.c | 3 + lib/maple_tree.c | 1 + mm/kasan/report.c | 13 +- mm/vmalloc.c | 22 +- net/appletalk/ddp.c | 1 + net/atm/clip.c | 64 ++++-- net/bluetooth/hci_event.c | 3 + net/bluetooth/hci_sync.c | 2 +- net/ipv4/tcp.c | 2 +- net/ipv6/addrconf.c | 9 +- net/mac80211/mlme.c | 7 +- net/mac80211/parse.c | 6 +- net/netlink/af_netlink.c | 90 +++++--- net/rxrpc/call_accept.c | 4 + net/sched/sch_api.c | 23 +- net/tipc/topsrv.c | 2 + net/vmw_vsock/af_vsock.c | 57 ++++- net/wireless/nl80211.c | 7 +- net/wireless/util.c | 52 ++++- rust/kernel/init/macros.rs | 2 + scripts/gdb/linux/constants.py.in | 7 + scripts/gdb/linux/interrupts.py | 16 +- scripts/gdb/linux/mapletree.py | 252 +++++++++++++++++++++ scripts/gdb/linux/xarray.py | 28 +++ sound/isa/ad1816a/ad1816a.c | 2 +- sound/pci/hda/patch_realtek.c | 7 + sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/codecs/cs35l56-shared.c | 2 +- sound/soc/fsl/fsl_asrc.c | 3 +- sound/soc/fsl/fsl_sai.c | 14 +- sound/soc/intel/boards/Kconfig | 1 + sound/soc/intel/common/Makefile | 2 +- sound/soc/intel/common/soc-acpi-intel-arl-match.c | 66 +++++- sound/soc/intel/common/sof-function-topology-lib.c | 136 +++++++++++ sound/soc/intel/common/sof-function-topology-lib.h | 15 ++ sound/soc/sof/intel/hda.c | 6 +- tools/arch/x86/include/asm/msr-index.h | 1 + tools/include/linux/kallsyms.h | 4 + tools/testing/selftests/bpf/test_lru_map.c | 105 ++++----- tools/testing/selftests/net/forwarding/lib.sh | 113 --------- tools/testing/selftests/net/lib.sh | 115 ++++++++++ virt/kvm/kvm_main.c | 3 + 172 files changed, 1953 insertions(+), 867 deletions(-)

2 months

6
169
0 0

[TEST REGRESSION] stable-rc/linux-6.12.y: kselftest.seccomp.seccomp_seccomp_benchmark_per-filter_last_2_diff_per-filter_filters_4 on bcm2837-rpi-3-b-plus

by KernelCI bot

Hello, New test failure found on stable-rc/linux-6.12.y: kselftest.seccomp.seccomp_seccomp_benchmark_per-filter_last_2_diff_per-filter_filters_4 running on bcm2837-rpi-3-b-plus giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git branch: linux-6.12.y commit HEAD: d50d16f002928cde05a54e0049ddc203323ae7ac test id: maestro:687779f42ce2c1874ed2365d status: FAIL timestamp: 2025-07-16 10:14:31.303039+00:00 log: https://files.kernelci.org/kselftest-seccomp-6876c79234612746bbcf9a7e/log.t… # Test details: - test path: kselftest.seccomp.seccomp_seccomp_benchmark_per-filter_last_2_diff_per-filter_filters_4 - platform: bcm2837-rpi-3-b-plus - compatibles: raspberrypi,3-model-b-plus | rbrcm | bcm2837; - config: defconfig+arm64-chromebook+kselftest - architecture: arm64 - compiler: gcc-12 Dashboard: https://d.kernelci.org/t/maestro:687779f42ce2c1874ed2365d Log excerpt: ===================================================== t_is_kill_inside pass seccomp_seccomp_bpf_global_unknown_ret_is_kill_above_allow pass seccomp_seccomp_bpf_global_KILL_all pass seccomp_seccomp_bpf_global_KILL_one pass seccomp_seccomp_bpf_global_KILL_one_arg_one pass seccomp_seccomp_bpf_global_KILL_one_arg_six pass seccomp_seccomp_bpf_global_KILL_thread pass seccomp_seccomp_bpf_global_KILL_process pass seccomp_seccomp_bpf_global_KILL_unknown pass seccomp_seccomp_bpf_global_arg_out_of_range pass seccomp_seccomp_bpf_global_ERRNO_valid pass seccomp_seccomp_bpf_global_ERRNO_zero pass seccomp_seccomp_bpf_global_ERRNO_capped pass seccomp_seccomp_bpf_global_ERRNO_order pass seccomp_seccomp_bpf_global_negative_ENOSYS pass seccomp_seccomp_bpf_global_seccomp_syscall pass seccomp_seccomp_bpf_global_seccomp_syscall_mode_lock pass seccomp_seccomp_bpf_global_detect_seccomp_filter_flags pass seccomp_seccomp_bpf_global_TSYNC_first pass seccomp_seccomp_bpf_global_syscall_restart pass seccomp_seccomp_bpf_global_filter_flag_log pass seccomp_seccomp_bpf_global_get_action_avail pass seccomp_seccomp_bpf_global_get_metadata_Kernel_does_not_support_PTRACE_SECCOMP_GET_METADATA_missing_CONFIG_CHECKPOINT_RESTORE skip seccomp_seccomp_bpf_global_user_notification_basic pass seccomp_seccomp_bpf_global_user_notification_with_tsync pass seccomp_seccomp_bpf_global_user_notification_kill_in_middle pass seccomp_seccomp_bpf_global_user_notification_signal pass seccomp_seccomp_bpf_global_user_notification_closed_listener pass seccomp_seccomp_bpf_global_user_notification_child_pid_ns pass seccomp_seccomp_bpf_global_user_notification_sibling_pid_ns pass seccomp_seccomp_bpf_global_user_notification_fault_recv pass seccomp_seccomp_bpf_global_seccomp_get_notif_sizes pass seccomp_seccomp_bpf_global_user_notification_continue pass seccomp_seccomp_bpf_global_user_notification_filter_empty pass seccomp_seccomp_bpf_global_user_ioctl_notification_filter_empty pass seccomp_seccomp_bpf_global_user_notification_filter_empty_threaded pass seccomp_seccomp_bpf_global_user_notification_addfd pass seccomp_seccomp_bpf_global_user_notification_addfd_rlimit pass seccomp_seccomp_bpf_global_user_notification_sync pass seccomp_seccomp_bpf_global_user_notification_fifo pass seccomp_seccomp_bpf_global_user_notification_wait_killable_pre_notification pass seccomp_seccomp_bpf_global_user_notification_wait_killable pass seccomp_seccomp_bpf_global_user_notification_wait_killable_fatal pass seccomp_seccomp_bpf_global_tsync_vs_dead_thread_leader pass seccomp_seccomp_bpf_TRAP_dfl pass seccomp_seccomp_bpf_TRAP_ign pass seccomp_seccomp_bpf_TRAP_handler pass seccomp_seccomp_bpf_precedence_allow_ok pass seccomp_seccomp_bpf_precedence_kill_is_highest pass seccomp_seccomp_bpf_precedence_kill_is_highest_in_any_order pass seccomp_seccomp_bpf_precedence_trap_is_second pass seccomp_seccomp_bpf_precedence_trap_is_second_in_any_order pass seccomp_seccomp_bpf_precedence_errno_is_third pass seccomp_seccomp_bpf_precedence_errno_is_third_in_any_order pass seccomp_seccomp_bpf_precedence_trace_is_fourth pass seccomp_seccomp_bpf_precedence_trace_is_fourth_in_any_order pass seccomp_seccomp_bpf_precedence_log_is_fifth pass seccomp_seccomp_bpf_precedence_log_is_fifth_in_any_order pass seccomp_seccomp_bpf_TRACE_poke_read_has_side_effects pass seccomp_seccomp_bpf_TRACE_poke_getpid_runs_normally pass seccomp_seccomp_bpf_TRACE_syscall_ptrace_negative_ENOSYS pass seccomp_seccomp_bpf_TRACE_syscall_ptrace_syscall_allowed pass seccomp_seccomp_bpf_TRACE_syscall_ptrace_syscall_redirected pass seccomp_seccomp_bpf_TRACE_syscall_ptrace_syscall_errno pass seccomp_seccomp_bpf_TRACE_syscall_ptrace_syscall_faked pass seccomp_seccomp_bpf_TRACE_syscall_ptrace_kill_immediate pass seccomp_seccomp_bpf_TRACE_syscall_ptrace_skip_after pass seccomp_seccomp_bpf_TRACE_syscall_ptrace_kill_after pass seccomp_seccomp_bpf_TRACE_syscall_seccomp_negative_ENOSYS pass seccomp_seccomp_bpf_TRACE_syscall_seccomp_syscall_allowed pass seccomp_seccomp_bpf_TRACE_syscall_seccomp_syscall_redirected pass seccomp_seccomp_bpf_TRACE_syscall_seccomp_syscall_errno pass seccomp_seccomp_bpf_TRACE_syscall_seccomp_syscall_faked pass seccomp_seccomp_bpf_TRACE_syscall_seccomp_kill_immediate pass seccomp_seccomp_bpf_TRACE_syscall_seccomp_skip_after pass seccomp_seccomp_bpf_TRACE_syscall_seccomp_kill_after pass seccomp_seccomp_bpf_TSYNC_siblings_fail_prctl pass seccomp_seccomp_bpf_TSYNC_two_siblings_with_ancestor pass seccomp_seccomp_bpf_TSYNC_two_sibling_want_nnp pass seccomp_seccomp_bpf_TSYNC_two_siblings_with_no_filter pass seccomp_seccomp_bpf_TSYNC_two_siblings_with_one_divergence pass seccomp_seccomp_bpf_TSYNC_two_siblings_with_one_divergence_no_tid_in_err pass seccomp_seccomp_bpf_TSYNC_two_siblings_not_under_filter pass seccomp_seccomp_bpf_O_SUSPEND_SECCOMP_setoptions_Kernel_does_not_support_PTRACE_O_SUSPEND_SECCOMP_missing_CONFIG_CHECKPOINT_RESTORE skip seccomp_seccomp_bpf_O_SUSPEND_SECCOMP_seize_Kernel_does_not_support_PTRACE_O_SUSPEND_SECCOMP_missing_CONFIG_CHECKPOINT_RESTORE skip seccomp_seccomp_bpf pass seccomp_seccomp_benchmark_native_1_bitmap pass seccomp_seccomp_benchmark_native_1_filter pass seccomp_seccomp_benchmark_per-filter_last_2_diff_per-filter_filters_4 fail seccomp_seccomp_benchmark_1_bitmapped_2_bitmapped pass seccomp_seccomp_benchmark_entry_1_bitmapped pass seccomp_seccomp_benchmark_entry_2_bitmapped pass seccomp_seccomp_benchmark_native_entry_per_filter_4_4_filters_total pass seccomp_seccomp_benchmark fail + ../../utils/send-to-lava.sh ./output/result.txt <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=shardfile-seccomp RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_kcmp RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_mode_strict_support RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_mode_strict_cannot_call_prctl RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_no_new_privs_support RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_mode_filter_support RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_mode_filter_without_nnp RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_filter_size_limits RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_filter_chain_limits RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_mode_filter_cannot_move_to_strict RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_mode_filter_get_seccomp RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_ALLOW_all RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_empty_prog RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_log_all RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_unknown_ret_is_kill_inside RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_unknown_ret_is_kill_above_allow RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_KILL_all RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_KILL_one RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_KILL_one_arg_one RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_KILL_one_arg_six RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_KILL_thread RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_KILL_process RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_KILL_unknown RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_arg_out_of_range RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_ERRNO_valid RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_ERRNO_zero RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_ERRNO_capped RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_ERRNO_order RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_negative_ENOSYS RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_seccomp_syscall RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_seccomp_syscall_mode_lock RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_detect_seccomp_filter_flags RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_TSYNC_first RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_syscall_restart RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_filter_flag_log RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_get_action_avail RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_get_metadata_Kernel_does_not_support_PTRACE_SECCOMP_GET_METADATA_missing_CONFIG_CHECKPOINT_RESTORE RESULT=skip> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_basic RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_with_tsync RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_kill_in_middle RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_signal RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_closed_listener RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_child_pid_ns RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_sibling_pid_ns RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_fault_recv RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_seccomp_get_notif_sizes RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_continue RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_filter_empty RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_ioctl_notification_filter_empty RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_filter_empty_threaded RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_addfd RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_addfd_rlimit RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_sync RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_fifo RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_wait_killable_pre_notification RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_wait_killable RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_wait_killable_fatal RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_tsync_vs_dead_thread_leader RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRAP_dfl RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRAP_ign RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRAP_handler RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_precedence_allow_ok RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_precedence_kill_is_highest RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_precedence_kill_is_highest_in_any_order RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_precedence_trap_is_second RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_precedence_trap_is_second_in_any_order RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_precedence_errno_is_third RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_precedence_errno_is_third_in_any_order RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_precedence_trace_is_fourth RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_precedence_trace_is_fourth_in_any_order RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_precedence_log_is_fifth RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_precedence_log_is_fifth_in_any_order RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_poke_read_has_side_effects RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_poke_getpid_runs_normally RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_ptrace_negative_ENOSYS RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_ptrace_syscall_allowed RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_ptrace_syscall_redirected RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_ptrace_syscall_errno RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_ptrace_syscall_faked RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_ptrace_kill_immediate RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_ptrace_skip_after RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_ptrace_kill_after RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_seccomp_negative_ENOSYS RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_seccomp_syscall_allowed RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_seccomp_syscall_redirected RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_seccomp_syscall_errno RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_seccomp_syscall_faked RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_seccomp_kill_immediate RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_seccomp_skip_after RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_seccomp_kill_after RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TSYNC_siblings_fail_prctl RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TSYNC_two_siblings_with_ancestor RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TSYNC_two_sibling_want_nnp RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TSYNC_two_siblings_with_no_filter RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TSYNC_two_siblings_with_one_divergence RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TSYNC_two_siblings_with_one_divergence_no_tid_in_err RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TSYNC_two_siblings_not_under_filter RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_O_SUSPEND_SECCOMP_setoptions_Kernel_does_not_support_PTRACE_O_SUSPEND_SECCOMP_missing_CONFIG_CHECKPOINT_RESTORE RESULT=skip> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_O_SUSPEND_SECCOMP_seize_Kernel_does_not_support_PTRACE_O_SUSPEND_SECCOMP_missing_CONFIG_CHECKPOINT_RESTORE RESULT=skip> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_benchmark_native_1_bitmap RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_benchmark_native_1_filter RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_benchmark_per-filter_last_2_diff_per-filter_filters_4 RESULT=fail> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_benchmark_1_bitmapped_2_bitmapped RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_benchmark_entry_1_bitmapped RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_benchmark_entry_2_bitmapped RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_benchmark_native_entry_per_filter_4_4_filters_total RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_benchmark RESULT=fail> + set +x <LAVA_SIGNAL_ENDRUN 1_kselftest-seccomp 1575830_1.6.2.4.5> <LAVA_TEST_RUNNER EXIT> / # ===================================================== #kernelci test maestro:687779f42ce2c1874ed2365d Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

2 months

3
3
0 0

[PATCH v2] nvmem: layouts: u-boot-env: remove crc32 endianness conversion

by srini＠kernel.org

From: "Michael C. Pratt" <mcpratt(a)pm.me> On 11 Oct 2022, it was reported that the crc32 verification of the u-boot environment failed only on big-endian systems for the u-boot-env nvmem layout driver with the following error. Invalid calculated CRC32: 0x88cd6f09 (expected: 0x096fcd88) This problem has been present since the driver was introduced, and before it was made into a layout driver. The suggested fix at the time was to use further endianness conversion macros in order to have both the stored and calculated crc32 values to compare always represented in the system's endianness. This was not accepted due to sparse warnings and some disagreement on how to handle the situation. Later on in a newer revision of the patch, it was proposed to use cpu_to_le32() for both values to compare instead of le32_to_cpu() and store the values as __le32 type to remove compilation errors. The necessity of this is based on the assumption that the use of crc32() requires endianness conversion because the algorithm uses little-endian, however, this does not prove to be the case and the issue is unrelated. Upon inspecting the current kernel code, there already is an existing use of le32_to_cpu() in this driver, which suggests there already is special handling for big-endian systems, however, it is big-endian systems that have the problem. This, being the only functional difference between architectures in the driver combined with the fact that the suggested fix was to use the exact same endianness conversion for the values brings up the possibility that it was not necessary to begin with, as the same endianness conversion for two values expected to be the same is expected to be equivalent to no conversion at all. After inspecting the u-boot environment of devices of both endianness and trying to remove the existing endianness conversion, the problem is resolved in an equivalent way as the other suggested fixes. Ultimately, it seems that u-boot is agnostic to endianness at least for the purpose of environment variables. In other words, u-boot reads and writes the stored crc32 value with the same endianness that the crc32 value is calculated with in whichever endianness a certain architecture runs on. Therefore, the u-boot-env driver does not need to convert endianness. Remove the usage of endianness macros in the u-boot-env driver, and change the type of local variables to maintain the same return type. If there is a special situation in the case of endianness, it would be a corner case and should be handled by a unique "compatible". Even though it is not necessary to use endianness conversion macros here, it may be useful to use them in the future for consistent error printing. Fixes: d5542923f200 ("nvmem: add driver handling U-Boot environment variables") Reported-by: INAGAKI Hiroshi <musashino.open(a)gmail.com> Link: https://lore.kernel.org/all/20221011024928.1807-1-musashino.open@gmail.com Cc: stable(a)vger.kernel.org Signed-off-by: Michael C. Pratt <mcpratt(a)pm.me> Signed-off-by: Srinivas Kandagatla <srini(a)kernel.org> --- Changes since v1: - removed long list of short git ids as it was too much for small patch. drivers/nvmem/layouts/u-boot-env.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/nvmem/layouts/u-boot-env.c b/drivers/nvmem/layouts/u-boot-env.c index 436426d4e8f9..8571aac56295 100644 --- a/drivers/nvmem/layouts/u-boot-env.c +++ b/drivers/nvmem/layouts/u-boot-env.c @@ -92,7 +92,7 @@ int u_boot_env_parse(struct device *dev, struct nvmem_device *nvmem, size_t crc32_data_offset; size_t crc32_data_len; size_t crc32_offset; - __le32 *crc32_addr; + uint32_t *crc32_addr; size_t data_offset; size_t data_len; size_t dev_size; @@ -143,8 +143,8 @@ int u_boot_env_parse(struct device *dev, struct nvmem_device *nvmem, goto err_kfree; } - crc32_addr = (__le32 *)(buf + crc32_offset); - crc32 = le32_to_cpu(*crc32_addr); + crc32_addr = (uint32_t *)(buf + crc32_offset); + crc32 = *crc32_addr; crc32_data_len = dev_size - crc32_data_offset; data_len = dev_size - data_offset; -- 2.43.0

2 months

1
0
0 0

[PATCH 6.12 1/2] arm64: defconfig: enable DRM_DISPLAY_CONNECTOR as a module

by Macpaul Lin

From: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> [ Upstream commit 691b5b53dbcc30bb3572cbb255374990723af0d2 ] The display connector family of bridges is used on a plenty of ARM64 platforms (including, but not being limited to several Qualcomm Robotics and Dragonboard platforms). It doesn't make sense for the DRM drivers to select the driver, so select it via the defconfig. Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Reviewed-by: Neil Armstrong <neil.armstrong(a)linaro.org> Link: https://lore.kernel.org/r/20250214-arm64-display-connector-v1-1-306bca76316… Signed-off-by: Bjorn Andersson <andersson(a)kernel.org> [ Backport to 6.12.y ] Signed-off-by: Macpaul Lin <macpaul.lin(a)mediatek.com> --- arch/arm64/configs/defconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig index 7e475f38f3e1..219ef05ee5a7 100644 --- a/arch/arm64/configs/defconfig +++ b/arch/arm64/configs/defconfig @@ -911,6 +911,7 @@ CONFIG_DRM_PANEL_SAMSUNG_ATNA33XC20=m CONFIG_DRM_PANEL_SITRONIX_ST7703=m CONFIG_DRM_PANEL_TRULY_NT35597_WQXGA=m CONFIG_DRM_PANEL_VISIONOX_VTDR6130=m +CONFIG_DRM_DISPLAY_CONNECTOR=m CONFIG_DRM_FSL_LDB=m CONFIG_DRM_LONTIUM_LT8912B=m CONFIG_DRM_LONTIUM_LT9611=m -- 2.45.2

2 months

4
4
0 0

[PATCH v2] media: pci: ivtv: Add missing check after DMA map

by Thomas Fourier

The DMA map functions can fail and should be tested for errors. If the mapping fails, free blanking_ptr and set it to 0. As 0 is a valid DMA address, use blanking_ptr to test if the DMA address is set. Fixes: 1a0adaf37c30 ("V4L/DVB (5345): ivtv driver for Conexant cx23416/cx23415 MPEG encoder/decoder") Cc: stable(a)vger.kernel.org Signed-off-by: Thomas Fourier <fourier.thomas(a)gmail.com> --- v1 -> v2: - Fix Fixes: line - Add Cc: stable drivers/media/pci/ivtv/ivtv-irq.c | 2 +- drivers/media/pci/ivtv/ivtv-yuv.c | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/media/pci/ivtv/ivtv-irq.c b/drivers/media/pci/ivtv/ivtv-irq.c index 748c14e87963..4d63daa01eed 100644 --- a/drivers/media/pci/ivtv/ivtv-irq.c +++ b/drivers/media/pci/ivtv/ivtv-irq.c @@ -351,7 +351,7 @@ void ivtv_dma_stream_dec_prepare(struct ivtv_stream *s, u32 offset, int lock) /* Insert buffer block for YUV if needed */ if (s->type == IVTV_DEC_STREAM_TYPE_YUV && f->offset_y) { - if (yi->blanking_dmaptr) { + if (yi->blanking_ptr) { s->sg_pending[idx].src = yi->blanking_dmaptr; s->sg_pending[idx].dst = offset; s->sg_pending[idx].size = 720 * 16; diff --git a/drivers/media/pci/ivtv/ivtv-yuv.c b/drivers/media/pci/ivtv/ivtv-yuv.c index 2d9274537725..71f040106647 100644 --- a/drivers/media/pci/ivtv/ivtv-yuv.c +++ b/drivers/media/pci/ivtv/ivtv-yuv.c @@ -125,7 +125,7 @@ static int ivtv_yuv_prep_user_dma(struct ivtv *itv, struct ivtv_user_dma *dma, ivtv_udma_fill_sg_array(dma, y_buffer_offset, uv_buffer_offset, y_size); /* If we've offset the y plane, ensure top area is blanked */ - if (f->offset_y && yi->blanking_dmaptr) { + if (f->offset_y && yi->blanking_ptr) { dma->SGarray[dma->SG_length].size = cpu_to_le32(720*16); dma->SGarray[dma->SG_length].src = cpu_to_le32(yi->blanking_dmaptr); dma->SGarray[dma->SG_length].dst = cpu_to_le32(IVTV_DECODER_OFFSET + yuv_offset[frame]); @@ -929,6 +929,12 @@ static void ivtv_yuv_init(struct ivtv *itv) yi->blanking_dmaptr = dma_map_single(&itv->pdev->dev, yi->blanking_ptr, 720 * 16, DMA_TO_DEVICE); + if (dma_mapping_error(&itv->pdev->dev, yi->blanking_dmaptr)) { + kfree(yi->blanking_ptr); + yi->blanking_ptr = NULL; + yi->blanking_dmaptr = 0; + IVTV_DEBUG_WARN("Failed to dma_map yuv blanking buffer\n"); + } } else { yi->blanking_dmaptr = 0; IVTV_DEBUG_WARN("Failed to allocate yuv blanking buffer\n"); -- 2.43.0

2 months

1
0
0 0

[PATCH 6.6.y] arm64: Filter out SME hwcaps when FEAT_SME isn't implemented

by Mark Brown

[ Upstream commit a75ad2fc76a2ab70817c7eed3163b66ea84ca6ac ] We have a number of hwcaps for various SME subfeatures enumerated via ID_AA64SMFR0_EL1. Currently we advertise these without cross checking against the main SME feature, advertised in ID_AA64PFR1_EL1.SME which means that if the two are out of sync userspace can see a confusing situation where SME subfeatures are advertised without the base SME hwcap. This can be readily triggered by using the arm64.nosme override which only masks out ID_AA64PFR1_EL1.SME, and there have also been reports of VMMs which do the same thing. Fix this as we did previously for SVE in 064737920bdb ("arm64: Filter out SVE hwcaps when FEAT_SVE isn't implemented") by filtering out the SME subfeature hwcaps when FEAT_SME is not present. Fixes: 5e64b862c482 ("arm64/sme: Basic enumeration support") Reported-by: Yury Khrustalev <yury.khrustalev(a)arm.com> Signed-off-by: Mark Brown <broonie(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250620-arm64-sme-filter-hwcaps-v1-1-02b9d3c2d8e… Signed-off-by: Will Deacon <will(a)kernel.org> Signed-off-by: Mark Brown <broonie(a)kernel.org> --- arch/arm64/kernel/cpufeature.c | 35 +++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index 82778258855d..b6d381f743f3 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -2804,6 +2804,13 @@ static bool has_sve_feature(const struct arm64_cpu_capabilities *cap, int scope) } #endif +#ifdef CONFIG_ARM64_SME +static bool has_sme_feature(const struct arm64_cpu_capabilities *cap, int scope) +{ + return system_supports_sme() && has_user_cpuid_feature(cap, scope); +} +#endif + static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = { HWCAP_CAP(ID_AA64ISAR0_EL1, AES, PMULL, CAP_HWCAP, KERNEL_HWCAP_PMULL), HWCAP_CAP(ID_AA64ISAR0_EL1, AES, AES, CAP_HWCAP, KERNEL_HWCAP_AES), @@ -2875,20 +2882,20 @@ static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = { HWCAP_CAP(ID_AA64ISAR2_EL1, MOPS, IMP, CAP_HWCAP, KERNEL_HWCAP_MOPS), HWCAP_CAP(ID_AA64ISAR2_EL1, BC, IMP, CAP_HWCAP, KERNEL_HWCAP_HBC), #ifdef CONFIG_ARM64_SME - HWCAP_CAP(ID_AA64PFR1_EL1, SME, IMP, CAP_HWCAP, KERNEL_HWCAP_SME), - HWCAP_CAP(ID_AA64SMFR0_EL1, FA64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_FA64), - HWCAP_CAP(ID_AA64SMFR0_EL1, SMEver, SME2p1, CAP_HWCAP, KERNEL_HWCAP_SME2P1), - HWCAP_CAP(ID_AA64SMFR0_EL1, SMEver, SME2, CAP_HWCAP, KERNEL_HWCAP_SME2), - HWCAP_CAP(ID_AA64SMFR0_EL1, I16I64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I64), - HWCAP_CAP(ID_AA64SMFR0_EL1, F64F64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F64F64), - HWCAP_CAP(ID_AA64SMFR0_EL1, I16I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I32), - HWCAP_CAP(ID_AA64SMFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16B16), - HWCAP_CAP(ID_AA64SMFR0_EL1, F16F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F16), - HWCAP_CAP(ID_AA64SMFR0_EL1, I8I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I8I32), - HWCAP_CAP(ID_AA64SMFR0_EL1, F16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, B16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, BI32I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_BI32I32), - HWCAP_CAP(ID_AA64SMFR0_EL1, F32F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F32F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64PFR1_EL1, SME, IMP, CAP_HWCAP, KERNEL_HWCAP_SME), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, FA64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_FA64), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SMEver, SME2p1, CAP_HWCAP, KERNEL_HWCAP_SME2P1), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SMEver, SME2, CAP_HWCAP, KERNEL_HWCAP_SME2), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, I16I64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I64), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F64F64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F64F64), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, I16I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16B16), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F16F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F16), + HWCAP_CAP(ID_MATCH_ID(has_sme_feature, AA64SMFR0_EL1, I8I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I8I32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, B16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, BI32I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_BI32I32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F32F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F32F32), #endif /* CONFIG_ARM64_SME */ {}, }; --- base-commit: 9247f4e6573a4d05fe70c3e90dbd53da26e8c5cb change-id: 20250715-stable-6-6-sme-feat-filt-5e942478105f Best regards, -- Mark Brown <broonie(a)kernel.org>

2 months

1
0
0 0

[PATCH net 5/5] rxrpc: Fix to use conn aborts for conn-wide failures

by David Howells

Fix rxrpc to use connection-level aborts for things that affect the whole connection, such as the service ID not matching a local service. Fixes: 57af281e5389 ("rxrpc: Tidy up abort generation infrastructure") Reported-by: Jeffrey Altman <jaltman(a)auristor.com> Signed-off-by: David Howells <dhowells(a)redhat.com> Reviewed-by: Jeffrey Altman <jaltman(a)auristor.com> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Jakub Kicinski <kuba(a)kernel.org> cc: Paolo Abeni <pabeni(a)redhat.com> cc: "David S. Miller" <davem(a)davemloft.net> cc: Eric Dumazet <edumazet(a)google.com> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org cc: netdev(a)vger.kernel.org cc: stable(a)vger.kernel.org --- include/trace/events/rxrpc.h | 1 + net/rxrpc/ar-internal.h | 3 +++ net/rxrpc/call_accept.c | 12 ++++++------ net/rxrpc/io_thread.c | 14 ++++++++++++++ net/rxrpc/output.c | 19 ++++++++++--------- net/rxrpc/security.c | 8 ++++---- 6 files changed, 38 insertions(+), 19 deletions(-) diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h index 8e5a73eb5268..de6f6d25767c 100644 --- a/include/trace/events/rxrpc.h +++ b/include/trace/events/rxrpc.h @@ -322,6 +322,7 @@ EM(rxrpc_call_put_kernel, "PUT kernel ") \ EM(rxrpc_call_put_poke, "PUT poke ") \ EM(rxrpc_call_put_recvmsg, "PUT recvmsg ") \ + EM(rxrpc_call_put_release_recvmsg_q, "PUT rls-rcmq") \ EM(rxrpc_call_put_release_sock, "PUT rls-sock") \ EM(rxrpc_call_put_release_sock_tba, "PUT rls-sk-a") \ EM(rxrpc_call_put_sendmsg, "PUT sendmsg ") \ diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h index df1a618dbf7d..5b7342d43486 100644 --- a/net/rxrpc/ar-internal.h +++ b/net/rxrpc/ar-internal.h @@ -44,6 +44,7 @@ enum rxrpc_skb_mark { RXRPC_SKB_MARK_SERVICE_CONN_SECURED, /* Service connection response has been verified */ RXRPC_SKB_MARK_REJECT_BUSY, /* Reject with BUSY */ RXRPC_SKB_MARK_REJECT_ABORT, /* Reject with ABORT (code in skb->priority) */ + RXRPC_SKB_MARK_REJECT_CONN_ABORT, /* Reject with connection ABORT (code in skb->priority) */ }; /* @@ -1253,6 +1254,8 @@ int rxrpc_encap_rcv(struct sock *, struct sk_buff *); void rxrpc_error_report(struct sock *); bool rxrpc_direct_abort(struct sk_buff *skb, enum rxrpc_abort_reason why, s32 abort_code, int err); +bool rxrpc_direct_conn_abort(struct sk_buff *skb, enum rxrpc_abort_reason why, + s32 abort_code, int err); int rxrpc_io_thread(void *data); void rxrpc_post_response(struct rxrpc_connection *conn, struct sk_buff *skb); static inline void rxrpc_wake_up_io_thread(struct rxrpc_local *local) diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c index a4d76f2da684..00982a030744 100644 --- a/net/rxrpc/call_accept.c +++ b/net/rxrpc/call_accept.c @@ -374,8 +374,8 @@ bool rxrpc_new_incoming_call(struct rxrpc_local *local, spin_lock(&rx->incoming_lock); if (rx->sk.sk_state == RXRPC_SERVER_LISTEN_DISABLED || rx->sk.sk_state == RXRPC_CLOSE) { - rxrpc_direct_abort(skb, rxrpc_abort_shut_down, - RX_INVALID_OPERATION, -ESHUTDOWN); + rxrpc_direct_conn_abort(skb, rxrpc_abort_shut_down, + RX_INVALID_OPERATION, -ESHUTDOWN); goto no_call; } @@ -422,12 +422,12 @@ bool rxrpc_new_incoming_call(struct rxrpc_local *local, unsupported_service: read_unlock_irq(&local->services_lock); - return rxrpc_direct_abort(skb, rxrpc_abort_service_not_offered, - RX_INVALID_OPERATION, -EOPNOTSUPP); + return rxrpc_direct_conn_abort(skb, rxrpc_abort_service_not_offered, + RX_INVALID_OPERATION, -EOPNOTSUPP); unsupported_security: read_unlock_irq(&local->services_lock); - return rxrpc_direct_abort(skb, rxrpc_abort_service_not_offered, - RX_INVALID_OPERATION, -EKEYREJECTED); + return rxrpc_direct_conn_abort(skb, rxrpc_abort_service_not_offered, + RX_INVALID_OPERATION, -EKEYREJECTED); no_call: spin_unlock(&rx->incoming_lock); read_unlock_irq(&local->services_lock); diff --git a/net/rxrpc/io_thread.c b/net/rxrpc/io_thread.c index 27b650d30f4d..e939ecf417c4 100644 --- a/net/rxrpc/io_thread.c +++ b/net/rxrpc/io_thread.c @@ -97,6 +97,20 @@ bool rxrpc_direct_abort(struct sk_buff *skb, enum rxrpc_abort_reason why, return false; } +/* + * Directly produce a connection abort from a packet. + */ +bool rxrpc_direct_conn_abort(struct sk_buff *skb, enum rxrpc_abort_reason why, + s32 abort_code, int err) +{ + struct rxrpc_skb_priv *sp = rxrpc_skb(skb); + + trace_rxrpc_abort(0, why, sp->hdr.cid, 0, sp->hdr.seq, abort_code, err); + skb->mark = RXRPC_SKB_MARK_REJECT_CONN_ABORT; + skb->priority = abort_code; + return false; +} + static bool rxrpc_bad_message(struct sk_buff *skb, enum rxrpc_abort_reason why) { return rxrpc_direct_abort(skb, why, RX_PROTOCOL_ERROR, -EBADMSG); diff --git a/net/rxrpc/output.c b/net/rxrpc/output.c index 17c33b5cf7dd..8b5903b6e481 100644 --- a/net/rxrpc/output.c +++ b/net/rxrpc/output.c @@ -829,7 +829,13 @@ void rxrpc_reject_packet(struct rxrpc_local *local, struct sk_buff *skb) msg.msg_controllen = 0; msg.msg_flags = 0; - memset(&whdr, 0, sizeof(whdr)); + whdr = (struct rxrpc_wire_header) { + .epoch = htonl(sp->hdr.epoch), + .cid = htonl(sp->hdr.cid), + .callNumber = htonl(sp->hdr.callNumber), + .serviceId = htons(sp->hdr.serviceId), + .flags = ~sp->hdr.flags & RXRPC_CLIENT_INITIATED, + }; switch (skb->mark) { case RXRPC_SKB_MARK_REJECT_BUSY: @@ -837,6 +843,9 @@ void rxrpc_reject_packet(struct rxrpc_local *local, struct sk_buff *skb) size = sizeof(whdr); ioc = 1; break; + case RXRPC_SKB_MARK_REJECT_CONN_ABORT: + whdr.callNumber = 0; + fallthrough; case RXRPC_SKB_MARK_REJECT_ABORT: whdr.type = RXRPC_PACKET_TYPE_ABORT; code = htonl(skb->priority); @@ -850,14 +859,6 @@ void rxrpc_reject_packet(struct rxrpc_local *local, struct sk_buff *skb) if (rxrpc_extract_addr_from_skb(&srx, skb) == 0) { msg.msg_namelen = srx.transport_len; - whdr.epoch = htonl(sp->hdr.epoch); - whdr.cid = htonl(sp->hdr.cid); - whdr.callNumber = htonl(sp->hdr.callNumber); - whdr.serviceId = htons(sp->hdr.serviceId); - whdr.flags = sp->hdr.flags; - whdr.flags ^= RXRPC_CLIENT_INITIATED; - whdr.flags &= RXRPC_CLIENT_INITIATED; - iov_iter_kvec(&msg.msg_iter, WRITE, iov, ioc, size); ret = do_udp_sendmsg(local->socket, &msg, size); if (ret < 0) diff --git a/net/rxrpc/security.c b/net/rxrpc/security.c index 078d91a6b77f..2bfbf2b2bb37 100644 --- a/net/rxrpc/security.c +++ b/net/rxrpc/security.c @@ -140,15 +140,15 @@ const struct rxrpc_security *rxrpc_get_incoming_security(struct rxrpc_sock *rx, sec = rxrpc_security_lookup(sp->hdr.securityIndex); if (!sec) { - rxrpc_direct_abort(skb, rxrpc_abort_unsupported_security, - RX_INVALID_OPERATION, -EKEYREJECTED); + rxrpc_direct_conn_abort(skb, rxrpc_abort_unsupported_security, + RX_INVALID_OPERATION, -EKEYREJECTED); return NULL; } if (sp->hdr.securityIndex != RXRPC_SECURITY_NONE && !rx->securities) { - rxrpc_direct_abort(skb, rxrpc_abort_no_service_key, - sec->no_key_abort, -EKEYREJECTED); + rxrpc_direct_conn_abort(skb, rxrpc_abort_no_service_key, + sec->no_key_abort, -EKEYREJECTED); return NULL; }

2 months

1
0
0 0

[PATCH net 4/5] rxrpc: Fix transmission of an abort in response to an abort

by David Howells

Under some circumstances, such as when a server socket is closing, ABORT packets will be generated in response to incoming packets. Unfortunately, this also may include generating aborts in response to incoming aborts - which may cause a cycle. It appears this may be made possible by giving the client a multicast address. Fix this such that rxrpc_reject_packet() will refuse to generate aborts in response to aborts. Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code") Signed-off-by: David Howells <dhowells(a)redhat.com> Reviewed-by: Jeffrey Altman <jaltman(a)auristor.com> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> cc: LePremierHomme <kwqcheii(a)proton.me> cc: Linus Torvalds <torvalds(a)linux-foundation.org> cc: Jakub Kicinski <kuba(a)kernel.org> cc: Paolo Abeni <pabeni(a)redhat.com> cc: "David S. Miller" <davem(a)davemloft.net> cc: Eric Dumazet <edumazet(a)google.com> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org cc: netdev(a)vger.kernel.org cc: stable(a)vger.kernel.org --- net/rxrpc/output.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/rxrpc/output.c b/net/rxrpc/output.c index ef7b3096c95e..17c33b5cf7dd 100644 --- a/net/rxrpc/output.c +++ b/net/rxrpc/output.c @@ -814,6 +814,9 @@ void rxrpc_reject_packet(struct rxrpc_local *local, struct sk_buff *skb) __be32 code; int ret, ioc; + if (sp->hdr.type == RXRPC_PACKET_TYPE_ABORT) + return; /* Never abort an abort. */ + rxrpc_see_skb(skb, rxrpc_skb_see_reject); iov[0].iov_base = &whdr;

2 months

1
0
0 0

[PATCH net 2/5] rxrpc: Fix recv-recv race of completed call

by David Howells

If a call receives an event (such as incoming data), the call gets placed on the socket's queue and a thread in recvmsg can be awakened to go and process it. Once the thread has picked up the call off of the queue, further events will cause it to be requeued, and once the socket lock is dropped (recvmsg uses call->user_mutex to allow the socket to be used in parallel), a second thread can come in and its recvmsg can pop the call off the socket queue again. In such a case, the first thread will be receiving stuff from the call and the second thread will be blocked on call->user_mutex. The first thread can, at this point, process both the event that it picked call for and the event that the second thread picked the call for and may see the call terminate - in which case the call will be "released", decoupling the call from the user call ID assigned to it (RXRPC_USER_CALL_ID in the control message). The first thread will return okay, but then the second thread will wake up holding the user_mutex and, if it sees that the call has been released by the first thread, it will BUG thusly: kernel BUG at net/rxrpc/recvmsg.c:474! Fix this by just dequeuing the call and ignoring it if it is seen to be already released. We can't tell userspace about it anyway as the user call ID has become stale. Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code") Reported-by: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> Signed-off-by: David Howells <dhowells(a)redhat.com> Reviewed-by: Jeffrey Altman <jaltman(a)auristor.com> cc: LePremierHomme <kwqcheii(a)proton.me> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Jakub Kicinski <kuba(a)kernel.org> cc: Paolo Abeni <pabeni(a)redhat.com> cc: "David S. Miller" <davem(a)davemloft.net> cc: Eric Dumazet <edumazet(a)google.com> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org cc: netdev(a)vger.kernel.org cc: stable(a)vger.kernel.org --- include/trace/events/rxrpc.h | 3 +++ net/rxrpc/call_accept.c | 1 + net/rxrpc/recvmsg.c | 19 +++++++++++++++++-- 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h index 378d2dfc7392..e7dcfb1369b6 100644 --- a/include/trace/events/rxrpc.h +++ b/include/trace/events/rxrpc.h @@ -330,12 +330,15 @@ EM(rxrpc_call_put_userid, "PUT user-id ") \ EM(rxrpc_call_see_accept, "SEE accept ") \ EM(rxrpc_call_see_activate_client, "SEE act-clnt") \ + EM(rxrpc_call_see_already_released, "SEE alrdy-rl") \ EM(rxrpc_call_see_connect_failed, "SEE con-fail") \ EM(rxrpc_call_see_connected, "SEE connect ") \ EM(rxrpc_call_see_conn_abort, "SEE conn-abt") \ + EM(rxrpc_call_see_discard, "SEE discard ") \ EM(rxrpc_call_see_disconnected, "SEE disconn ") \ EM(rxrpc_call_see_distribute_error, "SEE dist-err") \ EM(rxrpc_call_see_input, "SEE input ") \ + EM(rxrpc_call_see_recvmsg, "SEE recvmsg ") \ EM(rxrpc_call_see_release, "SEE release ") \ EM(rxrpc_call_see_userid_exists, "SEE u-exists") \ EM(rxrpc_call_see_waiting_call, "SEE q-conn ") \ diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c index 226b4bf82747..a4d76f2da684 100644 --- a/net/rxrpc/call_accept.c +++ b/net/rxrpc/call_accept.c @@ -219,6 +219,7 @@ void rxrpc_discard_prealloc(struct rxrpc_sock *rx) tail = b->call_backlog_tail; while (CIRC_CNT(head, tail, size) > 0) { struct rxrpc_call *call = b->call_backlog[tail]; + rxrpc_see_call(call, rxrpc_call_see_discard); rcu_assign_pointer(call->socket, rx); if (rx->app_ops && rx->app_ops->discard_new_call) { diff --git a/net/rxrpc/recvmsg.c b/net/rxrpc/recvmsg.c index 86a27fb55a1c..6990e37697de 100644 --- a/net/rxrpc/recvmsg.c +++ b/net/rxrpc/recvmsg.c @@ -447,6 +447,16 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, goto try_again; } + rxrpc_see_call(call, rxrpc_call_see_recvmsg); + if (test_bit(RXRPC_CALL_RELEASED, &call->flags)) { + rxrpc_see_call(call, rxrpc_call_see_already_released); + list_del_init(&call->recvmsg_link); + spin_unlock_irq(&rx->recvmsg_lock); + release_sock(&rx->sk); + trace_rxrpc_recvmsg(call->debug_id, rxrpc_recvmsg_unqueue, 0); + rxrpc_put_call(call, rxrpc_call_put_recvmsg); + goto try_again; + } if (!(flags & MSG_PEEK)) list_del_init(&call->recvmsg_link); else @@ -470,8 +480,13 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, release_sock(&rx->sk); - if (test_bit(RXRPC_CALL_RELEASED, &call->flags)) - BUG(); + if (test_bit(RXRPC_CALL_RELEASED, &call->flags)) { + rxrpc_see_call(call, rxrpc_call_see_already_released); + mutex_unlock(&call->user_mutex); + if (!(flags & MSG_PEEK)) + rxrpc_put_call(call, rxrpc_call_put_recvmsg); + goto try_again; + } ret = rxrpc_recvmsg_user_id(call, msg, flags); if (ret < 0)

2 months

1
0
0 0

[PATCH net 1/5] rxrpc: Fix irq-disabled in local_bh_enable()

by David Howells

The rxrpc_assess_MTU_size() function calls down into the IP layer to find out the MTU size for a route. When accepting an incoming call, this is called from rxrpc_new_incoming_call() which holds interrupts disabled across the code that calls down to it. Unfortunately, the IP layer uses local_bh_enable() which, config dependent, throws a warning if IRQs are enabled: WARNING: CPU: 1 PID: 5544 at kernel/softirq.c:387 __local_bh_enable_ip+0x43/0xd0 ... RIP: 0010:__local_bh_enable_ip+0x43/0xd0 ... Call Trace: <TASK> rt_cache_route+0x7e/0xa0 rt_set_nexthop.isra.0+0x3b3/0x3f0 __mkroute_output+0x43a/0x460 ip_route_output_key_hash+0xf7/0x140 ip_route_output_flow+0x1b/0x90 rxrpc_assess_MTU_size.isra.0+0x2a0/0x590 rxrpc_new_incoming_peer+0x46/0x120 rxrpc_alloc_incoming_call+0x1b1/0x400 rxrpc_new_incoming_call+0x1da/0x5e0 rxrpc_input_packet+0x827/0x900 rxrpc_io_thread+0x403/0xb60 kthread+0x2f7/0x310 ret_from_fork+0x2a/0x230 ret_from_fork_asm+0x1a/0x30 ... hardirqs last enabled at (23): _raw_spin_unlock_irq+0x24/0x50 hardirqs last disabled at (24): _raw_read_lock_irq+0x17/0x70 softirqs last enabled at (0): copy_process+0xc61/0x2730 softirqs last disabled at (25): rt_add_uncached_list+0x3c/0x90 Fix this by moving the call to rxrpc_assess_MTU_size() out of rxrpc_init_peer() and further up the stack where it can be done without interrupts disabled. It shouldn't be a problem for rxrpc_new_incoming_call() to do it after the locks are dropped as pmtud is going to be performed by the I/O thread - and we're in the I/O thread at this point. Fixes: a2ea9a907260 ("rxrpc: Use irq-disabling spinlocks between app and I/O thread") Signed-off-by: David Howells <dhowells(a)redhat.com> Reviewed-by: Jeffrey Altman <jaltman(a)auristor.com> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> cc: LePremierHomme <kwqcheii(a)proton.me> cc: Jakub Kicinski <kuba(a)kernel.org> cc: Paolo Abeni <pabeni(a)redhat.com> cc: "David S. Miller" <davem(a)davemloft.net> cc: Eric Dumazet <edumazet(a)google.com> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org cc: netdev(a)vger.kernel.org cc: stable(a)vger.kernel.org --- net/rxrpc/ar-internal.h | 1 + net/rxrpc/call_accept.c | 1 + net/rxrpc/peer_object.c | 6 ++---- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h index 376e33dce8c1..df1a618dbf7d 100644 --- a/net/rxrpc/ar-internal.h +++ b/net/rxrpc/ar-internal.h @@ -1383,6 +1383,7 @@ struct rxrpc_peer *rxrpc_lookup_peer_rcu(struct rxrpc_local *, const struct sockaddr_rxrpc *); struct rxrpc_peer *rxrpc_lookup_peer(struct rxrpc_local *local, struct sockaddr_rxrpc *srx, gfp_t gfp); +void rxrpc_assess_MTU_size(struct rxrpc_local *local, struct rxrpc_peer *peer); struct rxrpc_peer *rxrpc_alloc_peer(struct rxrpc_local *, gfp_t, enum rxrpc_peer_trace); void rxrpc_new_incoming_peer(struct rxrpc_local *local, struct rxrpc_peer *peer); diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c index 49fccee1a726..226b4bf82747 100644 --- a/net/rxrpc/call_accept.c +++ b/net/rxrpc/call_accept.c @@ -406,6 +406,7 @@ bool rxrpc_new_incoming_call(struct rxrpc_local *local, spin_unlock(&rx->incoming_lock); read_unlock_irq(&local->services_lock); + rxrpc_assess_MTU_size(local, call->peer); if (hlist_unhashed(&call->error_link)) { spin_lock_irq(&call->peer->lock); diff --git a/net/rxrpc/peer_object.c b/net/rxrpc/peer_object.c index e2f35e6c04d6..366431b0736c 100644 --- a/net/rxrpc/peer_object.c +++ b/net/rxrpc/peer_object.c @@ -149,8 +149,7 @@ struct rxrpc_peer *rxrpc_lookup_peer_rcu(struct rxrpc_local *local, * assess the MTU size for the network interface through which this peer is * reached */ -static void rxrpc_assess_MTU_size(struct rxrpc_local *local, - struct rxrpc_peer *peer) +void rxrpc_assess_MTU_size(struct rxrpc_local *local, struct rxrpc_peer *peer) { struct net *net = local->net; struct dst_entry *dst; @@ -277,8 +276,6 @@ static void rxrpc_init_peer(struct rxrpc_local *local, struct rxrpc_peer *peer, peer->hdrsize += sizeof(struct rxrpc_wire_header); peer->max_data = peer->if_mtu - peer->hdrsize; - - rxrpc_assess_MTU_size(local, peer); } /* @@ -297,6 +294,7 @@ static struct rxrpc_peer *rxrpc_create_peer(struct rxrpc_local *local, if (peer) { memcpy(&peer->srx, srx, sizeof(*srx)); rxrpc_init_peer(local, peer, hash_key); + rxrpc_assess_MTU_size(local, peer); } _leave(" = %p", peer);

2 months

1
0
0 0

Re: [PATCH 6.15 000/192] 6.15.7-rc1 review

by Dileep malepu

> This is the start of the stable review cycle for the 6.15.7 release. > There are 192 patches in this series, all will be posted as a response > to this one. If anyone has any issues with these being applied, please > let me know. > > Responses should be made by Thu, 17 Jul 2025 13:07:32 +0000. > Anything received after that time might be too late. > > The whole patch series can be found in one patch at: > https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.15.7-rc1… > or in the git tree and branch at: > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.15.y > and the diffstat can be found below. > > thanks, > > greg k-h Tested Linux kernel 6.15.7-rc1 on Fedora 37 (x86_64) with Intel i7-11800H. All major tests including boot, Wi-Fi, Bluetooth, audio, video, and USB mass storage detection passed successfully. Kernel Version : 6.15.7-rc1 Fedora Version : 37 (Thirty Seven) Processor : 11th Gen Intel(R) Core(TM) i7-11800H @ 2.30GHz Build Architecture: x86_64 Test Results: - Boot Test : PASS - Wi-Fi Test : PASS - Bluetooth Test : PASS - Audio Test : PASS - Video Test : PASS - USB Mass Storage Drive Detect : PASS Tested-by: Dileep Malepu <dileep.debian(a)gmail.com>

2 months

1
0
0 0

[PATCH] kernel/fork: Increase minimum number of allowed threads

by Hauke Mehrtens

From: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> A modern Linux system creates much more than 20 threads at bootup. When I booted up OpenWrt in qemu the system sometimes failed to boot up when it wanted to create the 419th thread. The VM had 128MB RAM and the calculation in set_max_threads() calculated that max_threads should be set to 419. When the system booted up it tried to notify the user space about every device it created because CONFIG_UEVENT_HELPER was set and used. I counted 1299 calles to call_usermodehelper_setup(), all of them try to create a new thread and call the userspace hotplug script in it. This fixes bootup of Linux on systems with low memory. I saw the problem with qemu 10.0.2 using these commands: qemu-system-aarch64 -machine virt -cpu cortex-a57 -nographic Cc: stable(a)vger.kernel.org Signed-off-by: Hauke Mehrtens <hauke(a)hauke-m.de> --- kernel/fork.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/fork.c b/kernel/fork.c index 7966c9a1c163..388299525f3c 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -115,7 +115,7 @@ /* * Minimum number of threads to boot the kernel */ -#define MIN_THREADS 20 +#define MIN_THREADS 600 /* * Maximum number of threads -- 2.50.1

2 months

2
2
0 0

[PATCH v5 2/3] drm/amdgpu: Reset the clear flag in buddy during resume

by Arunpravin Paneer Selvam

- Added a handler in DRM buddy manager to reset the cleared flag for the blocks in the freelist. - This is necessary because, upon resuming, the VRAM becomes cluttered with BIOS data, yet the VRAM backend manager believes that everything has been cleared. v2: - Add lock before accessing drm_buddy_clear_reset_blocks()(Matthew Auld) - Force merge the two dirty blocks.(Matthew Auld) - Add a new unit test case for this issue.(Matthew Auld) - Having this function being able to flip the state either way would be good. (Matthew Brost) v3(Matthew Auld): - Do merge step first to avoid the use of extra reset flag. Signed-off-by: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam(a)amd.com> Suggested-by: Christian König <christian.koenig(a)amd.com> Acked-by: Christian König <christian.koenig(a)amd.com> Reviewed-by: Matthew Auld <matthew.auld(a)intel.com> Cc: stable(a)vger.kernel.org Fixes: a68c7eaa7a8f ("drm/amdgpu: Enable clear page functionality") Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3812 --- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 + drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 17 ++++++++ drivers/gpu/drm/drm_buddy.c | 43 ++++++++++++++++++++ include/drm/drm_buddy.h | 2 + 5 files changed, 65 insertions(+) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c index 723ab95d8c48..ac92220f9fc3 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c @@ -5327,6 +5327,8 @@ int amdgpu_device_resume(struct drm_device *dev, bool notify_clients) dev->dev->power.disable_depth--; #endif } + + amdgpu_vram_mgr_clear_reset_blocks(adev); adev->in_suspend = false; if (amdgpu_acpi_smart_shift_update(dev, AMDGPU_SS_DEV_D0)) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h index 215c198e4aff..2309df3f68a9 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h @@ -155,6 +155,7 @@ int amdgpu_vram_mgr_reserve_range(struct amdgpu_vram_mgr *mgr, uint64_t start, uint64_t size); int amdgpu_vram_mgr_query_page_status(struct amdgpu_vram_mgr *mgr, uint64_t start); +void amdgpu_vram_mgr_clear_reset_blocks(struct amdgpu_device *adev); bool amdgpu_res_cpu_visible(struct amdgpu_device *adev, struct ttm_resource *res); diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c index abdc52b0895a..07c936e90d8e 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c @@ -782,6 +782,23 @@ uint64_t amdgpu_vram_mgr_vis_usage(struct amdgpu_vram_mgr *mgr) return atomic64_read(&mgr->vis_usage); } +/** + * amdgpu_vram_mgr_clear_reset_blocks - reset clear blocks + * + * @adev: amdgpu device pointer + * + * Reset the cleared drm buddy blocks. + */ +void amdgpu_vram_mgr_clear_reset_blocks(struct amdgpu_device *adev) +{ + struct amdgpu_vram_mgr *mgr = &adev->mman.vram_mgr; + struct drm_buddy *mm = &mgr->mm; + + mutex_lock(&mgr->lock); + drm_buddy_reset_clear(mm, false); + mutex_unlock(&mgr->lock); +} + /** * amdgpu_vram_mgr_intersects - test each drm buddy block for intersection * diff --git a/drivers/gpu/drm/drm_buddy.c b/drivers/gpu/drm/drm_buddy.c index a1e652b7631d..a94061f373de 100644 --- a/drivers/gpu/drm/drm_buddy.c +++ b/drivers/gpu/drm/drm_buddy.c @@ -405,6 +405,49 @@ drm_get_buddy(struct drm_buddy_block *block) } EXPORT_SYMBOL(drm_get_buddy); +/** + * drm_buddy_reset_clear - reset blocks clear state + * + * @mm: DRM buddy manager + * @is_clear: blocks clear state + * + * Reset the clear state based on @is_clear value for each block + * in the freelist. + */ +void drm_buddy_reset_clear(struct drm_buddy *mm, bool is_clear) +{ + u64 root_size, size, start; + unsigned int order; + int i; + + size = mm->size; + for (i = 0; i < mm->n_roots; ++i) { + order = ilog2(size) - ilog2(mm->chunk_size); + start = drm_buddy_block_offset(mm->roots[i]); + __force_merge(mm, start, start + size, order); + + root_size = mm->chunk_size << order; + size -= root_size; + } + + for (i = 0; i <= mm->max_order; ++i) { + struct drm_buddy_block *block; + + list_for_each_entry_reverse(block, &mm->free_list[i], link) { + if (is_clear != drm_buddy_block_is_clear(block)) { + if (is_clear) { + mark_cleared(block); + mm->clear_avail += drm_buddy_block_size(mm, block); + } else { + clear_reset(block); + mm->clear_avail -= drm_buddy_block_size(mm, block); + } + } + } + } +} +EXPORT_SYMBOL(drm_buddy_reset_clear); + /** * drm_buddy_free_block - free a block * diff --git a/include/drm/drm_buddy.h b/include/drm/drm_buddy.h index 9689a7c5dd36..513837632b7d 100644 --- a/include/drm/drm_buddy.h +++ b/include/drm/drm_buddy.h @@ -160,6 +160,8 @@ int drm_buddy_block_trim(struct drm_buddy *mm, u64 new_size, struct list_head *blocks); +void drm_buddy_reset_clear(struct drm_buddy *mm, bool is_clear); + void drm_buddy_free_block(struct drm_buddy *mm, struct drm_buddy_block *block); void drm_buddy_free_list(struct drm_buddy *mm, -- 2.43.0

2 months

3
5
0 0

[PATCH] PCI: j721e: Fix programming sequence of "strap" settings

by Siddharth Vadapalli

The Cadence PCIe Controller integrated in the TI K3 SoCs supports both Root-Complex and Endpoint modes of operation. The Glue Layer allows "strapping" the mode of operation of the Controller, the Link Speed and the Link Width. This is enabled by programming the "PCIEn_CTRL" register (n corresponds to the PCIe instance) within the CTRL_MMR memory-mapped register space. In the PCIe Controller's register space, the same set of registers that correspond to the Root-Port configuration space when the Controller is configured for Root-Complex mode of operation, also correspond to the Physical Function configuration space when the Controller is configured for Endpoint mode of operation. As a result, the "reset-value" of these set of registers _should_ vary depending on the selected mode of operation. This is the expected behavior according to the description of the registers and their reset values in the Technical Reference Manual for the SoCs. However, it is observed that the "reset-value" seen in practice do not match the description. To be precise, when the Controller is configured for Root-Complex mode of operation, the "reset-value" of the Root-Port configuration space reflect the "reset-value" corresponding to the Physical Function configuration space. This can be attributed to the fact that the "strap" settings play a role in "switching" the "reset-value" of the registers to match the expected values as determined by the selected mode of operation. Since the "strap" settings are sampled the moment the PCIe Controller is powered ON, the "reset-value" of the registers are setup at that point in time. As a result, if the "strap" settings are programmed at a later point in time, it _will not_ update the "reset-value" of the registers. This will cause the Physical Function configuration space to be seen when the Root-Port configuration space is accessed after programming the PCIe Controller for Root-Complex mode of operation. Fix this by powering off the PCIe Controller before programming the "strap" settings and powering it on after that. This will ensure that the "strap" settings that have been sampled convey the intended mode of operation, thereby resulting in the "reset-value" of the registers being accurate. Fixes: f3e25911a430 ("PCI: j721e: Add TI J721E PCIe driver") Cc: <stable(a)vger.kernel.org> Signed-off-by: Siddharth Vadapalli <s-vadapalli(a)ti.com> --- Hello, This patch is based on commit 155a3c003e55 Merge tag 'for-6.16/dm-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm of Mainline Linux. Patch has been validated on the J7200 SoC which is affected by the existing programming sequence of the "strap" settings. Regards, Siddharth. drivers/pci/controller/cadence/pci-j721e.c | 82 ++++++++++++++-------- 1 file changed, 53 insertions(+), 29 deletions(-) diff --git a/drivers/pci/controller/cadence/pci-j721e.c b/drivers/pci/controller/cadence/pci-j721e.c index 6c93f39d0288..d5e7cb7277dc 100644 --- a/drivers/pci/controller/cadence/pci-j721e.c +++ b/drivers/pci/controller/cadence/pci-j721e.c @@ -19,6 +19,7 @@ #include <linux/of.h> #include <linux/pci.h> #include <linux/platform_device.h> +#include <linux/pm_domain.h> #include <linux/pm_runtime.h> #include <linux/regmap.h> @@ -173,10 +174,9 @@ static const struct cdns_pcie_ops j721e_pcie_ops = { .link_up = j721e_pcie_link_up, }; -static int j721e_pcie_set_mode(struct j721e_pcie *pcie, struct regmap *syscon, - unsigned int offset) +static int j721e_pcie_set_mode(struct j721e_pcie *pcie, struct device *dev, + struct regmap *syscon, unsigned int offset) { - struct device *dev = pcie->cdns_pcie->dev; u32 mask = J721E_MODE_RC; u32 mode = pcie->mode; u32 val = 0; @@ -193,9 +193,9 @@ static int j721e_pcie_set_mode(struct j721e_pcie *pcie, struct regmap *syscon, } static int j721e_pcie_set_link_speed(struct j721e_pcie *pcie, + struct device *dev, struct regmap *syscon, unsigned int offset) { - struct device *dev = pcie->cdns_pcie->dev; struct device_node *np = dev->of_node; int link_speed; u32 val = 0; @@ -214,9 +214,9 @@ static int j721e_pcie_set_link_speed(struct j721e_pcie *pcie, } static int j721e_pcie_set_lane_count(struct j721e_pcie *pcie, + struct device *dev, struct regmap *syscon, unsigned int offset) { - struct device *dev = pcie->cdns_pcie->dev; u32 lanes = pcie->num_lanes; u32 mask = BIT(8); u32 val = 0; @@ -234,9 +234,9 @@ static int j721e_pcie_set_lane_count(struct j721e_pcie *pcie, } static int j721e_enable_acspcie_refclk(struct j721e_pcie *pcie, + struct device *dev, struct regmap *syscon) { - struct device *dev = pcie->cdns_pcie->dev; struct device_node *node = dev->of_node; u32 mask = ACSPCIE_PAD_DISABLE_MASK; struct of_phandle_args args; @@ -263,9 +263,8 @@ static int j721e_enable_acspcie_refclk(struct j721e_pcie *pcie, return 0; } -static int j721e_pcie_ctrl_init(struct j721e_pcie *pcie) +static int j721e_pcie_ctrl_init(struct j721e_pcie *pcie, struct device *dev) { - struct device *dev = pcie->cdns_pcie->dev; struct device_node *node = dev->of_node; struct of_phandle_args args; unsigned int offset = 0; @@ -284,19 +283,19 @@ static int j721e_pcie_ctrl_init(struct j721e_pcie *pcie) if (!ret) offset = args.args[0]; - ret = j721e_pcie_set_mode(pcie, syscon, offset); + ret = j721e_pcie_set_mode(pcie, dev, syscon, offset); if (ret < 0) { dev_err(dev, "Failed to set pci mode\n"); return ret; } - ret = j721e_pcie_set_link_speed(pcie, syscon, offset); + ret = j721e_pcie_set_link_speed(pcie, dev, syscon, offset); if (ret < 0) { dev_err(dev, "Failed to set link speed\n"); return ret; } - ret = j721e_pcie_set_lane_count(pcie, syscon, offset); + ret = j721e_pcie_set_lane_count(pcie, dev, syscon, offset); if (ret < 0) { dev_err(dev, "Failed to set num-lanes\n"); return ret; @@ -308,7 +307,7 @@ static int j721e_pcie_ctrl_init(struct j721e_pcie *pcie) if (!syscon) return 0; - return j721e_enable_acspcie_refclk(pcie, syscon); + return j721e_enable_acspcie_refclk(pcie, dev, syscon); } static int cdns_ti_pcie_config_read(struct pci_bus *bus, unsigned int devfn, @@ -469,6 +468,47 @@ static int j721e_pcie_probe(struct platform_device *pdev) if (!pcie) return -ENOMEM; + pcie->mode = mode; + + ret = of_property_read_u32(node, "num-lanes", &num_lanes); + if (ret || num_lanes > data->max_lanes) { + dev_warn(dev, "num-lanes property not provided or invalid, setting num-lanes to 1\n"); + num_lanes = 1; + } + + pcie->num_lanes = num_lanes; + pcie->max_lanes = data->max_lanes; + + /* + * The PCIe Controller's registers have different "reset-value" depending + * on the "strap" settings programmed into the Controller's Glue Layer. + * This is because the same set of registers are used for representing the + * Physical Function configuration space in Endpoint mode and for + * representing the Root-Port configuration space in Root-Complex mode. + * + * The registers latch onto a "reset-value" based on the "strap" settings + * sampled after the Controller is powered on. Therefore, for the + * "reset-value" to be accurate, it is necessary to program the "strap" + * settings when the Controller is powered off, and power on the Controller + * after the "strap" settings have been programmed. + * + * The "strap" settings are programmed by "j721e_pcie_ctrl_init()". + * Therefore, power off the Controller before invoking "j721e_pcie_ctrl_init()", + * program the "strap" settings, and then power on the Controller. This ensures + * that the reset values are accurate and reflect the "strap" settings. + */ + dev_pm_domain_detach(dev, true); + + ret = j721e_pcie_ctrl_init(pcie, dev); + if (ret < 0) + return ret; + + ret = dev_pm_domain_attach(dev, true); + if (ret < 0) { + dev_err(dev, "failed to power on PCIe Controller\n"); + return ret; + } + switch (mode) { case PCI_MODE_RC: if (!IS_ENABLED(CONFIG_PCI_J721E_HOST)) @@ -510,7 +550,6 @@ static int j721e_pcie_probe(struct platform_device *pdev) return 0; } - pcie->mode = mode; pcie->linkdown_irq_regfield = data->linkdown_irq_regfield; base = devm_platform_ioremap_resource_byname(pdev, "intd_cfg"); @@ -523,15 +562,6 @@ static int j721e_pcie_probe(struct platform_device *pdev) return PTR_ERR(base); pcie->user_cfg_base = base; - ret = of_property_read_u32(node, "num-lanes", &num_lanes); - if (ret || num_lanes > data->max_lanes) { - dev_warn(dev, "num-lanes property not provided or invalid, setting num-lanes to 1\n"); - num_lanes = 1; - } - - pcie->num_lanes = num_lanes; - pcie->max_lanes = data->max_lanes; - if (dma_set_mask_and_coherent(dev, DMA_BIT_MASK(48))) return -EINVAL; @@ -547,12 +577,6 @@ static int j721e_pcie_probe(struct platform_device *pdev) goto err_get_sync; } - ret = j721e_pcie_ctrl_init(pcie); - if (ret < 0) { - dev_err_probe(dev, ret, "pm_runtime_get_sync failed\n"); - goto err_get_sync; - } - ret = devm_request_irq(dev, irq, j721e_pcie_link_irq_handler, 0, "j721e-pcie-link-down-irq", pcie); if (ret < 0) { @@ -680,7 +704,7 @@ static int j721e_pcie_resume_noirq(struct device *dev) struct cdns_pcie *cdns_pcie = pcie->cdns_pcie; int ret; - ret = j721e_pcie_ctrl_init(pcie); + ret = j721e_pcie_ctrl_init(pcie, dev); if (ret < 0) return ret; -- 2.34.1

2 months

1
0
0 0

[PATCH] memstick: core: Zero initialize id_reg in h_memstick_read_dev_id()

by Nathan Chancellor

A new warning in clang [1] points out that id_reg is uninitialized then passed to memstick_init_req() as a const pointer: drivers/memstick/core/memstick.c:330:59: error: variable 'id_reg' is uninitialized when passed as a const pointer argument here [-Werror,-Wuninitialized-const-pointer] 330 | memstick_init_req(&card->current_mrq, MS_TPC_READ_REG, &id_reg, | ^~~~~~ Commit de182cc8e882 ("drivers/memstick/core/memstick.c: avoid -Wnonnull warning") intentionally passed this variable uninitialized to avoid an -Wnonnull warning from a NULL value that was previously there because id_reg is never read from the call to memstick_init_req() in h_memstick_read_dev_id(). Just zero initialize id_reg to avoid the warning, which is likely happening in the majority of builds using modern compilers that support '-ftrivial-auto-var-init=zero'. Cc: stable(a)vger.kernel.org Fixes: de182cc8e882 ("drivers/memstick/core/memstick.c: avoid -Wnonnull warning") Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d44… [1] Closes: https://github.com/ClangBuiltLinux/linux/issues/2105 Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- drivers/memstick/core/memstick.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/memstick/core/memstick.c b/drivers/memstick/core/memstick.c index 043b9ec756ff..7f3f47db4c98 100644 --- a/drivers/memstick/core/memstick.c +++ b/drivers/memstick/core/memstick.c @@ -324,7 +324,7 @@ EXPORT_SYMBOL(memstick_init_req); static int h_memstick_read_dev_id(struct memstick_dev *card, struct memstick_request **mrq) { - struct ms_id_register id_reg; + struct ms_id_register id_reg = {}; if (!(*mrq)) { memstick_init_req(&card->current_mrq, MS_TPC_READ_REG, &id_reg, --- base-commit: ff09b71bf9daeca4f21d6e5e449641c9fad75b53 change-id: 20250715-memstick-fix-uninit-const-pointer-ed6f138bf40d Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

2 months

2
1
0 0

[PATCH v2 3/3] bus: mhi: keep device context through suspend cycles

by Muhammad Usama Anjum

Don't deinitialize the device context while going into suspend or hibernation cycles. Otherwise the resume may fail if at resume time, the memory pressure is high and no dma memory is available. At resume, only reset the read/write ring pointers as rings may have stale data. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03926.13-QCAHSPSWPL_V2_SILICONZ_CE-2.52297.6 Fixes: 3000f85b8f47 ("bus: mhi: core: Add support for basic PM operations") Cc: Krishna Chaitanya Chundru <krishna.chundru(a)oss.qualcomm.com> Cc: stable(a)vger.kernel.org Signed-off-by: Muhammad Usama Anjum <usama.anjum(a)collabora.com> --- Changes since v1: - Cc stable and fix tested on tag - Add logic to reset rings at resume --- drivers/bus/mhi/host/init.c | 31 ++++++++++++++++++++++++++----- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/drivers/bus/mhi/host/init.c b/drivers/bus/mhi/host/init.c index 46ed0ae2ac285..6513012311ce3 100644 --- a/drivers/bus/mhi/host/init.c +++ b/drivers/bus/mhi/host/init.c @@ -474,6 +474,24 @@ static int mhi_init_dev_ctxt(struct mhi_controller *mhi_cntrl) return ret; } +static void mhi_reset_dev_rings(struct mhi_controller *mhi_cntrl) +{ + struct mhi_event *mhi_event = mhi_cntrl->mhi_event; + struct mhi_cmd *mhi_cmd = mhi_cntrl->mhi_cmd; + struct mhi_ring *ring; + int i; + + for (i = 0; i < mhi_cntrl->total_ev_rings; i++, mhi_event++) { + ring = &mhi_event->ring; + ring->rp = ring->wp = ring->base; + } + + for (i = 0; i < NR_OF_CMD_RINGS; i++, mhi_cmd++) { + ring = &mhi_cmd->ring; + ring->rp = ring->wp = ring->base; + } +} + int mhi_init_mmio(struct mhi_controller *mhi_cntrl) { u32 val; @@ -1133,9 +1151,13 @@ int mhi_prepare_for_power_up(struct mhi_controller *mhi_cntrl) mutex_lock(&mhi_cntrl->pm_mutex); - ret = mhi_init_dev_ctxt(mhi_cntrl); - if (ret) - goto error_dev_ctxt; + if (!mhi_cntrl->mhi_ctxt) { + ret = mhi_init_dev_ctxt(mhi_cntrl); + if (ret) + goto error_dev_ctxt; + } else { + mhi_reset_dev_rings(mhi_cntrl); + } ret = mhi_read_reg(mhi_cntrl, mhi_cntrl->regs, BHIOFF, &bhi_off); if (ret) { @@ -1212,8 +1234,6 @@ void mhi_deinit_dev_ctxt(struct mhi_controller *mhi_cntrl) { mhi_cntrl->bhi = NULL; mhi_cntrl->bhie = NULL; - - __mhi_deinit_dev_ctxt(mhi_cntrl); } void mhi_unprepare_after_power_down(struct mhi_controller *mhi_cntrl) @@ -1239,6 +1259,7 @@ void mhi_unprepare_after_power_down(struct mhi_controller *mhi_cntrl) } mhi_deinit_dev_ctxt(mhi_cntrl); + __mhi_deinit_dev_ctxt(mhi_cntrl); } EXPORT_SYMBOL_GPL(mhi_unprepare_after_power_down); -- 2.39.5

2 months

2
1
0 0

[PATCH v2 2/3] bus: mhi: host: keep bhie buffer through suspend cycle

by Muhammad Usama Anjum

When there is memory pressure, at resume time dma_alloc_coherent() returns error which in turn fails the loading of the firmware and hence the driver crashes. Fix it by allocating only once and then reuse the same allocated memory. As we'll allocate this memory only once, this memory will stays allocated. Fixes: f88f1d0998ea ("bus: mhi: host: Add a policy to enable image transfer via BHIe in PBL") Cc: Krishna Chaitanya Chundru <krishna.chundru(a)oss.qualcomm.com> Cc: stable(a)vger.kernel.org Signed-off-by: Muhammad Usama Anjum <usama.anjum(a)collabora.com> --- Changes since v1: - Added in v2 --- drivers/bus/mhi/host/boot.c | 19 ++++++++++++------- drivers/bus/mhi/host/init.c | 5 +++++ include/linux/mhi.h | 1 + 3 files changed, 18 insertions(+), 7 deletions(-) diff --git a/drivers/bus/mhi/host/boot.c b/drivers/bus/mhi/host/boot.c index 9fc983bc12d49..9f35ce9d670e7 100644 --- a/drivers/bus/mhi/host/boot.c +++ b/drivers/bus/mhi/host/boot.c @@ -478,17 +478,22 @@ static int mhi_load_image_bhi(struct mhi_controller *mhi_cntrl, const u8 *fw_dat static int mhi_load_image_bhie(struct mhi_controller *mhi_cntrl, const u8 *fw_data, size_t size) { - struct image_info *image; + struct image_info **image = &mhi_cntrl->bhie_image; int ret; - ret = mhi_alloc_bhie_table(mhi_cntrl, &image, size); - if (ret) - return ret; + if (!(*image)) { + ret = mhi_alloc_bhie_table(mhi_cntrl, image, size); + if (ret) + return ret; - mhi_firmware_copy_bhie(mhi_cntrl, fw_data, size, image); + mhi_firmware_copy_bhie(mhi_cntrl, fw_data, size, *image); + } - ret = mhi_fw_load_bhie(mhi_cntrl, &image->mhi_buf[image->entries - 1]); - mhi_free_bhie_table(mhi_cntrl, image); + ret = mhi_fw_load_bhie(mhi_cntrl, &(*image)->mhi_buf[(*image)->entries - 1]); + if (ret) { + mhi_free_bhie_table(mhi_cntrl, *image); + *image = NULL; + } return ret; } diff --git a/drivers/bus/mhi/host/init.c b/drivers/bus/mhi/host/init.c index 2e0f18c939e68..46ed0ae2ac285 100644 --- a/drivers/bus/mhi/host/init.c +++ b/drivers/bus/mhi/host/init.c @@ -1228,6 +1228,11 @@ void mhi_unprepare_after_power_down(struct mhi_controller *mhi_cntrl) mhi_cntrl->rddm_image = NULL; } + if (mhi_cntrl->bhie_image) { + mhi_free_bhie_table(mhi_cntrl, mhi_cntrl->bhie_image); + mhi_cntrl->bhie_image = NULL; + } + if (mhi_cntrl->bhi_image) { mhi_free_bhi_buffer(mhi_cntrl, mhi_cntrl->bhi_image); mhi_cntrl->bhi_image = NULL; diff --git a/include/linux/mhi.h b/include/linux/mhi.h index 593012f779d97..77986cd66fda3 100644 --- a/include/linux/mhi.h +++ b/include/linux/mhi.h @@ -391,6 +391,7 @@ struct mhi_controller { size_t reg_len; struct image_info *fbc_image; struct image_info *rddm_image; + struct image_info *bhie_image; struct image_info *bhi_image; struct mhi_chan *mhi_chan; struct list_head lpm_chans; -- 2.39.5

2 months

2
1
0 0

[PATCH] wifi: brcmsmac: Remove const from tbl_ptr parameter in wlc_lcnphy_common_read_table()

by Nathan Chancellor

A new warning in clang [1] complains that diq_start in wlc_lcnphy_tx_iqlo_cal() is passed uninitialized as a const pointer to wlc_lcnphy_common_read_table(): drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c:2728:13: error: variable 'diq_start' is uninitialized when passed as a const pointer argument here [-Werror,-Wuninitialized-const-pointer] 2728 | &diq_start, 1, 16, 69); | ^~~~~~~~~ The table pointer passed to wlc_lcnphy_common_read_table() should not be considered constant, as wlc_phy_read_table() is ultimately going to update it. Remove the const qualifier from the tbl_ptr to clear up the warning. Cc: stable(a)vger.kernel.org Closes: https://github.com/ClangBuiltLinux/linux/issues/2108 Fixes: 5b435de0d786 ("net: wireless: add brcm80211 drivers") Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d44… [1] Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c index d0faba240561..b4bba67a45ec 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c @@ -919,7 +919,7 @@ void wlc_lcnphy_read_table(struct brcms_phy *pi, struct phytbl_info *pti) static void wlc_lcnphy_common_read_table(struct brcms_phy *pi, u32 tbl_id, - const u16 *tbl_ptr, u32 tbl_len, + u16 *tbl_ptr, u32 tbl_len, u32 tbl_width, u32 tbl_offset) { struct phytbl_info tab; --- base-commit: bbc19fef578970158847a41d9b6b6b218034b8c2 change-id: 20250715-brcmsmac-fix-uninit-const-pointer-d35114a50936 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

2 months

2
1
0 0

[PATCH v4 2/3] drm/amdgpu: Reset the clear flag in buddy during resume

by Arunpravin Paneer Selvam

- Added a handler in DRM buddy manager to reset the cleared flag for the blocks in the freelist. - This is necessary because, upon resuming, the VRAM becomes cluttered with BIOS data, yet the VRAM backend manager believes that everything has been cleared. v2: - Add lock before accessing drm_buddy_clear_reset_blocks()(Matthew Auld) - Force merge the two dirty blocks.(Matthew Auld) - Add a new unit test case for this issue.(Matthew Auld) - Having this function being able to flip the state either way would be good. (Matthew Brost) v3(Matthew Auld): - Do merge step first to avoid the use of extra reset flag. Signed-off-by: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam(a)amd.com> Suggested-by: Christian König <christian.koenig(a)amd.com> Reviewed-by: Matthew Auld <matthew.auld(a)intel.com> Cc: stable(a)vger.kernel.org Fixes: a68c7eaa7a8f ("drm/amdgpu: Enable clear page functionality") Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3812 --- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 + drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 17 ++++++++ drivers/gpu/drm/drm_buddy.c | 43 ++++++++++++++++++++ include/drm/drm_buddy.h | 2 + 5 files changed, 65 insertions(+) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c index 723ab95d8c48..ac92220f9fc3 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c @@ -5327,6 +5327,8 @@ int amdgpu_device_resume(struct drm_device *dev, bool notify_clients) dev->dev->power.disable_depth--; #endif } + + amdgpu_vram_mgr_clear_reset_blocks(adev); adev->in_suspend = false; if (amdgpu_acpi_smart_shift_update(dev, AMDGPU_SS_DEV_D0)) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h index 215c198e4aff..2309df3f68a9 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h @@ -155,6 +155,7 @@ int amdgpu_vram_mgr_reserve_range(struct amdgpu_vram_mgr *mgr, uint64_t start, uint64_t size); int amdgpu_vram_mgr_query_page_status(struct amdgpu_vram_mgr *mgr, uint64_t start); +void amdgpu_vram_mgr_clear_reset_blocks(struct amdgpu_device *adev); bool amdgpu_res_cpu_visible(struct amdgpu_device *adev, struct ttm_resource *res); diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c index abdc52b0895a..07c936e90d8e 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c @@ -782,6 +782,23 @@ uint64_t amdgpu_vram_mgr_vis_usage(struct amdgpu_vram_mgr *mgr) return atomic64_read(&mgr->vis_usage); } +/** + * amdgpu_vram_mgr_clear_reset_blocks - reset clear blocks + * + * @adev: amdgpu device pointer + * + * Reset the cleared drm buddy blocks. + */ +void amdgpu_vram_mgr_clear_reset_blocks(struct amdgpu_device *adev) +{ + struct amdgpu_vram_mgr *mgr = &adev->mman.vram_mgr; + struct drm_buddy *mm = &mgr->mm; + + mutex_lock(&mgr->lock); + drm_buddy_reset_clear(mm, false); + mutex_unlock(&mgr->lock); +} + /** * amdgpu_vram_mgr_intersects - test each drm buddy block for intersection * diff --git a/drivers/gpu/drm/drm_buddy.c b/drivers/gpu/drm/drm_buddy.c index a1e652b7631d..a94061f373de 100644 --- a/drivers/gpu/drm/drm_buddy.c +++ b/drivers/gpu/drm/drm_buddy.c @@ -405,6 +405,49 @@ drm_get_buddy(struct drm_buddy_block *block) } EXPORT_SYMBOL(drm_get_buddy); +/** + * drm_buddy_reset_clear - reset blocks clear state + * + * @mm: DRM buddy manager + * @is_clear: blocks clear state + * + * Reset the clear state based on @is_clear value for each block + * in the freelist. + */ +void drm_buddy_reset_clear(struct drm_buddy *mm, bool is_clear) +{ + u64 root_size, size, start; + unsigned int order; + int i; + + size = mm->size; + for (i = 0; i < mm->n_roots; ++i) { + order = ilog2(size) - ilog2(mm->chunk_size); + start = drm_buddy_block_offset(mm->roots[i]); + __force_merge(mm, start, start + size, order); + + root_size = mm->chunk_size << order; + size -= root_size; + } + + for (i = 0; i <= mm->max_order; ++i) { + struct drm_buddy_block *block; + + list_for_each_entry_reverse(block, &mm->free_list[i], link) { + if (is_clear != drm_buddy_block_is_clear(block)) { + if (is_clear) { + mark_cleared(block); + mm->clear_avail += drm_buddy_block_size(mm, block); + } else { + clear_reset(block); + mm->clear_avail -= drm_buddy_block_size(mm, block); + } + } + } + } +} +EXPORT_SYMBOL(drm_buddy_reset_clear); + /** * drm_buddy_free_block - free a block * diff --git a/include/drm/drm_buddy.h b/include/drm/drm_buddy.h index 9689a7c5dd36..513837632b7d 100644 --- a/include/drm/drm_buddy.h +++ b/include/drm/drm_buddy.h @@ -160,6 +160,8 @@ int drm_buddy_block_trim(struct drm_buddy *mm, u64 new_size, struct list_head *blocks); +void drm_buddy_reset_clear(struct drm_buddy *mm, bool is_clear); + void drm_buddy_free_block(struct drm_buddy *mm, struct drm_buddy_block *block); void drm_buddy_free_list(struct drm_buddy *mm, -- 2.43.0

2 months

3
2
0 0

[PATCH stable 6.12] selftests/bpf: Set test path for token/obj_priv_implicit_token_envvar

by Shung-Hsi Yu

From: Ihor Solodrai <ihor.solodrai(a)pm.me> Commit f01750aecdfb8bfb02842f60af3d805a3ae7267a upstream. token/obj_priv_implicit_token_envvar test may fail in an environment where the process executing tests can not write to the root path. Example: https://github.com/libbpf/libbpf/actions/runs/11844507007/job/33007897936 Change default path used by the test to /tmp/bpf-token-fs, and make it runtime configurable via an environment variable. Signed-off-by: Ihor Solodrai <ihor.solodrai(a)pm.me> Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org> Link: https://lore.kernel.org/bpf/20241115003853.864397-1-ihor.solodrai@pm.me Signed-off-by: Shung-Hsi Yu <shung-hsi.yu(a)suse.com> --- Without this patch test_prog's token/obj_priv_implicit_token_envvar test will fail. --- .../testing/selftests/bpf/prog_tests/token.c | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/tools/testing/selftests/bpf/prog_tests/token.c b/tools/testing/selftests/bpf/prog_tests/token.c index fe86e4fdb89c..c3ab9b6fb069 100644 --- a/tools/testing/selftests/bpf/prog_tests/token.c +++ b/tools/testing/selftests/bpf/prog_tests/token.c @@ -828,8 +828,12 @@ static int userns_obj_priv_btf_success(int mnt_fd, struct token_lsm *lsm_skel) return validate_struct_ops_load(mnt_fd, true /* should succeed */); } +static const char *token_bpffs_custom_dir() +{ + return getenv("BPF_SELFTESTS_BPF_TOKEN_DIR") ?: "/tmp/bpf-token-fs"; +} + #define TOKEN_ENVVAR "LIBBPF_BPF_TOKEN_PATH" -#define TOKEN_BPFFS_CUSTOM "/bpf-token-fs" static int userns_obj_priv_implicit_token(int mnt_fd, struct token_lsm *lsm_skel) { @@ -892,6 +896,7 @@ static int userns_obj_priv_implicit_token(int mnt_fd, struct token_lsm *lsm_skel static int userns_obj_priv_implicit_token_envvar(int mnt_fd, struct token_lsm *lsm_skel) { + const char *custom_dir = token_bpffs_custom_dir(); LIBBPF_OPTS(bpf_object_open_opts, opts); struct dummy_st_ops_success *skel; int err; @@ -909,10 +914,10 @@ static int userns_obj_priv_implicit_token_envvar(int mnt_fd, struct token_lsm *l * BPF token implicitly, unless pointed to it through * LIBBPF_BPF_TOKEN_PATH envvar */ - rmdir(TOKEN_BPFFS_CUSTOM); - if (!ASSERT_OK(mkdir(TOKEN_BPFFS_CUSTOM, 0777), "mkdir_bpffs_custom")) + rmdir(custom_dir); + if (!ASSERT_OK(mkdir(custom_dir, 0777), "mkdir_bpffs_custom")) goto err_out; - err = sys_move_mount(mnt_fd, "", AT_FDCWD, TOKEN_BPFFS_CUSTOM, MOVE_MOUNT_F_EMPTY_PATH); + err = sys_move_mount(mnt_fd, "", AT_FDCWD, custom_dir, MOVE_MOUNT_F_EMPTY_PATH); if (!ASSERT_OK(err, "move_mount_bpffs")) goto err_out; @@ -925,7 +930,7 @@ static int userns_obj_priv_implicit_token_envvar(int mnt_fd, struct token_lsm *l goto err_out; } - err = setenv(TOKEN_ENVVAR, TOKEN_BPFFS_CUSTOM, 1 /*overwrite*/); + err = setenv(TOKEN_ENVVAR, custom_dir, 1 /*overwrite*/); if (!ASSERT_OK(err, "setenv_token_path")) goto err_out; @@ -951,11 +956,11 @@ static int userns_obj_priv_implicit_token_envvar(int mnt_fd, struct token_lsm *l if (!ASSERT_ERR(err, "obj_empty_token_path_load")) goto err_out; - rmdir(TOKEN_BPFFS_CUSTOM); + rmdir(custom_dir); unsetenv(TOKEN_ENVVAR); return 0; err_out: - rmdir(TOKEN_BPFFS_CUSTOM); + rmdir(custom_dir); unsetenv(TOKEN_ENVVAR); return -EINVAL; } -- 2.50.1

2 months

1
0
0 0

[PATCH] tracing/probes: Avoid using params uninitialized in parse_btf_arg()

by Nathan Chancellor

After a recent change in clang to strengthen uninitialized warnings [1], it points out that in one of the error paths in parse_btf_arg(), params is used uninitialized: kernel/trace/trace_probe.c:660:19: warning: variable 'params' is uninitialized when used here [-Wuninitialized] 660 | return PTR_ERR(params); | ^~~~~~ Match many other NO_BTF_ENTRY error cases and return -ENOENT, clearing up the warning. Cc: stable(a)vger.kernel.org Closes: https://github.com/ClangBuiltLinux/linux/issues/2110 Fixes: d157d7694460 ("tracing/probes: Support BTF field access from $retval") Link: https://github.com/llvm/llvm-project/commit/2464313eef01c5b1edf0eccf57a32cd… [1] Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- kernel/trace/trace_probe.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c index 424751cdf31f..40830a3ecd96 100644 --- a/kernel/trace/trace_probe.c +++ b/kernel/trace/trace_probe.c @@ -657,7 +657,7 @@ static int parse_btf_arg(char *varname, ret = query_btf_context(ctx); if (ret < 0 || ctx->nr_params == 0) { trace_probe_log_err(ctx->offset, NO_BTF_ENTRY); - return PTR_ERR(params); + return -ENOENT; } } params = ctx->params; --- base-commit: 6921d1e07cb5eddec830801087b419194fde0803 change-id: 20250715-trace_probe-fix-const-uninit-warning-7dc3accce903 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

2 months

2
1
0 0

[PATCH net v2] net: libwx: fix multicast packets received count

by Jiawen Wu

Multicast good packets received by PF rings that pass ethternet MAC address filtering are counted for rtnl_link_stats64.multicast. The counter is not cleared on read. Fix the duplicate counting on updating statistics. Fixes: 46b92e10d631 ("net: libwx: support hardware statistics") Cc: stable(a)vger.kernel.org Signed-off-by: Jiawen Wu <jiawenwu(a)trustnetic.com> --- v1 -> v2: - add code comment --- drivers/net/ethernet/wangxun/libwx/wx_hw.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/ethernet/wangxun/libwx/wx_hw.c b/drivers/net/ethernet/wangxun/libwx/wx_hw.c index 0f4be72116b8..7ae3786d90b8 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_hw.c +++ b/drivers/net/ethernet/wangxun/libwx/wx_hw.c @@ -2778,6 +2778,8 @@ void wx_update_stats(struct wx *wx) hwstats->fdirmiss += rd32(wx, WX_RDB_FDIR_MISS); } + /* qmprc is not cleared on read, manual reset it */ + hwstats->qmprc = 0; for (i = wx->num_vfs * wx->num_rx_queues_per_pool; i < wx->mac.max_rx_queues; i++) hwstats->qmprc += rd32(wx, WX_PX_MPRC(i)); -- 2.48.1

2 months

3
2
0 0

[PATCH net 0/3] mptcp: fix fallback-related races

by Matthieu Baerts (NGI0)

This series contains 3 fixes somewhat related to various races we have while handling fallback. The root cause of the issues addressed here is that the check for "we can fallback to tcp now" and the related action are not atomic. That also applies to fallback due to MP_FAIL -- where the window race is even wider. Address the issue introducing an additional spinlock to bundle together all the relevant events, as per patch 1 and 2. These fixes can be backported up to v5.19 and v5.15. Note that mptcp_disconnect() unconditionally clears the fallback status (zeroing msk->flags) but don't touch the `allows_infinite_fallback` flag. Such issue is addressed in patch 3, and can be backported up to v5.17. Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Paolo Abeni (3): mptcp: make fallback action and fallback decision atomic mptcp: plug races between subflow fail and subflow creation mptcp: reset fallback status gracefully at disconnect() time net/mptcp/options.c | 3 ++- net/mptcp/pm.c | 8 +++++++- net/mptcp/protocol.c | 56 ++++++++++++++++++++++++++++++++++++++++++++-------- net/mptcp/protocol.h | 29 ++++++++++++++++++++------- net/mptcp/subflow.c | 30 +++++++++++++++++----------- 5 files changed, 98 insertions(+), 28 deletions(-) --- base-commit: b640daa2822a39ff76e70200cb2b7b892b896dce change-id: 20250714-net-mptcp-fallback-races-a99f171cf5ca Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

2 months

2
4
0 0

[PATCH] drm/msm/dpu: Initialize crtc_state to NULL in dpu_plane_virtual_atomic_check()

by Nathan Chancellor

After a recent change in clang to expose uninitialized warnings from const variables and pointers [1], there is a warning around crtc_state in dpu_plane_virtual_atomic_check(): drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c:1145:6: error: variable 'crtc_state' is used uninitialized whenever 'if' condition is false [-Werror,-Wsometimes-uninitialized] 1145 | if (plane_state->crtc) | ^~~~~~~~~~~~~~~~~ drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c:1149:58: note: uninitialized use occurs here 1149 | ret = dpu_plane_atomic_check_nosspp(plane, plane_state, crtc_state); | ^~~~~~~~~~ drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c:1145:2: note: remove the 'if' if its condition is always true 1145 | if (plane_state->crtc) | ^~~~~~~~~~~~~~~~~~~~~~ 1146 | crtc_state = drm_atomic_get_new_crtc_state(state, drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c:1139:35: note: initialize the variable 'crtc_state' to silence this warning 1139 | struct drm_crtc_state *crtc_state; | ^ | = NULL Initialize crtc_state to NULL like other places in the driver do, so that it is consistently initialized. Cc: stable(a)vger.kernel.org Closes: https://github.com/ClangBuiltLinux/linux/issues/2106 Fixes: 774bcfb73176 ("drm/msm/dpu: add support for virtual planes") Link: https://github.com/llvm/llvm-project/commit/2464313eef01c5b1edf0eccf57a32cd… [1] Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c index 421138bc3cb7..30ff21c01a36 100644 --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c @@ -1136,7 +1136,7 @@ static int dpu_plane_virtual_atomic_check(struct drm_plane *plane, struct drm_plane_state *old_plane_state = drm_atomic_get_old_plane_state(state, plane); struct dpu_plane_state *pstate = to_dpu_plane_state(plane_state); - struct drm_crtc_state *crtc_state; + struct drm_crtc_state *crtc_state = NULL; int ret; if (IS_ERR(plane_state)) --- base-commit: d3deabe4c619875714b9a844b1a3d9752dbae1dd change-id: 20250715-drm-msm-fix-const-uninit-warning-2b93cef9f1c6 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

2 months

2
1
0 0

[PATCH] wifi: mt76: mt7996: Initialize hdr before passing to skb_put_data()

by Nathan Chancellor

A new warning in clang [1] points out a couple of places where a hdr variable is not initialized then passed along to skb_put_data(). drivers/net/wireless/mediatek/mt76/mt7996/mcu.c:1894:21: warning: variable 'hdr' is uninitialized when passed as a const pointer argument here [-Wuninitialized-const-pointer] 1894 | skb_put_data(skb, &hdr, sizeof(hdr)); | ^~~ drivers/net/wireless/mediatek/mt76/mt7996/mcu.c:3386:21: warning: variable 'hdr' is uninitialized when passed as a const pointer argument here [-Wuninitialized-const-pointer] 3386 | skb_put_data(skb, &hdr, sizeof(hdr)); | ^~~ Zero initialize these headers as done in other places in the driver when there is nothing stored in the header. Cc: stable(a)vger.kernel.org Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices") Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d44… [1] Closes: https://github.com/ClangBuiltLinux/linux/issues/2104 Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c index 994526c65bfc..640abb4dce7f 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c @@ -1879,8 +1879,8 @@ mt7996_mcu_get_mmps_mode(enum ieee80211_smps_mode smps) int mt7996_mcu_set_fixed_rate_ctrl(struct mt7996_dev *dev, void *data, u16 version) { + struct uni_header hdr = {}; struct ra_fixed_rate *req; - struct uni_header hdr; struct sk_buff *skb; struct tlv *tlv; int len; @@ -3373,7 +3373,7 @@ int mt7996_mcu_set_hdr_trans(struct mt7996_dev *dev, bool hdr_trans) { struct { u8 __rsv[4]; - } __packed hdr; + } __packed hdr = {}; struct hdr_trans_blacklist *req_blacklist; struct hdr_trans_en *req_en; struct sk_buff *skb; --- base-commit: eb8352ee2d1e70f916fac02094dca2b435076fa4 change-id: 20250715-mt7996-fix-uninit-const-pointer-01e1dd03d444 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

2 months

1
0
0 0

[PATCH linux-6.12.y 1/2] selftests/bpf: Add a test for arena range tree algorithm

by Yifei Liu

From: Alexei Starovoitov <ast(a)kernel.org> Add a test that verifies specific behavior of arena range tree algorithm and adjust existing big_alloc1 test due to use of global data in arena. Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org> Acked-by: Kumar Kartikeya Dwivedi <memxor(a)gmail.com> Link: https://lore.kernel.org/bpf/20241108025616.17625-3-alexei.starovoitov@gmail… (cherry picked from commit e58358afa84e8e271a296459d35d1715c7572013) [Yifei: This commit fixes the failure of verifier_arena_large test over 64k page size kernels. This commit also introduce some new tests targeting the new feature, arena range tree algorithm, which is not in linux-6.12.y, I just comment out the test headers so that it would not be run here. If this feature is introduced later, we can just uncomment those two lines.] Signed-off-by: Yifei Liu <yifei.l.liu(a)oracle.com> --- .../bpf/progs/verifier_arena_large.c | 110 +++++++++++++++++- 1 file changed, 108 insertions(+), 2 deletions(-) diff --git a/tools/testing/selftests/bpf/progs/verifier_arena_large.c b/tools/testing/selftests/bpf/progs/verifier_arena_large.c index 6065f862d964..f318675814c6 100644 --- a/tools/testing/selftests/bpf/progs/verifier_arena_large.c +++ b/tools/testing/selftests/bpf/progs/verifier_arena_large.c @@ -29,12 +29,12 @@ int big_alloc1(void *ctx) if (!page1) return 1; *page1 = 1; - page2 = bpf_arena_alloc_pages(&arena, base + ARENA_SIZE - PAGE_SIZE, + page2 = bpf_arena_alloc_pages(&arena, base + ARENA_SIZE - PAGE_SIZE * 2, 1, NUMA_NO_NODE, 0); if (!page2) return 2; *page2 = 2; - no_page = bpf_arena_alloc_pages(&arena, base + ARENA_SIZE, + no_page = bpf_arena_alloc_pages(&arena, base + ARENA_SIZE - PAGE_SIZE, 1, NUMA_NO_NODE, 0); if (no_page) return 3; @@ -66,4 +66,110 @@ int big_alloc1(void *ctx) #endif return 0; } + +#if defined(__BPF_FEATURE_ADDR_SPACE_CAST) +#define PAGE_CNT 100 +__u8 __arena * __arena page[PAGE_CNT]; /* occupies the first page */ +__u8 __arena *base; + +/* + * Check that arena's range_tree algorithm allocates pages sequentially + * on the first pass and then fills in all gaps on the second pass. + */ +__noinline int alloc_pages(int page_cnt, int pages_atonce, bool first_pass, + int max_idx, int step) +{ + __u8 __arena *pg; + int i, pg_idx; + + for (i = 0; i < page_cnt; i++) { + pg = bpf_arena_alloc_pages(&arena, NULL, pages_atonce, + NUMA_NO_NODE, 0); + if (!pg) + return step; + pg_idx = (pg - base) / PAGE_SIZE; + if (first_pass) { + /* Pages must be allocated sequentially */ + if (pg_idx != i) + return step + 100; + } else { + /* Allocator must fill into gaps */ + if (pg_idx >= max_idx || (pg_idx & 1)) + return step + 200; + } + *pg = pg_idx; + page[pg_idx] = pg; + cond_break; + } + return 0; +} + +//SEC("syscall") +//__success __retval(0) +int big_alloc2(void *ctx) +{ + __u8 __arena *pg; + int i, err; + + base = bpf_arena_alloc_pages(&arena, NULL, 1, NUMA_NO_NODE, 0); + if (!base) + return 1; + bpf_arena_free_pages(&arena, (void __arena *)base, 1); + + err = alloc_pages(PAGE_CNT, 1, true, PAGE_CNT, 2); + if (err) + return err; + + /* Clear all even pages */ + for (i = 0; i < PAGE_CNT; i += 2) { + pg = page[i]; + if (*pg != i) + return 3; + bpf_arena_free_pages(&arena, (void __arena *)pg, 1); + page[i] = NULL; + cond_break; + } + + /* Allocate into freed gaps */ + err = alloc_pages(PAGE_CNT / 2, 1, false, PAGE_CNT, 4); + if (err) + return err; + + /* Free pairs of pages */ + for (i = 0; i < PAGE_CNT; i += 4) { + pg = page[i]; + if (*pg != i) + return 5; + bpf_arena_free_pages(&arena, (void __arena *)pg, 2); + page[i] = NULL; + page[i + 1] = NULL; + cond_break; + } + + /* Allocate 2 pages at a time into freed gaps */ + err = alloc_pages(PAGE_CNT / 4, 2, false, PAGE_CNT, 6); + if (err) + return err; + + /* Check pages without freeing */ + for (i = 0; i < PAGE_CNT; i += 2) { + pg = page[i]; + if (*pg != i) + return 7; + cond_break; + } + + pg = bpf_arena_alloc_pages(&arena, NULL, 1, NUMA_NO_NODE, 0); + + if (!pg) + return 8; + /* + * The first PAGE_CNT pages are occupied. The new page + * must be above. + */ + if ((pg - base) / PAGE_SIZE < PAGE_CNT) + return 9; + return 0; +} +#endif char _license[] SEC("license") = "GPL"; -- 2.46.0

2 months

1
1
0 0

[PATCH] mm/ksm: Fix -Wsometimes-uninitialized from clang-21 in advisor_mode_show()

by Nathan Chancellor

After a recent change in clang to expose uninitialized warnings from const variables [1], there is a warning from the if statement in advisor_mode_show(). mm/ksm.c:3687:11: error: variable 'output' is used uninitialized whenever 'if' condition is false [-Werror,-Wsometimes-uninitialized] 3687 | else if (ksm_advisor == KSM_ADVISOR_SCAN_TIME) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ mm/ksm.c:3690:33: note: uninitialized use occurs here 3690 | return sysfs_emit(buf, "%s\n", output); | ^~~~~~ Rewrite the if statement to implicitly make KSM_ADVISOR_NONE the else branch so that it is obvious to the compiler that ksm_advisor can only be KSM_ADVISOR_NONE or KSM_ADVISOR_SCAN_TIME due to the assignments in advisor_mode_store(). Cc: stable(a)vger.kernel.org Fixes: 66790e9a735b ("mm/ksm: add sysfs knobs for advisor") Closes: https://github.com/ClangBuiltLinux/linux/issues/2100 Link: https://github.com/llvm/llvm-project/commit/2464313eef01c5b1edf0eccf57a32cd… [1] Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- mm/ksm.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/mm/ksm.c b/mm/ksm.c index 2b0210d41c55..160787bb121c 100644 --- a/mm/ksm.c +++ b/mm/ksm.c @@ -3682,10 +3682,10 @@ static ssize_t advisor_mode_show(struct kobject *kobj, { const char *output; - if (ksm_advisor == KSM_ADVISOR_NONE) - output = "[none] scan-time"; - else if (ksm_advisor == KSM_ADVISOR_SCAN_TIME) + if (ksm_advisor == KSM_ADVISOR_SCAN_TIME) output = "none [scan-time]"; + else + output = "[none] scan-time"; return sysfs_emit(buf, "%s\n", output); } --- base-commit: fed48693bdfeca666f7536ba88a05e9a4e5523b6 change-id: 20250715-ksm-fix-clang-21-uninit-warning-bea5a6b886ce Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

2 months

3
2
0 0

+ mm-ksm-fix-wsometimes-uninitialized-from-clang-21-in-advisor_mode_show.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/ksm: fix -Wsometimes-uninitialized from clang-21 in advisor_mode_show() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-ksm-fix-wsometimes-uninitialized-from-clang-21-in-advisor_mode_show.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Nathan Chancellor <nathan(a)kernel.org> Subject: mm/ksm: fix -Wsometimes-uninitialized from clang-21 in advisor_mode_show() Date: Tue, 15 Jul 2025 12:56:16 -0700 After a recent change in clang to expose uninitialized warnings from const variables [1], there is a false positive warning from the if statement in advisor_mode_show(). mm/ksm.c:3687:11: error: variable 'output' is used uninitialized whenever 'if' condition is false [-Werror,-Wsometimes-uninitialized] 3687 | else if (ksm_advisor == KSM_ADVISOR_SCAN_TIME) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ mm/ksm.c:3690:33: note: uninitialized use occurs here 3690 | return sysfs_emit(buf, "%s\n", output); | ^~~~~~ Rewrite the if statement to implicitly make KSM_ADVISOR_NONE the else branch so that it is obvious to the compiler that ksm_advisor can only be KSM_ADVISOR_NONE or KSM_ADVISOR_SCAN_TIME due to the assignments in advisor_mode_store(). Link: https://lkml.kernel.org/r/20250715-ksm-fix-clang-21-uninit-warning-v1-1-f44… Fixes: 66790e9a735b ("mm/ksm: add sysfs knobs for advisor") Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> Closes: https://github.com/ClangBuiltLinux/linux/issues/2100 Link: https://github.com/llvm/llvm-project/commit/2464313eef01c5b1edf0eccf57a32cd… [1] Cc: Chengming Zhou <chengming.zhou(a)linux.dev> Cc: David Hildenbrand <david(a)redhat.com> Cc: Stefan Roesch <shr(a)devkernel.io> Cc: xu xin <xu.xin16(a)zte.com.cn> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/ksm.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/mm/ksm.c~mm-ksm-fix-wsometimes-uninitialized-from-clang-21-in-advisor_mode_show +++ a/mm/ksm.c @@ -3669,10 +3669,10 @@ static ssize_t advisor_mode_show(struct { const char *output; - if (ksm_advisor == KSM_ADVISOR_NONE) - output = "[none] scan-time"; - else if (ksm_advisor == KSM_ADVISOR_SCAN_TIME) + if (ksm_advisor == KSM_ADVISOR_SCAN_TIME) output = "none [scan-time]"; + else + output = "[none] scan-time"; return sysfs_emit(buf, "%s\n", output); } _ Patches currently in -mm which might be from nathan(a)kernel.org are mm-ksm-fix-wsometimes-uninitialized-from-clang-21-in-advisor_mode_show.patch panic-add-panic_sys_info-sysctl-to-take-human-readable-string-parameter-fix.patch

2 months

1
0
0 0

[PATCH V6] efi/tpm: Fix the issue where the CC platforms event log header can't be correctly identified

by yangge1116＠126.com

From: Ge Yang <yangge1116(a)126.com> Since commit d228814b1913 ("efi/libstub: Add get_event_log() support for CC platforms") reuses TPM2 support code for the CC platforms, when launching a TDX virtual machine with coco measurement enabled, the following error log is generated: [Firmware Bug]: Failed to parse event in TPM Final Events Log Call Trace: efi_config_parse_tables() efi_tpm_eventlog_init() tpm2_calc_event_log_size() __calc_tpm2_event_size() The pcr_idx value in the Intel TDX log header is 1, causing the function __calc_tpm2_event_size() to fail to recognize the log header, ultimately leading to the "Failed to parse event in TPM Final Events Log" error. Intel misread the spec and wrongly sets pcrIndex to 1 in the header and since they did this, we fear others might, so we're relaxing the header check. There's no danger of this causing problems because we check for the TCG_SPECID_SIG signature as the next thing. Fixes: d228814b1913 ("efi/libstub: Add get_event_log() support for CC platforms") Signed-off-by: Ge Yang <yangge1116(a)126.com> Cc: stable(a)vger.kernel.org --- V6: - improve commit message suggested by James V5: - remove the pcr_index check without adding any replacement checks suggested by James and Sathyanarayanan V4: - remove cc_platform_has(CC_ATTR_GUEST_STATE_ENCRYPT) suggested by Ard V3: - fix build error V2: - limit the fix for CC only suggested by Jarkko and Sathyanarayanan include/linux/tpm_eventlog.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/linux/tpm_eventlog.h b/include/linux/tpm_eventlog.h index 891368e..05c0ae5 100644 --- a/include/linux/tpm_eventlog.h +++ b/include/linux/tpm_eventlog.h @@ -202,8 +202,7 @@ static __always_inline u32 __calc_tpm2_event_size(struct tcg_pcr_event2_head *ev event_type = event->event_type; /* Verify that it's the log header */ - if (event_header->pcr_idx != 0 || - event_header->event_type != NO_ACTION || + if (event_header->event_type != NO_ACTION || memcmp(event_header->digest, zero_digest, sizeof(zero_digest))) { size = 0; goto out; -- 2.7.4

2 months

4
3
0 0

[PATCH 6.12] KVM: SVM: Set synthesized TSA CPUID flags

by Borislav Petkov

From: "Borislav Petkov (AMD)" <bp(a)alien8.de> VERW_CLEAR is supposed to be set only by the hypervisor to denote TSA mitigation support to a guest. SQ_NO and L1_NO are both synthesizable, and are going to be set by hw CPUID on future machines. So keep the kvm_cpu_cap_init_kvm_defined() invocation *and* set them when synthesized. This fix is stable-only. Co-developed-by: Jinpu Wang <jinpu.wang(a)ionos.com> Signed-off-by: Jinpu Wang <jinpu.wang(a)ionos.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> --- arch/x86/kvm/cpuid.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index 02196db26a08..8f587c5bb6bc 100644 --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c @@ -822,6 +822,7 @@ void kvm_set_cpu_caps(void) kvm_cpu_cap_check_and_set(X86_FEATURE_SBPB); kvm_cpu_cap_check_and_set(X86_FEATURE_IBPB_BRTYPE); kvm_cpu_cap_check_and_set(X86_FEATURE_SRSO_NO); + kvm_cpu_cap_check_and_set(X86_FEATURE_VERW_CLEAR); kvm_cpu_cap_init_kvm_defined(CPUID_8000_0022_EAX, F(PERFMON_V2) @@ -831,6 +832,9 @@ void kvm_set_cpu_caps(void) F(TSA_SQ_NO) | F(TSA_L1_NO) ); + kvm_cpu_cap_check_and_set(X86_FEATURE_TSA_SQ_NO); + kvm_cpu_cap_check_and_set(X86_FEATURE_TSA_L1_NO); + /* * Synthesize "LFENCE is serializing" into the AMD-defined entry in * KVM's supported CPUID if the feature is reported as supported by the -- 2.43.0

2 months

1
0
0 0

[PATCH] net: dpaa2: Fix device reference count leak in MAC endpoint handling

by Ma Ke

The fsl_mc_get_endpoint() function uses device_find_child() for localization, which implicitly calls get_device() to increment the device's reference count before returning the pointer. However, the caller dpaa2_switch_port_connect_mac() and dpaa2_eth_connect_mac() fails to properly release this reference in multiple scenarios. We should call put_device() to decrement reference count properly. As comment of device_find_child() says, 'NOTE: you will need to drop the reference with put_device() after use'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 719479230893 ("dpaa2-eth: add MAC/PHY support through phylink") Fixes: 84cba72956fd ("dpaa2-switch: integrate the MAC endpoint support") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 15 ++++++++++++--- .../net/ethernet/freescale/dpaa2/dpaa2-switch.c | 15 ++++++++++++--- 2 files changed, 25 insertions(+), 6 deletions(-) diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c index b82f121cadad..f1543039a5b6 100644 --- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c +++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c @@ -4666,12 +4666,19 @@ static int dpaa2_eth_connect_mac(struct dpaa2_eth_priv *priv) return PTR_ERR(dpmac_dev); } - if (IS_ERR(dpmac_dev) || dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type) + if (IS_ERR(dpmac_dev)) return 0; + if (dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type) { + put_device(&dpmac_dev->dev); + return 0; + } + mac = kzalloc(sizeof(struct dpaa2_mac), GFP_KERNEL); - if (!mac) + if (!mac) { + put_device(&dpmac_dev->dev); return -ENOMEM; + } mac->mc_dev = dpmac_dev; mac->mc_io = priv->mc_io; @@ -4679,7 +4686,7 @@ static int dpaa2_eth_connect_mac(struct dpaa2_eth_priv *priv) err = dpaa2_mac_open(mac); if (err) - goto err_free_mac; + goto err_put_device; if (dpaa2_mac_is_type_phy(mac)) { err = dpaa2_mac_connect(mac); @@ -4703,6 +4710,8 @@ static int dpaa2_eth_connect_mac(struct dpaa2_eth_priv *priv) err_close_mac: dpaa2_mac_close(mac); +err_put_device: + put_device(&dpmac_dev->dev); err_free_mac: kfree(mac); return err; diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c index 147a93bf9fa9..6bf1c164129a 100644 --- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c @@ -1448,12 +1448,20 @@ static int dpaa2_switch_port_connect_mac(struct ethsw_port_priv *port_priv) if (PTR_ERR(dpmac_dev) == -EPROBE_DEFER) return PTR_ERR(dpmac_dev); - if (IS_ERR(dpmac_dev) || dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type) + if (IS_ERR(dpmac_dev)) return 0; + + if (dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type) { + put_device(&dpmac_dev->dev); + return 0; + } mac = kzalloc(sizeof(*mac), GFP_KERNEL); - if (!mac) + if (!mac) { + put_device(&dpmac_dev->dev); return -ENOMEM; + } mac->mc_dev = dpmac_dev; mac->mc_io = port_priv->ethsw_data->mc_io; @@ -1461,7 +1469,7 @@ static int dpaa2_switch_port_connect_mac(struct ethsw_port_priv *port_priv) err = dpaa2_mac_open(mac); if (err) - goto err_free_mac; + goto err_put_device; if (dpaa2_mac_is_type_phy(mac)) { err = dpaa2_mac_connect(mac); @@ -1481,6 +1489,8 @@ static int dpaa2_switch_port_connect_mac(struct ethsw_port_priv *port_priv) err_close_mac: dpaa2_mac_close(mac); +err_put_device: + put_device(&dpmac_dev->dev); err_free_mac: kfree(mac); return err; -- 2.25.1

2 months

2
1
0 0

[PATCH v3 7/7] Revert "drm/gem-dma: Use dma_buf from GEM object instance"

by Thomas Zimmermann

This reverts commit e8afa1557f4f963c9a511bd2c6074a941c308685. The dma_buf field in struct drm_gem_object is not stable over the object instance's lifetime. The field becomes NULL when user space releases the final GEM handle on the buffer object. This resulted in a NULL-pointer deref. Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers") and commit f6bfc9afc751 ("drm/framebuffer: Acquire internal references on GEM handles") only solved the problem partially. They especially don't work for buffer objects without a DRM framebuffer associated. Hence, this revert to going back to using .import_attach->dmabuf. v3: - cc stable Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Reviewed-by: Simona Vetter <simona.vetter(a)ffwll.ch> Acked-by: Christian König <christian.koenig(a)amd.com> Cc: <stable(a)vger.kernel.org> # v6.15+ --- drivers/gpu/drm/drm_gem_dma_helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_gem_dma_helper.c b/drivers/gpu/drm/drm_gem_dma_helper.c index b7f033d4352a..4f0320df858f 100644 --- a/drivers/gpu/drm/drm_gem_dma_helper.c +++ b/drivers/gpu/drm/drm_gem_dma_helper.c @@ -230,7 +230,7 @@ void drm_gem_dma_free(struct drm_gem_dma_object *dma_obj) if (drm_gem_is_imported(gem_obj)) { if (dma_obj->vaddr) - dma_buf_vunmap_unlocked(gem_obj->dma_buf, &map); + dma_buf_vunmap_unlocked(gem_obj->import_attach->dmabuf, &map); drm_prime_gem_destroy(gem_obj, dma_obj->sgt); } else if (dma_obj->vaddr) { if (dma_obj->map_noncoherent) -- 2.50.0

2 months

1
0
0 0

[PATCH v3 6/7] Revert "drm/gem-shmem: Use dma_buf from GEM object instance"

by Thomas Zimmermann

This reverts commit 1a148af06000e545e714fe3210af3d77ff903c11. The dma_buf field in struct drm_gem_object is not stable over the object instance's lifetime. The field becomes NULL when user space releases the final GEM handle on the buffer object. This resulted in a NULL-pointer deref. Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers") and commit f6bfc9afc751 ("drm/framebuffer: Acquire internal references on GEM handles") only solved the problem partially. They especially don't work for buffer objects without a DRM framebuffer associated. Hence, this revert to going back to using .import_attach->dmabuf. v3: - cc stable Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Reviewed-by: Simona Vetter <simona.vetter(a)ffwll.ch> Acked-by: Christian König <christian.koenig(a)amd.com> Cc: <stable(a)vger.kernel.org> # v6.15+ --- drivers/gpu/drm/drm_gem_shmem_helper.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/drm_gem_shmem_helper.c b/drivers/gpu/drm/drm_gem_shmem_helper.c index 8ac0b1fa5287..5d1349c34afd 100644 --- a/drivers/gpu/drm/drm_gem_shmem_helper.c +++ b/drivers/gpu/drm/drm_gem_shmem_helper.c @@ -351,7 +351,7 @@ int drm_gem_shmem_vmap_locked(struct drm_gem_shmem_object *shmem, dma_resv_assert_held(obj->resv); if (drm_gem_is_imported(obj)) { - ret = dma_buf_vmap(obj->dma_buf, map); + ret = dma_buf_vmap(obj->import_attach->dmabuf, map); } else { pgprot_t prot = PAGE_KERNEL; @@ -413,7 +413,7 @@ void drm_gem_shmem_vunmap_locked(struct drm_gem_shmem_object *shmem, dma_resv_assert_held(obj->resv); if (drm_gem_is_imported(obj)) { - dma_buf_vunmap(obj->dma_buf, map); + dma_buf_vunmap(obj->import_attach->dmabuf, map); } else { dma_resv_assert_held(shmem->base.resv); -- 2.50.0

2 months

1
0
0 0

[PATCH v3 5/7] Revert "drm/gem-framebuffer: Use dma_buf from GEM object instance"

by Thomas Zimmermann

This reverts commit cce16fcd7446dcff7480cd9d2b6417075ed81065. The dma_buf field in struct drm_gem_object is not stable over the object instance's lifetime. The field becomes NULL when user space releases the final GEM handle on the buffer object. This resulted in a NULL-pointer deref. Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers") and commit f6bfc9afc751 ("drm/framebuffer: Acquire internal references on GEM handles") only solved the problem partially. They especially don't work for buffer objects without a DRM framebuffer associated. Hence, this revert to going back to using .import_attach->dmabuf. v3: - cc stable Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Reviewed-by: Simona Vetter <simona.vetter(a)ffwll.ch> Acked-by: Christian König <christian.koenig(a)amd.com> Cc: <stable(a)vger.kernel.org> # v6.15+ --- drivers/gpu/drm/drm_gem_framebuffer_helper.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/drm_gem_framebuffer_helper.c b/drivers/gpu/drm/drm_gem_framebuffer_helper.c index 618ce725cd75..fefb2a0f6b40 100644 --- a/drivers/gpu/drm/drm_gem_framebuffer_helper.c +++ b/drivers/gpu/drm/drm_gem_framebuffer_helper.c @@ -420,6 +420,7 @@ EXPORT_SYMBOL(drm_gem_fb_vunmap); static void __drm_gem_fb_end_cpu_access(struct drm_framebuffer *fb, enum dma_data_direction dir, unsigned int num_planes) { + struct dma_buf_attachment *import_attach; struct drm_gem_object *obj; int ret; @@ -428,9 +429,10 @@ static void __drm_gem_fb_end_cpu_access(struct drm_framebuffer *fb, enum dma_dat obj = drm_gem_fb_get_obj(fb, num_planes); if (!obj) continue; + import_attach = obj->import_attach; if (!drm_gem_is_imported(obj)) continue; - ret = dma_buf_end_cpu_access(obj->dma_buf, dir); + ret = dma_buf_end_cpu_access(import_attach->dmabuf, dir); if (ret) drm_err(fb->dev, "dma_buf_end_cpu_access(%u, %d) failed: %d\n", ret, num_planes, dir); @@ -453,6 +455,7 @@ static void __drm_gem_fb_end_cpu_access(struct drm_framebuffer *fb, enum dma_dat */ int drm_gem_fb_begin_cpu_access(struct drm_framebuffer *fb, enum dma_data_direction dir) { + struct dma_buf_attachment *import_attach; struct drm_gem_object *obj; unsigned int i; int ret; @@ -463,9 +466,10 @@ int drm_gem_fb_begin_cpu_access(struct drm_framebuffer *fb, enum dma_data_direct ret = -EINVAL; goto err___drm_gem_fb_end_cpu_access; } + import_attach = obj->import_attach; if (!drm_gem_is_imported(obj)) continue; - ret = dma_buf_begin_cpu_access(obj->dma_buf, dir); + ret = dma_buf_begin_cpu_access(import_attach->dmabuf, dir); if (ret) goto err___drm_gem_fb_end_cpu_access; } -- 2.50.0

2 months

1
0
0 0

[PATCH v3 4/7] Revert "drm/prime: Use dma_buf from GEM object instance"

by Thomas Zimmermann

This reverts commit f83a9b8c7fd0557b0c50784bfdc1bbe9140c9bf8. The dma_buf field in struct drm_gem_object is not stable over the object instance's lifetime. The field becomes NULL when user space releases the final GEM handle on the buffer object. This resulted in a NULL-pointer deref. Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers") and commit f6bfc9afc751 ("drm/framebuffer: Acquire internal references on GEM handles") only solved the problem partially. They especially don't work for buffer objects without a DRM framebuffer associated. Hence, this revert to going back to using .import_attach->dmabuf. v3: - cc stable Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Reviewed-by: Simona Vetter <simona.vetter(a)ffwll.ch> Acked-by: Christian König <christian.koenig(a)amd.com> Cc: <stable(a)vger.kernel.org> # v6.15+ --- drivers/gpu/drm/drm_prime.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_prime.c b/drivers/gpu/drm/drm_prime.c index b703f83874e1..a23fc712a8b7 100644 --- a/drivers/gpu/drm/drm_prime.c +++ b/drivers/gpu/drm/drm_prime.c @@ -453,7 +453,13 @@ struct dma_buf *drm_gem_prime_handle_to_dmabuf(struct drm_device *dev, } mutex_lock(&dev->object_name_lock); - /* re-export the original imported/exported object */ + /* re-export the original imported object */ + if (obj->import_attach) { + dmabuf = obj->import_attach->dmabuf; + get_dma_buf(dmabuf); + goto out_have_obj; + } + if (obj->dma_buf) { get_dma_buf(obj->dma_buf); dmabuf = obj->dma_buf; -- 2.50.0

2 months

1
0
0 0

[PATCH v2 1/1] x86/fred: Remove ENDBR64 from FRED entry points

by Xin Li (Intel)

The FRED specification v9.0 states that there is no need for FRED event handlers to begin with ENDBR64, because in the presence of supervisor indirect branch tracking, FRED event delivery does not enter the WAIT_FOR_ENDBRANCH state. As a result, remove ENDBR64 from FRED entry points. Then add ANNOTATE_NOENDBR to indicate that FRED entry points will never be used for indirect calls to suppress an objtool warning. This change implies that any indirect CALL/JMP to FRED entry points causes #CP in the presence of supervisor indirect branch tracking. Credit goes to Jennifer Miller <jmill(a)asu.edu> and other contributors from Arizona State University whose work led to this change. Fixes: 14619d912b65 ("x86/fred: FRED entry/exit and dispatch code") Link: https://lore.kernel.org/linux-hardening/Z60NwR4w%2F28Z7XUa@ubun/ Reviewed-by: H. Peter Anvin (Intel) <hpa(a)zytor.com> Signed-off-by: Xin Li (Intel) <xin(a)zytor.com> Cc: Jennifer Miller <jmill(a)asu.edu> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Andrew Cooper <andrew.cooper3(a)citrix.com> Cc: H. Peter Anvin <hpa(a)zytor.com> Cc: stable(a)vger.kernel.org # v6.9+ --- Change in v2: *) CC stable and add a fixes tag (PeterZ). --- arch/x86/entry/entry_64_fred.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/entry/entry_64_fred.S b/arch/x86/entry/entry_64_fred.S index 29c5c32c16c3..907bd233c6c1 100644 --- a/arch/x86/entry/entry_64_fred.S +++ b/arch/x86/entry/entry_64_fred.S @@ -16,7 +16,7 @@ .macro FRED_ENTER UNWIND_HINT_END_OF_STACK - ENDBR + ANNOTATE_NOENDBR PUSH_AND_CLEAR_REGS movq %rsp, %rdi /* %rdi -> pt_regs */ .endm -- 2.50.1

2 months

1
0
0 0

[PATCH net] hv_netvsc: Switch VF namespace in netvsc_open instead

by Haiyang Zhang

From: Haiyang Zhang <haiyangz(a)microsoft.com> The existing code move the VF NIC to new namespace when NETDEV_REGISTER is received on netvsc NIC. During deletion of the namespace, default_device_exit_batch() >> default_device_exit_net() is called. When netvsc NIC is moved back and registered to the default namespace, it automatically brings VF NIC back to the default namespace. This will cause the default_device_exit_net() >> for_each_netdev_safe loop unable to detect the list end, and hit NULL ptr: [ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0 [ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010 [ 231.450246] #PF: supervisor read access in kernel mode [ 231.450579] #PF: error_code(0x0000) - not-present page [ 231.450916] PGD 17b8a8067 P4D 0 [ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI [ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY [ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024 [ 231.452692] Workqueue: netns cleanup_net [ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0 [ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00 [ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246 [ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb [ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564 [ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000 [ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340 [ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340 [ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000 [ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0 [ 231.458434] Call Trace: [ 231.458600] <TASK> [ 231.458777] ops_undo_list+0x100/0x220 [ 231.459015] cleanup_net+0x1b8/0x300 [ 231.459285] process_one_work+0x184/0x340 To fix it, move the VF namespace switching code from the NETDEV_REGISTER event handler to netvsc_open(). Cc: stable(a)vger.kernel.org Fixes: 4c262801ea60 ("hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event") Reported-by: Cathy Avery <cavery(a)redhat.com> Signed-off-by: Haiyang Zhang <haiyangz(a)microsoft.com> --- drivers/net/hyperv/netvsc_drv.c | 43 ++++++++++----------------------- 1 file changed, 13 insertions(+), 30 deletions(-) diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c index 42d98e99566e..074ecc346108 100644 --- a/drivers/net/hyperv/netvsc_drv.c +++ b/drivers/net/hyperv/netvsc_drv.c @@ -135,6 +135,19 @@ static int netvsc_open(struct net_device *net) } if (vf_netdev) { + if (!net_eq(dev_net(net), dev_net(vf_netdev))) { + ret = dev_change_net_namespace(vf_netdev, dev_net(net), + "eth%d"); + if (ret) + netdev_err(vf_netdev, + "Cannot move to same ns as %s: %d\n", + net->name, ret); + else + netdev_info(vf_netdev, + "Moved VF to namespace with: %s\n", + net->name); + } + /* Setting synthetic device up transparently sets * slave as up. If open fails, then slave will be * still be offline (and not used). @@ -2772,31 +2785,6 @@ static struct hv_driver netvsc_drv = { }, }; -/* Set VF's namespace same as the synthetic NIC */ -static void netvsc_event_set_vf_ns(struct net_device *ndev) -{ - struct net_device_context *ndev_ctx = netdev_priv(ndev); - struct net_device *vf_netdev; - int ret; - - vf_netdev = rtnl_dereference(ndev_ctx->vf_netdev); - if (!vf_netdev) - return; - - if (!net_eq(dev_net(ndev), dev_net(vf_netdev))) { - ret = dev_change_net_namespace(vf_netdev, dev_net(ndev), - "eth%d"); - if (ret) - netdev_err(vf_netdev, - "Cannot move to same namespace as %s: %d\n", - ndev->name, ret); - else - netdev_info(vf_netdev, - "Moved VF to namespace with: %s\n", - ndev->name); - } -} - /* * On Hyper-V, every VF interface is matched with a corresponding * synthetic interface. The synthetic interface is presented first @@ -2809,11 +2797,6 @@ static int netvsc_netdev_event(struct notifier_block *this, struct net_device *event_dev = netdev_notifier_info_to_dev(ptr); int ret = 0; - if (event_dev->netdev_ops == &device_ops && event == NETDEV_REGISTER) { - netvsc_event_set_vf_ns(event_dev); - return NOTIFY_DONE; - } - ret = check_dev_is_matching_vf(event_dev); if (ret != 0) return NOTIFY_DONE; -- 2.34.1

2 months

3
2
0 0

[PATCH net,v2] hv_netvsc: Switch VF namespace in netvsc_open instead

by Haiyang Zhang

From: Haiyang Zhang <haiyangz(a)microsoft.com> The existing code move the VF NIC to new namespace when NETDEV_REGISTER is received on netvsc NIC. During deletion of the namespace, default_device_exit_batch() >> default_device_exit_net() is called. When netvsc NIC is moved back and registered to the default namespace, it automatically brings VF NIC back to the default namespace. This will cause the default_device_exit_net() >> for_each_netdev_safe loop unable to detect the list end, and hit NULL ptr: [ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0 [ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010 [ 231.450246] #PF: supervisor read access in kernel mode [ 231.450579] #PF: error_code(0x0000) - not-present page [ 231.450916] PGD 17b8a8067 P4D 0 [ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI [ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY [ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024 [ 231.452692] Workqueue: netns cleanup_net [ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0 [ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00 [ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246 [ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb [ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564 [ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000 [ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340 [ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340 [ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000 [ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0 [ 231.458434] Call Trace: [ 231.458600] <TASK> [ 231.458777] ops_undo_list+0x100/0x220 [ 231.459015] cleanup_net+0x1b8/0x300 [ 231.459285] process_one_work+0x184/0x340 To fix it, move the VF namespace switching code from the NETDEV_REGISTER event handler to netvsc_open(). Cc: stable(a)vger.kernel.org Cc: cavery(a)redhat.com Fixes: 4c262801ea60 ("hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event") Signed-off-by: Haiyang Zhang <haiyangz(a)microsoft.com> --- v2: verified it's applicable to net, fixed cc list. --- drivers/net/hyperv/netvsc_drv.c | 43 ++++++++++----------------------- 1 file changed, 13 insertions(+), 30 deletions(-) diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c index 42d98e99566e..074ecc346108 100644 --- a/drivers/net/hyperv/netvsc_drv.c +++ b/drivers/net/hyperv/netvsc_drv.c @@ -135,6 +135,19 @@ static int netvsc_open(struct net_device *net) } if (vf_netdev) { + if (!net_eq(dev_net(net), dev_net(vf_netdev))) { + ret = dev_change_net_namespace(vf_netdev, dev_net(net), + "eth%d"); + if (ret) + netdev_err(vf_netdev, + "Cannot move to same ns as %s: %d\n", + net->name, ret); + else + netdev_info(vf_netdev, + "Moved VF to namespace with: %s\n", + net->name); + } + /* Setting synthetic device up transparently sets * slave as up. If open fails, then slave will be * still be offline (and not used). @@ -2772,31 +2785,6 @@ static struct hv_driver netvsc_drv = { }, }; -/* Set VF's namespace same as the synthetic NIC */ -static void netvsc_event_set_vf_ns(struct net_device *ndev) -{ - struct net_device_context *ndev_ctx = netdev_priv(ndev); - struct net_device *vf_netdev; - int ret; - - vf_netdev = rtnl_dereference(ndev_ctx->vf_netdev); - if (!vf_netdev) - return; - - if (!net_eq(dev_net(ndev), dev_net(vf_netdev))) { - ret = dev_change_net_namespace(vf_netdev, dev_net(ndev), - "eth%d"); - if (ret) - netdev_err(vf_netdev, - "Cannot move to same namespace as %s: %d\n", - ndev->name, ret); - else - netdev_info(vf_netdev, - "Moved VF to namespace with: %s\n", - ndev->name); - } -} - /* * On Hyper-V, every VF interface is matched with a corresponding * synthetic interface. The synthetic interface is presented first @@ -2809,11 +2797,6 @@ static int netvsc_netdev_event(struct notifier_block *this, struct net_device *event_dev = netdev_notifier_info_to_dev(ptr); int ret = 0; - if (event_dev->netdev_ops == &device_ops && event == NETDEV_REGISTER) { - netvsc_event_set_vf_ns(event_dev); - return NOTIFY_DONE; - } - ret = check_dev_is_matching_vf(event_dev); if (ret != 0) return NOTIFY_DONE; -- 2.34.1

2 months

3
2
0 0

[PATCH 5.10 000/208] 5.10.240-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.10.240 release. There are 208 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Jul 2025 15:03:34 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.240-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.10.240-rc2 Borislav Petkov <bp(a)kernel.org> x86/process: Move the buffer clearing before MONITOR Borislav Petkov <bp(a)kernel.org> KVM: SVM: Advertise TSA CPUID bits to guests Borislav Petkov <bp(a)kernel.org> KVM: x86: add support for CPUID leaf 0x80000021 Borislav Petkov <bp(a)kernel.org> x86/bugs: Add a Transient Scheduler Attacks mitigation Borislav Petkov <bp(a)kernel.org> x86/bugs: Rename MDS machinery to something more generic Jann Horn <jannh(a)google.com> x86/mm: Disable hugetlb page table sharing on 32-bit Dongli Zhang <dongli.zhang(a)oracle.com> vhost-scsi: protect vq->log_used with vq->mutex Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Zhang Heng <zhangheng(a)kylinos.cn> HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Nicolas Pitre <npitre(a)baylibre.com> vt: add missing notification when switching back to text mode Xiaowei Li <xiaowei.li(a)simcom.com> net: usb: qmi_wwan: add SIMCom 8230C composition Tiwei Bie <tiwei.btw(a)antgroup.com> um: vector: Reduce stack usage in vector_eth_configure() Thomas Fourier <fourier.thomas(a)gmail.com> atm: idt77252: Add missing `dma_map_error()` Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix DCB ETS validation Alok Tiwari <alok.a.tiwari(a)oracle.com> net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Sean Nyekjaer <sean(a)geanix.com> can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Oleksij Rempel <linux(a)rempel-privat.de> net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Kito Xu <veritas501(a)foxmail.com> net: appletalk: Fix device refcount leak in atrtr_create() Wang Jinchao <wangjinchao600(a)gmail.com> md/raid1: Fix stack memory use after return in raid1_reshape Daniil Dulov <d.dulov(a)aladdin.ru> wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Christian König <christian.koenig(a)amd.com> dma-buf: fix timeout handling in dma_resv_wait_timeout v2 Nilton Perim Neto <niltonperimneto(a)gmail.com> Input: xpad - support Acer NGR 200 Controller Vicki Pfau <vi(a)endrift.com> Input: xpad - add VID for Turtle Beach controllers Matt Reynolds <mattreynolds(a)chromium.org> Input: xpad - add support for Amazon Game Controller Jakub Kicinski <kuba(a)kernel.org> netlink: make sure we allow at least one dump skb Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix rmem check in netlink_broadcast_deliver(). Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Ensure to disable clocks in error path Alexandre Belloni <alexandre.belloni(a)bootlin.com> rtc: lib_test: add MODULE_LICENSE Thomas Fourier <fourier.thomas(a)gmail.com> ethernet: atl1: Add missing DMA mapping error checks and count errors Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: battery: negate current when discharging" Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: u_serial: Fix race condition in TTY wakeup Matthew Brost <matthew.brost(a)intel.com> drm/sched: Increment job count before swapping tail spsc queue Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: qcom: msm: mark certain pins as invalid for interrupts JP Kobryn <inwardvessel(a)gmail.com> x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Don't remove sysfs if thresholding sysfs init fails Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Fix threshold limit reset Peter Zijlstra <peterz(a)infradead.org> x86/its: FineIBT-paranoid vs ITS Eric Biggers <ebiggers(a)google.com> x86/its: Fix build errors when CONFIG_MODULES=n Peter Zijlstra <peterz(a)infradead.org> x86/its: Use dynamic thunks for indirect branches Thomas Gleixner <tglx(a)linutronix.de> x86/modules: Set VM_FLUSH_RESET_PERMS in module_alloc() Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add "vmexit" option to skip mitigation on some CPUs Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enable Indirect Target Selection mitigation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Fix undefined reference to cpu_wants_rethunk_at() Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe return thunk Josh Poimboeuf <jpoimboe(a)kernel.org> x86/alternatives: Remove faulty optimization Borislav Petkov (AMD) <bp(a)alien8.de> x86/alternative: Optimize returns patching Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe indirect thunk Peter Zijlstra <peterz(a)infradead.org> x86/alternatives: Teach text_poke_bp() to patch Jcc.d32 instructions Peter Zijlstra <peterz(a)infradead.org> x86/alternatives: Introduce int3_emulate_jcc() Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enumerate Indirect Target Selection (ITS) bug Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bhi: Define SPEC_CTRL_BHI_DIS_S Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Documentation: x86/bugs/its: Add ITS documentation David Howells <dhowells(a)redhat.com> rxrpc: Fix oops due to non-existence of prealloc backlog struct Oleg Nesterov <oleg(a)redhat.com> fs/proc: do_task_stat: use __for_each_thread() Victor Nogueira <victor(a)mojatatu.com> net/sched: Abort __tc_modify_qdisc if parent class does not exist Yue Haibing <yuehaibing(a)huawei.com> atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix infinite recursive call of clip_push(). Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix memory leak of struct clip_vcc. Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix potential null-ptr-deref in to_atmarpd(). Oleksij Rempel <linux(a)rempel-privat.de> net: phy: smsc: Fix link failure in forced mode with Auto-MDIX Oleksij Rempel <linux(a)rempel-privat.de> net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap Michal Luczaj <mhal(a)rbox.co> vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_* TOCTOU Andra Paraschiv <andraprs(a)amazon.com> af_vsock: Assign the vsock transport considering the vsock address flags Andra Paraschiv <andraprs(a)amazon.com> af_vsock: Set VMADDR_FLAG_TO_HOST flag on the receive path Andra Paraschiv <andraprs(a)amazon.com> vm_sockets: Add VMADDR_FLAG_TO_HOST vsock flag Andra Paraschiv <andraprs(a)amazon.com> vm_sockets: Add flags field in the vsock address data structure Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_{g2h,h2g} TOCTOU Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_conn_close(). Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix wraparounds of sk->sk_rmem_alloc. Al Viro <viro(a)zeniv.linux.org.uk> fix proc_sys_compare() handling of in-lookup dentries Peter Zijlstra <peterz(a)infradead.org> perf: Revert to requiring CAP_SYS_ADMIN for uprobes Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Nathan Chancellor <nathan(a)kernel.org> staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Rollback non processed entities on error Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Send control events for partial succeeds Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Return the number of processed controls Seiji Nishikawa <snishika(a)redhat.com> ACPI: PAD: fix crash in exit_round_robin() Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: displayport: Fix potential deadlock Oliver Neukum <oneukum(a)suse.com> Logitech C-270 even more broken Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: Flush queued requests before stopping dbc Łukasz Bartosik <ukaszb(a)chromium.org> xhci: dbctty: disable ECHO flag by default Fushuai Wang <wangfushuai(a)baidu.com> dpaa2-eth: fix xdp_rxq_info leak Ioana Ciornei <ioana.ciornei(a)nxp.com> net: dpaa2-eth: rearrange variable in dpaa2_eth_get_ethtool_stats Radu Bulie <radu-andrei.bulie(a)nxp.com> dpaa2-eth: Update SINGLE_STEP register access Radu Bulie <radu-andrei.bulie(a)nxp.com> dpaa2-eth: Update dpni_get_single_step_cfg command Ioana Ciornei <ioana.ciornei(a)nxp.com> dpaa2-eth: rename dpaa2_eth_xdp_release_buf into dpaa2_eth_recycle_buf Filipe Manana <fdmanana(a)suse.com> btrfs: use btrfs_record_snapshot_destroy() during rmdir Filipe Manana <fdmanana(a)suse.com> btrfs: propagate last_unlink_trans earlier when doing a rmdir Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4/flexfiles: Fix handling of NFS level errors in I/O Tigran Mkrtchyan <tigran.mkrtchyan(a)desy.de> flexfiles/pNFS: update stats on NFS4ERR_DELAY for v4.1 DSes Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix vport loopback for MPV device Maíra Canal <mcanal(a)igalia.com> drm/v3d: Disable interrupts before resetting the GPU Sergey Senozhatsky <senozhatsky(a)chromium.org> mtk-sd: reset host->mrq on prepare_data() error Masami Hiramatsu (Google) <mhiramat(a)kernel.org> mtk-sd: Prevent memory corruption from DMA map failure Yue Hu <huyue2(a)yulong.com> mmc: mediatek: use data instead of mrq parameter from msdc_{un}prepare_data() Manivannan Sadhasivam <mani(a)kernel.org> regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods Uladzislau Rezki (Sony) <urezki(a)gmail.com> rcu: Return early if callback is not specified Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> ACPICA: Refuse to evaluate a method if arguments are missing Johannes Berg <johannes.berg(a)intel.com> wifi: ath6kl: remove WARN on bad firmware input Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: drop invalid source address OCB frames Maurizio Lombardi <mlombard(a)redhat.com> scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() Madhavan Srinivasan <maddy(a)linux.ibm.com> powerpc: Fix struct termio related ioctl macros Johannes Berg <johannes.berg(a)intel.com> ata: pata_cs5536: fix build on 32-bit UML Takashi Iwai <tiwai(a)suse.de> ALSA: sb: Force to disable DMAs once when DMA mode is changed Lion Ackermann <nnamrec(a)gmail.com> net/sched: Always pass notifications when child class becomes empty Thomas Fourier <fourier.thomas(a)gmail.com> nui: Fix dma_mapping_error() check Kohei Enju <enjuk(a)amazon.com> rose: fix dangling neighbour pointers in rose_rt_device_down() Gustavo A. R. Silva <gustavoars(a)kernel.org> net: rose: Fix fall-through warnings for Clang Alok Tiwari <alok.a.tiwari(a)oracle.com> enic: fix incorrect MTU comparison in enic_change_mtu() Raju Rangoju <Raju.Rangoju(a)amd.com> amd-xgbe: align CL37 AN sequence as per databook Dan Carpenter <dan.carpenter(a)linaro.org> lib: test_objagg: Set error message in check_expect_hints_stats() Janusz Krzysztofik <janusz.krzysztofik(a)linux.intel.com> drm/i915/gt: Fix timeline left held on VMA alloc error Dan Carpenter <dan.carpenter(a)linaro.org> drm/i915/selftests: Change mock_request() to return error pointers James Clark <james.clark(a)linaro.org> spi: spi-fsl-dspi: Clear completion counter before initiating transfer Marek Szyprowski <m.szyprowski(a)samsung.com> drm/exynos: fimd: Guard display clock control with runtime PM calls Filipe Manana <fdmanana(a)suse.com> btrfs: fix missing error handling when searching for inode refs during log replay Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix CC counters query for MPV Bart Van Assche <bvanassche(a)acm.org> scsi: ufs: core: Fix spelling of a sysfs attribute name Thomas Fourier <fourier.thomas(a)gmail.com> scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() Thomas Fourier <fourier.thomas(a)gmail.com> scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database() Benjamin Coddington <bcodding(a)redhat.com> NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN Kuniyuki Iwashima <kuniyu(a)google.com> nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails. Mark Zhang <markzhang(a)nvidia.com> RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert David Thompson <davthompson(a)nvidia.com> platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment Masami Hiramatsu (Google) <mhiramat(a)kernel.org> mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data RD Babiera <rdbabiera(a)google.com> usb: typec: altmodes/displayport: do not index invalid pin_assignments Ulf Hansson <ulf.hansson(a)linaro.org> Revert "mmc: sdhci: Disable SD card clock before changing parameters" Victor Shih <victor.shih(a)genesyslogic.com.tw> mmc: sdhci: Add a helper function for dump register in dynamic debug mode HarshaVardhana S A <harshavardhana.sa(a)broadcom.com> vsock/vmci: Clear the vmci transport packet properly when initializing it Mateusz Jończyk <mat.jonczyk(a)o2.pl> rtc: cmos: use spin_lock_irqsave in cmos_interrupt Dev Jain <dev.jain(a)arm.com> arm64: Restrict pagetable teardown to avoid false warning Brett A C Sheffield (Librecast) <bacs(a)librecast.net> Revert "ipv6: save dontfrag in cork" Nathan Chancellor <nathan(a)kernel.org> s390: Add '-std=gnu11' to decompressor and purgatory CFLAGS Dexuan Cui <decui(a)microsoft.com> PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Check return value when getting default PHY config Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix connecting to next bridge Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() Jay Cornwall <jay.cornwall(a)amd.com> drm/amdkfd: Fix race in GWS queue scheduling Thomas Zimmermann <tzimmermann(a)suse.de> drm/udl: Unregister device before cleaning up on disconnect Qiu-ji Chen <chenqiuji666(a)gmail.com> drm/tegra: Fix a possible null pointer dereference Thierry Reding <treding(a)nvidia.com> drm/tegra: Assign plane type before registration Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix kobject reference count leak Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix memory leak on sysfs attribute creation failure Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix memory leak on kobject creation failure Mark Harmstone <maharmstone(a)fb.com> btrfs: update superblock's device bytes_used when dropping chunk Heinz Mauelshagen <heinzm(a)redhat.com> dm-raid: fix variable in journal device check Frédéric Danis <frederic.danis(a)collabora.com> Bluetooth: L2CAP: Fix L2CAP MTU negotiation Yao Zi <ziyao(a)disroot.org> dt-bindings: serial: 8250: Make clocks and clock-frequency exclusive Kuniyuki Iwashima <kuniyu(a)google.com> atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). Simon Horman <horms(a)kernel.org> net: enetc: Correct endianness handling in _enetc_rd_reg64 Tiwei Bie <tiwei.btw(a)antgroup.com> um: ubd: Add missing error check in start_io_thread() Stefano Garzarella <sgarzare(a)redhat.com> vsock/uapi: fix linux/vm_sockets.h userspace compilation errors Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: fix beacon interval calculation overflow Yuan Chen <chenyuan(a)kylinos.cn> libbpf: Fix null pointer dereference in btf_dump__free on allocation failure Al Viro <viro(a)zeniv.linux.org.uk> attach_recursive_mnt(): do not lock the covering tree when sliding something under it Youngjun Lee <yjjuny.lee(a)samsung.com> ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() Eric Dumazet <edumazet(a)google.com> atm: clip: prevent NULL deref in clip_push() Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: robotfuzz-osif: disable zero-length read messages Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: tiny-usb: disable zero-length read messages Eric Dumazet <edumazet(a)google.com> net_sched: sch_sfq: reject invalid perturb period Niklas Cassel <cassel(a)kernel.org> PCI: cadence-ep: Correct PBA offset in .set_msix() callback Long Li <longli(a)microsoft.com> uio_hv_generic: Align ring size to system page Saurabh Sengar <ssengar(a)linux.microsoft.com> uio_hv_generic: Query the ringbuffer size for device Saurabh Sengar <ssengar(a)linux.microsoft.com> Drivers: hv: vmbus: Add utility function for querying ring size Vitaly Kuznetsov <vkuznets(a)redhat.com> Drivers: hv: Rename 'alloced' to 'allocated' Haiyang Zhang <haiyangz(a)microsoft.com> Drivers: hv: vmbus: Fix duplicate CPU assignments within a device Alexandru Ardelean <alexandru.ardelean(a)analog.com> uio: uio_hv_generic: use devm_kzalloc() for private data alloc Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction Weihang Li <liweihang(a)huawei.com> RDMA/core: Use refcount_t instead of atomic_t on refcount of iwcm_id_private Chao Yu <chao(a)kernel.org> f2fs: don't over-report free space or inodes in statvfs Brett Werling <brett.werling(a)garmin.com> can: tcan4x5x: fix power regulator retrieval during probe Marek Szyprowski <m.szyprowski(a)samsung.com> media: omap3isp: use sgtable-based scatterlist wrappers Vasiliy Kovalev <kovalev(a)altlinux.org> jfs: validate AG parameters in dbMount() to prevent crashes Dave Kleikamp <dave.kleikamp(a)oracle.com> fs/jfs: consolidate sanity checking in dbMount Amit Sunil Dhamne <amitsd(a)google.com> usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx() Junlin Yang <yangjunlin(a)yulong.com> usb: typec: tcpci_maxim: add terminating newlines to logging Junlin Yang <yangjunlin(a)yulong.com> usb: typec: tcpci_maxim: remove redundant assignment Badhri Jagan Sridharan <badhri(a)google.com> usb: typec: tcpci_maxim: Fix uninitialized return variable Wupeng Ma <mawupeng1(a)huawei.com> VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify George Kennedy <george.kennedy(a)oracle.com> VMCI: check context->notify_page after call to get_user_pages_fast() to avoid GPF Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix read_stb function and get_stb ioctl Dave Penkler <dpenkler(a)gmail.com> USB: usbtmc: Add USBTMC_IOCTL_GET_STB Dave Penkler <dpenkler(a)gmail.com> USB: usbtmc: Fix reading stale status byte Kees Cook <kees(a)kernel.org> ovl: Check for NULL d_inode() in ovl_dentry_upper() Dmitry Kandybka <d.kandybka(a)gmail.com> ceph: fix possible integer overflow in ceph_zero_objects() Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> ALSA: hda: Add new pci id for AMD GPU display HD audio controller Cezary Rojewski <cezary.rojewski(a)intel.com> ALSA: hda: Ignore unsol events for cards being shut down Jos Wang <joswang(a)lenovo.com> usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode Robert Hodaszi <robert.hodaszi(a)digi.com> usb: cdc-wdm: avoid setting WDM_READ for ZLP-s Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> usb: Add checks for snprintf() calls in usb_alloc_dev() Chance Yang <chance.yang(a)kneron.us> usb: common: usb-conn-gpio: use a unique name for usb connector device Chen Yufeng <chenyufeng(a)iie.ac.cn> usb: potential integer overflow in usbg_make_tpg() Sami Tolvanen <samitolvanen(a)google.com> um: Add cmpxchg8b_emu and checksum functions to asm-prototypes.h Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: pressure: zpa2326: Use aligned_s64 for the timestamp Linggang Zeng <linggang.zeng(a)easystack.cn> bcache: fix NULL pointer in cache_set_flush() Yu Kuai <yukuai3(a)huawei.com> md/md-bitmap: fix dm-raid max_write_behind setting Thomas Gessler <thomas.gessler(a)brueckmann-gmbh.de> dmaengine: xilinx_dma: Set dma_device directions Alexis Czezar Torreno <alexisczezar.torreno(a)analog.com> hwmon: (pmbus/max34440) Fix support for max34451 Sven Schwermer <sven.schwermer(a)disruptive-technologies.com> leds: multicolor: Fix intensity setting while SW blinking Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> mfd: max14577: Fix wakeup source leaks on device unbind Peng Fan <peng.fan(a)nxp.com> mailbox: Not protect module_put with spin_lock_irqsave Olga Kornievskaia <okorniev(a)redhat.com> NFSv4.2: fix listxattr to return selinux security label Pali Rohár <pali(a)kernel.org> cifs: Fix cifs_query_path_info() for Windows NT servers ------------- Diffstat: Documentation/ABI/testing/sysfs-devices-system-cpu | 2 + Documentation/ABI/testing/sysfs-driver-ufs | 2 +- Documentation/admin-guide/hw-vuln/index.rst | 1 + .../hw-vuln/indirect-target-selection.rst | 156 +++++++++++ .../hw-vuln/processor_mmio_stale_data.rst | 4 +- Documentation/admin-guide/kernel-parameters.txt | 28 ++ Documentation/devicetree/bindings/serial/8250.yaml | 2 +- Makefile | 4 +- arch/arm64/mm/mmu.c | 3 +- arch/powerpc/include/uapi/asm/ioctls.h | 8 +- arch/s390/Makefile | 2 +- arch/s390/purgatory/Makefile | 2 +- arch/um/drivers/ubd_user.c | 2 +- arch/um/drivers/vector_kern.c | 42 +-- arch/um/include/asm/asm-prototypes.h | 5 + arch/x86/Kconfig | 22 +- arch/x86/entry/entry.S | 8 +- arch/x86/include/asm/alternative.h | 26 ++ arch/x86/include/asm/cpu.h | 13 + arch/x86/include/asm/cpufeature.h | 5 +- arch/x86/include/asm/cpufeatures.h | 14 +- arch/x86/include/asm/disabled-features.h | 2 +- arch/x86/include/asm/irqflags.h | 4 +- arch/x86/include/asm/msr-index.h | 13 +- arch/x86/include/asm/mwait.h | 19 +- arch/x86/include/asm/nospec-branch.h | 50 ++-- arch/x86/include/asm/required-features.h | 2 +- arch/x86/include/asm/text-patching.h | 31 +++ arch/x86/kernel/alternative.c | 308 ++++++++++++++++++++- arch/x86/kernel/cpu/amd.c | 58 ++++ arch/x86/kernel/cpu/bugs.c | 272 +++++++++++++++++- arch/x86/kernel/cpu/common.c | 77 +++++- arch/x86/kernel/cpu/mce/amd.c | 15 +- arch/x86/kernel/cpu/mce/core.c | 8 +- arch/x86/kernel/cpu/mce/intel.c | 1 + arch/x86/kernel/cpu/scattered.c | 1 + arch/x86/kernel/ftrace.c | 4 +- arch/x86/kernel/kprobes/core.c | 39 +-- arch/x86/kernel/module.c | 14 +- arch/x86/kernel/process.c | 15 +- arch/x86/kernel/static_call.c | 2 +- arch/x86/kernel/vmlinux.lds.S | 8 + arch/x86/kvm/cpuid.c | 31 ++- arch/x86/kvm/cpuid.h | 1 + arch/x86/kvm/svm/vmenter.S | 3 + arch/x86/kvm/vmx/vmx.c | 2 +- arch/x86/kvm/x86.c | 4 +- arch/x86/lib/retpoline.S | 39 +++ arch/x86/net/bpf_jit_comp.c | 8 +- arch/x86/um/asm/checksum.h | 3 + drivers/acpi/acpi_pad.c | 7 +- drivers/acpi/acpica/dsmethod.c | 7 + drivers/acpi/battery.c | 19 +- drivers/ata/pata_cs5536.c | 2 +- drivers/atm/idt77252.c | 5 + drivers/base/cpu.c | 15 + drivers/dma-buf/dma-resv.c | 2 +- drivers/dma/xilinx/xilinx_dma.c | 2 + drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c | 2 +- drivers/gpu/drm/bridge/cdns-dsi.c | 27 +- drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 + drivers/gpu/drm/exynos/exynos_drm_fimd.c | 12 + drivers/gpu/drm/i915/gt/intel_ring_submission.c | 3 +- drivers/gpu/drm/i915/selftests/i915_request.c | 20 +- drivers/gpu/drm/i915/selftests/mock_request.c | 2 +- drivers/gpu/drm/tegra/dc.c | 17 +- drivers/gpu/drm/tegra/hub.c | 4 +- drivers/gpu/drm/tegra/hub.h | 3 +- drivers/gpu/drm/udl/udl_drv.c | 2 +- drivers/gpu/drm/v3d/v3d_drv.h | 7 + drivers/gpu/drm/v3d/v3d_gem.c | 2 + drivers/gpu/drm/v3d/v3d_irq.c | 38 ++- drivers/hid/hid-ids.h | 5 + drivers/hid/hid-quirks.c | 3 + drivers/hid/wacom_sys.c | 6 +- drivers/hv/channel_mgmt.c | 121 +++++--- drivers/hv/hyperv_vmbus.h | 19 +- drivers/hv/vmbus_drv.c | 2 +- drivers/hwmon/pmbus/max34440.c | 48 +++- drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 + drivers/i2c/busses/i2c-tiny-usb.c | 6 + drivers/iio/pressure/zpa2326.c | 2 +- drivers/infiniband/core/iwcm.c | 38 +-- drivers/infiniband/core/iwcm.h | 2 +- drivers/infiniband/hw/mlx5/counters.c | 2 +- drivers/infiniband/hw/mlx5/devx.c | 2 +- drivers/infiniband/hw/mlx5/main.c | 33 +++ drivers/input/joystick/xpad.c | 5 + drivers/input/keyboard/atkbd.c | 3 +- drivers/leds/led-class-multicolor.c | 3 +- drivers/mailbox/mailbox.c | 2 +- drivers/md/bcache/super.c | 7 +- drivers/md/dm-raid.c | 2 +- drivers/md/md-bitmap.c | 2 +- drivers/md/raid1.c | 1 + drivers/media/platform/omap3isp/ispccdc.c | 8 +- drivers/media/platform/omap3isp/ispstat.c | 6 +- drivers/media/usb/uvc/uvc_ctrl.c | 61 ++-- drivers/mfd/max14577.c | 1 + drivers/misc/vmw_vmci/vmci_host.c | 9 +- drivers/mmc/host/mtk-sd.c | 39 ++- drivers/mmc/host/sdhci.c | 9 +- drivers/mmc/host/sdhci.h | 16 ++ drivers/net/can/m_can/m_can.c | 2 +- drivers/net/can/m_can/tcan4x5x.c | 9 +- drivers/net/ethernet/amd/xgbe/xgbe-common.h | 2 + drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 9 + drivers/net/ethernet/amd/xgbe/xgbe.h | 4 +- drivers/net/ethernet/atheros/atlx/atl1.c | 78 ++++-- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- drivers/net/ethernet/cisco/enic/enic_main.c | 4 +- drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 141 ++++++++-- drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.h | 20 +- .../net/ethernet/freescale/dpaa2/dpaa2-ethtool.c | 18 +- drivers/net/ethernet/freescale/dpaa2/dpni-cmd.h | 6 +- drivers/net/ethernet/freescale/dpaa2/dpni.c | 2 + drivers/net/ethernet/freescale/dpaa2/dpni.h | 6 + drivers/net/ethernet/freescale/enetc/enetc_hw.h | 2 +- drivers/net/ethernet/sun/niu.c | 31 ++- drivers/net/ethernet/sun/niu.h | 4 + drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +- drivers/net/phy/microchip.c | 2 +- drivers/net/phy/smsc.c | 28 +- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/wireless/ath/ath6kl/bmi.c | 4 +- drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +- drivers/pci/controller/cadence/pcie-cadence-ep.c | 5 +- drivers/pci/controller/pci-hyperv.c | 17 +- drivers/pinctrl/qcom/pinctrl-msm.c | 20 ++ drivers/platform/mellanox/mlxbf-tmfifo.c | 3 +- drivers/pwm/pwm-mediatek.c | 15 +- drivers/regulator/gpio-regulator.c | 4 +- drivers/rtc/lib_test.c | 2 + drivers/rtc/rtc-cmos.c | 10 +- drivers/scsi/qla2xxx/qla_mbx.c | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 2 + drivers/scsi/ufs/ufs-sysfs.c | 4 +- drivers/spi/spi-fsl-dspi.c | 11 +- drivers/staging/rtl8723bs/core/rtw_security.c | 46 +-- drivers/target/target_core_pr.c | 4 +- drivers/tty/vt/vt.c | 1 + drivers/uio/uio_hv_generic.c | 18 +- drivers/usb/class/cdc-wdm.c | 23 +- drivers/usb/class/usbtmc.c | 53 ++-- drivers/usb/common/usb-conn-gpio.c | 25 +- drivers/usb/core/quirks.c | 3 +- drivers/usb/core/usb.c | 14 +- drivers/usb/gadget/function/f_tcm.c | 4 +- drivers/usb/gadget/function/u_serial.c | 6 +- drivers/usb/host/xhci-dbgcap.c | 4 + drivers/usb/host/xhci-dbgtty.c | 1 + drivers/usb/typec/altmodes/displayport.c | 5 +- drivers/usb/typec/tcpm/tcpci_maxim.c | 20 +- drivers/vhost/scsi.c | 7 +- fs/btrfs/inode.c | 36 +-- fs/btrfs/tree-log.c | 4 +- fs/btrfs/volumes.c | 6 + fs/ceph/file.c | 2 +- fs/cifs/misc.c | 8 + fs/f2fs/super.c | 30 +- fs/jfs/jfs_dmap.c | 41 +-- fs/namespace.c | 8 +- fs/nfs/flexfilelayout/flexfilelayout.c | 121 +++++--- fs/nfs/inode.c | 17 +- fs/nfs/nfs4proc.c | 12 +- fs/nfs/pnfs.c | 4 +- fs/overlayfs/util.c | 4 +- fs/proc/array.c | 6 +- fs/proc/inode.c | 2 +- fs/proc/proc_sysctl.c | 18 +- include/drm/spsc_queue.h | 4 +- include/linux/cpu.h | 3 + include/linux/hyperv.h | 2 + include/linux/ipv6.h | 1 - include/linux/module.h | 5 + include/linux/usb/typec_dp.h | 1 + include/uapi/linux/usb/tmc.h | 2 + include/uapi/linux/vm_sockets.h | 30 +- kernel/events/core.c | 2 +- kernel/rcu/tree.c | 4 + lib/test_objagg.c | 4 +- net/appletalk/ddp.c | 1 + net/atm/clip.c | 75 +++-- net/atm/resources.c | 3 +- net/bluetooth/l2cap_core.c | 9 +- net/ipv6/ip6_output.c | 9 +- net/mac80211/rx.c | 4 + net/mac80211/util.c | 2 +- net/netlink/af_netlink.c | 90 +++--- net/rose/rose_route.c | 15 +- net/rxrpc/call_accept.c | 3 + net/sched/sch_api.c | 42 +-- net/sched/sch_sfq.c | 10 +- net/tipc/topsrv.c | 2 + net/vmw_vsock/af_vsock.c | 78 +++++- net/vmw_vsock/vmci_transport.c | 4 +- sound/isa/sb/sb16_main.c | 4 + sound/pci/hda/hda_bind.c | 2 +- sound/pci/hda/hda_intel.c | 3 + sound/soc/fsl/fsl_asrc.c | 3 +- sound/usb/stream.c | 2 + tools/lib/bpf/btf_dump.c | 3 + 203 files changed, 2702 insertions(+), 809 deletions(-)

2 months

1
0
0 0

[PATCH] Revert "soundwire: qcom: Add set_channel_map api support"

by Amit Pundir

This reverts commit 7796c97df6b1b2206681a07f3c80f6023a6593d5. This patch broke Dragonboard 845c (sdm845). I see: Unexpected kernel BRK exception at EL1 Internal error: BRK handler: 00000000f20003e8 [#1] SMP pc : qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom] lr : snd_soc_dai_set_channel_map+0x34/0x78 Call trace: qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom] (P) sdm845_dai_init+0x18c/0x2e0 [snd_soc_sdm845] snd_soc_link_init+0x28/0x6c snd_soc_bind_card+0x5f4/0xb0c snd_soc_register_card+0x148/0x1a4 devm_snd_soc_register_card+0x50/0xb0 sdm845_snd_platform_probe+0x124/0x148 [snd_soc_sdm845] platform_probe+0x6c/0xd0 really_probe+0xc0/0x2a4 __driver_probe_device+0x7c/0x130 driver_probe_device+0x40/0x118 __device_attach_driver+0xc4/0x108 bus_for_each_drv+0x8c/0xf0 __device_attach+0xa4/0x198 device_initial_probe+0x18/0x28 bus_probe_device+0xb8/0xbc deferred_probe_work_func+0xac/0xfc process_one_work+0x244/0x658 worker_thread+0x1b4/0x360 kthread+0x148/0x228 ret_from_fork+0x10/0x20 Kernel panic - not syncing: BRK handler: Fatal exception Dan has also reported following issues with the original patch https://lore.kernel.org/all/33fe8fe7-719a-405a-9ed2-d9f816ce1d57@sabinyo.mo… Bug #1: The zeroeth element of ctrl->pconfig[] is supposed to be unused. We start counting at 1. However this code sets ctrl->pconfig[0].ch_mask = 128. Bug #2: There are SLIM_MAX_TX_PORTS (16) elements in tx_ch[] array but only QCOM_SDW_MAX_PORTS + 1 (15) in the ctrl->pconfig[] array so it corrupts memory like Yongqin Liu pointed out. Bug 3: Like Jie Gan pointed out, it erases all the tx information with the rx information. Cc: <stable(a)vger.kernel.org> # v6.15+ Signed-off-by: Amit Pundir <amit.pundir(a)linaro.org> --- drivers/soundwire/qcom.c | 26 -------------------------- 1 file changed, 26 deletions(-) diff --git a/drivers/soundwire/qcom.c b/drivers/soundwire/qcom.c index 295a46dc2be7..0f45e3404756 100644 --- a/drivers/soundwire/qcom.c +++ b/drivers/soundwire/qcom.c @@ -156,7 +156,6 @@ struct qcom_swrm_port_config { u8 word_length; u8 blk_group_count; u8 lane_control; - u8 ch_mask; }; /* @@ -1049,13 +1048,9 @@ static int qcom_swrm_port_enable(struct sdw_bus *bus, { u32 reg = SWRM_DP_PORT_CTRL_BANK(enable_ch->port_num, bank); struct qcom_swrm_ctrl *ctrl = to_qcom_sdw(bus); - struct qcom_swrm_port_config *pcfg; u32 val; - pcfg = &ctrl->pconfig[enable_ch->port_num]; ctrl->reg_read(ctrl, reg, &val); - if (pcfg->ch_mask != SWR_INVALID_PARAM && pcfg->ch_mask != 0) - enable_ch->ch_mask = pcfg->ch_mask; if (enable_ch->enable) val |= (enable_ch->ch_mask << SWRM_DP_PORT_CTRL_EN_CHAN_SHFT); @@ -1275,26 +1270,6 @@ static void *qcom_swrm_get_sdw_stream(struct snd_soc_dai *dai, int direction) return ctrl->sruntime[dai->id]; } -static int qcom_swrm_set_channel_map(struct snd_soc_dai *dai, - unsigned int tx_num, const unsigned int *tx_slot, - unsigned int rx_num, const unsigned int *rx_slot) -{ - struct qcom_swrm_ctrl *ctrl = dev_get_drvdata(dai->dev); - int i; - - if (tx_slot) { - for (i = 0; i < tx_num; i++) - ctrl->pconfig[i].ch_mask = tx_slot[i]; - } - - if (rx_slot) { - for (i = 0; i < rx_num; i++) - ctrl->pconfig[i].ch_mask = rx_slot[i]; - } - - return 0; -} - static int qcom_swrm_startup(struct snd_pcm_substream *substream, struct snd_soc_dai *dai) { @@ -1331,7 +1306,6 @@ static const struct snd_soc_dai_ops qcom_swrm_pdm_dai_ops = { .shutdown = qcom_swrm_shutdown, .set_stream = qcom_swrm_set_sdw_stream, .get_stream = qcom_swrm_get_sdw_stream, - .set_channel_map = qcom_swrm_set_channel_map, }; static const struct snd_soc_component_driver qcom_swrm_dai_component = { -- 2.43.0

2 months

3
2
0 0

[PATCH 6.12.y] arm64: Filter out SME hwcaps when FEAT_SME isn't implemented

by Mark Brown

[ Upstream commit a75ad2fc76a2ab70817c7eed3163b66ea84ca6ac ] We have a number of hwcaps for various SME subfeatures enumerated via ID_AA64SMFR0_EL1. Currently we advertise these without cross checking against the main SME feature, advertised in ID_AA64PFR1_EL1.SME which means that if the two are out of sync userspace can see a confusing situation where SME subfeatures are advertised without the base SME hwcap. This can be readily triggered by using the arm64.nosme override which only masks out ID_AA64PFR1_EL1.SME, and there have also been reports of VMMs which do the same thing. Fix this as we did previously for SVE in 064737920bdb ("arm64: Filter out SVE hwcaps when FEAT_SVE isn't implemented") by filtering out the SME subfeature hwcaps when FEAT_SME is not present. Fixes: 5e64b862c482 ("arm64/sme: Basic enumeration support") Reported-by: Yury Khrustalev <yury.khrustalev(a)arm.com> Signed-off-by: Mark Brown <broonie(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250620-arm64-sme-filter-hwcaps-v1-1-02b9d3c2d8e… Signed-off-by: Will Deacon <will(a)kernel.org> --- arch/arm64/kernel/cpufeature.c | 45 ++++++++++++++++++++++++------------------ 1 file changed, 26 insertions(+), 19 deletions(-) diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index 05ccf4ec278f..9ca5ffd8d817 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -2959,6 +2959,13 @@ static bool has_sve_feature(const struct arm64_cpu_capabilities *cap, int scope) } #endif +#ifdef CONFIG_ARM64_SME +static bool has_sme_feature(const struct arm64_cpu_capabilities *cap, int scope) +{ + return system_supports_sme() && has_user_cpuid_feature(cap, scope); +} +#endif + static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = { HWCAP_CAP(ID_AA64ISAR0_EL1, AES, PMULL, CAP_HWCAP, KERNEL_HWCAP_PMULL), HWCAP_CAP(ID_AA64ISAR0_EL1, AES, AES, CAP_HWCAP, KERNEL_HWCAP_AES), @@ -3037,25 +3044,25 @@ static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = { HWCAP_CAP(ID_AA64ISAR2_EL1, BC, IMP, CAP_HWCAP, KERNEL_HWCAP_HBC), #ifdef CONFIG_ARM64_SME HWCAP_CAP(ID_AA64PFR1_EL1, SME, IMP, CAP_HWCAP, KERNEL_HWCAP_SME), - HWCAP_CAP(ID_AA64SMFR0_EL1, FA64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_FA64), - HWCAP_CAP(ID_AA64SMFR0_EL1, LUTv2, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_LUTV2), - HWCAP_CAP(ID_AA64SMFR0_EL1, SMEver, SME2p1, CAP_HWCAP, KERNEL_HWCAP_SME2P1), - HWCAP_CAP(ID_AA64SMFR0_EL1, SMEver, SME2, CAP_HWCAP, KERNEL_HWCAP_SME2), - HWCAP_CAP(ID_AA64SMFR0_EL1, I16I64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I64), - HWCAP_CAP(ID_AA64SMFR0_EL1, F64F64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F64F64), - HWCAP_CAP(ID_AA64SMFR0_EL1, I16I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I32), - HWCAP_CAP(ID_AA64SMFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16B16), - HWCAP_CAP(ID_AA64SMFR0_EL1, F16F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F16), - HWCAP_CAP(ID_AA64SMFR0_EL1, F8F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F8F16), - HWCAP_CAP(ID_AA64SMFR0_EL1, F8F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F8F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, I8I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I8I32), - HWCAP_CAP(ID_AA64SMFR0_EL1, F16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, B16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, BI32I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_BI32I32), - HWCAP_CAP(ID_AA64SMFR0_EL1, F32F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F32F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, SF8FMA, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8FMA), - HWCAP_CAP(ID_AA64SMFR0_EL1, SF8DP4, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8DP4), - HWCAP_CAP(ID_AA64SMFR0_EL1, SF8DP2, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8DP2), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, FA64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_FA64), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, LUTv2, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_LUTV2), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SMEver, SME2p1, CAP_HWCAP, KERNEL_HWCAP_SME2P1), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SMEver, SME2, CAP_HWCAP, KERNEL_HWCAP_SME2), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, I16I64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I64), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F64F64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F64F64), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, I16I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16B16), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F16F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F16), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F8F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F8F16), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F8F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F8F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, I8I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I8I32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, B16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, BI32I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_BI32I32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F32F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F32F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SF8FMA, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8FMA), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SF8DP4, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8DP4), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SF8DP2, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8DP2), #endif /* CONFIG_ARM64_SME */ HWCAP_CAP(ID_AA64FPFR0_EL1, F8CVT, IMP, CAP_HWCAP, KERNEL_HWCAP_F8CVT), HWCAP_CAP(ID_AA64FPFR0_EL1, F8FMA, IMP, CAP_HWCAP, KERNEL_HWCAP_F8FMA), --- base-commit: fbad404f04d758c52bae79ca20d0e7fe5fef91d3 change-id: 20250714-stable-6-12-sme-feat-filt-8e58f0a8c08d Best regards, -- Mark Brown <broonie(a)kernel.org>

2 months

2
2
0 0

FAILED: patch "[PATCH] mm/vmalloc: leave lazy MMU mode on PTE mapping error" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x fea18c686320a53fce7ad62a87a3e1d10ad02f31 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071315-rural-exploring-3260@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fea18c686320a53fce7ad62a87a3e1d10ad02f31 Mon Sep 17 00:00:00 2001 From: Alexander Gordeev <agordeev(a)linux.ibm.com> Date: Mon, 23 Jun 2025 09:57:21 +0200 Subject: [PATCH] mm/vmalloc: leave lazy MMU mode on PTE mapping error vmap_pages_pte_range() enters the lazy MMU mode, but fails to leave it in case an error is encountered. Link: https://lkml.kernel.org/r/20250623075721.2817094-1-agordeev@linux.ibm.com Fixes: 2ba3e6947aed ("mm/vmalloc: track which page-table levels were modified") Signed-off-by: Alexander Gordeev <agordeev(a)linux.ibm.com> Reported-by: kernel test robot <lkp(a)intel.com> Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Closes: https://lore.kernel.org/r/202506132017.T1l1l6ME-lkp@intel.com/ Reviewed-by: Ryan Roberts <ryan.roberts(a)arm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/vmalloc.c b/mm/vmalloc.c index ab986dd09b6a..6dbcdceecae1 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -514,6 +514,7 @@ static int vmap_pages_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end, pgprot_t prot, struct page **pages, int *nr, pgtbl_mod_mask *mask) { + int err = 0; pte_t *pte; /* @@ -530,12 +531,18 @@ static int vmap_pages_pte_range(pmd_t *pmd, unsigned long addr, do { struct page *page = pages[*nr]; - if (WARN_ON(!pte_none(ptep_get(pte)))) - return -EBUSY; - if (WARN_ON(!page)) - return -ENOMEM; - if (WARN_ON(!pfn_valid(page_to_pfn(page)))) - return -EINVAL; + if (WARN_ON(!pte_none(ptep_get(pte)))) { + err = -EBUSY; + break; + } + if (WARN_ON(!page)) { + err = -ENOMEM; + break; + } + if (WARN_ON(!pfn_valid(page_to_pfn(page)))) { + err = -EINVAL; + break; + } set_pte_at(&init_mm, addr, pte, mk_pte(page, prot)); (*nr)++; @@ -543,7 +550,8 @@ static int vmap_pages_pte_range(pmd_t *pmd, unsigned long addr, arch_leave_lazy_mmu_mode(); *mask |= PGTBL_PTE_MODIFIED; - return 0; + + return err; } static int vmap_pages_pmd_range(pud_t *pud, unsigned long addr,

2 months

2
1
0 0

FAILED: patch "[PATCH] mm/vmalloc: leave lazy MMU mode on PTE mapping error" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x fea18c686320a53fce7ad62a87a3e1d10ad02f31 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071316-jawed-backward-2063@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fea18c686320a53fce7ad62a87a3e1d10ad02f31 Mon Sep 17 00:00:00 2001 From: Alexander Gordeev <agordeev(a)linux.ibm.com> Date: Mon, 23 Jun 2025 09:57:21 +0200 Subject: [PATCH] mm/vmalloc: leave lazy MMU mode on PTE mapping error vmap_pages_pte_range() enters the lazy MMU mode, but fails to leave it in case an error is encountered. Link: https://lkml.kernel.org/r/20250623075721.2817094-1-agordeev@linux.ibm.com Fixes: 2ba3e6947aed ("mm/vmalloc: track which page-table levels were modified") Signed-off-by: Alexander Gordeev <agordeev(a)linux.ibm.com> Reported-by: kernel test robot <lkp(a)intel.com> Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Closes: https://lore.kernel.org/r/202506132017.T1l1l6ME-lkp@intel.com/ Reviewed-by: Ryan Roberts <ryan.roberts(a)arm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/vmalloc.c b/mm/vmalloc.c index ab986dd09b6a..6dbcdceecae1 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -514,6 +514,7 @@ static int vmap_pages_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end, pgprot_t prot, struct page **pages, int *nr, pgtbl_mod_mask *mask) { + int err = 0; pte_t *pte; /* @@ -530,12 +531,18 @@ static int vmap_pages_pte_range(pmd_t *pmd, unsigned long addr, do { struct page *page = pages[*nr]; - if (WARN_ON(!pte_none(ptep_get(pte)))) - return -EBUSY; - if (WARN_ON(!page)) - return -ENOMEM; - if (WARN_ON(!pfn_valid(page_to_pfn(page)))) - return -EINVAL; + if (WARN_ON(!pte_none(ptep_get(pte)))) { + err = -EBUSY; + break; + } + if (WARN_ON(!page)) { + err = -ENOMEM; + break; + } + if (WARN_ON(!pfn_valid(page_to_pfn(page)))) { + err = -EINVAL; + break; + } set_pte_at(&init_mm, addr, pte, mk_pte(page, prot)); (*nr)++; @@ -543,7 +550,8 @@ static int vmap_pages_pte_range(pmd_t *pmd, unsigned long addr, arch_leave_lazy_mmu_mode(); *mask |= PGTBL_PTE_MODIFIED; - return 0; + + return err; } static int vmap_pages_pmd_range(pud_t *pud, unsigned long addr,

2 months

2
1
0 0

FAILED: patch "[PATCH] mm/vmalloc: leave lazy MMU mode on PTE mapping error" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x fea18c686320a53fce7ad62a87a3e1d10ad02f31 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071323-settling-calculus-60b3@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fea18c686320a53fce7ad62a87a3e1d10ad02f31 Mon Sep 17 00:00:00 2001 From: Alexander Gordeev <agordeev(a)linux.ibm.com> Date: Mon, 23 Jun 2025 09:57:21 +0200 Subject: [PATCH] mm/vmalloc: leave lazy MMU mode on PTE mapping error vmap_pages_pte_range() enters the lazy MMU mode, but fails to leave it in case an error is encountered. Link: https://lkml.kernel.org/r/20250623075721.2817094-1-agordeev@linux.ibm.com Fixes: 2ba3e6947aed ("mm/vmalloc: track which page-table levels were modified") Signed-off-by: Alexander Gordeev <agordeev(a)linux.ibm.com> Reported-by: kernel test robot <lkp(a)intel.com> Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Closes: https://lore.kernel.org/r/202506132017.T1l1l6ME-lkp@intel.com/ Reviewed-by: Ryan Roberts <ryan.roberts(a)arm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/vmalloc.c b/mm/vmalloc.c index ab986dd09b6a..6dbcdceecae1 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -514,6 +514,7 @@ static int vmap_pages_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end, pgprot_t prot, struct page **pages, int *nr, pgtbl_mod_mask *mask) { + int err = 0; pte_t *pte; /* @@ -530,12 +531,18 @@ static int vmap_pages_pte_range(pmd_t *pmd, unsigned long addr, do { struct page *page = pages[*nr]; - if (WARN_ON(!pte_none(ptep_get(pte)))) - return -EBUSY; - if (WARN_ON(!page)) - return -ENOMEM; - if (WARN_ON(!pfn_valid(page_to_pfn(page)))) - return -EINVAL; + if (WARN_ON(!pte_none(ptep_get(pte)))) { + err = -EBUSY; + break; + } + if (WARN_ON(!page)) { + err = -ENOMEM; + break; + } + if (WARN_ON(!pfn_valid(page_to_pfn(page)))) { + err = -EINVAL; + break; + } set_pte_at(&init_mm, addr, pte, mk_pte(page, prot)); (*nr)++; @@ -543,7 +550,8 @@ static int vmap_pages_pte_range(pmd_t *pmd, unsigned long addr, arch_leave_lazy_mmu_mode(); *mask |= PGTBL_PTE_MODIFIED; - return 0; + + return err; } static int vmap_pages_pmd_range(pud_t *pud, unsigned long addr,

2 months

2
1
0 0

Re: Patch "Bluetooth: HCI: Set extended advertising data synchronously" has been added to the 5.10-stable tree

by Christian Eggers

Hi Sasha, the changes in hci_request.c look quite different from what I submitted for mainline (and also from the version for 6.6 LTS). Are you sure that everything went correctly? regards, Christian On Monday, 14 July 2025, 19:37:07 CEST, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > Bluetooth: HCI: Set extended advertising data synchronously > > to the 5.10-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > bluetooth-hci-set-extended-advertising-data-synchron.patch > and it can be found in the queue-5.10 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit 8766e406adb9b3c4bd8c0506a71bbbf99a43906d > Author: Christian Eggers <ceggers(a)arri.de> > Date: Sat Jul 12 02:08:03 2025 -0400 > > Bluetooth: HCI: Set extended advertising data synchronously > > [ Upstream commit 89fb8acc38852116d38d721ad394aad7f2871670 ] > > Currently, for controllers with extended advertising, the advertising > data is set in the asynchronous response handler for extended > adverstising params. As most advertising settings are performed in a > synchronous context, the (asynchronous) setting of the advertising data > is done too late (after enabling the advertising). > > Move setting of adverstising data from asynchronous response handler > into synchronous context to fix ordering of HCI commands. > > Signed-off-by: Christian Eggers <ceggers(a)arri.de> > Fixes: a0fb3726ba55 ("Bluetooth: Use Set ext adv/scan rsp data if controller supports") > Cc: stable(a)vger.kernel.org > v2: https://lore.kernel.org/linux-bluetooth/20250626115209.17839-1-ceggers@arri… > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c > index 7f26c1aab9a06..2cc4aaba09abe 100644 > --- a/net/bluetooth/hci_event.c > +++ b/net/bluetooth/hci_event.c > @@ -1726,36 +1726,6 @@ static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb) > hci_dev_unlock(hdev); > } > > -static void hci_cc_set_ext_adv_param(struct hci_dev *hdev, struct sk_buff *skb) > -{ > - struct hci_rp_le_set_ext_adv_params *rp = (void *) skb->data; > - struct hci_cp_le_set_ext_adv_params *cp; > - struct adv_info *adv_instance; > - > - BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); > - > - if (rp->status) > - return; > - > - cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS); > - if (!cp) > - return; > - > - hci_dev_lock(hdev); > - hdev->adv_addr_type = cp->own_addr_type; > - if (!hdev->cur_adv_instance) { > - /* Store in hdev for instance 0 */ > - hdev->adv_tx_power = rp->tx_power; > - } else { > - adv_instance = hci_find_adv_instance(hdev, > - hdev->cur_adv_instance); > - if (adv_instance) > - adv_instance->tx_power = rp->tx_power; > - } > - /* Update adv data as tx power is known now */ > - hci_req_update_adv_data(hdev, hdev->cur_adv_instance); > - hci_dev_unlock(hdev); > -} > > static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb) > { > @@ -3601,9 +3571,6 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb, > hci_cc_le_read_num_adv_sets(hdev, skb); > break; > > - case HCI_OP_LE_SET_EXT_ADV_PARAMS: > - hci_cc_set_ext_adv_param(hdev, skb); > - break; > > case HCI_OP_LE_SET_EXT_ADV_ENABLE: > hci_cc_le_set_ext_adv_enable(hdev, skb); > diff --git a/net/bluetooth/hci_request.c b/net/bluetooth/hci_request.c > index 7ce6db1ac558a..743ba58941f8b 100644 > --- a/net/bluetooth/hci_request.c > +++ b/net/bluetooth/hci_request.c > @@ -2179,6 +2179,9 @@ int __hci_req_setup_ext_adv_instance(struct hci_request *req, u8 instance) > > hci_req_add(req, HCI_OP_LE_SET_EXT_ADV_PARAMS, sizeof(cp), &cp); > > + /* Update adv data after setting ext adv params */ > + __hci_req_update_adv_data(req, instance); > + > if (own_addr_type == ADDR_LE_DEV_RANDOM && > bacmp(&random_addr, BDADDR_ANY)) { > struct hci_cp_le_set_adv_set_rand_addr cp; >

2 months

2
1
0 0

temporary hung tasks on XFS since updating to 6.6.92

by Christian Theune

Hi, in the last week, after updating to 6.6.92, we’ve encountered a number of VMs reporting temporarily hung tasks blocking the whole system for a few minutes. They unblock by themselves and have similar tracebacks. The IO PSIs show 100% pressure for that time, but the underlying devices are still processing read and write IO (well within their capacity). I’ve eliminated the underlying storage (Ceph) as the source of problems as I couldn’t find any latency outliers or significant queuing during that time. I’ve seen somewhat similar reports on 6.6.88 and 6.6.77, but those might have been different outliers. I’m attaching 3 logs - my intuition and the data so far leads me to consider this might be a kernel bug. I haven’t found a way to reproduce this, yet. Regards, Christian -- Christian Theune · ct(a)flyingcircus.io · +49 345 219401 0 Flying Circus Internet Operations GmbH · https://flyingcircus.io Leipziger Str. 70/71 · 06108 Halle (Saale) · Deutschland HR Stendal HRB 21169 · Geschäftsführer: Christian Theune, Christian Zagrodnick

2 months

3
13
0 0

[PATCH v3 2/9] vsock/virtio: Validate length in packet header before skb_put()

by Will Deacon

When receiving a vsock packet in the guest, only the virtqueue buffer size is validated prior to virtio_vsock_skb_rx_put(). Unfortunately, virtio_vsock_skb_rx_put() uses the length from the packet header as the length argument to skb_put(), potentially resulting in SKB overflow if the host has gone wonky. Validate the length as advertised by the packet header before calling virtio_vsock_skb_rx_put(). Cc: <stable(a)vger.kernel.org> Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff") Signed-off-by: Will Deacon <will(a)kernel.org> --- net/vmw_vsock/virtio_transport.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c index f0e48e6911fc..bd2c6aaa1a93 100644 --- a/net/vmw_vsock/virtio_transport.c +++ b/net/vmw_vsock/virtio_transport.c @@ -624,8 +624,9 @@ static void virtio_transport_rx_work(struct work_struct *work) do { virtqueue_disable_cb(vq); for (;;) { + unsigned int len, payload_len; + struct virtio_vsock_hdr *hdr; struct sk_buff *skb; - unsigned int len; if (!virtio_transport_more_replies(vsock)) { /* Stop rx until the device processes already @@ -642,12 +643,19 @@ static void virtio_transport_rx_work(struct work_struct *work) vsock->rx_buf_nr--; /* Drop short/long packets */ - if (unlikely(len < sizeof(struct virtio_vsock_hdr) || + if (unlikely(len < sizeof(*hdr) || len > virtio_vsock_skb_len(skb))) { kfree_skb(skb); continue; } + hdr = virtio_vsock_hdr(skb); + payload_len = le32_to_cpu(hdr->len); + if (payload_len > len - sizeof(*hdr)) { + kfree_skb(skb); + continue; + } + virtio_vsock_skb_rx_put(skb); virtio_transport_deliver_tap_pkt(skb); virtio_transport_recv_pkt(&virtio_transport, skb); -- 2.50.0.727.gbf7dc18ff4-goog

2 months

2
1
0 0

[PATCH RESEND] fs/ntfs3: Fix a resource leak bug in wnd_extend()

by Haoxiang Li

Add put_bh() to decrease the refcount of 'bh' after the job is finished, preventing a resource leak. Fixes: 3f3b442b5ad2 ("fs/ntfs3: Add bitmap") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> --- fs/ntfs3/bitmap.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/ntfs3/bitmap.c b/fs/ntfs3/bitmap.c index 04107b950717..65d05e6a0566 100644 --- a/fs/ntfs3/bitmap.c +++ b/fs/ntfs3/bitmap.c @@ -1371,6 +1371,7 @@ int wnd_extend(struct wnd_bitmap *wnd, size_t new_bits) mark_buffer_dirty(bh); unlock_buffer(bh); /* err = sync_dirty_buffer(bh); */ + put_bh(bh); b0 = 0; bits -= op; -- 2.25.1

2 months

1
0
0 0

[PATCH v3 1/9] vhost/vsock: Avoid allocating arbitrarily-sized SKBs

by Will Deacon

vhost_vsock_alloc_skb() returns NULL for packets advertising a length larger than VIRTIO_VSOCK_MAX_PKT_BUF_SIZE in the packet header. However, this is only checked once the SKB has been allocated and, if the length in the packet header is zero, the SKB may not be freed immediately. Hoist the size check before the SKB allocation so that an iovec larger than VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + the header size is rejected outright. The subsequent check on the length field in the header can then simply check that the allocated SKB is indeed large enough to hold the packet. Cc: <stable(a)vger.kernel.org> Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff") Signed-off-by: Will Deacon <will(a)kernel.org> --- drivers/vhost/vsock.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c index 802153e23073..66a0f060770e 100644 --- a/drivers/vhost/vsock.c +++ b/drivers/vhost/vsock.c @@ -344,6 +344,9 @@ vhost_vsock_alloc_skb(struct vhost_virtqueue *vq, len = iov_length(vq->iov, out); + if (len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + VIRTIO_VSOCK_SKB_HEADROOM) + return NULL; + /* len contains both payload and hdr */ skb = virtio_vsock_alloc_skb(len, GFP_KERNEL); if (!skb) @@ -367,8 +370,7 @@ vhost_vsock_alloc_skb(struct vhost_virtqueue *vq, return skb; /* The pkt is too big or the length in the header is invalid */ - if (payload_len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE || - payload_len + sizeof(*hdr) > len) { + if (payload_len + sizeof(*hdr) > len) { kfree_skb(skb); return NULL; } -- 2.50.0.727.gbf7dc18ff4-goog

2 months

2
1
0 0

[PATCH net 0/2] selftests: mptcp: connect: cover alt modes

by Matthieu Baerts (NGI0)

mptcp_connect.sh can be executed manually with "-m <MODE>" and "-C" to make sure everything works as expected when using "mmap" and "sendfile" modes instead of "poll", and with the MPTCP checksum support. These modes should be validated, but they are not when the selftests are executed via the kselftest helpers. It means that most CIs validating these selftests, like NIPA for the net development trees and LKFT for the stable ones, are not covering these modes. To fix that, new test programs have been added, simply calling mptcp_connect.sh with the right parameters. The first patch can be backported up to v5.6, and the second one up to v5.14. Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Matthieu Baerts (NGI0) (2): selftests: mptcp: connect: also cover alt modes selftests: mptcp: connect: also cover checksum tools/testing/selftests/net/mptcp/Makefile | 3 ++- tools/testing/selftests/net/mptcp/mptcp_connect_checksum.sh | 4 ++++ tools/testing/selftests/net/mptcp/mptcp_connect_mmap.sh | 4 ++++ tools/testing/selftests/net/mptcp/mptcp_connect_sendfile.sh | 4 ++++ 4 files changed, 14 insertions(+), 1 deletion(-) --- base-commit: b640daa2822a39ff76e70200cb2b7b892b896dce change-id: 20250714-net-mptcp-sft-connect-alt-c1aaf073ef4e Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

2 months

2
3
0 0

[PATCH 5.4] net: ipv6: Discard next-hop MTU less than minimum link MTU

by WangYuli

From: Georg Kohmann <geokohma(a)cisco.com> [ Upstream commit 4a65dff81a04f874fa6915c7f069b4dc2c4010e4 ] When a ICMPV6_PKT_TOOBIG report a next-hop MTU that is less than the IPv6 minimum link MTU, the estimated path MTU is reduced to the minimum link MTU. This behaviour breaks TAHI IPv6 Core Conformance Test v6LC4.1.6: Packet Too Big Less than IPv6 MTU. Referring to RFC 8201 section 4: "If a node receives a Packet Too Big message reporting a next-hop MTU that is less than the IPv6 minimum link MTU, it must discard it. A node must not reduce its estimate of the Path MTU below the IPv6 minimum link MTU on receipt of a Packet Too Big message." Drop the path MTU update if reported MTU is less than the minimum link MTU. Signed-off-by: Georg Kohmann <geokohma(a)cisco.com> Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: WangYuli <wangyuli(a)uniontech.com> --- net/ipv6/route.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/ipv6/route.c b/net/ipv6/route.c index b321cec71127..93bae134e730 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -2765,7 +2765,8 @@ static void __ip6_rt_update_pmtu(struct dst_entry *dst, const struct sock *sk, if (confirm_neigh) dst_confirm_neigh(dst, daddr); - mtu = max_t(u32, mtu, IPV6_MIN_MTU); + if (mtu < IPV6_MIN_MTU) + return; if (mtu >= dst_mtu(dst)) return; -- 2.50.0

2 months

1
0
0 0

[PATCH 5.4/5.10/5.15/6.1/6.6] Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID

by Wang Hai

From: Hans de Goede <hdegoede(a)redhat.com> commit 9cf6e24c9fbf17e52de9fff07f12be7565ea6d61 upstream. After commit 936e4d49ecbc ("Input: atkbd - skip ATKBD_CMD_GETID in translated mode") not only the getid command is skipped, but also the de-activating of the keyboard at the end of atkbd_probe(), potentially re-introducing the problem fixed by commit be2d7e4233a4 ("Input: atkbd - fix multi-byte scancode handling on reconnect"). Make sure multi-byte scancode handling on reconnect is still handled correctly by not skipping the atkbd_deactivate() call. Fixes: 936e4d49ecbc ("Input: atkbd - skip ATKBD_CMD_GETID in translated mode") Tested-by: Paul Menzel <pmenzel(a)molgen.mpg.de> Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> Link: https://lore.kernel.org/r/20240126160724.13278-3-hdegoede@redhat.com Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> --- drivers/input/keyboard/atkbd.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/input/keyboard/atkbd.c b/drivers/input/keyboard/atkbd.c index b3a856333d4e..de59fc1a24bc 100644 --- a/drivers/input/keyboard/atkbd.c +++ b/drivers/input/keyboard/atkbd.c @@ -805,11 +805,11 @@ static int atkbd_probe(struct atkbd *atkbd) "keyboard reset failed on %s\n", ps2dev->serio->phys); if (atkbd_skip_getid(atkbd)) { atkbd->id = 0xab83; - return 0; + goto deactivate_kbd; } /* * Then we check the keyboard ID. We should get 0xab83 under normal conditions. * Some keyboards report different values, but the first byte is always 0xab or @@ -842,10 +842,11 @@ static int atkbd_probe(struct atkbd *atkbd) "NCD terminal keyboards are only supported on non-translating controllers. " "Use i8042.direct=1 to disable translation.\n"); return -1; } +deactivate_kbd: /* * Make sure nothing is coming from the keyboard and disturbs our * internal state. */ if (!atkbd_skip_deactivate) -- 2.17.1

2 months

2
1
0 0

[PATCH] media: pci: intel: Balance device refcount when destroying devices

by Ma Ke

Using ipu_bridge_get_ivsc_csi_dev() to locate the device could cause an imbalance in the device's reference count. ipu_bridge_get_ivsc_csi_dev() calls device_find_child_by_name() to implement the localization, and device_find_child_by_name() calls an implicit get_device() to increment the device's reference count before returning the pointer. Throughout the entire implementation process, no mechanism releases resources properly. This leads to a memory leak because the reference count of the device is never decremented. As the comment of device_find_child_by_name() says, 'NOTE: you will need to drop the reference with put_device() after use'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: c66821f381ae ("media: pci: intel: Add IVSC support for IPU bridge driver") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/media/pci/intel/ipu-bridge.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/pci/intel/ipu-bridge.c b/drivers/media/pci/intel/ipu-bridge.c index 83e682e1a4b7..f8b4672accab 100644 --- a/drivers/media/pci/intel/ipu-bridge.c +++ b/drivers/media/pci/intel/ipu-bridge.c @@ -192,6 +192,7 @@ static int ipu_bridge_check_ivsc_dev(struct ipu_sensor *sensor, sensor->csi_dev = csi_dev; sensor->ivsc_adev = adev; + put_device(csi_dev); } return 0; -- 2.25.1

2 months

2
1
0 0

[PATCH] KVM: SEV: Enforce minimum GHCB version requirement for SEV-SNP guests

by Nikunj A Dadhania

Require a minimum GHCB version of 2 when starting SEV-SNP guests through KVM_SEV_INIT2. When a VMM attempts to start an SEV-SNP guest with an incompatible GHCB version (less than 2), reject the request early rather than allowing the guest to start with an incorrect protocol version and fail later. Fixes: 4af663c2f64a ("KVM: SEV: Allow per-guest configuration of GHCB protocol version") Cc: Thomas Lendacky <thomas.lendacky(a)amd.com> Cc: Sean Christopherson <seanjc(a)google.com> Cc: Michael Roth <michael.roth(a)amd.com> Cc: stable(a)vger.kernel.org Signed-off-by: Nikunj A Dadhania <nikunj(a)amd.com> --- arch/x86/kvm/svm/sev.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index a12e78b67466..91d06fb91ba2 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -435,6 +435,9 @@ static int __sev_guest_init(struct kvm *kvm, struct kvm_sev_cmd *argp, if (unlikely(sev->active)) return -EINVAL; + if (snp_active && data->ghcb_version && data->ghcb_version < 2) + return -EINVAL; + sev->active = true; sev->es_active = es_active; sev->vmsa_features = data->vmsa_features; -- 2.43.0

2 months

3
6
0 0

[REGRESSION] thunderbolt: Fix a logic error in wake on connect

by Alyssa Ross

On Fri, Apr 11, 2025 at 10:14:44AM -0500, Mario Limonciello wrote: > From: Mario Limonciello <mario.limonciello(a)amd.com> > > commit a5cfc9d65879c ("thunderbolt: Add wake on connect/disconnect > on USB4 ports") introduced a sysfs file to control wake up policy > for a given USB4 port that defaulted to disabled. > > However when testing commit 4bfeea6ec1c02 ("thunderbolt: Use wake > on connect and disconnect over suspend") I found that it was working > even without making changes to the power/wakeup file (which defaults > to disabled). This is because of a logic error doing a bitwise or > of the wake-on-connect flag with device_may_wakeup() which should > have been a logical AND. > > Adjust the logic so that policy is only applied when wakeup is > actually enabled. > > Fixes: a5cfc9d65879c ("thunderbolt: Add wake on connect/disconnect on USB4 ports") > Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> Hi! There have been a couple of reports of a Thunderbolt regression in recent stable kernels, and one reporter has now bisected it to this change: • https://bugzilla.kernel.org/show_bug.cgi?id=220284 • https://github.com/NixOS/nixpkgs/issues/420730 Both reporters are CCed, and say it starts working after the module is reloaded. Link: https://lore.kernel.org/r/bug-220284-208809@https.bugzilla.kernel.org%2F/ (for regzbot) > --- > drivers/thunderbolt/usb4.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/thunderbolt/usb4.c b/drivers/thunderbolt/usb4.c > index e51d01671d8e7..3e96f1afd4268 100644 > --- a/drivers/thunderbolt/usb4.c > +++ b/drivers/thunderbolt/usb4.c > @@ -440,10 +440,10 @@ int usb4_switch_set_wake(struct tb_switch *sw, unsigned int flags) > bool configured = val & PORT_CS_19_PC; > usb4 = port->usb4; > > - if (((flags & TB_WAKE_ON_CONNECT) | > + if (((flags & TB_WAKE_ON_CONNECT) && > device_may_wakeup(&usb4->dev)) && !configured) > val |= PORT_CS_19_WOC; > - if (((flags & TB_WAKE_ON_DISCONNECT) | > + if (((flags & TB_WAKE_ON_DISCONNECT) && > device_may_wakeup(&usb4->dev)) && configured) > val |= PORT_CS_19_WOD; > if ((flags & TB_WAKE_ON_USB4) && configured) > -- > 2.43.0 >

2 months

3
5
0 0

Re: [PATCH 6.6 087150] Input atkbd - skip ATKBD_CMD_GETID in translated mode

by Wang Hai

On 1970/1/1 8:00, wrote: > 6.6-stable review patch. If anyone has any objections, please let me know. > > ------------------ > > From Hans de Goede hdegoede(a)redhat.com > > [ Upstream commit 936e4d49ecbc8c404790504386e1422b599dec39 ] > > There have been multiple reports of keyboard issues on recent laptop models > which can be worked around by setting i8042.dumbkbd, with the downside > being this breaks the capslock LED. > > It seems that these issues are caused by recent laptops getting confused by > ATKBD_CMD_GETID. Rather then adding and endless growing list of quirks for > this, just skip ATKBD_CMD_GETID alltogether on laptops in translated mode. > > The main goal of sending ATKBD_CMD_GETID is to skip binding to ps2 > micetouchpads and those are never used in translated mode. > > Examples of laptop models which benefit from skipping ATKBD_CMD_GETID > > HP Laptop 15s-fq2xxx, HP laptop 15s-fq4xxx and HP Laptop 15-dy2xxx > models the kbd stops working for the first 2 - 5 minutes after boot > (waiting for EC watchdog reset) > > On HP Spectre x360 13-aw2xxx atkbd fails to probe the keyboard > > At least 9 different Lenovo models have issues with ATKBD_CMD_GETID, see > httpsgithub.comyescallopatkbd-nogetid > > This has been tested on > > 1. A MSI B550M PRO-VDH WIFI desktop, where the i8042 controller is not > in translated mode when no keyboard is plugged in and with a ps2 kbd > a AT Translated Set 2 keyboard devinputevent# node shows up > > 2. A Lenovo ThinkPad X1 Yoga gen 8 (always has a translated set 2 keyboard) > > Reported-by Shang Ye yesh25(a)mail2.sysu.edu.cn > Closes httpslore.kernel.orglinux-input886D6167733841AE+20231017135318.11142-1-yesh25(a)mail2.sysu.edu.cn > Closes httpsgithub.comyescallopatkbd-nogetid > Reported-by gurevitch mail(a)gurevit.ch > Closes httpslore.kernel.orglinux-input2iAJTwqZV6lQs26cTb38RNYqxvsink6SRmrZ5h0cBUSuf9NT0tZTsf9fEAbbto2maavHJEOP8GA1evlKa6xjKOsaskDhtJWxjcnrgPigzVo=(a)gurevit.ch > Reported-by Egor Ignatov egori(a)altlinux.org > Closes httpslore.kernel.orgall20210609073333.8425-1-egori(a)altlinux.org > Reported-by Anton Zhilyaev anton(a)cpp.in > Closes httpslore.kernel.orglinux-input20210201160336.16008-1-anton(a)cpp.in > Closes httpsbugzilla.redhat.comshow_bug.cgiid=2086156 > Signed-off-by Hans de Goede hdegoede(a)redhat.com > Link httpslore.kernel.orgr20231115174625.7462-1-hdegoede(a)redhat.com > Signed-off-by Dmitry Torokhov dmitry.torokhov(a)gmail.com > Signed-off-by Sasha Levin sashal(a)kernel.org > --- Hi, Hans I noticed there's a subsequent bugfix [1] for this patch, but it hasn't been merged into the stable-6.6 branch. Based on the bugfix description, the issue should exist there as well. Would you like this patch to be merged into the stable-6.6 branch?" [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

2 months

2
2
0 0

[PATCH v6.1] vhost-scsi: protect vq->log_used with vq->mutex

by Xinyu Zheng

From: Dongli Zhang <dongli.zhang(a)oracle.com> [ Upstream commit f591cf9fce724e5075cc67488c43c6e39e8cbe27 ] The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used via VHOST_SET_VRING_ADDR. mutex_lock(&vq->mutex); vq->log_used = false now! mutex_unlock(&vq->mutex); QEMU gfree(vq->log_base) log_used() -> log_write(vq->log_base) Assuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace. The control queue path has the same issue. Cc: stable(a)vger.kernel.org#6.1.x Cc: gregkh(a)linuxfoundation.org Signed-off-by: Dongli Zhang <dongli.zhang(a)oracle.com> Acked-by: Jason Wang <jasowang(a)redhat.com> Reviewed-by: Mike Christie <michael.christie(a)oracle.com> Message-Id: <20250403063028.16045-2-dongli.zhang(a)oracle.com> Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> [ Conflicts in drivers/vhost/scsi.c bacause vhost_scsi_complete_cmd_work() has been refactored. ] Signed-off-by: Xinyu Zheng <zhengxinyu6(a)huawei.com> --- drivers/vhost/scsi.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c index 3077cb9d58d6..87f2f56fd20a 100644 --- a/drivers/vhost/scsi.c +++ b/drivers/vhost/scsi.c @@ -568,8 +568,10 @@ static void vhost_scsi_complete_cmd_work(struct vhost_work *work) ret = copy_to_iter(&v_rsp, sizeof(v_rsp), &iov_iter); if (likely(ret == sizeof(v_rsp))) { struct vhost_scsi_virtqueue *q; - vhost_add_used(cmd->tvc_vq, cmd->tvc_vq_desc, 0); q = container_of(cmd->tvc_vq, struct vhost_scsi_virtqueue, vq); + mutex_lock(&q->vq.mutex); + vhost_add_used(cmd->tvc_vq, cmd->tvc_vq_desc, 0); + mutex_unlock(&q->vq.mutex); vq = q - vs->vqs; __set_bit(vq, vs->compl_bitmap); } else @@ -1173,8 +1175,11 @@ static void vhost_scsi_tmf_resp_work(struct vhost_work *work) else resp_code = VIRTIO_SCSI_S_FUNCTION_REJECTED; + mutex_lock(&tmf->svq->vq.mutex); vhost_scsi_send_tmf_resp(tmf->vhost, &tmf->svq->vq, tmf->in_iovs, tmf->vq_desc, &tmf->resp_iov, resp_code); + mutex_unlock(&tmf->svq->vq.mutex); + vhost_scsi_release_tmf_res(tmf); } -- 2.34.1

2 months

1
0
0 0

[PATCH v5.15] vhost-scsi: protect vq->log_used with vq->mutex

by Xinyu Zheng

From: Dongli Zhang <dongli.zhang(a)oracle.com> [ Upstream commit f591cf9fce724e5075cc67488c43c6e39e8cbe27 ] The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used via VHOST_SET_VRING_ADDR. mutex_lock(&vq->mutex); vq->log_used = false now! mutex_unlock(&vq->mutex); QEMU gfree(vq->log_base) log_used() -> log_write(vq->log_base) Assuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace. The control queue path has the same issue. Cc: stable(a)vger.kernel.org#5.15.x Cc: gregkh(a)linuxfoundation.org Signed-off-by: Dongli Zhang <dongli.zhang(a)oracle.com> Acked-by: Jason Wang <jasowang(a)redhat.com> Reviewed-by: Mike Christie <michael.christie(a)oracle.com> Message-Id: <20250403063028.16045-2-dongli.zhang(a)oracle.com> Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> [ Conflicts in drivers/vhost/scsi.c bacause vhost_scsi_complete_cmd_work() has been refactored. ] Signed-off-by: Xinyu Zheng <zhengxinyu6(a)huawei.com> --- drivers/vhost/scsi.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c index f9930887fdd2..2c19fa02141d 100644 --- a/drivers/vhost/scsi.c +++ b/drivers/vhost/scsi.c @@ -563,8 +563,10 @@ static void vhost_scsi_complete_cmd_work(struct vhost_work *work) ret = copy_to_iter(&v_rsp, sizeof(v_rsp), &iov_iter); if (likely(ret == sizeof(v_rsp))) { struct vhost_scsi_virtqueue *q; - vhost_add_used(cmd->tvc_vq, cmd->tvc_vq_desc, 0); q = container_of(cmd->tvc_vq, struct vhost_scsi_virtqueue, vq); + mutex_lock(&q->vq.mutex); + vhost_add_used(cmd->tvc_vq, cmd->tvc_vq_desc, 0); + mutex_unlock(&q->vq.mutex); vq = q - vs->vqs; __set_bit(vq, signal); } else @@ -1166,8 +1168,11 @@ static void vhost_scsi_tmf_resp_work(struct vhost_work *work) else resp_code = VIRTIO_SCSI_S_FUNCTION_REJECTED; + mutex_lock(&tmf->svq->vq.mutex); vhost_scsi_send_tmf_resp(tmf->vhost, &tmf->svq->vq, tmf->in_iovs, tmf->vq_desc, &tmf->resp_iov, resp_code); + mutex_unlock(&tmf->svq->vq.mutex); + vhost_scsi_release_tmf_res(tmf); } -- 2.34.1

2 months

1
0
0 0

[PATCH v5.10 v2] vhost-scsi: protect vq->log_used with vq->mutex

by Xinyu Zheng

From: Dongli Zhang <dongli.zhang(a)oracle.com> [ Upstream commit f591cf9fce724e5075cc67488c43c6e39e8cbe27 ] The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used via VHOST_SET_VRING_ADDR. mutex_lock(&vq->mutex); vq->log_used = false now! mutex_unlock(&vq->mutex); QEMU gfree(vq->log_base) log_used() -> log_write(vq->log_base) Assuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace. The control queue path has the same issue. Cc: stable(a)vger.kernel.org#5.10.x Cc: gregkh(a)linuxfoundation.org Signed-off-by: Dongli Zhang <dongli.zhang(a)oracle.com> Acked-by: Jason Wang <jasowang(a)redhat.com> Reviewed-by: Mike Christie <michael.christie(a)oracle.com> Message-Id: <20250403063028.16045-2-dongli.zhang(a)oracle.com> Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> [ Conflicts in drivers/vhost/scsi.c bacause vhost_scsi_complete_cmd_work() has been refactored. ] Signed-off-by: Xinyu Zheng <zhengxinyu6(a)huawei.com> --- V1 -> V2: Remove unnecessary CVE tag drivers/vhost/scsi.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c index a23a65e7d828..fcde3752b4f1 100644 --- a/drivers/vhost/scsi.c +++ b/drivers/vhost/scsi.c @@ -579,8 +579,10 @@ static void vhost_scsi_complete_cmd_work(struct vhost_work *work) ret = copy_to_iter(&v_rsp, sizeof(v_rsp), &iov_iter); if (likely(ret == sizeof(v_rsp))) { struct vhost_scsi_virtqueue *q; - vhost_add_used(cmd->tvc_vq, cmd->tvc_vq_desc, 0); q = container_of(cmd->tvc_vq, struct vhost_scsi_virtqueue, vq); + mutex_lock(&q->vq.mutex); + vhost_add_used(cmd->tvc_vq, cmd->tvc_vq_desc, 0); + mutex_unlock(&q->vq.mutex); vq = q - vs->vqs; __set_bit(vq, signal); } else @@ -1193,8 +1195,11 @@ static void vhost_scsi_tmf_resp_work(struct vhost_work *work) else resp_code = VIRTIO_SCSI_S_FUNCTION_REJECTED; + mutex_lock(&tmf->svq->vq.mutex); vhost_scsi_send_tmf_resp(tmf->vhost, &tmf->svq->vq, tmf->in_iovs, tmf->vq_desc, &tmf->resp_iov, resp_code); + mutex_unlock(&tmf->svq->vq.mutex); + vhost_scsi_release_tmf_res(tmf); } -- 2.34.1

2 months

1
0
0 0

Host panic in bpf verifier when loading bpf prog in 5.10 stable kernel

by Aaron Lu

Hello, Wei reported when loading his bpf prog in 5.10.200 kernel, host would panic, this didn't happen in 5.10.135 kernel. Test on latest v5.10.238 still has this panic. [ 26.531718] BUG: kernel NULL pointer dereference, address: 0000000000000168 [ 26.538093] #PF: supervisor read access in kernel mode [ 26.542727] #PF: error_code(0x0000) - not-present page [ 26.548093] PGD 10f3e9067 P4D 10f332067 PUD 10f0c5067 PMD 0 [ 26.553211] Oops: 0000 [#1] SMP NOPTI [ 26.556531] CPU: 2 PID: 541 Comm: main Not tainted 5.10.238-00267-g01e7e36b8606 #63 [ 26.563816] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 26.572357] RIP: 0010:__mark_chain_precision+0x24b/0x4d0 [ 26.576572] Code: 51 01 be 20 00 00 00 4c 89 ef 48 63 d2 e8 bd df 31 00 89 c1 83 f8 1f 7f 29 48 63 d1 48 89 d0 48 c1 e0 04 48 29 d0 48 8d 04 c3 <83> 38 01 75 c3 0f b6 74 24 06 80 78 74 00 c6 40 74 01 44 0f 44 f6 [ 26.589100] RSP: 0018:ffa0000000ff7b60 EFLAGS: 00010216 [ 26.592612] RAX: 0000000000000168 RBX: 0000000000000000 RCX: 0000000000000003 [ 26.597416] RDX: 0000000000000003 RSI: 0000000000000020 RDI: ffa0000000ff7b78 [ 26.601362] RBP: 0000000000000003 R08: ffa0000000ff7b70 R09: 0000000000000004 [ 26.604261] R10: 0000000000000007 R11: ffa0000000425000 R12: ff11000102ee2000 [ 26.607202] R13: ffa0000000ff7b78 R14: 0000000000000000 R15: ff1100010ee37140 [ 26.610327] FS: 00000000007a0630(0000) GS:ff1100081c400000(0000) knlGS:0000000000000000 [ 26.613678] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 26.616105] CR2: 0000000000000168 CR3: 0000000115e72002 CR4: 0000000000371ee0 [ 26.619059] Call Trace: [ 26.620118] adjust_reg_min_max_vals+0x133/0x340 [ 26.622048] ? krealloc+0x63/0xe0 [ 26.623435] do_check+0x38c/0xa80 [ 26.624859] do_check_common+0x15b/0x280 [ 26.626496] bpf_check+0xbe1/0xd30 [ 26.627939] ? srso_alias_return_thunk+0x5/0x7f [ 26.629796] ? trace_hardirqs_on+0x1a/0xd0 [ 26.631503] ? srso_alias_return_thunk+0x5/0x7f [ 26.633402] bpf_prog_load+0x422/0x8a0 [ 26.634987] ? srso_alias_return_thunk+0x5/0x7f [ 26.636864] ? __handle_mm_fault+0x3cb/0x6d0 [ 26.638658] ? srso_alias_return_thunk+0x5/0x7f [ 26.640543] ? lock_release+0xe3/0x110 [ 26.642114] __do_sys_bpf+0x485/0xdf0 [ 26.643624] do_syscall_64+0x33/0x40 [ 26.645110] entry_SYSCALL_64_after_hwframe+0x67/0xd1 [ 26.647190] RIP: 0033:0x409a6e [ 26.648470] Code: 24 28 44 8b 44 24 2c e9 70 ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 49 89 f2 48 89 fa 48 89 ce 48 89 df 0f 05 <48> 3d 01 f0 ff ff 76 15 48 f7 d8 48 89 c1 48 c7 c0 ff ff ff ff 48 [ 26.656154] RSP: 002b:000000c00199edc0 EFLAGS: 00000212 ORIG_RAX: 0000000000000141 [ 26.659451] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000409a6e [ 26.662375] RDX: 0000000000000098 RSI: 000000c00199f290 RDI: 0000000000000005 [ 26.665267] RBP: 000000c00199ee00 R08: 0000000000000000 R09: 0000000000000000 [ 26.668204] R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000 [ 26.671125] R13: 0000000000000080 R14: 000000c000002380 R15: 8080808080808080 [ 26.674085] Modules linked in: [ 26.675363] CR2: 0000000000000168 [ 26.676772] ---[ end trace 3fc192ee4dabbf12 ]--- [ 26.678667] RIP: 0010:__mark_chain_precision+0x24b/0x4d0 [ 26.680926] Code: 51 01 be 20 00 00 00 4c 89 ef 48 63 d2 e8 bd df 31 00 89 c1 83 f8 1f 7f 29 48 63 d1 48 89 d0 48 c1 e0 04 48 29 d0 48 8d 04 c3 <83> 38 01 75 c3 0f b6 74 24 06 80 78 74 00 c6 40 74 01 44 0f 44 f6 [ 26.688665] RSP: 0018:ffa0000000ff7b60 EFLAGS: 00010216 [ 26.690828] RAX: 0000000000000168 RBX: 0000000000000000 RCX: 0000000000000003 [ 26.693777] RDX: 0000000000000003 RSI: 0000000000000020 RDI: ffa0000000ff7b78 [ 26.696680] RBP: 0000000000000003 R08: ffa0000000ff7b70 R09: 0000000000000004 [ 26.699651] R10: 0000000000000007 R11: ffa0000000425000 R12: ff11000102ee2000 [ 26.702561] R13: ffa0000000ff7b78 R14: 0000000000000000 R15: ff1100010ee37140 [ 26.705522] FS: 00000000007a0630(0000) GS:ff1100081c400000(0000) knlGS:0000000000000000 [ 26.708806] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 26.711179] CR2: 0000000000000168 CR3: 0000000115e72002 CR4: 0000000000371ee0 [ 26.714143] Kernel panic - not syncing: Fatal exception [ 26.716893] Kernel Offset: disabled [ 26.718911] Rebooting in 5 seconds.. I did a bisect in linux-5.10.y branch and found the fbc is commit 2474ec58b96d("bpf: allow precision tracking for programs with subprogs"). I noticed there is a commit in Linus master branch that has a fix tag for this bisected commit: commit 81335f90e8a8("bpf: unconditionally reset backtrack_state masks on global func exit"), I tried to apply it in this 5.10.y branch but since the bases are quite different, clean apply is not possible, I end up with the following diff: diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 40ac67a04ab75..71da33fb96552 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -2118,11 +2118,9 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int frame, int r bitmap_from_u64(mask, reg_mask); for_each_set_bit(i, mask, 32) { reg = &st->frame[0]->regs[i]; - if (reg->type != SCALAR_VALUE) { - reg_mask &= ~(1u << i); - continue; - } - reg->precise = true; + reg_mask &= ~(1u << i); + if (reg->type == SCALAR_VALUE) + reg->precise = true; } return 0; } But it didn't make any difference. Here are the reproduce steps: 1 clone this repo https://github.com/bytedance/vArmor-ebpf and switch to panic-analysis branch; 2 make build A binary named main should be built. I used golang compiler downloaded here: https://go.dev/dl/go1.24.3.linux-amd64.tar.gz but other golang compiler may also work. Run main as root and it will panic the host(kernel needs CONFIG_BPF_LSM). Full dmesg and config are attached, feel free to let me know if you need any additional info, thanks. P.S. linux-5.15.y has the same situation.

2 months

3
11
0 0

[PATCH 1/1] iommu/sva: Invalidate KVA range on kernel TLB flush

by Lu Baolu

The vmalloc() and vfree() functions manage virtually contiguous, but not necessarily physically contiguous, kernel memory regions. When vfree() unmaps such a region, it tears down the associated kernel page table entries and frees the physical pages. In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware shares and walks the CPU's page tables. Architectures like x86 share static kernel address mappings across all user page tables, allowing the IOMMU to access the kernel portion of these tables. Modern IOMMUs often cache page table entries to optimize walk performance, even for intermediate page table levels. If kernel page table mappings are changed (e.g., by vfree()), but the IOMMU's internal caches retain stale entries, Use-After-Free (UAF) vulnerability condition arises. If these freed page table pages are reallocated for a different purpose, potentially by an attacker, the IOMMU could misinterpret the new data as valid page table entries. This allows the IOMMU to walk into attacker-controlled memory, leading to arbitrary physical memory DMA access or privilege escalation. To mitigate this, introduce a new iommu interface to flush IOMMU caches and fence pending page table walks when kernel page mappings are updated. This interface should be invoked from architecture-specific code that manages combined user and kernel page tables. Fixes: 26b25a2b98e4 ("iommu: Bind process address spaces to devices") Cc: stable(a)vger.kernel.org Co-developed-by: Jason Gunthorpe <jgg(a)nvidia.com> Signed-off-by: Jason Gunthorpe <jgg(a)nvidia.com> Signed-off-by: Lu Baolu <baolu.lu(a)linux.intel.com> --- arch/x86/mm/tlb.c | 2 ++ drivers/iommu/iommu-sva.c | 32 +++++++++++++++++++++++++++++++- include/linux/iommu.h | 4 ++++ 3 files changed, 37 insertions(+), 1 deletion(-) diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c index 39f80111e6f1..a41499dfdc3f 100644 --- a/arch/x86/mm/tlb.c +++ b/arch/x86/mm/tlb.c @@ -12,6 +12,7 @@ #include <linux/task_work.h> #include <linux/mmu_notifier.h> #include <linux/mmu_context.h> +#include <linux/iommu.h> #include <asm/tlbflush.h> #include <asm/mmu_context.h> @@ -1540,6 +1541,7 @@ void flush_tlb_kernel_range(unsigned long start, unsigned long end) kernel_tlb_flush_range(info); put_flush_tlb_info(); + iommu_sva_invalidate_kva_range(start, end); } /* diff --git a/drivers/iommu/iommu-sva.c b/drivers/iommu/iommu-sva.c index 1a51cfd82808..154384eab8a3 100644 --- a/drivers/iommu/iommu-sva.c +++ b/drivers/iommu/iommu-sva.c @@ -10,6 +10,8 @@ #include "iommu-priv.h" static DEFINE_MUTEX(iommu_sva_lock); +static DEFINE_STATIC_KEY_FALSE(iommu_sva_present); +static LIST_HEAD(iommu_sva_mms); static struct iommu_domain *iommu_sva_domain_alloc(struct device *dev, struct mm_struct *mm); @@ -42,6 +44,7 @@ static struct iommu_mm_data *iommu_alloc_mm_data(struct mm_struct *mm, struct de return ERR_PTR(-ENOSPC); } iommu_mm->pasid = pasid; + iommu_mm->mm = mm; INIT_LIST_HEAD(&iommu_mm->sva_domains); /* * Make sure the write to mm->iommu_mm is not reordered in front of @@ -132,8 +135,13 @@ struct iommu_sva *iommu_sva_bind_device(struct device *dev, struct mm_struct *mm if (ret) goto out_free_domain; domain->users = 1; - list_add(&domain->next, &mm->iommu_mm->sva_domains); + if (list_empty(&iommu_mm->sva_domains)) { + if (list_empty(&iommu_sva_mms)) + static_branch_enable(&iommu_sva_present); + list_add(&iommu_mm->mm_list_elm, &iommu_sva_mms); + } + list_add(&domain->next, &iommu_mm->sva_domains); out: refcount_set(&handle->users, 1); mutex_unlock(&iommu_sva_lock); @@ -175,6 +183,13 @@ void iommu_sva_unbind_device(struct iommu_sva *handle) list_del(&domain->next); iommu_domain_free(domain); } + + if (list_empty(&iommu_mm->sva_domains)) { + list_del(&iommu_mm->mm_list_elm); + if (list_empty(&iommu_sva_mms)) + static_branch_disable(&iommu_sva_present); + } + mutex_unlock(&iommu_sva_lock); kfree(handle); } @@ -312,3 +327,18 @@ static struct iommu_domain *iommu_sva_domain_alloc(struct device *dev, return domain; } + +void iommu_sva_invalidate_kva_range(unsigned long start, unsigned long end) +{ + struct iommu_mm_data *iommu_mm; + + might_sleep(); + + if (!static_branch_unlikely(&iommu_sva_present)) + return; + + guard(mutex)(&iommu_sva_lock); + list_for_each_entry(iommu_mm, &iommu_sva_mms, mm_list_elm) + mmu_notifier_arch_invalidate_secondary_tlbs(iommu_mm->mm, start, end); +} +EXPORT_SYMBOL_GPL(iommu_sva_invalidate_kva_range); diff --git a/include/linux/iommu.h b/include/linux/iommu.h index 156732807994..31330c12b8ee 100644 --- a/include/linux/iommu.h +++ b/include/linux/iommu.h @@ -1090,7 +1090,9 @@ struct iommu_sva { struct iommu_mm_data { u32 pasid; + struct mm_struct *mm; struct list_head sva_domains; + struct list_head mm_list_elm; }; int iommu_fwspec_init(struct device *dev, struct fwnode_handle *iommu_fwnode); @@ -1571,6 +1573,7 @@ struct iommu_sva *iommu_sva_bind_device(struct device *dev, struct mm_struct *mm); void iommu_sva_unbind_device(struct iommu_sva *handle); u32 iommu_sva_get_pasid(struct iommu_sva *handle); +void iommu_sva_invalidate_kva_range(unsigned long start, unsigned long end); #else static inline struct iommu_sva * iommu_sva_bind_device(struct device *dev, struct mm_struct *mm) @@ -1595,6 +1598,7 @@ static inline u32 mm_get_enqcmd_pasid(struct mm_struct *mm) } static inline void mm_pasid_drop(struct mm_struct *mm) {} +static inline void iommu_sva_invalidate_kva_range(unsigned long start, unsigned long end) {} #endif /* CONFIG_IOMMU_SVA */ #ifdef CONFIG_IOMMU_IOPF -- 2.43.0

2 months

11
22
0 0

[PATCH net-next v2 1/2] net: ipv4: fix incorrect MTU in broadcast routes

by Oscar Maes

Currently, __mkroute_output overrules the MTU value configured for broadcast routes. This buggy behaviour can be reproduced with: ip link set dev eth1 mtu 9000 ip route del broadcast 192.168.0.255 dev eth1 proto kernel scope link src 192.168.0.2 ip route add broadcast 192.168.0.255 dev eth1 proto kernel scope link src 192.168.0.2 mtu 1500 The maximum packet size should be 1500, but it is actually 8000: ping -b 192.168.0.255 -s 8000 Fix __mkroute_output to allow MTU values to be configured for for broadcast routes (to support a mixed-MTU local-area-network). Signed-off-by: Oscar Maes <oscmaes92(a)gmail.com> --- net/ipv4/route.c | 1 - 1 file changed, 1 deletion(-) diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 64ba377cd..f639a2ae8 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -2588,7 +2588,6 @@ static struct rtable *__mkroute_output(const struct fib_result *res, do_cache = true; if (type == RTN_BROADCAST) { flags |= RTCF_BROADCAST | RTCF_LOCAL; - fi = NULL; } else if (type == RTN_MULTICAST) { flags |= RTCF_MULTICAST | RTCF_LOCAL; if (!ip_check_mc_rcu(in_dev, fl4->daddr, fl4->saddr, -- 2.39.5

2 months

3
3
0 0

[PATCH AUTOSEL 5.4] rxrpc: Fix oops due to non-existence of prealloc backlog struct

by Sasha Levin

From: David Howells <dhowells(a)redhat.com> [ Upstream commit 880a88f318cf1d2a0f4c0a7ff7b07e2062b434a4 ] If an AF_RXRPC service socket is opened and bound, but calls are preallocated, then rxrpc_alloc_incoming_call() will oops because the rxrpc_backlog struct doesn't get allocated until the first preallocation is made. Fix this by returning NULL from rxrpc_alloc_incoming_call() if there is no backlog struct. This will cause the incoming call to be aborted. Reported-by: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> Suggested-by: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> Signed-off-by: David Howells <dhowells(a)redhat.com> cc: LePremierHomme <kwqcheii(a)proton.me> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Willy Tarreau <w(a)1wt.eu> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org Link: https://patch.msgid.link/20250708211506.2699012-3-dhowells@redhat.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: **YES** This commit should be backported to stable kernel trees for the following reasons: 1. **Fixes a Critical Kernel Oops**: The commit addresses a NULL pointer dereference that causes a kernel crash when `rx->backlog` is NULL. At line 257 of the original code, `smp_load_acquire(&b->call_backlog_head)` would dereference a NULL pointer if no preallocation was done. 2. **Minimal and Safe Fix**: The fix is a simple defensive check: ```c + if (!b) + return NULL; ``` This is placed immediately after obtaining the backlog pointer and before any usage. The fix has zero risk of regression - if `b` is NULL, the code would have crashed anyway. 3. **Clear Reproducible Scenario**: The bug occurs in a specific but realistic scenario - when an AF_RXRPC service socket is opened and bound but no calls are preallocated (meaning `rxrpc_service_prealloc()` was never called to allocate the backlog structure). 4. **Follows Stable Kernel Rules**: This fix meets all criteria for stable backporting: - Fixes a real bug that users can hit - Small and contained change (2 lines) - Obviously correct with no side effects - Already tested and merged upstream 5. **Similar to Previously Backported Fixes**: Looking at Similar Commit #2 which was marked YES, it also fixed an oops in the rxrpc preallocation/backlog system with minimal changes. The commit prevents a kernel crash with a trivial NULL check, making it an ideal candidate for stable backporting. net/rxrpc/call_accept.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c index 55fb3744552de..99f05057e4c90 100644 --- a/net/rxrpc/call_accept.c +++ b/net/rxrpc/call_accept.c @@ -281,6 +281,9 @@ static struct rxrpc_call *rxrpc_alloc_incoming_call(struct rxrpc_sock *rx, unsigned short call_tail, conn_tail, peer_tail; unsigned short call_count, conn_count; + if (!b) + return NULL; + /* #calls >= #conns >= #peers must hold true. */ call_head = smp_load_acquire(&b->call_backlog_head); call_tail = b->call_backlog_tail; -- 2.39.5

2 months

1
0
0 0

[PATCH AUTOSEL 5.10] rxrpc: Fix oops due to non-existence of prealloc backlog struct

by Sasha Levin

From: David Howells <dhowells(a)redhat.com> [ Upstream commit 880a88f318cf1d2a0f4c0a7ff7b07e2062b434a4 ] If an AF_RXRPC service socket is opened and bound, but calls are preallocated, then rxrpc_alloc_incoming_call() will oops because the rxrpc_backlog struct doesn't get allocated until the first preallocation is made. Fix this by returning NULL from rxrpc_alloc_incoming_call() if there is no backlog struct. This will cause the incoming call to be aborted. Reported-by: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> Suggested-by: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> Signed-off-by: David Howells <dhowells(a)redhat.com> cc: LePremierHomme <kwqcheii(a)proton.me> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Willy Tarreau <w(a)1wt.eu> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org Link: https://patch.msgid.link/20250708211506.2699012-3-dhowells@redhat.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: **YES** This commit should be backported to stable kernel trees for the following reasons: 1. **Fixes a Critical Kernel Oops**: The commit addresses a NULL pointer dereference that causes a kernel crash when `rx->backlog` is NULL. At line 257 of the original code, `smp_load_acquire(&b->call_backlog_head)` would dereference a NULL pointer if no preallocation was done. 2. **Minimal and Safe Fix**: The fix is a simple defensive check: ```c + if (!b) + return NULL; ``` This is placed immediately after obtaining the backlog pointer and before any usage. The fix has zero risk of regression - if `b` is NULL, the code would have crashed anyway. 3. **Clear Reproducible Scenario**: The bug occurs in a specific but realistic scenario - when an AF_RXRPC service socket is opened and bound but no calls are preallocated (meaning `rxrpc_service_prealloc()` was never called to allocate the backlog structure). 4. **Follows Stable Kernel Rules**: This fix meets all criteria for stable backporting: - Fixes a real bug that users can hit - Small and contained change (2 lines) - Obviously correct with no side effects - Already tested and merged upstream 5. **Similar to Previously Backported Fixes**: Looking at Similar Commit #2 which was marked YES, it also fixed an oops in the rxrpc preallocation/backlog system with minimal changes. The commit prevents a kernel crash with a trivial NULL check, making it an ideal candidate for stable backporting. net/rxrpc/call_accept.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c index 2a14d69b171f3..b96af42a1b041 100644 --- a/net/rxrpc/call_accept.c +++ b/net/rxrpc/call_accept.c @@ -271,6 +271,9 @@ static struct rxrpc_call *rxrpc_alloc_incoming_call(struct rxrpc_sock *rx, unsigned short call_tail, conn_tail, peer_tail; unsigned short call_count, conn_count; + if (!b) + return NULL; + /* #calls >= #conns >= #peers must hold true. */ call_head = smp_load_acquire(&b->call_backlog_head); call_tail = b->call_backlog_tail; -- 2.39.5

2 months

1
0
0 0

[PATCH AUTOSEL 5.15 1/3] rxrpc: Fix oops due to non-existence of prealloc backlog struct

by Sasha Levin

From: David Howells <dhowells(a)redhat.com> [ Upstream commit 880a88f318cf1d2a0f4c0a7ff7b07e2062b434a4 ] If an AF_RXRPC service socket is opened and bound, but calls are preallocated, then rxrpc_alloc_incoming_call() will oops because the rxrpc_backlog struct doesn't get allocated until the first preallocation is made. Fix this by returning NULL from rxrpc_alloc_incoming_call() if there is no backlog struct. This will cause the incoming call to be aborted. Reported-by: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> Suggested-by: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> Signed-off-by: David Howells <dhowells(a)redhat.com> cc: LePremierHomme <kwqcheii(a)proton.me> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Willy Tarreau <w(a)1wt.eu> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org Link: https://patch.msgid.link/20250708211506.2699012-3-dhowells@redhat.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: **YES** This commit should be backported to stable kernel trees for the following reasons: 1. **Fixes a Critical Kernel Oops**: The commit addresses a NULL pointer dereference that causes a kernel crash when `rx->backlog` is NULL. At line 257 of the original code, `smp_load_acquire(&b->call_backlog_head)` would dereference a NULL pointer if no preallocation was done. 2. **Minimal and Safe Fix**: The fix is a simple defensive check: ```c + if (!b) + return NULL; ``` This is placed immediately after obtaining the backlog pointer and before any usage. The fix has zero risk of regression - if `b` is NULL, the code would have crashed anyway. 3. **Clear Reproducible Scenario**: The bug occurs in a specific but realistic scenario - when an AF_RXRPC service socket is opened and bound but no calls are preallocated (meaning `rxrpc_service_prealloc()` was never called to allocate the backlog structure). 4. **Follows Stable Kernel Rules**: This fix meets all criteria for stable backporting: - Fixes a real bug that users can hit - Small and contained change (2 lines) - Obviously correct with no side effects - Already tested and merged upstream 5. **Similar to Previously Backported Fixes**: Looking at Similar Commit #2 which was marked YES, it also fixed an oops in the rxrpc preallocation/backlog system with minimal changes. The commit prevents a kernel crash with a trivial NULL check, making it an ideal candidate for stable backporting. net/rxrpc/call_accept.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c index 99e10eea37321..658b592e58e05 100644 --- a/net/rxrpc/call_accept.c +++ b/net/rxrpc/call_accept.c @@ -270,6 +270,9 @@ static struct rxrpc_call *rxrpc_alloc_incoming_call(struct rxrpc_sock *rx, unsigned short call_tail, conn_tail, peer_tail; unsigned short call_count, conn_count; + if (!b) + return NULL; + /* #calls >= #conns >= #peers must hold true. */ call_head = smp_load_acquire(&b->call_backlog_head); call_tail = b->call_backlog_tail; -- 2.39.5

2 months

1
2
0 0

[PATCH AUTOSEL 6.1 1/4] net/sched: sch_qfq: Fix null-deref in agg_dequeue

by Sasha Levin

From: Xiang Mei <xmei5(a)asu.edu> [ Upstream commit dd831ac8221e691e9e918585b1003c7071df0379 ] To prevent a potential crash in agg_dequeue (net/sched/sch_qfq.c) when cl->qdisc->ops->peek(cl->qdisc) returns NULL, we check the return value before using it, similar to the existing approach in sch_hfsc.c. To avoid code duplication, the following changes are made: 1. Changed qdisc_warn_nonwc(include/net/pkt_sched.h) into a static inline function. 2. Moved qdisc_peek_len from net/sched/sch_hfsc.c to include/net/pkt_sched.h so that sch_qfq can reuse it. 3. Applied qdisc_peek_len in agg_dequeue to avoid crashing. Signed-off-by: Xiang Mei <xmei5(a)asu.edu> Reviewed-by: Cong Wang <xiyou.wangcong(a)gmail.com> Link: https://patch.msgid.link/20250705212143.3982664-1-xmei5@asu.edu Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: Based on my analysis of the commit and related code, here is my assessment: **YES** - This commit should be backported to stable kernel trees. Here's my extensive explanation: ## Reason for Backporting 1. **Real Bug Fix**: This commit fixes a NULL pointer dereference bug in `agg_dequeue()` function in `net/sched/sch_qfq.c`. The bug occurs when `cl->qdisc->ops->peek(cl->qdisc)` returns NULL, but the code at line 992 (before the fix) directly uses this potentially NULL value in `qdisc_pkt_len()` without checking: ```c else if (cl->deficit < qdisc_pkt_len(cl->qdisc->ops->peek(cl->qdisc))) ``` 2. **Crash Prevention**: This is not a theoretical issue - it causes an actual kernel crash (NULL pointer dereference) that can affect system stability. This meets the stable kernel criteria of fixing "a real bug that bothers people" including "an oops, a hang, data corruption." 3. **Similar Patterns in Other Schedulers**: The commit shows that this pattern of NULL checking after peek operations is already implemented in other packet schedulers: - `sch_hfsc.c` already has the `qdisc_peek_len()` function with NULL checking - `sch_drr.c` checks for NULL after peek operations (lines 385-387) - The similar commit #1 shows DRR had a similar issue fixed 4. **Minimal and Contained Fix**: The fix is: - Small in size (well under 100 lines) - Obviously correct - it adds proper NULL checking - Moves existing code to be reusable - Makes the code more consistent across schedulers 5. **Precedent from Similar Commits**: Looking at the historical commits: - Similar commit #2 (sch_codel NULL check) was backported (Status: YES) - Similar commit #3 (multiple schedulers NULL handling) was backported (Status: YES) - Both dealt with NULL pointer handling in packet scheduler dequeue paths 6. **Code Consolidation**: The fix properly consolidates the NULL checking logic: - Converts `qdisc_warn_nonwc` from a regular function to static inline (reducing overhead) - Moves `qdisc_peek_len` from sch_hfsc.c to the common header so it can be reused - Uses the same pattern across multiple schedulers for consistency 7. **Tested Pattern**: The `qdisc_peek_len()` function being moved has been in use in sch_hfsc.c, proving it's a tested and working solution. 8. **Security Consideration**: While not explicitly a security vulnerability, NULL pointer dereferences can potentially be exploited for denial of service attacks, making this fix important for system stability. The commit follows all the stable kernel rules: it fixes a real bug (NULL pointer dereference), is obviously correct (adds NULL check), is small and contained, and improves consistency across the codebase. The pattern of backporting similar NULL check fixes in packet schedulers (as seen in similar commits #2 and #3) supports backporting this fix as well. include/net/pkt_sched.h | 25 ++++++++++++++++++++++++- net/sched/sch_api.c | 10 ---------- net/sched/sch_hfsc.c | 16 ---------------- net/sched/sch_qfq.c | 2 +- 4 files changed, 25 insertions(+), 28 deletions(-) diff --git a/include/net/pkt_sched.h b/include/net/pkt_sched.h index f99a513b40a92..76f9fb651faff 100644 --- a/include/net/pkt_sched.h +++ b/include/net/pkt_sched.h @@ -113,7 +113,6 @@ struct qdisc_rate_table *qdisc_get_rtab(struct tc_ratespec *r, struct netlink_ext_ack *extack); void qdisc_put_rtab(struct qdisc_rate_table *tab); void qdisc_put_stab(struct qdisc_size_table *tab); -void qdisc_warn_nonwc(const char *txt, struct Qdisc *qdisc); bool sch_direct_xmit(struct sk_buff *skb, struct Qdisc *q, struct net_device *dev, struct netdev_queue *txq, spinlock_t *root_lock, bool validate); @@ -247,4 +246,28 @@ static inline bool tc_qdisc_stats_dump(struct Qdisc *sch, return true; } +static inline void qdisc_warn_nonwc(const char *txt, struct Qdisc *qdisc) +{ + if (!(qdisc->flags & TCQ_F_WARN_NONWC)) { + pr_warn("%s: %s qdisc %X: is non-work-conserving?\n", + txt, qdisc->ops->id, qdisc->handle >> 16); + qdisc->flags |= TCQ_F_WARN_NONWC; + } +} + +static inline unsigned int qdisc_peek_len(struct Qdisc *sch) +{ + struct sk_buff *skb; + unsigned int len; + + skb = sch->ops->peek(sch); + if (unlikely(skb == NULL)) { + qdisc_warn_nonwc("qdisc_peek_len", sch); + return 0; + } + len = qdisc_pkt_len(skb); + + return len; +} + #endif diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c index 7c5df62421bbd..6a2d258b01daa 100644 --- a/net/sched/sch_api.c +++ b/net/sched/sch_api.c @@ -593,16 +593,6 @@ void __qdisc_calculate_pkt_len(struct sk_buff *skb, qdisc_skb_cb(skb)->pkt_len = pkt_len; } -void qdisc_warn_nonwc(const char *txt, struct Qdisc *qdisc) -{ - if (!(qdisc->flags & TCQ_F_WARN_NONWC)) { - pr_warn("%s: %s qdisc %X: is non-work-conserving?\n", - txt, qdisc->ops->id, qdisc->handle >> 16); - qdisc->flags |= TCQ_F_WARN_NONWC; - } -} -EXPORT_SYMBOL(qdisc_warn_nonwc); - static enum hrtimer_restart qdisc_watchdog(struct hrtimer *timer) { struct qdisc_watchdog *wd = container_of(timer, struct qdisc_watchdog, diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c index 61b91de8065f0..302413e0aceff 100644 --- a/net/sched/sch_hfsc.c +++ b/net/sched/sch_hfsc.c @@ -836,22 +836,6 @@ update_vf(struct hfsc_class *cl, unsigned int len, u64 cur_time) } } -static unsigned int -qdisc_peek_len(struct Qdisc *sch) -{ - struct sk_buff *skb; - unsigned int len; - - skb = sch->ops->peek(sch); - if (unlikely(skb == NULL)) { - qdisc_warn_nonwc("qdisc_peek_len", sch); - return 0; - } - len = qdisc_pkt_len(skb); - - return len; -} - static void hfsc_adjust_levels(struct hfsc_class *cl) { diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c index 6462468bf77c7..cde6c7026ab1d 100644 --- a/net/sched/sch_qfq.c +++ b/net/sched/sch_qfq.c @@ -991,7 +991,7 @@ static struct sk_buff *agg_dequeue(struct qfq_aggregate *agg, if (cl->qdisc->q.qlen == 0) /* no more packets, remove from list */ list_del_init(&cl->alist); - else if (cl->deficit < qdisc_pkt_len(cl->qdisc->ops->peek(cl->qdisc))) { + else if (cl->deficit < qdisc_peek_len(cl->qdisc)) { cl->deficit += agg->lmax; list_move_tail(&cl->alist, &agg->active); } -- 2.39.5

2 months

1
3
0 0

[PATCH AUTOSEL 6.6 1/6] net/sched: sch_qfq: Fix null-deref in agg_dequeue

by Sasha Levin

From: Xiang Mei <xmei5(a)asu.edu> [ Upstream commit dd831ac8221e691e9e918585b1003c7071df0379 ] To prevent a potential crash in agg_dequeue (net/sched/sch_qfq.c) when cl->qdisc->ops->peek(cl->qdisc) returns NULL, we check the return value before using it, similar to the existing approach in sch_hfsc.c. To avoid code duplication, the following changes are made: 1. Changed qdisc_warn_nonwc(include/net/pkt_sched.h) into a static inline function. 2. Moved qdisc_peek_len from net/sched/sch_hfsc.c to include/net/pkt_sched.h so that sch_qfq can reuse it. 3. Applied qdisc_peek_len in agg_dequeue to avoid crashing. Signed-off-by: Xiang Mei <xmei5(a)asu.edu> Reviewed-by: Cong Wang <xiyou.wangcong(a)gmail.com> Link: https://patch.msgid.link/20250705212143.3982664-1-xmei5@asu.edu Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: Based on my analysis of the commit and related code, here is my assessment: **YES** - This commit should be backported to stable kernel trees. Here's my extensive explanation: ## Reason for Backporting 1. **Real Bug Fix**: This commit fixes a NULL pointer dereference bug in `agg_dequeue()` function in `net/sched/sch_qfq.c`. The bug occurs when `cl->qdisc->ops->peek(cl->qdisc)` returns NULL, but the code at line 992 (before the fix) directly uses this potentially NULL value in `qdisc_pkt_len()` without checking: ```c else if (cl->deficit < qdisc_pkt_len(cl->qdisc->ops->peek(cl->qdisc))) ``` 2. **Crash Prevention**: This is not a theoretical issue - it causes an actual kernel crash (NULL pointer dereference) that can affect system stability. This meets the stable kernel criteria of fixing "a real bug that bothers people" including "an oops, a hang, data corruption." 3. **Similar Patterns in Other Schedulers**: The commit shows that this pattern of NULL checking after peek operations is already implemented in other packet schedulers: - `sch_hfsc.c` already has the `qdisc_peek_len()` function with NULL checking - `sch_drr.c` checks for NULL after peek operations (lines 385-387) - The similar commit #1 shows DRR had a similar issue fixed 4. **Minimal and Contained Fix**: The fix is: - Small in size (well under 100 lines) - Obviously correct - it adds proper NULL checking - Moves existing code to be reusable - Makes the code more consistent across schedulers 5. **Precedent from Similar Commits**: Looking at the historical commits: - Similar commit #2 (sch_codel NULL check) was backported (Status: YES) - Similar commit #3 (multiple schedulers NULL handling) was backported (Status: YES) - Both dealt with NULL pointer handling in packet scheduler dequeue paths 6. **Code Consolidation**: The fix properly consolidates the NULL checking logic: - Converts `qdisc_warn_nonwc` from a regular function to static inline (reducing overhead) - Moves `qdisc_peek_len` from sch_hfsc.c to the common header so it can be reused - Uses the same pattern across multiple schedulers for consistency 7. **Tested Pattern**: The `qdisc_peek_len()` function being moved has been in use in sch_hfsc.c, proving it's a tested and working solution. 8. **Security Consideration**: While not explicitly a security vulnerability, NULL pointer dereferences can potentially be exploited for denial of service attacks, making this fix important for system stability. The commit follows all the stable kernel rules: it fixes a real bug (NULL pointer dereference), is obviously correct (adds NULL check), is small and contained, and improves consistency across the codebase. The pattern of backporting similar NULL check fixes in packet schedulers (as seen in similar commits #2 and #3) supports backporting this fix as well. include/net/pkt_sched.h | 25 ++++++++++++++++++++++++- net/sched/sch_api.c | 10 ---------- net/sched/sch_hfsc.c | 16 ---------------- net/sched/sch_qfq.c | 2 +- 4 files changed, 25 insertions(+), 28 deletions(-) diff --git a/include/net/pkt_sched.h b/include/net/pkt_sched.h index 15960564e0c36..4d72d24b1f33e 100644 --- a/include/net/pkt_sched.h +++ b/include/net/pkt_sched.h @@ -112,7 +112,6 @@ struct qdisc_rate_table *qdisc_get_rtab(struct tc_ratespec *r, struct netlink_ext_ack *extack); void qdisc_put_rtab(struct qdisc_rate_table *tab); void qdisc_put_stab(struct qdisc_size_table *tab); -void qdisc_warn_nonwc(const char *txt, struct Qdisc *qdisc); bool sch_direct_xmit(struct sk_buff *skb, struct Qdisc *q, struct net_device *dev, struct netdev_queue *txq, spinlock_t *root_lock, bool validate); @@ -306,4 +305,28 @@ static inline bool tc_qdisc_stats_dump(struct Qdisc *sch, return true; } +static inline void qdisc_warn_nonwc(const char *txt, struct Qdisc *qdisc) +{ + if (!(qdisc->flags & TCQ_F_WARN_NONWC)) { + pr_warn("%s: %s qdisc %X: is non-work-conserving?\n", + txt, qdisc->ops->id, qdisc->handle >> 16); + qdisc->flags |= TCQ_F_WARN_NONWC; + } +} + +static inline unsigned int qdisc_peek_len(struct Qdisc *sch) +{ + struct sk_buff *skb; + unsigned int len; + + skb = sch->ops->peek(sch); + if (unlikely(skb == NULL)) { + qdisc_warn_nonwc("qdisc_peek_len", sch); + return 0; + } + len = qdisc_pkt_len(skb); + + return len; +} + #endif diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c index 282423106f15d..ae63b3199b1d1 100644 --- a/net/sched/sch_api.c +++ b/net/sched/sch_api.c @@ -594,16 +594,6 @@ void __qdisc_calculate_pkt_len(struct sk_buff *skb, qdisc_skb_cb(skb)->pkt_len = pkt_len; } -void qdisc_warn_nonwc(const char *txt, struct Qdisc *qdisc) -{ - if (!(qdisc->flags & TCQ_F_WARN_NONWC)) { - pr_warn("%s: %s qdisc %X: is non-work-conserving?\n", - txt, qdisc->ops->id, qdisc->handle >> 16); - qdisc->flags |= TCQ_F_WARN_NONWC; - } -} -EXPORT_SYMBOL(qdisc_warn_nonwc); - static enum hrtimer_restart qdisc_watchdog(struct hrtimer *timer) { struct qdisc_watchdog *wd = container_of(timer, struct qdisc_watchdog, diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c index afcb83d469ff6..751b1e2c35b3f 100644 --- a/net/sched/sch_hfsc.c +++ b/net/sched/sch_hfsc.c @@ -835,22 +835,6 @@ update_vf(struct hfsc_class *cl, unsigned int len, u64 cur_time) } } -static unsigned int -qdisc_peek_len(struct Qdisc *sch) -{ - struct sk_buff *skb; - unsigned int len; - - skb = sch->ops->peek(sch); - if (unlikely(skb == NULL)) { - qdisc_warn_nonwc("qdisc_peek_len", sch); - return 0; - } - len = qdisc_pkt_len(skb); - - return len; -} - static void hfsc_adjust_levels(struct hfsc_class *cl) { diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c index 5e557b960bde3..e0cefa21ce21c 100644 --- a/net/sched/sch_qfq.c +++ b/net/sched/sch_qfq.c @@ -992,7 +992,7 @@ static struct sk_buff *agg_dequeue(struct qfq_aggregate *agg, if (cl->qdisc->q.qlen == 0) /* no more packets, remove from list */ list_del_init(&cl->alist); - else if (cl->deficit < qdisc_pkt_len(cl->qdisc->ops->peek(cl->qdisc))) { + else if (cl->deficit < qdisc_peek_len(cl->qdisc)) { cl->deficit += agg->lmax; list_move_tail(&cl->alist, &agg->active); } -- 2.39.5

2 months

1
5
0 0

[PATCH AUTOSEL 6.12 01/12] wifi: mac80211: always initialize sdata::key_list

by Sasha Levin

From: Miri Korenblit <miriam.rachel.korenblit(a)intel.com> [ Upstream commit d7a54d02db41f72f0581a3c77c75b0993ed3f6e2 ] This is currently not initialized for a virtual monitor, leading to a NULL pointer dereference when - for example - iterating over all the keys of all the vifs. Reviewed-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Miri Korenblit <miriam.rachel.korenblit(a)intel.com> Link: https://patch.msgid.link/20250709233400.8dcefe578497.I4c90a00ae3256520e0631… Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: Based on my analysis of the commit and the code changes, here is my assessment: **YES** This commit should be backported to stable kernel trees for the following reasons: 1. **Critical NULL Pointer Dereference Fix**: The commit fixes a NULL pointer dereference that occurs when iterating over the key_list of virtual monitor interfaces. This is a crash-inducing bug that affects system stability. 2. **Clear Bug with Simple Fix**: The issue is straightforward - the `key_list` was not initialized for virtual monitor interfaces created via `ieee80211_add_virtual_monitor()`. The fix is minimal and contained - it simply moves the `INIT_LIST_HEAD(&sdata->key_list)` initialization from `ieee80211_if_add()` into `ieee80211_sdata_init()`, ensuring all sdata structures have their key_list properly initialized. 3. **Real-World Impact**: The bug can be triggered when any code iterates over all interfaces and their keys. Looking at the code, functions like `ieee80211_iter_keys()` and `ieee80211_iter_keys_rcu()` iterate through all interfaces when called without a specific vif parameter: ```c list_for_each_entry(sdata, &local->interfaces, list) list_for_each_entry_safe(key, tmp, &sdata->key_list, list) ``` This would cause a NULL pointer dereference when it encounters a virtual monitor interface. 4. **Minimal Risk**: The change is extremely low risk - it only adds initialization of a list head that should have been initialized all along. There are no architectural changes or feature additions. 5. **Follows Stable Rules**: This perfectly fits the stable kernel criteria: - Fixes a real bug (NULL pointer dereference/crash) - Small and contained change (2 lines moved) - Obviously correct fix - No new features or behaviors introduced The commit is similar in nature to commit #5 in the reference list which was marked as suitable for backporting - both fix NULL pointer dereferences in the wifi/mac80211 subsystem with minimal, targeted changes. net/mac80211/iface.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c index 209d6ffa8e426..adfdc14bd91ac 100644 --- a/net/mac80211/iface.c +++ b/net/mac80211/iface.c @@ -1121,6 +1121,8 @@ static void ieee80211_sdata_init(struct ieee80211_local *local, { sdata->local = local; + INIT_LIST_HEAD(&sdata->key_list); + /* * Initialize the default link, so we can use link_id 0 for non-MLD, * and that continues to work for non-MLD-aware drivers that use just @@ -2162,8 +2164,6 @@ int ieee80211_if_add(struct ieee80211_local *local, const char *name, ieee80211_init_frag_cache(&sdata->frags); - INIT_LIST_HEAD(&sdata->key_list); - wiphy_delayed_work_init(&sdata->dec_tailroom_needed_wk, ieee80211_delayed_tailroom_dec); -- 2.39.5

2 months

1
11
0 0

[PATCH AUTOSEL 6.15 01/15] wifi: mac80211: always initialize sdata::key_list

by Sasha Levin

From: Miri Korenblit <miriam.rachel.korenblit(a)intel.com> [ Upstream commit d7a54d02db41f72f0581a3c77c75b0993ed3f6e2 ] This is currently not initialized for a virtual monitor, leading to a NULL pointer dereference when - for example - iterating over all the keys of all the vifs. Reviewed-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Miri Korenblit <miriam.rachel.korenblit(a)intel.com> Link: https://patch.msgid.link/20250709233400.8dcefe578497.I4c90a00ae3256520e0631… Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: Based on my analysis of the commit and the code changes, here is my assessment: **YES** This commit should be backported to stable kernel trees for the following reasons: 1. **Critical NULL Pointer Dereference Fix**: The commit fixes a NULL pointer dereference that occurs when iterating over the key_list of virtual monitor interfaces. This is a crash-inducing bug that affects system stability. 2. **Clear Bug with Simple Fix**: The issue is straightforward - the `key_list` was not initialized for virtual monitor interfaces created via `ieee80211_add_virtual_monitor()`. The fix is minimal and contained - it simply moves the `INIT_LIST_HEAD(&sdata->key_list)` initialization from `ieee80211_if_add()` into `ieee80211_sdata_init()`, ensuring all sdata structures have their key_list properly initialized. 3. **Real-World Impact**: The bug can be triggered when any code iterates over all interfaces and their keys. Looking at the code, functions like `ieee80211_iter_keys()` and `ieee80211_iter_keys_rcu()` iterate through all interfaces when called without a specific vif parameter: ```c list_for_each_entry(sdata, &local->interfaces, list) list_for_each_entry_safe(key, tmp, &sdata->key_list, list) ``` This would cause a NULL pointer dereference when it encounters a virtual monitor interface. 4. **Minimal Risk**: The change is extremely low risk - it only adds initialization of a list head that should have been initialized all along. There are no architectural changes or feature additions. 5. **Follows Stable Rules**: This perfectly fits the stable kernel criteria: - Fixes a real bug (NULL pointer dereference/crash) - Small and contained change (2 lines moved) - Obviously correct fix - No new features or behaviors introduced The commit is similar in nature to commit #5 in the reference list which was marked as suitable for backporting - both fix NULL pointer dereferences in the wifi/mac80211 subsystem with minimal, targeted changes. net/mac80211/iface.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c index 7d93e5aa595b2..0485a78eda366 100644 --- a/net/mac80211/iface.c +++ b/net/mac80211/iface.c @@ -1117,6 +1117,8 @@ static void ieee80211_sdata_init(struct ieee80211_local *local, { sdata->local = local; + INIT_LIST_HEAD(&sdata->key_list); + /* * Initialize the default link, so we can use link_id 0 for non-MLD, * and that continues to work for non-MLD-aware drivers that use just @@ -2177,8 +2179,6 @@ int ieee80211_if_add(struct ieee80211_local *local, const char *name, ieee80211_init_frag_cache(&sdata->frags); - INIT_LIST_HEAD(&sdata->key_list); - wiphy_delayed_work_init(&sdata->dec_tailroom_needed_wk, ieee80211_delayed_tailroom_dec); -- 2.39.5

2 months

1
14
0 0

[PATCH] HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()

by Qasim Ijaz

A malicious HID device can trigger a slab out-of-bounds during mt_report_fixup() by passing in report descriptor smaller than 607 bytes. mt_report_fixup() attempts to patch byte offset 607 of the descriptor with 0x25 by first checking if byte offset 607 is 0x15 however it lacks bounds checks to verify if the descriptor is big enough before conducting this check. Fix this vulnerability by ensuring the descriptor size is greater than or equal to 608 before accessing it. Below is the KASAN splat after the out of bounds access happens: [ 13.671954] ================================================================== [ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110 [ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10 [ 13.673297] [ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3 [ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04 [ 13.673297] Call Trace: [ 13.673297] <TASK> [ 13.673297] dump_stack_lvl+0x5f/0x80 [ 13.673297] print_report+0xd1/0x660 [ 13.673297] kasan_report+0xe5/0x120 [ 13.673297] __asan_report_load1_noabort+0x18/0x20 [ 13.673297] mt_report_fixup+0x103/0x110 [ 13.673297] hid_open_report+0x1ef/0x810 [ 13.673297] mt_probe+0x422/0x960 [ 13.673297] hid_device_probe+0x2e2/0x6f0 [ 13.673297] really_probe+0x1c6/0x6b0 [ 13.673297] __driver_probe_device+0x24f/0x310 [ 13.673297] driver_probe_device+0x4e/0x220 [ 13.673297] __device_attach_driver+0x169/0x320 [ 13.673297] bus_for_each_drv+0x11d/0x1b0 [ 13.673297] __device_attach+0x1b8/0x3e0 [ 13.673297] device_initial_probe+0x12/0x20 [ 13.673297] bus_probe_device+0x13d/0x180 [ 13.673297] device_add+0xe3a/0x1670 [ 13.673297] hid_add_device+0x31d/0xa40 [...] Fixes: c8000deb6836 ("HID: multitouch: Add support for GT7868Q") Cc: stable(a)vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> --- drivers/hid/hid-multitouch.c | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c index 7ac8e16e6158..af4abe3ba410 100644 --- a/drivers/hid/hid-multitouch.c +++ b/drivers/hid/hid-multitouch.c @@ -1461,18 +1461,25 @@ static const __u8 *mt_report_fixup(struct hid_device *hdev, __u8 *rdesc, if (hdev->vendor == I2C_VENDOR_ID_GOODIX && (hdev->product == I2C_DEVICE_ID_GOODIX_01E8 || hdev->product == I2C_DEVICE_ID_GOODIX_01E9)) { - if (rdesc[607] == 0x15) { - rdesc[607] = 0x25; - dev_info( - &hdev->dev, - "GT7868Q report descriptor fixup is applied.\n"); + if (*size >= 608) { + if (rdesc[607] == 0x15) { + rdesc[607] = 0x25; + dev_info( + &hdev->dev, + "GT7868Q report descriptor fixup is applied.\n"); + } else { + dev_info( + &hdev->dev, + "The byte is not expected for fixing the report descriptor. \ + It's possible that the touchpad firmware is not suitable for applying the fix. \ + got: %x\n", + rdesc[607]); + } } else { dev_info( &hdev->dev, - "The byte is not expected for fixing the report descriptor. \ -It's possible that the touchpad firmware is not suitable for applying the fix. \ -got: %x\n", - rdesc[607]); + "GT7868Q fixup: report descriptor only %u bytes, skipping\n", + *size); } } -- 2.39.5

2 months

1
0
0 0

[PATCH] ARM: Fix allowing linker DCE with binutils < 2.36

by Nathan Chancellor

Commit e7607f7d6d81 ("ARM: 9443/1: Require linker to support KEEP within OVERLAY for DCE") accidentally broke the binutils version restriction that was added in commit 0d437918fb64 ("ARM: 9414/1: Fix build issue with LD_DEAD_CODE_DATA_ELIMINATION"), reintroducing the segmentation fault addressed by that workaround. Restore the binutils version dependency by using CONFIG_LD_CAN_USE_KEEP_IN_OVERLAY as an additional condition to ensure that CONFIG_HAVE_LD_DEAD_CODE_DATA_ELIMINATION is only enabled with binutils >= 2.36 and ld.lld >= 21.0.0. Cc: stable(a)vger.kernel.org Fixes: e7607f7d6d81 ("ARM: 9443/1: Require linker to support KEEP within OVERLAY for DCE") Reported-by: Rob Landley <rob(a)landley.net> Closes: https://lore.kernel.org/6739da7d-e555-407a-b5cb-e5681da71056@landley.net/ Tested-by: Rob Landley <rob(a)landley.net> Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- arch/arm/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig index 3072731fe09c..962451e54fdd 100644 --- a/arch/arm/Kconfig +++ b/arch/arm/Kconfig @@ -121,7 +121,7 @@ config ARM select HAVE_KERNEL_XZ select HAVE_KPROBES if !XIP_KERNEL && !CPU_ENDIAN_BE32 && !CPU_V7M select HAVE_KRETPROBES if HAVE_KPROBES - select HAVE_LD_DEAD_CODE_DATA_ELIMINATION if (LD_VERSION >= 23600 || LD_CAN_USE_KEEP_IN_OVERLAY) + select HAVE_LD_DEAD_CODE_DATA_ELIMINATION if (LD_VERSION >= 23600 || LD_IS_LLD) && LD_CAN_USE_KEEP_IN_OVERLAY select HAVE_MOD_ARCH_SPECIFIC select HAVE_NMI select HAVE_OPTPROBES if !THUMB2_KERNEL --- base-commit: d7b8f8e20813f0179d8ef519541a3527e7661d3a change-id: 20250707-arm-fix-dce-older-binutils-87a5a4b829d9 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

2 months

1
1
0 0

[stable-6.1] x86: Fix X86_FEATURE_VERW_CLEAR definition

by Jack Wang

This is a mistake during backport. VERW_CLEAR is on bit 5, not bit 10. Fixes: d12145e8454f ("x86/bugs: Add a Transient Scheduler Attacks mitigation") Cc: Borislav Petkov (AMD) <bp(a)alien8.de> Signed-off-by: Jack Wang <jinpu.wang(a)ionos.com> --- arch/x86/include/asm/cpufeatures.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h index 1c71f947b426..6f6ea3b9a95e 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h @@ -429,8 +429,8 @@ #define X86_FEATURE_V_TSC_AUX (19*32+ 9) /* "" Virtual TSC_AUX */ #define X86_FEATURE_SME_COHERENT (19*32+10) /* "" AMD hardware-enforced cache coherency */ +#define X86_FEATURE_VERW_CLEAR (20*32+ 5) /* "" The memory form of VERW mitigates TSA */ #define X86_FEATURE_AUTOIBRS (20*32+ 8) /* "" Automatic IBRS */ -#define X86_FEATURE_VERW_CLEAR (20*32+ 10) /* "" The memory form of VERW mitigates TSA */ #define X86_FEATURE_SBPB (20*32+27) /* "" Selective Branch Prediction Barrier */ #define X86_FEATURE_IBPB_BRTYPE (20*32+28) /* "" MSR_PRED_CMD[IBPB] flushes all branch type predictions */ #define X86_FEATURE_SRSO_NO (20*32+29) /* "" CPU is not affected by SRSO */ -- 2.43.0

2 months

2
1
0 0

[stable-5.15] x86: Fix X86_FEATURE_VERW_CLEAR definition

by Jack Wang

This is a mistake during backport. VERW_CLEAR is on bit 5, not bit 10. Fixes: f2b75f1368af ("x86/bugs: Add a Transient Scheduler Attacks mitigation") Cc: Borislav Petkov (AMD) <bp(a)alien8.de> Signed-off-by: Jack Wang <jinpu.wang(a)ionos.com> --- arch/x86/include/asm/cpufeatures.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h index 63b84540cfb3..b8d945d8d34f 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h @@ -418,8 +418,8 @@ #define X86_FEATURE_SEV_ES (19*32+ 3) /* AMD Secure Encrypted Virtualization - Encrypted State */ #define X86_FEATURE_SME_COHERENT (19*32+10) /* "" AMD hardware-enforced cache coherency */ +#define X86_FEATURE_VERW_CLEAR (20*32+ 5) /* "" The memory form of VERW mitigates TSA */ #define X86_FEATURE_AUTOIBRS (20*32+ 8) /* "" Automatic IBRS */ -#define X86_FEATURE_VERW_CLEAR (20*32+ 10) /* "" The memory form of VERW mitigates TSA */ #define X86_FEATURE_SBPB (20*32+27) /* "" Selective Branch Prediction Barrier */ #define X86_FEATURE_IBPB_BRTYPE (20*32+28) /* "" MSR_PRED_CMD[IBPB] flushes all branch type predictions */ #define X86_FEATURE_SRSO_NO (20*32+29) /* "" CPU is not affected by SRSO */ -- 2.43.0

2 months

1
0
0 0

TSA mitigation doesn't work on 6.6.y

by Thomas Voegtle

Hello, with kernel v6.16-rc5-121-gbc9ff192a6c9 I see this: cat /sys/devices/system/cpu/vulnerabilities/tsa Mitigation: Clear CPU buffers dmesg | grep micro [ 1.479203] microcode: Current revision: 0x0a20102e [ 1.479206] microcode: Updated early from: 0x0a201016 So, this works. but same machine with 6.6.97: dmesg | grep micro [ 0.451496] Transient Scheduler Attacks: Vulnerable: Clear CPU buffers attempted, no microcode [ 1.077149] microcode: Current revision: 0x0a20102e [ 1.077152] microcode: Updated early from: 0x0a201016 so: cat /sys/devices/system/cpu/vulnerabilities/tsa Vulnerable: Clear CPU buffers attempted, no microcode but it is switched on: zcat /proc/config.gz | grep TSA CONFIG_MITIGATION_TSA=y And other stuff which need microcode works: cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow Mitigation: Safe RET without microcode you wwould see: Vulnerable: Safe RET, no microcode 6.12.37 broken too 6.15.6 works v6.16-rc5-121-gbc9ff192a6c9 works This is a: processor : 11 vendor_id : AuthenticAMD cpu family : 25 model : 33 model name : AMD Ryzen 5 5600X 6-Core Processor stepping : 0 microcode : 0xa20102e Is something missing in 6.6.y and 6.12.y? Thomas

2 months

4
23
0 0

[REGRESSION]: fwd: regression in 6.15.5: KVM guest launch FAILSs with missing CPU feature error (sbpb, ibpb-brtype)

by pgnd

(already submitted @ Fedora; advised to post here to upstream as well) -------- Forwarded Message -------- Subject: regression in 6.15.5: KVM guest launch FAILSs with missing CPU feature error (sbpb, ibpb-brtype) Date: Sun, 13 Jul 2025 17:37:57 -0400 From: pgnd <pgnd(a)dev-mail.net> Reply-To: pgnd(a)dev-mail.net To: kernel(a)lists.fedoraproject.org i'm seeing a regression on Fedora 42 kernel 6.15.4 -> 6.15.5 on AMD Ryzen 5 5600G host (x86_64) kvm guests that launch ok under kernels 6.15.[3,4] fail with the following error when attempting to autostart under 6.15.5: internal error: Failed to autostart VM: operation failed: guest CPU doesn't match specification: missing features: sbpb,ibpb-brtype no changes made to libvirt, qemu, or VM defs between kernel versions. re-booting to old kernel versions restores expected behavior. maybe related (?) to recent changes in AMD CPU feature exposure / mitigation handling in kernel 6.15.5? i've opened a bug: https://bugzilla.redhat.com/show_bug.cgi?id=2379784

2 months

1
0
0 0

[PATCH] spi: Add check for 8-bit transfer with 8 IO mode support

by Cheng Ming Lin

From: Cheng Ming Lin <chengminglin(a)mxic.com.tw> The current SPI framework does not verify if the SPI device supports 8 IO mode when doing an 8-bit transfer. This patch adds a check to ensure that if the transfer tx_nbits or rx_nbits is 8, the SPI mode must support 8 IO. If not, an error is returned, preventing undefined behavior. Fixes: d6a711a898672 ("spi: Fix OCTAL mode support") Cc: stable(a)vger.kernel.org Signed-off-by: Cheng Ming Lin <chengminglin(a)mxic.com.tw> --- drivers/spi/spi.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c index 1bc0fdbb1bd7..0ffa3f9f2870 100644 --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c @@ -4138,10 +4138,13 @@ static int __spi_validate(struct spi_device *spi, struct spi_message *message) xfer->tx_nbits != SPI_NBITS_OCTAL) return -EINVAL; if ((xfer->tx_nbits == SPI_NBITS_DUAL) && - !(spi->mode & (SPI_TX_DUAL | SPI_TX_QUAD))) + !(spi->mode & (SPI_TX_DUAL | SPI_TX_QUAD | SPI_TX_OCTAL))) return -EINVAL; if ((xfer->tx_nbits == SPI_NBITS_QUAD) && - !(spi->mode & SPI_TX_QUAD)) + !(spi->mode & (SPI_TX_QUAD | SPI_TX_OCTAL))) + return -EINVAL; + if ((xfer->tx_nbits == SPI_NBITS_OCTAL) && + !(spi->mode & SPI_TX_OCTAL)) return -EINVAL; } /* Check transfer rx_nbits */ @@ -4154,10 +4157,13 @@ static int __spi_validate(struct spi_device *spi, struct spi_message *message) xfer->rx_nbits != SPI_NBITS_OCTAL) return -EINVAL; if ((xfer->rx_nbits == SPI_NBITS_DUAL) && - !(spi->mode & (SPI_RX_DUAL | SPI_RX_QUAD))) + !(spi->mode & (SPI_RX_DUAL | SPI_RX_QUAD | SPI_RX_OCTAL))) return -EINVAL; if ((xfer->rx_nbits == SPI_NBITS_QUAD) && - !(spi->mode & SPI_RX_QUAD)) + !(spi->mode & (SPI_RX_QUAD | SPI_RX_OCTAL))) + return -EINVAL; + if ((xfer->rx_nbits == SPI_NBITS_OCTAL) && + !(spi->mode & SPI_RX_OCTAL)) return -EINVAL; } -- 2.25.1

2 months

2
1
0 0

[RFC V1 PATCH mm-hotfixes 1/3] mm: introduce and use {pgd,p4d}_populate_kernel()

by Harry Yoo

Intrdocue and use {pgd,p4d}_pouplate_kernel() in core MM code when populating PGD and P4D entries corresponding to the kernel address space. The main purpose of these helpers is to ensure synchronization of the kernel portion of the top-level page tables whenever such an entry is populated. Until now, the kernel has relied on each architecture to handle synchronization of top-level page tables in an ad-hoc manner. For example, see commit 9b861528a801 ("x86-64, mem: Update all PGDs for direct mapping and vmemmap mapping changes"). However, this approach has proven fragile, as it's easy to forget to perform the necessary synchronization when introducing new changes. To address this, introduce _kernel() varients of the page table population helpers that invoke architecture-specific hooks to properly synchronize the page tables. For now, it only targets x86_64, so only PGD and P4D level helpers are introduced. In theory, PUD and PMD level helpers can be added later if needed by other architectures. Currently it is no-op as no arch defines __HAVE_ARCH_SYNC_KERNEL_PGTABLES. Cc: <stable(a)vger.kernel.org> Suggested-by: Dave Hansen <dave.hansen(a)linux.intel.com> Signed-off-by: Harry Yoo <harry.yoo(a)oracle.com> --- include/asm-generic/pgalloc.h | 4 ++++ include/linux/pgalloc.h | 0 mm/kasan/init.c | 10 +++++----- mm/percpu.c | 4 ++-- mm/sparse-vmemmap.c | 4 ++-- 5 files changed, 13 insertions(+), 9 deletions(-) create mode 100644 include/linux/pgalloc.h diff --git a/include/asm-generic/pgalloc.h b/include/asm-generic/pgalloc.h index 3c8ec3bfea44..6cac1ce64e01 100644 --- a/include/asm-generic/pgalloc.h +++ b/include/asm-generic/pgalloc.h @@ -295,6 +295,10 @@ static inline void pgd_free(struct mm_struct *mm, pgd_t *pgd) __pgd_free(mm, pgd); } #endif +#ifndef __HAVE_ARCH_SYNC_KERNEL_PGTABLE +#define pgd_populate_kernel(addr, pgd, p4d) pgd_populate(&init_mm, pgd, p4d) +#define p4d_populate_kernel(addr, p4d, pud) p4d_populate(&init_mm, p4d, pud) +#endif #endif /* CONFIG_MMU */ diff --git a/include/linux/pgalloc.h b/include/linux/pgalloc.h new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/mm/kasan/init.c b/mm/kasan/init.c index ced6b29fcf76..43de820ee282 100644 --- a/mm/kasan/init.c +++ b/mm/kasan/init.c @@ -191,7 +191,7 @@ static int __ref zero_p4d_populate(pgd_t *pgd, unsigned long addr, pud_t *pud; pmd_t *pmd; - p4d_populate(&init_mm, p4d, + p4d_populate_kernel(addr, p4d, lm_alias(kasan_early_shadow_pud)); pud = pud_offset(p4d, addr); pud_populate(&init_mm, pud, @@ -212,7 +212,7 @@ static int __ref zero_p4d_populate(pgd_t *pgd, unsigned long addr, } else { p = early_alloc(PAGE_SIZE, NUMA_NO_NODE); pud_init(p); - p4d_populate(&init_mm, p4d, p); + p4d_populate_kernel(addr, p4d, p); } } zero_pud_populate(p4d, addr, next); @@ -251,10 +251,10 @@ int __ref kasan_populate_early_shadow(const void *shadow_start, * puds,pmds, so pgd_populate(), pud_populate() * is noops. */ - pgd_populate(&init_mm, pgd, + pgd_populate_kernel(addr, pgd, lm_alias(kasan_early_shadow_p4d)); p4d = p4d_offset(pgd, addr); - p4d_populate(&init_mm, p4d, + p4d_populate_kernel(addr, p4d, lm_alias(kasan_early_shadow_pud)); pud = pud_offset(p4d, addr); pud_populate(&init_mm, pud, @@ -273,7 +273,7 @@ int __ref kasan_populate_early_shadow(const void *shadow_start, if (!p) return -ENOMEM; } else { - pgd_populate(&init_mm, pgd, + pgd_populate_kernel(addr, pgd, early_alloc(PAGE_SIZE, NUMA_NO_NODE)); } } diff --git a/mm/percpu.c b/mm/percpu.c index 782cc148b39c..57450a03c432 100644 --- a/mm/percpu.c +++ b/mm/percpu.c @@ -3134,13 +3134,13 @@ void __init __weak pcpu_populate_pte(unsigned long addr) if (pgd_none(*pgd)) { p4d = memblock_alloc_or_panic(P4D_TABLE_SIZE, P4D_TABLE_SIZE); - pgd_populate(&init_mm, pgd, p4d); + pgd_populate_kernel(addr, pgd, p4d); } p4d = p4d_offset(pgd, addr); if (p4d_none(*p4d)) { pud = memblock_alloc_or_panic(PUD_TABLE_SIZE, PUD_TABLE_SIZE); - p4d_populate(&init_mm, p4d, pud); + p4d_populate_kernel(addr, p4d, pud); } pud = pud_offset(p4d, addr); diff --git a/mm/sparse-vmemmap.c b/mm/sparse-vmemmap.c index fd2ab5118e13..e275310ac708 100644 --- a/mm/sparse-vmemmap.c +++ b/mm/sparse-vmemmap.c @@ -229,7 +229,7 @@ p4d_t * __meminit vmemmap_p4d_populate(pgd_t *pgd, unsigned long addr, int node) if (!p) return NULL; pud_init(p); - p4d_populate(&init_mm, p4d, p); + p4d_populate_kernel(addr, p4d, p); } return p4d; } @@ -241,7 +241,7 @@ pgd_t * __meminit vmemmap_pgd_populate(unsigned long addr, int node) void *p = vmemmap_alloc_block_zero(PAGE_SIZE, node); if (!p) return NULL; - pgd_populate(&init_mm, pgd, p); + pgd_populate_kernel(addr, pgd, p); } return pgd; } -- 2.43.0

2 months

3
5
0 0

Linux 6.12.38

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.38 kernel. Only users of AMD x86-based processors need to upgrade, all others may skip this release. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 +- arch/x86/kernel/cpu/amd.c | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) Borislav Petkov (AMD) (1): x86/CPU/AMD: Properly check the TSA microcode Greg Kroah-Hartman (1): Linux 6.12.38

2 months

1
1
0 0

Linux 6.6.98

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.98 kernel. Only users of AMD x86-based processors need to upgrade, all others may skip this release. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 +- arch/x86/kernel/cpu/amd.c | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) Borislav Petkov (AMD) (1): x86/CPU/AMD: Properly check the TSA microcode Greg Kroah-Hartman (1): Linux 6.6.98

2 months

1
1
0 0

Linux 6.1.145

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.145 kernel. Only users of AMD x86-based processors need to upgrade, all others may skip this release. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 +- arch/x86/kernel/cpu/amd.c | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) Borislav Petkov (AMD) (1): x86/CPU/AMD: Properly check the TSA microcode Greg Kroah-Hartman (1): Linux 6.1.145

2 months

1
1
0 0

Linux 5.15.188

by Greg Kroah-Hartman

I'm announcing the release of the 5.15.188 kernel. Only users of AMD x86-based processors need to upgrade, all others may skip this release. The updated 5.15.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.15.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 +- arch/x86/kernel/cpu/amd.c | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) Borislav Petkov (AMD) (1): x86/CPU/AMD: Properly check the TSA microcode Greg Kroah-Hartman (1): Linux 5.15.188

2 months

1
1
0 0

FAILED: patch "[PATCH] x86/mm: Disable hugetlb page table sharing on 32-bit" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 76303ee8d54bff6d9a6d55997acd88a6c2ba63cf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071423-imbecile-slander-d8e9@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 76303ee8d54bff6d9a6d55997acd88a6c2ba63cf Mon Sep 17 00:00:00 2001 From: Jann Horn <jannh(a)google.com> Date: Wed, 2 Jul 2025 10:32:04 +0200 Subject: [PATCH] x86/mm: Disable hugetlb page table sharing on 32-bit Only select ARCH_WANT_HUGE_PMD_SHARE on 64-bit x86. Page table sharing requires at least three levels because it involves shared references to PMD tables; 32-bit x86 has either two-level paging (without PAE) or three-level paging (with PAE), but even with three-level paging, having a dedicated PGD entry for hugetlb is only barely possible (because the PGD only has four entries), and it seems unlikely anyone's actually using PMD sharing on 32-bit. Having ARCH_WANT_HUGE_PMD_SHARE enabled on non-PAE 32-bit X86 (which has 2-level paging) became particularly problematic after commit 59d9094df3d7 ("mm: hugetlb: independent PMD page table shared count"), since that changes `struct ptdesc` such that the `pt_mm` (for PGDs) and the `pt_share_count` (for PMDs) share the same union storage - and with 2-level paging, PMDs are PGDs. (For comparison, arm64 also gates ARCH_WANT_HUGE_PMD_SHARE on the configuration of page tables such that it is never enabled with 2-level paging.) Closes: https://lore.kernel.org/r/srhpjxlqfna67blvma5frmy3aa@altlinux.org Fixes: cfe28c5d63d8 ("x86: mm: Remove x86 version of huge_pmd_share.") Reported-by: Vitaly Chikunov <vt(a)altlinux.org> Suggested-by: Dave Hansen <dave.hansen(a)intel.com> Signed-off-by: Jann Horn <jannh(a)google.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Acked-by: Oscar Salvador <osalvador(a)suse.de> Acked-by: David Hildenbrand <david(a)redhat.com> Tested-by: Vitaly Chikunov <vt(a)altlinux.org> Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/20250702-x86-2level-hugetlb-v2-1-1a98096edf92%4… diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 71019b3b54ea..4e0fe688cc83 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -147,7 +147,7 @@ config X86 select ARCH_WANTS_DYNAMIC_TASK_STRUCT select ARCH_WANTS_NO_INSTR select ARCH_WANT_GENERAL_HUGETLB - select ARCH_WANT_HUGE_PMD_SHARE + select ARCH_WANT_HUGE_PMD_SHARE if X86_64 select ARCH_WANT_LD_ORPHAN_WARN select ARCH_WANT_OPTIMIZE_DAX_VMEMMAP if X86_64 select ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP if X86_64

2 months

2
1
0 0

FAILED: patch "[PATCH] x86/mm: Disable hugetlb page table sharing on 32-bit" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 76303ee8d54bff6d9a6d55997acd88a6c2ba63cf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071422-target-professor-6f97@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 76303ee8d54bff6d9a6d55997acd88a6c2ba63cf Mon Sep 17 00:00:00 2001 From: Jann Horn <jannh(a)google.com> Date: Wed, 2 Jul 2025 10:32:04 +0200 Subject: [PATCH] x86/mm: Disable hugetlb page table sharing on 32-bit Only select ARCH_WANT_HUGE_PMD_SHARE on 64-bit x86. Page table sharing requires at least three levels because it involves shared references to PMD tables; 32-bit x86 has either two-level paging (without PAE) or three-level paging (with PAE), but even with three-level paging, having a dedicated PGD entry for hugetlb is only barely possible (because the PGD only has four entries), and it seems unlikely anyone's actually using PMD sharing on 32-bit. Having ARCH_WANT_HUGE_PMD_SHARE enabled on non-PAE 32-bit X86 (which has 2-level paging) became particularly problematic after commit 59d9094df3d7 ("mm: hugetlb: independent PMD page table shared count"), since that changes `struct ptdesc` such that the `pt_mm` (for PGDs) and the `pt_share_count` (for PMDs) share the same union storage - and with 2-level paging, PMDs are PGDs. (For comparison, arm64 also gates ARCH_WANT_HUGE_PMD_SHARE on the configuration of page tables such that it is never enabled with 2-level paging.) Closes: https://lore.kernel.org/r/srhpjxlqfna67blvma5frmy3aa@altlinux.org Fixes: cfe28c5d63d8 ("x86: mm: Remove x86 version of huge_pmd_share.") Reported-by: Vitaly Chikunov <vt(a)altlinux.org> Suggested-by: Dave Hansen <dave.hansen(a)intel.com> Signed-off-by: Jann Horn <jannh(a)google.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Acked-by: Oscar Salvador <osalvador(a)suse.de> Acked-by: David Hildenbrand <david(a)redhat.com> Tested-by: Vitaly Chikunov <vt(a)altlinux.org> Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/20250702-x86-2level-hugetlb-v2-1-1a98096edf92%4… diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 71019b3b54ea..4e0fe688cc83 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -147,7 +147,7 @@ config X86 select ARCH_WANTS_DYNAMIC_TASK_STRUCT select ARCH_WANTS_NO_INSTR select ARCH_WANT_GENERAL_HUGETLB - select ARCH_WANT_HUGE_PMD_SHARE + select ARCH_WANT_HUGE_PMD_SHARE if X86_64 select ARCH_WANT_LD_ORPHAN_WARN select ARCH_WANT_OPTIMIZE_DAX_VMEMMAP if X86_64 select ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP if X86_64

2 months

2
1
0 0

FAILED: patch "[PATCH] x86/mm: Disable hugetlb page table sharing on 32-bit" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 76303ee8d54bff6d9a6d55997acd88a6c2ba63cf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071421-molar-theme-43d7@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 76303ee8d54bff6d9a6d55997acd88a6c2ba63cf Mon Sep 17 00:00:00 2001 From: Jann Horn <jannh(a)google.com> Date: Wed, 2 Jul 2025 10:32:04 +0200 Subject: [PATCH] x86/mm: Disable hugetlb page table sharing on 32-bit Only select ARCH_WANT_HUGE_PMD_SHARE on 64-bit x86. Page table sharing requires at least three levels because it involves shared references to PMD tables; 32-bit x86 has either two-level paging (without PAE) or three-level paging (with PAE), but even with three-level paging, having a dedicated PGD entry for hugetlb is only barely possible (because the PGD only has four entries), and it seems unlikely anyone's actually using PMD sharing on 32-bit. Having ARCH_WANT_HUGE_PMD_SHARE enabled on non-PAE 32-bit X86 (which has 2-level paging) became particularly problematic after commit 59d9094df3d7 ("mm: hugetlb: independent PMD page table shared count"), since that changes `struct ptdesc` such that the `pt_mm` (for PGDs) and the `pt_share_count` (for PMDs) share the same union storage - and with 2-level paging, PMDs are PGDs. (For comparison, arm64 also gates ARCH_WANT_HUGE_PMD_SHARE on the configuration of page tables such that it is never enabled with 2-level paging.) Closes: https://lore.kernel.org/r/srhpjxlqfna67blvma5frmy3aa@altlinux.org Fixes: cfe28c5d63d8 ("x86: mm: Remove x86 version of huge_pmd_share.") Reported-by: Vitaly Chikunov <vt(a)altlinux.org> Suggested-by: Dave Hansen <dave.hansen(a)intel.com> Signed-off-by: Jann Horn <jannh(a)google.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Acked-by: Oscar Salvador <osalvador(a)suse.de> Acked-by: David Hildenbrand <david(a)redhat.com> Tested-by: Vitaly Chikunov <vt(a)altlinux.org> Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/20250702-x86-2level-hugetlb-v2-1-1a98096edf92%4… diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 71019b3b54ea..4e0fe688cc83 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -147,7 +147,7 @@ config X86 select ARCH_WANTS_DYNAMIC_TASK_STRUCT select ARCH_WANTS_NO_INSTR select ARCH_WANT_GENERAL_HUGETLB - select ARCH_WANT_HUGE_PMD_SHARE + select ARCH_WANT_HUGE_PMD_SHARE if X86_64 select ARCH_WANT_LD_ORPHAN_WARN select ARCH_WANT_OPTIMIZE_DAX_VMEMMAP if X86_64 select ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP if X86_64

2 months

2
1
0 0

FAILED: patch "[PATCH] x86/mm: Disable hugetlb page table sharing on 32-bit" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 76303ee8d54bff6d9a6d55997acd88a6c2ba63cf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071420-occupy-vowel-a8a5@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 76303ee8d54bff6d9a6d55997acd88a6c2ba63cf Mon Sep 17 00:00:00 2001 From: Jann Horn <jannh(a)google.com> Date: Wed, 2 Jul 2025 10:32:04 +0200 Subject: [PATCH] x86/mm: Disable hugetlb page table sharing on 32-bit Only select ARCH_WANT_HUGE_PMD_SHARE on 64-bit x86. Page table sharing requires at least three levels because it involves shared references to PMD tables; 32-bit x86 has either two-level paging (without PAE) or three-level paging (with PAE), but even with three-level paging, having a dedicated PGD entry for hugetlb is only barely possible (because the PGD only has four entries), and it seems unlikely anyone's actually using PMD sharing on 32-bit. Having ARCH_WANT_HUGE_PMD_SHARE enabled on non-PAE 32-bit X86 (which has 2-level paging) became particularly problematic after commit 59d9094df3d7 ("mm: hugetlb: independent PMD page table shared count"), since that changes `struct ptdesc` such that the `pt_mm` (for PGDs) and the `pt_share_count` (for PMDs) share the same union storage - and with 2-level paging, PMDs are PGDs. (For comparison, arm64 also gates ARCH_WANT_HUGE_PMD_SHARE on the configuration of page tables such that it is never enabled with 2-level paging.) Closes: https://lore.kernel.org/r/srhpjxlqfna67blvma5frmy3aa@altlinux.org Fixes: cfe28c5d63d8 ("x86: mm: Remove x86 version of huge_pmd_share.") Reported-by: Vitaly Chikunov <vt(a)altlinux.org> Suggested-by: Dave Hansen <dave.hansen(a)intel.com> Signed-off-by: Jann Horn <jannh(a)google.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Acked-by: Oscar Salvador <osalvador(a)suse.de> Acked-by: David Hildenbrand <david(a)redhat.com> Tested-by: Vitaly Chikunov <vt(a)altlinux.org> Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/20250702-x86-2level-hugetlb-v2-1-1a98096edf92%4… diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 71019b3b54ea..4e0fe688cc83 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -147,7 +147,7 @@ config X86 select ARCH_WANTS_DYNAMIC_TASK_STRUCT select ARCH_WANTS_NO_INSTR select ARCH_WANT_GENERAL_HUGETLB - select ARCH_WANT_HUGE_PMD_SHARE + select ARCH_WANT_HUGE_PMD_SHARE if X86_64 select ARCH_WANT_LD_ORPHAN_WARN select ARCH_WANT_OPTIMIZE_DAX_VMEMMAP if X86_64 select ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP if X86_64

2 months

2
1
0 0

[PATCH 6.6] thermal/of: Fix mask mismatch when no trips subnode

by Hsin-Te Yuan

After commit 725f31f300e3 ("thermal/of: support thermal zones w/o trips subnode") was backported on 6.6 stable branch as commit d3304dbc2d5f ("thermal/of: support thermal zones w/o trips subnode"), thermal zones w/o trips subnode still fail to register since `mask` argument is not set correctly. When number of trips subnode is 0, `mask` must be 0 to pass the check in `thermal_zone_device_register_with_trips()`. Set `mask` to 0 when there's no trips subnode. Signed-off-by: Hsin-Te Yuan <yuanhsinte(a)chromium.org> --- drivers/thermal/thermal_of.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/thermal/thermal_of.c b/drivers/thermal/thermal_of.c index 0f520cf923a1e684411a3077ad283551395eec11..97aeb869abf5179dfa512dd744725121ec7fd0d9 100644 --- a/drivers/thermal/thermal_of.c +++ b/drivers/thermal/thermal_of.c @@ -514,7 +514,7 @@ static struct thermal_zone_device *thermal_of_zone_register(struct device_node * of_ops->bind = thermal_of_bind; of_ops->unbind = thermal_of_unbind; - mask = GENMASK_ULL((ntrips) - 1, 0); + mask = ntrips ? GENMASK_ULL((ntrips) - 1, 0) : 0; tz = thermal_zone_device_register_with_trips(np->name, trips, ntrips, mask, data, of_ops, &tzp, --- base-commit: a5df3a702b2cba82bcfb066fa9f5e4a349c33924 change-id: 20250707-trip-point-73dae9fd9c74 Best regards, -- Hsin-Te Yuan <yuanhsinte(a)chromium.org>

2 months

4
7
0 0

[PATCH v3 11/17] ext4: fix largest free orders lists corruption on mb_optimize_scan switch

by Baokun Li

The grp->bb_largest_free_order is updated regardless of whether mb_optimize_scan is enabled. This can lead to inconsistencies between grp->bb_largest_free_order and the actual s_mb_largest_free_orders list index when mb_optimize_scan is repeatedly enabled and disabled via remount. For example, if mb_optimize_scan is initially enabled, largest free order is 3, and the group is in s_mb_largest_free_orders[3]. Then, mb_optimize_scan is disabled via remount, block allocations occur, updating largest free order to 2. Finally, mb_optimize_scan is re-enabled via remount, more block allocations update largest free order to 1. At this point, the group would be removed from s_mb_largest_free_orders[3] under the protection of s_mb_largest_free_orders_locks[2]. This lock mismatch can lead to list corruption. To fix this, whenever grp->bb_largest_free_order changes, we now always attempt to remove the group from its old order list. However, we only insert the group into the new order list if `mb_optimize_scan` is enabled. This approach helps prevent lock inconsistencies and ensures the data in the order lists remains reliable. Fixes: 196e402adf2e ("ext4: improve cr 0 / cr 1 group scanning") CC: stable(a)vger.kernel.org Suggested-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Baokun Li <libaokun1(a)huawei.com> --- fs/ext4/mballoc.c | 33 ++++++++++++++------------------- 1 file changed, 14 insertions(+), 19 deletions(-) diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c index 72b20fc52bbf..fada0d1b3fdb 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -1152,33 +1152,28 @@ static void mb_set_largest_free_order(struct super_block *sb, struct ext4_group_info *grp) { struct ext4_sb_info *sbi = EXT4_SB(sb); - int i; + int new, old = grp->bb_largest_free_order; - for (i = MB_NUM_ORDERS(sb) - 1; i >= 0; i--) - if (grp->bb_counters[i] > 0) + for (new = MB_NUM_ORDERS(sb) - 1; new >= 0; new--) + if (grp->bb_counters[new] > 0) break; + /* No need to move between order lists? */ - if (!test_opt2(sb, MB_OPTIMIZE_SCAN) || - i == grp->bb_largest_free_order) { - grp->bb_largest_free_order = i; + if (new == old) return; - } - if (grp->bb_largest_free_order >= 0) { - write_lock(&sbi->s_mb_largest_free_orders_locks[ - grp->bb_largest_free_order]); + if (old >= 0 && !list_empty(&grp->bb_largest_free_order_node)) { + write_lock(&sbi->s_mb_largest_free_orders_locks[old]); list_del_init(&grp->bb_largest_free_order_node); - write_unlock(&sbi->s_mb_largest_free_orders_locks[ - grp->bb_largest_free_order]); + write_unlock(&sbi->s_mb_largest_free_orders_locks[old]); } - grp->bb_largest_free_order = i; - if (grp->bb_largest_free_order >= 0 && grp->bb_free) { - write_lock(&sbi->s_mb_largest_free_orders_locks[ - grp->bb_largest_free_order]); + + grp->bb_largest_free_order = new; + if (test_opt2(sb, MB_OPTIMIZE_SCAN) && new >= 0 && grp->bb_free) { + write_lock(&sbi->s_mb_largest_free_orders_locks[new]); list_add_tail(&grp->bb_largest_free_order_node, - &sbi->s_mb_largest_free_orders[grp->bb_largest_free_order]); - write_unlock(&sbi->s_mb_largest_free_orders_locks[ - grp->bb_largest_free_order]); + &sbi->s_mb_largest_free_orders[new]); + write_unlock(&sbi->s_mb_largest_free_orders_locks[new]); } } -- 2.46.1

2 months

1
0
0 0

[PATCH v3 10/17] ext4: fix zombie groups in average fragment size lists

by Baokun Li

Groups with no free blocks shouldn't be in any average fragment size list. However, when all blocks in a group are allocated(i.e., bb_fragments or bb_free is 0), we currently skip updating the average fragment size, which means the group isn't removed from its previous s_mb_avg_fragment_size[old] list. This created "zombie" groups that were always skipped during traversal as they couldn't satisfy any block allocation requests, negatively impacting traversal efficiency. Therefore, when a group becomes completely full, bb_avg_fragment_size_order is now set to -1. If the old order was not -1, a removal operation is performed; if the new order is not -1, an insertion is performed. Fixes: 196e402adf2e ("ext4: improve cr 0 / cr 1 group scanning") CC: stable(a)vger.kernel.org Signed-off-by: Baokun Li <libaokun1(a)huawei.com> Reviewed-by: Jan Kara <jack(a)suse.cz> --- fs/ext4/mballoc.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c index 6d98f2a5afc4..72b20fc52bbf 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -841,30 +841,30 @@ static void mb_update_avg_fragment_size(struct super_block *sb, struct ext4_group_info *grp) { struct ext4_sb_info *sbi = EXT4_SB(sb); - int new_order; + int new, old; - if (!test_opt2(sb, MB_OPTIMIZE_SCAN) || grp->bb_fragments == 0) + if (!test_opt2(sb, MB_OPTIMIZE_SCAN)) return; - new_order = mb_avg_fragment_size_order(sb, - grp->bb_free / grp->bb_fragments); - if (new_order == grp->bb_avg_fragment_size_order) + old = grp->bb_avg_fragment_size_order; + new = grp->bb_fragments == 0 ? -1 : + mb_avg_fragment_size_order(sb, grp->bb_free / grp->bb_fragments); + if (new == old) return; - if (grp->bb_avg_fragment_size_order != -1) { - write_lock(&sbi->s_mb_avg_fragment_size_locks[ - grp->bb_avg_fragment_size_order]); + if (old >= 0) { + write_lock(&sbi->s_mb_avg_fragment_size_locks[old]); list_del(&grp->bb_avg_fragment_size_node); - write_unlock(&sbi->s_mb_avg_fragment_size_locks[ - grp->bb_avg_fragment_size_order]); - } - grp->bb_avg_fragment_size_order = new_order; - write_lock(&sbi->s_mb_avg_fragment_size_locks[ - grp->bb_avg_fragment_size_order]); - list_add_tail(&grp->bb_avg_fragment_size_node, - &sbi->s_mb_avg_fragment_size[grp->bb_avg_fragment_size_order]); - write_unlock(&sbi->s_mb_avg_fragment_size_locks[ - grp->bb_avg_fragment_size_order]); + write_unlock(&sbi->s_mb_avg_fragment_size_locks[old]); + } + + grp->bb_avg_fragment_size_order = new; + if (new >= 0) { + write_lock(&sbi->s_mb_avg_fragment_size_locks[new]); + list_add_tail(&grp->bb_avg_fragment_size_node, + &sbi->s_mb_avg_fragment_size[new]); + write_unlock(&sbi->s_mb_avg_fragment_size_locks[new]); + } } /* -- 2.46.1

2 months

1
0
0 0

FAILED: patch "[PATCH] x86/its: explicitly manage permissions for ITS pages" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x a82b26451de126a5ae130361081986bc459afe9b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071433-smugly-husked-3295@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a82b26451de126a5ae130361081986bc459afe9b Mon Sep 17 00:00:00 2001 From: "Peter Zijlstra (Intel)" <peterz(a)infradead.org> Date: Tue, 3 Jun 2025 14:14:44 +0300 Subject: [PATCH] x86/its: explicitly manage permissions for ITS pages execmem_alloc() sets permissions differently depending on the kernel configuration, CPU support for PSE and whether a page is allocated before or after mark_rodata_ro(). Add tracking for pages allocated for ITS when patching the core kernel and make sure the permissions for ITS pages are explicitly managed for both kernel and module allocations. Fixes: 872df34d7c51 ("x86/its: Use dynamic thunks for indirect branches") Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Co-developed-by: Mike Rapoport (Microsoft) <rppt(a)kernel.org> Signed-off-by: Mike Rapoport (Microsoft) <rppt(a)kernel.org> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Reviewed-by: Nikolay Borisov <nik.borisov(a)suse.com> Cc: stable(a)vger.kernel.org Link: https://lkml.kernel.org/r/20250603111446.2609381-5-rppt@kernel.org diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c index b50fe6ce4655..6455f7f751b3 100644 --- a/arch/x86/kernel/alternative.c +++ b/arch/x86/kernel/alternative.c @@ -116,6 +116,24 @@ static struct module *its_mod; #endif static void *its_page; static unsigned int its_offset; +struct its_array its_pages; + +static void *__its_alloc(struct its_array *pages) +{ + void *page __free(execmem) = execmem_alloc(EXECMEM_MODULE_TEXT, PAGE_SIZE); + if (!page) + return NULL; + + void *tmp = krealloc(pages->pages, (pages->num+1) * sizeof(void *), + GFP_KERNEL); + if (!tmp) + return NULL; + + pages->pages = tmp; + pages->pages[pages->num++] = page; + + return no_free_ptr(page); +} /* Initialize a thunk with the "jmp *reg; int3" instructions. */ static void *its_init_thunk(void *thunk, int reg) @@ -151,6 +169,21 @@ static void *its_init_thunk(void *thunk, int reg) return thunk + offset; } +static void its_pages_protect(struct its_array *pages) +{ + for (int i = 0; i < pages->num; i++) { + void *page = pages->pages[i]; + execmem_restore_rox(page, PAGE_SIZE); + } +} + +static void its_fini_core(void) +{ + if (IS_ENABLED(CONFIG_STRICT_KERNEL_RWX)) + its_pages_protect(&its_pages); + kfree(its_pages.pages); +} + #ifdef CONFIG_MODULES void its_init_mod(struct module *mod) { @@ -173,10 +206,8 @@ void its_fini_mod(struct module *mod) its_page = NULL; mutex_unlock(&text_mutex); - for (int i = 0; i < mod->arch.its_pages.num; i++) { - void *page = mod->arch.its_pages.pages[i]; - execmem_restore_rox(page, PAGE_SIZE); - } + if (IS_ENABLED(CONFIG_STRICT_MODULE_RWX)) + its_pages_protect(&mod->arch.its_pages); } void its_free_mod(struct module *mod) @@ -194,28 +225,23 @@ void its_free_mod(struct module *mod) static void *its_alloc(void) { - void *page __free(execmem) = execmem_alloc(EXECMEM_MODULE_TEXT, PAGE_SIZE); + struct its_array *pages = &its_pages; + void *page; +#ifdef CONFIG_MODULE + if (its_mod) + pages = &its_mod->arch.its_pages; +#endif + + page = __its_alloc(pages); if (!page) return NULL; -#ifdef CONFIG_MODULES - if (its_mod) { - struct its_array *pages = &its_mod->arch.its_pages; - void *tmp = krealloc(pages->pages, - (pages->num+1) * sizeof(void *), - GFP_KERNEL); - if (!tmp) - return NULL; + execmem_make_temp_rw(page, PAGE_SIZE); + if (pages == &its_pages) + set_memory_x((unsigned long)page, 1); - pages->pages = tmp; - pages->pages[pages->num++] = page; - - execmem_make_temp_rw(page, PAGE_SIZE); - } -#endif /* CONFIG_MODULES */ - - return no_free_ptr(page); + return page; } static void *its_allocate_thunk(int reg) @@ -269,7 +295,9 @@ u8 *its_static_thunk(int reg) return thunk; } -#endif +#else +static inline void its_fini_core(void) {} +#endif /* CONFIG_MITIGATION_ITS */ /* * Nomenclature for variable names to simplify and clarify this code and ease @@ -2339,6 +2367,8 @@ void __init alternative_instructions(void) apply_retpolines(__retpoline_sites, __retpoline_sites_end); apply_returns(__return_sites, __return_sites_end); + its_fini_core(); + /* * Adjust all CALL instructions to point to func()-10, including * those in .altinstr_replacement.

2 months

1
0
0 0

FAILED: patch "[PATCH] x86/its: move its_pages array to struct mod_arch_specific" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 0b0cae7119a0ec9449d7261b5e672a5fed765068 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071415-bullpen-error-57e3@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0b0cae7119a0ec9449d7261b5e672a5fed765068 Mon Sep 17 00:00:00 2001 From: "Mike Rapoport (Microsoft)" <rppt(a)kernel.org> Date: Tue, 3 Jun 2025 14:14:43 +0300 Subject: [PATCH] x86/its: move its_pages array to struct mod_arch_specific The of pages with ITS thunks allocated for modules are tracked by an array in 'struct module'. Since this is very architecture specific data structure, move it to 'struct mod_arch_specific'. No functional changes. Fixes: 872df34d7c51 ("x86/its: Use dynamic thunks for indirect branches") Suggested-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Signed-off-by: Mike Rapoport (Microsoft) <rppt(a)kernel.org> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Cc: stable(a)vger.kernel.org Link: https://lkml.kernel.org/r/20250603111446.2609381-4-rppt@kernel.org diff --git a/arch/x86/include/asm/module.h b/arch/x86/include/asm/module.h index e988bac0a4a1..3c2de4ce3b10 100644 --- a/arch/x86/include/asm/module.h +++ b/arch/x86/include/asm/module.h @@ -5,12 +5,20 @@ #include <asm-generic/module.h> #include <asm/orc_types.h> +struct its_array { +#ifdef CONFIG_MITIGATION_ITS + void **pages; + int num; +#endif +}; + struct mod_arch_specific { #ifdef CONFIG_UNWINDER_ORC unsigned int num_orcs; int *orc_unwind_ip; struct orc_entry *orc_unwind; #endif + struct its_array its_pages; }; #endif /* _ASM_X86_MODULE_H */ diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c index ecfe7b497cad..b50fe6ce4655 100644 --- a/arch/x86/kernel/alternative.c +++ b/arch/x86/kernel/alternative.c @@ -173,8 +173,8 @@ void its_fini_mod(struct module *mod) its_page = NULL; mutex_unlock(&text_mutex); - for (int i = 0; i < mod->its_num_pages; i++) { - void *page = mod->its_page_array[i]; + for (int i = 0; i < mod->arch.its_pages.num; i++) { + void *page = mod->arch.its_pages.pages[i]; execmem_restore_rox(page, PAGE_SIZE); } } @@ -184,11 +184,11 @@ void its_free_mod(struct module *mod) if (!cpu_feature_enabled(X86_FEATURE_INDIRECT_THUNK_ITS)) return; - for (int i = 0; i < mod->its_num_pages; i++) { - void *page = mod->its_page_array[i]; + for (int i = 0; i < mod->arch.its_pages.num; i++) { + void *page = mod->arch.its_pages.pages[i]; execmem_free(page); } - kfree(mod->its_page_array); + kfree(mod->arch.its_pages.pages); } #endif /* CONFIG_MODULES */ @@ -201,14 +201,15 @@ static void *its_alloc(void) #ifdef CONFIG_MODULES if (its_mod) { - void *tmp = krealloc(its_mod->its_page_array, - (its_mod->its_num_pages+1) * sizeof(void *), + struct its_array *pages = &its_mod->arch.its_pages; + void *tmp = krealloc(pages->pages, + (pages->num+1) * sizeof(void *), GFP_KERNEL); if (!tmp) return NULL; - its_mod->its_page_array = tmp; - its_mod->its_page_array[its_mod->its_num_pages++] = page; + pages->pages = tmp; + pages->pages[pages->num++] = page; execmem_make_temp_rw(page, PAGE_SIZE); } diff --git a/include/linux/module.h b/include/linux/module.h index 92e1420fccdf..5faa1fb1f4b4 100644 --- a/include/linux/module.h +++ b/include/linux/module.h @@ -586,11 +586,6 @@ struct module { atomic_t refcnt; #endif -#ifdef CONFIG_MITIGATION_ITS - int its_num_pages; - void **its_page_array; -#endif - #ifdef CONFIG_CONSTRUCTORS /* Constructor functions. */ ctor_fn_t *ctors;

2 months

1
0
0 0

[PATCH v2] iommu/arm-smmu-qcom: Add SM6115 MDSS compatible

by Alexey Klimov

Add the SM6115 MDSS compatible to clients compatible list, as it also needs that workaround. Without this workaround, for example, QRB4210 RB2 which is based on SM4250/SM6115 generates a lot of smmu unhandled context faults during boot: arm_smmu_context_fault: 116854 callbacks suppressed arm-smmu c600000.iommu: Unhandled context fault: fsr=0x402, iova=0x5c0ec600, fsynr=0x320021, cbfrsynra=0x420, cb=5 arm-smmu c600000.iommu: FSR = 00000402 [Format=2 TF], SID=0x420 arm-smmu c600000.iommu: FSYNR0 = 00320021 [S1CBNDX=50 PNU PLVL=1] arm-smmu c600000.iommu: Unhandled context fault: fsr=0x402, iova=0x5c0d7800, fsynr=0x320021, cbfrsynra=0x420, cb=5 arm-smmu c600000.iommu: FSR = 00000402 [Format=2 TF], SID=0x420 and also failed initialisation of lontium lt9611uxc, gpu and dpu is observed: (binding MDSS components triggered by lt9611uxc have failed) ------------[ cut here ]------------ !aspace WARNING: CPU: 6 PID: 324 at drivers/gpu/drm/msm/msm_gem_vma.c:130 msm_gem_vma_init+0x150/0x18c [msm] Modules linked in: ... (long list of modules) CPU: 6 UID: 0 PID: 324 Comm: (udev-worker) Not tainted 6.15.0-03037-gaacc73ceeb8b #4 PREEMPT Hardware name: Qualcomm Technologies, Inc. QRB4210 RB2 (DT) pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : msm_gem_vma_init+0x150/0x18c [msm] lr : msm_gem_vma_init+0x150/0x18c [msm] sp : ffff80008144b280 ... Call trace: msm_gem_vma_init+0x150/0x18c [msm] (P) get_vma_locked+0xc0/0x194 [msm] msm_gem_get_and_pin_iova_range+0x4c/0xdc [msm] msm_gem_kernel_new+0x48/0x160 [msm] msm_gpu_init+0x34c/0x53c [msm] adreno_gpu_init+0x1b0/0x2d8 [msm] a6xx_gpu_init+0x1e8/0x9e0 [msm] adreno_bind+0x2b8/0x348 [msm] component_bind_all+0x100/0x230 msm_drm_bind+0x13c/0x3d0 [msm] try_to_bring_up_aggregate_device+0x164/0x1d0 __component_add+0xa4/0x174 component_add+0x14/0x20 dsi_dev_attach+0x20/0x34 [msm] dsi_host_attach+0x58/0x98 [msm] devm_mipi_dsi_attach+0x34/0x90 lt9611uxc_attach_dsi.isra.0+0x94/0x124 [lontium_lt9611uxc] lt9611uxc_probe+0x540/0x5fc [lontium_lt9611uxc] i2c_device_probe+0x148/0x2a8 really_probe+0xbc/0x2c0 __driver_probe_device+0x78/0x120 driver_probe_device+0x3c/0x154 __driver_attach+0x90/0x1a0 bus_for_each_dev+0x68/0xb8 driver_attach+0x24/0x30 bus_add_driver+0xe4/0x208 driver_register+0x68/0x124 i2c_register_driver+0x48/0xcc lt9611uxc_driver_init+0x20/0x1000 [lontium_lt9611uxc] do_one_initcall+0x60/0x1d4 do_init_module+0x54/0x1fc load_module+0x1748/0x1c8c init_module_from_file+0x74/0xa0 __arm64_sys_finit_module+0x130/0x2f8 invoke_syscall+0x48/0x104 el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x2c/0x80 el0t_64_sync_handler+0x10c/0x138 el0t_64_sync+0x198/0x19c ---[ end trace 0000000000000000 ]--- msm_dpu 5e01000.display-controller: [drm:msm_gpu_init [msm]] *ERROR* could not allocate memptrs: -22 msm_dpu 5e01000.display-controller: failed to load adreno gpu platform a400000.remoteproc:glink-edge:apr:service@7:dais: Adding to iommu group 19 msm_dpu 5e01000.display-controller: failed to bind 5900000.gpu (ops a3xx_ops [msm]): -22 msm_dpu 5e01000.display-controller: adev bind failed: -22 lt9611uxc 0-002b: failed to attach dsi to host lt9611uxc 0-002b: probe with driver lt9611uxc failed with error -22 Suggested-by: Bjorn Andersson <andersson(a)kernel.org> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> Fixes: 3581b7062cec ("drm/msm/disp/dpu1: add support for display on SM6115") Cc: <stable(a)vger.kernel.org> Signed-off-by: Alexey Klimov <alexey.klimov(a)linaro.org> --- v2: - added tags as suggested by Dmitry; - slightly updated text in the commit message. Previous version: https://lore.kernel.org/linux-arm-msm/20250528003118.214093-1-alexey.klimov… drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c index 62874b18f645..c75023718595 100644 --- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c +++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c @@ -379,6 +379,7 @@ static const struct of_device_id qcom_smmu_client_of_match[] __maybe_unused = { { .compatible = "qcom,sdm670-mdss" }, { .compatible = "qcom,sdm845-mdss" }, { .compatible = "qcom,sdm845-mss-pil" }, + { .compatible = "qcom,sm6115-mdss" }, { .compatible = "qcom,sm6350-mdss" }, { .compatible = "qcom,sm6375-mdss" }, { .compatible = "qcom,sm8150-mdss" }, -- 2.47.2

2 months

3
3
0 0

[PATCH] extcon: fsa9480: Avoid buffer overflow in fsa9480_handle_change()

by Vladimir Moskovkin

Bit 7 of the 'Device Type 2' (0Bh) register is reserved in the FSA9480 device, but is used by the FSA880 and TSU6111 devices. From FSA9480 datasheet, Table 18. Device Type 2: Reset Value: x0000000 =========================================================================== Bit # | Name | Size (Bits) | Description --------------------------------------------------------------------------- 7 | Reserved | 1 | NA From FSA880 datasheet, Table 13. Device Type 2: Reset Value: 0xxx0000 =========================================================================== Bit # | Name | Size (Bits) | Description --------------------------------------------------------------------------- 7 | Unknown | 1 | 1: Any accessory detected as unknown | Accessory | | or an accessory that cannot be | | | detected as being valid even | | | though ID_CON is not floating | | | 0: Unknown accessory not detected From TSU6111 datasheet, Device Type 2: Reset Value:x0000000 =========================================================================== Bit # | Name | Size (Bits) | Description --------------------------------------------------------------------------- 7 | Audio Type 3 | 1 | Audio device type 3 So the value obtained from the FSA9480_REG_DEV_T2 register in the fsa9480_detect_dev() function may have the 7th bit set. In this case, the 'dev' parameter in the fsa9480_handle_change() function will be 15. And this will cause the 'cable_types' array to overflow when accessed at this index. Extend the 'cable_types' array with a new value 'DEV_RESERVED' as specified in the FSA9480 datasheet. Do not use it as it serves for various purposes in the listed devices. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: bad5b5e707a5 ("extcon: Add fsa9480 extcon driver") Cc: stable(a)vger.kernel.org Signed-off-by: Vladimir Moskovkin <Vladimir.Moskovkin(a)kaspersky.com> --- drivers/extcon/extcon-fsa9480.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/extcon/extcon-fsa9480.c b/drivers/extcon/extcon-fsa9480.c index b11b43171063..30972a7214f7 100644 --- a/drivers/extcon/extcon-fsa9480.c +++ b/drivers/extcon/extcon-fsa9480.c @@ -68,6 +68,7 @@ #define DEV_T1_CHARGER_MASK (DEV_DEDICATED_CHG | DEV_USB_CHG) /* Device Type 2 */ +#define DEV_RESERVED 15 #define DEV_AV 14 #define DEV_TTY 13 #define DEV_PPD 12 @@ -133,6 +134,7 @@ static const u64 cable_types[] = { [DEV_USB] = BIT_ULL(EXTCON_USB) | BIT_ULL(EXTCON_CHG_USB_SDP), [DEV_AUDIO_2] = BIT_ULL(EXTCON_JACK_LINE_OUT), [DEV_AUDIO_1] = BIT_ULL(EXTCON_JACK_LINE_OUT), + [DEV_RESERVED] = 0, [DEV_AV] = BIT_ULL(EXTCON_JACK_LINE_OUT) | BIT_ULL(EXTCON_JACK_VIDEO_OUT), [DEV_TTY] = BIT_ULL(EXTCON_JIG), @@ -228,7 +230,7 @@ static void fsa9480_detect_dev(struct fsa9480_usbsw *usbsw) dev_err(usbsw->dev, "%s: failed to read registers", __func__); return; } - val = val2 << 8 | val1; + val = val2 << 8 | (val1 & 0xFF); dev_info(usbsw->dev, "dev1: 0x%x, dev2: 0x%x\n", val1, val2); -- 2.25.1

2 months

2
1
0 0

[PATCH net v2 1/3] net: libwx: remove duplicate page_pool_put_full_page()

by Jiawen Wu

page_pool_put_full_page() should only be invoked when freeing Rx buffers or building a skb if the size is too short. At other times, the pages need to be reused. So remove the redundant page put. In the original code, double free pages cause kernel panic: [ 876.949834] __irq_exit_rcu+0xc7/0x130 [ 876.949836] common_interrupt+0xb8/0xd0 [ 876.949838] </IRQ> [ 876.949838] <TASK> [ 876.949840] asm_common_interrupt+0x22/0x40 [ 876.949841] RIP: 0010:cpuidle_enter_state+0xc2/0x420 [ 876.949843] Code: 00 00 e8 d1 1d 5e ff e8 ac f0 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 cd fc 5c ff 45 84 ff 0f 85 40 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 84 01 00 00 49 63 d6 48 8d 04 52 48 8d 04 82 49 8d [ 876.949844] RSP: 0018:ffffaa7340267e78 EFLAGS: 00000246 [ 876.949845] RAX: ffff9e3f135be000 RBX: 0000000000000002 RCX: 0000000000000000 [ 876.949846] RDX: 000000cc2dc4cb7c RSI: ffffffff89ee49ae RDI: ffffffff89ef9f9e [ 876.949847] RBP: ffff9e378f940800 R08: 0000000000000002 R09: 00000000000000ed [ 876.949848] R10: 000000000000afc8 R11: ffff9e3e9e5a9b6c R12: ffffffff8a6d8580 [ 876.949849] R13: 000000cc2dc4cb7c R14: 0000000000000002 R15: 0000000000000000 [ 876.949852] ? cpuidle_enter_state+0xb3/0x420 [ 876.949855] cpuidle_enter+0x29/0x40 [ 876.949857] cpuidle_idle_call+0xfd/0x170 [ 876.949859] do_idle+0x7a/0xc0 [ 876.949861] cpu_startup_entry+0x25/0x30 [ 876.949862] start_secondary+0x117/0x140 [ 876.949864] common_startup_64+0x13e/0x148 [ 876.949867] </TASK> [ 876.949868] ---[ end trace 0000000000000000 ]--- [ 876.949869] ------------[ cut here ]------------ [ 876.949870] list_del corruption, ffffead40445a348->next is NULL [ 876.949873] WARNING: CPU: 14 PID: 0 at lib/list_debug.c:52 __list_del_entry_valid_or_report+0x67/0x120 [ 876.949875] Modules linked in: snd_hrtimer(E) bnep(E) binfmt_misc(E) amdgpu(E) squashfs(E) vfat(E) loop(E) fat(E) amd_atl(E) snd_hda_codec_realtek(E) intel_rapl_msr(E) snd_hda_codec_generic(E) intel_rapl_common(E) snd_hda_scodec_component(E) snd_hda_codec_hdmi(E) snd_hda_intel(E) edac_mce_amd(E) snd_intel_dspcfg(E) snd_hda_codec(E) snd_hda_core(E) amdxcp(E) kvm_amd(E) snd_hwdep(E) gpu_sched(E) drm_panel_backlight_quirks(E) cec(E) snd_pcm(E) drm_buddy(E) snd_seq_dummy(E) drm_ttm_helper(E) btusb(E) kvm(E) snd_seq_oss(E) btrtl(E) ttm(E) btintel(E) snd_seq_midi(E) btbcm(E) drm_exec(E) snd_seq_midi_event(E) i2c_algo_bit(E) snd_rawmidi(E) bluetooth(E) drm_suballoc_helper(E) irqbypass(E) snd_seq(E) ghash_clmulni_intel(E) sha512_ssse3(E) drm_display_helper(E) aesni_intel(E) snd_seq_device(E) rfkill(E) snd_timer(E) gf128mul(E) drm_client_lib(E) drm_kms_helper(E) snd(E) i2c_piix4(E) joydev(E) soundcore(E) wmi_bmof(E) ccp(E) k10temp(E) i2c_smbus(E) gpio_amdpt(E) i2c_designware_platform(E) gpio_generic(E) sg(E) [ 876.949914] i2c_designware_core(E) sch_fq_codel(E) parport_pc(E) drm(E) ppdev(E) lp(E) parport(E) fuse(E) nfnetlink(E) ip_tables(E) ext4 crc16 mbcache jbd2 sd_mod sfp mdio_i2c i2c_core txgbe ahci ngbe pcs_xpcs libahci libwx r8169 phylink libata realtek ptp pps_core video wmi [ 876.949933] CPU: 14 UID: 0 PID: 0 Comm: swapper/14 Kdump: loaded Tainted: G W E 6.16.0-rc2+ #20 PREEMPT(voluntary) [ 876.949935] Tainted: [W]=WARN, [E]=UNSIGNED_MODULE [ 876.949936] Hardware name: Micro-Star International Co., Ltd. MS-7E16/X670E GAMING PLUS WIFI (MS-7E16), BIOS 1.90 12/31/2024 [ 876.949936] RIP: 0010:__list_del_entry_valid_or_report+0x67/0x120 [ 876.949938] Code: 00 00 00 48 39 7d 08 0f 85 a6 00 00 00 5b b8 01 00 00 00 5d 41 5c e9 73 0d 93 ff 48 89 fe 48 c7 c7 a0 31 e8 89 e8 59 7c b3 ff <0f> 0b 31 c0 5b 5d 41 5c e9 57 0d 93 ff 48 89 fe 48 c7 c7 c8 31 e8 [ 876.949940] RSP: 0018:ffffaa73405d0c60 EFLAGS: 00010282 [ 876.949941] RAX: 0000000000000000 RBX: ffffead40445a348 RCX: 0000000000000000 [ 876.949942] RDX: 0000000000000105 RSI: 0000000000000001 RDI: 00000000ffffffff [ 876.949943] RBP: 0000000000000000 R08: 000000010006dfde R09: ffffffff8a47d150 [ 876.949944] R10: ffffffff8a47d150 R11: 0000000000000003 R12: dead000000000122 [ 876.949945] R13: ffff9e3e9e5af700 R14: ffffead40445a348 R15: ffff9e3e9e5af720 [ 876.949946] FS: 0000000000000000(0000) GS:ffff9e3f135be000(0000) knlGS:0000000000000000 [ 876.949947] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 876.949948] CR2: 00007fa58b480048 CR3: 0000000156724000 CR4: 0000000000750ef0 [ 876.949949] PKRU: 55555554 [ 876.949950] Call Trace: [ 876.949951] <IRQ> [ 876.949952] __rmqueue_pcplist+0x53/0x2c0 [ 876.949955] alloc_pages_bulk_noprof+0x2e0/0x660 [ 876.949958] __page_pool_alloc_pages_slow+0xa9/0x400 [ 876.949961] page_pool_alloc_pages+0xa/0x20 [ 876.949963] wx_alloc_rx_buffers+0xd7/0x110 [libwx] [ 876.949967] wx_clean_rx_irq+0x262/0x430 [libwx] [ 876.949971] wx_poll+0x92/0x130 [libwx] [ 876.949975] __napi_poll+0x28/0x190 [ 876.949977] net_rx_action+0x301/0x3f0 [ 876.949980] ? srso_alias_return_thunk+0x5/0xfbef5 [ 876.949981] ? profile_tick+0x30/0x70 [ 876.949983] ? srso_alias_return_thunk+0x5/0xfbef5 [ 876.949984] ? srso_alias_return_thunk+0x5/0xfbef5 [ 876.949986] ? timerqueue_add+0xa3/0xc0 [ 876.949988] ? srso_alias_return_thunk+0x5/0xfbef5 [ 876.949989] ? __raise_softirq_irqoff+0x16/0x70 [ 876.949991] ? srso_alias_return_thunk+0x5/0xfbef5 [ 876.949993] ? srso_alias_return_thunk+0x5/0xfbef5 [ 876.949994] ? wx_msix_clean_rings+0x41/0x50 [libwx] [ 876.949998] handle_softirqs+0xf9/0x2c0 Fixes: 3c47e8ae113a ("net: libwx: Support to receive packets in NAPI") Cc: stable(a)vger.kernel.org Signed-off-by: Jiawen Wu <jiawenwu(a)trustnetic.com> --- drivers/net/ethernet/wangxun/libwx/wx_lib.c | 11 ----------- drivers/net/ethernet/wangxun/libwx/wx_type.h | 1 - 2 files changed, 12 deletions(-) diff --git a/drivers/net/ethernet/wangxun/libwx/wx_lib.c b/drivers/net/ethernet/wangxun/libwx/wx_lib.c index 55e252789db3..7e3d7fb61a52 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_lib.c +++ b/drivers/net/ethernet/wangxun/libwx/wx_lib.c @@ -174,10 +174,6 @@ static void wx_dma_sync_frag(struct wx_ring *rx_ring, skb_frag_off(frag), skb_frag_size(frag), DMA_FROM_DEVICE); - - /* If the page was released, just unmap it. */ - if (unlikely(WX_CB(skb)->page_released)) - page_pool_put_full_page(rx_ring->page_pool, rx_buffer->page, false); } static struct wx_rx_buffer *wx_get_rx_buffer(struct wx_ring *rx_ring, @@ -227,10 +223,6 @@ static void wx_put_rx_buffer(struct wx_ring *rx_ring, struct sk_buff *skb, int rx_buffer_pgcnt) { - if (!IS_ERR(skb) && WX_CB(skb)->dma == rx_buffer->dma) - /* the page has been released from the ring */ - WX_CB(skb)->page_released = true; - /* clear contents of rx_buffer */ rx_buffer->page = NULL; rx_buffer->skb = NULL; @@ -2423,9 +2415,6 @@ static void wx_clean_rx_ring(struct wx_ring *rx_ring) if (rx_buffer->skb) { struct sk_buff *skb = rx_buffer->skb; - if (WX_CB(skb)->page_released) - page_pool_put_full_page(rx_ring->page_pool, rx_buffer->page, false); - dev_kfree_skb(skb); } diff --git a/drivers/net/ethernet/wangxun/libwx/wx_type.h b/drivers/net/ethernet/wangxun/libwx/wx_type.h index c363379126c0..622f2bfe6cde 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_type.h +++ b/drivers/net/ethernet/wangxun/libwx/wx_type.h @@ -909,7 +909,6 @@ enum wx_reset_type { struct wx_cb { dma_addr_t dma; u16 append_cnt; /* number of skb's appended */ - bool page_released; bool dma_released; }; -- 2.48.1

2 months

2
1
0 0

[PATCH] init: Handle bootloader head in kernel parameters

by Huacai Chen

BootLoader may pass a head such as "BOOT_IMAGE=/boot/vmlinuz-x.y.z" to kernel parameters. But this head is not recognized by the kernel so will be passed to user space. However, user space init program also doesn't recognized it. KEXEC may also pass a head such as "kexec" on some architectures. So the the best way is handle it by the kernel itself, which can avoid such boot warnings: Kernel command line: BOOT_IMAGE=(hd0,1)/vmlinuz-6.x root=/dev/sda3 ro console=tty Unknown kernel command line parameters "BOOT_IMAGE=(hd0,1)/vmlinuz-6.x", will be passed to user space. Cc: stable(a)vger.kernel.org Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- init/main.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/init/main.c b/init/main.c index 225a58279acd..9e0a7e8913c0 100644 --- a/init/main.c +++ b/init/main.c @@ -545,6 +545,7 @@ static int __init unknown_bootoption(char *param, char *val, const char *unused, void *arg) { size_t len = strlen(param); + const char *bootloader[] = { "BOOT_IMAGE", "kexec", NULL }; /* Handle params aliased to sysctls */ if (sysctl_is_alias(param)) @@ -552,6 +553,12 @@ static int __init unknown_bootoption(char *param, char *val, repair_env_string(param, val); + /* Handle bootloader head */ + for (int i = 0; bootloader[i]; i++) { + if (!strncmp(param, bootloader[i], strlen(bootloader[i]))) + return 0; + } + /* Handle obsolete-style parameters */ if (obsolete_checksetup(param)) return 0; -- 2.47.1

2 months

3
10
0 0

[PATCH v5.10] vhost-scsi: protect vq->log_used with vq->mutex

by Xinyu Zheng

From: Dongli Zhang <dongli.zhang(a)oracle.com> [ Upstream commit f591cf9fce724e5075cc67488c43c6e39e8cbe27 ] The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used via VHOST_SET_VRING_ADDR. mutex_lock(&vq->mutex); vq->log_used = false now! mutex_unlock(&vq->mutex); QEMU gfree(vq->log_base) log_used() -> log_write(vq->log_base) Assuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace. The control queue path has the same issue. CVE-2025-38074 Cc: stable(a)vger.kernel.org#5.10.x Cc: gregkh(a)linuxfoundation.org Signed-off-by: Dongli Zhang <dongli.zhang(a)oracle.com> Acked-by: Jason Wang <jasowang(a)redhat.com> Reviewed-by: Mike Christie <michael.christie(a)oracle.com> Message-Id: <20250403063028.16045-2-dongli.zhang(a)oracle.com> Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> [ Conflicts in drivers/vhost/scsi.c bacause vhost_scsi_complete_cmd_work() has been refactored. ] Signed-off-by: Xinyu Zheng <zhengxinyu6(a)huawei.com> --- drivers/vhost/scsi.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c index a23a65e7d828..fcde3752b4f1 100644 --- a/drivers/vhost/scsi.c +++ b/drivers/vhost/scsi.c @@ -579,8 +579,10 @@ static void vhost_scsi_complete_cmd_work(struct vhost_work *work) ret = copy_to_iter(&v_rsp, sizeof(v_rsp), &iov_iter); if (likely(ret == sizeof(v_rsp))) { struct vhost_scsi_virtqueue *q; - vhost_add_used(cmd->tvc_vq, cmd->tvc_vq_desc, 0); q = container_of(cmd->tvc_vq, struct vhost_scsi_virtqueue, vq); + mutex_lock(&q->vq.mutex); + vhost_add_used(cmd->tvc_vq, cmd->tvc_vq_desc, 0); + mutex_unlock(&q->vq.mutex); vq = q - vs->vqs; __set_bit(vq, signal); } else @@ -1193,8 +1195,11 @@ static void vhost_scsi_tmf_resp_work(struct vhost_work *work) else resp_code = VIRTIO_SCSI_S_FUNCTION_REJECTED; + mutex_lock(&tmf->svq->vq.mutex); vhost_scsi_send_tmf_resp(tmf->vhost, &tmf->svq->vq, tmf->in_iovs, tmf->vq_desc, &tmf->resp_iov, resp_code); + mutex_unlock(&tmf->svq->vq.mutex); + vhost_scsi_release_tmf_res(tmf); } -- 2.34.1

2 months

4
3
0 0

[PATCH] cxl/region: Balance device refcount when destroying devices

by Ma Ke

Using device_find_child() to lookup the proper device to destroy causes an unbalance in device refcount, since device_find_child() calls an implicit get_device() to increment the device's reference count before returning the pointer. cxl_port_find_switch_decoder() directly converts this pointer to a cxl_decoder and returns it without releasing the reference properly. We should call put_device() to decrement reference count. As comment of device_find_child() says, 'NOTE: you will need to drop the reference with put_device() after use'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: d6879d8cfb81 ("cxl/region: Add function to find a port's switch decoder by range") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/cxl/core/region.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c index 6e5e1460068d..cae16d761261 100644 --- a/drivers/cxl/core/region.c +++ b/drivers/cxl/core/region.c @@ -3234,6 +3234,9 @@ cxl_port_find_switch_decoder(struct cxl_port *port, struct range *hpa) struct device *cxld_dev = device_find_child(&port->dev, hpa, match_decoder_by_range); + /* Drop the refcnt bumped implicitly by device_find_child */ + put_device(cxld_dev); + return cxld_dev ? to_cxl_decoder(cxld_dev) : NULL; } -- 2.25.1

2 months

2
1
0 0

FAILED: patch "[PATCH] ksmbd: fix a mount write count leak in" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 277627b431a0a6401635c416a21b2a0f77a77347 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071424-payroll-posh-4e3e@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 277627b431a0a6401635c416a21b2a0f77a77347 Mon Sep 17 00:00:00 2001 From: Al Viro <viro(a)zeniv.linux.org.uk> Date: Sun, 6 Jul 2025 02:26:45 +0100 Subject: [PATCH] ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() If the call of ksmbd_vfs_lock_parent() fails, we drop the parent_path references and return an error. We need to drop the write access we just got on parent_path->mnt before we drop the mount reference - callers assume that ksmbd_vfs_kern_path_locked() returns with mount write access grabbed if and only if it has returned 0. Fixes: 864fb5d37163 ("ksmbd: fix possible deadlock in smb2_open") Signed-off-by: Al Viro <viro(a)zeniv.linux.org.uk> Acked-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/vfs.c b/fs/smb/server/vfs.c index 0f3aad12e495..d3437f6644e3 100644 --- a/fs/smb/server/vfs.c +++ b/fs/smb/server/vfs.c @@ -1282,6 +1282,7 @@ int ksmbd_vfs_kern_path_locked(struct ksmbd_work *work, char *name, err = ksmbd_vfs_lock_parent(parent_path->dentry, path->dentry); if (err) { + mnt_drop_write(parent_path->mnt); path_put(path); path_put(parent_path); }

2 months

1
0
0 0

FAILED: patch "[PATCH] smb: server: make use of rdma_destroy_qp()" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 0c2b53997e8f5e2ec9e0fbd17ac0436466b65488 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071408-overarch-ashes-8fbd@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0c2b53997e8f5e2ec9e0fbd17ac0436466b65488 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher <metze(a)samba.org> Date: Wed, 2 Jul 2025 09:18:05 +0200 Subject: [PATCH] smb: server: make use of rdma_destroy_qp() The qp is created by rdma_create_qp() as t->cm_id->qp and t->qp is just a shortcut. rdma_destroy_qp() also calls ib_destroy_qp(cm_id->qp) internally, but it is protected by a mutex, clears the cm_id and also calls trace_cm_qp_destroy(). This should make the tracing more useful as both rdma_create_qp() and rdma_destroy_qp() are traces and it makes the code look more sane as functions from the same layer are used for the specific qp object. trace-cmd stream -e rdma_cma:cm_qp_create -e rdma_cma:cm_qp_destroy shows this now while doing a mount and unmount from a client: <...>-80 [002] 378.514182: cm_qp_create: cm.id=1 src=172.31.9.167:5445 dst=172.31.9.166:37113 tos=0 pd.id=0 qp_type=RC send_wr=867 recv_wr=255 qp_num=1 rc=0 <...>-6283 [001] 381.686172: cm_qp_destroy: cm.id=1 src=172.31.9.167:5445 dst=172.31.9.166:37113 tos=0 qp_num=1 Before we only saw the first line. Cc: Namjae Jeon <linkinjeon(a)kernel.org> Cc: Steve French <stfrench(a)microsoft.com> Cc: Sergey Senozhatsky <sergey.senozhatsky(a)gmail.com> Cc: Hyunchul Lee <hyc.lee(a)gmail.com> Cc: Tom Talpey <tom(a)talpey.com> Cc: linux-cifs(a)vger.kernel.org Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers") Signed-off-by: Stefan Metzmacher <metze(a)samba.org> Reviewed-by: Tom Talpey <tom(a)talpey.com> Acked-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/transport_rdma.c b/fs/smb/server/transport_rdma.c index 64a428a06ace..c6cbe0d56e32 100644 --- a/fs/smb/server/transport_rdma.c +++ b/fs/smb/server/transport_rdma.c @@ -433,7 +433,8 @@ static void free_transport(struct smb_direct_transport *t) if (t->qp) { ib_drain_qp(t->qp); ib_mr_pool_destroy(t->qp, &t->qp->rdma_mrs); - ib_destroy_qp(t->qp); + t->qp = NULL; + rdma_destroy_qp(t->cm_id); } ksmbd_debug(RDMA, "drain the reassembly queue\n"); @@ -1940,8 +1941,8 @@ static int smb_direct_create_qpair(struct smb_direct_transport *t, return 0; err: if (t->qp) { - ib_destroy_qp(t->qp); t->qp = NULL; + rdma_destroy_qp(t->cm_id); } if (t->recv_cq) { ib_destroy_cq(t->recv_cq);

2 months

1
0
0 0

[PATCH 1/2] objtool/rust: add one more `noreturn` Rust function for Rust 1.89.0

by Miguel Ojeda

Starting with Rust 1.89.0 (expected 2025-08-07), under `CONFIG_RUST_DEBUG_ASSERTIONS=y`, `objtool` may report: rust/kernel.o: warning: objtool: _R..._6kernel4pageNtB5_4Page8read_raw() falls through to next function _R..._6kernel4pageNtB5_4Page9write_raw() (and many others) due to calls to the `noreturn` symbol: core::panicking::panic_nounwind_fmt Thus add the mangled one to the list so that `objtool` knows it is actually `noreturn`. See commit 56d680dd23c3 ("objtool/rust: list `noreturn` Rust functions") for more details. Cc: stable(a)vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs). Cc: Josh Poimboeuf <jpoimboe(a)kernel.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Signed-off-by: Miguel Ojeda <ojeda(a)kernel.org> --- tools/objtool/check.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/objtool/check.c b/tools/objtool/check.c index f23bdda737aa..3257eefc41ed 100644 --- a/tools/objtool/check.c +++ b/tools/objtool/check.c @@ -224,6 +224,7 @@ static bool is_rust_noreturn(const struct symbol *func) str_ends_with(func->name, "_4core9panicking14panic_explicit") || str_ends_with(func->name, "_4core9panicking14panic_nounwind") || str_ends_with(func->name, "_4core9panicking18panic_bounds_check") || + str_ends_with(func->name, "_4core9panicking18panic_nounwind_fmt") || str_ends_with(func->name, "_4core9panicking19assert_failed_inner") || str_ends_with(func->name, "_4core9panicking30panic_null_pointer_dereference") || str_ends_with(func->name, "_4core9panicking36panic_misaligned_pointer_dereference") || -- 2.50.1

2 months

3
3
0 0

[PATCH 2/2] rust: use `#[used(compiler)]` to fix build and `modpost` with Rust >= 1.89.0

by Miguel Ojeda

Starting with Rust 1.89.0 (expected 2025-08-07), the Rust compiler fails to build the `rusttest` target due to undefined references such as: kernel...-cgu.0:(.text....+0x116): undefined reference to `rust_helper_kunit_get_current_test' Moreover, tooling like `modpost` gets confused: WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/gpu/drm/nova/nova.o ERROR: modpost: missing MODULE_LICENSE() in drivers/gpu/nova-core/nova_core.o The reason behind both issues is that the Rust compiler will now [1] treat `#[used]` as `#[used(linker)]` instead of `#[used(compiler)]` for our targets. This means that the retain section flag (`R`, `SHF_GNU_RETAIN`) will be used and that they will be marked as `unique` too, with different IDs. In turn, that means we end up with undefined references that did not get discarded in `rusttest` and that multiple `.modinfo` sections are generated, which confuse tooling like `modpost` because they only expect one. Thus start using `#[used(compiler)]` to keep the previous behavior and to be explicit about what we want. Sadly, it is an unstable feature (`used_with_arg`) [2] -- we will talk to upstream Rust about it. The good news is that it has been available for a long time (Rust >= 1.60) [3]. The changes should also be fine for previous Rust versions, since they behave the same way as before [4]. Alternatively, we could use `#[no_mangle]` or `#[export_name = ...]` since those still behave like `#[used(compiler)]`, but of course it is not really what we want to express, and it requires other changes to avoid symbol conflicts. Cc: Björn Roy Baron <bjorn3_gh(a)protonmail.com> Cc: David Wood <david(a)davidtw.co> Cc: Wesley Wiser <wwiser(a)gmail.com> Cc: stable(a)vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs). Link: https://github.com/rust-lang/rust/pull/140872 [1] Link: https://github.com/rust-lang/rust/issues/93798 [2] Link: https://github.com/rust-lang/rust/pull/91504 [3] Link: https://godbolt.org/z/sxzWTMfzW [4] Signed-off-by: Miguel Ojeda <ojeda(a)kernel.org> --- rust/Makefile | 1 + rust/kernel/firmware.rs | 2 +- rust/kernel/kunit.rs | 2 +- rust/kernel/lib.rs | 3 +++ rust/macros/module.rs | 10 +++++----- scripts/Makefile.build | 3 ++- 6 files changed, 13 insertions(+), 8 deletions(-) diff --git a/rust/Makefile b/rust/Makefile index 27dec7904c3a..115b63b7d1e3 100644 --- a/rust/Makefile +++ b/rust/Makefile @@ -194,6 +194,7 @@ quiet_cmd_rustdoc_test = RUSTDOC T $< RUST_MODFILE=test.rs \ OBJTREE=$(abspath $(objtree)) \ $(RUSTDOC) --test $(rust_common_flags) \ + -Zcrate-attr='feature(used_with_arg)' \ @$(objtree)/include/generated/rustc_cfg \ $(rustc_target_flags) $(rustdoc_test_target_flags) \ $(rustdoc_test_quiet) \ diff --git a/rust/kernel/firmware.rs b/rust/kernel/firmware.rs index 2494c96e105f..4fe621f35716 100644 --- a/rust/kernel/firmware.rs +++ b/rust/kernel/firmware.rs @@ -202,7 +202,7 @@ macro_rules! module_firmware { }; #[link_section = ".modinfo"] - #[used] + #[used(compiler)] static __MODULE_FIRMWARE: [u8; $($builder)*::create(__MODULE_FIRMWARE_PREFIX) .build_length()] = $($builder)*::create(__MODULE_FIRMWARE_PREFIX).build(); }; diff --git a/rust/kernel/kunit.rs b/rust/kernel/kunit.rs index 4b8cdcb21e77..b9e65905e121 100644 --- a/rust/kernel/kunit.rs +++ b/rust/kernel/kunit.rs @@ -302,7 +302,7 @@ macro_rules! kunit_unsafe_test_suite { is_init: false, }; - #[used] + #[used(compiler)] #[allow(unused_unsafe)] #[cfg_attr(not(target_os = "macos"), link_section = ".kunit_test_suites")] static mut KUNIT_TEST_SUITE_ENTRY: *const ::kernel::bindings::kunit_suite = diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs index 6b4774b2b1c3..e13d6ed88fa6 100644 --- a/rust/kernel/lib.rs +++ b/rust/kernel/lib.rs @@ -34,6 +34,9 @@ // Expected to become stable. #![feature(arbitrary_self_types)] // +// To be determined. +#![feature(used_with_arg)] +// // `feature(derive_coerce_pointee)` is expected to become stable. Before Rust // 1.84.0, it did not exist, so enable the predecessor features. #![cfg_attr(CONFIG_RUSTC_HAS_COERCE_POINTEE, feature(derive_coerce_pointee))] diff --git a/rust/macros/module.rs b/rust/macros/module.rs index 2ddd2eeb2852..75efc6eeeafc 100644 --- a/rust/macros/module.rs +++ b/rust/macros/module.rs @@ -57,7 +57,7 @@ fn emit_base(&mut self, field: &str, content: &str, builtin: bool) { {cfg} #[doc(hidden)] #[cfg_attr(not(target_os = \"macos\"), link_section = \".modinfo\")] - #[used] + #[used(compiler)] pub static __{module}_{counter}: [u8; {length}] = *{string}; ", cfg = if builtin { @@ -249,7 +249,7 @@ mod __module_init {{ // key or a new section. For the moment, keep it simple. #[cfg(MODULE)] #[doc(hidden)] - #[used] + #[used(compiler)] static __IS_RUST_MODULE: () = (); static mut __MOD: ::core::mem::MaybeUninit<{type_}> = @@ -273,7 +273,7 @@ mod __module_init {{ #[cfg(MODULE)] #[doc(hidden)] - #[used] + #[used(compiler)] #[link_section = \".init.data\"] static __UNIQUE_ID___addressable_init_module: unsafe extern \"C\" fn() -> i32 = init_module; @@ -293,7 +293,7 @@ mod __module_init {{ #[cfg(MODULE)] #[doc(hidden)] - #[used] + #[used(compiler)] #[link_section = \".exit.data\"] static __UNIQUE_ID___addressable_cleanup_module: extern \"C\" fn() = cleanup_module; @@ -303,7 +303,7 @@ mod __module_init {{ #[cfg(not(CONFIG_HAVE_ARCH_PREL32_RELOCATIONS))] #[doc(hidden)] #[link_section = \"{initcall_section}\"] - #[used] + #[used(compiler)] pub static __{ident}_initcall: extern \"C\" fn() -> ::kernel::ffi::c_int = __{ident}_init; diff --git a/scripts/Makefile.build b/scripts/Makefile.build index a6461ea411f7..ba71b27aa363 100644 --- a/scripts/Makefile.build +++ b/scripts/Makefile.build @@ -312,10 +312,11 @@ $(obj)/%.lst: $(obj)/%.c FORCE # - Stable since Rust 1.82.0: `feature(asm_const)`, `feature(raw_ref_op)`. # - Stable since Rust 1.87.0: `feature(asm_goto)`. # - Expected to become stable: `feature(arbitrary_self_types)`. +# - To be determined: `feature(used_with_arg)`. # # Please see https://github.com/Rust-for-Linux/linux/issues/2 for details on # the unstable features in use. -rust_allowed_features := asm_const,asm_goto,arbitrary_self_types,lint_reasons,raw_ref_op +rust_allowed_features := asm_const,asm_goto,arbitrary_self_types,lint_reasons,raw_ref_op,used_with_arg # `--out-dir` is required to avoid temporaries being created by `rustc` in the # current working directory, which may be not accessible in the out-of-tree -- 2.50.1

2 months

2
1
0 0

[PATCH] LoongArch: Make relocate_new_kernel_size be a .quad value

by Huacai Chen

Now relocate_new_kernel_size is a .long value, which means 32bit, so its high 32bit is undefined. This causes memcpy((void *)reboot_code_buffer, relocate_new_kernel, relocate_new_kernel_size) in machine_kexec_prepare() access out of range memories in some cases, and then end up with an ADE exception. So make relocate_new_kernel_size be a .quad value, which means 64bit, to avoid such errors. Cc: stable(a)vger.kernel.org Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- arch/loongarch/kernel/relocate_kernel.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/loongarch/kernel/relocate_kernel.S b/arch/loongarch/kernel/relocate_kernel.S index 84e6de2fd973..8b5140ac9ea1 100644 --- a/arch/loongarch/kernel/relocate_kernel.S +++ b/arch/loongarch/kernel/relocate_kernel.S @@ -109,4 +109,4 @@ SYM_CODE_END(kexec_smp_wait) relocate_new_kernel_end: .section ".data" -SYM_DATA(relocate_new_kernel_size, .long relocate_new_kernel_end - relocate_new_kernel) +SYM_DATA(relocate_new_kernel_size, .quad relocate_new_kernel_end - relocate_new_kernel) -- 2.47.1

2 months

1
0
0 0

FAILED: patch "[PATCH] kasan: remove kasan_find_vm_area() to prevent possible" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 6ee9b3d84775944fb8c8a447961cd01274ac671c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071348-swizzle-utter-2496@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6ee9b3d84775944fb8c8a447961cd01274ac671c Mon Sep 17 00:00:00 2001 From: Yeoreum Yun <yeoreum.yun(a)arm.com> Date: Thu, 3 Jul 2025 19:10:18 +0100 Subject: [PATCH] kasan: remove kasan_find_vm_area() to prevent possible deadlock find_vm_area() couldn't be called in atomic_context. If find_vm_area() is called to reports vm area information, kasan can trigger deadlock like: CPU0 CPU1 vmalloc(); alloc_vmap_area(); spin_lock(&vn->busy.lock) spin_lock_bh(&some_lock); <interrupt occurs> <in softirq> spin_lock(&some_lock); <access invalid address> kasan_report(); print_report(); print_address_description(); kasan_find_vm_area(); find_vm_area(); spin_lock(&vn->busy.lock) // deadlock! To prevent possible deadlock while kasan reports, remove kasan_find_vm_area(). Link: https://lkml.kernel.org/r/20250703181018.580833-1-yeoreum.yun@arm.com Fixes: c056a364e954 ("kasan: print virtual mapping info in reports") Signed-off-by: Yeoreum Yun <yeoreum.yun(a)arm.com> Reported-by: Yunseong Kim <ysk(a)kzalloc.com> Reviewed-by: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Cc: Alexander Potapenko <glider(a)google.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Byungchul Park <byungchul(a)sk.com> Cc: Dmitriy Vyukov <dvyukov(a)google.com> Cc: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Cc: Steven Rostedt <rostedt(a)goodmis.org> Cc: Vincenzo Frascino <vincenzo.frascino(a)arm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/kasan/report.c b/mm/kasan/report.c index 8357e1a33699..b0877035491f 100644 --- a/mm/kasan/report.c +++ b/mm/kasan/report.c @@ -370,36 +370,6 @@ static inline bool init_task_stack_addr(const void *addr) sizeof(init_thread_union.stack)); } -/* - * This function is invoked with report_lock (a raw_spinlock) held. A - * PREEMPT_RT kernel cannot call find_vm_area() as it will acquire a sleeping - * rt_spinlock. - * - * For !RT kernel, the PROVE_RAW_LOCK_NESTING config option will print a - * lockdep warning for this raw_spinlock -> spinlock dependency. This config - * option is enabled by default to ensure better test coverage to expose this - * kind of RT kernel problem. This lockdep splat, however, can be suppressed - * by using DEFINE_WAIT_OVERRIDE_MAP() if it serves a useful purpose and the - * invalid PREEMPT_RT case has been taken care of. - */ -static inline struct vm_struct *kasan_find_vm_area(void *addr) -{ - static DEFINE_WAIT_OVERRIDE_MAP(vmalloc_map, LD_WAIT_SLEEP); - struct vm_struct *va; - - if (IS_ENABLED(CONFIG_PREEMPT_RT)) - return NULL; - - /* - * Suppress lockdep warning and fetch vmalloc area of the - * offending address. - */ - lock_map_acquire_try(&vmalloc_map); - va = find_vm_area(addr); - lock_map_release(&vmalloc_map); - return va; -} - static void print_address_description(void *addr, u8 tag, struct kasan_report_info *info) { @@ -429,19 +399,8 @@ static void print_address_description(void *addr, u8 tag, } if (is_vmalloc_addr(addr)) { - struct vm_struct *va = kasan_find_vm_area(addr); - - if (va) { - pr_err("The buggy address belongs to the virtual mapping at\n" - " [%px, %px) created by:\n" - " %pS\n", - va->addr, va->addr + va->size, va->caller); - pr_err("\n"); - - page = vmalloc_to_page(addr); - } else { - pr_err("The buggy address %px belongs to a vmalloc virtual mapping\n", addr); - } + pr_err("The buggy address %px belongs to a vmalloc virtual mapping\n", addr); + page = vmalloc_to_page(addr); } if (page) {

2 months

2
1
0 0

[PATCH 6.12.y 1/1] kasan: remove kasan_find_vm_area() to prevent possible deadlock

by Yeoreum Yun

find_vm_area() couldn't be called in atomic_context. If find_vm_area() is called to reports vm area information, kasan can trigger deadlock like: CPU0 CPU1 vmalloc(); alloc_vmap_area(); spin_lock(&vn->busy.lock) spin_lock_bh(&some_lock); <interrupt occurs> <in softirq> spin_lock(&some_lock); <access invalid address> kasan_report(); print_report(); print_address_description(); kasan_find_vm_area(); find_vm_area(); spin_lock(&vn->busy.lock) // deadlock! To prevent possible deadlock while kasan reports, remove kasan_find_vm_area(). Link: https://lkml.kernel.org/r/20250703181018.580833-1-yeoreum.yun@arm.com Fixes: c056a364e954 ("kasan: print virtual mapping info in reports") Signed-off-by: Yeoreum Yun <yeoreum.yun(a)arm.com> Reported-by: Yunseong Kim <ysk(a)kzalloc.com> Reviewed-by: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Cc: Alexander Potapenko <glider(a)google.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Byungchul Park <byungchul(a)sk.com> Cc: Dmitriy Vyukov <dvyukov(a)google.com> Cc: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Cc: Steven Rostedt <rostedt(a)goodmis.org> Cc: Vincenzo Frascino <vincenzo.frascino(a)arm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> (cherry picked from commit 6ee9b3d84775944fb8c8a447961cd01274ac671c) --- mm/kasan/report.c | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/mm/kasan/report.c b/mm/kasan/report.c index c7c0083203cb..5675d6a412ef 100644 --- a/mm/kasan/report.c +++ b/mm/kasan/report.c @@ -398,17 +398,8 @@ static void print_address_description(void *addr, u8 tag, } if (is_vmalloc_addr(addr)) { - struct vm_struct *va = find_vm_area(addr); - - if (va) { - pr_err("The buggy address belongs to the virtual mapping at\n" - " [%px, %px) created by:\n" - " %pS\n", - va->addr, va->addr + va->size, va->caller); - pr_err("\n"); - - page = vmalloc_to_page(addr); - } + pr_err("The buggy address %px belongs to a vmalloc virtual mapping\n", addr); + page = vmalloc_to_page(addr); } if (page) { -- LEVI:{C3F47F37-75D8-414A-A8BA-3980EC8A46D7}

2 months

2
1
0 0

FAILED: patch "[PATCH] kasan: remove kasan_find_vm_area() to prevent possible" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 6ee9b3d84775944fb8c8a447961cd01274ac671c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071347-pregnant-dismount-40e9@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6ee9b3d84775944fb8c8a447961cd01274ac671c Mon Sep 17 00:00:00 2001 From: Yeoreum Yun <yeoreum.yun(a)arm.com> Date: Thu, 3 Jul 2025 19:10:18 +0100 Subject: [PATCH] kasan: remove kasan_find_vm_area() to prevent possible deadlock find_vm_area() couldn't be called in atomic_context. If find_vm_area() is called to reports vm area information, kasan can trigger deadlock like: CPU0 CPU1 vmalloc(); alloc_vmap_area(); spin_lock(&vn->busy.lock) spin_lock_bh(&some_lock); <interrupt occurs> <in softirq> spin_lock(&some_lock); <access invalid address> kasan_report(); print_report(); print_address_description(); kasan_find_vm_area(); find_vm_area(); spin_lock(&vn->busy.lock) // deadlock! To prevent possible deadlock while kasan reports, remove kasan_find_vm_area(). Link: https://lkml.kernel.org/r/20250703181018.580833-1-yeoreum.yun@arm.com Fixes: c056a364e954 ("kasan: print virtual mapping info in reports") Signed-off-by: Yeoreum Yun <yeoreum.yun(a)arm.com> Reported-by: Yunseong Kim <ysk(a)kzalloc.com> Reviewed-by: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Cc: Alexander Potapenko <glider(a)google.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Byungchul Park <byungchul(a)sk.com> Cc: Dmitriy Vyukov <dvyukov(a)google.com> Cc: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Cc: Steven Rostedt <rostedt(a)goodmis.org> Cc: Vincenzo Frascino <vincenzo.frascino(a)arm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/kasan/report.c b/mm/kasan/report.c index 8357e1a33699..b0877035491f 100644 --- a/mm/kasan/report.c +++ b/mm/kasan/report.c @@ -370,36 +370,6 @@ static inline bool init_task_stack_addr(const void *addr) sizeof(init_thread_union.stack)); } -/* - * This function is invoked with report_lock (a raw_spinlock) held. A - * PREEMPT_RT kernel cannot call find_vm_area() as it will acquire a sleeping - * rt_spinlock. - * - * For !RT kernel, the PROVE_RAW_LOCK_NESTING config option will print a - * lockdep warning for this raw_spinlock -> spinlock dependency. This config - * option is enabled by default to ensure better test coverage to expose this - * kind of RT kernel problem. This lockdep splat, however, can be suppressed - * by using DEFINE_WAIT_OVERRIDE_MAP() if it serves a useful purpose and the - * invalid PREEMPT_RT case has been taken care of. - */ -static inline struct vm_struct *kasan_find_vm_area(void *addr) -{ - static DEFINE_WAIT_OVERRIDE_MAP(vmalloc_map, LD_WAIT_SLEEP); - struct vm_struct *va; - - if (IS_ENABLED(CONFIG_PREEMPT_RT)) - return NULL; - - /* - * Suppress lockdep warning and fetch vmalloc area of the - * offending address. - */ - lock_map_acquire_try(&vmalloc_map); - va = find_vm_area(addr); - lock_map_release(&vmalloc_map); - return va; -} - static void print_address_description(void *addr, u8 tag, struct kasan_report_info *info) { @@ -429,19 +399,8 @@ static void print_address_description(void *addr, u8 tag, } if (is_vmalloc_addr(addr)) { - struct vm_struct *va = kasan_find_vm_area(addr); - - if (va) { - pr_err("The buggy address belongs to the virtual mapping at\n" - " [%px, %px) created by:\n" - " %pS\n", - va->addr, va->addr + va->size, va->caller); - pr_err("\n"); - - page = vmalloc_to_page(addr); - } else { - pr_err("The buggy address %px belongs to a vmalloc virtual mapping\n", addr); - } + pr_err("The buggy address %px belongs to a vmalloc virtual mapping\n", addr); + page = vmalloc_to_page(addr); } if (page) {

2 months

2
1
0 0

FAILED: patch "[PATCH] kasan: remove kasan_find_vm_area() to prevent possible" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 6ee9b3d84775944fb8c8a447961cd01274ac671c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071347-compel-crate-aeba@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6ee9b3d84775944fb8c8a447961cd01274ac671c Mon Sep 17 00:00:00 2001 From: Yeoreum Yun <yeoreum.yun(a)arm.com> Date: Thu, 3 Jul 2025 19:10:18 +0100 Subject: [PATCH] kasan: remove kasan_find_vm_area() to prevent possible deadlock find_vm_area() couldn't be called in atomic_context. If find_vm_area() is called to reports vm area information, kasan can trigger deadlock like: CPU0 CPU1 vmalloc(); alloc_vmap_area(); spin_lock(&vn->busy.lock) spin_lock_bh(&some_lock); <interrupt occurs> <in softirq> spin_lock(&some_lock); <access invalid address> kasan_report(); print_report(); print_address_description(); kasan_find_vm_area(); find_vm_area(); spin_lock(&vn->busy.lock) // deadlock! To prevent possible deadlock while kasan reports, remove kasan_find_vm_area(). Link: https://lkml.kernel.org/r/20250703181018.580833-1-yeoreum.yun@arm.com Fixes: c056a364e954 ("kasan: print virtual mapping info in reports") Signed-off-by: Yeoreum Yun <yeoreum.yun(a)arm.com> Reported-by: Yunseong Kim <ysk(a)kzalloc.com> Reviewed-by: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Cc: Alexander Potapenko <glider(a)google.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Byungchul Park <byungchul(a)sk.com> Cc: Dmitriy Vyukov <dvyukov(a)google.com> Cc: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Cc: Steven Rostedt <rostedt(a)goodmis.org> Cc: Vincenzo Frascino <vincenzo.frascino(a)arm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/kasan/report.c b/mm/kasan/report.c index 8357e1a33699..b0877035491f 100644 --- a/mm/kasan/report.c +++ b/mm/kasan/report.c @@ -370,36 +370,6 @@ static inline bool init_task_stack_addr(const void *addr) sizeof(init_thread_union.stack)); } -/* - * This function is invoked with report_lock (a raw_spinlock) held. A - * PREEMPT_RT kernel cannot call find_vm_area() as it will acquire a sleeping - * rt_spinlock. - * - * For !RT kernel, the PROVE_RAW_LOCK_NESTING config option will print a - * lockdep warning for this raw_spinlock -> spinlock dependency. This config - * option is enabled by default to ensure better test coverage to expose this - * kind of RT kernel problem. This lockdep splat, however, can be suppressed - * by using DEFINE_WAIT_OVERRIDE_MAP() if it serves a useful purpose and the - * invalid PREEMPT_RT case has been taken care of. - */ -static inline struct vm_struct *kasan_find_vm_area(void *addr) -{ - static DEFINE_WAIT_OVERRIDE_MAP(vmalloc_map, LD_WAIT_SLEEP); - struct vm_struct *va; - - if (IS_ENABLED(CONFIG_PREEMPT_RT)) - return NULL; - - /* - * Suppress lockdep warning and fetch vmalloc area of the - * offending address. - */ - lock_map_acquire_try(&vmalloc_map); - va = find_vm_area(addr); - lock_map_release(&vmalloc_map); - return va; -} - static void print_address_description(void *addr, u8 tag, struct kasan_report_info *info) { @@ -429,19 +399,8 @@ static void print_address_description(void *addr, u8 tag, } if (is_vmalloc_addr(addr)) { - struct vm_struct *va = kasan_find_vm_area(addr); - - if (va) { - pr_err("The buggy address belongs to the virtual mapping at\n" - " [%px, %px) created by:\n" - " %pS\n", - va->addr, va->addr + va->size, va->caller); - pr_err("\n"); - - page = vmalloc_to_page(addr); - } else { - pr_err("The buggy address %px belongs to a vmalloc virtual mapping\n", addr); - } + pr_err("The buggy address %px belongs to a vmalloc virtual mapping\n", addr); + page = vmalloc_to_page(addr); } if (page) {

2 months

2
1
0 0

FAILED: patch "[PATCH] x86/sev: Use TSC_FACTOR for Secure TSC frequency calculation" failed to apply to 6.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.15.y git checkout FETCH_HEAD git cherry-pick -x 52e1a03e6cf61ae165f59f41c44394a653a0a788 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071203-dime-overcook-61dc@gregkh' --subject-prefix 'PATCH 6.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 52e1a03e6cf61ae165f59f41c44394a653a0a788 Mon Sep 17 00:00:00 2001 From: Nikunj A Dadhania <nikunj(a)amd.com> Date: Mon, 30 Jun 2025 13:48:58 +0530 Subject: [PATCH] x86/sev: Use TSC_FACTOR for Secure TSC frequency calculation When using Secure TSC, the GUEST_TSC_FREQ MSR reports a frequency based on the nominal P0 frequency, which deviates slightly (typically ~0.2%) from the actual mean TSC frequency due to clocking parameters. Over extended VM uptime, this discrepancy accumulates, causing clock skew between the hypervisor and a SEV-SNP VM, leading to early timer interrupts as perceived by the guest. The guest kernel relies on the reported nominal frequency for TSC-based timekeeping, while the actual frequency set during SNP_LAUNCH_START may differ. This mismatch results in inaccurate time calculations, causing the guest to perceive hrtimers as firing earlier than expected. Utilize the TSC_FACTOR from the SEV firmware's secrets page (see "Secrets Page Format" in the SNP Firmware ABI Specification) to calculate the mean TSC frequency, ensuring accurate timekeeping and mitigating clock skew in SEV-SNP VMs. Use early_ioremap_encrypted() to map the secrets page as ioremap_encrypted() uses kmalloc() which is not available during early TSC initialization and causes a panic. [ bp: Drop the silly dummy var: https://lore.kernel.org/r/20250630192726.GBaGLlHl84xIopx4Pt@fat_crate.local ] Fixes: 73bbf3b0fbba ("x86/tsc: Init the TSC for Secure TSC guests") Signed-off-by: Nikunj A Dadhania <nikunj(a)amd.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/20250630081858.485187-1-nikunj@amd.com diff --git a/arch/x86/coco/sev/core.c b/arch/x86/coco/sev/core.c index b6db4e0b936b..7543a8b52c67 100644 --- a/arch/x86/coco/sev/core.c +++ b/arch/x86/coco/sev/core.c @@ -88,7 +88,7 @@ static const char * const sev_status_feat_names[] = { */ static u64 snp_tsc_scale __ro_after_init; static u64 snp_tsc_offset __ro_after_init; -static u64 snp_tsc_freq_khz __ro_after_init; +static unsigned long snp_tsc_freq_khz __ro_after_init; DEFINE_PER_CPU(struct sev_es_runtime_data*, runtime_data); DEFINE_PER_CPU(struct sev_es_save_area *, sev_vmsa); @@ -2167,15 +2167,31 @@ static unsigned long securetsc_get_tsc_khz(void) void __init snp_secure_tsc_init(void) { - unsigned long long tsc_freq_mhz; + struct snp_secrets_page *secrets; + unsigned long tsc_freq_mhz; + void *mem; if (!cc_platform_has(CC_ATTR_GUEST_SNP_SECURE_TSC)) return; + mem = early_memremap_encrypted(sev_secrets_pa, PAGE_SIZE); + if (!mem) { + pr_err("Unable to get TSC_FACTOR: failed to map the SNP secrets page.\n"); + sev_es_terminate(SEV_TERM_SET_LINUX, GHCB_TERM_SECURE_TSC); + } + + secrets = (__force struct snp_secrets_page *)mem; + setup_force_cpu_cap(X86_FEATURE_TSC_KNOWN_FREQ); rdmsrq(MSR_AMD64_GUEST_TSC_FREQ, tsc_freq_mhz); - snp_tsc_freq_khz = (unsigned long)(tsc_freq_mhz * 1000); + + /* Extract the GUEST TSC MHZ from BIT[17:0], rest is reserved space */ + tsc_freq_mhz &= GENMASK_ULL(17, 0); + + snp_tsc_freq_khz = SNP_SCALE_TSC_FREQ(tsc_freq_mhz * 1000, secrets->tsc_factor); x86_platform.calibrate_cpu = securetsc_get_tsc_khz; x86_platform.calibrate_tsc = securetsc_get_tsc_khz; + + early_memunmap(mem, PAGE_SIZE); } diff --git a/arch/x86/include/asm/sev.h b/arch/x86/include/asm/sev.h index 58e028d42e41..a631f7d7c0c0 100644 --- a/arch/x86/include/asm/sev.h +++ b/arch/x86/include/asm/sev.h @@ -223,6 +223,18 @@ struct snp_tsc_info_resp { u8 rsvd2[100]; } __packed; +/* + * Obtain the mean TSC frequency by decreasing the nominal TSC frequency with + * TSC_FACTOR as documented in the SNP Firmware ABI specification: + * + * GUEST_TSC_FREQ * (1 - (TSC_FACTOR * 0.00001)) + * + * which is equivalent to: + * + * GUEST_TSC_FREQ -= (GUEST_TSC_FREQ * TSC_FACTOR) / 100000; + */ +#define SNP_SCALE_TSC_FREQ(freq, factor) ((freq) - (freq) * (factor) / 100000) + struct snp_guest_req { void *req_buf; size_t req_sz; @@ -282,8 +294,11 @@ struct snp_secrets_page { u8 svsm_guest_vmpl; u8 rsvd3[3]; + /* The percentage decrease from nominal to mean TSC frequency. */ + u32 tsc_factor; + /* Remainder of page */ - u8 rsvd4[3744]; + u8 rsvd4[3740]; } __packed; struct snp_msg_desc {

2 months

2
1
0 0

[PATCH 1/1] iommu/vt-d: Optimize iotlb_sync_map for non-caching/non-RWBF modes

by Lu Baolu

The iotlb_sync_map iommu ops allows drivers to perform necessary cache flushes when new mappings are established. For the Intel iommu driver, this callback specifically serves two purposes: - To flush caches when a second-stage page table is attached to a device whose iommu is operating in caching mode (CAP_REG.CM==1). - To explicitly flush internal write buffers to ensure updates to memory- resident remapping structures are visible to hardware (CAP_REG.RWBF==1). However, in scenarios where neither caching mode nor the RWBF flag is active, the cache_tag_flush_range_np() helper, which is called in the iotlb_sync_map path, effectively becomes a no-op. Despite being a no-op, cache_tag_flush_range_np() involves iterating through all cache tags of the iommu's attached to the domain, protected by a spinlock. This unnecessary execution path introduces overhead, leading to a measurable I/O performance regression. On systems with NVMes under the same bridge, performance was observed to drop from approximately ~6150 MiB/s down to ~4985 MiB/s. Introduce a flag in the dmar_domain structure. This flag will only be set when iotlb_sync_map is required (i.e., when CM or RWBF is set). The cache_tag_flush_range_np() is called only for domains where this flag is set. Reported-by: Ioanna Alifieraki <ioanna-maria.alifieraki(a)canonical.com> Closes: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2115738 Link: https://lore.kernel.org/r/20250701171154.52435-1-ioanna-maria.alifieraki@ca… Fixes: 129dab6e1286 ("iommu/vt-d: Use cache_tag_flush_range_np() in iotlb_sync_map") Cc: stable(a)vger.kernel.org Signed-off-by: Lu Baolu <baolu.lu(a)linux.intel.com> --- drivers/iommu/intel/iommu.c | 19 ++++++++++++++++++- drivers/iommu/intel/iommu.h | 3 +++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c index 7aa3932251b2..f60201ee4be0 100644 --- a/drivers/iommu/intel/iommu.c +++ b/drivers/iommu/intel/iommu.c @@ -1796,6 +1796,18 @@ static int domain_setup_first_level(struct intel_iommu *iommu, (pgd_t *)pgd, flags, old); } +static bool domain_need_iotlb_sync_map(struct dmar_domain *domain, + struct intel_iommu *iommu) +{ + if (cap_caching_mode(iommu->cap) && !domain->use_first_level) + return true; + + if (rwbf_quirk || cap_rwbf(iommu->cap)) + return true; + + return false; +} + static int dmar_domain_attach_device(struct dmar_domain *domain, struct device *dev) { @@ -1833,6 +1845,8 @@ static int dmar_domain_attach_device(struct dmar_domain *domain, if (ret) goto out_block_translation; + domain->iotlb_sync_map |= domain_need_iotlb_sync_map(domain, iommu); + return 0; out_block_translation: @@ -3945,7 +3959,10 @@ static bool risky_device(struct pci_dev *pdev) static int intel_iommu_iotlb_sync_map(struct iommu_domain *domain, unsigned long iova, size_t size) { - cache_tag_flush_range_np(to_dmar_domain(domain), iova, iova + size - 1); + struct dmar_domain *dmar_domain = to_dmar_domain(domain); + + if (dmar_domain->iotlb_sync_map) + cache_tag_flush_range_np(dmar_domain, iova, iova + size - 1); return 0; } diff --git a/drivers/iommu/intel/iommu.h b/drivers/iommu/intel/iommu.h index 3ddbcc603de2..7ab2c34a5ecc 100644 --- a/drivers/iommu/intel/iommu.h +++ b/drivers/iommu/intel/iommu.h @@ -614,6 +614,9 @@ struct dmar_domain { u8 has_mappings:1; /* Has mappings configured through * iommu_map() interface. */ + u8 iotlb_sync_map:1; /* Need to flush IOTLB cache or write + * buffer when creating mappings. + */ spinlock_t lock; /* Protect device tracking lists */ struct list_head devices; /* all devices' list */ -- 2.43.0

2 months

3
3
0 0

[PATCH net v2 3/3] net: libwx: properly reset Rx ring descriptor

by Jiawen Wu

When device reset is triggered by feature changes such as toggling Rx VLAN offload, wx->do_reset() is called to reinitialize Rx rings. The hardware descriptor ring may retain stale values from previous sessions. And only set the length to 0 in rx_desc[0] would result in building malformed SKBs. Fix it to ensure a clean slate after device reset. [ 549.186435] [ C16] ------------[ cut here ]------------ [ 549.186457] [ C16] kernel BUG at net/core/skbuff.c:2814! [ 549.186468] [ C16] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 549.186472] [ C16] CPU: 16 UID: 0 PID: 0 Comm: swapper/16 Kdump: loaded Not tainted 6.16.0-rc4+ #23 PREEMPT(voluntary) [ 549.186476] [ C16] Hardware name: Micro-Star International Co., Ltd. MS-7E16/X670E GAMING PLUS WIFI (MS-7E16), BIOS 1.90 12/31/2024 [ 549.186478] [ C16] RIP: 0010:__pskb_pull_tail+0x3ff/0x510 [ 549.186484] [ C16] Code: 06 f0 ff 4f 34 74 7b 4d 8b 8c 24 c8 00 00 00 45 8b 84 24 c0 00 00 00 e9 c8 fd ff ff 48 c7 44 24 08 00 00 00 00 e9 5e fe ff ff <0f> 0b 31 c0 e9 23 90 5b ff 41 f7 c6 ff 0f 00 00 75 bf 49 8b 06 a8 [ 549.186487] [ C16] RSP: 0018:ffffb391c0640d70 EFLAGS: 00010282 [ 549.186490] [ C16] RAX: 00000000fffffff2 RBX: ffff8fe7e4d40200 RCX: 00000000fffffff2 [ 549.186492] [ C16] RDX: ffff8fe7c3a4bf8e RSI: 0000000000000180 RDI: ffff8fe7c3a4bf40 [ 549.186494] [ C16] RBP: ffffb391c0640da8 R08: ffff8fe7c3a4c0c0 R09: 000000000000000e [ 549.186496] [ C16] R10: ffffb391c0640d88 R11: 000000000000000e R12: ffff8fe7e4d40200 [ 549.186497] [ C16] R13: 00000000fffffff2 R14: ffff8fe7fa01a000 R15: 00000000fffffff2 [ 549.186499] [ C16] FS: 0000000000000000(0000) GS:ffff8fef5ae40000(0000) knlGS:0000000000000000 [ 549.186502] [ C16] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 549.186503] [ C16] CR2: 00007f77d81d6000 CR3: 000000051a032000 CR4: 0000000000750ef0 [ 549.186505] [ C16] PKRU: 55555554 [ 549.186507] [ C16] Call Trace: [ 549.186510] [ C16] <IRQ> [ 549.186513] [ C16] ? srso_alias_return_thunk+0x5/0xfbef5 [ 549.186517] [ C16] __skb_pad+0xc7/0xf0 [ 549.186523] [ C16] wx_clean_rx_irq+0x355/0x3b0 [libwx] [ 549.186533] [ C16] wx_poll+0x92/0x120 [libwx] [ 549.186540] [ C16] __napi_poll+0x28/0x190 [ 549.186544] [ C16] net_rx_action+0x301/0x3f0 [ 549.186548] [ C16] ? srso_alias_return_thunk+0x5/0xfbef5 [ 549.186551] [ C16] ? __raw_spin_lock_irqsave+0x1e/0x50 [ 549.186554] [ C16] ? srso_alias_return_thunk+0x5/0xfbef5 [ 549.186557] [ C16] ? wake_up_nohz_cpu+0x35/0x160 [ 549.186559] [ C16] ? srso_alias_return_thunk+0x5/0xfbef5 [ 549.186563] [ C16] handle_softirqs+0xf9/0x2c0 [ 549.186568] [ C16] __irq_exit_rcu+0xc7/0x130 [ 549.186572] [ C16] common_interrupt+0xb8/0xd0 [ 549.186576] [ C16] </IRQ> [ 549.186577] [ C16] <TASK> [ 549.186579] [ C16] asm_common_interrupt+0x22/0x40 [ 549.186582] [ C16] RIP: 0010:cpuidle_enter_state+0xc2/0x420 [ 549.186585] [ C16] Code: 00 00 e8 11 0e 5e ff e8 ac f0 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 0d ed 5c ff 45 84 ff 0f 85 40 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 84 01 00 00 49 63 d6 48 8d 04 52 48 8d 04 82 49 8d [ 549.186587] [ C16] RSP: 0018:ffffb391c0277e78 EFLAGS: 00000246 [ 549.186590] [ C16] RAX: ffff8fef5ae40000 RBX: 0000000000000003 RCX: 0000000000000000 [ 549.186591] [ C16] RDX: 0000007fde0faac5 RSI: ffffffff826e53f6 RDI: ffffffff826fa9b3 [ 549.186593] [ C16] RBP: ffff8fe7c3a20800 R08: 0000000000000002 R09: 0000000000000000 [ 549.186595] [ C16] R10: 0000000000000000 R11: 000000000000ffff R12: ffffffff82ed7a40 [ 549.186596] [ C16] R13: 0000007fde0faac5 R14: 0000000000000003 R15: 0000000000000000 [ 549.186601] [ C16] ? cpuidle_enter_state+0xb3/0x420 [ 549.186605] [ C16] cpuidle_enter+0x29/0x40 [ 549.186609] [ C16] cpuidle_idle_call+0xfd/0x170 [ 549.186613] [ C16] do_idle+0x7a/0xc0 [ 549.186616] [ C16] cpu_startup_entry+0x25/0x30 [ 549.186618] [ C16] start_secondary+0x117/0x140 [ 549.186623] [ C16] common_startup_64+0x13e/0x148 [ 549.186628] [ C16] </TASK> Fixes: 3c47e8ae113a ("net: libwx: Support to receive packets in NAPI") Cc: stable(a)vger.kernel.org Signed-off-by: Jiawen Wu <jiawenwu(a)trustnetic.com> Reviewed-by: Simon Horman <horms(a)kernel.org> --- drivers/net/ethernet/wangxun/libwx/wx_hw.c | 7 +++---- drivers/net/ethernet/wangxun/libwx/wx_lib.c | 5 +++++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/net/ethernet/wangxun/libwx/wx_hw.c b/drivers/net/ethernet/wangxun/libwx/wx_hw.c index 7ae3786d90b8..f0823aa1ede6 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_hw.c +++ b/drivers/net/ethernet/wangxun/libwx/wx_hw.c @@ -1912,7 +1912,6 @@ static void wx_configure_rx_ring(struct wx *wx, struct wx_ring *ring) { u16 reg_idx = ring->reg_idx; - union wx_rx_desc *rx_desc; u64 rdba = ring->dma; u32 rxdctl; @@ -1942,9 +1941,9 @@ static void wx_configure_rx_ring(struct wx *wx, memset(ring->rx_buffer_info, 0, sizeof(struct wx_rx_buffer) * ring->count); - /* initialize Rx descriptor 0 */ - rx_desc = WX_RX_DESC(ring, 0); - rx_desc->wb.upper.length = 0; + /* reset ntu and ntc to place SW in sync with hardware */ + ring->next_to_clean = 0; + ring->next_to_use = 0; /* enable receive descriptor ring */ wr32m(wx, WX_PX_RR_CFG(reg_idx), diff --git a/drivers/net/ethernet/wangxun/libwx/wx_lib.c b/drivers/net/ethernet/wangxun/libwx/wx_lib.c index c91487909811..0213ad5a6ceb 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_lib.c +++ b/drivers/net/ethernet/wangxun/libwx/wx_lib.c @@ -357,6 +357,8 @@ void wx_alloc_rx_buffers(struct wx_ring *rx_ring, u16 cleaned_count) /* clear the status bits for the next_to_use descriptor */ rx_desc->wb.upper.status_error = 0; + /* clear the length for the next_to_use descriptor */ + rx_desc->wb.upper.length = 0; cleaned_count--; } while (cleaned_count); @@ -2438,6 +2440,9 @@ static void wx_clean_rx_ring(struct wx_ring *rx_ring) } } + /* Zero out the descriptor ring */ + memset(rx_ring->desc, 0, rx_ring->size); + rx_ring->next_to_alloc = 0; rx_ring->next_to_clean = 0; rx_ring->next_to_use = 0; -- 2.48.1

2 months

1
0
0 0

[PATCH net v2 2/3] net: libwx: fix the using of Rx buffer DMA

by Jiawen Wu

The wx_rx_buffer structure contained two DMA address fields: 'dma' and 'page_dma'. However, only 'page_dma' was actually initialized and used to program the Rx descriptor. But 'dma' was uninitialized and used in some paths. This could lead to undefined behavior, including DMA errors or use-after-free, if the uninitialized 'dma' was used. Althrough such error has not yet occurred, it is worth fixing in the code. Fixes: 3c47e8ae113a ("net: libwx: Support to receive packets in NAPI") Cc: stable(a)vger.kernel.org Signed-off-by: Jiawen Wu <jiawenwu(a)trustnetic.com> Reviewed-by: Simon Horman <horms(a)kernel.org> --- drivers/net/ethernet/wangxun/libwx/wx_lib.c | 4 ++-- drivers/net/ethernet/wangxun/libwx/wx_type.h | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/wangxun/libwx/wx_lib.c b/drivers/net/ethernet/wangxun/libwx/wx_lib.c index 7e3d7fb61a52..c91487909811 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_lib.c +++ b/drivers/net/ethernet/wangxun/libwx/wx_lib.c @@ -307,7 +307,7 @@ static bool wx_alloc_mapped_page(struct wx_ring *rx_ring, return false; dma = page_pool_get_dma_addr(page); - bi->page_dma = dma; + bi->dma = dma; bi->page = page; bi->page_offset = 0; @@ -344,7 +344,7 @@ void wx_alloc_rx_buffers(struct wx_ring *rx_ring, u16 cleaned_count) DMA_FROM_DEVICE); rx_desc->read.pkt_addr = - cpu_to_le64(bi->page_dma + bi->page_offset); + cpu_to_le64(bi->dma + bi->page_offset); rx_desc++; bi++; diff --git a/drivers/net/ethernet/wangxun/libwx/wx_type.h b/drivers/net/ethernet/wangxun/libwx/wx_type.h index 622f2bfe6cde..1a90fcede86b 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_type.h +++ b/drivers/net/ethernet/wangxun/libwx/wx_type.h @@ -997,7 +997,6 @@ struct wx_tx_buffer { struct wx_rx_buffer { struct sk_buff *skb; dma_addr_t dma; - dma_addr_t page_dma; struct page *page; unsigned int page_offset; }; -- 2.48.1

2 months

1
0
0 0

FAILED: patch "[PATCH] net: wangxun: revert the adjustment of the IRQ vector" failed to apply to 6.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.15.y git checkout FETCH_HEAD git cherry-pick -x e37546ad1f9b2c777d3a21d7e50ce265ee3dece8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070625-walnut-bargraph-970b@gregkh' --subject-prefix 'PATCH 6.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e37546ad1f9b2c777d3a21d7e50ce265ee3dece8 Mon Sep 17 00:00:00 2001 From: Jiawen Wu <jiawenwu(a)trustnetic.com> Date: Tue, 1 Jul 2025 14:30:29 +0800 Subject: [PATCH] net: wangxun: revert the adjustment of the IRQ vector sequence Due to hardware limitations of NGBE, queue IRQs can only be requested on vector 0 to 7. When the number of queues is set to the maximum 8, the PCI IRQ vectors are allocated from 0 to 8. The vector 0 is used by MISC interrupt, and althrough the vector 8 is used by queue interrupt, it is unable to receive packets. This will cause some packets to be dropped when RSS is enabled and they are assigned to queue 8. So revert the adjustment of the MISC IRQ location, to make it be the last one in IRQ vectors. Fixes: 937d46ecc5f9 ("net: wangxun: add ethtool_ops for channel number") Cc: stable(a)vger.kernel.org Signed-off-by: Jiawen Wu <jiawenwu(a)trustnetic.com> Reviewed-by: Larysa Zaremba <larysa.zaremba(a)intel.com> Link: https://patch.msgid.link/20250701063030.59340-3-jiawenwu@trustnetic.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> diff --git a/drivers/net/ethernet/wangxun/libwx/wx_lib.c b/drivers/net/ethernet/wangxun/libwx/wx_lib.c index 59840ba9c1fe..835d60bd5fbc 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_lib.c +++ b/drivers/net/ethernet/wangxun/libwx/wx_lib.c @@ -1747,7 +1747,7 @@ static void wx_set_num_queues(struct wx *wx) */ static int wx_acquire_msix_vectors(struct wx *wx) { - struct irq_affinity affd = { .pre_vectors = 1 }; + struct irq_affinity affd = { .post_vectors = 1 }; int nvecs, i; /* We start by asking for one vector per queue pair */ @@ -1784,16 +1784,17 @@ static int wx_acquire_msix_vectors(struct wx *wx) return nvecs; } - wx->msix_entry->entry = 0; - wx->msix_entry->vector = pci_irq_vector(wx->pdev, 0); nvecs -= 1; for (i = 0; i < nvecs; i++) { wx->msix_q_entries[i].entry = i; - wx->msix_q_entries[i].vector = pci_irq_vector(wx->pdev, i + 1); + wx->msix_q_entries[i].vector = pci_irq_vector(wx->pdev, i); } wx->num_q_vectors = nvecs; + wx->msix_entry->entry = nvecs; + wx->msix_entry->vector = pci_irq_vector(wx->pdev, nvecs); + return 0; } @@ -2300,8 +2301,6 @@ static void wx_set_ivar(struct wx *wx, s8 direction, wr32(wx, WX_PX_MISC_IVAR, ivar); } else { /* tx or rx causes */ - if (!(wx->mac.type == wx_mac_em && wx->num_vfs == 7)) - msix_vector += 1; /* offset for queue vectors */ msix_vector |= WX_PX_IVAR_ALLOC_VAL; index = ((16 * (queue & 1)) + (8 * direction)); ivar = rd32(wx, WX_PX_IVAR(queue >> 1)); @@ -2340,7 +2339,7 @@ void wx_write_eitr(struct wx_q_vector *q_vector) itr_reg |= WX_PX_ITR_CNT_WDIS; - wr32(wx, WX_PX_ITR(v_idx + 1), itr_reg); + wr32(wx, WX_PX_ITR(v_idx), itr_reg); } /** @@ -2393,9 +2392,9 @@ void wx_configure_vectors(struct wx *wx) wx_write_eitr(q_vector); } - wx_set_ivar(wx, -1, 0, 0); + wx_set_ivar(wx, -1, 0, v_idx); if (pdev->msix_enabled) - wr32(wx, WX_PX_ITR(0), 1950); + wr32(wx, WX_PX_ITR(v_idx), 1950); } EXPORT_SYMBOL(wx_configure_vectors); diff --git a/drivers/net/ethernet/wangxun/libwx/wx_type.h b/drivers/net/ethernet/wangxun/libwx/wx_type.h index 7730c9fc3e02..d392394791b3 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_type.h +++ b/drivers/net/ethernet/wangxun/libwx/wx_type.h @@ -1343,7 +1343,7 @@ struct wx { }; #define WX_INTR_ALL (~0ULL) -#define WX_INTR_Q(i) BIT((i) + 1) +#define WX_INTR_Q(i) BIT((i)) /* register operations */ #define wr32(a, reg, value) writel((value), ((a)->hw_addr + (reg))) diff --git a/drivers/net/ethernet/wangxun/ngbe/ngbe_main.c b/drivers/net/ethernet/wangxun/ngbe/ngbe_main.c index b5022c49dc5e..68415a7ef12f 100644 --- a/drivers/net/ethernet/wangxun/ngbe/ngbe_main.c +++ b/drivers/net/ethernet/wangxun/ngbe/ngbe_main.c @@ -161,7 +161,7 @@ static void ngbe_irq_enable(struct wx *wx, bool queues) if (queues) wx_intr_enable(wx, NGBE_INTR_ALL); else - wx_intr_enable(wx, NGBE_INTR_MISC); + wx_intr_enable(wx, NGBE_INTR_MISC(wx)); } /** diff --git a/drivers/net/ethernet/wangxun/ngbe/ngbe_type.h b/drivers/net/ethernet/wangxun/ngbe/ngbe_type.h index bb74263f0498..6eca6de475f7 100644 --- a/drivers/net/ethernet/wangxun/ngbe/ngbe_type.h +++ b/drivers/net/ethernet/wangxun/ngbe/ngbe_type.h @@ -87,7 +87,7 @@ #define NGBE_PX_MISC_IC_TIMESYNC BIT(11) /* time sync */ #define NGBE_INTR_ALL 0x1FF -#define NGBE_INTR_MISC BIT(0) +#define NGBE_INTR_MISC(A) BIT((A)->num_q_vectors) #define NGBE_PHY_CONFIG(reg_offset) (0x14000 + ((reg_offset) * 4)) #define NGBE_CFG_LAN_SPEED 0x14440 diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c b/drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c index dc468053bdf8..3885283681ec 100644 --- a/drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c +++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c @@ -31,7 +31,7 @@ void txgbe_irq_enable(struct wx *wx, bool queues) wr32(wx, WX_PX_MISC_IEN, misc_ien); /* unmask interrupt */ - wx_intr_enable(wx, TXGBE_INTR_MISC); + wx_intr_enable(wx, TXGBE_INTR_MISC(wx)); if (queues) wx_intr_enable(wx, TXGBE_INTR_QALL(wx)); } @@ -131,7 +131,7 @@ static irqreturn_t txgbe_misc_irq_handle(int irq, void *data) txgbe->eicr = eicr; if (eicr & TXGBE_PX_MISC_IC_VF_MBOX) { wx_msg_task(txgbe->wx); - wx_intr_enable(wx, TXGBE_INTR_MISC); + wx_intr_enable(wx, TXGBE_INTR_MISC(wx)); } return IRQ_WAKE_THREAD; } @@ -183,7 +183,7 @@ static irqreturn_t txgbe_misc_irq_thread_fn(int irq, void *data) nhandled++; } - wx_intr_enable(wx, TXGBE_INTR_MISC); + wx_intr_enable(wx, TXGBE_INTR_MISC(wx)); return (nhandled > 0 ? IRQ_HANDLED : IRQ_NONE); } diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h b/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h index 42ec815159e8..41915d7dd372 100644 --- a/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h +++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h @@ -302,8 +302,8 @@ struct txgbe_fdir_filter { #define TXGBE_DEFAULT_RX_WORK 128 #endif -#define TXGBE_INTR_MISC BIT(0) -#define TXGBE_INTR_QALL(A) GENMASK((A)->num_q_vectors, 1) +#define TXGBE_INTR_MISC(A) BIT((A)->num_q_vectors) +#define TXGBE_INTR_QALL(A) (TXGBE_INTR_MISC(A) - 1) #define TXGBE_MAX_EITR GENMASK(11, 3)

2 months

2
1
0 0

FAILED: patch "[PATCH] net: wangxun: revert the adjustment of the IRQ vector" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x e37546ad1f9b2c777d3a21d7e50ce265ee3dece8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070626-come-nappy-3fec@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e37546ad1f9b2c777d3a21d7e50ce265ee3dece8 Mon Sep 17 00:00:00 2001 From: Jiawen Wu <jiawenwu(a)trustnetic.com> Date: Tue, 1 Jul 2025 14:30:29 +0800 Subject: [PATCH] net: wangxun: revert the adjustment of the IRQ vector sequence Due to hardware limitations of NGBE, queue IRQs can only be requested on vector 0 to 7. When the number of queues is set to the maximum 8, the PCI IRQ vectors are allocated from 0 to 8. The vector 0 is used by MISC interrupt, and althrough the vector 8 is used by queue interrupt, it is unable to receive packets. This will cause some packets to be dropped when RSS is enabled and they are assigned to queue 8. So revert the adjustment of the MISC IRQ location, to make it be the last one in IRQ vectors. Fixes: 937d46ecc5f9 ("net: wangxun: add ethtool_ops for channel number") Cc: stable(a)vger.kernel.org Signed-off-by: Jiawen Wu <jiawenwu(a)trustnetic.com> Reviewed-by: Larysa Zaremba <larysa.zaremba(a)intel.com> Link: https://patch.msgid.link/20250701063030.59340-3-jiawenwu@trustnetic.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> diff --git a/drivers/net/ethernet/wangxun/libwx/wx_lib.c b/drivers/net/ethernet/wangxun/libwx/wx_lib.c index 59840ba9c1fe..835d60bd5fbc 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_lib.c +++ b/drivers/net/ethernet/wangxun/libwx/wx_lib.c @@ -1747,7 +1747,7 @@ static void wx_set_num_queues(struct wx *wx) */ static int wx_acquire_msix_vectors(struct wx *wx) { - struct irq_affinity affd = { .pre_vectors = 1 }; + struct irq_affinity affd = { .post_vectors = 1 }; int nvecs, i; /* We start by asking for one vector per queue pair */ @@ -1784,16 +1784,17 @@ static int wx_acquire_msix_vectors(struct wx *wx) return nvecs; } - wx->msix_entry->entry = 0; - wx->msix_entry->vector = pci_irq_vector(wx->pdev, 0); nvecs -= 1; for (i = 0; i < nvecs; i++) { wx->msix_q_entries[i].entry = i; - wx->msix_q_entries[i].vector = pci_irq_vector(wx->pdev, i + 1); + wx->msix_q_entries[i].vector = pci_irq_vector(wx->pdev, i); } wx->num_q_vectors = nvecs; + wx->msix_entry->entry = nvecs; + wx->msix_entry->vector = pci_irq_vector(wx->pdev, nvecs); + return 0; } @@ -2300,8 +2301,6 @@ static void wx_set_ivar(struct wx *wx, s8 direction, wr32(wx, WX_PX_MISC_IVAR, ivar); } else { /* tx or rx causes */ - if (!(wx->mac.type == wx_mac_em && wx->num_vfs == 7)) - msix_vector += 1; /* offset for queue vectors */ msix_vector |= WX_PX_IVAR_ALLOC_VAL; index = ((16 * (queue & 1)) + (8 * direction)); ivar = rd32(wx, WX_PX_IVAR(queue >> 1)); @@ -2340,7 +2339,7 @@ void wx_write_eitr(struct wx_q_vector *q_vector) itr_reg |= WX_PX_ITR_CNT_WDIS; - wr32(wx, WX_PX_ITR(v_idx + 1), itr_reg); + wr32(wx, WX_PX_ITR(v_idx), itr_reg); } /** @@ -2393,9 +2392,9 @@ void wx_configure_vectors(struct wx *wx) wx_write_eitr(q_vector); } - wx_set_ivar(wx, -1, 0, 0); + wx_set_ivar(wx, -1, 0, v_idx); if (pdev->msix_enabled) - wr32(wx, WX_PX_ITR(0), 1950); + wr32(wx, WX_PX_ITR(v_idx), 1950); } EXPORT_SYMBOL(wx_configure_vectors); diff --git a/drivers/net/ethernet/wangxun/libwx/wx_type.h b/drivers/net/ethernet/wangxun/libwx/wx_type.h index 7730c9fc3e02..d392394791b3 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_type.h +++ b/drivers/net/ethernet/wangxun/libwx/wx_type.h @@ -1343,7 +1343,7 @@ struct wx { }; #define WX_INTR_ALL (~0ULL) -#define WX_INTR_Q(i) BIT((i) + 1) +#define WX_INTR_Q(i) BIT((i)) /* register operations */ #define wr32(a, reg, value) writel((value), ((a)->hw_addr + (reg))) diff --git a/drivers/net/ethernet/wangxun/ngbe/ngbe_main.c b/drivers/net/ethernet/wangxun/ngbe/ngbe_main.c index b5022c49dc5e..68415a7ef12f 100644 --- a/drivers/net/ethernet/wangxun/ngbe/ngbe_main.c +++ b/drivers/net/ethernet/wangxun/ngbe/ngbe_main.c @@ -161,7 +161,7 @@ static void ngbe_irq_enable(struct wx *wx, bool queues) if (queues) wx_intr_enable(wx, NGBE_INTR_ALL); else - wx_intr_enable(wx, NGBE_INTR_MISC); + wx_intr_enable(wx, NGBE_INTR_MISC(wx)); } /** diff --git a/drivers/net/ethernet/wangxun/ngbe/ngbe_type.h b/drivers/net/ethernet/wangxun/ngbe/ngbe_type.h index bb74263f0498..6eca6de475f7 100644 --- a/drivers/net/ethernet/wangxun/ngbe/ngbe_type.h +++ b/drivers/net/ethernet/wangxun/ngbe/ngbe_type.h @@ -87,7 +87,7 @@ #define NGBE_PX_MISC_IC_TIMESYNC BIT(11) /* time sync */ #define NGBE_INTR_ALL 0x1FF -#define NGBE_INTR_MISC BIT(0) +#define NGBE_INTR_MISC(A) BIT((A)->num_q_vectors) #define NGBE_PHY_CONFIG(reg_offset) (0x14000 + ((reg_offset) * 4)) #define NGBE_CFG_LAN_SPEED 0x14440 diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c b/drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c index dc468053bdf8..3885283681ec 100644 --- a/drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c +++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c @@ -31,7 +31,7 @@ void txgbe_irq_enable(struct wx *wx, bool queues) wr32(wx, WX_PX_MISC_IEN, misc_ien); /* unmask interrupt */ - wx_intr_enable(wx, TXGBE_INTR_MISC); + wx_intr_enable(wx, TXGBE_INTR_MISC(wx)); if (queues) wx_intr_enable(wx, TXGBE_INTR_QALL(wx)); } @@ -131,7 +131,7 @@ static irqreturn_t txgbe_misc_irq_handle(int irq, void *data) txgbe->eicr = eicr; if (eicr & TXGBE_PX_MISC_IC_VF_MBOX) { wx_msg_task(txgbe->wx); - wx_intr_enable(wx, TXGBE_INTR_MISC); + wx_intr_enable(wx, TXGBE_INTR_MISC(wx)); } return IRQ_WAKE_THREAD; } @@ -183,7 +183,7 @@ static irqreturn_t txgbe_misc_irq_thread_fn(int irq, void *data) nhandled++; } - wx_intr_enable(wx, TXGBE_INTR_MISC); + wx_intr_enable(wx, TXGBE_INTR_MISC(wx)); return (nhandled > 0 ? IRQ_HANDLED : IRQ_NONE); } diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h b/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h index 42ec815159e8..41915d7dd372 100644 --- a/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h +++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h @@ -302,8 +302,8 @@ struct txgbe_fdir_filter { #define TXGBE_DEFAULT_RX_WORK 128 #endif -#define TXGBE_INTR_MISC BIT(0) -#define TXGBE_INTR_QALL(A) GENMASK((A)->num_q_vectors, 1) +#define TXGBE_INTR_MISC(A) BIT((A)->num_q_vectors) +#define TXGBE_INTR_QALL(A) (TXGBE_INTR_MISC(A) - 1) #define TXGBE_MAX_EITR GENMASK(11, 3)

2 months

2
1
0 0

[PATCH for 5.4 and 5.10] ACPI: PAD: fix crash in exit_round_robin()

by Nobuhiro Iwamatsu

From: Seiji Nishikawa <snishika(a)redhat.com> commit 0a2ed70a549e61c5181bad5db418d223b68ae932 upstream. The kernel occasionally crashes in cpumask_clear_cpu(), which is called within exit_round_robin(), because when executing clear_bit(nr, addr) with nr set to 0xffffffff, the address calculation may cause misalignment within the memory, leading to access to an invalid memory address. ---------- BUG: unable to handle kernel paging request at ffffffffe0740618 ... CPU: 3 PID: 2919323 Comm: acpi_pad/14 Kdump: loaded Tainted: G OE X --------- - - 4.18.0-425.19.2.el8_7.x86_64 #1 ... RIP: 0010:power_saving_thread+0x313/0x411 [acpi_pad] Code: 89 cd 48 89 d3 eb d1 48 c7 c7 55 70 72 c0 e8 64 86 b0 e4 c6 05 0d a1 02 00 01 e9 bc fd ff ff 45 89 e4 42 8b 04 a5 20 82 72 c0 <f0> 48 0f b3 05 f4 9c 01 00 42 c7 04 a5 20 82 72 c0 ff ff ff ff 31 RSP: 0018:ff72a5d51fa77ec8 EFLAGS: 00010202 RAX: 00000000ffffffff RBX: ff462981e5d8cb80 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246 RBP: ff46297556959d80 R08: 0000000000000382 R09: ff46297c8d0f38d8 R10: 0000000000000000 R11: 0000000000000001 R12: 000000000000000e R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000000000e FS: 0000000000000000(0000) GS:ff46297a800c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffe0740618 CR3: 0000007e20410004 CR4: 0000000000771ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: ? acpi_pad_add+0x120/0x120 [acpi_pad] kthread+0x10b/0x130 ? set_kthread_struct+0x50/0x50 ret_from_fork+0x1f/0x40 ... CR2: ffffffffe0740618 crash> dis -lr ffffffffc0726923 ... /usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 114 0xffffffffc0726918 <power_saving_thread+776>: mov %r12d,%r12d /usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 325 0xffffffffc072691b <power_saving_thread+779>: mov -0x3f8d7de0(,%r12,4),%eax /usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./arch/x86/include/asm/bitops.h: 80 0xffffffffc0726923 <power_saving_thread+787>: lock btr %rax,0x19cf4(%rip) # 0xffffffffc0740620 <pad_busy_cpus_bits> crash> px tsk_in_cpu[14] $66 = 0xffffffff crash> px 0xffffffffc072692c+0x19cf4 $99 = 0xffffffffc0740620 crash> sym 0xffffffffc0740620 ffffffffc0740620 (b) pad_busy_cpus_bits [acpi_pad] crash> px pad_busy_cpus_bits[0] $42 = 0xfffc0 ---------- To fix this, ensure that tsk_in_cpu[tsk_index] != -1 before calling cpumask_clear_cpu() in exit_round_robin(), just as it is done in round_robin_cpu(). Signed-off-by: Seiji Nishikawa <snishika(a)redhat.com> Link: https://patch.msgid.link/20240825141352.25280-1-snishika@redhat.com [ rjw: Subject edit, avoid updates to the same value ] Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Link: https://nvd.nist.gov/vuln/detail/CVE-2024-49935 Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu(a)toshiba.co.jp> --- drivers/acpi/acpi_pad.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/acpi/acpi_pad.c b/drivers/acpi/acpi_pad.c index 35de23ff50d6..3e7e28b7947e 100644 --- a/drivers/acpi/acpi_pad.c +++ b/drivers/acpi/acpi_pad.c @@ -128,8 +128,11 @@ static void round_robin_cpu(unsigned int tsk_index) static void exit_round_robin(unsigned int tsk_index) { struct cpumask *pad_busy_cpus = to_cpumask(pad_busy_cpus_bits); - cpumask_clear_cpu(tsk_in_cpu[tsk_index], pad_busy_cpus); - tsk_in_cpu[tsk_index] = -1; + + if (tsk_in_cpu[tsk_index] != -1) { + cpumask_clear_cpu(tsk_in_cpu[tsk_index], pad_busy_cpus); + tsk_in_cpu[tsk_index] = -1; + } } static unsigned int idle_pct = 5; /* percentage */ -- 2.25.1

2 months

4
3
0 0

[merged mm-stable] samples-damon-mtier-support-boot-time-enable-setup.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: samples/damon/mtier: support boot time enable setup has been removed from the -mm tree. Its filename was samples-damon-mtier-support-boot-time-enable-setup.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: samples/damon/mtier: support boot time enable setup Date: Sun, 6 Jul 2025 12:32:04 -0700 If 'enable' parameter of the 'mtier' DAMON sample module is set at boot time via the kernel command line, memory allocation is tried before the slab is initialized. As a result kernel NULL pointer dereference BUG can happen. Fix it by checking the initialization status. Link: https://lkml.kernel.org/r/20250706193207.39810-4-sj@kernel.org Fixes: 82a08bde3cf7 ("samples/damon: implement a DAMON module for memory tiering") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- samples/damon/mtier.c | 10 ++++++++++ 1 file changed, 10 insertions(+) --- a/samples/damon/mtier.c~samples-damon-mtier-support-boot-time-enable-setup +++ a/samples/damon/mtier.c @@ -157,6 +157,8 @@ static void damon_sample_mtier_stop(void damon_destroy_ctx(ctxs[1]); } +static bool init_called; + static int damon_sample_mtier_enable_store( const char *val, const struct kernel_param *kp) { @@ -182,6 +184,14 @@ static int damon_sample_mtier_enable_sto static int __init damon_sample_mtier_init(void) { + int err = 0; + + init_called = true; + if (enable) { + err = damon_sample_mtier_start(); + if (err) + enable = false; + } return 0; } _ Patches currently in -mm which might be from sj(a)kernel.org are samples-damon-wsse-rename-to-have-damon_sample_-prefix.patch samples-damon-prcl-rename-to-have-damon_sample_-prefix.patch samples-damon-mtier-rename-to-have-damon_sample_-prefix.patch mm-damon-sysfs-use-damon-core-api-damon_is_running.patch mm-damon-sysfs-dont-hold-kdamond_lock-in-before_terminate.patch docs-mm-damon-maintainer-profile-update-for-mm-new-tree.patch mm-damon-add-struct-damos_migrate_dests.patch mm-damon-core-add-damos-migrate_dests-field.patch mm-damon-sysfs-schemes-implement-damos-action-destinations-directory.patch mm-damon-sysfs-schemes-set-damos-migrate_dests.patch docs-abi-damon-document-schemes-dests-directory.patch docs-admin-guide-mm-damon-usage-document-dests-directory.patch mm-damon-accept-parallel-damon_call-requests.patch mm-damon-core-introduce-repeat-mode-damon_call.patch mm-damon-stat-use-damon_call-repeat-mode-instead-of-damon_callback.patch mm-damon-reclaim-use-damon_call-repeat-mode-instead-of-damon_callback.patch mm-damon-lru_sort-use-damon_call-repeat-mode-instead-of-damon_callback.patch samples-damon-prcl-use-damon_call-repeat-mode-instead-of-damon_callback.patch samples-damon-wsse-use-damon_call-repeat-mode-instead-of-damon_callback.patch mm-damon-core-do-not-call-opscleanup-when-destroying-targets.patch mm-damon-core-add-cleanup_target-ops-callback.patch mm-damon-vaddr-put-pid-in-cleanup_target.patch mm-damon-sysfs-remove-damon_sysfs_destroy_targets.patch mm-damon-core-destroy-targets-when-kdamond_fn-finish.patch mm-damon-sysfs-remove-damon_sysfs_before_terminate.patch mm-damon-core-remove-damon_callback.patch

2 months

1
0
0 0

[merged mm-stable] samples-damon-wsse-fix-boot-time-enable-handling.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: samples/damon/wsse: fix boot time enable handling has been removed from the -mm tree. Its filename was samples-damon-wsse-fix-boot-time-enable-handling.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: samples/damon/wsse: fix boot time enable handling Date: Sun, 6 Jul 2025 12:32:02 -0700 Patch series "mm/damon: fix misc bugs in DAMON modules". From manual code review, I found below bugs in DAMON modules. DAMON sample modules crash if those are enabled at boot time, via kernel command line. A similar issue was found and fixed on DAMON non-sample modules in the past, but we didn't check that for sample modules. DAMON non-sample modules are not setting 'enabled' parameters accordingly when real enabling is failed. Honggyu found and fixed[1] this type of bugs in DAMON sample modules, and my inspection was motivated by the great work. Kudos to Honggyu. Finally, DAMON_RECLIAM is mistakenly losing scheme internal status due to misuse of damon_commit_ctx(). DAMON_LRU_SORT has a similar misuse, but fortunately it is not causing real status loss. Fix the bugs. Since these are similar patterns of bugs that were found in the past, it would be better to add tests or refactor the code, in future. This patch (of 6): If 'enable' parameter of the 'wsse' DAMON sample module is set at boot time via the kernel command line, memory allocation is tried before the slab is initialized. As a result kernel NULL pointer dereference BUG can happen. Fix it by checking the initialization status. Link: https://lkml.kernel.org/r/20250706193207.39810-1-sj@kernel.org Link: https://lkml.kernel.org/r/20250706193207.39810-2-sj@kernel.org Link: https://lore.kernel.org/20250702000205.1921-1-honggyu.kim@sk.com [1] Fixes: b757c6cfc696 ("samples/damon/wsse: start and stop DAMON as the user requests") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- samples/damon/wsse.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) --- a/samples/damon/wsse.c~samples-damon-wsse-fix-boot-time-enable-handling +++ a/samples/damon/wsse.c @@ -89,6 +89,8 @@ static void damon_sample_wsse_stop(void) put_pid(target_pidp); } +static bool init_called; + static int damon_sample_wsse_enable_store( const char *val, const struct kernel_param *kp) { @@ -114,7 +116,15 @@ static int damon_sample_wsse_enable_stor static int __init damon_sample_wsse_init(void) { - return 0; + int err = 0; + + init_called = true; + if (enable) { + err = damon_sample_wsse_start(); + if (err) + enable = false; + } + return err; } module_init(damon_sample_wsse_init); _ Patches currently in -mm which might be from sj(a)kernel.org are samples-damon-wsse-rename-to-have-damon_sample_-prefix.patch samples-damon-prcl-rename-to-have-damon_sample_-prefix.patch samples-damon-mtier-rename-to-have-damon_sample_-prefix.patch mm-damon-sysfs-use-damon-core-api-damon_is_running.patch mm-damon-sysfs-dont-hold-kdamond_lock-in-before_terminate.patch docs-mm-damon-maintainer-profile-update-for-mm-new-tree.patch mm-damon-add-struct-damos_migrate_dests.patch mm-damon-core-add-damos-migrate_dests-field.patch mm-damon-sysfs-schemes-implement-damos-action-destinations-directory.patch mm-damon-sysfs-schemes-set-damos-migrate_dests.patch docs-abi-damon-document-schemes-dests-directory.patch docs-admin-guide-mm-damon-usage-document-dests-directory.patch mm-damon-accept-parallel-damon_call-requests.patch mm-damon-core-introduce-repeat-mode-damon_call.patch mm-damon-stat-use-damon_call-repeat-mode-instead-of-damon_callback.patch mm-damon-reclaim-use-damon_call-repeat-mode-instead-of-damon_callback.patch mm-damon-lru_sort-use-damon_call-repeat-mode-instead-of-damon_callback.patch samples-damon-prcl-use-damon_call-repeat-mode-instead-of-damon_callback.patch samples-damon-wsse-use-damon_call-repeat-mode-instead-of-damon_callback.patch mm-damon-core-do-not-call-opscleanup-when-destroying-targets.patch mm-damon-core-add-cleanup_target-ops-callback.patch mm-damon-vaddr-put-pid-in-cleanup_target.patch mm-damon-sysfs-remove-damon_sysfs_destroy_targets.patch mm-damon-core-destroy-targets-when-kdamond_fn-finish.patch mm-damon-sysfs-remove-damon_sysfs_before_terminate.patch mm-damon-core-remove-damon_callback.patch

2 months

1
0
0 0

Follow up: Your response [Q3]

by Elena Fernanda

Hello, Could you kindly respond to me? I am Elena Victoria fernanda from Bradford and I'd like to share something very important with you right now. Provide your names to help me verify I m addressing the correct contact. I would be pleased to receive your swift response. Best wishes E1ena V!ct0ria F3rnanda

2 months

1
0
0 0

[PATCH v8 01/13] platform/x86/intel/pmt: fix a crashlog NULL pointer access

by Michael J. Ruhl

Usage of the intel_pmt_read() for binary sysfs, requires a pcidev. The current use of the endpoint value is only valid for telemetry endpoint usage. Without the ep, the crashlog usage causes the following NULL pointer exception: BUG: kernel NULL pointer dereference, address: 0000000000000000 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:intel_pmt_read+0x3b/0x70 [pmt_class] Code: Call Trace: <TASK> ? sysfs_kf_bin_read+0xc0/0xe0 kernfs_fop_read_iter+0xac/0x1a0 vfs_read+0x26d/0x350 ksys_read+0x6b/0xe0 __x64_sys_read+0x1d/0x30 x64_sys_call+0x1bc8/0x1d70 do_syscall_64+0x6d/0x110 Augment struct intel_pmt_entry with a pointer to the pcidev to avoid the NULL pointer exception. Reviewed-by: David E. Box <david.e.box(a)linux.intel.com> Reviewed-by: Tejas Upadhyay <tejas.upadhyay(a)intel.com> Fixes: 045a513040cc ("platform/x86/intel/pmt: Use PMT callbacks") Cc: <stable(a)vger.kernel.org> Signed-off-by: Michael J. Ruhl <michael.j.ruhl(a)intel.com> --- drivers/platform/x86/intel/pmt/class.c | 3 ++- drivers/platform/x86/intel/pmt/class.h | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/platform/x86/intel/pmt/class.c b/drivers/platform/x86/intel/pmt/class.c index 7233b654bbad..d046e8752173 100644 --- a/drivers/platform/x86/intel/pmt/class.c +++ b/drivers/platform/x86/intel/pmt/class.c @@ -97,7 +97,7 @@ intel_pmt_read(struct file *filp, struct kobject *kobj, if (count > entry->size - off) count = entry->size - off; - count = pmt_telem_read_mmio(entry->ep->pcidev, entry->cb, entry->header.guid, buf, + count = pmt_telem_read_mmio(entry->pcidev, entry->cb, entry->header.guid, buf, entry->base, off, count); return count; @@ -252,6 +252,7 @@ static int intel_pmt_populate_entry(struct intel_pmt_entry *entry, return -EINVAL; } + entry->pcidev = pci_dev; entry->guid = header->guid; entry->size = header->size; entry->cb = ivdev->priv_data; diff --git a/drivers/platform/x86/intel/pmt/class.h b/drivers/platform/x86/intel/pmt/class.h index b2006d57779d..f6ce80c4e051 100644 --- a/drivers/platform/x86/intel/pmt/class.h +++ b/drivers/platform/x86/intel/pmt/class.h @@ -39,6 +39,7 @@ struct intel_pmt_header { struct intel_pmt_entry { struct telem_endpoint *ep; + struct pci_dev *pcidev; struct intel_pmt_header header; struct bin_attribute pmt_bin_attr; struct kobject *kobj; -- 2.50.0

2 months

1
0
0 0

[PATCH] usb: gadget: max3420_udc: Fix out-of-bounds endpoint index access

by Seungjin Bae

In the max3420_set_clear_feature() function, the endpoint index `id` can have a value from 0 to 15. However, the udc->ep array is initialized with a maximum of 4 endpoints in max3420_eps_init(). If host sends a request with a wIndex greater than 3, the access to `udc->ep[id]` will go out-of-bounds, leading to memory corruption or a potential kernel crash. This bug was found by code inspection and has not been tested on hardware. Fixes: 48ba02b2e2b1a ("usb: gadget: add udc driver for max3420") Cc: stable(a)vger.kernel.org Signed-off-by: Seungjin Bae <eeodqql09(a)gmail.com> --- drivers/usb/gadget/udc/max3420_udc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/gadget/udc/max3420_udc.c b/drivers/usb/gadget/udc/max3420_udc.c index 7349ea774adf..e4ecc7f7f3be 100644 --- a/drivers/usb/gadget/udc/max3420_udc.c +++ b/drivers/usb/gadget/udc/max3420_udc.c @@ -596,6 +596,8 @@ static void max3420_set_clear_feature(struct max3420_udc *udc) break; id = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK; + if (id >= MAX3420_MAX_EPS) + break; ep = &udc->ep[id]; spin_lock_irqsave(&ep->lock, flags); -- 2.43.0

2 months, 1 week

3
4
0 0

[REGRESSION] v6.12.35: (build) kallsyms.h:21:10: fatal error: execinfo.h: No such file or directory

by Natanael Copa

Hi! I bumped into a build regression when building Alpine Linux kernel 6.12.35 on x86_64: In file included from ../arch/x86/tools/insn_decoder_test.c:13: ../tools/include/linux/kallsyms.h:21:10: fatal error: execinfo.h: No such file or directory 21 | #include <execinfo.h> | ^~~~~~~~~~~~ compilation terminated. The 6.12.34 kernel built just fine. I bisected it to: commit b8abcba6e4aec53868dfe44f97270fc4dee0df2a (HEAD) Author: Sergio Gonz_lez Collado <sergio.collado(a)gmail.com> Date: Sun Mar 2 23:15:18 2025 +0100 Kunit to check the longest symbol length commit c104c16073b7fdb3e4eae18f66f4009f6b073d6f upstream. which has this hunk: diff --git a/arch/x86/tools/insn_decoder_test.c b/arch/x86/tools/insn_decoder_test.c index 472540aeabc2..6c2986d2ad11 100644 --- a/arch/x86/tools/insn_decoder_test.c +++ b/arch/x86/tools/insn_decoder_test.c @@ -10,6 +10,7 @@ #include <assert.h> #include <unistd.h> #include <stdarg.h> +#include <linux/kallsyms.h> #define unlikely(cond) (cond) @@ -106,7 +107,7 @@ static void parse_args(int argc, char **argv) } } -#define BUFSIZE 256 +#define BUFSIZE (256 + KSYM_NAME_LEN) int main(int argc, char **argv) { It looks like the linux/kallsyms.h was included to get KSYM_NAME_LEN. Unfortunately it also introduced the include of execinfo.h, which does not exist on musl libc. This has previously been reported to and tried fixed: https://lore.kernel.org/stable/DB0OSTC6N4TL.2NK75K2CWE9JV@pwned.life/T/#t Would it be an idea to revert commit b8abcba6e4ae til we have a proper solution for this? Thanks! -nc

2 months, 1 week

4
7
0 0

[PATCH 6.12.y] rust: init: allow `dead_code` warnings for Rust >= 1.89.0

by Miguel Ojeda

Starting with Rust 1.89.0 (expected 2025-08-07), the Rust compiler may warn: error: trait `MustNotImplDrop` is never used --> rust/kernel/init/macros.rs:927:15 | 927 | trait MustNotImplDrop {} | ^^^^^^^^^^^^^^^ | ::: rust/kernel/sync/arc.rs:133:1 | 133 | #[pin_data] | ----------- in this procedural macro expansion | = note: `-D dead-code` implied by `-D warnings` = help: to override `-D warnings` add `#[allow(dead_code)]` = note: this error originates in the macro `$crate::__pin_data` which comes from the expansion of the attribute macro `pin_data` (in Nightly builds, run with -Z macro-backtrace for more info) Thus `allow` it to clean it up. This does not happen in mainline nor 6.15.y, because there the macro was moved out of the `kernel` crate, and `dead_code` warnings are not emitted if the macro is foreign to the crate. Thus this patch is directly sent to stable and intended for 6.12.y only. Similarly, it is not needed in previous LTSs, because there the Rust version is pinned. Cc: Benno Lossin <lossin(a)kernel.org> Signed-off-by: Miguel Ojeda <ojeda(a)kernel.org> --- Greg, Sasha: please note that an equivalent patch is _not_ in mainline. We could put these `allow`s in mainline (they wouldn't hurt), but it isn't a good idea to add things in mainline for the only reason of backporting them, thus I am sending this directly to stable. The patch is pretty safe -- there is no actual code change. rust/kernel/init/macros.rs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rust/kernel/init/macros.rs b/rust/kernel/init/macros.rs index b7213962a6a5..e530028bb9ed 100644 --- a/rust/kernel/init/macros.rs +++ b/rust/kernel/init/macros.rs @@ -924,6 +924,7 @@ impl<'__pin, $($impl_generics)*> ::core::marker::Unpin for $name<$($ty_generics) // We prevent this by creating a trait that will be implemented for all types implementing // `Drop`. Additionally we will implement this trait for the struct leading to a conflict, // if it also implements `Drop` + #[allow(dead_code)] trait MustNotImplDrop {} #[expect(drop_bounds)] impl<T: ::core::ops::Drop> MustNotImplDrop for T {} @@ -932,6 +933,7 @@ impl<$($impl_generics)*> MustNotImplDrop for $name<$($ty_generics)*> // We also take care to prevent users from writing a useless `PinnedDrop` implementation. // They might implement `PinnedDrop` correctly for the struct, but forget to give // `PinnedDrop` as the parameter to `#[pin_data]`. + #[allow(dead_code)] #[expect(non_camel_case_types)] trait UselessPinnedDropImpl_you_need_to_specify_PinnedDrop {} impl<T: $crate::init::PinnedDrop> base-commit: fbad404f04d758c52bae79ca20d0e7fe5fef91d3 -- 2.50.1

2 months, 1 week

3
2
0 0

FAILED: patch "[PATCH] pwm: mediatek: Ensure to disable clocks in error path" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 505b730ede7f5c4083ff212aa955155b5b92e574 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071236-generous-jazz-41e4@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 505b730ede7f5c4083ff212aa955155b5b92e574 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig(a)baylibre.com> Date: Fri, 4 Jul 2025 19:27:27 +0200 Subject: [PATCH] pwm: mediatek: Ensure to disable clocks in error path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit After enabling the clocks each error path must disable the clocks again. One of them failed to do so. Unify the error paths to use goto to make it harder for future changes to add a similar bug. Fixes: 7ca59947b5fc ("pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config()") Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> Link: https://lore.kernel.org/r/20250704172728.626815-2-u.kleine-koenig@baylibre.… Cc: stable(a)vger.kernel.org Signed-off-by: Uwe Kleine-König <ukleinek(a)kernel.org> diff --git a/drivers/pwm/pwm-mediatek.c b/drivers/pwm/pwm-mediatek.c index 7eaab5831499..33d3554b9197 100644 --- a/drivers/pwm/pwm-mediatek.c +++ b/drivers/pwm/pwm-mediatek.c @@ -130,8 +130,10 @@ static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm, return ret; clk_rate = clk_get_rate(pc->clk_pwms[pwm->hwpwm]); - if (!clk_rate) - return -EINVAL; + if (!clk_rate) { + ret = -EINVAL; + goto out; + } /* Make sure we use the bus clock and not the 26MHz clock */ if (pc->soc->has_ck_26m_sel) @@ -150,9 +152,9 @@ static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm, } if (clkdiv > PWM_CLK_DIV_MAX) { - pwm_mediatek_clk_disable(chip, pwm); dev_err(pwmchip_parent(chip), "period of %d ns not supported\n", period_ns); - return -EINVAL; + ret = -EINVAL; + goto out; } if (pc->soc->pwm45_fixup && pwm->hwpwm > 2) { @@ -169,9 +171,10 @@ static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm, pwm_mediatek_writel(pc, pwm->hwpwm, reg_width, cnt_period); pwm_mediatek_writel(pc, pwm->hwpwm, reg_thres, cnt_duty); +out: pwm_mediatek_clk_disable(chip, pwm); - return 0; + return ret; } static int pwm_mediatek_enable(struct pwm_chip *chip, struct pwm_device *pwm)

2 months, 1 week

3
2
0 0

TSA-mitigation not working: "no microcode" although microcode-revision should suffice

by Rainer Fiebig

Built 6.12.37 with CONFIG_MITIGATION_TSA=y on a Ryzen 5700G system. According to [1] the minimum BIOS revision should be ComboAM4v2PI 1.2.0.E which is installed. According to [2] the minimum microcode revision required for that CPU is 0x0A500012. Installed is 0x0A500014. So I think the mitigating should work. But this is not the case: ~> dmesg | grep -Ei 'ryzen|microcode' [ 0.171006] Transient Scheduler Attacks: Vulnerable: Clear CPU buffers attempted, no microcode [ 0.288006] smpboot: CPU0: AMD Ryzen 7 5700G with Radeon Graphics (family: 0x19, model: 0x50, stepping: 0x0) [ 0.480729] microcode: Current revision: 0x0a500014 I'm wondering why the mitigation isn't working. Thanks. Rainer [1] https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7029.html [2] https://www.amd.com/content/dam/amd/en/documents/resources/bulletin/technic… -- The truth always turns out to be simpler than you thought. Richard Feynman

2 months, 1 week

2
1
0 0

FAILED: patch "[PATCH] pwm: mediatek: Ensure to disable clocks in error path" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 505b730ede7f5c4083ff212aa955155b5b92e574 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071235-ebook-definite-e54a@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 505b730ede7f5c4083ff212aa955155b5b92e574 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig(a)baylibre.com> Date: Fri, 4 Jul 2025 19:27:27 +0200 Subject: [PATCH] pwm: mediatek: Ensure to disable clocks in error path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit After enabling the clocks each error path must disable the clocks again. One of them failed to do so. Unify the error paths to use goto to make it harder for future changes to add a similar bug. Fixes: 7ca59947b5fc ("pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config()") Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> Link: https://lore.kernel.org/r/20250704172728.626815-2-u.kleine-koenig@baylibre.… Cc: stable(a)vger.kernel.org Signed-off-by: Uwe Kleine-König <ukleinek(a)kernel.org> diff --git a/drivers/pwm/pwm-mediatek.c b/drivers/pwm/pwm-mediatek.c index 7eaab5831499..33d3554b9197 100644 --- a/drivers/pwm/pwm-mediatek.c +++ b/drivers/pwm/pwm-mediatek.c @@ -130,8 +130,10 @@ static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm, return ret; clk_rate = clk_get_rate(pc->clk_pwms[pwm->hwpwm]); - if (!clk_rate) - return -EINVAL; + if (!clk_rate) { + ret = -EINVAL; + goto out; + } /* Make sure we use the bus clock and not the 26MHz clock */ if (pc->soc->has_ck_26m_sel) @@ -150,9 +152,9 @@ static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm, } if (clkdiv > PWM_CLK_DIV_MAX) { - pwm_mediatek_clk_disable(chip, pwm); dev_err(pwmchip_parent(chip), "period of %d ns not supported\n", period_ns); - return -EINVAL; + ret = -EINVAL; + goto out; } if (pc->soc->pwm45_fixup && pwm->hwpwm > 2) { @@ -169,9 +171,10 @@ static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm, pwm_mediatek_writel(pc, pwm->hwpwm, reg_width, cnt_period); pwm_mediatek_writel(pc, pwm->hwpwm, reg_thres, cnt_duty); +out: pwm_mediatek_clk_disable(chip, pwm); - return 0; + return ret; } static int pwm_mediatek_enable(struct pwm_chip *chip, struct pwm_device *pwm)

2 months, 1 week

3
2
0 0

FAILED: patch "[PATCH] pwm: mediatek: Ensure to disable clocks in error path" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 505b730ede7f5c4083ff212aa955155b5b92e574 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071234-appealing-unless-4a54@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 505b730ede7f5c4083ff212aa955155b5b92e574 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig(a)baylibre.com> Date: Fri, 4 Jul 2025 19:27:27 +0200 Subject: [PATCH] pwm: mediatek: Ensure to disable clocks in error path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit After enabling the clocks each error path must disable the clocks again. One of them failed to do so. Unify the error paths to use goto to make it harder for future changes to add a similar bug. Fixes: 7ca59947b5fc ("pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config()") Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> Link: https://lore.kernel.org/r/20250704172728.626815-2-u.kleine-koenig@baylibre.… Cc: stable(a)vger.kernel.org Signed-off-by: Uwe Kleine-König <ukleinek(a)kernel.org> diff --git a/drivers/pwm/pwm-mediatek.c b/drivers/pwm/pwm-mediatek.c index 7eaab5831499..33d3554b9197 100644 --- a/drivers/pwm/pwm-mediatek.c +++ b/drivers/pwm/pwm-mediatek.c @@ -130,8 +130,10 @@ static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm, return ret; clk_rate = clk_get_rate(pc->clk_pwms[pwm->hwpwm]); - if (!clk_rate) - return -EINVAL; + if (!clk_rate) { + ret = -EINVAL; + goto out; + } /* Make sure we use the bus clock and not the 26MHz clock */ if (pc->soc->has_ck_26m_sel) @@ -150,9 +152,9 @@ static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm, } if (clkdiv > PWM_CLK_DIV_MAX) { - pwm_mediatek_clk_disable(chip, pwm); dev_err(pwmchip_parent(chip), "period of %d ns not supported\n", period_ns); - return -EINVAL; + ret = -EINVAL; + goto out; } if (pc->soc->pwm45_fixup && pwm->hwpwm > 2) { @@ -169,9 +171,10 @@ static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm, pwm_mediatek_writel(pc, pwm->hwpwm, reg_width, cnt_period); pwm_mediatek_writel(pc, pwm->hwpwm, reg_thres, cnt_duty); +out: pwm_mediatek_clk_disable(chip, pwm); - return 0; + return ret; } static int pwm_mediatek_enable(struct pwm_chip *chip, struct pwm_device *pwm)

2 months, 1 week

3
2
0 0

[PATCH 6.6.y] smb: client: support kvec iterators in async read path

by Henrique Carvalho

commit 3ee1a1fc39819906f04d6c62c180e760cd3a689d upstream. Add cifs_limit_kvec_subset() and select the appropriate limiter in cifs_send_async_read() to handle kvec iterators in async read path, fixing the EIO bug when running executables in cifs shares mounted with nolease. This patch -- or equivalent patch, does not exist upstream, as the upstream code has suffered considerable API changes. The affected path is currently handled by netfs lib and located under netfs/direct_read.c. Reproducer: $ mount.cifs //server/share /mnt -o nolease $ cat - > /mnt/test.sh <<EOL echo hallo EOL $ chmod +x /mnt/test.sh $ /mnt/test.sh bash: /mnt/test.sh: /bin/bash: Defekter Interpreter: Eingabe-/Ausgabefehler $ rm -f /mnt/test.sh Fixes: d08089f649a0 ("cifs: Change the I/O paths to use an iterator rather than a page list") Reported-by: Laura Kerner <laura.kerner(a)ichaus.de> Closes: https://bugzilla.suse.com/show_bug.cgi?id=1245449 Signed-off-by: Henrique Carvalho <henrique.carvalho(a)suse.com> --- fs/smb/client/file.c | 46 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 44 insertions(+), 2 deletions(-) diff --git a/fs/smb/client/file.c b/fs/smb/client/file.c index d883ed75022c..4878c74bae6f 100644 --- a/fs/smb/client/file.c +++ b/fs/smb/client/file.c @@ -3527,6 +3527,42 @@ static size_t cifs_limit_bvec_subset(const struct iov_iter *iter, size_t max_siz return span; } +static size_t cifs_limit_kvec_subset(const struct iov_iter *iter, size_t max_size, + size_t max_segs, unsigned int *_nsegs) +{ + const struct kvec *kvecs = iter->kvec; + unsigned int nkv = iter->nr_segs, ix = 0, nsegs = 0; + size_t len, span = 0, n = iter->count; + size_t skip = iter->iov_offset; + + if (WARN_ON(!iov_iter_is_kvec(iter)) || n == 0) + return 0; + + while (n && ix < nkv && skip) { + len = kvecs[ix].iov_len; + if (skip < len) + break; + skip -= len; + n -= len; + ix++; + } + + while (n && ix < nkv) { + len = min3(n, kvecs[ix].iov_len - skip, max_size); + span += len; + max_size -= len; + nsegs++; + ix++; + if (max_size == 0 || nsegs >= max_segs) + break; + skip = 0; + n -= len; + } + + *_nsegs = nsegs; + return span; +} + static int cifs_write_from_iter(loff_t fpos, size_t len, struct iov_iter *from, struct cifsFileInfo *open_file, @@ -4079,6 +4115,13 @@ cifs_send_async_read(loff_t fpos, size_t len, struct cifsFileInfo *open_file, int rc; pid_t pid; struct TCP_Server_Info *server; + size_t (*limit_iov_subset)(const struct iov_iter *iter, size_t max_size, + size_t max_segs, unsigned int *_nsegs); + + if (iov_iter_is_kvec(&ctx->iter)) + limit_iov_subset = cifs_limit_kvec_subset; + else + limit_iov_subset = cifs_limit_bvec_subset; server = cifs_pick_channel(tlink_tcon(open_file->tlink)->ses); @@ -4113,8 +4156,7 @@ cifs_send_async_read(loff_t fpos, size_t len, struct cifsFileInfo *open_file, max_len = min_t(size_t, len, rsize); - cur_len = cifs_limit_bvec_subset(&ctx->iter, max_len, - max_segs, &nsegs); + cur_len = limit_iov_subset(&ctx->iter, max_len, max_segs, &nsegs); cifs_dbg(FYI, "read-to-iter len=%zx/%zx nsegs=%u/%lu/%u\n", cur_len, max_len, nsegs, ctx->iter.nr_segs, max_segs); if (cur_len == 0) { -- 2.47.0

2 months, 1 week

3
3
0 0

[PATCH] arm64: dts: fsl-lx2160a: define pinctrl for iic2 sd-cd/-wp functions

by Josua Mayer

LX2160 SoC uses a densely packed configuration area in memory for pin muxing - configuring a variable number of IOs at a time. Since pinctrl nodes were added for the i2c signals of LX2160 SoC, boot errors have been observed on SolidRun LX2162A Clearfog board when rootfs is located on SD-Card (esdhc0): [ 1.961035] mmc0: new ultra high speed SDR104 SDHC card at address aaaa ... [ 5.220655] i2c i2c-1: using pinctrl states for GPIO recovery [ 5.226425] i2c i2c-1: using generic GPIOs for recovery ... [ 5.440471] mmc0: card aaaa removed The card-detect and write-protect signals of esdhc0 are an alternate function of IIC2 (in dts i2c1 - on lx2162 clearfog status disabled). By use of u-boot "md", and linux "devmem" command it was confirmed that RCWSR12 (at 0x01e0012c) with IIC2_PMUX (at bits 0-2) changes from 0x08000006 to 0x0000000 after starting Linux. This means that the card-detect pin function has changed to i2c function - which will cause the controller to detect card removal. The respective i2c1-scl-pins node is only linked to i2c1 node that has status disabled in device-tree for the solidrun boards. How the memory is changed has not been investigated. As a workaround add a new pinctrl definition for the card-detect/write-protect function of IIC2 pins. It seems unwise to link this directly from the SoC dtsi as boards may rely on other functions such as flextimer. Instead add the pinctrl to each board's esdhc0 node if it is known to rely on native card-detect function. These boards have esdhc0 node enabled and do not define broken-cd property: - fsl-lx2160a-bluebox3.dts - fsl-lx2160a-clearfog-itx.dtsi - fsl-lx2160a-qds.dts - fsl-lx2160a-rdb.dts - fsl-lx2160a-tqmlx2160a-mblx2160a.dts - fsl-lx2162a-clearfog.dts - fsl-lx2162a-qds.dts This was tested on the SolidRun LX2162 Clearfog with Linux v6.12.33. Fixes: 8a1365c7bbc1 ("arm64: dts: lx2160a: add pinmux and i2c gpio to support bus recovery") Cc: stable(a)vger.kernel.org Signed-off-by: Josua Mayer <josua(a)solid-run.com> --- arch/arm64/boot/dts/freescale/fsl-lx2160a-bluebox3.dts | 2 ++ arch/arm64/boot/dts/freescale/fsl-lx2160a-clearfog-itx.dtsi | 2 ++ arch/arm64/boot/dts/freescale/fsl-lx2160a-qds.dts | 2 ++ arch/arm64/boot/dts/freescale/fsl-lx2160a-rdb.dts | 2 ++ arch/arm64/boot/dts/freescale/fsl-lx2160a-tqmlx2160a-mblx2160a.dts | 2 ++ arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi | 4 ++++ arch/arm64/boot/dts/freescale/fsl-lx2162a-clearfog.dts | 2 ++ arch/arm64/boot/dts/freescale/fsl-lx2162a-qds.dts | 2 ++ 8 files changed, 18 insertions(+) diff --git a/arch/arm64/boot/dts/freescale/fsl-lx2160a-bluebox3.dts b/arch/arm64/boot/dts/freescale/fsl-lx2160a-bluebox3.dts index 042c486bdda2..298fcdce6c6b 100644 --- a/arch/arm64/boot/dts/freescale/fsl-lx2160a-bluebox3.dts +++ b/arch/arm64/boot/dts/freescale/fsl-lx2160a-bluebox3.dts @@ -152,6 +152,8 @@ &esdhc0 { sd-uhs-sdr50; sd-uhs-sdr25; sd-uhs-sdr12; + pinctrl-0 = <&i2c1_sdhc_cdwp>; + pinctrl-names = "default"; status = "okay"; }; diff --git a/arch/arm64/boot/dts/freescale/fsl-lx2160a-clearfog-itx.dtsi b/arch/arm64/boot/dts/freescale/fsl-lx2160a-clearfog-itx.dtsi index a7dcbecc1f41..67ffe2e1b0bc 100644 --- a/arch/arm64/boot/dts/freescale/fsl-lx2160a-clearfog-itx.dtsi +++ b/arch/arm64/boot/dts/freescale/fsl-lx2160a-clearfog-itx.dtsi @@ -93,6 +93,8 @@ &esdhc0 { sd-uhs-sdr50; sd-uhs-sdr25; sd-uhs-sdr12; + pinctrl-0 = <&i2c1_sdhc_cdwp>; + pinctrl-names = "default"; status = "okay"; }; diff --git a/arch/arm64/boot/dts/freescale/fsl-lx2160a-qds.dts b/arch/arm64/boot/dts/freescale/fsl-lx2160a-qds.dts index 4d721197d837..17fe4a8fd35e 100644 --- a/arch/arm64/boot/dts/freescale/fsl-lx2160a-qds.dts +++ b/arch/arm64/boot/dts/freescale/fsl-lx2160a-qds.dts @@ -214,6 +214,8 @@ &emdio2 { }; &esdhc0 { + pinctrl-0 = <&i2c1_sdhc_cdwp>; + pinctrl-names = "default"; status = "okay"; }; diff --git a/arch/arm64/boot/dts/freescale/fsl-lx2160a-rdb.dts b/arch/arm64/boot/dts/freescale/fsl-lx2160a-rdb.dts index 0c44b3cbef77..faa486d6a5b1 100644 --- a/arch/arm64/boot/dts/freescale/fsl-lx2160a-rdb.dts +++ b/arch/arm64/boot/dts/freescale/fsl-lx2160a-rdb.dts @@ -131,6 +131,8 @@ &esdhc0 { sd-uhs-sdr50; sd-uhs-sdr25; sd-uhs-sdr12; + pinctrl-0 = <&i2c1_sdhc_cdwp>; + pinctrl-names = "default"; status = "okay"; }; diff --git a/arch/arm64/boot/dts/freescale/fsl-lx2160a-tqmlx2160a-mblx2160a.dts b/arch/arm64/boot/dts/freescale/fsl-lx2160a-tqmlx2160a-mblx2160a.dts index f6a4f8d54301..4ba55feb18b2 100644 --- a/arch/arm64/boot/dts/freescale/fsl-lx2160a-tqmlx2160a-mblx2160a.dts +++ b/arch/arm64/boot/dts/freescale/fsl-lx2160a-tqmlx2160a-mblx2160a.dts @@ -177,6 +177,8 @@ &esdhc0 { no-sdio; wp-gpios = <&gpio0 30 GPIO_ACTIVE_LOW>; cd-gpios = <&gpio0 31 GPIO_ACTIVE_LOW>; + pinctrl-0 = <&i2c1_scl_gpio>; + pinctrl-names = "default"; status = "okay"; }; diff --git a/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi b/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi index c9541403bcd8..555a191b0bb4 100644 --- a/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi +++ b/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi @@ -1717,6 +1717,10 @@ i2c1_scl_gpio: i2c1-scl-gpio-pins { pinctrl-single,bits = <0x0 0x1 0x7>; }; + i2c1_sdhc_cdwp: i2c1-esdhc0-cd-wp-pins { + pinctrl-single,bits = <0x0 0x6 0x7>; + }; + i2c2_scl: i2c2-scl-pins { pinctrl-single,bits = <0x0 0 (0x7 << 3)>; }; diff --git a/arch/arm64/boot/dts/freescale/fsl-lx2162a-clearfog.dts b/arch/arm64/boot/dts/freescale/fsl-lx2162a-clearfog.dts index eafef8718a0f..4b58105c3ffa 100644 --- a/arch/arm64/boot/dts/freescale/fsl-lx2162a-clearfog.dts +++ b/arch/arm64/boot/dts/freescale/fsl-lx2162a-clearfog.dts @@ -227,6 +227,8 @@ &esdhc0 { sd-uhs-sdr50; sd-uhs-sdr25; sd-uhs-sdr12; + pinctrl-0 = <&i2c1_sdhc_cdwp>; + pinctrl-names = "default"; status = "okay"; }; diff --git a/arch/arm64/boot/dts/freescale/fsl-lx2162a-qds.dts b/arch/arm64/boot/dts/freescale/fsl-lx2162a-qds.dts index 9f5ff1ffe7d5..caa079df35f6 100644 --- a/arch/arm64/boot/dts/freescale/fsl-lx2162a-qds.dts +++ b/arch/arm64/boot/dts/freescale/fsl-lx2162a-qds.dts @@ -238,6 +238,8 @@ &esdhc0 { sd-uhs-sdr50; sd-uhs-sdr25; sd-uhs-sdr12; + pinctrl-0 = <&i2c1_sdhc_cdwp>; + pinctrl-names = "default"; status = "okay"; }; --- base-commit: 19272b37aa4f83ca52bdf9c16d5d81bdd1354494 change-id: 20250710-lx2160-sd-cd-00bf38ae169e Best regards, -- Josua Mayer <josua(a)solid-run.com>

2 months, 1 week

1
2
0 0

[PATCH v2 0/4] HID: core: fix __hid_request when no report ID is used

by Benjamin Tissoires

New version (unchanged for patches 1-3), with a test added so we can detect this. Followup of https://lore.kernel.org/linux-input/c75433e0-9b47-4072-bbe8-b1d14ea97b13@ro… This initial series attempt at fixing the various bugs discovered by Alan regarding __hid_request(). Syzbot managed to create a report descriptor which presents a feature request of size 0 (still trying to extract it) and this exposed the fact that __hid_request() was incorrectly handling the case when the report ID is not used. Send a first batch of fixes now so we get the feedback from syzbot ASAP. Note: in the series, I also mentioned that the report of size 0 should be stripped out of the HID device, but I'm not entirely sure this would be a good idea in the end. Signed-off-by: Benjamin Tissoires <bentiss(a)kernel.org> --- Changes in v2: - added Tested-by from syzbot (https://lore.kernel.org/r/686e9113.050a0220.385921.0008.GAE@google.com) - added a python test for it - Link to v1: https://lore.kernel.org/r/20250709-report-size-null-v1-0-194912215cbc@kerne… --- Benjamin Tissoires (4): HID: core: ensure the allocated report buffer can contain the reserved report ID HID: core: ensure __hid_request reserves the report ID as the first byte HID: core: do not bypass hid_hw_raw_request selftests/hid: add a test case for the recent syzbot underflow drivers/hid/hid-core.c | 19 +++++-- tools/testing/selftests/hid/tests/test_mouse.py | 70 +++++++++++++++++++++++++ 2 files changed, 84 insertions(+), 5 deletions(-) --- base-commit: 1f988d0788f50d8464f957e793fab356e2937369 change-id: 20250709-report-size-null-37619ea20288 Best regards, -- Benjamin Tissoires <bentiss(a)kernel.org>

2 months, 1 week

1
4
0 0

FAILED: patch "[PATCH] pwm: mediatek: Ensure to disable clocks in error path" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 505b730ede7f5c4083ff212aa955155b5b92e574 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071235-disagree-dolly-ab52@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 505b730ede7f5c4083ff212aa955155b5b92e574 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig(a)baylibre.com> Date: Fri, 4 Jul 2025 19:27:27 +0200 Subject: [PATCH] pwm: mediatek: Ensure to disable clocks in error path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit After enabling the clocks each error path must disable the clocks again. One of them failed to do so. Unify the error paths to use goto to make it harder for future changes to add a similar bug. Fixes: 7ca59947b5fc ("pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config()") Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> Link: https://lore.kernel.org/r/20250704172728.626815-2-u.kleine-koenig@baylibre.… Cc: stable(a)vger.kernel.org Signed-off-by: Uwe Kleine-König <ukleinek(a)kernel.org> diff --git a/drivers/pwm/pwm-mediatek.c b/drivers/pwm/pwm-mediatek.c index 7eaab5831499..33d3554b9197 100644 --- a/drivers/pwm/pwm-mediatek.c +++ b/drivers/pwm/pwm-mediatek.c @@ -130,8 +130,10 @@ static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm, return ret; clk_rate = clk_get_rate(pc->clk_pwms[pwm->hwpwm]); - if (!clk_rate) - return -EINVAL; + if (!clk_rate) { + ret = -EINVAL; + goto out; + } /* Make sure we use the bus clock and not the 26MHz clock */ if (pc->soc->has_ck_26m_sel) @@ -150,9 +152,9 @@ static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm, } if (clkdiv > PWM_CLK_DIV_MAX) { - pwm_mediatek_clk_disable(chip, pwm); dev_err(pwmchip_parent(chip), "period of %d ns not supported\n", period_ns); - return -EINVAL; + ret = -EINVAL; + goto out; } if (pc->soc->pwm45_fixup && pwm->hwpwm > 2) { @@ -169,9 +171,10 @@ static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm, pwm_mediatek_writel(pc, pwm->hwpwm, reg_width, cnt_period); pwm_mediatek_writel(pc, pwm->hwpwm, reg_thres, cnt_duty); +out: pwm_mediatek_clk_disable(chip, pwm); - return 0; + return ret; } static int pwm_mediatek_enable(struct pwm_chip *chip, struct pwm_device *pwm)

2 months, 1 week

2
1
0 0

FAILED: patch "[PATCH] pwm: mediatek: Ensure to disable clocks in error path" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 505b730ede7f5c4083ff212aa955155b5b92e574 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071236-propeller-quality-54b9@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 505b730ede7f5c4083ff212aa955155b5b92e574 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig(a)baylibre.com> Date: Fri, 4 Jul 2025 19:27:27 +0200 Subject: [PATCH] pwm: mediatek: Ensure to disable clocks in error path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit After enabling the clocks each error path must disable the clocks again. One of them failed to do so. Unify the error paths to use goto to make it harder for future changes to add a similar bug. Fixes: 7ca59947b5fc ("pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config()") Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> Link: https://lore.kernel.org/r/20250704172728.626815-2-u.kleine-koenig@baylibre.… Cc: stable(a)vger.kernel.org Signed-off-by: Uwe Kleine-König <ukleinek(a)kernel.org> diff --git a/drivers/pwm/pwm-mediatek.c b/drivers/pwm/pwm-mediatek.c index 7eaab5831499..33d3554b9197 100644 --- a/drivers/pwm/pwm-mediatek.c +++ b/drivers/pwm/pwm-mediatek.c @@ -130,8 +130,10 @@ static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm, return ret; clk_rate = clk_get_rate(pc->clk_pwms[pwm->hwpwm]); - if (!clk_rate) - return -EINVAL; + if (!clk_rate) { + ret = -EINVAL; + goto out; + } /* Make sure we use the bus clock and not the 26MHz clock */ if (pc->soc->has_ck_26m_sel) @@ -150,9 +152,9 @@ static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm, } if (clkdiv > PWM_CLK_DIV_MAX) { - pwm_mediatek_clk_disable(chip, pwm); dev_err(pwmchip_parent(chip), "period of %d ns not supported\n", period_ns); - return -EINVAL; + ret = -EINVAL; + goto out; } if (pc->soc->pwm45_fixup && pwm->hwpwm > 2) { @@ -169,9 +171,10 @@ static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm, pwm_mediatek_writel(pc, pwm->hwpwm, reg_width, cnt_period); pwm_mediatek_writel(pc, pwm->hwpwm, reg_thres, cnt_duty); +out: pwm_mediatek_clk_disable(chip, pwm); - return 0; + return ret; } static int pwm_mediatek_enable(struct pwm_chip *chip, struct pwm_device *pwm)

2 months, 1 week

2
1
0 0

[PATCH 2/2] nvmem: imx-ocotp: fix MAC address byte length

by srini＠kernel.org

From: Steffen Bätz <steffen(a)innosonix.de> The commit "13bcd440f2ff nvmem: core: verify cell's raw_len" caused an extension of the "mac-address" cell from 6 to 8 bytes due to word_size of 4 bytes. This led to a required byte swap of the full buffer length, which caused truncation of the mac-address when read. Previously, the mac-address was incorrectly truncated from 70:B3:D5:14:E9:0E to 00:00:70:B3:D5:14. Fix the issue by swapping only the first 6 bytes to correctly pass the mac-address to the upper layers. Fixes: 13bcd440f2ff ("nvmem: core: verify cell's raw_len") Cc: stable(a)vger.kernel.org Signed-off-by: Steffen Bätz <steffen(a)innosonix.de> Tested-by: Alexander Stein <alexander.stein(a)ew.tq-group.com> Signed-off-by: Srinivas Kandagatla <srini(a)kernel.org> --- drivers/nvmem/imx-ocotp-ele.c | 5 ++++- drivers/nvmem/imx-ocotp.c | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/nvmem/imx-ocotp-ele.c b/drivers/nvmem/imx-ocotp-ele.c index ca6dd71d8a2e..7807ec0e2d18 100644 --- a/drivers/nvmem/imx-ocotp-ele.c +++ b/drivers/nvmem/imx-ocotp-ele.c @@ -12,6 +12,7 @@ #include <linux/of.h> #include <linux/platform_device.h> #include <linux/slab.h> +#include <linux/if_ether.h> /* ETH_ALEN */ enum fuse_type { FUSE_FSB = BIT(0), @@ -118,9 +119,11 @@ static int imx_ocotp_cell_pp(void *context, const char *id, int index, int i; /* Deal with some post processing of nvmem cell data */ - if (id && !strcmp(id, "mac-address")) + if (id && !strcmp(id, "mac-address")) { + bytes = min(bytes, ETH_ALEN); for (i = 0; i < bytes / 2; i++) swap(buf[i], buf[bytes - i - 1]); + } return 0; } diff --git a/drivers/nvmem/imx-ocotp.c b/drivers/nvmem/imx-ocotp.c index 79dd4fda0329..7bf7656d4f96 100644 --- a/drivers/nvmem/imx-ocotp.c +++ b/drivers/nvmem/imx-ocotp.c @@ -23,6 +23,7 @@ #include <linux/platform_device.h> #include <linux/slab.h> #include <linux/delay.h> +#include <linux/if_ether.h> /* ETH_ALEN */ #define IMX_OCOTP_OFFSET_B0W0 0x400 /* Offset from base address of the * OTP Bank0 Word0 @@ -227,9 +228,11 @@ static int imx_ocotp_cell_pp(void *context, const char *id, int index, int i; /* Deal with some post processing of nvmem cell data */ - if (id && !strcmp(id, "mac-address")) + if (id && !strcmp(id, "mac-address")) { + bytes = min(bytes, ETH_ALEN); for (i = 0; i < bytes / 2; i++) swap(buf[i], buf[bytes - i - 1]); + } return 0; } -- 2.43.0

2 months, 1 week

1
0
0 0

[PATCH 5.15.y] ocfs2: fix deadlock in ocfs2_get_system_file_inode

by Pranav Tyagi

From: Mohammed Anees <pvmohammedanees2003(a)gmail.com> [ Upstream commit 7bf1823e010e8db2fb649c790bd1b449a75f52d8 ] syzbot has found a possible deadlock in ocfs2_get_system_file_inode [1]. The scenario is depicted here, CPU0 CPU1 lock(&ocfs2_file_ip_alloc_sem_key); lock(&osb->system_file_mutex); lock(&ocfs2_file_ip_alloc_sem_key); lock(&osb->system_file_mutex); The function calls which could lead to this are: CPU0 ocfs2_mknod - lock(&ocfs2_file_ip_alloc_sem_key); . . . ocfs2_get_system_file_inode - lock(&osb->system_file_mutex); CPU1 - ocfs2_fill_super - lock(&osb->system_file_mutex); . . . ocfs2_read_virt_blocks - lock(&ocfs2_file_ip_alloc_sem_key); This issue can be resolved by making the down_read -> down_read_try in the ocfs2_read_virt_blocks. [1] https://syzkaller.appspot.com/bug?extid=e0055ea09f1f5e6fabdd [ Backport to 5.15: context cleanly applied with no semantic changes. Build-tested. ] Link: https://lkml.kernel.org/r/20240924093257.7181-1-pvmohammedanees2003@gmail.c… Signed-off-by: Mohammed Anees <pvmohammedanees2003(a)gmail.com> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Reported-by: <syzbot+e0055ea09f1f5e6fabdd(a)syzkaller.appspotmail.com> Closes: https://syzkaller.appspot.com/bug?extid=e0055ea09f1f5e6fabdd Tested-by: syzbot+e0055ea09f1f5e6fabdd(a)syzkaller.appspotmail.com Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Gang He <ghe(a)suse.com> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Pranav Tyagi <pranav.tyagi03(a)gmail.com> --- fs/ocfs2/extent_map.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/fs/ocfs2/extent_map.c b/fs/ocfs2/extent_map.c index 70a768b623cf..f7672472fa82 100644 --- a/fs/ocfs2/extent_map.c +++ b/fs/ocfs2/extent_map.c @@ -973,7 +973,13 @@ int ocfs2_read_virt_blocks(struct inode *inode, u64 v_block, int nr, } while (done < nr) { - down_read(&OCFS2_I(inode)->ip_alloc_sem); + if (!down_read_trylock(&OCFS2_I(inode)->ip_alloc_sem)) { + rc = -EAGAIN; + mlog(ML_ERROR, + "Inode #%llu ip_alloc_sem is temporarily unavailable\n", + (unsigned long long)OCFS2_I(inode)->ip_blkno); + break; + } rc = ocfs2_extent_map_get_blocks(inode, v_block + done, &p_block, &p_count, NULL); up_read(&OCFS2_I(inode)->ip_alloc_sem); -- 2.49.0

2 months, 1 week

3
3
0 0

[stable 6.12+] x86/pkeys: Simplify PKRU update in signal frame

by Ben Hutchings

Hi stable maintainers, Please apply commit d1e420772cd1 ("x86/pkeys: Simplify PKRU update in signal frame") to the stable branches for 6.12 and later. This fixes a regression introduced in 6.13 by commit ae6012d72fa6 ("x86/pkeys: Ensure updated PKRU value is XRSTOR'd"), which was also backported in 6.12.5. Ben. -- Ben Hutchings 73.46% of all statistics are made up.

2 months, 1 week

3
5
0 0

FAILED: patch "[PATCH] KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x fa787ac07b3ceb56dd88a62d1866038498e96230 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071240-smugly-detergent-14e4@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fa787ac07b3ceb56dd88a62d1866038498e96230 Mon Sep 17 00:00:00 2001 From: Manuel Andreas <manuel.andreas(a)tum.de> Date: Wed, 25 Jun 2025 15:53:19 +0200 Subject: [PATCH] KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush In KVM guests with Hyper-V hypercalls enabled, the hypercalls HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST and HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX allow a guest to request invalidation of portions of a virtual TLB. For this, the hypercall parameter includes a list of GVAs that are supposed to be invalidated. However, when non-canonical GVAs are passed, there is currently no filtering in place and they are eventually passed to checked invocations of INVVPID on Intel / INVLPGA on AMD. While AMD's INVLPGA silently ignores non-canonical addresses (effectively a no-op), Intel's INVVPID explicitly signals VM-Fail and ultimately triggers the WARN_ONCE in invvpid_error(): invvpid failed: ext=0x0 vpid=1 gva=0xaaaaaaaaaaaaa000 WARNING: CPU: 6 PID: 326 at arch/x86/kvm/vmx/vmx.c:482 invvpid_error+0x91/0xa0 [kvm_intel] Modules linked in: kvm_intel kvm 9pnet_virtio irqbypass fuse CPU: 6 UID: 0 PID: 326 Comm: kvm-vm Not tainted 6.15.0 #14 PREEMPT(voluntary) RIP: 0010:invvpid_error+0x91/0xa0 [kvm_intel] Call Trace: vmx_flush_tlb_gva+0x320/0x490 [kvm_intel] kvm_hv_vcpu_flush_tlb+0x24f/0x4f0 [kvm] kvm_arch_vcpu_ioctl_run+0x3013/0x5810 [kvm] Hyper-V documents that invalid GVAs (those that are beyond a partition's GVA space) are to be ignored. While not completely clear whether this ruling also applies to non-canonical GVAs, it is likely fine to make that assumption, and manual testing on Azure confirms "real" Hyper-V interprets the specification in the same way. Skip non-canonical GVAs when processing the list of address to avoid tripping the INVVPID failure. Alternatively, KVM could filter out "bad" GVAs before inserting into the FIFO, but practically speaking the only downside of pushing validation to the final processing is that doing so is suboptimal for the guest, and no well-behaved guest will request TLB flushes for non-canonical addresses. Fixes: 260970862c88 ("KVM: x86: hyper-v: Handle HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST{,EX} calls gently") Cc: stable(a)vger.kernel.org Signed-off-by: Manuel Andreas <manuel.andreas(a)tum.de> Suggested-by: Vitaly Kuznetsov <vkuznets(a)redhat.com> Link: https://lore.kernel.org/r/c090efb3-ef82-499f-a5e0-360fc8420fb7@tum.de Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c index 75221a11e15e..ee27064dd72f 100644 --- a/arch/x86/kvm/hyperv.c +++ b/arch/x86/kvm/hyperv.c @@ -1979,6 +1979,9 @@ int kvm_hv_vcpu_flush_tlb(struct kvm_vcpu *vcpu) if (entries[i] == KVM_HV_TLB_FLUSHALL_ENTRY) goto out_flush_all; + if (is_noncanonical_invlpg_address(entries[i], vcpu)) + continue; + /* * Lower 12 bits of 'address' encode the number of additional * pages to flush.

2 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] drm/amdkfd: Don't call mmput from MMU notifier callback" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x cf234231fcbc7d391e2135b9518613218cc5347f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071246-carol-kung-5103@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From cf234231fcbc7d391e2135b9518613218cc5347f Mon Sep 17 00:00:00 2001 From: Philip Yang <Philip.Yang(a)amd.com> Date: Fri, 20 Jun 2025 18:32:32 -0400 Subject: [PATCH] drm/amdkfd: Don't call mmput from MMU notifier callback If the process is exiting, the mmput inside mmu notifier callback from compactd or fork or numa balancing could release the last reference of mm struct to call exit_mmap and free_pgtable, this triggers deadlock with below backtrace. The deadlock will leak kfd process as mmu notifier release is not called and cause VRAM leaking. The fix is to take mm reference mmget_non_zero when adding prange to the deferred list to pair with mmput in deferred list work. If prange split and add into pchild list, the pchild work_item.mm is not used, so remove the mm parameter from svm_range_unmap_split and svm_range_add_child. The backtrace of hung task: INFO: task python:348105 blocked for more than 64512 seconds. Call Trace: __schedule+0x1c3/0x550 schedule+0x46/0xb0 rwsem_down_write_slowpath+0x24b/0x4c0 unlink_anon_vmas+0xb1/0x1c0 free_pgtables+0xa9/0x130 exit_mmap+0xbc/0x1a0 mmput+0x5a/0x140 svm_range_cpu_invalidate_pagetables+0x2b/0x40 [amdgpu] mn_itree_invalidate+0x72/0xc0 __mmu_notifier_invalidate_range_start+0x48/0x60 try_to_unmap_one+0x10fa/0x1400 rmap_walk_anon+0x196/0x460 try_to_unmap+0xbb/0x210 migrate_page_unmap+0x54d/0x7e0 migrate_pages_batch+0x1c3/0xae0 migrate_pages_sync+0x98/0x240 migrate_pages+0x25c/0x520 compact_zone+0x29d/0x590 compact_zone_order+0xb6/0xf0 try_to_compact_pages+0xbe/0x220 __alloc_pages_direct_compact+0x96/0x1a0 __alloc_pages_slowpath+0x410/0x930 __alloc_pages_nodemask+0x3a9/0x3e0 do_huge_pmd_anonymous_page+0xd7/0x3e0 __handle_mm_fault+0x5e3/0x5f0 handle_mm_fault+0xf7/0x2e0 hmm_vma_fault.isra.0+0x4d/0xa0 walk_pmd_range.isra.0+0xa8/0x310 walk_pud_range+0x167/0x240 walk_pgd_range+0x55/0x100 __walk_page_range+0x87/0x90 walk_page_range+0xf6/0x160 hmm_range_fault+0x4f/0x90 amdgpu_hmm_range_get_pages+0x123/0x230 [amdgpu] amdgpu_ttm_tt_get_user_pages+0xb1/0x150 [amdgpu] init_user_pages+0xb1/0x2a0 [amdgpu] amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x543/0x7d0 [amdgpu] kfd_ioctl_alloc_memory_of_gpu+0x24c/0x4e0 [amdgpu] kfd_ioctl+0x29d/0x500 [amdgpu] Fixes: fa582c6f3684 ("drm/amdkfd: Use mmget_not_zero in MMU notifier") Signed-off-by: Philip Yang <Philip.Yang(a)amd.com> Reviewed-by: Felix Kuehling <felix.kuehling(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit a29e067bd38946f752b0ef855f3dfff87e77bec7) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c index 7763e4742080..a0f22ea6d15a 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c @@ -1171,13 +1171,12 @@ svm_range_split_head(struct svm_range *prange, uint64_t new_start, } static void -svm_range_add_child(struct svm_range *prange, struct mm_struct *mm, - struct svm_range *pchild, enum svm_work_list_ops op) +svm_range_add_child(struct svm_range *prange, struct svm_range *pchild, enum svm_work_list_ops op) { pr_debug("add child 0x%p [0x%lx 0x%lx] to prange 0x%p child list %d\n", pchild, pchild->start, pchild->last, prange, op); - pchild->work_item.mm = mm; + pchild->work_item.mm = NULL; pchild->work_item.op = op; list_add_tail(&pchild->child_list, &prange->child_list); } @@ -2394,15 +2393,17 @@ svm_range_add_list_work(struct svm_range_list *svms, struct svm_range *prange, prange->work_item.op != SVM_OP_UNMAP_RANGE) prange->work_item.op = op; } else { - prange->work_item.op = op; - - /* Pairs with mmput in deferred_list_work */ - mmget(mm); - prange->work_item.mm = mm; - list_add_tail(&prange->deferred_list, - &prange->svms->deferred_range_list); - pr_debug("add prange 0x%p [0x%lx 0x%lx] to work list op %d\n", - prange, prange->start, prange->last, op); + /* Pairs with mmput in deferred_list_work. + * If process is exiting and mm is gone, don't update mmu notifier. + */ + if (mmget_not_zero(mm)) { + prange->work_item.mm = mm; + prange->work_item.op = op; + list_add_tail(&prange->deferred_list, + &prange->svms->deferred_range_list); + pr_debug("add prange 0x%p [0x%lx 0x%lx] to work list op %d\n", + prange, prange->start, prange->last, op); + } } spin_unlock(&svms->deferred_list_lock); } @@ -2416,8 +2417,7 @@ void schedule_deferred_list_work(struct svm_range_list *svms) } static void -svm_range_unmap_split(struct mm_struct *mm, struct svm_range *parent, - struct svm_range *prange, unsigned long start, +svm_range_unmap_split(struct svm_range *parent, struct svm_range *prange, unsigned long start, unsigned long last) { struct svm_range *head; @@ -2438,12 +2438,12 @@ svm_range_unmap_split(struct mm_struct *mm, struct svm_range *parent, svm_range_split(tail, last + 1, tail->last, &head); if (head != prange && tail != prange) { - svm_range_add_child(parent, mm, head, SVM_OP_UNMAP_RANGE); - svm_range_add_child(parent, mm, tail, SVM_OP_ADD_RANGE); + svm_range_add_child(parent, head, SVM_OP_UNMAP_RANGE); + svm_range_add_child(parent, tail, SVM_OP_ADD_RANGE); } else if (tail != prange) { - svm_range_add_child(parent, mm, tail, SVM_OP_UNMAP_RANGE); + svm_range_add_child(parent, tail, SVM_OP_UNMAP_RANGE); } else if (head != prange) { - svm_range_add_child(parent, mm, head, SVM_OP_UNMAP_RANGE); + svm_range_add_child(parent, head, SVM_OP_UNMAP_RANGE); } else if (parent != prange) { prange->work_item.op = SVM_OP_UNMAP_RANGE; } @@ -2520,14 +2520,14 @@ svm_range_unmap_from_cpu(struct mm_struct *mm, struct svm_range *prange, l = min(last, pchild->last); if (l >= s) svm_range_unmap_from_gpus(pchild, s, l, trigger); - svm_range_unmap_split(mm, prange, pchild, start, last); + svm_range_unmap_split(prange, pchild, start, last); mutex_unlock(&pchild->lock); } s = max(start, prange->start); l = min(last, prange->last); if (l >= s) svm_range_unmap_from_gpus(prange, s, l, trigger); - svm_range_unmap_split(mm, prange, prange, start, last); + svm_range_unmap_split(prange, prange, start, last); if (unmap_parent) svm_range_add_list_work(svms, prange, mm, SVM_OP_UNMAP_RANGE); @@ -2570,8 +2570,6 @@ svm_range_cpu_invalidate_pagetables(struct mmu_interval_notifier *mni, if (range->event == MMU_NOTIFY_RELEASE) return true; - if (!mmget_not_zero(mni->mm)) - return true; start = mni->interval_tree.start; last = mni->interval_tree.last; @@ -2598,7 +2596,6 @@ svm_range_cpu_invalidate_pagetables(struct mmu_interval_notifier *mni, } svm_range_unlock(prange); - mmput(mni->mm); return true; }

2 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] ALSA: hda: Add missing NVIDIA HDA codec IDs" failed to apply to 6.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.15.y git checkout FETCH_HEAD git cherry-pick -x e0a911ac86857a73182edde9e50d9b4b949b7f01 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071242-dropout-seldom-e04a@gregkh' --subject-prefix 'PATCH 6.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e0a911ac86857a73182edde9e50d9b4b949b7f01 Mon Sep 17 00:00:00 2001 From: Daniel Dadap <ddadap(a)nvidia.com> Date: Thu, 26 Jun 2025 16:16:30 -0500 Subject: [PATCH] ALSA: hda: Add missing NVIDIA HDA codec IDs Add codec IDs for several NVIDIA products with HDA controllers to the snd_hda_id_hdmi[] patch table. Signed-off-by: Daniel Dadap <ddadap(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/aF24rqwMKFWoHu12@ddadap-lakeline.nvidia.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c index 08308231b4ed..9a7793eb16e9 100644 --- a/sound/pci/hda/patch_hdmi.c +++ b/sound/pci/hda/patch_hdmi.c @@ -4551,7 +4551,9 @@ HDA_CODEC_ENTRY(0x10de002e, "Tegra186 HDMI/DP1", patch_tegra_hdmi), HDA_CODEC_ENTRY(0x10de002f, "Tegra194 HDMI/DP2", patch_tegra_hdmi), HDA_CODEC_ENTRY(0x10de0030, "Tegra194 HDMI/DP3", patch_tegra_hdmi), HDA_CODEC_ENTRY(0x10de0031, "Tegra234 HDMI/DP", patch_tegra234_hdmi), +HDA_CODEC_ENTRY(0x10de0033, "SoC 33 HDMI/DP", patch_tegra234_hdmi), HDA_CODEC_ENTRY(0x10de0034, "Tegra264 HDMI/DP", patch_tegra234_hdmi), +HDA_CODEC_ENTRY(0x10de0035, "SoC 35 HDMI/DP", patch_tegra234_hdmi), HDA_CODEC_ENTRY(0x10de0040, "GPU 40 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0041, "GPU 41 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0042, "GPU 42 HDMI/DP", patch_nvhdmi), @@ -4590,15 +4592,32 @@ HDA_CODEC_ENTRY(0x10de0097, "GPU 97 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0098, "GPU 98 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de0099, "GPU 99 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009a, "GPU 9a HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de009b, "GPU 9b HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de009c, "GPU 9c HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009d, "GPU 9d HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009e, "GPU 9e HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de009f, "GPU 9f HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a0, "GPU a0 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00a1, "GPU a1 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a3, "GPU a3 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a4, "GPU a4 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a5, "GPU a5 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a6, "GPU a6 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de00a7, "GPU a7 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00a8, "GPU a8 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00a9, "GPU a9 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00aa, "GPU aa HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00ab, "GPU ab HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00ad, "GPU ad HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00ae, "GPU ae HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00af, "GPU af HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00b0, "GPU b0 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00b1, "GPU b1 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c0, "GPU c0 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c1, "GPU c1 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c3, "GPU c3 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c4, "GPU c4 HDMI/DP", patch_nvhdmi), +HDA_CODEC_ENTRY(0x10de00c5, "GPU c5 HDMI/DP", patch_nvhdmi), HDA_CODEC_ENTRY(0x10de8001, "MCP73 HDMI", patch_nvhdmi_2ch), HDA_CODEC_ENTRY(0x10de8067, "MCP67/68 HDMI", patch_nvhdmi_2ch), HDA_CODEC_ENTRY(0x67663d82, "Arise 82 HDMI/DP", patch_gf_hdmi),

2 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] arm64: Filter out SME hwcaps when FEAT_SME isn't implemented" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x a75ad2fc76a2ab70817c7eed3163b66ea84ca6ac # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071235-marbling-sizably-bdbb@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a75ad2fc76a2ab70817c7eed3163b66ea84ca6ac Mon Sep 17 00:00:00 2001 From: Mark Brown <broonie(a)kernel.org> Date: Fri, 20 Jun 2025 12:28:48 +0100 Subject: [PATCH] arm64: Filter out SME hwcaps when FEAT_SME isn't implemented We have a number of hwcaps for various SME subfeatures enumerated via ID_AA64SMFR0_EL1. Currently we advertise these without cross checking against the main SME feature, advertised in ID_AA64PFR1_EL1.SME which means that if the two are out of sync userspace can see a confusing situation where SME subfeatures are advertised without the base SME hwcap. This can be readily triggered by using the arm64.nosme override which only masks out ID_AA64PFR1_EL1.SME, and there have also been reports of VMMs which do the same thing. Fix this as we did previously for SVE in 064737920bdb ("arm64: Filter out SVE hwcaps when FEAT_SVE isn't implemented") by filtering out the SME subfeature hwcaps when FEAT_SME is not present. Fixes: 5e64b862c482 ("arm64/sme: Basic enumeration support") Reported-by: Yury Khrustalev <yury.khrustalev(a)arm.com> Signed-off-by: Mark Brown <broonie(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250620-arm64-sme-filter-hwcaps-v1-1-02b9d3c2d8e… Signed-off-by: Will Deacon <will(a)kernel.org> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index b34044e20128..e151585c6cca 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -3135,6 +3135,13 @@ static bool has_sve_feature(const struct arm64_cpu_capabilities *cap, int scope) } #endif +#ifdef CONFIG_ARM64_SME +static bool has_sme_feature(const struct arm64_cpu_capabilities *cap, int scope) +{ + return system_supports_sme() && has_user_cpuid_feature(cap, scope); +} +#endif + static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = { HWCAP_CAP(ID_AA64ISAR0_EL1, AES, PMULL, CAP_HWCAP, KERNEL_HWCAP_PMULL), HWCAP_CAP(ID_AA64ISAR0_EL1, AES, AES, CAP_HWCAP, KERNEL_HWCAP_AES), @@ -3223,31 +3230,31 @@ static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = { HWCAP_CAP(ID_AA64ISAR2_EL1, BC, IMP, CAP_HWCAP, KERNEL_HWCAP_HBC), #ifdef CONFIG_ARM64_SME HWCAP_CAP(ID_AA64PFR1_EL1, SME, IMP, CAP_HWCAP, KERNEL_HWCAP_SME), - HWCAP_CAP(ID_AA64SMFR0_EL1, FA64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_FA64), - HWCAP_CAP(ID_AA64SMFR0_EL1, LUTv2, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_LUTV2), - HWCAP_CAP(ID_AA64SMFR0_EL1, SMEver, SME2p2, CAP_HWCAP, KERNEL_HWCAP_SME2P2), - HWCAP_CAP(ID_AA64SMFR0_EL1, SMEver, SME2p1, CAP_HWCAP, KERNEL_HWCAP_SME2P1), - HWCAP_CAP(ID_AA64SMFR0_EL1, SMEver, SME2, CAP_HWCAP, KERNEL_HWCAP_SME2), - HWCAP_CAP(ID_AA64SMFR0_EL1, I16I64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I64), - HWCAP_CAP(ID_AA64SMFR0_EL1, F64F64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F64F64), - HWCAP_CAP(ID_AA64SMFR0_EL1, I16I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I32), - HWCAP_CAP(ID_AA64SMFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16B16), - HWCAP_CAP(ID_AA64SMFR0_EL1, F16F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F16), - HWCAP_CAP(ID_AA64SMFR0_EL1, F8F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F8F16), - HWCAP_CAP(ID_AA64SMFR0_EL1, F8F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F8F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, I8I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I8I32), - HWCAP_CAP(ID_AA64SMFR0_EL1, F16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, B16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, BI32I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_BI32I32), - HWCAP_CAP(ID_AA64SMFR0_EL1, F32F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F32F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, SF8FMA, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8FMA), - HWCAP_CAP(ID_AA64SMFR0_EL1, SF8DP4, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8DP4), - HWCAP_CAP(ID_AA64SMFR0_EL1, SF8DP2, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8DP2), - HWCAP_CAP(ID_AA64SMFR0_EL1, SBitPerm, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SBITPERM), - HWCAP_CAP(ID_AA64SMFR0_EL1, AES, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_AES), - HWCAP_CAP(ID_AA64SMFR0_EL1, SFEXPA, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SFEXPA), - HWCAP_CAP(ID_AA64SMFR0_EL1, STMOP, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_STMOP), - HWCAP_CAP(ID_AA64SMFR0_EL1, SMOP4, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SMOP4), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, FA64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_FA64), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, LUTv2, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_LUTV2), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SMEver, SME2p2, CAP_HWCAP, KERNEL_HWCAP_SME2P2), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SMEver, SME2p1, CAP_HWCAP, KERNEL_HWCAP_SME2P1), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SMEver, SME2, CAP_HWCAP, KERNEL_HWCAP_SME2), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, I16I64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I64), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F64F64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F64F64), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, I16I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16B16), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F16F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F16), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F8F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F8F16), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F8F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F8F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, I8I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I8I32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, B16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, BI32I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_BI32I32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F32F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F32F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SF8FMA, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8FMA), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SF8DP4, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8DP4), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SF8DP2, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8DP2), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SBitPerm, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SBITPERM), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, AES, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_AES), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SFEXPA, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SFEXPA), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, STMOP, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_STMOP), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SMOP4, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SMOP4), #endif /* CONFIG_ARM64_SME */ HWCAP_CAP(ID_AA64FPFR0_EL1, F8CVT, IMP, CAP_HWCAP, KERNEL_HWCAP_F8CVT), HWCAP_CAP(ID_AA64FPFR0_EL1, F8FMA, IMP, CAP_HWCAP, KERNEL_HWCAP_F8FMA),

2 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] arm64: Filter out SME hwcaps when FEAT_SME isn't implemented" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x a75ad2fc76a2ab70817c7eed3163b66ea84ca6ac # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071235-trowel-void-fe33@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a75ad2fc76a2ab70817c7eed3163b66ea84ca6ac Mon Sep 17 00:00:00 2001 From: Mark Brown <broonie(a)kernel.org> Date: Fri, 20 Jun 2025 12:28:48 +0100 Subject: [PATCH] arm64: Filter out SME hwcaps when FEAT_SME isn't implemented We have a number of hwcaps for various SME subfeatures enumerated via ID_AA64SMFR0_EL1. Currently we advertise these without cross checking against the main SME feature, advertised in ID_AA64PFR1_EL1.SME which means that if the two are out of sync userspace can see a confusing situation where SME subfeatures are advertised without the base SME hwcap. This can be readily triggered by using the arm64.nosme override which only masks out ID_AA64PFR1_EL1.SME, and there have also been reports of VMMs which do the same thing. Fix this as we did previously for SVE in 064737920bdb ("arm64: Filter out SVE hwcaps when FEAT_SVE isn't implemented") by filtering out the SME subfeature hwcaps when FEAT_SME is not present. Fixes: 5e64b862c482 ("arm64/sme: Basic enumeration support") Reported-by: Yury Khrustalev <yury.khrustalev(a)arm.com> Signed-off-by: Mark Brown <broonie(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250620-arm64-sme-filter-hwcaps-v1-1-02b9d3c2d8e… Signed-off-by: Will Deacon <will(a)kernel.org> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index b34044e20128..e151585c6cca 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -3135,6 +3135,13 @@ static bool has_sve_feature(const struct arm64_cpu_capabilities *cap, int scope) } #endif +#ifdef CONFIG_ARM64_SME +static bool has_sme_feature(const struct arm64_cpu_capabilities *cap, int scope) +{ + return system_supports_sme() && has_user_cpuid_feature(cap, scope); +} +#endif + static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = { HWCAP_CAP(ID_AA64ISAR0_EL1, AES, PMULL, CAP_HWCAP, KERNEL_HWCAP_PMULL), HWCAP_CAP(ID_AA64ISAR0_EL1, AES, AES, CAP_HWCAP, KERNEL_HWCAP_AES), @@ -3223,31 +3230,31 @@ static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = { HWCAP_CAP(ID_AA64ISAR2_EL1, BC, IMP, CAP_HWCAP, KERNEL_HWCAP_HBC), #ifdef CONFIG_ARM64_SME HWCAP_CAP(ID_AA64PFR1_EL1, SME, IMP, CAP_HWCAP, KERNEL_HWCAP_SME), - HWCAP_CAP(ID_AA64SMFR0_EL1, FA64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_FA64), - HWCAP_CAP(ID_AA64SMFR0_EL1, LUTv2, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_LUTV2), - HWCAP_CAP(ID_AA64SMFR0_EL1, SMEver, SME2p2, CAP_HWCAP, KERNEL_HWCAP_SME2P2), - HWCAP_CAP(ID_AA64SMFR0_EL1, SMEver, SME2p1, CAP_HWCAP, KERNEL_HWCAP_SME2P1), - HWCAP_CAP(ID_AA64SMFR0_EL1, SMEver, SME2, CAP_HWCAP, KERNEL_HWCAP_SME2), - HWCAP_CAP(ID_AA64SMFR0_EL1, I16I64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I64), - HWCAP_CAP(ID_AA64SMFR0_EL1, F64F64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F64F64), - HWCAP_CAP(ID_AA64SMFR0_EL1, I16I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I32), - HWCAP_CAP(ID_AA64SMFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16B16), - HWCAP_CAP(ID_AA64SMFR0_EL1, F16F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F16), - HWCAP_CAP(ID_AA64SMFR0_EL1, F8F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F8F16), - HWCAP_CAP(ID_AA64SMFR0_EL1, F8F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F8F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, I8I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I8I32), - HWCAP_CAP(ID_AA64SMFR0_EL1, F16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, B16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, BI32I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_BI32I32), - HWCAP_CAP(ID_AA64SMFR0_EL1, F32F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F32F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, SF8FMA, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8FMA), - HWCAP_CAP(ID_AA64SMFR0_EL1, SF8DP4, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8DP4), - HWCAP_CAP(ID_AA64SMFR0_EL1, SF8DP2, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8DP2), - HWCAP_CAP(ID_AA64SMFR0_EL1, SBitPerm, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SBITPERM), - HWCAP_CAP(ID_AA64SMFR0_EL1, AES, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_AES), - HWCAP_CAP(ID_AA64SMFR0_EL1, SFEXPA, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SFEXPA), - HWCAP_CAP(ID_AA64SMFR0_EL1, STMOP, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_STMOP), - HWCAP_CAP(ID_AA64SMFR0_EL1, SMOP4, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SMOP4), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, FA64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_FA64), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, LUTv2, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_LUTV2), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SMEver, SME2p2, CAP_HWCAP, KERNEL_HWCAP_SME2P2), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SMEver, SME2p1, CAP_HWCAP, KERNEL_HWCAP_SME2P1), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SMEver, SME2, CAP_HWCAP, KERNEL_HWCAP_SME2), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, I16I64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I64), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F64F64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F64F64), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, I16I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16B16), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F16F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F16), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F8F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F8F16), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F8F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F8F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, I8I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I8I32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, B16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, BI32I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_BI32I32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F32F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F32F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SF8FMA, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8FMA), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SF8DP4, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8DP4), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SF8DP2, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8DP2), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SBitPerm, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SBITPERM), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, AES, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_AES), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SFEXPA, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SFEXPA), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, STMOP, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_STMOP), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SMOP4, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SMOP4), #endif /* CONFIG_ARM64_SME */ HWCAP_CAP(ID_AA64FPFR0_EL1, F8CVT, IMP, CAP_HWCAP, KERNEL_HWCAP_F8CVT), HWCAP_CAP(ID_AA64FPFR0_EL1, F8FMA, IMP, CAP_HWCAP, KERNEL_HWCAP_F8FMA),

2 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] arm64: Filter out SME hwcaps when FEAT_SME isn't implemented" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x a75ad2fc76a2ab70817c7eed3163b66ea84ca6ac # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071234-upturned-graves-62a7@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a75ad2fc76a2ab70817c7eed3163b66ea84ca6ac Mon Sep 17 00:00:00 2001 From: Mark Brown <broonie(a)kernel.org> Date: Fri, 20 Jun 2025 12:28:48 +0100 Subject: [PATCH] arm64: Filter out SME hwcaps when FEAT_SME isn't implemented We have a number of hwcaps for various SME subfeatures enumerated via ID_AA64SMFR0_EL1. Currently we advertise these without cross checking against the main SME feature, advertised in ID_AA64PFR1_EL1.SME which means that if the two are out of sync userspace can see a confusing situation where SME subfeatures are advertised without the base SME hwcap. This can be readily triggered by using the arm64.nosme override which only masks out ID_AA64PFR1_EL1.SME, and there have also been reports of VMMs which do the same thing. Fix this as we did previously for SVE in 064737920bdb ("arm64: Filter out SVE hwcaps when FEAT_SVE isn't implemented") by filtering out the SME subfeature hwcaps when FEAT_SME is not present. Fixes: 5e64b862c482 ("arm64/sme: Basic enumeration support") Reported-by: Yury Khrustalev <yury.khrustalev(a)arm.com> Signed-off-by: Mark Brown <broonie(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250620-arm64-sme-filter-hwcaps-v1-1-02b9d3c2d8e… Signed-off-by: Will Deacon <will(a)kernel.org> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index b34044e20128..e151585c6cca 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -3135,6 +3135,13 @@ static bool has_sve_feature(const struct arm64_cpu_capabilities *cap, int scope) } #endif +#ifdef CONFIG_ARM64_SME +static bool has_sme_feature(const struct arm64_cpu_capabilities *cap, int scope) +{ + return system_supports_sme() && has_user_cpuid_feature(cap, scope); +} +#endif + static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = { HWCAP_CAP(ID_AA64ISAR0_EL1, AES, PMULL, CAP_HWCAP, KERNEL_HWCAP_PMULL), HWCAP_CAP(ID_AA64ISAR0_EL1, AES, AES, CAP_HWCAP, KERNEL_HWCAP_AES), @@ -3223,31 +3230,31 @@ static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = { HWCAP_CAP(ID_AA64ISAR2_EL1, BC, IMP, CAP_HWCAP, KERNEL_HWCAP_HBC), #ifdef CONFIG_ARM64_SME HWCAP_CAP(ID_AA64PFR1_EL1, SME, IMP, CAP_HWCAP, KERNEL_HWCAP_SME), - HWCAP_CAP(ID_AA64SMFR0_EL1, FA64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_FA64), - HWCAP_CAP(ID_AA64SMFR0_EL1, LUTv2, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_LUTV2), - HWCAP_CAP(ID_AA64SMFR0_EL1, SMEver, SME2p2, CAP_HWCAP, KERNEL_HWCAP_SME2P2), - HWCAP_CAP(ID_AA64SMFR0_EL1, SMEver, SME2p1, CAP_HWCAP, KERNEL_HWCAP_SME2P1), - HWCAP_CAP(ID_AA64SMFR0_EL1, SMEver, SME2, CAP_HWCAP, KERNEL_HWCAP_SME2), - HWCAP_CAP(ID_AA64SMFR0_EL1, I16I64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I64), - HWCAP_CAP(ID_AA64SMFR0_EL1, F64F64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F64F64), - HWCAP_CAP(ID_AA64SMFR0_EL1, I16I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I32), - HWCAP_CAP(ID_AA64SMFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16B16), - HWCAP_CAP(ID_AA64SMFR0_EL1, F16F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F16), - HWCAP_CAP(ID_AA64SMFR0_EL1, F8F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F8F16), - HWCAP_CAP(ID_AA64SMFR0_EL1, F8F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F8F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, I8I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I8I32), - HWCAP_CAP(ID_AA64SMFR0_EL1, F16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, B16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, BI32I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_BI32I32), - HWCAP_CAP(ID_AA64SMFR0_EL1, F32F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F32F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, SF8FMA, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8FMA), - HWCAP_CAP(ID_AA64SMFR0_EL1, SF8DP4, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8DP4), - HWCAP_CAP(ID_AA64SMFR0_EL1, SF8DP2, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8DP2), - HWCAP_CAP(ID_AA64SMFR0_EL1, SBitPerm, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SBITPERM), - HWCAP_CAP(ID_AA64SMFR0_EL1, AES, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_AES), - HWCAP_CAP(ID_AA64SMFR0_EL1, SFEXPA, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SFEXPA), - HWCAP_CAP(ID_AA64SMFR0_EL1, STMOP, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_STMOP), - HWCAP_CAP(ID_AA64SMFR0_EL1, SMOP4, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SMOP4), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, FA64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_FA64), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, LUTv2, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_LUTV2), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SMEver, SME2p2, CAP_HWCAP, KERNEL_HWCAP_SME2P2), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SMEver, SME2p1, CAP_HWCAP, KERNEL_HWCAP_SME2P1), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SMEver, SME2, CAP_HWCAP, KERNEL_HWCAP_SME2), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, I16I64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I64), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F64F64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F64F64), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, I16I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16B16), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F16F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F16), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F8F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F8F16), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F8F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F8F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, I8I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I8I32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, B16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, BI32I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_BI32I32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F32F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F32F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SF8FMA, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8FMA), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SF8DP4, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8DP4), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SF8DP2, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8DP2), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SBitPerm, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SBITPERM), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, AES, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_AES), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SFEXPA, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SFEXPA), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, STMOP, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_STMOP), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SMOP4, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SMOP4), #endif /* CONFIG_ARM64_SME */ HWCAP_CAP(ID_AA64FPFR0_EL1, F8CVT, IMP, CAP_HWCAP, KERNEL_HWCAP_F8CVT), HWCAP_CAP(ID_AA64FPFR0_EL1, F8FMA, IMP, CAP_HWCAP, KERNEL_HWCAP_F8FMA),

2 months, 1 week

1
0
0 0

[PATCH 5.10 v2 00/16] ITS mitigation for 5.10

by Pawan Gupta

v2: - Fixed the sign-offs. v1: https://lore.kernel.org/stable/20250610-its-5-10-v1-0-64f0ae98c98d@linux.in… This is the backport for Indirect Target Selection(ITS) mitigation for 5.10. This is only boot tested, so sending it as an RFC for now. I hope some bot picks this up for some at-scale testing. Meanwhile I am doing basic tests around ITS mitigation. In addition to commits in 5.15 ITS backport, below commits are required to make the ITS mitigation work on 5.10. These are the prime target of scrutiny: x86/alternatives: Teach text_poke_bp() to patch Jcc.d32 instructions x86/alternatives: Introduce int3_emulate_jcc() x86/bhi: Define SPEC_CTRL_BHI_DIS_S --- Borislav Petkov (AMD) (1): x86/alternative: Optimize returns patching Daniel Sneddon (1): x86/bhi: Define SPEC_CTRL_BHI_DIS_S Eric Biggers (1): x86/its: Fix build errors when CONFIG_MODULES=n Josh Poimboeuf (1): x86/alternatives: Remove faulty optimization Pawan Gupta (7): Documentation: x86/bugs/its: Add ITS documentation x86/its: Enumerate Indirect Target Selection (ITS) bug x86/its: Add support for ITS-safe indirect thunk x86/its: Add support for ITS-safe return thunk x86/its: Fix undefined reference to cpu_wants_rethunk_at() x86/its: Enable Indirect Target Selection mitigation x86/its: Add "vmexit" option to skip mitigation on some CPUs Peter Zijlstra (4): x86/alternatives: Introduce int3_emulate_jcc() x86/alternatives: Teach text_poke_bp() to patch Jcc.d32 instructions x86/its: Use dynamic thunks for indirect branches x86/its: FineIBT-paranoid vs ITS Thomas Gleixner (1): x86/modules: Set VM_FLUSH_RESET_PERMS in module_alloc() Documentation/ABI/testing/sysfs-devices-system-cpu | 1 + Documentation/admin-guide/hw-vuln/index.rst | 1 + .../hw-vuln/indirect-target-selection.rst | 156 +++++++++++ Documentation/admin-guide/kernel-parameters.txt | 15 + arch/x86/Kconfig | 11 + arch/x86/include/asm/alternative.h | 26 ++ arch/x86/include/asm/cpufeatures.h | 6 +- arch/x86/include/asm/msr-index.h | 13 +- arch/x86/include/asm/nospec-branch.h | 11 + arch/x86/include/asm/text-patching.h | 31 +++ arch/x86/kernel/alternative.c | 308 ++++++++++++++++++++- arch/x86/kernel/cpu/bugs.c | 139 +++++++++- arch/x86/kernel/cpu/common.c | 63 ++++- arch/x86/kernel/cpu/scattered.c | 1 + arch/x86/kernel/ftrace.c | 4 +- arch/x86/kernel/kprobes/core.c | 39 +-- arch/x86/kernel/module.c | 14 +- arch/x86/kernel/static_call.c | 2 +- arch/x86/kernel/vmlinux.lds.S | 8 + arch/x86/kvm/x86.c | 4 +- arch/x86/lib/retpoline.S | 39 +++ arch/x86/net/bpf_jit_comp.c | 8 +- drivers/base/cpu.c | 8 + include/linux/cpu.h | 2 + include/linux/module.h | 5 + 25 files changed, 842 insertions(+), 73 deletions(-) --- base-commit: 01e7e36b8606e5d4fddf795938010f7bfa3aa277 change-id: 20250617-its-5-10-43d1e195b345

2 months, 1 week

3
36
0 0

6.12 drm/amdgpu ip discovery for legacy asics

by Jonathan Gray

After 6.12.36, amdgpu on a picasso apu prints an error: "get invalid ip discovery binary signature". Both with and without picasso_ip_discovery.bin from linux-firmware 20250708. The error is avoided by backporting more ip discovery patches. 25f602fbbcc8 drm/amdgpu/discovery: use specific ip_discovery.bin for legacy asics 2f6dd741cdcd drm/amdgpu/ip_discovery: add missing ip_discovery fw second is a fix for the first

2 months, 1 week

2
1
0 0

[PATCH 1/2] netfs: Fix copy-to-cache so that it performs collection with ceph+fscache

by David Howells

The netfs copy-to-cache that is used by Ceph with local caching sets up a new request to write data just read to the cache. The request is started and then left to look after itself whilst the app continues. The request gets notified by the backing fs upon completion of the async DIO write, but then tries to wake up the app because NETFS_RREQ_OFFLOAD_COLLECTION isn't set - but the app isn't waiting there, and so the request just hangs. Fix this by setting NETFS_RREQ_OFFLOAD_COLLECTION which causes the notification from the backing filesystem to put the collection onto a work queue instead. Fixes: e2d46f2ec332 ("netfs: Change the read result collector to only use one work item") Reported-by: Max Kellermann <max.kellermann(a)ionos.com> Link: https://lore.kernel.org/r/CAKPOu+8z_ijTLHdiCYGU_Uk7yYD=shxyGLwfe-L7AV3DhebS… Signed-off-by: David Howells <dhowells(a)redhat.com> cc: Paulo Alcantara <pc(a)manguebit.org> cc: Viacheslav Dubeyko <slava(a)dubeyko.com> cc: Alex Markuze <amarkuze(a)redhat.com> cc: Ilya Dryomov <idryomov(a)gmail.com> cc: netfs(a)lists.linux.dev cc: ceph-devel(a)vger.kernel.org cc: linux-fsdevel(a)vger.kernel.org cc: stable(a)vger.kernel.org --- fs/netfs/read_pgpriv2.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/netfs/read_pgpriv2.c b/fs/netfs/read_pgpriv2.c index 5bbe906a551d..080d2a6a51d9 100644 --- a/fs/netfs/read_pgpriv2.c +++ b/fs/netfs/read_pgpriv2.c @@ -110,6 +110,7 @@ static struct netfs_io_request *netfs_pgpriv2_begin_copy_to_cache( if (!creq->io_streams[1].avail) goto cancel_put; + __set_bit(NETFS_RREQ_OFFLOAD_COLLECTION, &creq->flags); trace_netfs_write(creq, netfs_write_trace_copy_to_cache); netfs_stat(&netfs_n_wh_copy_to_cache); rreq->copy_to_cache = creq;

2 months, 1 week

2
1
0 0

[PATCH V5] efi/tpm: Fix the issue where the CC platforms event log header can't be correctly identified

by yangge1116＠126.com

From: Ge Yang <yangge1116(a)126.com> Since commit d228814b1913 ("efi/libstub: Add get_event_log() support for CC platforms") reuses TPM2 support code for the CC platforms, when launching a TDX virtual machine with coco measurement enabled, the following error log is generated: [Firmware Bug]: Failed to parse event in TPM Final Events Log Call Trace: efi_config_parse_tables() efi_tpm_eventlog_init() tpm2_calc_event_log_size() __calc_tpm2_event_size() The pcr_idx value in the Intel TDX log header is 1, causing the function __calc_tpm2_event_size() to fail to recognize the log header, ultimately leading to the "Failed to parse event in TPM Final Events Log" error. According to UEFI Specification 2.10, Section 38.4.1: For TDX, TPM PCR 0 maps to MRTD, so the log header uses TPM PCR 1 instead. To successfully parse the TDX event log header, the check for a pcr_idx value of 0 must be skipped. There's no danger of this causing problems because we check for the TCG_SPECID_SIG signature as the next thing. Link: https://uefi.org/specs/UEFI/2.10/38_Confidential_Computing.html#intel-trust… Fixes: d228814b1913 ("efi/libstub: Add get_event_log() support for CC platforms") Signed-off-by: Ge Yang <yangge1116(a)126.com> Cc: stable(a)vger.kernel.org --- V5: - remove the pcr_index check without adding any replacement checks suggested by James and Sathyanarayanan V4: - remove cc_platform_has(CC_ATTR_GUEST_STATE_ENCRYPT) suggested by Ard V3: - fix build error V2: - limit the fix for CC only suggested by Jarkko and Sathyanarayanan include/linux/tpm_eventlog.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/linux/tpm_eventlog.h b/include/linux/tpm_eventlog.h index 891368e..05c0ae5 100644 --- a/include/linux/tpm_eventlog.h +++ b/include/linux/tpm_eventlog.h @@ -202,8 +202,7 @@ static __always_inline u32 __calc_tpm2_event_size(struct tcg_pcr_event2_head *ev event_type = event->event_type; /* Verify that it's the log header */ - if (event_header->pcr_idx != 0 || - event_header->event_type != NO_ACTION || + if (event_header->event_type != NO_ACTION || memcmp(event_header->digest, zero_digest, sizeof(zero_digest))) { size = 0; goto out; -- 2.7.4

2 months, 1 week

3
2
0 0

[PATCH V4] efi/tpm: Fix the issue where the CC platforms event log header can't be correctly identified

by yangge1116＠126.com

From: Ge Yang <yangge1116(a)126.com> Since commit d228814b1913 ("efi/libstub: Add get_event_log() support for CC platforms") reuses TPM2 support code for the CC platforms, when launching a TDX virtual machine with coco measurement enabled, the following error log is generated: [Firmware Bug]: Failed to parse event in TPM Final Events Log Call Trace: efi_config_parse_tables() efi_tpm_eventlog_init() tpm2_calc_event_log_size() __calc_tpm2_event_size() The pcr_idx value in the Intel TDX log header is 1, causing the function __calc_tpm2_event_size() to fail to recognize the log header, ultimately leading to the "Failed to parse event in TPM Final Events Log" error. According to UEFI Specification 2.10, Section 38.4.1: For TDX, TPM PCR 0 maps to MRTD, so the log header uses TPM PCR 1 instead. To successfully parse the TDX event log header, the check for a pcr_idx value of 0 must be skipped. According to Table 6 in Section 10.2.1 of the TCG PC Client Specification, the index field does not require the PCR index to be fixed at zero. Therefore, skipping the check for a pcr_idx value of 0 for CC platforms is safe. Link: https://uefi.org/specs/UEFI/2.10/38_Confidential_Computing.html#intel-trust… Link: https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05… Fixes: d228814b1913 ("efi/libstub: Add get_event_log() support for CC platforms") Signed-off-by: Ge Yang <yangge1116(a)126.com> Cc: stable(a)vger.kernel.org --- V4: - remove cc_platform_has(CC_ATTR_GUEST_STATE_ENCRYPT) suggested by Ard V3: - fix build error V2: - limit the fix for CC only suggested by Jarkko and Sathyanarayanan drivers/char/tpm/eventlog/tpm2.c | 6 +++++- drivers/firmware/efi/efi.c | 8 ++++++-- drivers/firmware/efi/libstub/tpm.c | 13 +++++++++---- drivers/firmware/efi/tpm.c | 36 ++++++++++++++++++++---------------- include/linux/efi.h | 4 +++- include/linux/tpm_eventlog.h | 14 +++++++++++--- 6 files changed, 54 insertions(+), 27 deletions(-) diff --git a/drivers/char/tpm/eventlog/tpm2.c b/drivers/char/tpm/eventlog/tpm2.c index 37a0580..e9484fd 100644 --- a/drivers/char/tpm/eventlog/tpm2.c +++ b/drivers/char/tpm/eventlog/tpm2.c @@ -36,7 +36,11 @@ static size_t calc_tpm2_event_size(struct tcg_pcr_event2_head *event, struct tcg_pcr_event *event_header) { - return __calc_tpm2_event_size(event, event_header, false); + /* + * This function is only used by TPM2 and will not be used by CC. + * Therefore, the argument is_cc_event is set to 0. + */ + return __calc_tpm2_event_size(event, event_header, false, 0); } static void *tpm2_bios_measurements_start(struct seq_file *m, loff_t *pos) diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index e57bff7..954b8f7 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -45,6 +45,7 @@ struct efi __read_mostly efi = { .esrt = EFI_INVALID_TABLE_ADDR, .tpm_log = EFI_INVALID_TABLE_ADDR, .tpm_final_log = EFI_INVALID_TABLE_ADDR, + .cc_final_log = EFI_INVALID_TABLE_ADDR, #ifdef CONFIG_LOAD_UEFI_KEYS .mokvar_table = EFI_INVALID_TABLE_ADDR, #endif @@ -613,7 +614,7 @@ static const efi_config_table_type_t common_tables[] __initconst = { {LINUX_EFI_RANDOM_SEED_TABLE_GUID, &efi_rng_seed, "RNG" }, {LINUX_EFI_TPM_EVENT_LOG_GUID, &efi.tpm_log, "TPMEventLog" }, {EFI_TCG2_FINAL_EVENTS_TABLE_GUID, &efi.tpm_final_log, "TPMFinalLog" }, - {EFI_CC_FINAL_EVENTS_TABLE_GUID, &efi.tpm_final_log, "CCFinalLog" }, + {EFI_CC_FINAL_EVENTS_TABLE_GUID, &efi.cc_final_log, "CCFinalLog" }, {LINUX_EFI_MEMRESERVE_TABLE_GUID, &mem_reserve, "MEMRESERVE" }, {LINUX_EFI_INITRD_MEDIA_GUID, &initrd, "INITRD" }, {EFI_RT_PROPERTIES_TABLE_GUID, &rt_prop, "RTPROP" }, @@ -752,7 +753,10 @@ int __init efi_config_parse_tables(const efi_config_table_t *config_tables, if (!IS_ENABLED(CONFIG_X86_32) && efi_enabled(EFI_MEMMAP)) efi_memattr_init(); - efi_tpm_eventlog_init(); + if (efi.tpm_final_log != EFI_INVALID_TABLE_ADDR) + efi_tcg2_eventlog_init(&efi.tpm_log, &efi.tpm_final_log, 0); + else if (efi.cc_final_log != EFI_INVALID_TABLE_ADDR) + efi_tcg2_eventlog_init(&efi.tpm_log, &efi.cc_final_log, 1); if (mem_reserve != EFI_INVALID_TABLE_ADDR) { unsigned long prsv = mem_reserve; diff --git a/drivers/firmware/efi/libstub/tpm.c b/drivers/firmware/efi/libstub/tpm.c index a5c6c4f..9728060 100644 --- a/drivers/firmware/efi/libstub/tpm.c +++ b/drivers/firmware/efi/libstub/tpm.c @@ -50,7 +50,8 @@ void efi_enable_reset_attack_mitigation(void) static void efi_retrieve_tcg2_eventlog(int version, efi_physical_addr_t log_location, efi_physical_addr_t log_last_entry, efi_bool_t truncated, - struct efi_tcg2_final_events_table *final_events_table) + struct efi_tcg2_final_events_table *final_events_table, + bool is_cc_event) { efi_guid_t linux_eventlog_guid = LINUX_EFI_TPM_EVENT_LOG_GUID; efi_status_t status; @@ -87,7 +88,8 @@ static void efi_retrieve_tcg2_eventlog(int version, efi_physical_addr_t log_loca last_entry_size = __calc_tpm2_event_size((void *)last_entry_addr, (void *)(long)log_location, - false); + false, + is_cc_event); } else { last_entry_size = sizeof(struct tcpa_event) + ((struct tcpa_event *) last_entry_addr)->event_size; @@ -123,7 +125,8 @@ static void efi_retrieve_tcg2_eventlog(int version, efi_physical_addr_t log_loca header = data + offset + final_events_size; event_size = __calc_tpm2_event_size(header, (void *)(long)log_location, - false); + false, + is_cc_event); /* If calc fails this is a malformed log */ if (!event_size) break; @@ -157,6 +160,7 @@ void efi_retrieve_eventlog(void) efi_tcg2_protocol_t *tpm2 = NULL; efi_bool_t truncated; efi_status_t status; + bool is_cc_event = false; status = efi_bs_call(locate_protocol, &tpm2_guid, NULL, (void **)&tpm2); if (status == EFI_SUCCESS) { @@ -186,11 +190,12 @@ void efi_retrieve_eventlog(void) final_events_table = get_efi_config_table(EFI_CC_FINAL_EVENTS_TABLE_GUID); + is_cc_event = true; } if (status != EFI_SUCCESS || !log_location) return; efi_retrieve_tcg2_eventlog(version, log_location, log_last_entry, - truncated, final_events_table); + truncated, final_events_table, is_cc_event); } diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c index cdd4310..d79291d 100644 --- a/drivers/firmware/efi/tpm.c +++ b/drivers/firmware/efi/tpm.c @@ -16,14 +16,16 @@ int efi_tpm_final_log_size; EXPORT_SYMBOL(efi_tpm_final_log_size); -static int __init tpm2_calc_event_log_size(void *data, int count, void *size_info) +static int __init tpm2_calc_event_log_size(void *data, int count, + void *size_info, bool is_cc_event) { struct tcg_pcr_event2_head *header; u32 event_size, size = 0; while (count > 0) { header = data + size; - event_size = __calc_tpm2_event_size(header, size_info, true); + event_size = __calc_tpm2_event_size(header, size_info, true, + is_cc_event); if (event_size == 0) return -1; size += event_size; @@ -36,7 +38,8 @@ static int __init tpm2_calc_event_log_size(void *data, int count, void *size_inf /* * Reserve the memory associated with the TPM Event Log configuration table. */ -int __init efi_tpm_eventlog_init(void) +int __init efi_tcg2_eventlog_init(unsigned long *log, unsigned long *final_log, + bool is_cc_event) { struct linux_efi_tpm_eventlog *log_tbl; struct efi_tcg2_final_events_table *final_tbl; @@ -44,7 +47,7 @@ int __init efi_tpm_eventlog_init(void) int final_tbl_size; int ret = 0; - if (efi.tpm_log == EFI_INVALID_TABLE_ADDR) { + if (*log == EFI_INVALID_TABLE_ADDR) { /* * We can't calculate the size of the final events without the * first entry in the TPM log, so bail here. @@ -52,23 +55,23 @@ int __init efi_tpm_eventlog_init(void) return 0; } - log_tbl = early_memremap(efi.tpm_log, sizeof(*log_tbl)); + log_tbl = early_memremap(*log, sizeof(*log_tbl)); if (!log_tbl) { pr_err("Failed to map TPM Event Log table @ 0x%lx\n", - efi.tpm_log); - efi.tpm_log = EFI_INVALID_TABLE_ADDR; + *log); + *log = EFI_INVALID_TABLE_ADDR; return -ENOMEM; } tbl_size = sizeof(*log_tbl) + log_tbl->size; - if (memblock_reserve(efi.tpm_log, tbl_size)) { + if (memblock_reserve(*log, tbl_size)) { pr_err("TPM Event Log memblock reserve fails (0x%lx, 0x%x)\n", - efi.tpm_log, tbl_size); + *log, tbl_size); ret = -ENOMEM; goto out; } - if (efi.tpm_final_log == EFI_INVALID_TABLE_ADDR) { + if (*final_log == EFI_INVALID_TABLE_ADDR) { pr_info("TPM Final Events table not present\n"); goto out; } else if (log_tbl->version != EFI_TCG2_EVENT_LOG_FORMAT_TCG_2) { @@ -76,25 +79,26 @@ int __init efi_tpm_eventlog_init(void) goto out; } - final_tbl = early_memremap(efi.tpm_final_log, sizeof(*final_tbl)); + final_tbl = early_memremap(*final_log, sizeof(*final_tbl)); if (!final_tbl) { pr_err("Failed to map TPM Final Event Log table @ 0x%lx\n", - efi.tpm_final_log); - efi.tpm_final_log = EFI_INVALID_TABLE_ADDR; + *final_log); + *final_log = EFI_INVALID_TABLE_ADDR; ret = -ENOMEM; goto out; } final_tbl_size = 0; if (final_tbl->nr_events != 0) { - void *events = (void *)efi.tpm_final_log + void *events = (void *)*final_log + sizeof(final_tbl->version) + sizeof(final_tbl->nr_events); final_tbl_size = tpm2_calc_event_log_size(events, final_tbl->nr_events, - log_tbl->log); + log_tbl->log, + is_cc_event); } if (final_tbl_size < 0) { @@ -103,7 +107,7 @@ int __init efi_tpm_eventlog_init(void) goto out_calc; } - memblock_reserve(efi.tpm_final_log, + memblock_reserve(*final_log, final_tbl_size + sizeof(*final_tbl)); efi_tpm_final_log_size = final_tbl_size; diff --git a/include/linux/efi.h b/include/linux/efi.h index 7d63d1d..71efec0 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -642,6 +642,7 @@ extern struct efi { unsigned long esrt; /* ESRT table */ unsigned long tpm_log; /* TPM2 Event Log table */ unsigned long tpm_final_log; /* TPM2 Final Events Log table */ + unsigned long cc_final_log; /* CC Final Events Log table */ unsigned long mokvar_table; /* MOK variable config table */ unsigned long coco_secret; /* Confidential computing secret table */ unsigned long unaccepted; /* Unaccepted memory table */ @@ -1209,7 +1210,8 @@ struct linux_efi_tpm_eventlog { u8 log[]; }; -extern int efi_tpm_eventlog_init(void); +extern int efi_tcg2_eventlog_init(unsigned long *log, unsigned long *final_log, + bool is_cc_event); struct efi_tcg2_final_events_table { u64 version; diff --git a/include/linux/tpm_eventlog.h b/include/linux/tpm_eventlog.h index 891368e..b3380c9 100644 --- a/include/linux/tpm_eventlog.h +++ b/include/linux/tpm_eventlog.h @@ -143,6 +143,7 @@ struct tcg_algorithm_info { * @event: Pointer to the event whose size should be calculated * @event_header: Pointer to the initial event containing the digest lengths * @do_mapping: Whether or not the event needs to be mapped + * @is_cc_event: Whether or not the event is from a CC platform * * The TPM2 event log format can contain multiple digests corresponding to * separate PCR banks, and also contains a variable length of the data that @@ -159,7 +160,8 @@ struct tcg_algorithm_info { static __always_inline u32 __calc_tpm2_event_size(struct tcg_pcr_event2_head *event, struct tcg_pcr_event *event_header, - bool do_mapping) + bool do_mapping, + bool is_cc_event) { struct tcg_efi_specid_event_head *efispecid; struct tcg_event_field *event_field; @@ -201,8 +203,14 @@ static __always_inline u32 __calc_tpm2_event_size(struct tcg_pcr_event2_head *ev count = event->count; event_type = event->event_type; - /* Verify that it's the log header */ - if (event_header->pcr_idx != 0 || + /* + * Verify that it's the log header. According to the TCG PC Client + * Specification, when identifying a log header, the check for a + * pcr_idx value of 0 is not required. For CC platforms, skipping + * this check during log header is necessary; otherwise, the CC + * platform's log header may fail to be recognized. + */ + if ((!is_cc_event && event_header->pcr_idx != 0) || event_header->event_type != NO_ACTION || memcmp(event_header->digest, zero_digest, sizeof(zero_digest))) { size = 0; -- 2.7.4

2 months, 1 week

4
3
0 0

[PATCH v7 01/12] platform/x86/intel/pmt: fix a crashlog NULL pointer access

by Michael J. Ruhl

Usage of the intel_pmt_read() for binary sysfs, requires a pcidev. The current use of the endpoint value is only valid for telemetry endpoint usage. Without the ep, the crashlog usage causes the following NULL pointer exception: BUG: kernel NULL pointer dereference, address: 0000000000000000 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:intel_pmt_read+0x3b/0x70 [pmt_class] Code: Call Trace: <TASK> ? sysfs_kf_bin_read+0xc0/0xe0 kernfs_fop_read_iter+0xac/0x1a0 vfs_read+0x26d/0x350 ksys_read+0x6b/0xe0 __x64_sys_read+0x1d/0x30 x64_sys_call+0x1bc8/0x1d70 do_syscall_64+0x6d/0x110 Augment struct intel_pmt_entry with a pointer to the pcidev to avoid the NULL pointer exception. Reviewed-by: Tejas Upadhyay <tejas.upadhyay(a)intel.com> Fixes: 045a513040cc ("platform/x86/intel/pmt: Use PMT callbacks") Cc: <stable(a)vger.kernel.org> Signed-off-by: Michael J. Ruhl <michael.j.ruhl(a)intel.com> --- drivers/platform/x86/intel/pmt/class.c | 3 ++- drivers/platform/x86/intel/pmt/class.h | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/platform/x86/intel/pmt/class.c b/drivers/platform/x86/intel/pmt/class.c index 7233b654bbad..d046e8752173 100644 --- a/drivers/platform/x86/intel/pmt/class.c +++ b/drivers/platform/x86/intel/pmt/class.c @@ -97,7 +97,7 @@ intel_pmt_read(struct file *filp, struct kobject *kobj, if (count > entry->size - off) count = entry->size - off; - count = pmt_telem_read_mmio(entry->ep->pcidev, entry->cb, entry->header.guid, buf, + count = pmt_telem_read_mmio(entry->pcidev, entry->cb, entry->header.guid, buf, entry->base, off, count); return count; @@ -252,6 +252,7 @@ static int intel_pmt_populate_entry(struct intel_pmt_entry *entry, return -EINVAL; } + entry->pcidev = pci_dev; entry->guid = header->guid; entry->size = header->size; entry->cb = ivdev->priv_data; diff --git a/drivers/platform/x86/intel/pmt/class.h b/drivers/platform/x86/intel/pmt/class.h index b2006d57779d..f6ce80c4e051 100644 --- a/drivers/platform/x86/intel/pmt/class.h +++ b/drivers/platform/x86/intel/pmt/class.h @@ -39,6 +39,7 @@ struct intel_pmt_header { struct intel_pmt_entry { struct telem_endpoint *ep; + struct pci_dev *pcidev; struct intel_pmt_header header; struct bin_attribute pmt_bin_attr; struct kobject *kobj; -- 2.50.0

2 months, 1 week

2
1
0 0

[PATCH v4] nvmem: imx-ocotp: fix MAC address byte length

by Steffen Bätz

The commit "13bcd440f2ff nvmem: core: verify cell's raw_len" caused an extension of the "mac-address" cell from 6 to 8 bytes due to word_size of 4 bytes. This led to a required byte swap of the full buffer length, which caused truncation of the mac-address when read. Previously, the mac-address was incorrectly truncated from 70:B3:D5:14:E9:0E to 00:00:70:B3:D5:14. Fix the issue by swapping only the first 6 bytes to correctly pass the mac-address to the upper layers. Fixes: 13bcd440f2ff ("nvmem: core: verify cell's raw_len") Cc: stable(a)vger.kernel.org Signed-off-by: Steffen Bätz <steffen(a)innosonix.de> Tested-by: Alexander Stein <alexander.stein(a)ew.tq-group.com> --- v4: - Adopted the commit message wording recommended by Frank.li(a)nxp.com to improve clarity. - Simplified byte count determination by using min() instead of an explicit conditional statement. - Kept the Tested-by tag from the previous patch as the change remains trivial but tested. v3: - replace magic number 6 with ETH_ALEN - Fix misleading indentation and properly group 'mac-address' statements v2: - Add Cc: stable(a)vger.kernel.org as requested by Greg KH's patch bot drivers/nvmem/imx-ocotp-ele.c | 5 ++++- drivers/nvmem/imx-ocotp.c | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/nvmem/imx-ocotp-ele.c b/drivers/nvmem/imx-ocotp-ele.c index ca6dd71d8a2e..7807ec0e2d18 100644 --- a/drivers/nvmem/imx-ocotp-ele.c +++ b/drivers/nvmem/imx-ocotp-ele.c @@ -12,6 +12,7 @@ #include <linux/of.h> #include <linux/platform_device.h> #include <linux/slab.h> +#include <linux/if_ether.h> /* ETH_ALEN */ enum fuse_type { FUSE_FSB = BIT(0), @@ -118,9 +119,11 @@ static int imx_ocotp_cell_pp(void *context, const char *id, int index, int i; /* Deal with some post processing of nvmem cell data */ - if (id && !strcmp(id, "mac-address")) + if (id && !strcmp(id, "mac-address")) { + bytes = min(bytes, ETH_ALEN); for (i = 0; i < bytes / 2; i++) swap(buf[i], buf[bytes - i - 1]); + } return 0; } diff --git a/drivers/nvmem/imx-ocotp.c b/drivers/nvmem/imx-ocotp.c index 79dd4fda0329..7bf7656d4f96 100644 --- a/drivers/nvmem/imx-ocotp.c +++ b/drivers/nvmem/imx-ocotp.c @@ -23,6 +23,7 @@ #include <linux/platform_device.h> #include <linux/slab.h> #include <linux/delay.h> +#include <linux/if_ether.h> /* ETH_ALEN */ #define IMX_OCOTP_OFFSET_B0W0 0x400 /* Offset from base address of the * OTP Bank0 Word0 @@ -227,9 +228,11 @@ static int imx_ocotp_cell_pp(void *context, const char *id, int index, int i; /* Deal with some post processing of nvmem cell data */ - if (id && !strcmp(id, "mac-address")) + if (id && !strcmp(id, "mac-address")) { + bytes = min(bytes, ETH_ALEN); for (i = 0; i < bytes / 2; i++) swap(buf[i], buf[bytes - i - 1]); + } return 0; } -- 2.43.0 -- *innosonix GmbH* Hauptstr. 35 96482 Ahorn central: +49 9561 7459980 www.innosonix.de <http://www.innosonix.de> innosonix GmbH Geschäftsführer: Markus Bätz, Steffen Bätz USt.-IdNr / VAT-Nr.: DE266020313 EORI-Nr.: DE240121536680271 HRB 5192 Coburg WEEE-Reg.-Nr. DE88021242

2 months, 1 week

2
1
0 0

[PATCH] Revert "leds: trigger: netdev: Configure LED blink interval for HW offload"

by Daniel Golle

This reverts commit c629c972b310af41e9e072febb6dae9a299edde6. Fixes: c629c972b310a ("leds: trigger: netdev: Configure LED blink interval for HW offload") Suggested-by: Andrew Lunn <andrew(a)lunn.ch> Cc: stable(a)vger.kernel.org Signed-off-by: Daniel Golle <daniel(a)makrotopia.org> --- drivers/leds/trigger/ledtrig-netdev.c | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-) diff --git a/drivers/leds/trigger/ledtrig-netdev.c b/drivers/leds/trigger/ledtrig-netdev.c index 4e048e08c4fde..c15efe3e50780 100644 --- a/drivers/leds/trigger/ledtrig-netdev.c +++ b/drivers/leds/trigger/ledtrig-netdev.c @@ -68,7 +68,6 @@ struct led_netdev_data { unsigned int last_activity; unsigned long mode; - unsigned long blink_delay; int link_speed; __ETHTOOL_DECLARE_LINK_MODE_MASK(supported_link_modes); u8 duplex; @@ -87,10 +86,6 @@ static void set_baseline_state(struct led_netdev_data *trigger_data) /* Already validated, hw control is possible with the requested mode */ if (trigger_data->hw_control) { led_cdev->hw_control_set(led_cdev, trigger_data->mode); - if (led_cdev->blink_set) { - led_cdev->blink_set(led_cdev, &trigger_data->blink_delay, - &trigger_data->blink_delay); - } return; } @@ -459,11 +454,10 @@ static ssize_t interval_store(struct device *dev, size_t size) { struct led_netdev_data *trigger_data = led_trigger_get_drvdata(dev); - struct led_classdev *led_cdev = trigger_data->led_cdev; unsigned long value; int ret; - if (trigger_data->hw_control && !led_cdev->blink_set) + if (trigger_data->hw_control) return -EINVAL; ret = kstrtoul(buf, 0, &value); @@ -472,13 +466,9 @@ static ssize_t interval_store(struct device *dev, /* impose some basic bounds on the timer interval */ if (value >= 5 && value <= 10000) { - if (trigger_data->hw_control) { - trigger_data->blink_delay = value; - } else { - cancel_delayed_work_sync(&trigger_data->work); + cancel_delayed_work_sync(&trigger_data->work); - atomic_set(&trigger_data->interval, msecs_to_jiffies(value)); - } + atomic_set(&trigger_data->interval, msecs_to_jiffies(value)); set_baseline_state(trigger_data); /* resets timer */ } -- 2.50.0

2 months, 1 week

2
1
0 0

[PATCH 2/2] netfs: Fix race between cache write completion and ALL_QUEUED being set

by David Howells

When netfslib is issuing subrequests, the subrequests start processing immediately and may complete before we reach the end of the issuing function. At the end of the issuing function we set NETFS_RREQ_ALL_QUEUED to indicate to the collector that we aren't going to issue any more subreqs and that it can do the final notifications and cleanup. Now, this isn't a problem if the request is synchronous (NETFS_RREQ_OFFLOAD_COLLECTION is unset) as the result collection will be done in-thread and we're guaranteed an opportunity to run the collector. However, if the request is asynchronous, collection is primarily triggered by the termination of subrequests queuing it on a workqueue. Now, a race can occur here if the app thread sets ALL_QUEUED after the last subrequest terminates. This can happen most easily with the copy2cache code (as used by Ceph) where, in the collection routine of a read request, an asynchronous write request is spawned to copy data to the cache. Folios are added to the write request as they're unlocked, but there may be a delay before ALL_QUEUED is set as the write subrequests may complete before we get there. If all the write subreqs have finished by the ALL_QUEUED point, no further events happen and the collection never happens, leaving the request hanging. Fix this by queuing the collector after setting ALL_QUEUED. This is a bit heavy-handed and it may be sufficient to do it only if there are no extant subreqs. Also add a tracepoint to cross-reference both requests in a copy-to-request operation and add a trace to the netfs_rreq tracepoint to indicate the setting of ALL_QUEUED. Fixes: e2d46f2ec332 ("netfs: Change the read result collector to only use one work item") Reported-by: Max Kellermann <max.kellermann(a)ionos.com> Link: https://lore.kernel.org/r/CAKPOu+8z_ijTLHdiCYGU_Uk7yYD=shxyGLwfe-L7AV3DhebS… Signed-off-by: David Howells <dhowells(a)redhat.com> cc: Paulo Alcantara <pc(a)manguebit.org> cc: Viacheslav Dubeyko <slava(a)dubeyko.com> cc: Alex Markuze <amarkuze(a)redhat.com> cc: Ilya Dryomov <idryomov(a)gmail.com> cc: netfs(a)lists.linux.dev cc: ceph-devel(a)vger.kernel.org cc: linux-fsdevel(a)vger.kernel.org cc: stable(a)vger.kernel.org --- fs/netfs/read_pgpriv2.c | 4 ++++ include/trace/events/netfs.h | 30 ++++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+) diff --git a/fs/netfs/read_pgpriv2.c b/fs/netfs/read_pgpriv2.c index 080d2a6a51d9..8097bc069c1d 100644 --- a/fs/netfs/read_pgpriv2.c +++ b/fs/netfs/read_pgpriv2.c @@ -111,6 +111,7 @@ static struct netfs_io_request *netfs_pgpriv2_begin_copy_to_cache( goto cancel_put; __set_bit(NETFS_RREQ_OFFLOAD_COLLECTION, &creq->flags); + trace_netfs_copy2cache(rreq, creq); trace_netfs_write(creq, netfs_write_trace_copy_to_cache); netfs_stat(&netfs_n_wh_copy_to_cache); rreq->copy_to_cache = creq; @@ -155,6 +156,9 @@ void netfs_pgpriv2_end_copy_to_cache(struct netfs_io_request *rreq) netfs_issue_write(creq, &creq->io_streams[1]); smp_wmb(); /* Write lists before ALL_QUEUED. */ set_bit(NETFS_RREQ_ALL_QUEUED, &creq->flags); + trace_netfs_rreq(rreq, netfs_rreq_trace_end_copy_to_cache); + if (list_empty_careful(&creq->io_streams[1].subrequests)) + netfs_wake_collector(creq); netfs_put_request(creq, netfs_rreq_trace_put_return); creq->copy_to_cache = NULL; diff --git a/include/trace/events/netfs.h b/include/trace/events/netfs.h index 73e96ccbe830..64a382fbc31a 100644 --- a/include/trace/events/netfs.h +++ b/include/trace/events/netfs.h @@ -55,6 +55,7 @@ EM(netfs_rreq_trace_copy, "COPY ") \ EM(netfs_rreq_trace_dirty, "DIRTY ") \ EM(netfs_rreq_trace_done, "DONE ") \ + EM(netfs_rreq_trace_end_copy_to_cache, "END-C2C") \ EM(netfs_rreq_trace_free, "FREE ") \ EM(netfs_rreq_trace_ki_complete, "KI-CMPL") \ EM(netfs_rreq_trace_recollect, "RECLLCT") \ @@ -559,6 +560,35 @@ TRACE_EVENT(netfs_write, __entry->start, __entry->start + __entry->len - 1) ); +TRACE_EVENT(netfs_copy2cache, + TP_PROTO(const struct netfs_io_request *rreq, + const struct netfs_io_request *creq), + + TP_ARGS(rreq, creq), + + TP_STRUCT__entry( + __field(unsigned int, rreq) + __field(unsigned int, creq) + __field(unsigned int, cookie) + __field(unsigned int, ino) + ), + + TP_fast_assign( + struct netfs_inode *__ctx = netfs_inode(rreq->inode); + struct fscache_cookie *__cookie = netfs_i_cookie(__ctx); + __entry->rreq = rreq->debug_id; + __entry->creq = creq->debug_id; + __entry->cookie = __cookie ? __cookie->debug_id : 0; + __entry->ino = rreq->inode->i_ino; + ), + + TP_printk("R=%08x CR=%08x c=%08x i=%x ", + __entry->rreq, + __entry->creq, + __entry->cookie, + __entry->ino) + ); + TRACE_EVENT(netfs_collect, TP_PROTO(const struct netfs_io_request *wreq),

2 months, 1 week

1
0
0 0

[PATCH V3] efi/tpm: Fix the issue where the CC platforms event log header can't be correctly identified

by yangge1116＠126.com

From: Ge Yang <yangge1116(a)126.com> Since commit d228814b1913 ("efi/libstub: Add get_event_log() support for CC platforms") reuses TPM2 support code for the CC platforms, when launching a TDX virtual machine with coco measurement enabled, the following error log is generated: [Firmware Bug]: Failed to parse event in TPM Final Events Log Call Trace: efi_config_parse_tables() efi_tpm_eventlog_init() tpm2_calc_event_log_size() __calc_tpm2_event_size() The pcr_idx value in the Intel TDX log header is 1, causing the function __calc_tpm2_event_size() to fail to recognize the log header, ultimately leading to the "Failed to parse event in TPM Final Events Log" error. According to UEFI Specification 2.10, Section 38.4.1: For TDX, TPM PCR 0 maps to MRTD, so the log header uses TPM PCR 1 instead. To successfully parse the TDX event log header, the check for a pcr_idx value of 0 must be skipped. According to Table 6 in Section 10.2.1 of the TCG PC Client Specification, the index field does not require the PCR index to be fixed at zero. Therefore, skipping the check for a pcr_idx value of 0 for CC platforms is safe. Link: https://uefi.org/specs/UEFI/2.10/38_Confidential_Computing.html#intel-trust… Link: https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05… Fixes: d228814b1913 ("efi/libstub: Add get_event_log() support for CC platforms") Signed-off-by: Ge Yang <yangge1116(a)126.com> Cc: stable(a)vger.kernel.org --- V3: - fix build error V2: - limit the fix for CC only suggested by Jarkko and Sathyanarayanan drivers/char/tpm/eventlog/tpm2.c | 4 +++- drivers/firmware/efi/libstub/tpm.c | 13 +++++++++---- drivers/firmware/efi/tpm.c | 4 +++- include/linux/tpm_eventlog.h | 14 +++++++++++--- 4 files changed, 26 insertions(+), 9 deletions(-) diff --git a/drivers/char/tpm/eventlog/tpm2.c b/drivers/char/tpm/eventlog/tpm2.c index 37a0580..30ef47c 100644 --- a/drivers/char/tpm/eventlog/tpm2.c +++ b/drivers/char/tpm/eventlog/tpm2.c @@ -18,6 +18,7 @@ #include <linux/module.h> #include <linux/slab.h> #include <linux/tpm_eventlog.h> +#include <linux/cc_platform.h> #include "../tpm.h" #include "common.h" @@ -36,7 +37,8 @@ static size_t calc_tpm2_event_size(struct tcg_pcr_event2_head *event, struct tcg_pcr_event *event_header) { - return __calc_tpm2_event_size(event, event_header, false); + return __calc_tpm2_event_size(event, event_header, false, + cc_platform_has(CC_ATTR_GUEST_STATE_ENCRYPT)); } static void *tpm2_bios_measurements_start(struct seq_file *m, loff_t *pos) diff --git a/drivers/firmware/efi/libstub/tpm.c b/drivers/firmware/efi/libstub/tpm.c index a5c6c4f..9728060 100644 --- a/drivers/firmware/efi/libstub/tpm.c +++ b/drivers/firmware/efi/libstub/tpm.c @@ -50,7 +50,8 @@ void efi_enable_reset_attack_mitigation(void) static void efi_retrieve_tcg2_eventlog(int version, efi_physical_addr_t log_location, efi_physical_addr_t log_last_entry, efi_bool_t truncated, - struct efi_tcg2_final_events_table *final_events_table) + struct efi_tcg2_final_events_table *final_events_table, + bool is_cc_event) { efi_guid_t linux_eventlog_guid = LINUX_EFI_TPM_EVENT_LOG_GUID; efi_status_t status; @@ -87,7 +88,8 @@ static void efi_retrieve_tcg2_eventlog(int version, efi_physical_addr_t log_loca last_entry_size = __calc_tpm2_event_size((void *)last_entry_addr, (void *)(long)log_location, - false); + false, + is_cc_event); } else { last_entry_size = sizeof(struct tcpa_event) + ((struct tcpa_event *) last_entry_addr)->event_size; @@ -123,7 +125,8 @@ static void efi_retrieve_tcg2_eventlog(int version, efi_physical_addr_t log_loca header = data + offset + final_events_size; event_size = __calc_tpm2_event_size(header, (void *)(long)log_location, - false); + false, + is_cc_event); /* If calc fails this is a malformed log */ if (!event_size) break; @@ -157,6 +160,7 @@ void efi_retrieve_eventlog(void) efi_tcg2_protocol_t *tpm2 = NULL; efi_bool_t truncated; efi_status_t status; + bool is_cc_event = false; status = efi_bs_call(locate_protocol, &tpm2_guid, NULL, (void **)&tpm2); if (status == EFI_SUCCESS) { @@ -186,11 +190,12 @@ void efi_retrieve_eventlog(void) final_events_table = get_efi_config_table(EFI_CC_FINAL_EVENTS_TABLE_GUID); + is_cc_event = true; } if (status != EFI_SUCCESS || !log_location) return; efi_retrieve_tcg2_eventlog(version, log_location, log_last_entry, - truncated, final_events_table); + truncated, final_events_table, is_cc_event); } diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c index cdd4310..ca8535d 100644 --- a/drivers/firmware/efi/tpm.c +++ b/drivers/firmware/efi/tpm.c @@ -12,6 +12,7 @@ #include <linux/init.h> #include <linux/memblock.h> #include <linux/tpm_eventlog.h> +#include <linux/cc_platform.h> int efi_tpm_final_log_size; EXPORT_SYMBOL(efi_tpm_final_log_size); @@ -23,7 +24,8 @@ static int __init tpm2_calc_event_log_size(void *data, int count, void *size_inf while (count > 0) { header = data + size; - event_size = __calc_tpm2_event_size(header, size_info, true); + event_size = __calc_tpm2_event_size(header, size_info, true, + cc_platform_has(CC_ATTR_GUEST_STATE_ENCRYPT)); if (event_size == 0) return -1; size += event_size; diff --git a/include/linux/tpm_eventlog.h b/include/linux/tpm_eventlog.h index 891368e..b3380c9 100644 --- a/include/linux/tpm_eventlog.h +++ b/include/linux/tpm_eventlog.h @@ -143,6 +143,7 @@ struct tcg_algorithm_info { * @event: Pointer to the event whose size should be calculated * @event_header: Pointer to the initial event containing the digest lengths * @do_mapping: Whether or not the event needs to be mapped + * @is_cc_event: Whether or not the event is from a CC platform * * The TPM2 event log format can contain multiple digests corresponding to * separate PCR banks, and also contains a variable length of the data that @@ -159,7 +160,8 @@ struct tcg_algorithm_info { static __always_inline u32 __calc_tpm2_event_size(struct tcg_pcr_event2_head *event, struct tcg_pcr_event *event_header, - bool do_mapping) + bool do_mapping, + bool is_cc_event) { struct tcg_efi_specid_event_head *efispecid; struct tcg_event_field *event_field; @@ -201,8 +203,14 @@ static __always_inline u32 __calc_tpm2_event_size(struct tcg_pcr_event2_head *ev count = event->count; event_type = event->event_type; - /* Verify that it's the log header */ - if (event_header->pcr_idx != 0 || + /* + * Verify that it's the log header. According to the TCG PC Client + * Specification, when identifying a log header, the check for a + * pcr_idx value of 0 is not required. For CC platforms, skipping + * this check during log header is necessary; otherwise, the CC + * platform's log header may fail to be recognized. + */ + if ((!is_cc_event && event_header->pcr_idx != 0) || event_header->event_type != NO_ACTION || memcmp(event_header->digest, zero_digest, sizeof(zero_digest))) { size = 0; -- 2.7.4

2 months, 1 week

4
5
0 0

[PATCH 2/2] nvmem: imx: Swap only the first 6 bytes of the MAC address

by Christian Eggers

Since commit 55d4980ce55b ("nvmem: core: support specifying both: cell raw data & post read lengths"), the aligned length (e.g. '8' instead of '6') is passed to the read_post_process callback. This causes that the 2 bytes following the MAC address in the ocotp are swapped to the beginning of the address. As a result, an invalid MAC address is returned and to make it even worse, this address can be equal on boards with the same OUI vendor prefix. Fixes: 55d4980ce55b ("nvmem: core: support specifying both: cell raw data & post read lengths") Signed-off-by: Christian Eggers <ceggers(a)arri.de> Cc: stable(a)vger.kernel.org --- Tested on i.MX6ULL, but I assume that this is also required for. imx-ocotp-ele.c (i.MX93). drivers/nvmem/imx-ocotp-ele.c | 5 +++-- drivers/nvmem/imx-ocotp.c | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/nvmem/imx-ocotp-ele.c b/drivers/nvmem/imx-ocotp-ele.c index 83617665c8d7..07830785ebf1 100644 --- a/drivers/nvmem/imx-ocotp-ele.c +++ b/drivers/nvmem/imx-ocotp-ele.c @@ -6,6 +6,7 @@ */ #include <linux/device.h> +#include <linux/if_ether.h> #include <linux/io.h> #include <linux/module.h> #include <linux/nvmem-provider.h> @@ -119,8 +120,8 @@ static int imx_ocotp_cell_pp(void *context, const char *id, int index, /* Deal with some post processing of nvmem cell data */ if (id && !strcmp(id, "mac-address")) - for (i = 0; i < bytes / 2; i++) - swap(buf[i], buf[bytes - i - 1]); + for (i = 0; i < ETH_ALEN / 2; i++) + swap(buf[i], buf[ETH_ALEN - i - 1]); return 0; } diff --git a/drivers/nvmem/imx-ocotp.c b/drivers/nvmem/imx-ocotp.c index 22cc77908018..4dd3b0f94de2 100644 --- a/drivers/nvmem/imx-ocotp.c +++ b/drivers/nvmem/imx-ocotp.c @@ -16,6 +16,7 @@ #include <linux/clk.h> #include <linux/device.h> +#include <linux/if_ether.h> #include <linux/io.h> #include <linux/module.h> #include <linux/nvmem-provider.h> @@ -228,8 +229,8 @@ static int imx_ocotp_cell_pp(void *context, const char *id, int index, /* Deal with some post processing of nvmem cell data */ if (id && !strcmp(id, "mac-address")) - for (i = 0; i < bytes / 2; i++) - swap(buf[i], buf[bytes - i - 1]); + for (i = 0; i < ETH_ALEN / 2; i++) + swap(buf[i], buf[ETH_ALEN - i - 1]); return 0; } -- 2.43.0

2 months, 1 week

2
2
0 0

[PATCH 1/2] nvmem: imx: assign nvmem_cell_info::raw_len

by Christian Eggers

Avoid getting error messages at startup like the following on i.MX6ULL: nvmem imx-ocotp0: cell mac-addr raw len 6 unaligned to nvmem word size 4 nvmem imx-ocotp0: cell mac-addr raw len 6 unaligned to nvmem word size 4 This shouldn't cause any functional change as this alignment would otherwise be done in nvmem_cell_info_to_nvmem_cell_entry_nodup(). Fixes: 4327479e559c ("nvmem: core: verify cell's raw_len") Signed-off-by: Christian Eggers <ceggers(a)arri.de> Cc: stable(a)vger.kernel.org --- Tested on i.MX6ULL, but I assume that this is also required for imx-ocotp-ele.c (i.MX93). drivers/nvmem/imx-ocotp-ele.c | 1 + drivers/nvmem/imx-ocotp.c | 1 + 2 files changed, 2 insertions(+) diff --git a/drivers/nvmem/imx-ocotp-ele.c b/drivers/nvmem/imx-ocotp-ele.c index ca6dd71d8a2e..83617665c8d7 100644 --- a/drivers/nvmem/imx-ocotp-ele.c +++ b/drivers/nvmem/imx-ocotp-ele.c @@ -128,6 +128,7 @@ static int imx_ocotp_cell_pp(void *context, const char *id, int index, static void imx_ocotp_fixup_dt_cell_info(struct nvmem_device *nvmem, struct nvmem_cell_info *cell) { + cell->raw_len = round_up(cell->bytes, 4); cell->read_post_process = imx_ocotp_cell_pp; } diff --git a/drivers/nvmem/imx-ocotp.c b/drivers/nvmem/imx-ocotp.c index 79dd4fda0329..22cc77908018 100644 --- a/drivers/nvmem/imx-ocotp.c +++ b/drivers/nvmem/imx-ocotp.c @@ -586,6 +586,7 @@ MODULE_DEVICE_TABLE(of, imx_ocotp_dt_ids); static void imx_ocotp_fixup_dt_cell_info(struct nvmem_device *nvmem, struct nvmem_cell_info *cell) { + cell->raw_len = round_up(cell->bytes, 4); cell->read_post_process = imx_ocotp_cell_pp; } -- 2.43.0

2 months, 1 week

1
0
0 0

[PATCH] isofs: Verify inode mode when loading from disk

by Jan Kara

Verify that the inode mode is sane when loading it from the disk to avoid complaints from VFS about setting up invalid inodes. Reported-by: syzbot+895c23f6917da440ed0d(a)syzkaller.appspotmail.com CC: stable(a)vger.kernel.org Signed-off-by: Jan Kara <jack(a)suse.cz> --- fs/isofs/inode.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) I plan to merge this fix through my tree. diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c index d5da9817df9b..33e6a620c103 100644 --- a/fs/isofs/inode.c +++ b/fs/isofs/inode.c @@ -1440,9 +1440,16 @@ static int isofs_read_inode(struct inode *inode, int relocated) inode->i_op = &page_symlink_inode_operations; inode_nohighmem(inode); inode->i_data.a_ops = &isofs_symlink_aops; - } else + } else if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode) || + S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) { /* XXX - parse_rock_ridge_inode() had already set i_rdev. */ init_special_inode(inode, inode->i_mode, inode->i_rdev); + } else { + printk(KERN_DEBUG "ISOFS: Invalid file type 0%04o for inode %lu.\n", + inode->i_mode, inode->i_ino); + ret = -EIO; + goto fail; + } ret = 0; out: -- 2.43.0

2 months, 1 week

2
3
0 0

[PATCH v1 1/1] Documentation: ACPI: Fix parent device references

by Andy Shevchenko

The _CRS resources in many cases want to have ResourceSource field to be a type of ACPI String. This means that to compile properly we need to enclosure the name path into double quotes. This will in practice defer the interpretation to a run-time stage, However, this may be interpreted differently on different OSes and ACPI interpreter implementations. In particular ACPICA might not correctly recognize the leading '^' (caret) character and will not resolve the relative name path properly. On top of that, this piece may be used in SSDTs which are loaded after the DSDT and on itself may also not resolve relative name paths outside of their own scopes. With this all said, fix documentation to use fully-qualified name paths always to avoid any misinterpretations, which is proven to work. Fixes: 8eb5c87a92c0 ("i2c: add ACPI support for I2C mux ports") Reported-by: Yevhen Kondrashyn <e.kondrashyn(a)gmail.com> Cc: stable(a)vger.kernel.org Signed-off-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> --- Rafael, I prefer, if no objections, to push this as v6.16-rc6 material since the reported issue was detected on old (v5.10.y) and still LTS kernel. Would be nice for people to not trap to it in older kernels. Documentation/firmware-guide/acpi/i2c-muxes.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Documentation/firmware-guide/acpi/i2c-muxes.rst b/Documentation/firmware-guide/acpi/i2c-muxes.rst index 3a8997ccd7c4..f366539acd79 100644 --- a/Documentation/firmware-guide/acpi/i2c-muxes.rst +++ b/Documentation/firmware-guide/acpi/i2c-muxes.rst @@ -14,7 +14,7 @@ Consider this topology:: | | | 0x70 |--CH01--> i2c client B (0x50) +------+ +------+ -which corresponds to the following ASL:: +which corresponds to the following ASL (in the scope of \_SB):: Device (SMB1) { @@ -24,7 +24,7 @@ which corresponds to the following ASL:: Name (_HID, ...) Name (_CRS, ResourceTemplate () { I2cSerialBus (0x70, ControllerInitiated, I2C_SPEED, - AddressingMode7Bit, "^SMB1", 0x00, + AddressingMode7Bit, "\\_SB.SMB1", 0x00, ResourceConsumer,,) } @@ -37,7 +37,7 @@ which corresponds to the following ASL:: Name (_HID, ...) Name (_CRS, ResourceTemplate () { I2cSerialBus (0x50, ControllerInitiated, I2C_SPEED, - AddressingMode7Bit, "^CH00", 0x00, + AddressingMode7Bit, "\\_SB.SMB1.CH00", 0x00, ResourceConsumer,,) } } @@ -52,7 +52,7 @@ which corresponds to the following ASL:: Name (_HID, ...) Name (_CRS, ResourceTemplate () { I2cSerialBus (0x50, ControllerInitiated, I2C_SPEED, - AddressingMode7Bit, "^CH01", 0x00, + AddressingMode7Bit, "\\_SB.SMB1.CH01", 0x00, ResourceConsumer,,) } } -- 2.47.2

2 months, 1 week

2
1
0 0

[PATCH 1/7] arm64: dts: imx8mm-venice-gw700x: Increase HS400 USDHC clock speed

by Tim Harvey

The IMX8M reference manuals indicate in the USDHC Clock generator section that the clock rate for DDR is 1/2 the input clock therefore HS400 rates clocked at 200Mhz require a 400Mhz SDHC clock. This showed about a 1.5x improvement in read performance for the eMMC's used on the various imx8m{m,n,p}-venice boards. Fixes: 6f30b27c5ef5 ("arm64: dts: imx8mm: Add Gateworks i.MX 8M Mini Development Kits") Signed-off-by: Tim Harvey <tharvey(a)gateworks.com> --- arch/arm64/boot/dts/freescale/imx8mm-venice-gw700x.dtsi | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/arm64/boot/dts/freescale/imx8mm-venice-gw700x.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-venice-gw700x.dtsi index 5a3b1142ddf4..37db4f0dd505 100644 --- a/arch/arm64/boot/dts/freescale/imx8mm-venice-gw700x.dtsi +++ b/arch/arm64/boot/dts/freescale/imx8mm-venice-gw700x.dtsi @@ -418,6 +418,8 @@ &usdhc3 { pinctrl-0 = <&pinctrl_usdhc3>; pinctrl-1 = <&pinctrl_usdhc3_100mhz>; pinctrl-2 = <&pinctrl_usdhc3_200mhz>; + assigned-clocks = <&clk IMX8MM_CLK_USDHC3>; + assigned-clock-rates = <400000000>; bus-width = <8>; non-removable; status = "okay"; -- 2.25.1

2 months, 1 week

3
8
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror