- Linux-stable-mirror - lists.linaro.org

[PATCH 0/8] media: uvcvideo: Add support for V4L2_CID_CAMERA_SENSOR_ORIENTATION

by Ricardo Ribalda

The ACPI has ways to annotate the location of a USB device. Wire that annotation to a v4l2 control. To support all possible devices, add a way to annotate USB devices on DT as well. The original binding discussion happened here: https://lore.kernel.org/linux-devicetree/20241212-usb-orientation-v1-1-0b69… This set includes a couple of patches that are "under review" but conflict. Signed-off-by: Ricardo Ribalda <ribalda(a)chromium.org> --- Ricardo Ribalda (8): media: uvcvideo: Fix deferred probing error media: uvcvideo: Use dev_err_probe for devm_gpiod_get_optional media: v4l: fwnode: Support acpi devices for v4l2_fwnode_device_parse media: ipu-bridge: Use v4l2_fwnode_device_parse helper dt-bindings: usb: usb-device: Add orientation media: uvcvideo: Factor out gpio functions to its own file media: uvcvideo: Add support for V4L2_CID_CAMERA_ORIENTATION media: uvcvideo: Do not create MC entities for virtual entities .../devicetree/bindings/usb/usb-device.yaml | 5 + drivers/media/pci/intel/ipu-bridge.c | 32 +---- drivers/media/usb/uvc/Makefile | 3 +- drivers/media/usb/uvc/uvc_ctrl.c | 21 +++ drivers/media/usb/uvc/uvc_driver.c | 159 +++++---------------- drivers/media/usb/uvc/uvc_entity.c | 11 ++ drivers/media/usb/uvc/uvc_fwnode.c | 73 ++++++++++ drivers/media/usb/uvc/uvc_gpio.c | 123 ++++++++++++++++ drivers/media/usb/uvc/uvcvideo.h | 21 +++ drivers/media/v4l2-core/v4l2-fwnode.c | 58 +++++++- include/linux/usb/uvc.h | 3 + 11 files changed, 349 insertions(+), 160 deletions(-) --- base-commit: 4e82c87058f45e79eeaa4d5bcc3b38dd3dce7209 change-id: 20250403-uvc-orientation-5f7f19da5adb Best regards, -- Ricardo Ribalda <ribalda(a)chromium.org>

2 months, 2 weeks

1
1
0 0

[PATCH AUTOSEL 6.13 01/37] drm: allow encoder mode_set even when connectors change for crtc

by Sasha Levin

From: Abhinav Kumar <quic_abhinavk(a)quicinc.com> [ Upstream commit 7e182cb4f5567f53417b762ec0d679f0b6f0039d ] In certain use-cases, a CRTC could switch between two encoders and because the mode being programmed on the CRTC remains the same during this switch, the CRTC's mode_changed remains false. In such cases, the encoder's mode_set also gets skipped. Skipping mode_set on the encoder for such cases could cause an issue because even though the same CRTC mode was being used, the encoder type could have changed like the CRTC could have switched from a real time encoder to a writeback encoder OR vice-versa. Allow encoder's mode_set to happen even when connectors changed on a CRTC and not just when the mode changed. Signed-off-by: Abhinav Kumar <quic_abhinavk(a)quicinc.com> Signed-off-by: Jessica Zhang <quic_jesszhan(a)quicinc.com> Reviewed-by: Maxime Ripard <mripard(a)kernel.org> Link: https://patchwork.freedesktop.org/patch/msgid/20241211-abhinavk-modeset-fix… Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/gpu/drm/drm_atomic_helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c index 5186d2114a503..32902f77f00dd 100644 --- a/drivers/gpu/drm/drm_atomic_helper.c +++ b/drivers/gpu/drm/drm_atomic_helper.c @@ -1376,7 +1376,7 @@ crtc_set_mode(struct drm_device *dev, struct drm_atomic_state *old_state) mode = &new_crtc_state->mode; adjusted_mode = &new_crtc_state->adjusted_mode; - if (!new_crtc_state->mode_changed) + if (!new_crtc_state->mode_changed && !new_crtc_state->connectors_changed) continue; drm_dbg_atomic(dev, "modeset on [ENCODER:%d:%s]\n", -- 2.39.5

2 months, 2 weeks

1
35
0 0

[PATCH AUTOSEL 6.14 01/44] drm: allow encoder mode_set even when connectors change for crtc

by Sasha Levin

From: Abhinav Kumar <quic_abhinavk(a)quicinc.com> [ Upstream commit 7e182cb4f5567f53417b762ec0d679f0b6f0039d ] In certain use-cases, a CRTC could switch between two encoders and because the mode being programmed on the CRTC remains the same during this switch, the CRTC's mode_changed remains false. In such cases, the encoder's mode_set also gets skipped. Skipping mode_set on the encoder for such cases could cause an issue because even though the same CRTC mode was being used, the encoder type could have changed like the CRTC could have switched from a real time encoder to a writeback encoder OR vice-versa. Allow encoder's mode_set to happen even when connectors changed on a CRTC and not just when the mode changed. Signed-off-by: Abhinav Kumar <quic_abhinavk(a)quicinc.com> Signed-off-by: Jessica Zhang <quic_jesszhan(a)quicinc.com> Reviewed-by: Maxime Ripard <mripard(a)kernel.org> Link: https://patchwork.freedesktop.org/patch/msgid/20241211-abhinavk-modeset-fix… Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/gpu/drm/drm_atomic_helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c index 5186d2114a503..32902f77f00dd 100644 --- a/drivers/gpu/drm/drm_atomic_helper.c +++ b/drivers/gpu/drm/drm_atomic_helper.c @@ -1376,7 +1376,7 @@ crtc_set_mode(struct drm_device *dev, struct drm_atomic_state *old_state) mode = &new_crtc_state->mode; adjusted_mode = &new_crtc_state->adjusted_mode; - if (!new_crtc_state->mode_changed) + if (!new_crtc_state->mode_changed && !new_crtc_state->connectors_changed) continue; drm_dbg_atomic(dev, "modeset on [ENCODER:%d:%s]\n", -- 2.39.5

2 months, 2 weeks

1
43
0 0

[PATCH v1 net] net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.

by Kuniyuki Iwashima

When I ran the repro [0] and waited a few seconds, I observed two LOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1] Reproduction Steps: 1) Mount CIFS 2) Add an iptables rule to drop incoming FIN packets for CIFS 3) Unmount CIFS 4) Unload the CIFS module 5) Remove the iptables rule At step 3), the CIFS module calls sock_release() for the underlying TCP socket, and it returns quickly. However, the socket remains in FIN_WAIT_1 because incoming FIN packets are dropped. At this point, the module's refcnt is 0 while the socket is still alive, so the following rmmod command succeeds. # ss -tan State Recv-Q Send-Q Local Address:Port Peer Address:Port FIN-WAIT-1 0 477 10.0.2.15:51062 10.0.0.137:445 # lsmod | grep cifs cifs 1159168 0 This highlights a discrepancy between the lifetime of the CIFS module and the underlying TCP socket. Even after CIFS calls sock_release() and it returns, the TCP socket does not immediately die to close the connection gracefully. While this is generally fine, it causes an issue with LOCKDEP because CIFS assigns a different lock class to the TCP socket's sk->sk_lock using sock_lock_init_class_and_name(). Once an incoming packet is processed for the socket or a timer fires, sk->sk_lock is acquired. Then, LOCKDEP checks the lock context in check_wait_context(), where hlock_class() is called to retrieve the lock class. However, since the module has already been unloaded, hlock_class() logs a warning and returns NULL, triggering the null-ptr-deref. If LOCKDEP is enabled, we must ensure that a module calling sock_lock_init_class_and_name() (CIFS, NFS, etc) cannot be unloaded while such a socket is still alive to prevent this issue. Let's hold the module reference in sock_lock_init_class_and_name() and release it when the socket is freed in __sk_destruct(). [0]: CIFS_SERVER="10.0.0.137" CIFS_PATH="//${CIFS_SERVER}/Users/Administrator/Desktop/CIFS_TEST" DEV="enp0s3" CRED="/root/WindowsCredential.sh" MNT=$(mktemp -d /tmp/XXXXXX) mount -t cifs ${CIFS_PATH} ${MNT} -o vers=3.0,credentials=${CRED},cache=none,echo_interval=1 iptables -A INPUT -s ${CIFS_SERVER} -j DROP for i in $(seq 10); do umount ${MNT} rmmod cifs sleep 1 done rm -r ${MNT} iptables -D INPUT -s ${CIFS_SERVER} -j DROP [1]: DEBUG_LOCKS_WARN_ON(1) WARNING: CPU: 10 PID: 0 at kernel/locking/lockdep.c:234 hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223) Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs] CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Not tainted 6.14.0 #36 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223) ... Call Trace: <IRQ> __lock_acquire (kernel/locking/lockdep.c:4853 kernel/locking/lockdep.c:5178) lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816) _raw_spin_lock_nested (kernel/locking/spinlock.c:379) tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350) ... BUG: kernel NULL pointer dereference, address: 00000000000000c4 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Tainted: G W 6.14.0 #36 Tainted: [W]=WARN Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__lock_acquire (kernel/locking/lockdep.c:4852 kernel/locking/lockdep.c:5178) Code: 15 41 09 c7 41 8b 44 24 20 25 ff 1f 00 00 41 09 c7 8b 84 24 a0 00 00 00 45 89 7c 24 20 41 89 44 24 24 e8 e1 bc ff ff 4c 89 e7 <44> 0f b6 b8 c4 00 00 00 e8 d1 bc ff ff 0f b6 80 c5 00 00 00 88 44 RSP: 0018:ffa0000000468a10 EFLAGS: 00010046 RAX: 0000000000000000 RBX: ff1100010091cc38 RCX: 0000000000000027 RDX: ff1100081f09ca48 RSI: 0000000000000001 RDI: ff1100010091cc88 RBP: ff1100010091c200 R08: ff1100083fe6e228 R09: 00000000ffffbfff R10: ff1100081eca0000 R11: ff1100083fe10dc0 R12: ff1100010091cc88 R13: 0000000000000001 R14: 0000000000000000 R15: 00000000000424b1 FS: 0000000000000000(0000) GS:ff1100081f080000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000c4 CR3: 0000000002c4a003 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816) _raw_spin_lock_nested (kernel/locking/spinlock.c:379) tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1)) ip_local_deliver_finish (./include/linux/rcupdate.h:878 net/ipv4/ip_input.c:234) ip_sublist_rcv_finish (net/ipv4/ip_input.c:576) ip_list_rcv_finish (net/ipv4/ip_input.c:628) ip_list_rcv (net/ipv4/ip_input.c:670) __netif_receive_skb_list_core (net/core/dev.c:5939 net/core/dev.c:5986) netif_receive_skb_list_internal (net/core/dev.c:6040 net/core/dev.c:6129) napi_complete_done (./include/linux/list.h:37 ./include/net/gro.h:519 ./include/net/gro.h:514 net/core/dev.c:6496) e1000_clean (drivers/net/ethernet/intel/e1000/e1000_main.c:3815) __napi_poll.constprop.0 (net/core/dev.c:7191) net_rx_action (net/core/dev.c:7262 net/core/dev.c:7382) handle_softirqs (kernel/softirq.c:561) __irq_exit_rcu (kernel/softirq.c:596 kernel/softirq.c:435 kernel/softirq.c:662) irq_exit_rcu (kernel/softirq.c:680) common_interrupt (arch/x86/kernel/irq.c:280 (discriminator 14)) </IRQ> <TASK> asm_common_interrupt (./arch/x86/include/asm/idtentry.h:693) RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:744) Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d c3 2b 15 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 RSP: 0018:ffa00000000ffee8 EFLAGS: 00000202 RAX: 000000000000640b RBX: ff1100010091c200 RCX: 0000000000061aa4 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff812f30c5 RBP: 000000000000000a R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000002 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 ? do_idle (kernel/sched/idle.c:186 kernel/sched/idle.c:325) default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118) do_idle (kernel/sched/idle.c:186 kernel/sched/idle.c:325) cpu_startup_entry (kernel/sched/idle.c:422 (discriminator 1)) start_secondary (arch/x86/kernel/smpboot.c:315) common_startup_64 (arch/x86/kernel/head_64.S:421) </TASK> Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs] CR2: 00000000000000c4 Fixes: ed07536ed673 ("[PATCH] lockdep: annotate nfs/nfsd in-kernel sockets") Signed-off-by: Kuniyuki Iwashima <kuniyu(a)amazon.com> Cc: stable(a)vger.kernel.org --- include/net/sock.h | 17 +++++++++++++++-- net/core/sock.c | 6 ++++++ 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/include/net/sock.h b/include/net/sock.h index 8daf1b3b12c6..5864c4c66c6d 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -547,6 +547,10 @@ struct sock { struct rcu_head sk_rcu; netns_tracker ns_tracker; struct xarray sk_user_frags; + +#if IS_ENABLED(CONFIG_PROVE_LOCKING) && IS_ENABLED(CONFIG_MODULES) + struct module *sk_owner; +#endif }; struct sock_bh_locked { @@ -1583,6 +1587,14 @@ static inline void sk_mem_uncharge(struct sock *sk, int size) sk_mem_reclaim(sk); } +static inline void sk_set_owner(struct sock *sk, struct module *owner) +{ +#if IS_ENABLED(CONFIG_PROVE_LOCKING) && IS_ENABLED(CONFIG_MODULES) + __module_get(owner); + sk->sk_owner = owner; +#endif +} + /* * Macro so as to not evaluate some arguments when * lockdep is not enabled. @@ -1592,13 +1604,14 @@ static inline void sk_mem_uncharge(struct sock *sk, int size) */ #define sock_lock_init_class_and_name(sk, sname, skey, name, key) \ do { \ + sk_set_owner(sk, THIS_MODULE); \ sk->sk_lock.owned = 0; \ init_waitqueue_head(&sk->sk_lock.wq); \ spin_lock_init(&(sk)->sk_lock.slock); \ debug_check_no_locks_freed((void *)&(sk)->sk_lock, \ - sizeof((sk)->sk_lock)); \ + sizeof((sk)->sk_lock)); \ lockdep_set_class_and_name(&(sk)->sk_lock.slock, \ - (skey), (sname)); \ + (skey), (sname)); \ lockdep_init_map(&(sk)->sk_lock.dep_map, (name), (key), 0); \ } while (0) diff --git a/net/core/sock.c b/net/core/sock.c index 323892066def..b54f12faad1c 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -2324,6 +2324,12 @@ static void __sk_destruct(struct rcu_head *head) __netns_tracker_free(net, &sk->ns_tracker, false); net_passive_dec(net); } + +#if IS_ENABLED(CONFIG_PROVE_LOCKING) && IS_ENABLED(CONFIG_MODULES) + if (sk->sk_owner) + module_put(sk->sk_owner); +#endif + sk_prot_free(sk->sk_prot_creator, sk); } -- 2.48.1

2 months, 2 weeks

2
2
0 0

[PATCH AUTOSEL 5.4 01/14] page_pool: avoid infinite loop to schedule delayed worker

by Sasha Levin

From: Jason Xing <kerneljasonxing(a)gmail.com> [ Upstream commit 43130d02baa137033c25297aaae95fd0edc41654 ] We noticed the kworker in page_pool_release_retry() was waken up repeatedly and infinitely in production because of the buggy driver causing the inflight less than 0 and warning us in page_pool_inflight()[1]. Since the inflight value goes negative, it means we should not expect the whole page_pool to get back to work normally. This patch mitigates the adverse effect by not rescheduling the kworker when detecting the inflight negative in page_pool_release_retry(). [1] [Mon Feb 10 20:36:11 2025] ------------[ cut here ]------------ [Mon Feb 10 20:36:11 2025] Negative(-51446) inflight packet-pages ... [Mon Feb 10 20:36:11 2025] Call Trace: [Mon Feb 10 20:36:11 2025] page_pool_release_retry+0x23/0x70 [Mon Feb 10 20:36:11 2025] process_one_work+0x1b1/0x370 [Mon Feb 10 20:36:11 2025] worker_thread+0x37/0x3a0 [Mon Feb 10 20:36:11 2025] kthread+0x11a/0x140 [Mon Feb 10 20:36:11 2025] ? process_one_work+0x370/0x370 [Mon Feb 10 20:36:11 2025] ? __kthread_cancel_work+0x40/0x40 [Mon Feb 10 20:36:11 2025] ret_from_fork+0x35/0x40 [Mon Feb 10 20:36:11 2025] ---[ end trace ebffe800f33e7e34 ]--- Note: before this patch, the above calltrace would flood the dmesg due to repeated reschedule of release_dw kworker. Signed-off-by: Jason Xing <kerneljasonxing(a)gmail.com> Reviewed-by: Mina Almasry <almasrymina(a)google.com> Link: https://patch.msgid.link/20250214064250.85987-1-kerneljasonxing@gmail.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- net/core/page_pool.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/net/core/page_pool.c b/net/core/page_pool.c index 335f68eaaa05c..dbe0489e46035 100644 --- a/net/core/page_pool.c +++ b/net/core/page_pool.c @@ -387,7 +387,13 @@ static void page_pool_release_retry(struct work_struct *wq) int inflight; inflight = page_pool_release(pool); - if (!inflight) + /* In rare cases, a driver bug may cause inflight to go negative. + * Don't reschedule release if inflight is 0 or negative. + * - If 0, the page_pool has been destroyed + * - if negative, we will never recover + * in both cases no reschedule is necessary. + */ + if (inflight <= 0) return; /* Periodic warning */ -- 2.39.5

2 months, 2 weeks

1
13
0 0

[PATCH AUTOSEL 5.15 01/16] page_pool: avoid infinite loop to schedule delayed worker

by Sasha Levin

From: Jason Xing <kerneljasonxing(a)gmail.com> [ Upstream commit 43130d02baa137033c25297aaae95fd0edc41654 ] We noticed the kworker in page_pool_release_retry() was waken up repeatedly and infinitely in production because of the buggy driver causing the inflight less than 0 and warning us in page_pool_inflight()[1]. Since the inflight value goes negative, it means we should not expect the whole page_pool to get back to work normally. This patch mitigates the adverse effect by not rescheduling the kworker when detecting the inflight negative in page_pool_release_retry(). [1] [Mon Feb 10 20:36:11 2025] ------------[ cut here ]------------ [Mon Feb 10 20:36:11 2025] Negative(-51446) inflight packet-pages ... [Mon Feb 10 20:36:11 2025] Call Trace: [Mon Feb 10 20:36:11 2025] page_pool_release_retry+0x23/0x70 [Mon Feb 10 20:36:11 2025] process_one_work+0x1b1/0x370 [Mon Feb 10 20:36:11 2025] worker_thread+0x37/0x3a0 [Mon Feb 10 20:36:11 2025] kthread+0x11a/0x140 [Mon Feb 10 20:36:11 2025] ? process_one_work+0x370/0x370 [Mon Feb 10 20:36:11 2025] ? __kthread_cancel_work+0x40/0x40 [Mon Feb 10 20:36:11 2025] ret_from_fork+0x35/0x40 [Mon Feb 10 20:36:11 2025] ---[ end trace ebffe800f33e7e34 ]--- Note: before this patch, the above calltrace would flood the dmesg due to repeated reschedule of release_dw kworker. Signed-off-by: Jason Xing <kerneljasonxing(a)gmail.com> Reviewed-by: Mina Almasry <almasrymina(a)google.com> Link: https://patch.msgid.link/20250214064250.85987-1-kerneljasonxing@gmail.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- net/core/page_pool.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/net/core/page_pool.c b/net/core/page_pool.c index 069d6ba0e33fb..416be038e1cae 100644 --- a/net/core/page_pool.c +++ b/net/core/page_pool.c @@ -699,7 +699,13 @@ static void page_pool_release_retry(struct work_struct *wq) int inflight; inflight = page_pool_release(pool); - if (!inflight) + /* In rare cases, a driver bug may cause inflight to go negative. + * Don't reschedule release if inflight is 0 or negative. + * - If 0, the page_pool has been destroyed + * - if negative, we will never recover + * in both cases no reschedule is necessary. + */ + if (inflight <= 0) return; /* Periodic warning */ -- 2.39.5

2 months, 2 weeks

1
15
0 0

[PATCH AUTOSEL 6.1 01/18] f2fs: don't retry IO for corrupted data scenario

by Sasha Levin

From: Chao Yu <chao(a)kernel.org> [ Upstream commit 1534747d3170646ddeb9ea5f7caaac90359707cf ] F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942] F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942] F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942] F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942] F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942] F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942] F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942] F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942] F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942] F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942] If node block is loaded successfully, but its content is inconsistent, it doesn't need to retry IO. Signed-off-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/f2fs/inode.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c index 0f350368dea73..b8296b0414fcb 100644 --- a/fs/f2fs/inode.c +++ b/fs/f2fs/inode.c @@ -695,8 +695,12 @@ void f2fs_update_inode_page(struct inode *inode) if (err == -ENOENT) return; + if (err == -EFSCORRUPTED) + goto stop_checkpoint; + if (err == -ENOMEM || ++count <= DEFAULT_RETRY_IO_COUNT) goto retry; +stop_checkpoint: f2fs_stop_checkpoint(sbi, false, STOP_CP_REASON_UPDATE_INODE); return; } -- 2.39.5

2 months, 2 weeks

1
17
0 0

[PATCH AUTOSEL 6.12 01/47] wifi: ath11k: Fix DMA buffer allocation to resolve SWIOTLB issues

by Sasha Levin

From: P Praneesh <quic_ppranees(a)quicinc.com> [ Upstream commit 1bcd20981834928ccc5d981aacb806bb523d8b29 ] Currently, the driver allocates cacheable DMA buffers for rings like HAL_REO_DST and HAL_WBM2SW_RELEASE. The buffers for HAL_WBM2SW_RELEASE are large (1024 KiB), exceeding the SWIOTLB slot size of 256 KiB. This leads to "swiotlb buffer is full" error messages on systems without an IOMMU that use SWIOTLB, causing driver initialization failures. The driver calls dma_map_single() with these large buffers obtained from kzalloc(), resulting in ring initialization errors on systems without an IOMMU that use SWIOTLB. To address these issues, replace the flawed buffer allocation mechanism with the appropriate DMA API. Specifically, use dma_alloc_noncoherent() for cacheable DMA buffers, ensuring proper freeing of buffers with dma_free_noncoherent(). Error log: [ 10.194343] ath11k_pci 0000:04:00.0: swiotlb buffer is full (sz:1048583 bytes), total 32768 (slots), used 2529 (slots) [ 10.194406] ath11k_pci 0000:04:00.0: failed to set up tcl_comp ring (0) :-12 [ 10.194781] ath11k_pci 0000:04:00.0: failed to init DP: -12 Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3 Reported-by: Tim Harvey <tharvey(a)gateworks.com> Closes: https://lore.kernel.org/all/20241210041133.GA17116@lst.de/ Signed-off-by: P Praneesh <quic_ppranees(a)quicinc.com> Tested-by: Tim Harvey <tharvey(a)gateworks.com> Link: https://patch.msgid.link/20250119164219.647059-2-quic_ppranees@quicinc.com Signed-off-by: Jeff Johnson <jeff.johnson(a)oss.qualcomm.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/net/wireless/ath/ath11k/dp.c | 35 +++++++++------------------- 1 file changed, 11 insertions(+), 24 deletions(-) diff --git a/drivers/net/wireless/ath/ath11k/dp.c b/drivers/net/wireless/ath/ath11k/dp.c index fbf666d0ecf1d..f124b7329e1ac 100644 --- a/drivers/net/wireless/ath/ath11k/dp.c +++ b/drivers/net/wireless/ath/ath11k/dp.c @@ -1,7 +1,7 @@ // SPDX-License-Identifier: BSD-3-Clause-Clear /* * Copyright (c) 2018-2019 The Linux Foundation. All rights reserved. - * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved. + * Copyright (c) 2021-2025 Qualcomm Innovation Center, Inc. All rights reserved. */ #include <crypto/hash.h> @@ -104,14 +104,12 @@ void ath11k_dp_srng_cleanup(struct ath11k_base *ab, struct dp_srng *ring) if (!ring->vaddr_unaligned) return; - if (ring->cached) { - dma_unmap_single(ab->dev, ring->paddr_unaligned, ring->size, - DMA_FROM_DEVICE); - kfree(ring->vaddr_unaligned); - } else { + if (ring->cached) + dma_free_noncoherent(ab->dev, ring->size, ring->vaddr_unaligned, + ring->paddr_unaligned, DMA_FROM_DEVICE); + else dma_free_coherent(ab->dev, ring->size, ring->vaddr_unaligned, ring->paddr_unaligned); - } ring->vaddr_unaligned = NULL; } @@ -249,25 +247,14 @@ int ath11k_dp_srng_setup(struct ath11k_base *ab, struct dp_srng *ring, default: cached = false; } - - if (cached) { - ring->vaddr_unaligned = kzalloc(ring->size, GFP_KERNEL); - if (!ring->vaddr_unaligned) - return -ENOMEM; - - ring->paddr_unaligned = dma_map_single(ab->dev, - ring->vaddr_unaligned, - ring->size, - DMA_FROM_DEVICE); - if (dma_mapping_error(ab->dev, ring->paddr_unaligned)) { - kfree(ring->vaddr_unaligned); - ring->vaddr_unaligned = NULL; - return -ENOMEM; - } - } } - if (!cached) + if (cached) + ring->vaddr_unaligned = dma_alloc_noncoherent(ab->dev, ring->size, + &ring->paddr_unaligned, + DMA_FROM_DEVICE, + GFP_KERNEL); + else ring->vaddr_unaligned = dma_alloc_coherent(ab->dev, ring->size, &ring->paddr_unaligned, GFP_KERNEL); -- 2.39.5

2 months, 2 weeks

1
46
0 0

[PATCH AUTOSEL 6.13 01/49] wifi: ath11k: Fix DMA buffer allocation to resolve SWIOTLB issues

by Sasha Levin

From: P Praneesh <quic_ppranees(a)quicinc.com> [ Upstream commit 1bcd20981834928ccc5d981aacb806bb523d8b29 ] Currently, the driver allocates cacheable DMA buffers for rings like HAL_REO_DST and HAL_WBM2SW_RELEASE. The buffers for HAL_WBM2SW_RELEASE are large (1024 KiB), exceeding the SWIOTLB slot size of 256 KiB. This leads to "swiotlb buffer is full" error messages on systems without an IOMMU that use SWIOTLB, causing driver initialization failures. The driver calls dma_map_single() with these large buffers obtained from kzalloc(), resulting in ring initialization errors on systems without an IOMMU that use SWIOTLB. To address these issues, replace the flawed buffer allocation mechanism with the appropriate DMA API. Specifically, use dma_alloc_noncoherent() for cacheable DMA buffers, ensuring proper freeing of buffers with dma_free_noncoherent(). Error log: [ 10.194343] ath11k_pci 0000:04:00.0: swiotlb buffer is full (sz:1048583 bytes), total 32768 (slots), used 2529 (slots) [ 10.194406] ath11k_pci 0000:04:00.0: failed to set up tcl_comp ring (0) :-12 [ 10.194781] ath11k_pci 0000:04:00.0: failed to init DP: -12 Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3 Reported-by: Tim Harvey <tharvey(a)gateworks.com> Closes: https://lore.kernel.org/all/20241210041133.GA17116@lst.de/ Signed-off-by: P Praneesh <quic_ppranees(a)quicinc.com> Tested-by: Tim Harvey <tharvey(a)gateworks.com> Link: https://patch.msgid.link/20250119164219.647059-2-quic_ppranees@quicinc.com Signed-off-by: Jeff Johnson <jeff.johnson(a)oss.qualcomm.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/net/wireless/ath/ath11k/dp.c | 35 +++++++++------------------- 1 file changed, 11 insertions(+), 24 deletions(-) diff --git a/drivers/net/wireless/ath/ath11k/dp.c b/drivers/net/wireless/ath/ath11k/dp.c index fbf666d0ecf1d..f124b7329e1ac 100644 --- a/drivers/net/wireless/ath/ath11k/dp.c +++ b/drivers/net/wireless/ath/ath11k/dp.c @@ -1,7 +1,7 @@ // SPDX-License-Identifier: BSD-3-Clause-Clear /* * Copyright (c) 2018-2019 The Linux Foundation. All rights reserved. - * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved. + * Copyright (c) 2021-2025 Qualcomm Innovation Center, Inc. All rights reserved. */ #include <crypto/hash.h> @@ -104,14 +104,12 @@ void ath11k_dp_srng_cleanup(struct ath11k_base *ab, struct dp_srng *ring) if (!ring->vaddr_unaligned) return; - if (ring->cached) { - dma_unmap_single(ab->dev, ring->paddr_unaligned, ring->size, - DMA_FROM_DEVICE); - kfree(ring->vaddr_unaligned); - } else { + if (ring->cached) + dma_free_noncoherent(ab->dev, ring->size, ring->vaddr_unaligned, + ring->paddr_unaligned, DMA_FROM_DEVICE); + else dma_free_coherent(ab->dev, ring->size, ring->vaddr_unaligned, ring->paddr_unaligned); - } ring->vaddr_unaligned = NULL; } @@ -249,25 +247,14 @@ int ath11k_dp_srng_setup(struct ath11k_base *ab, struct dp_srng *ring, default: cached = false; } - - if (cached) { - ring->vaddr_unaligned = kzalloc(ring->size, GFP_KERNEL); - if (!ring->vaddr_unaligned) - return -ENOMEM; - - ring->paddr_unaligned = dma_map_single(ab->dev, - ring->vaddr_unaligned, - ring->size, - DMA_FROM_DEVICE); - if (dma_mapping_error(ab->dev, ring->paddr_unaligned)) { - kfree(ring->vaddr_unaligned); - ring->vaddr_unaligned = NULL; - return -ENOMEM; - } - } } - if (!cached) + if (cached) + ring->vaddr_unaligned = dma_alloc_noncoherent(ab->dev, ring->size, + &ring->paddr_unaligned, + DMA_FROM_DEVICE, + GFP_KERNEL); + else ring->vaddr_unaligned = dma_alloc_coherent(ab->dev, ring->size, &ring->paddr_unaligned, GFP_KERNEL); -- 2.39.5

2 months, 2 weeks

1
48
0 0

[PATCH] USB: storage: quirk for ADATA Portable HDD CH94

by Oliver Neukum

Version 1.60 specifically needs this quirk. Version 2.00 is known good. Cc: stable(a)vger.kernel.org Signed-off-by: Oliver Neukum <oneukum(a)suse.com> --- drivers/usb/storage/unusual_uas.h | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/usb/storage/unusual_uas.h b/drivers/usb/storage/unusual_uas.h index 1f8c9b16a0fb..d460d71b4257 100644 --- a/drivers/usb/storage/unusual_uas.h +++ b/drivers/usb/storage/unusual_uas.h @@ -83,6 +83,13 @@ UNUSUAL_DEV(0x0bc2, 0x331a, 0x0000, 0x9999, USB_SC_DEVICE, USB_PR_DEVICE, NULL, US_FL_NO_REPORT_LUNS), +/* Reported-by: Oliver Neukum <oneukum(a)suse.com> */ +UNUSUAL_DEV(0x125f, 0xa94a, 0x0160, 0x0160, + "ADATA", + "Portable HDD CH94", + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_NO_ATA_1X), + /* Reported-by: Benjamin Tissoires <benjamin.tissoires(a)redhat.com> */ UNUSUAL_DEV(0x13fd, 0x3940, 0x0000, 0x9999, "Initio Corporation", -- 2.49.0

2 months, 2 weeks

1
0
0 0

[PATCH v3 0/2] Add wcslen()

by Nathan Chancellor

Hi all, A recent LLVM change [1] introduces a call to wcslen() in fs/smb/client/smb2pdu.c through UniStrcat() via alloc_path_with_tree_prefix(). Similar to the bcmp() and stpcpy() additions that happened in 5f074f3e192f and 1e1b6d63d634, add wcslen() to fix the linkage failure. [1]: https://github.com/llvm/llvm-project/commit/9694844d7e36fd5e01011ab56b64f27… --- Changes in v3: - During comment shuffle in patch 1, move to standard multi-line comment kernel style (Andy). Carry forward Andy's review. - Move nls_types.h include in string.c in patch 2 to a better place alphabetically (Andy). - Drop 'extern' from wcslen() declaration in string.h, as external linkage is the default for functions and the coding style explicitly forbids it (Andy). - Link to v2: https://lore.kernel.org/r/20250326-string-add-wcslen-for-llvm-opt-v2-0-d864… Changes in v2: - Refactor typedefs from nls.h into nls_types.h to make it safe to include in string.h, which may be included in many places throughout the kernel that may not like the other stuff nls.h brings in: https://lore.kernel.org/202503260611.MDurOUhF-lkp@intel.com/ - Drop libstub change due to the above change, as it is no longer necessary. - Move prototype shuffle of patch 2 into the patch that adds wcslen() (Andy) - Use new nls_types.h in string.{c,h} - Link to v1: https://lore.kernel.org/r/20250325-string-add-wcslen-for-llvm-opt-v1-0-b8f1… --- Nathan Chancellor (2): include: Move typedefs in nls.h to their own header lib/string.c: Add wcslen() include/linux/nls.h | 19 +------------------ include/linux/nls_types.h | 26 ++++++++++++++++++++++++++ include/linux/string.h | 2 ++ lib/string.c | 11 +++++++++++ 4 files changed, 40 insertions(+), 18 deletions(-) --- base-commit: 78ab93c78fb31c5dfe207318aa2b7bd4e41f8dba change-id: 20250324-string-add-wcslen-for-llvm-opt-705791db92c0 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

2 months, 2 weeks

2
3
0 0

[PATCH 5.15 v2 00/10] KVM: arm64: Backport of SVE fixes to v5.15

by Mark Brown

This series backports some recent fixes for SVE/KVM interactions from Mark Rutland to v5.15. Signed-off-by: Mark Brown <broonie(a)kernel.org> --- Changes in v2: - Resend with Greg and the stable list added. - Link to v1: https://lore.kernel.org/r/20250402-stable-sve-5-15-v1-0-84d0e5ff1102@kernel… --- Fuad Tabba (1): KVM: arm64: Calculate cptr_el2 traps on activating traps Marc Zyngier (1): KVM: arm64: Get rid of host SVE tracking/saving Mark Brown (4): KVM: arm64: Discard any SVE state when entering KVM guests arm64/fpsimd: Track the saved FPSIMD state type separately to TIF_SVE arm64/fpsimd: Have KVM explicitly say which FP registers to save arm64/fpsimd: Stop using TIF_SVE to manage register saving in KVM Mark Rutland (4): KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state KVM: arm64: Remove host FPSIMD saving for non-protected KVM KVM: arm64: Remove VHE host restore of CPACR_EL1.ZEN KVM: arm64: Eagerly switch ZCR_EL{1,2} arch/arm64/include/asm/fpsimd.h | 4 +- arch/arm64/include/asm/kvm_host.h | 17 +++-- arch/arm64/include/asm/kvm_hyp.h | 7 ++ arch/arm64/include/asm/processor.h | 7 ++ arch/arm64/kernel/fpsimd.c | 117 +++++++++++++++++++++++--------- arch/arm64/kernel/process.c | 3 + arch/arm64/kernel/ptrace.c | 3 + arch/arm64/kernel/signal.c | 3 + arch/arm64/kvm/arm.c | 1 - arch/arm64/kvm/fpsimd.c | 72 +++++++++----------- arch/arm64/kvm/hyp/entry.S | 5 ++ arch/arm64/kvm/hyp/include/hyp/switch.h | 86 +++++++++++++++-------- arch/arm64/kvm/hyp/nvhe/hyp-main.c | 9 ++- arch/arm64/kvm/hyp/nvhe/switch.c | 52 +++++++++----- arch/arm64/kvm/hyp/vhe/switch.c | 4 ++ arch/arm64/kvm/reset.c | 3 + 16 files changed, 266 insertions(+), 127 deletions(-) --- base-commit: 0c935c049b5c196b83b968c72d348ae6fff83ea2 change-id: 20250326-stable-sve-5-15-bfd75482dcfa Best regards, -- Mark Brown <broonie(a)kernel.org>

2 months, 2 weeks

2
23
0 0

[PATCH v4 2/2] ASoC: codecs:lpass-wsa-macro: Fix logic of enabling vi channels

by srinivas.kandagatla＠linaro.org

From: Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> Existing code only configures one of WSA_MACRO_TX0 or WSA_MACRO_TX1 paths eventhough we enable both of them. Fix this bug by adding proper checks and rearranging some of the common code to able to allow setting both TX0 and TX1 paths Without this patch only one channel gets enabled in VI path instead of 2 channels. End result would be 1 channel recording instead of 2. Fixes: 2c4066e5d428 ("ASoC: codecs: lpass-wsa-macro: add dapm widgets and route") Cc: stable(a)vger.kernel.org Co-developed-by: Manikantan R <quic_manrav(a)quicinc.com> Signed-off-by: Manikantan R <quic_manrav(a)quicinc.com> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> --- sound/soc/codecs/lpass-wsa-macro.c | 108 +++++++++++++++++------------ 1 file changed, 63 insertions(+), 45 deletions(-) diff --git a/sound/soc/codecs/lpass-wsa-macro.c b/sound/soc/codecs/lpass-wsa-macro.c index ac119847bc22..81bab8299eae 100644 --- a/sound/soc/codecs/lpass-wsa-macro.c +++ b/sound/soc/codecs/lpass-wsa-macro.c @@ -1459,6 +1459,67 @@ static void wsa_macro_mclk_enable(struct wsa_macro *wsa, bool mclk_enable) } } +static void wsa_macro_enable_disable_vi_sense(struct snd_soc_component *component, bool enable, + u32 tx_reg0, u32 tx_reg1, u32 val) +{ + if (enable) { + /* Enable V&I sensing */ + snd_soc_component_update_bits(component, tx_reg0, + CDC_WSA_TX_SPKR_PROT_RESET_MASK, + CDC_WSA_TX_SPKR_PROT_RESET); + snd_soc_component_update_bits(component, tx_reg1, + CDC_WSA_TX_SPKR_PROT_RESET_MASK, + CDC_WSA_TX_SPKR_PROT_RESET); + snd_soc_component_update_bits(component, tx_reg0, + CDC_WSA_TX_SPKR_PROT_PCM_RATE_MASK, + val); + snd_soc_component_update_bits(component, tx_reg1, + CDC_WSA_TX_SPKR_PROT_PCM_RATE_MASK, + val); + snd_soc_component_update_bits(component, tx_reg0, + CDC_WSA_TX_SPKR_PROT_CLK_EN_MASK, + CDC_WSA_TX_SPKR_PROT_CLK_ENABLE); + snd_soc_component_update_bits(component, tx_reg1, + CDC_WSA_TX_SPKR_PROT_CLK_EN_MASK, + CDC_WSA_TX_SPKR_PROT_CLK_ENABLE); + snd_soc_component_update_bits(component, tx_reg0, + CDC_WSA_TX_SPKR_PROT_RESET_MASK, + CDC_WSA_TX_SPKR_PROT_NO_RESET); + snd_soc_component_update_bits(component, tx_reg1, + CDC_WSA_TX_SPKR_PROT_RESET_MASK, + CDC_WSA_TX_SPKR_PROT_NO_RESET); + } else { + snd_soc_component_update_bits(component, tx_reg0, + CDC_WSA_TX_SPKR_PROT_RESET_MASK, + CDC_WSA_TX_SPKR_PROT_RESET); + snd_soc_component_update_bits(component, tx_reg1, + CDC_WSA_TX_SPKR_PROT_RESET_MASK, + CDC_WSA_TX_SPKR_PROT_RESET); + snd_soc_component_update_bits(component, tx_reg0, + CDC_WSA_TX_SPKR_PROT_CLK_EN_MASK, + CDC_WSA_TX_SPKR_PROT_CLK_DISABLE); + snd_soc_component_update_bits(component, tx_reg1, + CDC_WSA_TX_SPKR_PROT_CLK_EN_MASK, + CDC_WSA_TX_SPKR_PROT_CLK_DISABLE); + } +} + +static void wsa_macro_enable_disable_vi_feedback(struct snd_soc_component *component, + bool enable, u32 rate) +{ + struct wsa_macro *wsa = snd_soc_component_get_drvdata(component); + + if (test_bit(WSA_MACRO_TX0, &wsa->active_ch_mask[WSA_MACRO_AIF_VI])) + wsa_macro_enable_disable_vi_sense(component, enable, + CDC_WSA_TX0_SPKR_PROT_PATH_CTL, + CDC_WSA_TX1_SPKR_PROT_PATH_CTL, rate); + + if (test_bit(WSA_MACRO_TX1, &wsa->active_ch_mask[WSA_MACRO_AIF_VI])) + wsa_macro_enable_disable_vi_sense(component, enable, + CDC_WSA_TX2_SPKR_PROT_PATH_CTL, + CDC_WSA_TX3_SPKR_PROT_PATH_CTL, rate); +} + static int wsa_macro_mclk_event(struct snd_soc_dapm_widget *w, struct snd_kcontrol *kcontrol, int event) { @@ -1475,7 +1536,6 @@ static int wsa_macro_enable_vi_feedback(struct snd_soc_dapm_widget *w, { struct snd_soc_component *component = snd_soc_dapm_to_component(w->dapm); struct wsa_macro *wsa = snd_soc_component_get_drvdata(component); - u32 tx_reg0, tx_reg1; u32 rate_val; switch (wsa->pcm_rate_vi) { @@ -1499,56 +1559,14 @@ static int wsa_macro_enable_vi_feedback(struct snd_soc_dapm_widget *w, break; } - if (test_bit(WSA_MACRO_TX0, &wsa->active_ch_mask[WSA_MACRO_AIF_VI])) { - tx_reg0 = CDC_WSA_TX0_SPKR_PROT_PATH_CTL; - tx_reg1 = CDC_WSA_TX1_SPKR_PROT_PATH_CTL; - } else if (test_bit(WSA_MACRO_TX1, &wsa->active_ch_mask[WSA_MACRO_AIF_VI])) { - tx_reg0 = CDC_WSA_TX2_SPKR_PROT_PATH_CTL; - tx_reg1 = CDC_WSA_TX3_SPKR_PROT_PATH_CTL; - } - switch (event) { case SND_SOC_DAPM_POST_PMU: /* Enable V&I sensing */ - snd_soc_component_update_bits(component, tx_reg0, - CDC_WSA_TX_SPKR_PROT_RESET_MASK, - CDC_WSA_TX_SPKR_PROT_RESET); - snd_soc_component_update_bits(component, tx_reg1, - CDC_WSA_TX_SPKR_PROT_RESET_MASK, - CDC_WSA_TX_SPKR_PROT_RESET); - snd_soc_component_update_bits(component, tx_reg0, - CDC_WSA_TX_SPKR_PROT_PCM_RATE_MASK, - rate_val); - snd_soc_component_update_bits(component, tx_reg1, - CDC_WSA_TX_SPKR_PROT_PCM_RATE_MASK, - rate_val); - snd_soc_component_update_bits(component, tx_reg0, - CDC_WSA_TX_SPKR_PROT_CLK_EN_MASK, - CDC_WSA_TX_SPKR_PROT_CLK_ENABLE); - snd_soc_component_update_bits(component, tx_reg1, - CDC_WSA_TX_SPKR_PROT_CLK_EN_MASK, - CDC_WSA_TX_SPKR_PROT_CLK_ENABLE); - snd_soc_component_update_bits(component, tx_reg0, - CDC_WSA_TX_SPKR_PROT_RESET_MASK, - CDC_WSA_TX_SPKR_PROT_NO_RESET); - snd_soc_component_update_bits(component, tx_reg1, - CDC_WSA_TX_SPKR_PROT_RESET_MASK, - CDC_WSA_TX_SPKR_PROT_NO_RESET); + wsa_macro_enable_disable_vi_feedback(component, true, rate_val); break; case SND_SOC_DAPM_POST_PMD: /* Disable V&I sensing */ - snd_soc_component_update_bits(component, tx_reg0, - CDC_WSA_TX_SPKR_PROT_RESET_MASK, - CDC_WSA_TX_SPKR_PROT_RESET); - snd_soc_component_update_bits(component, tx_reg1, - CDC_WSA_TX_SPKR_PROT_RESET_MASK, - CDC_WSA_TX_SPKR_PROT_RESET); - snd_soc_component_update_bits(component, tx_reg0, - CDC_WSA_TX_SPKR_PROT_CLK_EN_MASK, - CDC_WSA_TX_SPKR_PROT_CLK_DISABLE); - snd_soc_component_update_bits(component, tx_reg1, - CDC_WSA_TX_SPKR_PROT_CLK_EN_MASK, - CDC_WSA_TX_SPKR_PROT_CLK_DISABLE); + wsa_macro_enable_disable_vi_feedback(component, false, rate_val); break; } -- 2.39.5

2 months, 2 weeks

2
1
0 0

[PATCH v4 1/2] ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate

by srinivas.kandagatla＠linaro.org

From: Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> Currently the VI feedback rate is set to fixed 8K, fix this by getting the correct rate from params_rate. Without this patch incorrect rate will be set on the VI feedback recording resulting in rate miss match and audio artifacts. Fixes: 2c4066e5d428 ("ASoC: codecs: lpass-wsa-macro: add dapm widgets and route") Cc: stable(a)vger.kernel.org Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> --- sound/soc/codecs/lpass-wsa-macro.c | 39 +++++++++++++++++++++++++++--- 1 file changed, 36 insertions(+), 3 deletions(-) diff --git a/sound/soc/codecs/lpass-wsa-macro.c b/sound/soc/codecs/lpass-wsa-macro.c index c989d82d1d3c..ac119847bc22 100644 --- a/sound/soc/codecs/lpass-wsa-macro.c +++ b/sound/soc/codecs/lpass-wsa-macro.c @@ -63,6 +63,10 @@ #define CDC_WSA_TX_SPKR_PROT_CLK_DISABLE 0 #define CDC_WSA_TX_SPKR_PROT_PCM_RATE_MASK GENMASK(3, 0) #define CDC_WSA_TX_SPKR_PROT_PCM_RATE_8K 0 +#define CDC_WSA_TX_SPKR_PROT_PCM_RATE_16K 1 +#define CDC_WSA_TX_SPKR_PROT_PCM_RATE_24K 2 +#define CDC_WSA_TX_SPKR_PROT_PCM_RATE_32K 3 +#define CDC_WSA_TX_SPKR_PROT_PCM_RATE_48K 4 #define CDC_WSA_TX0_SPKR_PROT_PATH_CFG0 (0x0248) #define CDC_WSA_TX1_SPKR_PROT_PATH_CTL (0x0264) #define CDC_WSA_TX1_SPKR_PROT_PATH_CFG0 (0x0268) @@ -407,6 +411,7 @@ struct wsa_macro { int ear_spkr_gain; int spkr_gain_offset; int spkr_mode; + u32 pcm_rate_vi; int is_softclip_on[WSA_MACRO_SOFTCLIP_MAX]; int softclip_clk_users[WSA_MACRO_SOFTCLIP_MAX]; struct regmap *regmap; @@ -1280,6 +1285,7 @@ static int wsa_macro_hw_params(struct snd_pcm_substream *substream, struct snd_soc_dai *dai) { struct snd_soc_component *component = dai->component; + struct wsa_macro *wsa = snd_soc_component_get_drvdata(component); int ret; switch (substream->stream) { @@ -1291,6 +1297,11 @@ static int wsa_macro_hw_params(struct snd_pcm_substream *substream, __func__, params_rate(params)); return ret; } + break; + case SNDRV_PCM_STREAM_CAPTURE: + if (dai->id == WSA_MACRO_AIF_VI) + wsa->pcm_rate_vi = params_rate(params); + break; default: break; @@ -1465,6 +1476,28 @@ static int wsa_macro_enable_vi_feedback(struct snd_soc_dapm_widget *w, struct snd_soc_component *component = snd_soc_dapm_to_component(w->dapm); struct wsa_macro *wsa = snd_soc_component_get_drvdata(component); u32 tx_reg0, tx_reg1; + u32 rate_val; + + switch (wsa->pcm_rate_vi) { + case 8000: + rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_8K; + break; + case 16000: + rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_16K; + break; + case 24000: + rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_24K; + break; + case 32000: + rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_32K; + break; + case 48000: + rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_48K; + break; + default: + rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_8K; + break; + } if (test_bit(WSA_MACRO_TX0, &wsa->active_ch_mask[WSA_MACRO_AIF_VI])) { tx_reg0 = CDC_WSA_TX0_SPKR_PROT_PATH_CTL; @@ -1476,7 +1509,7 @@ static int wsa_macro_enable_vi_feedback(struct snd_soc_dapm_widget *w, switch (event) { case SND_SOC_DAPM_POST_PMU: - /* Enable V&I sensing */ + /* Enable V&I sensing */ snd_soc_component_update_bits(component, tx_reg0, CDC_WSA_TX_SPKR_PROT_RESET_MASK, CDC_WSA_TX_SPKR_PROT_RESET); @@ -1485,10 +1518,10 @@ static int wsa_macro_enable_vi_feedback(struct snd_soc_dapm_widget *w, CDC_WSA_TX_SPKR_PROT_RESET); snd_soc_component_update_bits(component, tx_reg0, CDC_WSA_TX_SPKR_PROT_PCM_RATE_MASK, - CDC_WSA_TX_SPKR_PROT_PCM_RATE_8K); + rate_val); snd_soc_component_update_bits(component, tx_reg1, CDC_WSA_TX_SPKR_PROT_PCM_RATE_MASK, - CDC_WSA_TX_SPKR_PROT_PCM_RATE_8K); + rate_val); snd_soc_component_update_bits(component, tx_reg0, CDC_WSA_TX_SPKR_PROT_CLK_EN_MASK, CDC_WSA_TX_SPKR_PROT_CLK_ENABLE); -- 2.39.5

2 months, 2 weeks

1
0
0 0

[PATCH v3 2/2] ASoC: codecs:lpass-wsa-macro: Fix logic of enabling vi channels

by srinivas.kandagatla＠linaro.org

From: Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> Existing code only configures one of WSA_MACRO_TX0 or WSA_MACRO_TX1 paths eventhough we enable both of them. Fix this bug by adding proper checks and rearranging some of the common code to able to allow setting both TX0 and TX1 paths Without this patch only one channel gets enabled in VI path instead of 2 channels. End result would be 1 channel recording instead of 2. Fixes: 2c4066e5d428 ("ASoC: codecs: lpass-wsa-macro: add dapm widgets and route") Cc: stable(a)vger.kernel.org Co-developed-by: Manikantan R <quic_manrav(a)quicinc.com> Signed-off-by: Manikantan R <quic_manrav(a)quicinc.com> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> --- sound/soc/codecs/lpass-wsa-macro.c | 112 +++++++++++++++++------------ 1 file changed, 68 insertions(+), 44 deletions(-) diff --git a/sound/soc/codecs/lpass-wsa-macro.c b/sound/soc/codecs/lpass-wsa-macro.c index ac119847bc22..c9e7f185f2bc 100644 --- a/sound/soc/codecs/lpass-wsa-macro.c +++ b/sound/soc/codecs/lpass-wsa-macro.c @@ -1469,46 +1469,11 @@ static int wsa_macro_mclk_event(struct snd_soc_dapm_widget *w, return 0; } -static int wsa_macro_enable_vi_feedback(struct snd_soc_dapm_widget *w, - struct snd_kcontrol *kcontrol, - int event) -{ - struct snd_soc_component *component = snd_soc_dapm_to_component(w->dapm); - struct wsa_macro *wsa = snd_soc_component_get_drvdata(component); - u32 tx_reg0, tx_reg1; - u32 rate_val; - switch (wsa->pcm_rate_vi) { - case 8000: - rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_8K; - break; - case 16000: - rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_16K; - break; - case 24000: - rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_24K; - break; - case 32000: - rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_32K; - break; - case 48000: - rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_48K; - break; - default: - rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_8K; - break; - } - - if (test_bit(WSA_MACRO_TX0, &wsa->active_ch_mask[WSA_MACRO_AIF_VI])) { - tx_reg0 = CDC_WSA_TX0_SPKR_PROT_PATH_CTL; - tx_reg1 = CDC_WSA_TX1_SPKR_PROT_PATH_CTL; - } else if (test_bit(WSA_MACRO_TX1, &wsa->active_ch_mask[WSA_MACRO_AIF_VI])) { - tx_reg0 = CDC_WSA_TX2_SPKR_PROT_PATH_CTL; - tx_reg1 = CDC_WSA_TX3_SPKR_PROT_PATH_CTL; - } - - switch (event) { - case SND_SOC_DAPM_POST_PMU: +static void wsa_macro_enable_disable_vi_sense(struct snd_soc_component *component, bool enable, + u32 tx_reg0, u32 tx_reg1, u32 val) +{ + if (enable) { /* Enable V&I sensing */ snd_soc_component_update_bits(component, tx_reg0, CDC_WSA_TX_SPKR_PROT_RESET_MASK, @@ -1518,10 +1483,10 @@ static int wsa_macro_enable_vi_feedback(struct snd_soc_dapm_widget *w, CDC_WSA_TX_SPKR_PROT_RESET); snd_soc_component_update_bits(component, tx_reg0, CDC_WSA_TX_SPKR_PROT_PCM_RATE_MASK, - rate_val); + val); snd_soc_component_update_bits(component, tx_reg1, CDC_WSA_TX_SPKR_PROT_PCM_RATE_MASK, - rate_val); + val); snd_soc_component_update_bits(component, tx_reg0, CDC_WSA_TX_SPKR_PROT_CLK_EN_MASK, CDC_WSA_TX_SPKR_PROT_CLK_ENABLE); @@ -1534,9 +1499,7 @@ static int wsa_macro_enable_vi_feedback(struct snd_soc_dapm_widget *w, snd_soc_component_update_bits(component, tx_reg1, CDC_WSA_TX_SPKR_PROT_RESET_MASK, CDC_WSA_TX_SPKR_PROT_NO_RESET); - break; - case SND_SOC_DAPM_POST_PMD: - /* Disable V&I sensing */ + } else { snd_soc_component_update_bits(component, tx_reg0, CDC_WSA_TX_SPKR_PROT_RESET_MASK, CDC_WSA_TX_SPKR_PROT_RESET); @@ -1549,6 +1512,67 @@ static int wsa_macro_enable_vi_feedback(struct snd_soc_dapm_widget *w, snd_soc_component_update_bits(component, tx_reg1, CDC_WSA_TX_SPKR_PROT_CLK_EN_MASK, CDC_WSA_TX_SPKR_PROT_CLK_DISABLE); + } +} + +static void wsa_macro_enable_disable_vi_feedback(struct snd_soc_component *component, + bool enable, u32 rate) +{ + struct wsa_macro *wsa = snd_soc_component_get_drvdata(component); + u32 tx_reg0, tx_reg1; + + if (test_bit(WSA_MACRO_TX0, &wsa->active_ch_mask[WSA_MACRO_AIF_VI])) { + tx_reg0 = CDC_WSA_TX0_SPKR_PROT_PATH_CTL; + tx_reg1 = CDC_WSA_TX1_SPKR_PROT_PATH_CTL; + wsa_macro_enable_disable_vi_sense(component, enable, tx_reg0, tx_reg1, rate); + } + + if (test_bit(WSA_MACRO_TX1, &wsa->active_ch_mask[WSA_MACRO_AIF_VI])) { + tx_reg0 = CDC_WSA_TX2_SPKR_PROT_PATH_CTL; + tx_reg1 = CDC_WSA_TX3_SPKR_PROT_PATH_CTL; + wsa_macro_enable_disable_vi_sense(component, enable, tx_reg0, tx_reg1, rate); + + } + +} + +static int wsa_macro_enable_vi_feedback(struct snd_soc_dapm_widget *w, + struct snd_kcontrol *kcontrol, + int event) +{ + struct snd_soc_component *component = snd_soc_dapm_to_component(w->dapm); + struct wsa_macro *wsa = snd_soc_component_get_drvdata(component); + u32 rate_val; + + switch (wsa->pcm_rate_vi) { + case 8000: + rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_8K; + break; + case 16000: + rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_16K; + break; + case 24000: + rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_24K; + break; + case 32000: + rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_32K; + break; + case 48000: + rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_48K; + break; + default: + rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_8K; + break; + } + + switch (event) { + case SND_SOC_DAPM_POST_PMU: + /* Enable V&I sensing */ + wsa_macro_enable_disable_vi_feedback(component, true, rate_val); + break; + case SND_SOC_DAPM_POST_PMD: + /* Disable V&I sensing */ + wsa_macro_enable_disable_vi_feedback(component, false, rate_val); break; } -- 2.39.5

2 months, 2 weeks

3
2
0 0

[PATCH 5.15.y 0/2] Fix CVE-2024-53095

by Xiangyu Chen

From: Xiangyu Chen <xiangyu.chen(a)windriver.com> Backport commit ef7134c7fc48 ("smb: client: Fix use-after-free of network namespace.") to fix CVE-2024-53095 This required 1 extra commit to make sure the picks are clean: commit d477eb900484 ("net: make sock_inuse_add() available") Eric Dumazet (1): net: make sock_inuse_add() available Kuniyuki Iwashima (1): smb: client: Fix use-after-free of network namespace. fs/cifs/connect.c | 13 ++++++++++--- include/net/sock.h | 10 ++++++++++ net/core/sock.c | 10 ---------- net/mptcp/subflow.c | 4 +--- 4 files changed, 21 insertions(+), 16 deletions(-) -- 2.43.0

2 months, 2 weeks

2
4
0 0

[PATCH 6.1.y] usb: gadget: uvc: Fix ERR_PTR dereference in uvc_v4l2.c

by jianqi.ren.cn＠windriver.com

From: Abhishek Tamboli <abhishektamboli9(a)gmail.com> [ Upstream commit a7bb96b18864225a694e3887ac2733159489e4b0 ] Fix potential dereferencing of ERR_PTR() in find_format_by_pix() and uvc_v4l2_enum_format(). Fix the following smatch errors: drivers/usb/gadget/function/uvc_v4l2.c:124 find_format_by_pix() error: 'fmtdesc' dereferencing possible ERR_PTR() drivers/usb/gadget/function/uvc_v4l2.c:392 uvc_v4l2_enum_format() error: 'fmtdesc' dereferencing possible ERR_PTR() Also, fix similar issue in uvc_v4l2_try_format() for potential dereferencing of ERR_PTR(). Signed-off-by: Abhishek Tamboli <abhishektamboli9(a)gmail.com> Link: https://lore.kernel.org/r/20240815102202.594812-1-abhishektamboli9@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- drivers/usb/gadget/function/uvc_v4l2.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c index a189b08bba80..5aeeaff7b283 100644 --- a/drivers/usb/gadget/function/uvc_v4l2.c +++ b/drivers/usb/gadget/function/uvc_v4l2.c @@ -121,6 +121,9 @@ static struct uvcg_format *find_format_by_pix(struct uvc_device *uvc, list_for_each_entry(format, &uvc->header->formats, entry) { struct uvc_format_desc *fmtdesc = to_uvc_format(format->fmt); + if (IS_ERR(fmtdesc)) + continue; + if (fmtdesc->fcc == pixelformat) { uformat = format->fmt; break; @@ -240,6 +243,7 @@ uvc_v4l2_try_format(struct file *file, void *fh, struct v4l2_format *fmt) struct uvc_video *video = &uvc->video; struct uvcg_format *uformat; struct uvcg_frame *uframe; + const struct uvc_format_desc *fmtdesc; u8 *fcc; if (fmt->type != video->queue.queue.type) @@ -265,7 +269,10 @@ uvc_v4l2_try_format(struct file *file, void *fh, struct v4l2_format *fmt) fmt->fmt.pix.field = V4L2_FIELD_NONE; fmt->fmt.pix.bytesperline = uvc_v4l2_get_bytesperline(uformat, uframe); fmt->fmt.pix.sizeimage = uvc_get_frame_size(uformat, uframe); - fmt->fmt.pix.pixelformat = to_uvc_format(uformat)->fcc; + fmtdesc = to_uvc_format(uformat); + if (IS_ERR(fmtdesc)) + return PTR_ERR(fmtdesc); + fmt->fmt.pix.pixelformat = fmtdesc->fcc; fmt->fmt.pix.colorspace = V4L2_COLORSPACE_SRGB; fmt->fmt.pix.priv = 0; @@ -378,6 +385,9 @@ uvc_v4l2_enum_format(struct file *file, void *fh, struct v4l2_fmtdesc *f) f->flags |= V4L2_FMT_FLAG_COMPRESSED; fmtdesc = to_uvc_format(uformat); + if (IS_ERR(fmtdesc)) + return PTR_ERR(fmtdesc); + f->pixelformat = fmtdesc->fcc; strscpy(f->description, fmtdesc->name, sizeof(f->description)); -- 2.34.1

2 months, 2 weeks

2
1
0 0

[PATCH 5.15.y] bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers

by Cliff Liu

From: Hou Tao <houtao1(a)huawei.com> [ Upstream commit 169410eba271afc9f0fb476d996795aa26770c6d ] These three bpf_map_{lookup,update,delete}_elem() helpers are also available for sleepable bpf program, so add the corresponding lock assertion for sleepable bpf program, otherwise the following warning will be reported when a sleepable bpf program manipulates bpf map under interpreter mode (aka bpf_jit_enable=0): WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 ...... CPU: 3 PID: 4985 Comm: test_progs Not tainted 6.6.0+ #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ...... RIP: 0010:bpf_map_lookup_elem+0x54/0x60 ...... Call Trace: <TASK> ? __warn+0xa5/0x240 ? bpf_map_lookup_elem+0x54/0x60 ? report_bug+0x1ba/0x1f0 ? handle_bug+0x40/0x80 ? exc_invalid_op+0x18/0x50 ? asm_exc_invalid_op+0x1b/0x20 ? __pfx_bpf_map_lookup_elem+0x10/0x10 ? rcu_lockdep_current_cpu_online+0x65/0xb0 ? rcu_is_watching+0x23/0x50 ? bpf_map_lookup_elem+0x54/0x60 ? __pfx_bpf_map_lookup_elem+0x10/0x10 ___bpf_prog_run+0x513/0x3b70 __bpf_prog_run32+0x9d/0xd0 ? __bpf_prog_enter_sleepable_recur+0xad/0x120 ? __bpf_prog_enter_sleepable_recur+0x3e/0x120 bpf_trampoline_6442580665+0x4d/0x1000 __x64_sys_getpgid+0x5/0x30 ? do_syscall_64+0x36/0xb0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 </TASK> Signed-off-by: Hou Tao <houtao1(a)huawei.com> Link: https://lore.kernel.org/r/20231204140425.1480317-2-houtao@huaweicloud.com Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Cliff Liu <donghua.liu(a)windriver.com> Signed-off-by: He Zhe <Zhe.He(a)windriver.com> --- Verified the build test. --- kernel/bpf/helpers.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c index 13f870e47ab6..d3feaf6d68eb 100644 --- a/kernel/bpf/helpers.c +++ b/kernel/bpf/helpers.c @@ -3,6 +3,7 @@ */ #include <linux/bpf.h> #include <linux/rcupdate.h> +#include <linux/rcupdate_trace.h> #include <linux/random.h> #include <linux/smp.h> #include <linux/topology.h> @@ -24,12 +25,13 @@ * * Different map implementations will rely on rcu in map methods * lookup/update/delete, therefore eBPF programs must run under rcu lock - * if program is allowed to access maps, so check rcu_read_lock_held in - * all three functions. + * if program is allowed to access maps, so check rcu_read_lock_held() or + * rcu_read_lock_trace_held() in all three functions. */ BPF_CALL_2(bpf_map_lookup_elem, struct bpf_map *, map, void *, key) { - WARN_ON_ONCE(!rcu_read_lock_held() && !rcu_read_lock_bh_held()); + WARN_ON_ONCE(!rcu_read_lock_held() && !rcu_read_lock_trace_held() && + !rcu_read_lock_bh_held()); return (unsigned long) map->ops->map_lookup_elem(map, key); } @@ -45,7 +47,8 @@ const struct bpf_func_proto bpf_map_lookup_elem_proto = { BPF_CALL_4(bpf_map_update_elem, struct bpf_map *, map, void *, key, void *, value, u64, flags) { - WARN_ON_ONCE(!rcu_read_lock_held() && !rcu_read_lock_bh_held()); + WARN_ON_ONCE(!rcu_read_lock_held() && !rcu_read_lock_trace_held() && + !rcu_read_lock_bh_held()); return map->ops->map_update_elem(map, key, value, flags); } @@ -62,7 +65,8 @@ const struct bpf_func_proto bpf_map_update_elem_proto = { BPF_CALL_2(bpf_map_delete_elem, struct bpf_map *, map, void *, key) { - WARN_ON_ONCE(!rcu_read_lock_held() && !rcu_read_lock_bh_held()); + WARN_ON_ONCE(!rcu_read_lock_held() && !rcu_read_lock_trace_held() && + !rcu_read_lock_bh_held()); return map->ops->map_delete_elem(map, key); } -- 2.34.1

2 months, 2 weeks

2
1
0 0

[PATCH 6.6.y] usb: gadget: uvc: Fix ERR_PTR dereference in uvc_v4l2.c

by jianqi.ren.cn＠windriver.com

From: Abhishek Tamboli <abhishektamboli9(a)gmail.com> [ Upstream commit a7bb96b18864225a694e3887ac2733159489e4b0 ] Fix potential dereferencing of ERR_PTR() in find_format_by_pix() and uvc_v4l2_enum_format(). Fix the following smatch errors: drivers/usb/gadget/function/uvc_v4l2.c:124 find_format_by_pix() error: 'fmtdesc' dereferencing possible ERR_PTR() drivers/usb/gadget/function/uvc_v4l2.c:392 uvc_v4l2_enum_format() error: 'fmtdesc' dereferencing possible ERR_PTR() Also, fix similar issue in uvc_v4l2_try_format() for potential dereferencing of ERR_PTR(). Signed-off-by: Abhishek Tamboli <abhishektamboli9(a)gmail.com> Link: https://lore.kernel.org/r/20240815102202.594812-1-abhishektamboli9@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- drivers/usb/gadget/function/uvc_v4l2.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c index 3f0a9795c0d4..0195625bef53 100644 --- a/drivers/usb/gadget/function/uvc_v4l2.c +++ b/drivers/usb/gadget/function/uvc_v4l2.c @@ -121,6 +121,9 @@ static struct uvcg_format *find_format_by_pix(struct uvc_device *uvc, list_for_each_entry(format, &uvc->header->formats, entry) { const struct uvc_format_desc *fmtdesc = to_uvc_format(format->fmt); + if (IS_ERR(fmtdesc)) + continue; + if (fmtdesc->fcc == pixelformat) { uformat = format->fmt; break; @@ -240,6 +243,7 @@ uvc_v4l2_try_format(struct file *file, void *fh, struct v4l2_format *fmt) struct uvc_video *video = &uvc->video; struct uvcg_format *uformat; struct uvcg_frame *uframe; + const struct uvc_format_desc *fmtdesc; u8 *fcc; if (fmt->type != video->queue.queue.type) @@ -265,7 +269,10 @@ uvc_v4l2_try_format(struct file *file, void *fh, struct v4l2_format *fmt) fmt->fmt.pix.field = V4L2_FIELD_NONE; fmt->fmt.pix.bytesperline = uvc_v4l2_get_bytesperline(uformat, uframe); fmt->fmt.pix.sizeimage = uvc_get_frame_size(uformat, uframe); - fmt->fmt.pix.pixelformat = to_uvc_format(uformat)->fcc; + fmtdesc = to_uvc_format(uformat); + if (IS_ERR(fmtdesc)) + return PTR_ERR(fmtdesc); + fmt->fmt.pix.pixelformat = fmtdesc->fcc; fmt->fmt.pix.colorspace = V4L2_COLORSPACE_SRGB; fmt->fmt.pix.priv = 0; @@ -375,6 +382,9 @@ uvc_v4l2_enum_format(struct file *file, void *fh, struct v4l2_fmtdesc *f) return -EINVAL; fmtdesc = to_uvc_format(uformat); + if (IS_ERR(fmtdesc)) + return PTR_ERR(fmtdesc); + f->pixelformat = fmtdesc->fcc; return 0; -- 2.34.1

2 months, 2 weeks

2
1
0 0

[PATCH v2 1/2] HID: amd_sfh: Fix SRA sensor when it's the only sensor

by Mario Limonciello

From: Mario Limonciello <mario.limonciello(a)amd.com> On systems that only have an SRA sensor connected to SFH the sensor doesn't get enabled due to a bad optimization condition of breaking the sensor walk loop. This optimization is unnecessary in the first place because if there is only one device then the loop only runs once. Drop the condition and explicitly mark sensor as enabled. Reported-by: Yijun Shen <Yijun.Shen(a)dell.com> Tested-By: Yijun Shen <Yijun_Shen(a)Dell.com> Fixes: d1c444b47100d ("HID: amd_sfh: Add support to export device operating states") Cc: stable(a)vger.kernel.org Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> --- v2: * Add tag --- drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c index 25f0ebfcbd5f5..c1bdf1e0d44af 100644 --- a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c +++ b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c @@ -134,9 +134,6 @@ static int amd_sfh1_1_hid_client_init(struct amd_mp2_dev *privdata) for (i = 0; i < cl_data->num_hid_devices; i++) { cl_data->sensor_sts[i] = SENSOR_DISABLED; - if (cl_data->num_hid_devices == 1 && cl_data->sensor_idx[0] == SRA_IDX) - break; - if (cl_data->sensor_idx[i] == SRA_IDX) { info.sensor_idx = cl_data->sensor_idx[i]; writel(0, privdata->mmio + amd_get_p2c_val(privdata, 0)); @@ -145,8 +142,10 @@ static int amd_sfh1_1_hid_client_init(struct amd_mp2_dev *privdata) (privdata, cl_data->sensor_idx[i], ENABLE_SENSOR); cl_data->sensor_sts[i] = (status == 0) ? SENSOR_ENABLED : SENSOR_DISABLED; - if (cl_data->sensor_sts[i] == SENSOR_ENABLED) + if (cl_data->sensor_sts[i] == SENSOR_ENABLED) { + cl_data->is_any_sensor_enabled = true; privdata->dev_en.is_sra_present = true; + } continue; } -- 2.43.0

2 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] serial: stm32: do not deassert RS485 RTS GPIO prematurely" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 2790ce23951f0c497810c44ad60a126a59c8d84c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025040347-submersed-twice-ed97@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2790ce23951f0c497810c44ad60a126a59c8d84c Mon Sep 17 00:00:00 2001 From: Cheick Traore <cheick.traore(a)foss.st.com> Date: Thu, 20 Mar 2025 16:25:40 +0100 Subject: [PATCH] serial: stm32: do not deassert RS485 RTS GPIO prematurely If stm32_usart_start_tx is called with an empty xmit buffer, RTS GPIO could be deasserted prematurely, as bytes in TX FIFO are still transmitting. So this patch remove rts disable when xmit buffer is empty. Fixes: d7c76716169d ("serial: stm32: Use TC interrupt to deassert GPIO RTS in RS485 mode") Cc: stable <stable(a)kernel.org> Signed-off-by: Cheick Traore <cheick.traore(a)foss.st.com> Link: https://lore.kernel.org/r/20250320152540.709091-1-cheick.traore@foss.st.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/stm32-usart.c b/drivers/tty/serial/stm32-usart.c index 4c97965ec43b..ad06b760cfca 100644 --- a/drivers/tty/serial/stm32-usart.c +++ b/drivers/tty/serial/stm32-usart.c @@ -965,10 +965,8 @@ static void stm32_usart_start_tx(struct uart_port *port) { struct tty_port *tport = &port->state->port; - if (kfifo_is_empty(&tport->xmit_fifo) && !port->x_char) { - stm32_usart_rs485_rts_disable(port); + if (kfifo_is_empty(&tport->xmit_fifo) && !port->x_char) return; - } stm32_usart_rs485_rts_enable(port);

2 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] serial: stm32: do not deassert RS485 RTS GPIO prematurely" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 2790ce23951f0c497810c44ad60a126a59c8d84c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025040348-sudoku-backspace-0802@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2790ce23951f0c497810c44ad60a126a59c8d84c Mon Sep 17 00:00:00 2001 From: Cheick Traore <cheick.traore(a)foss.st.com> Date: Thu, 20 Mar 2025 16:25:40 +0100 Subject: [PATCH] serial: stm32: do not deassert RS485 RTS GPIO prematurely If stm32_usart_start_tx is called with an empty xmit buffer, RTS GPIO could be deasserted prematurely, as bytes in TX FIFO are still transmitting. So this patch remove rts disable when xmit buffer is empty. Fixes: d7c76716169d ("serial: stm32: Use TC interrupt to deassert GPIO RTS in RS485 mode") Cc: stable <stable(a)kernel.org> Signed-off-by: Cheick Traore <cheick.traore(a)foss.st.com> Link: https://lore.kernel.org/r/20250320152540.709091-1-cheick.traore@foss.st.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/stm32-usart.c b/drivers/tty/serial/stm32-usart.c index 4c97965ec43b..ad06b760cfca 100644 --- a/drivers/tty/serial/stm32-usart.c +++ b/drivers/tty/serial/stm32-usart.c @@ -965,10 +965,8 @@ static void stm32_usart_start_tx(struct uart_port *port) { struct tty_port *tport = &port->state->port; - if (kfifo_is_empty(&tport->xmit_fifo) && !port->x_char) { - stm32_usart_rs485_rts_disable(port); + if (kfifo_is_empty(&tport->xmit_fifo) && !port->x_char) return; - } stm32_usart_rs485_rts_enable(port);

2 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] serial: stm32: do not deassert RS485 RTS GPIO prematurely" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 2790ce23951f0c497810c44ad60a126a59c8d84c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025040348-deem-hazard-b9f8@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2790ce23951f0c497810c44ad60a126a59c8d84c Mon Sep 17 00:00:00 2001 From: Cheick Traore <cheick.traore(a)foss.st.com> Date: Thu, 20 Mar 2025 16:25:40 +0100 Subject: [PATCH] serial: stm32: do not deassert RS485 RTS GPIO prematurely If stm32_usart_start_tx is called with an empty xmit buffer, RTS GPIO could be deasserted prematurely, as bytes in TX FIFO are still transmitting. So this patch remove rts disable when xmit buffer is empty. Fixes: d7c76716169d ("serial: stm32: Use TC interrupt to deassert GPIO RTS in RS485 mode") Cc: stable <stable(a)kernel.org> Signed-off-by: Cheick Traore <cheick.traore(a)foss.st.com> Link: https://lore.kernel.org/r/20250320152540.709091-1-cheick.traore@foss.st.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/stm32-usart.c b/drivers/tty/serial/stm32-usart.c index 4c97965ec43b..ad06b760cfca 100644 --- a/drivers/tty/serial/stm32-usart.c +++ b/drivers/tty/serial/stm32-usart.c @@ -965,10 +965,8 @@ static void stm32_usart_start_tx(struct uart_port *port) { struct tty_port *tport = &port->state->port; - if (kfifo_is_empty(&tport->xmit_fifo) && !port->x_char) { - stm32_usart_rs485_rts_disable(port); + if (kfifo_is_empty(&tport->xmit_fifo) && !port->x_char) return; - } stm32_usart_rs485_rts_enable(port);

2 months, 2 weeks

1
0
0 0

Re: [PATCH v2] drm/nouveau: Prevent signalled fences in pending list

by Philipp Stanner

On Thu, 2025-04-03 at 15:10 +0200, Christian König wrote: > Am 03.04.25 um 14:58 schrieb Philipp Stanner: > > > > > On Thu, 2025-04-03 at 14:08 +0200, Christian König wrote: > > > > > > > > Am 03.04.25 um 12:13 schrieb Philipp Stanner: > > > > > > > > > > > Nouveau currently relies on the assumption that dma_fences will > > > > only > > > > ever get signalled through nouveau_fence_signal(), which takes > > > > care > > > > of > > > > removing a signalled fence from the list > > > > nouveau_fence_chan.pending. > > > > > > > > This self-imposed rule is violated in nouveau_fence_done(), > > > > where > > > > dma_fence_is_signaled() can signal the fence without removing > > > > it > > > > from > > > > the list. This enables accesses to already signalled fences > > > > through > > > > the > > > > list, which is a bug. > > > > > > > > Furthermore, it must always be possible to use standard > > > > dma_fence > > > > methods an a dma_fence and observe valid behavior. The > > > > canonical > > > > way of > > > > ensuring that signalling a fence has additional effects is to > > > > add > > > > those > > > > effects to a callback and register it on that fence. > > > > > > > > Move the code from nouveau_fence_signal() into a dma_fence > > > > callback. > > > > Register that callback when creating the fence. > > > > > > > > Cc: <stable(a)vger.kernel.org> # 4.10+ > > > > Signed-off-by: Philipp Stanner <phasta(a)kernel.org> > > > > --- > > > > Changes in v2: > > > > - Remove Fixes: tag. (Danilo) > > > > - Remove integer "drop" and call nvif_event_block() in the > > > > fence > > > > callback. (Danilo) > > > > --- > > > > drivers/gpu/drm/nouveau/nouveau_fence.c | 52 +++++++++++++---- > > > > ---- > > > > ---- > > > > drivers/gpu/drm/nouveau/nouveau_fence.h | 1 + > > > > 2 files changed, 29 insertions(+), 24 deletions(-) > > > > > > > > diff --git a/drivers/gpu/drm/nouveau/nouveau_fence.c > > > > b/drivers/gpu/drm/nouveau/nouveau_fence.c > > > > index 7cc84472cece..cf510ef9641a 100644 > > > > --- a/drivers/gpu/drm/nouveau/nouveau_fence.c > > > > +++ b/drivers/gpu/drm/nouveau/nouveau_fence.c > > > > @@ -50,24 +50,24 @@ nouveau_fctx(struct nouveau_fence *fence) > > > > return container_of(fence->base.lock, struct > > > > nouveau_fence_chan, lock); > > > > } > > > > > > > > -static int > > > > -nouveau_fence_signal(struct nouveau_fence *fence) > > > > +static void > > > > +nouveau_fence_cleanup_cb(struct dma_fence *dfence, struct > > > > dma_fence_cb *cb) > > > > { > > > > - int drop = 0; > > > > + struct nouveau_fence_chan *fctx; > > > > + struct nouveau_fence *fence; > > > > + > > > > + fence = container_of(dfence, struct nouveau_fence, > > > > base); > > > > + fctx = nouveau_fctx(fence); > > > > > > > > - dma_fence_signal_locked(&fence->base); > > > > list_del(&fence->head); > > > > rcu_assign_pointer(fence->channel, NULL); > > > > > > > > if (test_bit(DMA_FENCE_FLAG_USER_BITS, &fence- > > > > > > > > > > > > > > base.flags)) { > > > > > > > > > > > > > - struct nouveau_fence_chan *fctx = > > > > nouveau_fctx(fence); > > > > - > > > > if (!--fctx->notify_ref) > > > > - drop = 1; > > > > + nvif_event_block(&fctx->event); > > > > } > > > > > > > > dma_fence_put(&fence->base); > > > > - return drop; > > > > } > > > > > > > > static struct nouveau_fence * > > > > @@ -93,8 +93,7 @@ nouveau_fence_context_kill(struct > > > > nouveau_fence_chan *fctx, int error) > > > > if (error) > > > > dma_fence_set_error(&fence->base, > > > > error); > > > > > > > > - if (nouveau_fence_signal(fence)) > > > > - nvif_event_block(&fctx->event); > > > > + dma_fence_signal_locked(&fence->base); > > > > } > > > > fctx->killed = 1; > > > > spin_unlock_irqrestore(&fctx->lock, flags); > > > > @@ -127,11 +126,10 @@ nouveau_fence_context_free(struct > > > > nouveau_fence_chan *fctx) > > > > kref_put(&fctx->fence_ref, nouveau_fence_context_put); > > > > } > > > > > > > > -static int > > > > +static void > > > > nouveau_fence_update(struct nouveau_channel *chan, struct > > > > nouveau_fence_chan *fctx) > > > > { > > > > struct nouveau_fence *fence; > > > > - int drop = 0; > > > > u32 seq = fctx->read(chan); > > > > > > > > while (!list_empty(&fctx->pending)) { > > > > @@ -140,10 +138,8 @@ nouveau_fence_update(struct > > > > nouveau_channel > > > > *chan, struct nouveau_fence_chan *fc > > > > if ((int)(seq - fence->base.seqno) < 0) > > > > break; > > > > > > > > - drop |= nouveau_fence_signal(fence); > > > > + dma_fence_signal_locked(&fence->base); > > > > } > > > > - > > > > - return drop; > > > > } > > > > > > > > static void > > > > @@ -152,7 +148,6 @@ nouveau_fence_uevent_work(struct > > > > work_struct > > > > *work) > > > > struct nouveau_fence_chan *fctx = container_of(work, > > > > struct nouveau_fence_chan, > > > > > > > > uevent_work); > > > > unsigned long flags; > > > > - int drop = 0; > > > > > > > > spin_lock_irqsave(&fctx->lock, flags); > > > > if (!list_empty(&fctx->pending)) { > > > > @@ -161,11 +156,8 @@ nouveau_fence_uevent_work(struct > > > > work_struct > > > > *work) > > > > > > > > fence = list_entry(fctx->pending.next, > > > > typeof(*fence), head); > > > > chan = rcu_dereference_protected(fence- > > > > >channel, > > > > lockdep_is_held(&fctx->lock)); > > > > - if (nouveau_fence_update(chan, fctx)) > > > > - drop = 1; > > > > + nouveau_fence_update(chan, fctx); > > > > } > > > > - if (drop) > > > > - nvif_event_block(&fctx->event); > > > > > > > > spin_unlock_irqrestore(&fctx->lock, flags); > > > > } > > > > @@ -235,6 +227,19 @@ nouveau_fence_emit(struct nouveau_fence > > > > *fence) > > > > &fctx->lock, fctx->context, > > > > ++fctx- > > > > > > > > > > > > > > sequence); > > > > > > > > > > > > > kref_get(&fctx->fence_ref); > > > > > > > > + fence->cb.func = nouveau_fence_cleanup_cb; > > > > + /* Adding a callback runs into > > > > __dma_fence_enable_signaling(), which will > > > > + * ultimately run into nouveau_fence_no_signaling(), > > > > where > > > > a WARN_ON > > > > + * would fire because the refcount can be dropped > > > > there. > > > > + * > > > > + * Increment the refcount here temporarily to work > > > > around > > > > that. > > > > + */ > > > > + dma_fence_get(&fence->base); > > > > + ret = dma_fence_add_callback(&fence->base, &fence->cb, > > > > nouveau_fence_cleanup_cb); > > > > > > > > > > That looks like a really really awkward approach. The driver > > > basically uses a the DMA fence infrastructure as middle layer and > > > callbacks into itself to cleanup it's own structures. > > > > > > > What else are callbacks good for, if not to do something > > automatically > > when the fence gets signaled? > > > > Well if you add a callback for a signal you issued yourself then > that's kind of awkward. > > E.g. you call into the DMA fence code, just for the DMA fence code > to call yourself back again. Now we're entering CS-Philosophy, because it depends on who "you" and "yourself" are. In case of the driver, yes, naturally it registers a callback because at some other place (e.g., in the driver's interrupt handler) the fence will be signaled and the driver wants the callback stuff to be done. If that's not dma_fences' callbacks' purpose, then I'd be interested in knowing what their purpose is, because from my POV this discussion seems to imply that we effectively must never use them for anything. How could it ever be different? Who, for example, registers dma_fence callbacks while not signaling them "himself"? > > > > > > > > > > > Additional to that we don't guarantee any callback order for the > > > DMA > > > fence and so it can be that mix cleaning up the callback with > > > other > > > work which is certainly not good when you want to guarantee that > > > the > > > cleanup happens under the same lock. > > > > > > > Isn't my perception correct that the primary issue you have with > > this > > approach is that dma_fence_put() is called from within the > > callback? Or > > do you also take issue with deleting from the list? > > > > Well kind of both. The issue is that the caller of > dma_fence_signal() or dma_fence_signal_locked() must hold the > reference until the function returns. > > When you do the list cleanup and the drop inside the callback it is > perfectly possible that the fence pointer becomes stale before you > return and that's really not a good idea. In other words, you would prefer if this patch would have a function with my callback's code in a function, and that function would be called at every place where the driver signals a fence? If that's your opinion, then, IOW, it would mean for us to go almost back to status quo, with nouveau_fence_signal2.0, but with the dma_fence_is_signaled() part fixed. P. > > > > > > > > > > > > > > Instead the call to dma_fence_signal_locked() should probably be > > > removed from nouveau_fence_signal() and into > > > nouveau_fence_context_kill() and nouveau_fence_update(). > > > > > > This way nouveau_fence_is_signaled() can call this function as > > > well. > > > > > > > Which "this function"? dma_fence_signal_locked() > > > > No the cleanup function for the list entry. Whatever you call that > then, the name nouveau_fence_signal() is probably not appropriate any > more. > > > > > > > > > > > > > > BTW: nouveau_fence_no_signaling() looks completely broken as > > > well. It > > > calls nouveau_fence_is_signaled() and then list_del() on the > > > fence > > > head. > > > > > > > I can assure you that a great many things in Nouveau look > > completely > > broken. > > > > The question for us is always the cost-benefit-ratio when fixing > > bugs. > > There are fixes that solve the bug with reasonable effort, and > > there > > are great reworks towards an ideal state. > > > > I would just simply drop that function. As far as I can see it > severs no purpose other than doing exactly what the common DMA fence > code does anyway. > > Just one less thing which could fail. > > Christian. > > > > > > > > P. > > > > > > > > > > > > As far as I can see that is completely superfluous and should > > > probably be dropped. IIRC I once had a patch to clean that up but > > > it > > > was dropped for some reason. > > > > > > Regards, > > > Christian. > > > > > > > > > > > > > > > > > + dma_fence_put(&fence->base); > > > > + if (ret) > > > > + return ret; > > > > + > > > > ret = fctx->emit(fence); > > > > if (!ret) { > > > > dma_fence_get(&fence->base); > > > > @@ -246,8 +251,7 @@ nouveau_fence_emit(struct nouveau_fence > > > > *fence) > > > > return -ENODEV; > > > > } > > > > > > > > - if (nouveau_fence_update(chan, fctx)) > > > > - nvif_event_block(&fctx->event); > > > > + nouveau_fence_update(chan, fctx); > > > > > > > > list_add_tail(&fence->head, &fctx->pending); > > > > spin_unlock_irq(&fctx->lock); > > > > @@ -270,8 +274,8 @@ nouveau_fence_done(struct nouveau_fence > > > > *fence) > > > > > > > > spin_lock_irqsave(&fctx->lock, flags); > > > > chan = rcu_dereference_protected(fence- > > > > >channel, > > > > lockdep_is_held(&fctx->lock)); > > > > - if (chan && nouveau_fence_update(chan, fctx)) > > > > - nvif_event_block(&fctx->event); > > > > + if (chan) > > > > + nouveau_fence_update(chan, fctx); > > > > spin_unlock_irqrestore(&fctx->lock, flags); > > > > } > > > > return dma_fence_is_signaled(&fence->base); > > > > diff --git a/drivers/gpu/drm/nouveau/nouveau_fence.h > > > > b/drivers/gpu/drm/nouveau/nouveau_fence.h > > > > index 8bc065acfe35..e6b2df7fdc42 100644 > > > > --- a/drivers/gpu/drm/nouveau/nouveau_fence.h > > > > +++ b/drivers/gpu/drm/nouveau/nouveau_fence.h > > > > @@ -10,6 +10,7 @@ struct nouveau_bo; > > > > > > > > struct nouveau_fence { > > > > struct dma_fence base; > > > > + struct dma_fence_cb cb; > > > > > > > > struct list_head head; > > > > > > > > > > > > > > >

2 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] tty: serial: lpuart: only disable CTS instead of overwriting" failed to apply to 6.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.14.y git checkout FETCH_HEAD git cherry-pick -x e98ab45ec5182605d2e00114cba3bbf46b0ea27f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025040353-panda-varnish-c8a4@gregkh' --subject-prefix 'PATCH 6.14.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e98ab45ec5182605d2e00114cba3bbf46b0ea27f Mon Sep 17 00:00:00 2001 From: Sherry Sun <sherry.sun(a)nxp.com> Date: Fri, 7 Mar 2025 14:54:46 +0800 Subject: [PATCH] tty: serial: lpuart: only disable CTS instead of overwriting the whole UARTMODIR register No need to overwrite the whole UARTMODIR register before waiting the transmit engine complete, actually our target here is only to disable CTS flow control to avoid the dirty data in TX FIFO may block the transmit engine complete. Also delete the following duplicate CTS disable configuration. Fixes: d5a2e0834364 ("tty: serial: lpuart: disable flow control while waiting for the transmit engine to complete") Cc: stable <stable(a)kernel.org> Signed-off-by: Sherry Sun <sherry.sun(a)nxp.com> Link: https://lore.kernel.org/r/20250307065446.1122482-1-sherry.sun@nxp.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c index c8cc0a241fba..33eeefa6fa8f 100644 --- a/drivers/tty/serial/fsl_lpuart.c +++ b/drivers/tty/serial/fsl_lpuart.c @@ -2349,15 +2349,19 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios, /* update the per-port timeout */ uart_update_timeout(port, termios->c_cflag, baud); + /* + * disable CTS to ensure the transmit engine is not blocked by the flow + * control when there is dirty data in TX FIFO + */ + lpuart32_write(port, modem & ~UARTMODIR_TXCTSE, UARTMODIR); + /* * LPUART Transmission Complete Flag may never be set while queuing a break * character, so skip waiting for transmission complete when UARTCTRL_SBK is * asserted. */ - if (!(old_ctrl & UARTCTRL_SBK)) { - lpuart32_write(port, 0, UARTMODIR); + if (!(old_ctrl & UARTCTRL_SBK)) lpuart32_wait_bit_set(port, UARTSTAT, UARTSTAT_TC); - } /* disable transmit and receive */ lpuart32_write(port, old_ctrl & ~(UARTCTRL_TE | UARTCTRL_RE), @@ -2365,8 +2369,6 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios, lpuart32_write(port, bd, UARTBAUD); lpuart32_serial_setbrg(sport, baud); - /* disable CTS before enabling UARTCTRL_TE to avoid pending idle preamble */ - lpuart32_write(port, modem & ~UARTMODIR_TXCTSE, UARTMODIR); /* restore control register */ lpuart32_write(port, ctrl, UARTCTRL); /* re-enable the CTS if needed */

2 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] tty: serial: lpuart: only disable CTS instead of overwriting" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x e98ab45ec5182605d2e00114cba3bbf46b0ea27f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025040352-makeover-hardening-da0e@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e98ab45ec5182605d2e00114cba3bbf46b0ea27f Mon Sep 17 00:00:00 2001 From: Sherry Sun <sherry.sun(a)nxp.com> Date: Fri, 7 Mar 2025 14:54:46 +0800 Subject: [PATCH] tty: serial: lpuart: only disable CTS instead of overwriting the whole UARTMODIR register No need to overwrite the whole UARTMODIR register before waiting the transmit engine complete, actually our target here is only to disable CTS flow control to avoid the dirty data in TX FIFO may block the transmit engine complete. Also delete the following duplicate CTS disable configuration. Fixes: d5a2e0834364 ("tty: serial: lpuart: disable flow control while waiting for the transmit engine to complete") Cc: stable <stable(a)kernel.org> Signed-off-by: Sherry Sun <sherry.sun(a)nxp.com> Link: https://lore.kernel.org/r/20250307065446.1122482-1-sherry.sun@nxp.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c index c8cc0a241fba..33eeefa6fa8f 100644 --- a/drivers/tty/serial/fsl_lpuart.c +++ b/drivers/tty/serial/fsl_lpuart.c @@ -2349,15 +2349,19 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios, /* update the per-port timeout */ uart_update_timeout(port, termios->c_cflag, baud); + /* + * disable CTS to ensure the transmit engine is not blocked by the flow + * control when there is dirty data in TX FIFO + */ + lpuart32_write(port, modem & ~UARTMODIR_TXCTSE, UARTMODIR); + /* * LPUART Transmission Complete Flag may never be set while queuing a break * character, so skip waiting for transmission complete when UARTCTRL_SBK is * asserted. */ - if (!(old_ctrl & UARTCTRL_SBK)) { - lpuart32_write(port, 0, UARTMODIR); + if (!(old_ctrl & UARTCTRL_SBK)) lpuart32_wait_bit_set(port, UARTSTAT, UARTSTAT_TC); - } /* disable transmit and receive */ lpuart32_write(port, old_ctrl & ~(UARTCTRL_TE | UARTCTRL_RE), @@ -2365,8 +2369,6 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios, lpuart32_write(port, bd, UARTBAUD); lpuart32_serial_setbrg(sport, baud); - /* disable CTS before enabling UARTCTRL_TE to avoid pending idle preamble */ - lpuart32_write(port, modem & ~UARTMODIR_TXCTSE, UARTMODIR); /* restore control register */ lpuart32_write(port, ctrl, UARTCTRL); /* re-enable the CTS if needed */

2 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] tty: serial: lpuart: only disable CTS instead of overwriting" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x e98ab45ec5182605d2e00114cba3bbf46b0ea27f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025040352-shortwave-groom-7165@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e98ab45ec5182605d2e00114cba3bbf46b0ea27f Mon Sep 17 00:00:00 2001 From: Sherry Sun <sherry.sun(a)nxp.com> Date: Fri, 7 Mar 2025 14:54:46 +0800 Subject: [PATCH] tty: serial: lpuart: only disable CTS instead of overwriting the whole UARTMODIR register No need to overwrite the whole UARTMODIR register before waiting the transmit engine complete, actually our target here is only to disable CTS flow control to avoid the dirty data in TX FIFO may block the transmit engine complete. Also delete the following duplicate CTS disable configuration. Fixes: d5a2e0834364 ("tty: serial: lpuart: disable flow control while waiting for the transmit engine to complete") Cc: stable <stable(a)kernel.org> Signed-off-by: Sherry Sun <sherry.sun(a)nxp.com> Link: https://lore.kernel.org/r/20250307065446.1122482-1-sherry.sun@nxp.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c index c8cc0a241fba..33eeefa6fa8f 100644 --- a/drivers/tty/serial/fsl_lpuart.c +++ b/drivers/tty/serial/fsl_lpuart.c @@ -2349,15 +2349,19 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios, /* update the per-port timeout */ uart_update_timeout(port, termios->c_cflag, baud); + /* + * disable CTS to ensure the transmit engine is not blocked by the flow + * control when there is dirty data in TX FIFO + */ + lpuart32_write(port, modem & ~UARTMODIR_TXCTSE, UARTMODIR); + /* * LPUART Transmission Complete Flag may never be set while queuing a break * character, so skip waiting for transmission complete when UARTCTRL_SBK is * asserted. */ - if (!(old_ctrl & UARTCTRL_SBK)) { - lpuart32_write(port, 0, UARTMODIR); + if (!(old_ctrl & UARTCTRL_SBK)) lpuart32_wait_bit_set(port, UARTSTAT, UARTSTAT_TC); - } /* disable transmit and receive */ lpuart32_write(port, old_ctrl & ~(UARTCTRL_TE | UARTCTRL_RE), @@ -2365,8 +2369,6 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios, lpuart32_write(port, bd, UARTBAUD); lpuart32_serial_setbrg(sport, baud); - /* disable CTS before enabling UARTCTRL_TE to avoid pending idle preamble */ - lpuart32_write(port, modem & ~UARTMODIR_TXCTSE, UARTMODIR); /* restore control register */ lpuart32_write(port, ctrl, UARTCTRL); /* re-enable the CTS if needed */

2 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] tty: serial: lpuart: only disable CTS instead of overwriting" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x e98ab45ec5182605d2e00114cba3bbf46b0ea27f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025040351-clay-riches-1f07@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e98ab45ec5182605d2e00114cba3bbf46b0ea27f Mon Sep 17 00:00:00 2001 From: Sherry Sun <sherry.sun(a)nxp.com> Date: Fri, 7 Mar 2025 14:54:46 +0800 Subject: [PATCH] tty: serial: lpuart: only disable CTS instead of overwriting the whole UARTMODIR register No need to overwrite the whole UARTMODIR register before waiting the transmit engine complete, actually our target here is only to disable CTS flow control to avoid the dirty data in TX FIFO may block the transmit engine complete. Also delete the following duplicate CTS disable configuration. Fixes: d5a2e0834364 ("tty: serial: lpuart: disable flow control while waiting for the transmit engine to complete") Cc: stable <stable(a)kernel.org> Signed-off-by: Sherry Sun <sherry.sun(a)nxp.com> Link: https://lore.kernel.org/r/20250307065446.1122482-1-sherry.sun@nxp.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c index c8cc0a241fba..33eeefa6fa8f 100644 --- a/drivers/tty/serial/fsl_lpuart.c +++ b/drivers/tty/serial/fsl_lpuart.c @@ -2349,15 +2349,19 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios, /* update the per-port timeout */ uart_update_timeout(port, termios->c_cflag, baud); + /* + * disable CTS to ensure the transmit engine is not blocked by the flow + * control when there is dirty data in TX FIFO + */ + lpuart32_write(port, modem & ~UARTMODIR_TXCTSE, UARTMODIR); + /* * LPUART Transmission Complete Flag may never be set while queuing a break * character, so skip waiting for transmission complete when UARTCTRL_SBK is * asserted. */ - if (!(old_ctrl & UARTCTRL_SBK)) { - lpuart32_write(port, 0, UARTMODIR); + if (!(old_ctrl & UARTCTRL_SBK)) lpuart32_wait_bit_set(port, UARTSTAT, UARTSTAT_TC); - } /* disable transmit and receive */ lpuart32_write(port, old_ctrl & ~(UARTCTRL_TE | UARTCTRL_RE), @@ -2365,8 +2369,6 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios, lpuart32_write(port, bd, UARTBAUD); lpuart32_serial_setbrg(sport, baud); - /* disable CTS before enabling UARTCTRL_TE to avoid pending idle preamble */ - lpuart32_write(port, modem & ~UARTMODIR_TXCTSE, UARTMODIR); /* restore control register */ lpuart32_write(port, ctrl, UARTCTRL); /* re-enable the CTS if needed */

2 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] tty: serial: lpuart: only disable CTS instead of overwriting" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x e98ab45ec5182605d2e00114cba3bbf46b0ea27f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025040351-unbalance-hypocrite-ec8a@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e98ab45ec5182605d2e00114cba3bbf46b0ea27f Mon Sep 17 00:00:00 2001 From: Sherry Sun <sherry.sun(a)nxp.com> Date: Fri, 7 Mar 2025 14:54:46 +0800 Subject: [PATCH] tty: serial: lpuart: only disable CTS instead of overwriting the whole UARTMODIR register No need to overwrite the whole UARTMODIR register before waiting the transmit engine complete, actually our target here is only to disable CTS flow control to avoid the dirty data in TX FIFO may block the transmit engine complete. Also delete the following duplicate CTS disable configuration. Fixes: d5a2e0834364 ("tty: serial: lpuart: disable flow control while waiting for the transmit engine to complete") Cc: stable <stable(a)kernel.org> Signed-off-by: Sherry Sun <sherry.sun(a)nxp.com> Link: https://lore.kernel.org/r/20250307065446.1122482-1-sherry.sun@nxp.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c index c8cc0a241fba..33eeefa6fa8f 100644 --- a/drivers/tty/serial/fsl_lpuart.c +++ b/drivers/tty/serial/fsl_lpuart.c @@ -2349,15 +2349,19 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios, /* update the per-port timeout */ uart_update_timeout(port, termios->c_cflag, baud); + /* + * disable CTS to ensure the transmit engine is not blocked by the flow + * control when there is dirty data in TX FIFO + */ + lpuart32_write(port, modem & ~UARTMODIR_TXCTSE, UARTMODIR); + /* * LPUART Transmission Complete Flag may never be set while queuing a break * character, so skip waiting for transmission complete when UARTCTRL_SBK is * asserted. */ - if (!(old_ctrl & UARTCTRL_SBK)) { - lpuart32_write(port, 0, UARTMODIR); + if (!(old_ctrl & UARTCTRL_SBK)) lpuart32_wait_bit_set(port, UARTSTAT, UARTSTAT_TC); - } /* disable transmit and receive */ lpuart32_write(port, old_ctrl & ~(UARTCTRL_TE | UARTCTRL_RE), @@ -2365,8 +2369,6 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios, lpuart32_write(port, bd, UARTBAUD); lpuart32_serial_setbrg(sport, baud); - /* disable CTS before enabling UARTCTRL_TE to avoid pending idle preamble */ - lpuart32_write(port, modem & ~UARTMODIR_TXCTSE, UARTMODIR); /* restore control register */ lpuart32_write(port, ctrl, UARTCTRL); /* re-enable the CTS if needed */

2 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] tty: serial: lpuart: only disable CTS instead of overwriting" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x e98ab45ec5182605d2e00114cba3bbf46b0ea27f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025040350-outpour-uplifting-c895@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e98ab45ec5182605d2e00114cba3bbf46b0ea27f Mon Sep 17 00:00:00 2001 From: Sherry Sun <sherry.sun(a)nxp.com> Date: Fri, 7 Mar 2025 14:54:46 +0800 Subject: [PATCH] tty: serial: lpuart: only disable CTS instead of overwriting the whole UARTMODIR register No need to overwrite the whole UARTMODIR register before waiting the transmit engine complete, actually our target here is only to disable CTS flow control to avoid the dirty data in TX FIFO may block the transmit engine complete. Also delete the following duplicate CTS disable configuration. Fixes: d5a2e0834364 ("tty: serial: lpuart: disable flow control while waiting for the transmit engine to complete") Cc: stable <stable(a)kernel.org> Signed-off-by: Sherry Sun <sherry.sun(a)nxp.com> Link: https://lore.kernel.org/r/20250307065446.1122482-1-sherry.sun@nxp.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c index c8cc0a241fba..33eeefa6fa8f 100644 --- a/drivers/tty/serial/fsl_lpuart.c +++ b/drivers/tty/serial/fsl_lpuart.c @@ -2349,15 +2349,19 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios, /* update the per-port timeout */ uart_update_timeout(port, termios->c_cflag, baud); + /* + * disable CTS to ensure the transmit engine is not blocked by the flow + * control when there is dirty data in TX FIFO + */ + lpuart32_write(port, modem & ~UARTMODIR_TXCTSE, UARTMODIR); + /* * LPUART Transmission Complete Flag may never be set while queuing a break * character, so skip waiting for transmission complete when UARTCTRL_SBK is * asserted. */ - if (!(old_ctrl & UARTCTRL_SBK)) { - lpuart32_write(port, 0, UARTMODIR); + if (!(old_ctrl & UARTCTRL_SBK)) lpuart32_wait_bit_set(port, UARTSTAT, UARTSTAT_TC); - } /* disable transmit and receive */ lpuart32_write(port, old_ctrl & ~(UARTCTRL_TE | UARTCTRL_RE), @@ -2365,8 +2369,6 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios, lpuart32_write(port, bd, UARTBAUD); lpuart32_serial_setbrg(sport, baud); - /* disable CTS before enabling UARTCTRL_TE to avoid pending idle preamble */ - lpuart32_write(port, modem & ~UARTMODIR_TXCTSE, UARTMODIR); /* restore control register */ lpuart32_write(port, ctrl, UARTCTRL); /* re-enable the CTS if needed */

2 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] tty: serial: lpuart: only disable CTS instead of overwriting" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x e98ab45ec5182605d2e00114cba3bbf46b0ea27f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025040350-genre-establish-976c@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e98ab45ec5182605d2e00114cba3bbf46b0ea27f Mon Sep 17 00:00:00 2001 From: Sherry Sun <sherry.sun(a)nxp.com> Date: Fri, 7 Mar 2025 14:54:46 +0800 Subject: [PATCH] tty: serial: lpuart: only disable CTS instead of overwriting the whole UARTMODIR register No need to overwrite the whole UARTMODIR register before waiting the transmit engine complete, actually our target here is only to disable CTS flow control to avoid the dirty data in TX FIFO may block the transmit engine complete. Also delete the following duplicate CTS disable configuration. Fixes: d5a2e0834364 ("tty: serial: lpuart: disable flow control while waiting for the transmit engine to complete") Cc: stable <stable(a)kernel.org> Signed-off-by: Sherry Sun <sherry.sun(a)nxp.com> Link: https://lore.kernel.org/r/20250307065446.1122482-1-sherry.sun@nxp.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c index c8cc0a241fba..33eeefa6fa8f 100644 --- a/drivers/tty/serial/fsl_lpuart.c +++ b/drivers/tty/serial/fsl_lpuart.c @@ -2349,15 +2349,19 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios, /* update the per-port timeout */ uart_update_timeout(port, termios->c_cflag, baud); + /* + * disable CTS to ensure the transmit engine is not blocked by the flow + * control when there is dirty data in TX FIFO + */ + lpuart32_write(port, modem & ~UARTMODIR_TXCTSE, UARTMODIR); + /* * LPUART Transmission Complete Flag may never be set while queuing a break * character, so skip waiting for transmission complete when UARTCTRL_SBK is * asserted. */ - if (!(old_ctrl & UARTCTRL_SBK)) { - lpuart32_write(port, 0, UARTMODIR); + if (!(old_ctrl & UARTCTRL_SBK)) lpuart32_wait_bit_set(port, UARTSTAT, UARTSTAT_TC); - } /* disable transmit and receive */ lpuart32_write(port, old_ctrl & ~(UARTCTRL_TE | UARTCTRL_RE), @@ -2365,8 +2369,6 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios, lpuart32_write(port, bd, UARTBAUD); lpuart32_serial_setbrg(sport, baud); - /* disable CTS before enabling UARTCTRL_TE to avoid pending idle preamble */ - lpuart32_write(port, modem & ~UARTMODIR_TXCTSE, UARTMODIR); /* restore control register */ lpuart32_write(port, ctrl, UARTCTRL); /* re-enable the CTS if needed */

2 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] tty: serial: lpuart: only disable CTS instead of overwriting" failed to apply to 6.13-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.13-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.13.y git checkout FETCH_HEAD git cherry-pick -x e98ab45ec5182605d2e00114cba3bbf46b0ea27f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025040349-defrost-doubling-19f6@gregkh' --subject-prefix 'PATCH 6.13.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e98ab45ec5182605d2e00114cba3bbf46b0ea27f Mon Sep 17 00:00:00 2001 From: Sherry Sun <sherry.sun(a)nxp.com> Date: Fri, 7 Mar 2025 14:54:46 +0800 Subject: [PATCH] tty: serial: lpuart: only disable CTS instead of overwriting the whole UARTMODIR register No need to overwrite the whole UARTMODIR register before waiting the transmit engine complete, actually our target here is only to disable CTS flow control to avoid the dirty data in TX FIFO may block the transmit engine complete. Also delete the following duplicate CTS disable configuration. Fixes: d5a2e0834364 ("tty: serial: lpuart: disable flow control while waiting for the transmit engine to complete") Cc: stable <stable(a)kernel.org> Signed-off-by: Sherry Sun <sherry.sun(a)nxp.com> Link: https://lore.kernel.org/r/20250307065446.1122482-1-sherry.sun@nxp.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c index c8cc0a241fba..33eeefa6fa8f 100644 --- a/drivers/tty/serial/fsl_lpuart.c +++ b/drivers/tty/serial/fsl_lpuart.c @@ -2349,15 +2349,19 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios, /* update the per-port timeout */ uart_update_timeout(port, termios->c_cflag, baud); + /* + * disable CTS to ensure the transmit engine is not blocked by the flow + * control when there is dirty data in TX FIFO + */ + lpuart32_write(port, modem & ~UARTMODIR_TXCTSE, UARTMODIR); + /* * LPUART Transmission Complete Flag may never be set while queuing a break * character, so skip waiting for transmission complete when UARTCTRL_SBK is * asserted. */ - if (!(old_ctrl & UARTCTRL_SBK)) { - lpuart32_write(port, 0, UARTMODIR); + if (!(old_ctrl & UARTCTRL_SBK)) lpuart32_wait_bit_set(port, UARTSTAT, UARTSTAT_TC); - } /* disable transmit and receive */ lpuart32_write(port, old_ctrl & ~(UARTCTRL_TE | UARTCTRL_RE), @@ -2365,8 +2369,6 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios, lpuart32_write(port, bd, UARTBAUD); lpuart32_serial_setbrg(sport, baud); - /* disable CTS before enabling UARTCTRL_TE to avoid pending idle preamble */ - lpuart32_write(port, modem & ~UARTMODIR_TXCTSE, UARTMODIR); /* restore control register */ lpuart32_write(port, ctrl, UARTCTRL); /* re-enable the CTS if needed */

2 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] tty: serial: fsl_lpuart: disable transmitter before changing" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x f5cb528d6441eb860250a2f085773aac4f44085e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025040331-baking-headgear-81e4@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f5cb528d6441eb860250a2f085773aac4f44085e Mon Sep 17 00:00:00 2001 From: Sherry Sun <sherry.sun(a)nxp.com> Date: Wed, 12 Mar 2025 10:25:03 +0800 Subject: [PATCH] tty: serial: fsl_lpuart: disable transmitter before changing RS485 related registers According to the LPUART reference manual, TXRTSE and TXRTSPOL of MODIR register only can be changed when the transmitter is disabled. So disable the transmitter before changing RS485 related registers and re-enable it after the change is done. Fixes: 67b01837861c ("tty: serial: lpuart: Add RS485 support for 32-bit uart flavour") Cc: stable <stable(a)kernel.org> Signed-off-by: Sherry Sun <sherry.sun(a)nxp.com> Reviewed-by: Frank Li <Frank.Li(a)nxp.com> Link: https://lore.kernel.org/r/20250312022503.1342990-1-sherry.sun@nxp.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c index 91d02c55c470..203ec3b46304 100644 --- a/drivers/tty/serial/fsl_lpuart.c +++ b/drivers/tty/serial/fsl_lpuart.c @@ -1484,6 +1484,19 @@ static int lpuart32_config_rs485(struct uart_port *port, struct ktermios *termio unsigned long modem = lpuart32_read(&sport->port, UARTMODIR) & ~(UARTMODIR_TXRTSPOL | UARTMODIR_TXRTSE); + u32 ctrl; + + /* TXRTSE and TXRTSPOL only can be changed when transmitter is disabled. */ + ctrl = lpuart32_read(&sport->port, UARTCTRL); + if (ctrl & UARTCTRL_TE) { + /* wait for the transmit engine to complete */ + lpuart32_wait_bit_set(&sport->port, UARTSTAT, UARTSTAT_TC); + lpuart32_write(&sport->port, ctrl & ~UARTCTRL_TE, UARTCTRL); + + while (lpuart32_read(&sport->port, UARTCTRL) & UARTCTRL_TE) + cpu_relax(); + } + lpuart32_write(&sport->port, modem, UARTMODIR); if (rs485->flags & SER_RS485_ENABLED) { @@ -1503,6 +1516,10 @@ static int lpuart32_config_rs485(struct uart_port *port, struct ktermios *termio } lpuart32_write(&sport->port, modem, UARTMODIR); + + if (ctrl & UARTCTRL_TE) + lpuart32_write(&sport->port, ctrl, UARTCTRL); + return 0; }

2 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] tty: serial: fsl_lpuart: disable transmitter before changing" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x f5cb528d6441eb860250a2f085773aac4f44085e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025040331-curler-acclaim-baee@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f5cb528d6441eb860250a2f085773aac4f44085e Mon Sep 17 00:00:00 2001 From: Sherry Sun <sherry.sun(a)nxp.com> Date: Wed, 12 Mar 2025 10:25:03 +0800 Subject: [PATCH] tty: serial: fsl_lpuart: disable transmitter before changing RS485 related registers According to the LPUART reference manual, TXRTSE and TXRTSPOL of MODIR register only can be changed when the transmitter is disabled. So disable the transmitter before changing RS485 related registers and re-enable it after the change is done. Fixes: 67b01837861c ("tty: serial: lpuart: Add RS485 support for 32-bit uart flavour") Cc: stable <stable(a)kernel.org> Signed-off-by: Sherry Sun <sherry.sun(a)nxp.com> Reviewed-by: Frank Li <Frank.Li(a)nxp.com> Link: https://lore.kernel.org/r/20250312022503.1342990-1-sherry.sun@nxp.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c index 91d02c55c470..203ec3b46304 100644 --- a/drivers/tty/serial/fsl_lpuart.c +++ b/drivers/tty/serial/fsl_lpuart.c @@ -1484,6 +1484,19 @@ static int lpuart32_config_rs485(struct uart_port *port, struct ktermios *termio unsigned long modem = lpuart32_read(&sport->port, UARTMODIR) & ~(UARTMODIR_TXRTSPOL | UARTMODIR_TXRTSE); + u32 ctrl; + + /* TXRTSE and TXRTSPOL only can be changed when transmitter is disabled. */ + ctrl = lpuart32_read(&sport->port, UARTCTRL); + if (ctrl & UARTCTRL_TE) { + /* wait for the transmit engine to complete */ + lpuart32_wait_bit_set(&sport->port, UARTSTAT, UARTSTAT_TC); + lpuart32_write(&sport->port, ctrl & ~UARTCTRL_TE, UARTCTRL); + + while (lpuart32_read(&sport->port, UARTCTRL) & UARTCTRL_TE) + cpu_relax(); + } + lpuart32_write(&sport->port, modem, UARTMODIR); if (rs485->flags & SER_RS485_ENABLED) { @@ -1503,6 +1516,10 @@ static int lpuart32_config_rs485(struct uart_port *port, struct ktermios *termio } lpuart32_write(&sport->port, modem, UARTMODIR); + + if (ctrl & UARTCTRL_TE) + lpuart32_write(&sport->port, ctrl, UARTCTRL); + return 0; }

2 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] tty: serial: fsl_lpuart: disable transmitter before changing" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x f5cb528d6441eb860250a2f085773aac4f44085e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025040331-drivable-partake-4157@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f5cb528d6441eb860250a2f085773aac4f44085e Mon Sep 17 00:00:00 2001 From: Sherry Sun <sherry.sun(a)nxp.com> Date: Wed, 12 Mar 2025 10:25:03 +0800 Subject: [PATCH] tty: serial: fsl_lpuart: disable transmitter before changing RS485 related registers According to the LPUART reference manual, TXRTSE and TXRTSPOL of MODIR register only can be changed when the transmitter is disabled. So disable the transmitter before changing RS485 related registers and re-enable it after the change is done. Fixes: 67b01837861c ("tty: serial: lpuart: Add RS485 support for 32-bit uart flavour") Cc: stable <stable(a)kernel.org> Signed-off-by: Sherry Sun <sherry.sun(a)nxp.com> Reviewed-by: Frank Li <Frank.Li(a)nxp.com> Link: https://lore.kernel.org/r/20250312022503.1342990-1-sherry.sun@nxp.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c index 91d02c55c470..203ec3b46304 100644 --- a/drivers/tty/serial/fsl_lpuart.c +++ b/drivers/tty/serial/fsl_lpuart.c @@ -1484,6 +1484,19 @@ static int lpuart32_config_rs485(struct uart_port *port, struct ktermios *termio unsigned long modem = lpuart32_read(&sport->port, UARTMODIR) & ~(UARTMODIR_TXRTSPOL | UARTMODIR_TXRTSE); + u32 ctrl; + + /* TXRTSE and TXRTSPOL only can be changed when transmitter is disabled. */ + ctrl = lpuart32_read(&sport->port, UARTCTRL); + if (ctrl & UARTCTRL_TE) { + /* wait for the transmit engine to complete */ + lpuart32_wait_bit_set(&sport->port, UARTSTAT, UARTSTAT_TC); + lpuart32_write(&sport->port, ctrl & ~UARTCTRL_TE, UARTCTRL); + + while (lpuart32_read(&sport->port, UARTCTRL) & UARTCTRL_TE) + cpu_relax(); + } + lpuart32_write(&sport->port, modem, UARTMODIR); if (rs485->flags & SER_RS485_ENABLED) { @@ -1503,6 +1516,10 @@ static int lpuart32_config_rs485(struct uart_port *port, struct ktermios *termio } lpuart32_write(&sport->port, modem, UARTMODIR); + + if (ctrl & UARTCTRL_TE) + lpuart32_write(&sport->port, ctrl, UARTCTRL); + return 0; }

2 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] tty: serial: fsl_lpuart: disable transmitter before changing" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x f5cb528d6441eb860250a2f085773aac4f44085e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025040330-immunity-crouch-2b64@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f5cb528d6441eb860250a2f085773aac4f44085e Mon Sep 17 00:00:00 2001 From: Sherry Sun <sherry.sun(a)nxp.com> Date: Wed, 12 Mar 2025 10:25:03 +0800 Subject: [PATCH] tty: serial: fsl_lpuart: disable transmitter before changing RS485 related registers According to the LPUART reference manual, TXRTSE and TXRTSPOL of MODIR register only can be changed when the transmitter is disabled. So disable the transmitter before changing RS485 related registers and re-enable it after the change is done. Fixes: 67b01837861c ("tty: serial: lpuart: Add RS485 support for 32-bit uart flavour") Cc: stable <stable(a)kernel.org> Signed-off-by: Sherry Sun <sherry.sun(a)nxp.com> Reviewed-by: Frank Li <Frank.Li(a)nxp.com> Link: https://lore.kernel.org/r/20250312022503.1342990-1-sherry.sun@nxp.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c index 91d02c55c470..203ec3b46304 100644 --- a/drivers/tty/serial/fsl_lpuart.c +++ b/drivers/tty/serial/fsl_lpuart.c @@ -1484,6 +1484,19 @@ static int lpuart32_config_rs485(struct uart_port *port, struct ktermios *termio unsigned long modem = lpuart32_read(&sport->port, UARTMODIR) & ~(UARTMODIR_TXRTSPOL | UARTMODIR_TXRTSE); + u32 ctrl; + + /* TXRTSE and TXRTSPOL only can be changed when transmitter is disabled. */ + ctrl = lpuart32_read(&sport->port, UARTCTRL); + if (ctrl & UARTCTRL_TE) { + /* wait for the transmit engine to complete */ + lpuart32_wait_bit_set(&sport->port, UARTSTAT, UARTSTAT_TC); + lpuart32_write(&sport->port, ctrl & ~UARTCTRL_TE, UARTCTRL); + + while (lpuart32_read(&sport->port, UARTCTRL) & UARTCTRL_TE) + cpu_relax(); + } + lpuart32_write(&sport->port, modem, UARTMODIR); if (rs485->flags & SER_RS485_ENABLED) { @@ -1503,6 +1516,10 @@ static int lpuart32_config_rs485(struct uart_port *port, struct ktermios *termio } lpuart32_write(&sport->port, modem, UARTMODIR); + + if (ctrl & UARTCTRL_TE) + lpuart32_write(&sport->port, ctrl, UARTCTRL); + return 0; }

2 months, 2 weeks

1
0
0 0

[PATCH] bus: mhi: ep: Update read pointer only after buffer is written

by Sumit Kumar

Inside mhi_ep_ring_add_element, the read pointer (rd_offset) is updated before the buffer is written, potentially causing race conditions where the host sees an updated read pointer before the buffer is actually written. Updating rd_offset prematurely can lead to the host accessing an uninitialized or incomplete element, resulting in data corruption. Invoke the buffer write before updating rd_offset to ensure the element is fully written before signaling its availability. Fixes: bbdcba57a1a2 ("bus: mhi: ep: Add support for ring management") cc: stable(a)vger.kernel.org Co-developed-by: Youssef Samir <quic_yabdulra(a)quicinc.com> Signed-off-by: Youssef Samir <quic_yabdulra(a)quicinc.com> Signed-off-by: Sumit Kumar <quic_sumk(a)quicinc.com> --- drivers/bus/mhi/ep/ring.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/drivers/bus/mhi/ep/ring.c b/drivers/bus/mhi/ep/ring.c index aeb53b2c34a8cd859393529d0c8860462bc687ed..26357ee68dee984d70ae5bf39f8f09f2cbcafe30 100644 --- a/drivers/bus/mhi/ep/ring.c +++ b/drivers/bus/mhi/ep/ring.c @@ -131,19 +131,23 @@ int mhi_ep_ring_add_element(struct mhi_ep_ring *ring, struct mhi_ring_element *e } old_offset = ring->rd_offset; - mhi_ep_ring_inc_index(ring); dev_dbg(dev, "Adding an element to ring at offset (%zu)\n", ring->rd_offset); + buf_info.host_addr = ring->rbase + (old_offset * sizeof(*el)); + buf_info.dev_addr = el; + buf_info.size = sizeof(*el); + + ret = mhi_cntrl->write_sync(mhi_cntrl, &buf_info); + if (ret) + return ret; + + mhi_ep_ring_inc_index(ring); /* Update rp in ring context */ rp = cpu_to_le64(ring->rd_offset * sizeof(*el) + ring->rbase); memcpy_toio((void __iomem *) &ring->ring_ctx->generic.rp, &rp, sizeof(u64)); - buf_info.host_addr = ring->rbase + (old_offset * sizeof(*el)); - buf_info.dev_addr = el; - buf_info.size = sizeof(*el); - - return mhi_cntrl->write_sync(mhi_cntrl, &buf_info); + return ret; } void mhi_ep_ring_init(struct mhi_ep_ring *ring, enum mhi_ep_ring_type type, u32 id) --- base-commit: 1e26c5e28ca5821a824e90dd359556f5e9e7b89f change-id: 20250328-rp_fix-d7ebc18bc3be Best regards, -- Sumit Kumar <quic_sumk(a)quicinc.com>

2 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] staging: gpib: Fix Oops after disconnect in agilent usb" failed to apply to 6.13-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.13-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.13.y git checkout FETCH_HEAD git cherry-pick -x 8491e73a5223acb0a4b4d78c3f8b96aa9c5e774d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025040317-flatterer-trio-16c9@gregkh' --subject-prefix 'PATCH 6.13.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8491e73a5223acb0a4b4d78c3f8b96aa9c5e774d Mon Sep 17 00:00:00 2001 From: Dave Penkler <dpenkler(a)gmail.com> Date: Sat, 22 Feb 2025 21:45:15 +0100 Subject: [PATCH] staging: gpib: Fix Oops after disconnect in agilent usb If the agilent usb dongle is disconnected subsequent calls to the driver cause a NULL dereference Oops as the bus_interface is set to NULL on disconnect. This problem was introduced by setting usb_dev from the bus_interface for dev_xxx messages. Previously bus_interface was checked for NULL only in the functions directly calling usb_fill_bulk_urb or usb_control_msg. Check for valid bus_interface on all interface entry points and return -ENODEV if it is NULL. Fixes: fbae7090f30c ("staging: gpib: Update messaging and usb_device refs in agilent_usb") Cc: stable <stable(a)kernel.org> Signed-off-by: Dave Penkler <dpenkler(a)gmail.com> Link: https://lore.kernel.org/r/20250222204515.5104-1-dpenkler@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/staging/gpib/agilent_82357a/agilent_82357a.c b/drivers/staging/gpib/agilent_82357a/agilent_82357a.c index 7ebebe00dc48..e0d36f0dff25 100644 --- a/drivers/staging/gpib/agilent_82357a/agilent_82357a.c +++ b/drivers/staging/gpib/agilent_82357a/agilent_82357a.c @@ -427,7 +427,7 @@ static int agilent_82357a_read(gpib_board_t *board, uint8_t *buffer, size_t leng { int retval; struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; int out_data_length, in_data_length; int bytes_written, bytes_read; @@ -438,6 +438,10 @@ static int agilent_82357a_read(gpib_board_t *board, uint8_t *buffer, size_t leng *nbytes = 0; *end = 0; + + if (!a_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(a_priv->bus_interface); out_data_length = 0x9; out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) @@ -534,7 +538,7 @@ static ssize_t agilent_82357a_generic_write(gpib_board_t *board, uint8_t *buffer { int retval; struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data = NULL; u8 *status_data = NULL; int out_data_length; @@ -545,6 +549,10 @@ static ssize_t agilent_82357a_generic_write(gpib_board_t *board, uint8_t *buffer struct agilent_82357a_register_pairlet read_reg; *bytes_written = 0; + if (!a_priv->bus_interface) + return -ENODEV; + + usb_dev = interface_to_usbdev(a_priv->bus_interface); out_data_length = length + 0x8; out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) @@ -697,9 +705,13 @@ int agilent_82357a_take_control_internal(gpib_board_t *board, int synchronous) static int agilent_82357a_take_control(gpib_board_t *board, int synchronous) { + struct agilent_82357a_priv *a_priv = board->private_data; const int timeout = 10; int i; + if (!a_priv->bus_interface) + return -ENODEV; + /* It looks like the 9914 does not handle tcs properly. * See comment above tms9914_take_control_workaround() in * drivers/gpib/tms9914/tms9914_aux.c @@ -723,10 +735,14 @@ static int agilent_82357a_take_control(gpib_board_t *board, int synchronous) static int agilent_82357a_go_to_standby(gpib_board_t *board) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet write; int retval; + if (!a_priv->bus_interface) + return -ENODEV; + + usb_dev = interface_to_usbdev(a_priv->bus_interface); write.address = AUXCR; write.value = AUX_GTS; retval = agilent_82357a_write_registers(a_priv, &write, 1); @@ -739,11 +755,15 @@ static int agilent_82357a_go_to_standby(gpib_board_t *board) static void agilent_82357a_request_system_control(gpib_board_t *board, int request_control) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet writes[2]; int retval; int i = 0; + if (!a_priv->bus_interface) + return; // -ENODEV; + + usb_dev = interface_to_usbdev(a_priv->bus_interface); /* 82357B needs bit to be set in 9914 AUXCR register */ writes[i].address = AUXCR; if (request_control) { @@ -767,10 +787,14 @@ static void agilent_82357a_request_system_control(gpib_board_t *board, int reque static void agilent_82357a_interface_clear(gpib_board_t *board, int assert) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet write; int retval; + if (!a_priv->bus_interface) + return; // -ENODEV; + + usb_dev = interface_to_usbdev(a_priv->bus_interface); write.address = AUXCR; write.value = AUX_SIC; if (assert) { @@ -785,10 +809,14 @@ static void agilent_82357a_interface_clear(gpib_board_t *board, int assert) static void agilent_82357a_remote_enable(gpib_board_t *board, int enable) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet write; int retval; + if (!a_priv->bus_interface) + return; //-ENODEV; + + usb_dev = interface_to_usbdev(a_priv->bus_interface); write.address = AUXCR; write.value = AUX_SRE; if (enable) @@ -804,6 +832,8 @@ static int agilent_82357a_enable_eos(gpib_board_t *board, uint8_t eos_byte, int { struct agilent_82357a_priv *a_priv = board->private_data; + if (!a_priv->bus_interface) + return -ENODEV; if (compare_8_bits == 0) return -EOPNOTSUPP; @@ -822,10 +852,13 @@ static void agilent_82357a_disable_eos(gpib_board_t *board) static unsigned int agilent_82357a_update_status(gpib_board_t *board, unsigned int clear_mask) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet address_status, bus_status; int retval; + if (!a_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(a_priv->bus_interface); board->status &= ~clear_mask; if (a_priv->is_cic) set_bit(CIC_NUM, &board->status); @@ -885,6 +918,9 @@ static int agilent_82357a_primary_address(gpib_board_t *board, unsigned int addr struct agilent_82357a_register_pairlet write; int retval; + if (!a_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(a_priv->bus_interface); // put primary address in address0 write.address = ADR; write.value = address & ADDRESS_MASK; @@ -906,11 +942,14 @@ static int agilent_82357a_secondary_address(gpib_board_t *board, unsigned int ad static int agilent_82357a_parallel_poll(gpib_board_t *board, uint8_t *result) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet writes[2]; struct agilent_82357a_register_pairlet read; int retval; + if (!a_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(a_priv->bus_interface); // execute parallel poll writes[0].address = AUXCR; writes[0].value = AUX_CS | AUX_RPP; @@ -975,11 +1014,14 @@ static void agilent_82357a_return_to_local(gpib_board_t *board) static int agilent_82357a_line_status(const gpib_board_t *board) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet bus_status; int retval; int status = ValidALL; + if (!a_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(a_priv->bus_interface); bus_status.address = BSR; retval = agilent_82357a_read_registers(a_priv, &bus_status, 1, 0); if (retval) { @@ -1025,10 +1067,13 @@ static unsigned short nanosec_to_fast_talker_bits(unsigned int *nanosec) static unsigned int agilent_82357a_t1_delay(gpib_board_t *board, unsigned int nanosec) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet write; int retval; + if (!a_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(a_priv->bus_interface); write.address = FAST_TALKER_T1; write.value = nanosec_to_fast_talker_bits(&nanosec); retval = agilent_82357a_write_registers(a_priv, &write, 1);

2 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] staging: gpib: Fix Oops after disconnect in agilent usb" failed to apply to 6.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.14.y git checkout FETCH_HEAD git cherry-pick -x 8491e73a5223acb0a4b4d78c3f8b96aa9c5e774d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025040316-trespass-fencing-02e9@gregkh' --subject-prefix 'PATCH 6.14.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8491e73a5223acb0a4b4d78c3f8b96aa9c5e774d Mon Sep 17 00:00:00 2001 From: Dave Penkler <dpenkler(a)gmail.com> Date: Sat, 22 Feb 2025 21:45:15 +0100 Subject: [PATCH] staging: gpib: Fix Oops after disconnect in agilent usb If the agilent usb dongle is disconnected subsequent calls to the driver cause a NULL dereference Oops as the bus_interface is set to NULL on disconnect. This problem was introduced by setting usb_dev from the bus_interface for dev_xxx messages. Previously bus_interface was checked for NULL only in the functions directly calling usb_fill_bulk_urb or usb_control_msg. Check for valid bus_interface on all interface entry points and return -ENODEV if it is NULL. Fixes: fbae7090f30c ("staging: gpib: Update messaging and usb_device refs in agilent_usb") Cc: stable <stable(a)kernel.org> Signed-off-by: Dave Penkler <dpenkler(a)gmail.com> Link: https://lore.kernel.org/r/20250222204515.5104-1-dpenkler@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/staging/gpib/agilent_82357a/agilent_82357a.c b/drivers/staging/gpib/agilent_82357a/agilent_82357a.c index 7ebebe00dc48..e0d36f0dff25 100644 --- a/drivers/staging/gpib/agilent_82357a/agilent_82357a.c +++ b/drivers/staging/gpib/agilent_82357a/agilent_82357a.c @@ -427,7 +427,7 @@ static int agilent_82357a_read(gpib_board_t *board, uint8_t *buffer, size_t leng { int retval; struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; int out_data_length, in_data_length; int bytes_written, bytes_read; @@ -438,6 +438,10 @@ static int agilent_82357a_read(gpib_board_t *board, uint8_t *buffer, size_t leng *nbytes = 0; *end = 0; + + if (!a_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(a_priv->bus_interface); out_data_length = 0x9; out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) @@ -534,7 +538,7 @@ static ssize_t agilent_82357a_generic_write(gpib_board_t *board, uint8_t *buffer { int retval; struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data = NULL; u8 *status_data = NULL; int out_data_length; @@ -545,6 +549,10 @@ static ssize_t agilent_82357a_generic_write(gpib_board_t *board, uint8_t *buffer struct agilent_82357a_register_pairlet read_reg; *bytes_written = 0; + if (!a_priv->bus_interface) + return -ENODEV; + + usb_dev = interface_to_usbdev(a_priv->bus_interface); out_data_length = length + 0x8; out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) @@ -697,9 +705,13 @@ int agilent_82357a_take_control_internal(gpib_board_t *board, int synchronous) static int agilent_82357a_take_control(gpib_board_t *board, int synchronous) { + struct agilent_82357a_priv *a_priv = board->private_data; const int timeout = 10; int i; + if (!a_priv->bus_interface) + return -ENODEV; + /* It looks like the 9914 does not handle tcs properly. * See comment above tms9914_take_control_workaround() in * drivers/gpib/tms9914/tms9914_aux.c @@ -723,10 +735,14 @@ static int agilent_82357a_take_control(gpib_board_t *board, int synchronous) static int agilent_82357a_go_to_standby(gpib_board_t *board) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet write; int retval; + if (!a_priv->bus_interface) + return -ENODEV; + + usb_dev = interface_to_usbdev(a_priv->bus_interface); write.address = AUXCR; write.value = AUX_GTS; retval = agilent_82357a_write_registers(a_priv, &write, 1); @@ -739,11 +755,15 @@ static int agilent_82357a_go_to_standby(gpib_board_t *board) static void agilent_82357a_request_system_control(gpib_board_t *board, int request_control) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet writes[2]; int retval; int i = 0; + if (!a_priv->bus_interface) + return; // -ENODEV; + + usb_dev = interface_to_usbdev(a_priv->bus_interface); /* 82357B needs bit to be set in 9914 AUXCR register */ writes[i].address = AUXCR; if (request_control) { @@ -767,10 +787,14 @@ static void agilent_82357a_request_system_control(gpib_board_t *board, int reque static void agilent_82357a_interface_clear(gpib_board_t *board, int assert) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet write; int retval; + if (!a_priv->bus_interface) + return; // -ENODEV; + + usb_dev = interface_to_usbdev(a_priv->bus_interface); write.address = AUXCR; write.value = AUX_SIC; if (assert) { @@ -785,10 +809,14 @@ static void agilent_82357a_interface_clear(gpib_board_t *board, int assert) static void agilent_82357a_remote_enable(gpib_board_t *board, int enable) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet write; int retval; + if (!a_priv->bus_interface) + return; //-ENODEV; + + usb_dev = interface_to_usbdev(a_priv->bus_interface); write.address = AUXCR; write.value = AUX_SRE; if (enable) @@ -804,6 +832,8 @@ static int agilent_82357a_enable_eos(gpib_board_t *board, uint8_t eos_byte, int { struct agilent_82357a_priv *a_priv = board->private_data; + if (!a_priv->bus_interface) + return -ENODEV; if (compare_8_bits == 0) return -EOPNOTSUPP; @@ -822,10 +852,13 @@ static void agilent_82357a_disable_eos(gpib_board_t *board) static unsigned int agilent_82357a_update_status(gpib_board_t *board, unsigned int clear_mask) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet address_status, bus_status; int retval; + if (!a_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(a_priv->bus_interface); board->status &= ~clear_mask; if (a_priv->is_cic) set_bit(CIC_NUM, &board->status); @@ -885,6 +918,9 @@ static int agilent_82357a_primary_address(gpib_board_t *board, unsigned int addr struct agilent_82357a_register_pairlet write; int retval; + if (!a_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(a_priv->bus_interface); // put primary address in address0 write.address = ADR; write.value = address & ADDRESS_MASK; @@ -906,11 +942,14 @@ static int agilent_82357a_secondary_address(gpib_board_t *board, unsigned int ad static int agilent_82357a_parallel_poll(gpib_board_t *board, uint8_t *result) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet writes[2]; struct agilent_82357a_register_pairlet read; int retval; + if (!a_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(a_priv->bus_interface); // execute parallel poll writes[0].address = AUXCR; writes[0].value = AUX_CS | AUX_RPP; @@ -975,11 +1014,14 @@ static void agilent_82357a_return_to_local(gpib_board_t *board) static int agilent_82357a_line_status(const gpib_board_t *board) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet bus_status; int retval; int status = ValidALL; + if (!a_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(a_priv->bus_interface); bus_status.address = BSR; retval = agilent_82357a_read_registers(a_priv, &bus_status, 1, 0); if (retval) { @@ -1025,10 +1067,13 @@ static unsigned short nanosec_to_fast_talker_bits(unsigned int *nanosec) static unsigned int agilent_82357a_t1_delay(gpib_board_t *board, unsigned int nanosec) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet write; int retval; + if (!a_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(a_priv->bus_interface); write.address = FAST_TALKER_T1; write.value = nanosec_to_fast_talker_bits(&nanosec); retval = agilent_82357a_write_registers(a_priv, &write, 1);

2 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] staging: gpib: Fix Oops after disconnect in ni_usb" failed to apply to 6.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.14.y git checkout FETCH_HEAD git cherry-pick -x a239c6e91b665f1837cf57b97fe638ef1baf2e78 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025040309-kabob-graph-ed91@gregkh' --subject-prefix 'PATCH 6.14.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a239c6e91b665f1837cf57b97fe638ef1baf2e78 Mon Sep 17 00:00:00 2001 From: Dave Penkler <dpenkler(a)gmail.com> Date: Sat, 22 Feb 2025 17:58:17 +0100 Subject: [PATCH] staging: gpib: Fix Oops after disconnect in ni_usb If the usb dongle is disconnected subsequent calls to the driver cause a NULL dereference Oops as the bus_interface is set to NULL on disconnect. This problem was introduced by setting usb_dev from the bus_interface for dev_xxx messages. Previously bus_interface was checked for NULL only in the the functions directly calling usb_fill_bulk_urb or usb_control_msg. Check for valid bus_interface on all interface entry points and return -ENODEV if it is NULL. Fixes: 4934b98bb243 ("staging: gpib: Update messaging and usb_device refs in ni_usb") Cc: stable <stable(a)kernel.org> Signed-off-by: Dave Penkler <dpenkler(a)gmail.com> Link: https://lore.kernel.org/r/20250222165817.12856-1-dpenkler@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/staging/gpib/ni_usb/ni_usb_gpib.c b/drivers/staging/gpib/ni_usb/ni_usb_gpib.c index 61b15b19e134..62fbc78204ce 100644 --- a/drivers/staging/gpib/ni_usb/ni_usb_gpib.c +++ b/drivers/staging/gpib/ni_usb/ni_usb_gpib.c @@ -591,7 +591,7 @@ static int ni_usb_read(gpib_board_t *board, uint8_t *buffer, size_t length, { int retval, parse_retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; static const int out_data_length = 0x20; int in_data_length; @@ -604,8 +604,11 @@ static int ni_usb_read(gpib_board_t *board, uint8_t *buffer, size_t length, struct ni_usb_register reg; *bytes_read = 0; + if (!ni_priv->bus_interface) + return -ENODEV; if (length > max_read_length) return -EINVAL; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) return -ENOMEM; @@ -718,7 +721,7 @@ static int ni_usb_write(gpib_board_t *board, uint8_t *buffer, size_t length, { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; int out_data_length; static const int in_data_length = 0x10; @@ -728,9 +731,11 @@ static int ni_usb_write(gpib_board_t *board, uint8_t *buffer, size_t length, struct ni_usb_status_block status; static const int max_write_length = 0xffff; - *bytes_written = 0; + if (!ni_priv->bus_interface) + return -ENODEV; if (length > max_write_length) return -EINVAL; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data_length = length + 0x10; out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) @@ -819,7 +824,7 @@ static int ni_usb_command_chunk(gpib_board_t *board, uint8_t *buffer, size_t len { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; int out_data_length; static const int in_data_length = 0x10; @@ -831,8 +836,11 @@ static int ni_usb_command_chunk(gpib_board_t *board, uint8_t *buffer, size_t len static const int max_command_length = 0x10; *command_bytes_written = 0; + if (!ni_priv->bus_interface) + return -ENODEV; if (length > max_command_length) length = max_command_length; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data_length = length + 0x10; out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) @@ -925,7 +933,7 @@ static int ni_usb_take_control(gpib_board_t *board, int synchronous) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; static const int out_data_length = 0x10; static const int in_data_length = 0x10; @@ -933,6 +941,9 @@ static int ni_usb_take_control(gpib_board_t *board, int synchronous) int i = 0; struct ni_usb_status_block status; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) return -ENOMEM; @@ -983,7 +994,7 @@ static int ni_usb_go_to_standby(gpib_board_t *board) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; static const int out_data_length = 0x10; static const int in_data_length = 0x20; @@ -991,6 +1002,9 @@ static int ni_usb_go_to_standby(gpib_board_t *board) int i = 0; struct ni_usb_status_block status; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) return -ENOMEM; @@ -1039,11 +1053,14 @@ static void ni_usb_request_system_control(gpib_board_t *board, int request_contr { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[4]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); if (request_control) { writes[i].device = NIUSB_SUBDEV_TNT4882; writes[i].address = CMDR; @@ -1087,7 +1104,7 @@ static void ni_usb_interface_clear(gpib_board_t *board, int assert) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; static const int out_data_length = 0x10; static const int in_data_length = 0x10; @@ -1095,7 +1112,10 @@ static void ni_usb_interface_clear(gpib_board_t *board, int assert) int i = 0; struct ni_usb_status_block status; - // FIXME: we are going to pulse when assert is true, and ignore otherwise + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); +// FIXME: we are going to pulse when assert is true, and ignore otherwise if (assert == 0) return; out_data = kmalloc(out_data_length, GFP_KERNEL); @@ -1133,10 +1153,13 @@ static void ni_usb_remote_enable(gpib_board_t *board, int enable) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; struct ni_usb_register reg; unsigned int ibsta; + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); reg.device = NIUSB_SUBDEV_TNT4882; reg.address = nec7210_to_tnt4882_offset(AUXMR); if (enable) @@ -1180,11 +1203,14 @@ static unsigned int ni_usb_update_status(gpib_board_t *board, unsigned int clear { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; static const int buffer_length = 8; u8 *buffer; struct ni_usb_status_block status; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); buffer = kmalloc(buffer_length, GFP_KERNEL); if (!buffer) return board->status; @@ -1232,11 +1258,14 @@ static int ni_usb_primary_address(gpib_board_t *board, unsigned int address) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[2]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); writes[i].device = NIUSB_SUBDEV_TNT4882; writes[i].address = nec7210_to_tnt4882_offset(ADR); writes[i].value = address; @@ -1287,11 +1316,14 @@ static int ni_usb_secondary_address(gpib_board_t *board, unsigned int address, i { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[3]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); i += ni_usb_write_sad(writes, address, enable); retval = ni_usb_write_registers(ni_priv, writes, i, &ibsta); if (retval < 0) { @@ -1306,7 +1338,7 @@ static int ni_usb_parallel_poll(gpib_board_t *board, uint8_t *result) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; static const int out_data_length = 0x10; static const int in_data_length = 0x20; @@ -1315,6 +1347,9 @@ static int ni_usb_parallel_poll(gpib_board_t *board, uint8_t *result) int j = 0; struct ni_usb_status_block status; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) return -ENOMEM; @@ -1358,11 +1393,14 @@ static void ni_usb_parallel_poll_configure(gpib_board_t *board, uint8_t config) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[1]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); writes[i].device = NIUSB_SUBDEV_TNT4882; writes[i].address = nec7210_to_tnt4882_offset(AUXMR); writes[i].value = PPR | config; @@ -1380,11 +1418,14 @@ static void ni_usb_parallel_poll_response(gpib_board_t *board, int ist) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[1]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); writes[i].device = NIUSB_SUBDEV_TNT4882; writes[i].address = nec7210_to_tnt4882_offset(AUXMR); if (ist) @@ -1405,11 +1446,14 @@ static void ni_usb_serial_poll_response(gpib_board_t *board, u8 status) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[1]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); writes[i].device = NIUSB_SUBDEV_TNT4882; writes[i].address = nec7210_to_tnt4882_offset(SPMR); writes[i].value = status; @@ -1432,11 +1476,14 @@ static void ni_usb_return_to_local(gpib_board_t *board) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[1]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); writes[i].device = NIUSB_SUBDEV_TNT4882; writes[i].address = nec7210_to_tnt4882_offset(AUXMR); writes[i].value = AUX_RTL; @@ -1454,7 +1501,7 @@ static int ni_usb_line_status(const gpib_board_t *board) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; static const int out_data_length = 0x20; static const int in_data_length = 0x20; @@ -1464,6 +1511,9 @@ static int ni_usb_line_status(const gpib_board_t *board) int line_status = ValidALL; // NI windows driver reads 0xd(HSSEL), 0xc (ARD0), 0x1f (BSR) + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) return -ENOMEM; @@ -1570,12 +1620,15 @@ static unsigned int ni_usb_t1_delay(gpib_board_t *board, unsigned int nano_sec) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; struct ni_usb_register writes[3]; unsigned int ibsta; unsigned int actual_ns; int i; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); i = ni_usb_setup_t1_delay(writes, nano_sec, &actual_ns); retval = ni_usb_write_registers(ni_priv, writes, i, &ibsta); if (retval < 0) {

2 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] staging: gpib: Fix Oops after disconnect in ni_usb" failed to apply to 6.13-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.13-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.13.y git checkout FETCH_HEAD git cherry-pick -x a239c6e91b665f1837cf57b97fe638ef1baf2e78 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025040306-cedar-kiln-0b1a@gregkh' --subject-prefix 'PATCH 6.13.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a239c6e91b665f1837cf57b97fe638ef1baf2e78 Mon Sep 17 00:00:00 2001 From: Dave Penkler <dpenkler(a)gmail.com> Date: Sat, 22 Feb 2025 17:58:17 +0100 Subject: [PATCH] staging: gpib: Fix Oops after disconnect in ni_usb If the usb dongle is disconnected subsequent calls to the driver cause a NULL dereference Oops as the bus_interface is set to NULL on disconnect. This problem was introduced by setting usb_dev from the bus_interface for dev_xxx messages. Previously bus_interface was checked for NULL only in the the functions directly calling usb_fill_bulk_urb or usb_control_msg. Check for valid bus_interface on all interface entry points and return -ENODEV if it is NULL. Fixes: 4934b98bb243 ("staging: gpib: Update messaging and usb_device refs in ni_usb") Cc: stable <stable(a)kernel.org> Signed-off-by: Dave Penkler <dpenkler(a)gmail.com> Link: https://lore.kernel.org/r/20250222165817.12856-1-dpenkler@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/staging/gpib/ni_usb/ni_usb_gpib.c b/drivers/staging/gpib/ni_usb/ni_usb_gpib.c index 61b15b19e134..62fbc78204ce 100644 --- a/drivers/staging/gpib/ni_usb/ni_usb_gpib.c +++ b/drivers/staging/gpib/ni_usb/ni_usb_gpib.c @@ -591,7 +591,7 @@ static int ni_usb_read(gpib_board_t *board, uint8_t *buffer, size_t length, { int retval, parse_retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; static const int out_data_length = 0x20; int in_data_length; @@ -604,8 +604,11 @@ static int ni_usb_read(gpib_board_t *board, uint8_t *buffer, size_t length, struct ni_usb_register reg; *bytes_read = 0; + if (!ni_priv->bus_interface) + return -ENODEV; if (length > max_read_length) return -EINVAL; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) return -ENOMEM; @@ -718,7 +721,7 @@ static int ni_usb_write(gpib_board_t *board, uint8_t *buffer, size_t length, { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; int out_data_length; static const int in_data_length = 0x10; @@ -728,9 +731,11 @@ static int ni_usb_write(gpib_board_t *board, uint8_t *buffer, size_t length, struct ni_usb_status_block status; static const int max_write_length = 0xffff; - *bytes_written = 0; + if (!ni_priv->bus_interface) + return -ENODEV; if (length > max_write_length) return -EINVAL; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data_length = length + 0x10; out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) @@ -819,7 +824,7 @@ static int ni_usb_command_chunk(gpib_board_t *board, uint8_t *buffer, size_t len { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; int out_data_length; static const int in_data_length = 0x10; @@ -831,8 +836,11 @@ static int ni_usb_command_chunk(gpib_board_t *board, uint8_t *buffer, size_t len static const int max_command_length = 0x10; *command_bytes_written = 0; + if (!ni_priv->bus_interface) + return -ENODEV; if (length > max_command_length) length = max_command_length; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data_length = length + 0x10; out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) @@ -925,7 +933,7 @@ static int ni_usb_take_control(gpib_board_t *board, int synchronous) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; static const int out_data_length = 0x10; static const int in_data_length = 0x10; @@ -933,6 +941,9 @@ static int ni_usb_take_control(gpib_board_t *board, int synchronous) int i = 0; struct ni_usb_status_block status; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) return -ENOMEM; @@ -983,7 +994,7 @@ static int ni_usb_go_to_standby(gpib_board_t *board) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; static const int out_data_length = 0x10; static const int in_data_length = 0x20; @@ -991,6 +1002,9 @@ static int ni_usb_go_to_standby(gpib_board_t *board) int i = 0; struct ni_usb_status_block status; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) return -ENOMEM; @@ -1039,11 +1053,14 @@ static void ni_usb_request_system_control(gpib_board_t *board, int request_contr { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[4]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); if (request_control) { writes[i].device = NIUSB_SUBDEV_TNT4882; writes[i].address = CMDR; @@ -1087,7 +1104,7 @@ static void ni_usb_interface_clear(gpib_board_t *board, int assert) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; static const int out_data_length = 0x10; static const int in_data_length = 0x10; @@ -1095,7 +1112,10 @@ static void ni_usb_interface_clear(gpib_board_t *board, int assert) int i = 0; struct ni_usb_status_block status; - // FIXME: we are going to pulse when assert is true, and ignore otherwise + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); +// FIXME: we are going to pulse when assert is true, and ignore otherwise if (assert == 0) return; out_data = kmalloc(out_data_length, GFP_KERNEL); @@ -1133,10 +1153,13 @@ static void ni_usb_remote_enable(gpib_board_t *board, int enable) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; struct ni_usb_register reg; unsigned int ibsta; + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); reg.device = NIUSB_SUBDEV_TNT4882; reg.address = nec7210_to_tnt4882_offset(AUXMR); if (enable) @@ -1180,11 +1203,14 @@ static unsigned int ni_usb_update_status(gpib_board_t *board, unsigned int clear { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; static const int buffer_length = 8; u8 *buffer; struct ni_usb_status_block status; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); buffer = kmalloc(buffer_length, GFP_KERNEL); if (!buffer) return board->status; @@ -1232,11 +1258,14 @@ static int ni_usb_primary_address(gpib_board_t *board, unsigned int address) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[2]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); writes[i].device = NIUSB_SUBDEV_TNT4882; writes[i].address = nec7210_to_tnt4882_offset(ADR); writes[i].value = address; @@ -1287,11 +1316,14 @@ static int ni_usb_secondary_address(gpib_board_t *board, unsigned int address, i { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[3]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); i += ni_usb_write_sad(writes, address, enable); retval = ni_usb_write_registers(ni_priv, writes, i, &ibsta); if (retval < 0) { @@ -1306,7 +1338,7 @@ static int ni_usb_parallel_poll(gpib_board_t *board, uint8_t *result) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; static const int out_data_length = 0x10; static const int in_data_length = 0x20; @@ -1315,6 +1347,9 @@ static int ni_usb_parallel_poll(gpib_board_t *board, uint8_t *result) int j = 0; struct ni_usb_status_block status; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) return -ENOMEM; @@ -1358,11 +1393,14 @@ static void ni_usb_parallel_poll_configure(gpib_board_t *board, uint8_t config) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[1]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); writes[i].device = NIUSB_SUBDEV_TNT4882; writes[i].address = nec7210_to_tnt4882_offset(AUXMR); writes[i].value = PPR | config; @@ -1380,11 +1418,14 @@ static void ni_usb_parallel_poll_response(gpib_board_t *board, int ist) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[1]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); writes[i].device = NIUSB_SUBDEV_TNT4882; writes[i].address = nec7210_to_tnt4882_offset(AUXMR); if (ist) @@ -1405,11 +1446,14 @@ static void ni_usb_serial_poll_response(gpib_board_t *board, u8 status) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[1]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); writes[i].device = NIUSB_SUBDEV_TNT4882; writes[i].address = nec7210_to_tnt4882_offset(SPMR); writes[i].value = status; @@ -1432,11 +1476,14 @@ static void ni_usb_return_to_local(gpib_board_t *board) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[1]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); writes[i].device = NIUSB_SUBDEV_TNT4882; writes[i].address = nec7210_to_tnt4882_offset(AUXMR); writes[i].value = AUX_RTL; @@ -1454,7 +1501,7 @@ static int ni_usb_line_status(const gpib_board_t *board) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; static const int out_data_length = 0x20; static const int in_data_length = 0x20; @@ -1464,6 +1511,9 @@ static int ni_usb_line_status(const gpib_board_t *board) int line_status = ValidALL; // NI windows driver reads 0xd(HSSEL), 0xc (ARD0), 0x1f (BSR) + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) return -ENOMEM; @@ -1570,12 +1620,15 @@ static unsigned int ni_usb_t1_delay(gpib_board_t *board, unsigned int nano_sec) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; struct ni_usb_register writes[3]; unsigned int ibsta; unsigned int actual_ns; int i; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); i = ni_usb_setup_t1_delay(writes, nano_sec, &actual_ns); retval = ni_usb_write_registers(ni_priv, writes, i, &ibsta); if (retval < 0) {

2 months, 2 weeks

1
0
0 0

[PATCH 5.10/5.15] dm cache: fix flushing uninitialized delayed_work on cache_ctr error

by Ilia Gavrilov

From: Ming-Hung Tsai <mtsai(a)redhat.com> commit 135496c208ba26fd68cdef10b64ed7a91ac9a7ff upstream. An unexpected WARN_ON from flush_work() may occur when cache creation fails, caused by destroying the uninitialized delayed_work waker in the error path of cache_create(). For example, the warning appears on the superblock checksum error. Reproduce steps: dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc 262144" dd if=/dev/urandom of=/dev/mapper/cmeta bs=4k count=1 oflag=direct dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" Kernel logs: (snip) WARNING: CPU: 0 PID: 84 at kernel/workqueue.c:4178 __flush_work+0x5d4/0x890 Fix by pulling out the cancel_delayed_work_sync() from the constructor's error path. This patch doesn't affect the use-after-free fix for concurrent dm_resume and dm_destroy (commit 6a459d8edbdb ("dm cache: Fix UAF in destroy()")) as cache_dtr is not changed. Signed-off-by: Ming-Hung Tsai <mtsai(a)redhat.com> Fixes: 6a459d8edbdb ("dm cache: Fix UAF in destroy()") Cc: stable(a)vger.kernel.org Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com> Acked-by: Joe Thornber <thornber(a)redhat.com> Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov(a)infotecs.ru> --- Backport fix for CVE-2024-50280 drivers/md/dm-cache-target.c | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c index 63eac25ec881..8a03357f8c93 100644 --- a/drivers/md/dm-cache-target.c +++ b/drivers/md/dm-cache-target.c @@ -1960,16 +1960,13 @@ static void check_migrations(struct work_struct *ws) * This function gets called on the error paths of the constructor, so we * have to cope with a partially initialised struct. */ -static void destroy(struct cache *cache) +static void __destroy(struct cache *cache) { - unsigned i; - mempool_exit(&cache->migration_pool); if (cache->prison) dm_bio_prison_destroy_v2(cache->prison); - cancel_delayed_work_sync(&cache->waker); if (cache->wq) destroy_workqueue(cache->wq); @@ -1997,13 +1994,22 @@ static void destroy(struct cache *cache) if (cache->policy) dm_cache_policy_destroy(cache->policy); + bioset_exit(&cache->bs); + + kfree(cache); +} + +static void destroy(struct cache *cache) +{ + unsigned int i; + + cancel_delayed_work_sync(&cache->waker); + for (i = 0; i < cache->nr_ctr_args ; i++) kfree(cache->ctr_args[i]); kfree(cache->ctr_args); - bioset_exit(&cache->bs); - - kfree(cache); + __destroy(cache); } static void cache_dtr(struct dm_target *ti) @@ -2616,7 +2622,7 @@ static int cache_create(struct cache_args *ca, struct cache **result) *result = cache; return 0; bad: - destroy(cache); + __destroy(cache); return r; } @@ -2667,7 +2673,7 @@ static int cache_ctr(struct dm_target *ti, unsigned argc, char **argv) r = copy_ctr_args(cache, argc - 3, (const char **)argv + 3); if (r) { - destroy(cache); + __destroy(cache); goto out; } -- 2.39.5

2 months, 2 weeks

1
0
0 0

[PATCH v2 0/7] ufs-exynos stability fixes for gs101

by Peter Griffin

Hi folks, This series fixes several stability issues with the upstream ufs-exynos driver, specifically for the gs101 SoC found in Pixel 6. The main fix is regarding the IO cache coherency setting and ensuring that it is correctly applied depending on if the dma-coherent property is specified in device tree. This fixes the UFS stability issues on gs101 and I would imagine will also fix issues on exynosauto platform that seems to have similar iocc shareability bits. Additionally the phy reference counting is fixed which allows module load/unload to work reliably and keeps the phy state machine in sync with the controller glue driver. regards, Peter Changes since v1: * Added patch for correct handling of iocc depedent on dma-coherent property * Rebased onto next-20250319 * Add a gs101 specific suspend hook (Bart) * Drop asserting GPIO_OUT in .exit() (Peter) * Remove superfluous blank line (Bart) * Update PRDT_PREFECT_EN to PRDT_PREFETCH_EN (Bart) * Update commit description for desctype type 3 (Eric) * https://lore.kernel.org/lkml/20250226220414.343659-1-peter.griffin@linaro.o… Signed-off-by: Peter Griffin <peter.griffin(a)linaro.org> --- Peter Griffin (7): scsi: ufs: exynos: ensure pre_link() executes before exynos_ufs_phy_init() scsi: ufs: exynos: move ufs shareability value to drvdata scsi: ufs: exynos: disable iocc if dma-coherent property isn't set scsi: ufs: exynos: ensure consistent phy reference counts scsi: ufs: exynos: Enable PRDT pre-fetching with UFSHCD_CAP_CRYPTO scsi: ufs: exynos: Move phy calls to .exit() callback scsi: ufs: exynos: gs101: put ufs device in reset on .suspend() drivers/ufs/host/ufs-exynos.c | 85 ++++++++++++++++++++++++++++++++----------- drivers/ufs/host/ufs-exynos.h | 6 ++- 2 files changed, 68 insertions(+), 23 deletions(-) --- base-commit: 433ccb6f2e879866b8601fcb1de14e316cdb0d39 change-id: 20250319-exynos-ufs-stability-fixes-e8da9862e3dc Best regards, -- Peter Griffin <peter.griffin(a)linaro.org>

2 months, 2 weeks

3
5
0 0

Request to back-port this patch to v5.4 stable tree

by Hardik Gohil

Hello Greg, This patch applies cleanly to the v5.4 kernel. dmaengine: ti: edma: Add some null pointer checks to the edma_probe [upstream commit 6e2276203ac9ff10fc76917ec9813c660f627369]

2 months, 2 weeks

2
1
0 0

[PATCH v3 1/2] ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate

by srinivas.kandagatla＠linaro.org

From: Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> Currently the VI feedback rate is set to fixed 8K, fix this by getting the correct rate from params_rate. Without this patch incorrect rate will be set on the VI feedback recording resulting in rate miss match and audio artifacts. Fixes: 2c4066e5d428 ("ASoC: codecs: lpass-wsa-macro: add dapm widgets and route") Cc: stable(a)vger.kernel.org Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> --- sound/soc/codecs/lpass-wsa-macro.c | 39 +++++++++++++++++++++++++++--- 1 file changed, 36 insertions(+), 3 deletions(-) diff --git a/sound/soc/codecs/lpass-wsa-macro.c b/sound/soc/codecs/lpass-wsa-macro.c index c989d82d1d3c..ac119847bc22 100644 --- a/sound/soc/codecs/lpass-wsa-macro.c +++ b/sound/soc/codecs/lpass-wsa-macro.c @@ -63,6 +63,10 @@ #define CDC_WSA_TX_SPKR_PROT_CLK_DISABLE 0 #define CDC_WSA_TX_SPKR_PROT_PCM_RATE_MASK GENMASK(3, 0) #define CDC_WSA_TX_SPKR_PROT_PCM_RATE_8K 0 +#define CDC_WSA_TX_SPKR_PROT_PCM_RATE_16K 1 +#define CDC_WSA_TX_SPKR_PROT_PCM_RATE_24K 2 +#define CDC_WSA_TX_SPKR_PROT_PCM_RATE_32K 3 +#define CDC_WSA_TX_SPKR_PROT_PCM_RATE_48K 4 #define CDC_WSA_TX0_SPKR_PROT_PATH_CFG0 (0x0248) #define CDC_WSA_TX1_SPKR_PROT_PATH_CTL (0x0264) #define CDC_WSA_TX1_SPKR_PROT_PATH_CFG0 (0x0268) @@ -407,6 +411,7 @@ struct wsa_macro { int ear_spkr_gain; int spkr_gain_offset; int spkr_mode; + u32 pcm_rate_vi; int is_softclip_on[WSA_MACRO_SOFTCLIP_MAX]; int softclip_clk_users[WSA_MACRO_SOFTCLIP_MAX]; struct regmap *regmap; @@ -1280,6 +1285,7 @@ static int wsa_macro_hw_params(struct snd_pcm_substream *substream, struct snd_soc_dai *dai) { struct snd_soc_component *component = dai->component; + struct wsa_macro *wsa = snd_soc_component_get_drvdata(component); int ret; switch (substream->stream) { @@ -1291,6 +1297,11 @@ static int wsa_macro_hw_params(struct snd_pcm_substream *substream, __func__, params_rate(params)); return ret; } + break; + case SNDRV_PCM_STREAM_CAPTURE: + if (dai->id == WSA_MACRO_AIF_VI) + wsa->pcm_rate_vi = params_rate(params); + break; default: break; @@ -1465,6 +1476,28 @@ static int wsa_macro_enable_vi_feedback(struct snd_soc_dapm_widget *w, struct snd_soc_component *component = snd_soc_dapm_to_component(w->dapm); struct wsa_macro *wsa = snd_soc_component_get_drvdata(component); u32 tx_reg0, tx_reg1; + u32 rate_val; + + switch (wsa->pcm_rate_vi) { + case 8000: + rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_8K; + break; + case 16000: + rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_16K; + break; + case 24000: + rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_24K; + break; + case 32000: + rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_32K; + break; + case 48000: + rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_48K; + break; + default: + rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_8K; + break; + } if (test_bit(WSA_MACRO_TX0, &wsa->active_ch_mask[WSA_MACRO_AIF_VI])) { tx_reg0 = CDC_WSA_TX0_SPKR_PROT_PATH_CTL; @@ -1476,7 +1509,7 @@ static int wsa_macro_enable_vi_feedback(struct snd_soc_dapm_widget *w, switch (event) { case SND_SOC_DAPM_POST_PMU: - /* Enable V&I sensing */ + /* Enable V&I sensing */ snd_soc_component_update_bits(component, tx_reg0, CDC_WSA_TX_SPKR_PROT_RESET_MASK, CDC_WSA_TX_SPKR_PROT_RESET); @@ -1485,10 +1518,10 @@ static int wsa_macro_enable_vi_feedback(struct snd_soc_dapm_widget *w, CDC_WSA_TX_SPKR_PROT_RESET); snd_soc_component_update_bits(component, tx_reg0, CDC_WSA_TX_SPKR_PROT_PCM_RATE_MASK, - CDC_WSA_TX_SPKR_PROT_PCM_RATE_8K); + rate_val); snd_soc_component_update_bits(component, tx_reg1, CDC_WSA_TX_SPKR_PROT_PCM_RATE_MASK, - CDC_WSA_TX_SPKR_PROT_PCM_RATE_8K); + rate_val); snd_soc_component_update_bits(component, tx_reg0, CDC_WSA_TX_SPKR_PROT_CLK_EN_MASK, CDC_WSA_TX_SPKR_PROT_CLK_ENABLE); -- 2.39.5

2 months, 2 weeks

2
1
0 0

[PATCH v2] drm/nouveau: Prevent signalled fences in pending list

by Philipp Stanner

Nouveau currently relies on the assumption that dma_fences will only ever get signalled through nouveau_fence_signal(), which takes care of removing a signalled fence from the list nouveau_fence_chan.pending. This self-imposed rule is violated in nouveau_fence_done(), where dma_fence_is_signaled() can signal the fence without removing it from the list. This enables accesses to already signalled fences through the list, which is a bug. Furthermore, it must always be possible to use standard dma_fence methods an a dma_fence and observe valid behavior. The canonical way of ensuring that signalling a fence has additional effects is to add those effects to a callback and register it on that fence. Move the code from nouveau_fence_signal() into a dma_fence callback. Register that callback when creating the fence. Cc: <stable(a)vger.kernel.org> # 4.10+ Signed-off-by: Philipp Stanner <phasta(a)kernel.org> --- Changes in v2: - Remove Fixes: tag. (Danilo) - Remove integer "drop" and call nvif_event_block() in the fence callback. (Danilo) --- drivers/gpu/drm/nouveau/nouveau_fence.c | 52 +++++++++++++------------ drivers/gpu/drm/nouveau/nouveau_fence.h | 1 + 2 files changed, 29 insertions(+), 24 deletions(-) diff --git a/drivers/gpu/drm/nouveau/nouveau_fence.c b/drivers/gpu/drm/nouveau/nouveau_fence.c index 7cc84472cece..cf510ef9641a 100644 --- a/drivers/gpu/drm/nouveau/nouveau_fence.c +++ b/drivers/gpu/drm/nouveau/nouveau_fence.c @@ -50,24 +50,24 @@ nouveau_fctx(struct nouveau_fence *fence) return container_of(fence->base.lock, struct nouveau_fence_chan, lock); } -static int -nouveau_fence_signal(struct nouveau_fence *fence) +static void +nouveau_fence_cleanup_cb(struct dma_fence *dfence, struct dma_fence_cb *cb) { - int drop = 0; + struct nouveau_fence_chan *fctx; + struct nouveau_fence *fence; + + fence = container_of(dfence, struct nouveau_fence, base); + fctx = nouveau_fctx(fence); - dma_fence_signal_locked(&fence->base); list_del(&fence->head); rcu_assign_pointer(fence->channel, NULL); if (test_bit(DMA_FENCE_FLAG_USER_BITS, &fence->base.flags)) { - struct nouveau_fence_chan *fctx = nouveau_fctx(fence); - if (!--fctx->notify_ref) - drop = 1; + nvif_event_block(&fctx->event); } dma_fence_put(&fence->base); - return drop; } static struct nouveau_fence * @@ -93,8 +93,7 @@ nouveau_fence_context_kill(struct nouveau_fence_chan *fctx, int error) if (error) dma_fence_set_error(&fence->base, error); - if (nouveau_fence_signal(fence)) - nvif_event_block(&fctx->event); + dma_fence_signal_locked(&fence->base); } fctx->killed = 1; spin_unlock_irqrestore(&fctx->lock, flags); @@ -127,11 +126,10 @@ nouveau_fence_context_free(struct nouveau_fence_chan *fctx) kref_put(&fctx->fence_ref, nouveau_fence_context_put); } -static int +static void nouveau_fence_update(struct nouveau_channel *chan, struct nouveau_fence_chan *fctx) { struct nouveau_fence *fence; - int drop = 0; u32 seq = fctx->read(chan); while (!list_empty(&fctx->pending)) { @@ -140,10 +138,8 @@ nouveau_fence_update(struct nouveau_channel *chan, struct nouveau_fence_chan *fc if ((int)(seq - fence->base.seqno) < 0) break; - drop |= nouveau_fence_signal(fence); + dma_fence_signal_locked(&fence->base); } - - return drop; } static void @@ -152,7 +148,6 @@ nouveau_fence_uevent_work(struct work_struct *work) struct nouveau_fence_chan *fctx = container_of(work, struct nouveau_fence_chan, uevent_work); unsigned long flags; - int drop = 0; spin_lock_irqsave(&fctx->lock, flags); if (!list_empty(&fctx->pending)) { @@ -161,11 +156,8 @@ nouveau_fence_uevent_work(struct work_struct *work) fence = list_entry(fctx->pending.next, typeof(*fence), head); chan = rcu_dereference_protected(fence->channel, lockdep_is_held(&fctx->lock)); - if (nouveau_fence_update(chan, fctx)) - drop = 1; + nouveau_fence_update(chan, fctx); } - if (drop) - nvif_event_block(&fctx->event); spin_unlock_irqrestore(&fctx->lock, flags); } @@ -235,6 +227,19 @@ nouveau_fence_emit(struct nouveau_fence *fence) &fctx->lock, fctx->context, ++fctx->sequence); kref_get(&fctx->fence_ref); + fence->cb.func = nouveau_fence_cleanup_cb; + /* Adding a callback runs into __dma_fence_enable_signaling(), which will + * ultimately run into nouveau_fence_no_signaling(), where a WARN_ON + * would fire because the refcount can be dropped there. + * + * Increment the refcount here temporarily to work around that. + */ + dma_fence_get(&fence->base); + ret = dma_fence_add_callback(&fence->base, &fence->cb, nouveau_fence_cleanup_cb); + dma_fence_put(&fence->base); + if (ret) + return ret; + ret = fctx->emit(fence); if (!ret) { dma_fence_get(&fence->base); @@ -246,8 +251,7 @@ nouveau_fence_emit(struct nouveau_fence *fence) return -ENODEV; } - if (nouveau_fence_update(chan, fctx)) - nvif_event_block(&fctx->event); + nouveau_fence_update(chan, fctx); list_add_tail(&fence->head, &fctx->pending); spin_unlock_irq(&fctx->lock); @@ -270,8 +274,8 @@ nouveau_fence_done(struct nouveau_fence *fence) spin_lock_irqsave(&fctx->lock, flags); chan = rcu_dereference_protected(fence->channel, lockdep_is_held(&fctx->lock)); - if (chan && nouveau_fence_update(chan, fctx)) - nvif_event_block(&fctx->event); + if (chan) + nouveau_fence_update(chan, fctx); spin_unlock_irqrestore(&fctx->lock, flags); } return dma_fence_is_signaled(&fence->base); diff --git a/drivers/gpu/drm/nouveau/nouveau_fence.h b/drivers/gpu/drm/nouveau/nouveau_fence.h index 8bc065acfe35..e6b2df7fdc42 100644 --- a/drivers/gpu/drm/nouveau/nouveau_fence.h +++ b/drivers/gpu/drm/nouveau/nouveau_fence.h @@ -10,6 +10,7 @@ struct nouveau_bo; struct nouveau_fence { struct dma_fence base; + struct dma_fence_cb cb; struct list_head head; -- 2.48.1

2 months, 2 weeks

4
9
0 0

[PATCH] x86/ioremap: Maintain consistent IORES_MAP_ENCRYPTED for BIOS data

by Dan Williams

Nikolay reports [1] that accessing BIOS data (first 1MB of the physical address space) via /dev/mem results in an SEPT violation. The cause is ioremap() (via xlate_dev_mem_ptr()) establishing an unencrypted mapping where the kernel had established an encrypted mapping previously. Teach __ioremap_check_other() that this address space shall always be mapped as encrypted as historically it is memory resident data, not MMIO with side-effects. Cc: <x86(a)kernel.org> Cc: Vishal Annapurve <vannapurve(a)google.com> Cc: Kirill Shutemov <kirill.shutemov(a)linux.intel.com> Reported-by: Nikolay Borisov <nik.borisov(a)suse.com> Closes: http://lore.kernel.org/20250318113604.297726-1-nik.borisov@suse.com [1] Tested-by: Nikolay Borisov <nik.borisov(a)suse.com> Fixes: 9aa6ea69852c ("x86/tdx: Make pages shared in ioremap()") Cc: <stable(a)vger.kernel.org> Signed-off-by: Dan Williams <dan.j.williams(a)intel.com> --- arch/x86/mm/ioremap.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c index 42c90b420773..9e81286a631e 100644 --- a/arch/x86/mm/ioremap.c +++ b/arch/x86/mm/ioremap.c @@ -122,6 +122,10 @@ static void __ioremap_check_other(resource_size_t addr, struct ioremap_desc *des return; } + /* Ensure BIOS data (see devmem_is_allowed()) is consistently mapped */ + if (PHYS_PFN(addr) < 256) + desc->flags |= IORES_MAP_ENCRYPTED; + if (!IS_ENABLED(CONFIG_EFI)) return;

2 months, 2 weeks

7
10
0 0

[PATCH v3] gpio: tegra186: fix resource handling in ACPI probe path

by Guixin Liu

When the Tegra186 GPIO controller is probed through ACPI matching, the driver emits two error messages during probing: "tegra186-gpio NVDA0508:00: invalid resource (null)" "tegra186-gpio NVDA0508:00: invalid resource (null)" Fix this by getting resource first and then do the ioremap. Fixes: 2606e7c9f5fc ("gpio: tegra186: Add ACPI support") Cc: stable(a)vger.kernel.org Signed-off-by: Guixin Liu <kanie(a)linux.alibaba.com> --- Changes from v2 to v3: - Add "CC: stable" to commit body. Changes from v1 to v2: - Add "Fixes" to commit body. drivers/gpio/gpio-tegra186.c | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/drivers/gpio/gpio-tegra186.c b/drivers/gpio/gpio-tegra186.c index 6895b65c86af..d27bfac6c9f5 100644 --- a/drivers/gpio/gpio-tegra186.c +++ b/drivers/gpio/gpio-tegra186.c @@ -823,6 +823,7 @@ static int tegra186_gpio_probe(struct platform_device *pdev) struct gpio_irq_chip *irq; struct tegra_gpio *gpio; struct device_node *np; + struct resource *res; char **names; int err; @@ -842,19 +843,19 @@ static int tegra186_gpio_probe(struct platform_device *pdev) gpio->num_banks++; /* get register apertures */ - gpio->secure = devm_platform_ioremap_resource_byname(pdev, "security"); - if (IS_ERR(gpio->secure)) { - gpio->secure = devm_platform_ioremap_resource(pdev, 0); - if (IS_ERR(gpio->secure)) - return PTR_ERR(gpio->secure); - } - - gpio->base = devm_platform_ioremap_resource_byname(pdev, "gpio"); - if (IS_ERR(gpio->base)) { - gpio->base = devm_platform_ioremap_resource(pdev, 1); - if (IS_ERR(gpio->base)) - return PTR_ERR(gpio->base); - } + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "security"); + if (!res) + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + gpio->secure = devm_ioremap_resource(&pdev->dev, res); + if (IS_ERR(gpio->secure)) + return PTR_ERR(gpio->secure); + + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "gpio"); + if (!res) + res = platform_get_resource(pdev, IORESOURCE_MEM, 1); + gpio->base = devm_ioremap_resource(&pdev->dev, res); + if (IS_ERR(gpio->base)) + return PTR_ERR(gpio->base); err = platform_irq_count(pdev); if (err < 0) -- 2.43.0

2 months, 2 weeks

2
1
0 0

[PATCH] crypto: inside-secure/eip93 - acquire lock on eip93_put_descriptor hash

by Christian Marangi

In the EIP93 HASH functions, the eip93_put_descriptor is called without acquiring lock. This is problematic when multiple thread execute hash operations. Correctly acquire ring write lock on calling eip93_put_descriptor to prevent concurrent access and mess with the ring pointers. Cc: stable(a)vger.kernel.org Fixes: 9739f5f93b78 ("crypto: eip93 - Add Inside Secure SafeXcel EIP-93 crypto engine support") Reported-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: Christian Marangi <ansuelsmth(a)gmail.com> --- drivers/crypto/inside-secure/eip93/eip93-hash.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/crypto/inside-secure/eip93/eip93-hash.c b/drivers/crypto/inside-secure/eip93/eip93-hash.c index 5e9627467a42..df1b05ac5a57 100644 --- a/drivers/crypto/inside-secure/eip93/eip93-hash.c +++ b/drivers/crypto/inside-secure/eip93/eip93-hash.c @@ -260,7 +260,8 @@ static int eip93_send_hash_req(struct crypto_async_request *async, u8 *data, } again: - ret = eip93_put_descriptor(eip93, &cdesc); + scoped_guard(spinlock_irqsave, &eip93->ring->write_lock) + ret = eip93_put_descriptor(eip93, &cdesc); if (ret) { usleep_range(EIP93_RING_BUSY_DELAY, EIP93_RING_BUSY_DELAY * 2); -- 2.48.1

2 months, 2 weeks

2
1
0 0

[PATCH v5 1/2] string: Add load_unaligned_zeropad() code path to sized_strscpy()

by Peter Collingbourne

The call to read_word_at_a_time() in sized_strscpy() is problematic with MTE because it may trigger a tag check fault when reading across a tag granule (16 bytes) boundary. To make this code MTE compatible, let's start using load_unaligned_zeropad() on architectures where it is available (i.e. architectures that define CONFIG_DCACHE_WORD_ACCESS). Because load_unaligned_zeropad() takes care of page boundaries as well as tag granule boundaries, also disable the code preventing crossing page boundaries when using load_unaligned_zeropad(). Signed-off-by: Peter Collingbourne <pcc(a)google.com> Link: https://linux-review.googlesource.com/id/If4b22e43b5a4ca49726b4bf98ada827fd… Fixes: 94ab5b61ee16 ("kasan, arm64: enable CONFIG_KASAN_HW_TAGS") Cc: stable(a)vger.kernel.org --- v2: - new approach lib/string.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/lib/string.c b/lib/string.c index eb4486ed40d25..b632c71df1a50 100644 --- a/lib/string.c +++ b/lib/string.c @@ -119,6 +119,7 @@ ssize_t sized_strscpy(char *dest, const char *src, size_t count) if (count == 0 || WARN_ON_ONCE(count > INT_MAX)) return -E2BIG; +#ifndef CONFIG_DCACHE_WORD_ACCESS #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS /* * If src is unaligned, don't cross a page boundary, @@ -133,12 +134,14 @@ ssize_t sized_strscpy(char *dest, const char *src, size_t count) /* If src or dest is unaligned, don't do word-at-a-time. */ if (((long) dest | (long) src) & (sizeof(long) - 1)) max = 0; +#endif #endif /* - * read_word_at_a_time() below may read uninitialized bytes after the - * trailing zero and use them in comparisons. Disable this optimization - * under KMSAN to prevent false positive reports. + * load_unaligned_zeropad() or read_word_at_a_time() below may read + * uninitialized bytes after the trailing zero and use them in + * comparisons. Disable this optimization under KMSAN to prevent + * false positive reports. */ if (IS_ENABLED(CONFIG_KMSAN)) max = 0; @@ -146,7 +149,11 @@ ssize_t sized_strscpy(char *dest, const char *src, size_t count) while (max >= sizeof(unsigned long)) { unsigned long c, data; +#ifdef CONFIG_DCACHE_WORD_ACCESS + c = load_unaligned_zeropad(src+res); +#else c = read_word_at_a_time(src+res); +#endif if (has_zero(c, &data, &constants)) { data = prep_zero_mask(c, data, &constants); data = create_zero_mask(data); -- 2.49.0.472.ge94155a9ec-goog

2 months, 2 weeks

2
1
0 0

[PATCH v2] serial: Fix null-ptr-deref in mlb_usio_probe()

by Henry Martin

devm_ioremap() returns NULL on error. Currently, mlb_usio_probe() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_ioremap() to prevent this issue. Cc: stable(a)vger.kernel.org Fixes: ba44dc043004 ("serial: Add Milbeaut serial control") Signed-off-by: Henry Martin <bsdhenrymartin(a)gmail.com> --- V1 -> V2: Add cc: stable line. drivers/tty/serial/milbeaut_usio.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/tty/serial/milbeaut_usio.c b/drivers/tty/serial/milbeaut_usio.c index 059bea18dbab..4e47dca2c4ed 100644 --- a/drivers/tty/serial/milbeaut_usio.c +++ b/drivers/tty/serial/milbeaut_usio.c @@ -523,7 +523,10 @@ static int mlb_usio_probe(struct platform_device *pdev) } port->membase = devm_ioremap(&pdev->dev, res->start, resource_size(res)); - + if (!port->membase) { + ret = -ENOMEM; + goto failed; + } ret = platform_get_irq_byname(pdev, "rx"); mlb_usio_irq[index][RX] = ret; -- 2.34.1

2 months, 2 weeks

3
2
0 0

[RFC PATCH 1/3] firmware: arm_scmi: Ensure that the message-id supports fastchannel

by Cristian Marussi

From: Sibi Sankar <quic_sibis(a)quicinc.com> Currently the perf and powercap protocol relies on the protocol domain attributes, which just ensures that one fastchannel per domain, before instantiating fastchannels for all possible message-ids. Fix this by ensuring that each message-id supports fastchannel before initialization. Logs: scmi: Failed to get FC for protocol 13 [MSG_ID:6 / RES_ID:0] - ret:-95. Using regular messaging. scmi: Failed to get FC for protocol 13 [MSG_ID:6 / RES_ID:1] - ret:-95. Using regular messaging. scmi: Failed to get FC for protocol 13 [MSG_ID:6 / RES_ID:2] - ret:-95. Using regular messaging. CC: stable(a)vger.kernel.org Reported-by: Johan Hovold <johan+linaro(a)kernel.org> Closes: https://lore.kernel.org/lkml/ZoQjAWse2YxwyRJv@hovoldconsulting.com/ Fixes: 6f9ea4dabd2d ("firmware: arm_scmi: Generalize the fast channel support") Signed-off-by: Sibi Sankar <quic_sibis(a)quicinc.com> [Cristian: Modified the condition checked to establish support or not] Signed-off-by: Cristian Marussi <cristian.marussi(a)arm.com> --- Since PROTOCOL_MESSAGE_ATTRIBUTES, used to check if message_id is supported, is a mandatory command, it cannot fail so we must bail-out NOT only if FC was not supported for that command but also if the query fails as a whole; so the condition checked for bailing out is modified to: if (ret || !MSG_SUPPORTS_FASTCHANNEL(attributes)) { Removed also Tested-by and Reviewed-by tags since I modified the logic. --- drivers/firmware/arm_scmi/driver.c | 76 +++++++++++++++------------ drivers/firmware/arm_scmi/protocols.h | 2 + 2 files changed, 45 insertions(+), 33 deletions(-) diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c index bf2dc200604e..3855a9791f4a 100644 --- a/drivers/firmware/arm_scmi/driver.c +++ b/drivers/firmware/arm_scmi/driver.c @@ -1738,6 +1738,39 @@ static int scmi_common_get_max_msg_size(const struct scmi_protocol_handle *ph) return info->desc->max_msg_size; } +/** + * scmi_protocol_msg_check - Check protocol message attributes + * + * @ph: A reference to the protocol handle. + * @message_id: The ID of the message to check. + * @attributes: A parameter to optionally return the retrieved message + * attributes, in case of Success. + * + * An helper to check protocol message attributes for a specific protocol + * and message pair. + * + * Return: 0 on SUCCESS + */ +static int scmi_protocol_msg_check(const struct scmi_protocol_handle *ph, + u32 message_id, u32 *attributes) +{ + int ret; + struct scmi_xfer *t; + + ret = xfer_get_init(ph, PROTOCOL_MESSAGE_ATTRIBUTES, + sizeof(__le32), 0, &t); + if (ret) + return ret; + + put_unaligned_le32(message_id, t->tx.buf); + ret = do_xfer(ph, t); + if (!ret && attributes) + *attributes = get_unaligned_le32(t->rx.buf); + xfer_put(ph, t); + + return ret; +} + /** * struct scmi_iterator - Iterator descriptor * @msg: A reference to the message TX buffer; filled by @prepare_message with @@ -1879,6 +1912,7 @@ scmi_common_fastchannel_init(const struct scmi_protocol_handle *ph, int ret; u32 flags; u64 phys_addr; + u32 attributes; u8 size; void __iomem *addr; struct scmi_xfer *t; @@ -1887,6 +1921,15 @@ scmi_common_fastchannel_init(const struct scmi_protocol_handle *ph, struct scmi_msg_resp_desc_fc *resp; const struct scmi_protocol_instance *pi = ph_to_pi(ph); + /* Check if the MSG_ID supports fastchannel */ + ret = scmi_protocol_msg_check(ph, message_id, &attributes); + if (ret || !MSG_SUPPORTS_FASTCHANNEL(attributes)) { + dev_dbg(ph->dev, + "Skip FC init for 0x%02X/%d domain:%d - ret:%d\n", + pi->proto->id, message_id, domain, ret); + return; + } + if (!p_addr) { ret = -EINVAL; goto err_out; @@ -2014,39 +2057,6 @@ static void scmi_common_fastchannel_db_ring(struct scmi_fc_db_info *db) #endif } -/** - * scmi_protocol_msg_check - Check protocol message attributes - * - * @ph: A reference to the protocol handle. - * @message_id: The ID of the message to check. - * @attributes: A parameter to optionally return the retrieved message - * attributes, in case of Success. - * - * An helper to check protocol message attributes for a specific protocol - * and message pair. - * - * Return: 0 on SUCCESS - */ -static int scmi_protocol_msg_check(const struct scmi_protocol_handle *ph, - u32 message_id, u32 *attributes) -{ - int ret; - struct scmi_xfer *t; - - ret = xfer_get_init(ph, PROTOCOL_MESSAGE_ATTRIBUTES, - sizeof(__le32), 0, &t); - if (ret) - return ret; - - put_unaligned_le32(message_id, t->tx.buf); - ret = do_xfer(ph, t); - if (!ret && attributes) - *attributes = get_unaligned_le32(t->rx.buf); - xfer_put(ph, t); - - return ret; -} - static const struct scmi_proto_helpers_ops helpers_ops = { .extended_name_get = scmi_common_extended_name_get, .get_max_msg_size = scmi_common_get_max_msg_size, diff --git a/drivers/firmware/arm_scmi/protocols.h b/drivers/firmware/arm_scmi/protocols.h index aaee57cdcd55..d62c4469d1fd 100644 --- a/drivers/firmware/arm_scmi/protocols.h +++ b/drivers/firmware/arm_scmi/protocols.h @@ -31,6 +31,8 @@ #define SCMI_PROTOCOL_VENDOR_BASE 0x80 +#define MSG_SUPPORTS_FASTCHANNEL(x) ((x) & BIT(0)) + enum scmi_common_cmd { PROTOCOL_VERSION = 0x0, PROTOCOL_ATTRIBUTES = 0x1, -- 2.47.0

2 months, 2 weeks

2
1
0 0

[PATCH v5] sched/topology: Enable topology_span_sane check only for debug builds

by Naman Jain

From: Saurabh Sengar <ssengar(a)linux.microsoft.com> On a x86 system under test with 1780 CPUs, topology_span_sane() takes around 8 seconds cumulatively for all the iterations. It is an expensive operation which does the sanity of non-NUMA topology masks. CPU topology is not something which changes very frequently hence make this check optional for the systems where the topology is trusted and need faster bootup. Restrict this to sched_verbose kernel cmdline option so that this penalty can be avoided for the systems who want to avoid it. Cc: stable(a)vger.kernel.org Fixes: ccf74128d66c ("sched/topology: Assert non-NUMA topology masks don't (partially) overlap") Signed-off-by: Saurabh Sengar <ssengar(a)linux.microsoft.com> Co-developed-by: Naman Jain <namjain(a)linux.microsoft.com> Signed-off-by: Naman Jain <namjain(a)linux.microsoft.com> Tested-by: K Prateek Nayak <kprateek.nayak(a)amd.com> --- Changes since v4: https://lore.kernel.org/all/20250306055354.52915-1-namjain@linux.microsoft.… - Rephrased print statement and moved it to sched_domain_debug. (addressing Valentin's comments) Changes since v3: https://lore.kernel.org/all/20250203114738.3109-1-namjain@linux.microsoft.c… - Minor typo correction in comment - Added Tested-by tag from Prateek for x86 Changes since v2: https://lore.kernel.org/all/1731922777-7121-1-git-send-email-ssengar@linux.… - Use sched_debug() instead of using sched_debug_verbose variable directly (addressing Prateek's comment) Changes since v1: https://lore.kernel.org/all/1729619853-2597-1-git-send-email-ssengar@linux.… - Use kernel cmdline param instead of compile time flag. Adding a link to the other patch which is under review. https://lore.kernel.org/lkml/20241031200431.182443-1-steve.wahl@hpe.com/ Above patch tries to optimize the topology sanity check, whereas this patch makes it optional. We believe both patches can coexist, as even with optimization, there will still be some performance overhead for this check. --- kernel/sched/topology.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c index c49aea8c1025..d7254c47af45 100644 --- a/kernel/sched/topology.c +++ b/kernel/sched/topology.c @@ -132,8 +132,11 @@ static void sched_domain_debug(struct sched_domain *sd, int cpu) { int level = 0; - if (!sched_debug_verbose) + if (!sched_debug_verbose) { + pr_info_once("%s: Scheduler topology debugging disabled, add 'sched_verbose' to the cmdline to enable it\n", + __func__); return; + } if (!sd) { printk(KERN_DEBUG "CPU%d attaching NULL sched-domain.\n", cpu); @@ -2359,6 +2362,10 @@ static bool topology_span_sane(struct sched_domain_topology_level *tl, { int i = cpu + 1; + /* Skip the topology sanity check for non-debug, as it is a time-consuming operation */ + if (!sched_debug()) + return true; + /* NUMA levels are allowed to overlap */ if (tl->flags & SDTL_OVERLAP) return true; base-commit: 7ec162622e66a4ff886f8f28712ea1b13069e1aa -- 2.34.1

2 months, 2 weeks

2
5
0 0

[PATCH v3 1/3] Revert "drivers: core: synchronize really_probe() and dev_uevent()"

by Dmitry Torokhov

This reverts commit c0a40097f0bc81deafc15f9195d1fb54595cd6d0. Probing a device can take arbitrary long time. In the field we observed that, for example, probing a bad micro-SD cards in an external USB card reader (or maybe cards were good but cables were flaky) sometimes takes longer than 2 minutes due to multiple retries at various levels of the stack. We can not block uevent_show() method for that long because udev is reading that attribute very often and that blocks udev and interferes with booting of the system. The change that introduced locking was concerned with dev_uevent() racing with unbinding the driver. However we can handle it without locking (which will be done in subsequent patch). There was also claim that synchronization with probe() is needed to properly load USB drivers, however this is a red herring: the change adding the lock was introduced in May of last year and USB loading and probing worked properly for many years before that. Revert the harmful locking. Cc: stable(a)vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> --- drivers/base/core.c | 3 --- 1 file changed, 3 deletions(-) v3: no changes. v2: added Cc: stable, no code changes. diff --git a/drivers/base/core.c b/drivers/base/core.c index d2f9d3a59d6b..f9c1c623bca5 100644 --- a/drivers/base/core.c +++ b/drivers/base/core.c @@ -2726,11 +2726,8 @@ static ssize_t uevent_show(struct device *dev, struct device_attribute *attr, if (!env) return -ENOMEM; - /* Synchronize with really_probe() */ - device_lock(dev); /* let the kset specific function add its keys */ retval = kset->uevent_ops->uevent(&dev->kobj, env); - device_unlock(dev); if (retval) goto out; -- 2.49.0.rc0.332.g42c0ae87b1-goog

2 months, 2 weeks

2
1
0 0

+ mm-compaction-fix-bug-in-hugetlb-handling-pathway.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/compaction: fix bug in hugetlb handling pathway has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-compaction-fix-bug-in-hugetlb-handling-pathway.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: "Vishal Moola (Oracle)" <vishal.moola(a)gmail.com> Subject: mm/compaction: fix bug in hugetlb handling pathway Date: Mon, 31 Mar 2025 19:10:24 -0700 The compaction code doesn't take references on pages until we're certain we should attempt to handle it. In the hugetlb case, isolate_or_dissolve_huge_page() may return -EBUSY without taking a reference to the folio associated with our pfn. If our folio's refcount drops to 0, compound_nr() becomes unpredictable, making low_pfn and nr_scanned unreliable. The user-visible effect is minimal - this should rarely happen (if ever). Fix this by storing the folio statistics earlier on the stack (just like the THP and Buddy cases). Also revert commit 66fe1cf7f581 ("mm: compaction: use helper compound_nr in isolate_migratepages_block") to make backporting easier. Link: https://lkml.kernel.org/r/20250401021025.637333-1-vishal.moola@gmail.com Fixes: 369fa227c219 ("mm: make alloc_contig_range handle free hugetlb pages") Signed-off-by: Vishal Moola (Oracle) <vishal.moola(a)gmail.com> Acked-by: Oscar Salvador <osalvador(a)suse.de> Reviewed-by: Zi Yan <ziy(a)nvidia.com> Cc: Miaohe Lin <linmiaohe(a)huawei.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/compaction.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/mm/compaction.c~mm-compaction-fix-bug-in-hugetlb-handling-pathway +++ a/mm/compaction.c @@ -981,13 +981,13 @@ isolate_migratepages_block(struct compac } if (PageHuge(page)) { + const unsigned int order = compound_order(page); /* * skip hugetlbfs if we are not compacting for pages * bigger than its order. THPs and other compound pages * are handled below. */ if (!cc->alloc_contig) { - const unsigned int order = compound_order(page); if (order <= MAX_PAGE_ORDER) { low_pfn += (1UL << order) - 1; @@ -1011,8 +1011,8 @@ isolate_migratepages_block(struct compac /* Do not report -EBUSY down the chain */ if (ret == -EBUSY) ret = 0; - low_pfn += compound_nr(page) - 1; - nr_scanned += compound_nr(page) - 1; + low_pfn += (1UL << order) - 1; + nr_scanned += (1UL << order) - 1; goto isolate_fail; } _ Patches currently in -mm which might be from vishal.moola(a)gmail.com are mm-compaction-fix-bug-in-hugetlb-handling-pathway.patch

2 months, 2 weeks

1
0
0 0

[PATCH v2 1/9] 9p: Add a migrate_folio method

by Matthew Wilcox (Oracle)

The migration code used to be able to migrate dirty 9p folios by writing them back using writepage. When the writepage method was removed, we neglected to add a migrate_folio method, which means that dirty 9p folios have been unmovable ever since. This reduced our success at defragmenting memory on machines which use 9p heavily. Fixes: 80105ed2fd27 (9p: Use netfslib read/write_iter) Cc: stable(a)vger.kernel.org Cc: David Howells <dhowells(a)redhat.com> Cc: v9fs(a)lists.linux.dev Signed-off-by: Matthew Wilcox (Oracle) <willy(a)infradead.org> --- fs/9p/vfs_addr.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/9p/vfs_addr.c b/fs/9p/vfs_addr.c index 32619d146cbc..1286d96a29bc 100644 --- a/fs/9p/vfs_addr.c +++ b/fs/9p/vfs_addr.c @@ -164,4 +164,5 @@ const struct address_space_operations v9fs_addr_operations = { .invalidate_folio = netfs_invalidate_folio, .direct_IO = noop_direct_IO, .writepages = netfs_writepages, + .migrate_folio = filemap_migrate_folio, }; -- 2.47.2

2 months, 2 weeks

4
3
0 0

+ lib-iov_iter-fix-to-increase-non-slab-folio-refcount.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: lib/iov_iter: fix to increase non slab folio refcount has been added to the -mm mm-hotfixes-unstable branch. Its filename is lib-iov_iter-fix-to-increase-non-slab-folio-refcount.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Sheng Yong <shengyong1(a)xiaomi.com> Subject: lib/iov_iter: fix to increase non slab folio refcount Date: Tue, 1 Apr 2025 22:47:12 +0800 When testing EROFS file-backed mount over v9fs on qemu, I encountered a folio UAF issue. The page sanity check reports the following call trace. The root cause is that pages in bvec are coalesced across a folio bounary. The refcount of all non-slab folios should be increased to ensure p9_releas_pages can put them correctly. BUG: Bad page state in process md5sum pfn:18300 page: refcount:0 mapcount:0 mapping:00000000d5ad8e4e index:0x60 pfn:0x18300 head: order:0 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 aops:z_erofs_aops ino:30b0f dentry name(?):"GoogleExtServicesCn.apk" flags: 0x100000000000041(locked|head|node=0|zone=1) raw: 0100000000000041 dead000000000100 dead000000000122 ffff888014b13bd0 raw: 0000000000000060 0000000000000020 00000000ffffffff 0000000000000000 head: 0100000000000041 dead000000000100 dead000000000122 ffff888014b13bd0 head: 0000000000000060 0000000000000020 00000000ffffffff 0000000000000000 head: 0100000000000000 0000000000000000 ffffffffffffffff 0000000000000000 head: 0000000000000010 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set Call Trace: dump_stack_lvl+0x53/0x70 bad_page+0xd4/0x220 __free_pages_ok+0x76d/0xf30 __folio_put+0x230/0x320 p9_release_pages+0x179/0x1f0 p9_virtio_zc_request+0xa2a/0x1230 p9_client_zc_rpc.constprop.0+0x247/0x700 p9_client_read_once+0x34d/0x810 p9_client_read+0xf3/0x150 v9fs_issue_read+0x111/0x360 netfs_unbuffered_read_iter_locked+0x927/0x1390 netfs_unbuffered_read_iter+0xa2/0xe0 vfs_iocb_iter_read+0x2c7/0x460 erofs_fileio_rq_submit+0x46b/0x5b0 z_erofs_runqueue+0x1203/0x21e0 z_erofs_readahead+0x579/0x8b0 read_pages+0x19f/0xa70 page_cache_ra_order+0x4ad/0xb80 filemap_readahead.isra.0+0xe7/0x150 filemap_get_pages+0x7aa/0x1890 filemap_read+0x320/0xc80 vfs_read+0x6c6/0xa30 ksys_read+0xf9/0x1c0 do_syscall_64+0x9e/0x1a0 entry_SYSCALL_64_after_hwframe+0x71/0x79 Link: https://lkml.kernel.org/r/20250401144712.1377719-1-shengyong1@xiaomi.com Fixes: b9c0e49abfca ("mm: decline to manipulate the refcount on a slab page") Signed-off-by: Sheng Yong <shengyong1(a)xiaomi.com> Reviewed-by: Matthew Wilcox (Oracle) <willy(a)infradead.org> Acked-by: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- lib/iov_iter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/lib/iov_iter.c~lib-iov_iter-fix-to-increase-non-slab-folio-refcount +++ a/lib/iov_iter.c @@ -1191,7 +1191,7 @@ static ssize_t __iov_iter_get_pages_allo return -ENOMEM; p = *pages; for (int k = 0; k < n; k++) { - struct folio *folio = page_folio(page); + struct folio *folio = page_folio(page + k); p[k] = page + k; if (!folio_test_slab(folio)) folio_get(folio); _ Patches currently in -mm which might be from shengyong1(a)xiaomi.com are lib-iov_iter-fix-to-increase-non-slab-folio-refcount.patch

2 months, 2 weeks

1
0
0 0

[for-linus][PATCH 4/4] ring-buffer: Use flush_kernel_vmap_range() over flush_dcache_folio()

by Steven Rostedt

From: Steven Rostedt <rostedt(a)goodmis.org> Some architectures do not have data cache coherency between user and kernel space. For these architectures, the cache needs to be flushed on both the kernel and user addresses so that user space can see the updates the kernel has made. Instead of using flush_dcache_folio() and playing with virt_to_folio() within the call to that function, use flush_kernel_vmap_range() which takes the virtual address and does the work for those architectures that need it. This also fixes a bug where the flush of the reader page only flushed one page. If the sub-buffer order is 1 or more, where the sub-buffer size would be greater than a page, it would miss the rest of the sub-buffer content, as the "reader page" is not just a page, but the size of a sub-buffer. Link: https://lore.kernel.org/all/CAG48ez3w0my4Rwttbc5tEbNsme6tc0mrSN95thjXUFaJ3a… Cc: stable(a)vger.kernel.org Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Vincent Donnefort <vdonnefort(a)google.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Mike Rapoport <rppt(a)kernel.org> Link: https://lore.kernel.org/20250402144953.920792197@goodmis.org Fixes: 117c39200d9d7 ("ring-buffer: Introducing ring-buffer mapping functions"); Suggested-by: Jann Horn <jannh(a)google.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/ring_buffer.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c index f25966b3a1fc..d4b0f7b55cce 100644 --- a/kernel/trace/ring_buffer.c +++ b/kernel/trace/ring_buffer.c @@ -6016,7 +6016,7 @@ static void rb_update_meta_page(struct ring_buffer_per_cpu *cpu_buffer) meta->read = cpu_buffer->read; /* Some archs do not have data cache coherency between kernel and user-space */ - flush_dcache_folio(virt_to_folio(cpu_buffer->meta_page)); + flush_kernel_vmap_range(cpu_buffer->meta_page, PAGE_SIZE); } static void @@ -7319,7 +7319,8 @@ int ring_buffer_map_get_reader(struct trace_buffer *buffer, int cpu) out: /* Some archs do not have data cache coherency between kernel and user-space */ - flush_dcache_folio(virt_to_folio(cpu_buffer->reader_page->page)); + flush_kernel_vmap_range(cpu_buffer->reader_page->page, + buffer->subbuf_size + BUF_PAGE_HDR_SIZE); rb_update_meta_page(cpu_buffer); -- 2.47.2

2 months, 2 weeks

1
0
0 0

[PATCH v4] usb: dwc3: gadget: check that event count does not exceed event buffer length

by Frode Isaksen

From: Frode Isaksen <frode(a)meta.com> The event count is read from register DWC3_GEVNTCOUNT. There is a check for the count being zero, but not for exceeding the event buffer length. Check that event count does not exceed event buffer length, avoiding an out-of-bounds access when memcpy'ing the event. Crash log: Unable to handle kernel paging request at virtual address ffffffc0129be000 pc : __memcpy+0x114/0x180 lr : dwc3_check_event_buf+0xec/0x348 x3 : 0000000000000030 x2 : 000000000000dfc4 x1 : ffffffc0129be000 x0 : ffffff87aad60080 Call trace: __memcpy+0x114/0x180 dwc3_interrupt+0x24/0x34 Signed-off-by: Frode Isaksen <frode(a)meta.com> Fixes: ebbb2d59398f ("usb: dwc3: gadget: use evt->cache for processing events") Cc: stable(a)vger.kernel.org --- v1 -> v2: Added Fixes and Cc tag. v2 -> v3: Added error log v3 -> v4: Rate limit error log drivers/usb/dwc3/gadget.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 89a4dc8ebf94..b75b4c5ca7fc 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -4564,6 +4564,12 @@ static irqreturn_t dwc3_check_event_buf(struct dwc3_event_buffer *evt) if (!count) return IRQ_NONE; + if (count > evt->length) { + dev_err_ratelimited(dwc->dev, "invalid count(%u) > evt->length(%u)\n", + count, evt->length); + return IRQ_NONE; + } + evt->count = count; evt->flags |= DWC3_EVENT_PENDING; -- 2.49.0

2 months, 2 weeks

2
1
0 0

[PATCH v2] usb: dwc3: gadget: check that event count does not exceed event buffer length

by Frode Isaksen

From: Frode Isaksen <frode(a)meta.com> The event count is read from register DWC3_GEVNTCOUNT. There is a check for the count being zero, but not for exceeding the event buffer length. Check that event count does not exceed event buffer length, avoiding an out-of-bounds access when memcpy'ing the event. Crash log: Unable to handle kernel paging request at virtual address ffffffc0129be000 pc : __memcpy+0x114/0x180 lr : dwc3_check_event_buf+0xec/0x348 x3 : 0000000000000030 x2 : 000000000000dfc4 x1 : ffffffc0129be000 x0 : ffffff87aad60080 Call trace: __memcpy+0x114/0x180 dwc3_interrupt+0x24/0x34 Signed-off-by: Frode Isaksen <frode(a)meta.com> Fixes: ebbb2d59398f ("usb: dwc3: gadget: use evt->cache for processing events") Cc: stable(a)vger.kernel.org --- v1 -> v2: Added Fixes and Cc tag. This bug was discovered, tested and fixed (no more crashes seen) on Meta Quest 3 device. Also tested on T.I. AM62x board. drivers/usb/dwc3/gadget.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 63fef4a1a498..548e112167f3 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -4564,7 +4564,7 @@ static irqreturn_t dwc3_check_event_buf(struct dwc3_event_buffer *evt) count = dwc3_readl(dwc->regs, DWC3_GEVNTCOUNT(0)); count &= DWC3_GEVNTCOUNT_MASK; - if (!count) + if (!count || count > evt->length) return IRQ_NONE; evt->count = count; -- 2.48.1

2 months, 2 weeks

3
7
0 0

[PATCH 5.15.y] smb: client: fix use-after-free bug in cifs_debug_data_proc_show()

by Xiangyu Chen

From: Paulo Alcantara <pc(a)manguebit.com> commit d328c09ee9f15ee5a26431f5aad7c9239fa85e62 upstream. Skip SMB sessions that are being teared down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... [ 816.260138] Call Trace: [ 816.260329] <TASK> [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [ 816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381 Cc: stable(a)vger.kernel.org Signed-off-by: Paulo Alcantara (SUSE) <pc(a)manguebit.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> [ This patch removed lock/unlock operation due to ses_lock is not present in v5.15 and not ported yet. ses->status is protected by a global lock, cifs_tcp_ses_lock, in v5.15. ] Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified build test. --- fs/cifs/cifs_debug.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c index e7501533c2ec..c90f51c12fb0 100644 --- a/fs/cifs/cifs_debug.c +++ b/fs/cifs/cifs_debug.c @@ -380,6 +380,8 @@ static int cifs_debug_data_proc_show(struct seq_file *m, void *v) list_for_each(tmp2, &server->smb_ses_list) { ses = list_entry(tmp2, struct cifs_ses, smb_ses_list); + if (ses->status == CifsExiting) + continue; i++; if ((ses->serverDomain == NULL) || (ses->serverOS == NULL) || -- 2.43.0

2 months, 2 weeks

2
1
0 0

[PATCH 5.10.y] smb: client: fix use-after-free bug in cifs_debug_data_proc_show()

by Xiangyu Chen

From: Paulo Alcantara <pc(a)manguebit.com> commit d328c09ee9f15ee5a26431f5aad7c9239fa85e62 upstream. Skip SMB sessions that are being teared down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... [ 816.260138] Call Trace: [ 816.260329] <TASK> [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [ 816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381 Cc: stable(a)vger.kernel.org Signed-off-by: Paulo Alcantara (SUSE) <pc(a)manguebit.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> [ This patch removed lock/unlock operation due to ses_lock is not present in v5.10 and not ported yet. ses->status is protected by a global lock, cifs_tcp_ses_lock, in v5.10. ] Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test. --- fs/cifs/cifs_debug.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c index 53588d7517b4..5ec4788341c2 100644 --- a/fs/cifs/cifs_debug.c +++ b/fs/cifs/cifs_debug.c @@ -356,6 +356,8 @@ static int cifs_debug_data_proc_show(struct seq_file *m, void *v) list_for_each(tmp2, &server->smb_ses_list) { ses = list_entry(tmp2, struct cifs_ses, smb_ses_list); + if (ses->status == CifsExiting) + continue; if ((ses->serverDomain == NULL) || (ses->serverOS == NULL) || (ses->serverNOS == NULL)) { -- 2.43.0

2 months, 2 weeks

2
1
0 0

[PATCH 5.10.y] i2c: dev: check return value when calling dev_set_name()

by Feng Liu

From: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> [ Upstream commit 993eb48fa199b5f476df8204e652eff63dd19361 ] If dev_set_name() fails, the dev_name() is null, check the return value of dev_set_name() to avoid the null-ptr-deref. Fixes: 1413ef638aba ("i2c: dev: Fix the race between the release of i2c_dev and cdev") Signed-off-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Signed-off-by: Wolfram Sang <wsa(a)kernel.org> Signed-off-by: Feng Liu <Feng.Liu3(a)windriver.com> Signed-off-by: He Zhe <Zhe.He(a)windriver.com> --- Verified the build test. --- drivers/i2c/i2c-dev.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c index dafad891998e..f0bd4ae19df6 100644 --- a/drivers/i2c/i2c-dev.c +++ b/drivers/i2c/i2c-dev.c @@ -669,17 +669,22 @@ static int i2cdev_attach_adapter(struct device *dev, void *dummy) i2c_dev->dev.class = i2c_dev_class; i2c_dev->dev.parent = &adap->dev; i2c_dev->dev.release = i2cdev_dev_release; - dev_set_name(&i2c_dev->dev, "i2c-%d", adap->nr); + + res = dev_set_name(&i2c_dev->dev, "i2c-%d", adap->nr); + if (res) + goto err_put_i2c_dev; res = cdev_device_add(&i2c_dev->cdev, &i2c_dev->dev); - if (res) { - put_i2c_dev(i2c_dev, false); - return res; - } + if (res) + goto err_put_i2c_dev; pr_debug("i2c-dev: adapter [%s] registered as minor %d\n", adap->name, adap->nr); return 0; + +err_put_i2c_dev: + put_i2c_dev(i2c_dev, false); + return res; } static int i2cdev_detach_adapter(struct device *dev, void *dummy) -- 2.34.1

2 months, 2 weeks

2
1
0 0

[PATCH 5.10.y] bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers

by Cliff Liu

From: Hou Tao <houtao1(a)huawei.com> [ Upstream commit 169410eba271afc9f0fb476d996795aa26770c6d ] These three bpf_map_{lookup,update,delete}_elem() helpers are also available for sleepable bpf program, so add the corresponding lock assertion for sleepable bpf program, otherwise the following warning will be reported when a sleepable bpf program manipulates bpf map under interpreter mode (aka bpf_jit_enable=0): WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 ...... CPU: 3 PID: 4985 Comm: test_progs Not tainted 6.6.0+ #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ...... RIP: 0010:bpf_map_lookup_elem+0x54/0x60 ...... Call Trace: <TASK> ? __warn+0xa5/0x240 ? bpf_map_lookup_elem+0x54/0x60 ? report_bug+0x1ba/0x1f0 ? handle_bug+0x40/0x80 ? exc_invalid_op+0x18/0x50 ? asm_exc_invalid_op+0x1b/0x20 ? __pfx_bpf_map_lookup_elem+0x10/0x10 ? rcu_lockdep_current_cpu_online+0x65/0xb0 ? rcu_is_watching+0x23/0x50 ? bpf_map_lookup_elem+0x54/0x60 ? __pfx_bpf_map_lookup_elem+0x10/0x10 ___bpf_prog_run+0x513/0x3b70 __bpf_prog_run32+0x9d/0xd0 ? __bpf_prog_enter_sleepable_recur+0xad/0x120 ? __bpf_prog_enter_sleepable_recur+0x3e/0x120 bpf_trampoline_6442580665+0x4d/0x1000 __x64_sys_getpgid+0x5/0x30 ? do_syscall_64+0x36/0xb0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 </TASK> Signed-off-by: Hou Tao <houtao1(a)huawei.com> Link: https://lore.kernel.org/r/20231204140425.1480317-2-houtao@huaweicloud.com Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> [Minor conflict resolved due to code context change.] Signed-off-by: Cliff Liu <donghua.liu(a)windriver.com> Signed-off-by: He Zhe <Zhe.He(a)windriver.com> --- Verified the build test. --- kernel/bpf/helpers.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c index 31e3a5482156..238a51daefa4 100644 --- a/kernel/bpf/helpers.c +++ b/kernel/bpf/helpers.c @@ -3,6 +3,7 @@ */ #include <linux/bpf.h> #include <linux/rcupdate.h> +#include <linux/rcupdate_trace.h> #include <linux/random.h> #include <linux/smp.h> #include <linux/topology.h> @@ -24,12 +25,12 @@ * * Different map implementations will rely on rcu in map methods * lookup/update/delete, therefore eBPF programs must run under rcu lock - * if program is allowed to access maps, so check rcu_read_lock_held in - * all three functions. + * if program is allowed to access maps, so check rcu_read_lock_held() or + * rcu_read_lock_trace_held() in all three functions. */ BPF_CALL_2(bpf_map_lookup_elem, struct bpf_map *, map, void *, key) { - WARN_ON_ONCE(!rcu_read_lock_held()); + WARN_ON_ONCE(!rcu_read_lock_held() && !rcu_read_lock_trace_held()); return (unsigned long) map->ops->map_lookup_elem(map, key); } @@ -45,7 +46,7 @@ const struct bpf_func_proto bpf_map_lookup_elem_proto = { BPF_CALL_4(bpf_map_update_elem, struct bpf_map *, map, void *, key, void *, value, u64, flags) { - WARN_ON_ONCE(!rcu_read_lock_held()); + WARN_ON_ONCE(!rcu_read_lock_held() && !rcu_read_lock_trace_held()); return map->ops->map_update_elem(map, key, value, flags); } @@ -62,7 +63,7 @@ const struct bpf_func_proto bpf_map_update_elem_proto = { BPF_CALL_2(bpf_map_delete_elem, struct bpf_map *, map, void *, key) { - WARN_ON_ONCE(!rcu_read_lock_held()); + WARN_ON_ONCE(!rcu_read_lock_held() && !rcu_read_lock_trace_held()); return map->ops->map_delete_elem(map, key); } -- 2.34.1

2 months, 2 weeks

2
1
0 0

[PATCH v2 2/2] Revert "smb: client: fix TCP timers deadlock after rmmod"

by Kuniyuki Iwashima

This reverts commit e9f2517a3e18a54a3943c098d2226b245d488801. Commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock after rmmod") is intended to fix a null-ptr-deref in LOCKDEP, which is mentioned as CVE-2024-54680, but is actually did not fix anything; The issue can be reproduced on top of it. [0] Also, it reverted the change by commit ef7134c7fc48 ("smb: client: Fix use-after-free of network namespace.") and introduced a real issue by reviving the kernel TCP socket. When a reconnect happens for a CIFS connection, the socket state transitions to FIN_WAIT_1. Then, inet_csk_clear_xmit_timers_sync() in tcp_close() stops all timers for the socket. If an incoming FIN packet is lost, the socket will stay at FIN_WAIT_1 forever, and such sockets could be leaked up to net.ipv4.tcp_max_orphans. Usually, FIN can be retransmitted by the peer, but if the peer aborts the connection, the issue comes into reality. I warned about this privately by pointing out the exact report [1], but the bogus fix was finally merged. So, we should not stop the timers to finally kill the connection on our side in that case, meaning we must not use a kernel socket for TCP whose sk->sk_net_refcnt is 0. The kernel socket does not have a reference to its netns to make it possible to tear down netns without cleaning up every resource in it. For example, tunnel devices use a UDP socket internally, but we can destroy netns without removing such devices and let it complete during exit. Otherwise, netns would be leaked when the last application died. However, this is problematic for TCP sockets because TCP has timers to close the connection gracefully even after the socket is close()d. The lifetime of the socket and its netns is different from the lifetime of the underlying connection. If the socket user does not maintain the netns lifetime, the timer could be fired after the socket is close()d and its netns is freed up, resulting in use-after-free. Actually, we have seen so many similar issues and converted such sockets to have a reference to netns. That's why I converted the CIFS client socket to have a reference to netns (sk->sk_net_refcnt == 1), which is somehow mentioned as out-of-scope of CIFS and technically wrong in e9f2517a3e18, but **is in-scope and right fix**. Regarding the LOCKDEP issue, we can prevent the module unload by bumping the module refcount when switching the LOCKDDEP key in sock_lock_init_class_and_name(). [2] For a while, let's revert the bogus fix. Note that now we can use sk_net_refcnt_upgrade() for the socket conversion, but I'll do so later separately to make backport easy. Link: https://lore.kernel.org/all/20250402020807.28583-1-kuniyu@amazon.com/ #[0] Link: https://lore.kernel.org/netdev/c08bd5378da647a2a4c16698125d180a@huawei.com/ #[1] Link: https://lore.kernel.org/lkml/20250402005841.19846-1-kuniyu@amazon.com/ #[2] Fixes: e9f2517a3e18 ("smb: client: fix TCP timers deadlock after rmmod") Signed-off-by: Kuniyuki Iwashima <kuniyu(a)amazon.com> Cc: stable(a)vger.kernel.org --- fs/smb/client/connect.c | 36 ++++++++++-------------------------- 1 file changed, 10 insertions(+), 26 deletions(-) diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c index 137a611c5ab0..989d8808260b 100644 --- a/fs/smb/client/connect.c +++ b/fs/smb/client/connect.c @@ -1073,13 +1073,9 @@ clean_demultiplex_info(struct TCP_Server_Info *server) msleep(125); if (cifs_rdma_enabled(server)) smbd_destroy(server); - if (server->ssocket) { sock_release(server->ssocket); server->ssocket = NULL; - - /* Release netns reference for the socket. */ - put_net(cifs_net_ns(server)); } if (!list_empty(&server->pending_mid_q)) { @@ -1127,7 +1123,6 @@ clean_demultiplex_info(struct TCP_Server_Info *server) */ } - /* Release netns reference for this server. */ put_net(cifs_net_ns(server)); kfree(server->leaf_fullpath); kfree(server->hostname); @@ -1773,8 +1768,6 @@ cifs_get_tcp_session(struct smb3_fs_context *ctx, tcp_ses->ops = ctx->ops; tcp_ses->vals = ctx->vals; - - /* Grab netns reference for this server. */ cifs_set_net_ns(tcp_ses, get_net(current->nsproxy->net_ns)); tcp_ses->sign = ctx->sign; @@ -1902,7 +1895,6 @@ cifs_get_tcp_session(struct smb3_fs_context *ctx, out_err_crypto_release: cifs_crypto_secmech_release(tcp_ses); - /* Release netns reference for this server. */ put_net(cifs_net_ns(tcp_ses)); out_err: @@ -1911,10 +1903,8 @@ cifs_get_tcp_session(struct smb3_fs_context *ctx, cifs_put_tcp_session(tcp_ses->primary_server, false); kfree(tcp_ses->hostname); kfree(tcp_ses->leaf_fullpath); - if (tcp_ses->ssocket) { + if (tcp_ses->ssocket) sock_release(tcp_ses->ssocket); - put_net(cifs_net_ns(tcp_ses)); - } kfree(tcp_ses); } return ERR_PTR(rc); @@ -3356,20 +3346,20 @@ generic_ip_connect(struct TCP_Server_Info *server) socket = server->ssocket; } else { struct net *net = cifs_net_ns(server); + struct sock *sk; - rc = sock_create_kern(net, sfamily, SOCK_STREAM, IPPROTO_TCP, &server->ssocket); + rc = __sock_create(net, sfamily, SOCK_STREAM, + IPPROTO_TCP, &server->ssocket, 1); if (rc < 0) { cifs_server_dbg(VFS, "Error %d creating socket\n", rc); return rc; } - /* - * Grab netns reference for the socket. - * - * It'll be released here, on error, or in clean_demultiplex_info() upon server - * teardown. - */ - get_net(net); + sk = server->ssocket->sk; + __netns_tracker_free(net, &sk->ns_tracker, false); + sk->sk_net_refcnt = 1; + get_net_track(net, &sk->ns_tracker, GFP_KERNEL); + sock_inuse_add(net, 1); /* BB other socket options to set KEEPALIVE, NODELAY? */ cifs_dbg(FYI, "Socket created\n"); @@ -3383,10 +3373,8 @@ generic_ip_connect(struct TCP_Server_Info *server) } rc = bind_socket(server); - if (rc < 0) { - put_net(cifs_net_ns(server)); + if (rc < 0) return rc; - } /* * Eventually check for other socket options to change from @@ -3423,7 +3411,6 @@ generic_ip_connect(struct TCP_Server_Info *server) if (rc < 0) { cifs_dbg(FYI, "Error %d connecting to server\n", rc); trace_smb3_connect_err(server->hostname, server->conn_id, &server->dstaddr, rc); - put_net(cifs_net_ns(server)); sock_release(socket); server->ssocket = NULL; return rc; @@ -3441,9 +3428,6 @@ generic_ip_connect(struct TCP_Server_Info *server) (server->rfc1001_sessinit == -1 && sport == htons(RFC1001_PORT))) rc = ip_rfc1001_connect(server); - if (rc < 0) - put_net(cifs_net_ns(server)); - return rc; } -- 2.48.1

2 months, 2 weeks

1
0
0 0

[PATCH v2 1/2] Revert "smb: client: Fix netns refcount imbalance causing leaks and use-after-free"

by Kuniyuki Iwashima

This reverts commit 4e7f1644f2ac6d01dc584f6301c3b1d5aac4eaef. The commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock after rmmod") is not only a bogus fix for LOCKDEP null-ptr-deref but also introduces a real issue, TCP sockets leak, which will be explained in detail in the next revert. Also, CNA assigned CVE-2024-54680 to it but is rejecting it. [0] Thus, we are reverting the commit and its follow-up commit 4e7f1644f2ac ("smb: client: Fix netns refcount imbalance causing leaks and use-after-free"). Link: https://lore.kernel.org/all/2025040248-tummy-smilingly-4240@gregkh/ #[0] Fixes: 4e7f1644f2ac ("smb: client: Fix netns refcount imbalance causing leaks and use-after-free") Signed-off-by: Kuniyuki Iwashima <kuniyu(a)amazon.com> Cc: stable(a)vger.kernel.org --- fs/smb/client/connect.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c index 10a7c28d2d44..137a611c5ab0 100644 --- a/fs/smb/client/connect.c +++ b/fs/smb/client/connect.c @@ -300,7 +300,6 @@ cifs_abort_connection(struct TCP_Server_Info *server) server->ssocket->flags); sock_release(server->ssocket); server->ssocket = NULL; - put_net(cifs_net_ns(server)); } server->sequence_number = 0; server->session_estab = false; @@ -3367,12 +3366,8 @@ generic_ip_connect(struct TCP_Server_Info *server) /* * Grab netns reference for the socket. * - * This reference will be released in several situations: - * - In the failure path before the cifsd thread is started. - * - In the all place where server->socket is released, it is - * also set to NULL. - * - Ultimately in clean_demultiplex_info(), during the final - * teardown. + * It'll be released here, on error, or in clean_demultiplex_info() upon server + * teardown. */ get_net(net); @@ -3388,8 +3383,10 @@ generic_ip_connect(struct TCP_Server_Info *server) } rc = bind_socket(server); - if (rc < 0) + if (rc < 0) { + put_net(cifs_net_ns(server)); return rc; + } /* * Eventually check for other socket options to change from @@ -3444,6 +3441,9 @@ generic_ip_connect(struct TCP_Server_Info *server) (server->rfc1001_sessinit == -1 && sport == htons(RFC1001_PORT))) rc = ip_rfc1001_connect(server); + if (rc < 0) + put_net(cifs_net_ns(server)); + return rc; } -- 2.48.1

2 months, 2 weeks

1
0
0 0

[PATCH net 1/5] igc: Fix XSK queue NAPI ID mapping

by Tony Nguyen

From: Joe Damato <jdamato(a)fastly.com> In commit b65969856d4f ("igc: Link queues to NAPI instances"), the XSK queues were incorrectly unmapped from their NAPI instances. After discussion on the mailing list and the introduction of a test to codify the expected behavior, we can see that the unmapping causes the check_xsk test to fail: NETIF=enp86s0 ./tools/testing/selftests/drivers/net/queues.py [...] # Check| ksft_eq(q.get('xsk', None), {}, # Check failed None != {} xsk attr on queue we configured not ok 4 queues.check_xsk After this commit, the test passes: ok 4 queues.check_xsk Note that the test itself is only in net-next, so I tested this change by applying it to my local net-next tree, booting, and running the test. Cc: stable(a)vger.kernel.org Fixes: b65969856d4f ("igc: Link queues to NAPI instances") Signed-off-by: Joe Damato <jdamato(a)fastly.com> Reviewed-by: Gerhard Engleder <gerhard(a)engleder-embedded.com> Tested-by: Mor Bar-Gabay <morx.bar.gabay(a)intel.com> Signed-off-by: Tony Nguyen <anthony.l.nguyen(a)intel.com> --- drivers/net/ethernet/intel/igc/igc.h | 2 -- drivers/net/ethernet/intel/igc/igc_main.c | 4 ++-- drivers/net/ethernet/intel/igc/igc_xdp.c | 2 -- 3 files changed, 2 insertions(+), 6 deletions(-) diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h index cd1d7b6c1782..c35cc5cb1185 100644 --- a/drivers/net/ethernet/intel/igc/igc.h +++ b/drivers/net/ethernet/intel/igc/igc.h @@ -337,8 +337,6 @@ struct igc_adapter { struct igc_led_classdev *leds; }; -void igc_set_queue_napi(struct igc_adapter *adapter, int q_idx, - struct napi_struct *napi); void igc_up(struct igc_adapter *adapter); void igc_down(struct igc_adapter *adapter); int igc_open(struct net_device *netdev); diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c index 491d942cefca..27c99ff59ed4 100644 --- a/drivers/net/ethernet/intel/igc/igc_main.c +++ b/drivers/net/ethernet/intel/igc/igc_main.c @@ -5022,8 +5022,8 @@ static int igc_sw_init(struct igc_adapter *adapter) return 0; } -void igc_set_queue_napi(struct igc_adapter *adapter, int vector, - struct napi_struct *napi) +static void igc_set_queue_napi(struct igc_adapter *adapter, int vector, + struct napi_struct *napi) { struct igc_q_vector *q_vector = adapter->q_vector[vector]; diff --git a/drivers/net/ethernet/intel/igc/igc_xdp.c b/drivers/net/ethernet/intel/igc/igc_xdp.c index c538e6b18aad..9eb47b4beb06 100644 --- a/drivers/net/ethernet/intel/igc/igc_xdp.c +++ b/drivers/net/ethernet/intel/igc/igc_xdp.c @@ -97,7 +97,6 @@ static int igc_xdp_enable_pool(struct igc_adapter *adapter, napi_disable(napi); } - igc_set_queue_napi(adapter, queue_id, NULL); set_bit(IGC_RING_FLAG_AF_XDP_ZC, &rx_ring->flags); set_bit(IGC_RING_FLAG_AF_XDP_ZC, &tx_ring->flags); @@ -147,7 +146,6 @@ static int igc_xdp_disable_pool(struct igc_adapter *adapter, u16 queue_id) xsk_pool_dma_unmap(pool, IGC_RX_DMA_ATTR); clear_bit(IGC_RING_FLAG_AF_XDP_ZC, &rx_ring->flags); clear_bit(IGC_RING_FLAG_AF_XDP_ZC, &tx_ring->flags); - igc_set_queue_napi(adapter, queue_id, napi); if (needs_reset) { napi_enable(napi); -- 2.47.1

2 months, 2 weeks

1
0
0 0

[PATCH 08/16] drm/amd/display: Add HP Elitebook 645 to the quirk list for eDP on DP1

by Roman.Li＠amd.com

From: Mario Limonciello <mario.limonciello(a)amd.com> [Why] HP Elitebook 645 has DP0 and DP1 swapped. [How] Add HP Elitebook 645 to DP0/DP1 swap quirk list. Cc: stable(a)vger.kernel.org Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3701 Reviewed-by: Alex Hung <alex.hung(a)amd.com> Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> Signed-off-by: Roman Li <roman.li(a)amd.com> --- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index b2bb2f92db00..8665bd3cb75a 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -1760,6 +1760,13 @@ static const struct dmi_system_id dmi_quirk_table[] = { DMI_MATCH(DMI_PRODUCT_NAME, "HP Elite mt645 G8 Mobile Thin Client"), }, }, + { + .callback = edp0_on_dp1_callback, + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "HP"), + DMI_MATCH(DMI_PRODUCT_NAME, "HP EliteBook 645 14 inch G11 Notebook PC"), + }, + }, { .callback = edp0_on_dp1_callback, .matches = { -- 2.34.1

2 months, 2 weeks

1
0
0 0

[PATCH 07/16] drm/amd/display: Add HP Probook 445 and 465 to the quirk list for eDP on DP1

by Roman.Li＠amd.com

From: Mario Limonciello <mario.limonciello(a)amd.com> [Why] HP Probook 445 and 465 has DP0 and DP1 swapped. [How] Add HP Probook 445 and 465 to DP0/DP1 swap quirk list. Cc: stable(a)vger.kernel.org Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3995 Reviewed-by: Alex Hung <alex.hung(a)amd.com> Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> Signed-off-by: Roman Li <roman.li(a)amd.com> Tested-by: Anson Tsao <anson.tsao(a)amd.com> --- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index 7cfb6fb89fca..b2bb2f92db00 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -1767,6 +1767,20 @@ static const struct dmi_system_id dmi_quirk_table[] = { DMI_MATCH(DMI_PRODUCT_NAME, "HP EliteBook 665 16 inch G11 Notebook PC"), }, }, + { + .callback = edp0_on_dp1_callback, + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "HP"), + DMI_MATCH(DMI_PRODUCT_NAME, "HP ProBook 445 14 inch G11 Notebook PC"), + }, + }, + { + .callback = edp0_on_dp1_callback, + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "HP"), + DMI_MATCH(DMI_PRODUCT_NAME, "HP ProBook 465 16 inch G11 Notebook PC"), + }, + }, {} /* TODO: refactor this from a fixed table to a dynamic option */ }; -- 2.34.1

2 months, 2 weeks

1
0
0 0

[PATCH v6 4/4] ring-buffer: Use flush_kernel_vmap_range() over flush_dcache_folio()

by Steven Rostedt

From: Steven Rostedt <rostedt(a)goodmis.org> Some architectures do not have data cache coherency between user and kernel space. For these architectures, the cache needs to be flushed on both the kernel and user addresses so that user space can see the updates the kernel has made. Instead of using flush_dcache_folio() and playing with virt_to_folio() within the call to that function, use flush_kernel_vmap_range() which takes the virtual address and does the work for those architectures that need it. This also fixes a bug where the flush of the reader page only flushed one page. If the sub-buffer order is 1 or more, where the sub-buffer size would be greater than a page, it would miss the rest of the sub-buffer content, as the "reader page" is not just a page, but the size of a sub-buffer. Link: https://lore.kernel.org/all/CAG48ez3w0my4Rwttbc5tEbNsme6tc0mrSN95thjXUFaJ3a… Cc: stable(a)vger.kernel.org Fixes: 117c39200d9d7 ("ring-buffer: Introducing ring-buffer mapping functions"); Suggested-by: Jann Horn <jannh(a)google.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/ring_buffer.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c index f25966b3a1fc..d4b0f7b55cce 100644 --- a/kernel/trace/ring_buffer.c +++ b/kernel/trace/ring_buffer.c @@ -6016,7 +6016,7 @@ static void rb_update_meta_page(struct ring_buffer_per_cpu *cpu_buffer) meta->read = cpu_buffer->read; /* Some archs do not have data cache coherency between kernel and user-space */ - flush_dcache_folio(virt_to_folio(cpu_buffer->meta_page)); + flush_kernel_vmap_range(cpu_buffer->meta_page, PAGE_SIZE); } static void @@ -7319,7 +7319,8 @@ int ring_buffer_map_get_reader(struct trace_buffer *buffer, int cpu) out: /* Some archs do not have data cache coherency between kernel and user-space */ - flush_dcache_folio(virt_to_folio(cpu_buffer->reader_page->page)); + flush_kernel_vmap_range(cpu_buffer->reader_page->page, + buffer->subbuf_size + BUF_PAGE_HDR_SIZE); rb_update_meta_page(cpu_buffer); -- 2.47.2

2 months, 2 weeks

1
0
0 0

[PATCH] nilfs2: Add pointer check for nilfs_direct_propagate()

by Wentao Liang

In nilfs_direct_propagate(), the printer get from nilfs_direct_get_ptr() need to be checked to ensure it is not an invalid pointer. A proper implementation can be found in nilfs_direct_delete(). Add a value check and return -ENOENT when it is an invalid pointer. Fixes: 10ff885ba6f5 ("nilfs2: get rid of nilfs_direct uses") Cc: stable(a)vger.kernel.org # v2.6+ Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- fs/nilfs2/direct.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/nilfs2/direct.c b/fs/nilfs2/direct.c index 893ab36824cc..ff1c9fe72bec 100644 --- a/fs/nilfs2/direct.c +++ b/fs/nilfs2/direct.c @@ -273,6 +273,9 @@ static int nilfs_direct_propagate(struct nilfs_bmap *bmap, dat = nilfs_bmap_get_dat(bmap); key = nilfs_bmap_data_get_key(bmap, bh); ptr = nilfs_direct_get_ptr(bmap, key); + if (ptr == NILFS_BMAP_INVALID_PTR) + return -ENOENT; + if (!buffer_nilfs_volatile(bh)) { oldreq.pr_entry_nr = ptr; newreq.pr_entry_nr = ptr; -- 2.42.0.windows.2

2 months, 2 weeks

2
1
0 0

[PATCH] rtlwifi: rtl892cu: Set limit for pwdb_all

by Wentao Liang

In _rtl92c_query_rxphystatus(), the return rtl_query_rxpwrpercentage() need to be checked. A proper implementation can be found in _rtl8723be_query_rxphystatus(). Add a value check and set the limit of pwdb_add as 100. Fixes: 666e8457fae4 ("rtlwifi: rtl8192cu: Add routine mac") Cc: stable(a)vger.kernel.org # v2.6+ Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- drivers/net/wireless/realtek/rtlwifi/rtl8192cu/mac.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/mac.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/mac.c index a76f2dc8a977..e2145f284ec0 100644 --- a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/mac.c +++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/mac.c @@ -641,6 +641,9 @@ static void _rtl92c_query_rxphystatus(struct ieee80211_hw *hw, } } pwdb_all = rtl_query_rxpwrpercentage(rx_pwr_all); + if (pwdb_all > 100) + pwdb_all = 100; + pstats->rx_pwdb_all = pwdb_all; pstats->recvsignalpower = rx_pwr_all; if (packet_match_bssid) { -- 2.42.0.windows.2

2 months, 2 weeks

2
1
0 0

[PATCH v4 1/1] usbnet:fix NPE during rx_complete

by Ying Lu

From: Ying Lu <luying1(a)xiaomi.com> Missing usbnet_going_away Check in Critical Path. The usb_submit_urb function lacks a usbnet_going_away validation, whereas __usbnet_queue_skb includes this check. This inconsistency creates a race condition where: A URB request may succeed, but the corresponding SKB data fails to be queued. Subsequent processes: (e.g., rx_complete → defer_bh → __skb_unlink(skb, list)) attempt to access skb->next, triggering a NULL pointer dereference (Kernel Panic). Fixes: 04e906839a05 ("usbnet: fix cyclical race on disconnect with work queue") Cc: stable(a)vger.kernel.org Signed-off-by: Ying Lu <luying1(a)xiaomi.com> --- drivers/net/usb/usbnet.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c index 44179f4e807f..5161bb5d824b 100644 --- a/drivers/net/usb/usbnet.c +++ b/drivers/net/usb/usbnet.c @@ -519,7 +519,8 @@ static int rx_submit (struct usbnet *dev, struct urb *urb, gfp_t flags) netif_device_present (dev->net) && test_bit(EVENT_DEV_OPEN, &dev->flags) && !test_bit (EVENT_RX_HALT, &dev->flags) && - !test_bit (EVENT_DEV_ASLEEP, &dev->flags)) { + !test_bit (EVENT_DEV_ASLEEP, &dev->flags) && + !usbnet_going_away(dev)) { switch (retval = usb_submit_urb (urb, GFP_ATOMIC)) { case -EPIPE: usbnet_defer_kevent (dev, EVENT_RX_HALT); @@ -540,8 +541,7 @@ static int rx_submit (struct usbnet *dev, struct urb *urb, gfp_t flags) tasklet_schedule (&dev->bh); break; case 0: - if (!usbnet_going_away(dev)) - __usbnet_queue_skb(&dev->rxq, skb, rx_start); + __usbnet_queue_skb(&dev->rxq, skb, rx_start); } } else { netif_dbg(dev, ifdown, dev->net, "rx: stopped\n"); -- 2.49.0

2 months, 2 weeks

1
0
0 0

[PATCH] Bluetooth: Revert vendor-specific ISO classification for

by Sean Rhodes

From ccabbdd36dacc3e03ed819b4b050ebcc1978e311 Mon Sep 17 00:00:00 2001 From: Sean Rhodes <sean(a)starlabs.systems> Date: Wed, 2 Apr 2025 09:05:17 +0100 Subject: [PATCH] Bluetooth: Revert vendor-specific ISO classification for non-offload cards This reverts commit f25b7fd36cc3a850e006aed686f5bbecd200de1b. The commit introduces vendor-specific classification of ISO data, but breaks Bluetooth functionality on certain Intel cards that do not support audio offload, such as the 9462. Affected devices are unable to discover new Bluetooth peripherals, and previously paired devices fail to reconnect. This issue does not affect newer cards (e.g., AX201+) that support audio offload. A conditional check using AOLD() could be used in the future to reintroduce this behavior only on supported hardware. Cc: Ying Hsu <yinghsu(a)chromium.org> Cc: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Sean Rhodes <sean(a)starlabs.systems> --- drivers/bluetooth/btintel.c | 7 ++----- include/net/bluetooth/hci_core.h | 1 - net/bluetooth/hci_core.c | 16 ---------------- 3 files changed, 2 insertions(+), 22 deletions(-) diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c index 48e2f400957b..2114fe8d527e 100644 --- a/drivers/bluetooth/btintel.c +++ b/drivers/bluetooth/btintel.c @@ -3588,15 +3588,12 @@ static int btintel_setup_combined(struct hci_dev *hdev) err = btintel_bootloader_setup(hdev, &ver); btintel_register_devcoredump_support(hdev); break; - case 0x18: /* GfP2 */ - case 0x1c: /* GaP */ - /* Re-classify packet type for controllers with LE audio */ - hdev->classify_pkt_type = btintel_classify_pkt_type; - fallthrough; case 0x17: + case 0x18: case 0x19: case 0x1b: case 0x1d: + case 0x1c: case 0x1e: case 0x1f: /* Display version information of TLV type */ diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h index 5115da34f881..d1a4436e4cc3 100644 --- a/include/net/bluetooth/hci_core.h +++ b/include/net/bluetooth/hci_core.h @@ -646,7 +646,6 @@ struct hci_dev { int (*get_codec_config_data)(struct hci_dev *hdev, __u8 type, struct bt_codec *codec, __u8 *vnd_len, __u8 **vnd_data); - u8 (*classify_pkt_type)(struct hci_dev *hdev, struct sk_buff *skb); }; #define HCI_PHY_HANDLE(handle) (handle & 0xff) diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index 5eb0600bbd03..5b7515703ad1 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -2868,31 +2868,15 @@ int hci_reset_dev(struct hci_dev *hdev) } EXPORT_SYMBOL(hci_reset_dev); -static u8 hci_dev_classify_pkt_type(struct hci_dev *hdev, struct sk_buff *skb) -{ - if (hdev->classify_pkt_type) - return hdev->classify_pkt_type(hdev, skb); - - return hci_skb_pkt_type(skb); -} - /* Receive frame from HCI drivers */ int hci_recv_frame(struct hci_dev *hdev, struct sk_buff *skb) { - u8 dev_pkt_type; - if (!hdev || (!test_bit(HCI_UP, &hdev->flags) && !test_bit(HCI_INIT, &hdev->flags))) { kfree_skb(skb); return -ENXIO; } - /* Check if the driver agree with packet type classification */ - dev_pkt_type = hci_dev_classify_pkt_type(hdev, skb); - if (hci_skb_pkt_type(skb) != dev_pkt_type) { - hci_skb_pkt_type(skb) = dev_pkt_type; - } - switch (hci_skb_pkt_type(skb)) { case HCI_EVENT_PKT: break; -- 2.45.2

2 months, 2 weeks

2
1
0 0

[PATCH v2] HID: wacom: fix shift OOB in kfifo allocation for zero pktlen

by Qasim Ijaz

During wacom_parse_and_register() the code calls wacom_devm_kfifo_alloc to allocate a fifo. During this operation it passes kfifo_alloc a fifo_size of 0. Kfifo attempts to round the size passed to it to the next power of 2 via roundup_pow_of_two (queue-type data structures do this to maintain efficiency of operations). However during this phase a problem arises when the roundup_pow_of_two() function utilises a shift exponent of fls_long(n-1), where n is the fifo_size. Since n is 0 in this case and n is also an unsigned long, doing n-1 causes unsigned integer wrap-around to occur making the fifo_size 4294967295. So the code effectively does fls_long(4294967295) which results in 64. Returning back to roundup_pow_of_two(), the code utilises a shift exponent of 64. When a shift exponent of 64 is used on a 64-bit type such as 1UL it results in a shift-out-of-bounds. The root cause of the issue seems to stem from insufficient validation of wacom_compute_pktlen(), since in this case the fifo_size comes from wacom_wac->features.pktlen. During wacom_parse_and_register() the wacom_compute_pktlen() function sets the pktlen as 0. To fix this, we should handle cases where wacom_compute_pktlen() results in 0. Reported-by: syzbot <syzbot+d5204cbbdd921f1f7cad(a)syzkaller.appspotmail.com> Closes: https://syzkaller.appspot.com/bug?extid=d5204cbbdd921f1f7cad Fixes: 5e013ad20689 ("HID: wacom: Remove static WACOM_PKGLEN_MAX limit") Tested-by: Qasim Ijaz <qasdev00(a)gmail.com> Reviewed-by: Jason Gerecke <jason.gerecke(a)wacom.com> Cc: stable(a)vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> --- v2: - Added Fixes tag as suggested by Jason Gerecke drivers/hid/wacom_sys.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c index 97393a3083ca..9b2f3dbca467 100644 --- a/drivers/hid/wacom_sys.c +++ b/drivers/hid/wacom_sys.c @@ -2361,6 +2361,8 @@ static int wacom_parse_and_register(struct wacom *wacom, bool wireless) unsigned int connect_mask = HID_CONNECT_HIDRAW; features->pktlen = wacom_compute_pktlen(hdev); + if (!features->pktlen) + return -ENODEV; if (!devres_open_group(&hdev->dev, wacom, GFP_KERNEL)) return -ENOMEM; -- 2.39.5

2 months, 2 weeks

3
2
0 0

[PATCH] sound/pci: Add fixup for Star Labs laptops

by Sean Rhodes

From 427d5b100dee0c5c3a09e3e1ad095b06ebe33a8b Mon Sep 17 00:00:00 2001 From: Sean Rhodes <sean(a)starlabs.systems> Date: Wed, 2 Apr 2025 08:31:04 +0100 Subject: [PATCH] sound/pci: Add fixup for Star Labs laptops For all Star Labs boards that use Realtek cards, select ALC269_FIXUP_LIMIT_INT_MIC_BOOST to mitigate noise when the fans are active. Cc: Oder Chiou <oder_chiou(a)realtek.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Sean Rhodes <sean(a)starlabs.systems> --- sound/pci/hda/patch_realtek.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index b4fe681ec3cb..d75b09f962f9 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -10921,10 +10921,12 @@ static const struct hda_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x10cf, 0x1629, "Lifebook U7x7", ALC255_FIXUP_LIFEBOOK_U7x7_HEADSET_MIC), SND_PCI_QUIRK(0x10cf, 0x1757, "Lifebook E752", ALC269_FIXUP_LIFEBOOK_HP_PIN), SND_PCI_QUIRK(0x10cf, 0x1845, "Lifebook U904", ALC269_FIXUP_LIFEBOOK_EXTMIC), + SND_PCI_QUIRK(0x10ec, 0x10d0, "StarLabs Kaby Lake Laptop", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), SND_PCI_QUIRK(0x10ec, 0x10f2, "Intel Reference board", ALC700_FIXUP_INTEL_REFERENCE), SND_PCI_QUIRK(0x10ec, 0x118c, "Medion EE4254 MD62100", ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE), SND_PCI_QUIRK(0x10ec, 0x119e, "Positivo SU C1400", ALC269_FIXUP_ASPIRE_HEADSET_MIC), SND_PCI_QUIRK(0x10ec, 0x11bc, "VAIO VJFE-IL", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x10ec, 0x1200, "StarLabs Comet/Tiger Lake Laptop", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), SND_PCI_QUIRK(0x10ec, 0x1230, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK), SND_PCI_QUIRK(0x10ec, 0x124c, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK), SND_PCI_QUIRK(0x10ec, 0x1252, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK), @@ -11238,6 +11240,8 @@ static const struct hda_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x1d72, 0x1901, "RedmiBook 14", ALC256_FIXUP_ASUS_HEADSET_MIC), SND_PCI_QUIRK(0x1d72, 0x1945, "Redmi G", ALC256_FIXUP_ASUS_HEADSET_MIC), SND_PCI_QUIRK(0x1d72, 0x1947, "RedmiBook Air", ALC255_FIXUP_XIAOMI_HEADSET_MIC), + SND_PCI_QUIRK(0x1e50, 0x7007, "StarLabs Alder Lake Laptop", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x1e50, 0x7038, "StarLabs Meteor Lake Laptop",ALC269_FIXUP_LIMIT_INT_MIC_BOOST), SND_PCI_QUIRK(0x1f66, 0x0105, "Ayaneo Portable Game Player", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x2014, 0x800a, "Positivo ARN50", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), SND_PCI_QUIRK(0x2782, 0x0214, "VAIO VJFE-CL", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), -- 2.45.2

2 months, 2 weeks

2
1
0 0

Request for backporting c4af66a95aa3 ("cgroup/rstat: Fix forceidle time in cpu.stat")

by Tejun Heo

Hello, c4af66a95aa3 ("cgroup/rstat: Fix forceidle time in cpu.stat") fixes b824766504e4 ("cgroup/rstat: add force idle show helper") and should be backported to v6.11+ but I forgot to add the tag and the patch is currently queued in cgroup/for-6.15. Once the cgroup pull request is merged, can you please include the commit in -stable backports? Thanks. -- tejun

2 months, 2 weeks

2
2
0 0

[PATCH] PCI: Add ACS quirk for Loongson PCIe

by Huacai Chen

Loongson PCIe Root Ports don't advertise an ACS capability, but they do not allow peer-to-peer transactions between Root Ports. Add an ACS quirk so each Root Port can be in a separate IOMMU group. Cc: stable(a)vger.kernel.org Signed-off-by: Xianglai Li <lixianglai(a)loongson.cn> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- drivers/pci/quirks.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c index 8d610c17e0f2..d52ec85f3382 100644 --- a/drivers/pci/quirks.c +++ b/drivers/pci/quirks.c @@ -4995,6 +4995,18 @@ static int pci_quirk_brcm_acs(struct pci_dev *dev, u16 acs_flags) PCI_ACS_SV | PCI_ACS_RR | PCI_ACS_CR | PCI_ACS_UF); } +static int pci_quirk_loongson_acs(struct pci_dev *dev, u16 acs_flags) +{ + /* + * Loongson PCIe Root Ports don't advertise an ACS capability, but + * they do not allow peer-to-peer transactions between Root Ports. + * Allow each Root Port to be in a separate IOMMU group by masking + * SV/RR/CR/UF bits. + */ + return pci_acs_ctrl_enabled(acs_flags, + PCI_ACS_SV | PCI_ACS_RR | PCI_ACS_CR | PCI_ACS_UF); +} + /* * Wangxun 40G/25G/10G/1G NICs have no ACS capability, but on * multi-function devices, the hardware isolates the functions by @@ -5128,6 +5140,9 @@ static const struct pci_dev_acs_enabled { { PCI_VENDOR_ID_BROADCOM, 0x1762, pci_quirk_mf_endpoint_acs }, { PCI_VENDOR_ID_BROADCOM, 0x1763, pci_quirk_mf_endpoint_acs }, { PCI_VENDOR_ID_BROADCOM, 0xD714, pci_quirk_brcm_acs }, + /* Loongson PCIe Root Ports */ + { PCI_VENDOR_ID_LOONGSON, 0x3C09, pci_quirk_loongson_acs }, + { PCI_VENDOR_ID_LOONGSON, 0x3C19, pci_quirk_loongson_acs }, /* Amazon Annapurna Labs */ { PCI_VENDOR_ID_AMAZON_ANNAPURNA_LABS, 0x0031, pci_quirk_al_acs }, /* Zhaoxin multi-function devices */ -- 2.47.1

2 months, 2 weeks

1
0
0 0

[GIT PULL] virtio: features, fixes, cleanups

by Michael S. Tsirkin

The following changes since commit d082ecbc71e9e0bf49883ee4afd435a77a5101b6: Linux 6.14-rc4 (2025-02-23 12:32:57 -0800) are available in the Git repository at: https://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost.git tags/for_linus for you to fetch changes up to 9d8960672d63db4b3b04542f5622748b345c637a: vhost-scsi: Reduce response iov mem use (2025-02-25 07:10:46 -0500) ---------------------------------------------------------------- virtio: features, fixes, cleanups A small number of improvements all over the place: shutdown has been reworked to reset devices. virtio fs is now allowed in vduse. vhost-scsi memory use has been reduced. cleanups, fixes all over the place. A couple more fixes are being tested and will be merged after rc1. Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> ---------------------------------------------------------------- Eugenio Pérez (1): vduse: add virtio_fs to allowed dev id John Stultz (1): sound/virtio: Fix cancel_sync warnings on uninitialized work_structs Konstantin Shkolnyy (1): vdpa/mlx5: Fix mlx5_vdpa_get_config() endianness on big-endian machines Michael S. Tsirkin (1): virtio: break and reset virtio devices on device_shutdown() Mike Christie (9): vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint vhost-scsi: Reduce mem use by moving upages to per queue vhost-scsi: Allocate T10 PI structs only when enabled vhost-scsi: Add better resource allocation failure handling vhost-scsi: Return queue full for page alloc failures during copy vhost-scsi: Dynamically allocate scatterlists vhost-scsi: Stop duplicating se_cmd fields vhost-scsi: Allocate iov_iter used for unaligned copies when needed vhost-scsi: Reduce response iov mem use Si-Wei Liu (1): vdpa/mlx5: Fix oversized null mkey longer than 32bit Yufeng Wang (3): tools/virtio: Add DMA_MAPPING_ERROR and sg_dma_len api define for virtio test tools: virtio/linux/compiler.h: Add data_race() define. tools: virtio/linux/module.h add MODULE_DESCRIPTION() define. drivers/vdpa/mlx5/core/mr.c | 7 +- drivers/vdpa/mlx5/net/mlx5_vnet.c | 3 + drivers/vdpa/vdpa_user/vduse_dev.c | 1 + drivers/vhost/Kconfig | 1 + drivers/vhost/scsi.c | 549 +++++++++++++++++++++++-------------- drivers/virtio/virtio.c | 29 ++ sound/virtio/virtio_pcm.c | 21 +- tools/virtio/linux/compiler.h | 25 ++ tools/virtio/linux/dma-mapping.h | 13 + tools/virtio/linux/module.h | 7 + 10 files changed, 439 insertions(+), 217 deletions(-)

2 months, 2 weeks

2
1
0 0

[PATCH 6.1.y 0/7] Backported patches to fix selftest tpdir2

by Kang Wenlin

From: Wenlin Kang <wenlin.kang(a)windriver.com> The selftest tpdir2 terminated with a 'Segmentation fault' during loading. root@localhost:~# cd linux-kenel/tools/testing/selftests/arm64/abi && make root@localhost:~/linux-kernel/tools/testing/selftests/arm64/abi# ./tpidr2 Segmentation fault The cause of this is the __arch_clear_user() failure. load_elf_binary() [fs/binfmt_elf.c] -> if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bes))) -> padzero() -> clear_user() [arch/arm64/include/asm/uaccess.h] -> __arch_clear_user() [arch/arm64/lib/clear_user.S] For more details, please see: https://lore.kernel.org/lkml/1d0342f3-0474-482b-b6db-81ca7820a462@t-8ch.de/… This issue has been fixed in the mainline. Here I have backported the relevant commits for the linux-6.1.y branch and attached them. With these patches, tpdir2 works as: root@localhost:~/linux-kernel/tools/testing/selftests/arm64/abi# ./tpidr2 TAP version 13 1..5 ok 0 skipped, TPIDR2 not supported ok 1 skipped, TPIDR2 not supported ok 2 skipped, TPIDR2 not supported ok 3 skipped, TPIDR2 not supported ok 4 skipped, TPIDR2 not supported The first patch is just for alignment to apply the follow patches. This issue is resolved by the second patch. However, to ensure functional completeness, all related patches were backported according to the following link. https://lore.kernel.org/all/20230929031716.it.155-kees@kernel.org/#t Bo Liu (1): binfmt_elf: replace IS_ERR() with IS_ERR_VALUE() Eric W. Biederman (1): binfmt_elf: Support segments with 0 filesz and misaligned starts Kees Cook (5): binfmt_elf: elf_bss no longer used by load_elf_binary() binfmt_elf: Use elf_load() for interpreter binfmt_elf: Use elf_load() for library binfmt_elf: Only report padzero() errors when PROT_WRITE mm: Remove unused vm_brk() fs/binfmt_elf.c | 221 ++++++++++++++++----------------------------- include/linux/mm.h | 3 +- mm/mmap.c | 6 -- mm/nommu.c | 5 - 4 files changed, 79 insertions(+), 156 deletions(-) -- 2.39.2

2 months, 2 weeks

4
16
0 0

[PATCH] media: gspca: Add error handling for stv06xx_read_sensor()

by Wentao Liang

In hdcs_init(), the return value of stv06xx_read_sensor() needs to be checked. A proper implementation can be found in vv6410_dump(). Add a check in loop condition and propergate error code to fix this issue. Fixes: 4c98834addfe ("V4L/DVB (10048): gspca - stv06xx: New subdriver.") Cc: stable(a)vger.kernel.org # v2.6+ Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c b/drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c index 5a47dcbf1c8e..303b055fefea 100644 --- a/drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c +++ b/drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c @@ -520,12 +520,13 @@ static int hdcs_init(struct sd *sd) static int hdcs_dump(struct sd *sd) { u16 reg, val; + int err = 0; pr_info("Dumping sensor registers:\n"); - for (reg = HDCS_IDENT; reg <= HDCS_ROWEXPH; reg++) { - stv06xx_read_sensor(sd, reg, &val); + for (reg = HDCS_IDENT; reg <= HDCS_ROWEXPH && !err; reg++) { + err = stv06xx_read_sensor(sd, reg, &val); pr_info("reg 0x%02x = 0x%02x\n", reg, val); } - return 0; + return (err < 0) ? err : 0; } -- 2.42.0.windows.2

2 months, 2 weeks

1
0
0 0

[for-linus][PATCH 4/4] tracing: Verify event formats that have "%*p.."

by Steven Rostedt

From: Steven Rostedt <rostedt(a)goodmis.org> The trace event verifier checks the formats of trace events to make sure that they do not point at memory that is not in the trace event itself or in data that will never be freed. If an event references data that was allocated when the event triggered and that same data is freed before the event is read, then the kernel can crash by reading freed memory. The verifier runs at boot up (or module load) and scans the print formats of the events and checks their arguments to make sure that dereferenced pointers are safe. If the format uses "%*p.." the verifier will ignore it, and that could be dangerous. Cover this case as well. Also add to the sample code a use case of "%*pbl". Link: https://lore.kernel.org/all/bcba4d76-2c3f-4d11-baf0-02905db953dd@oracle.com/ Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Fixes: 5013f454a352c ("tracing: Add check of trace event print fmts for dereferencing pointers") Link: https://lore.kernel.org/20250327195311.2d89ec66@gandalf.local.home Reported-by: Libo Chen <libo.chen(a)oracle.com> Reviewed-by: Libo Chen <libo.chen(a)oracle.com> Tested-by: Libo Chen <libo.chen(a)oracle.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace_events.c | 7 +++++++ samples/trace_events/trace-events-sample.h | 8 ++++++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c index 8638b7f7ff85..069e92856bda 100644 --- a/kernel/trace/trace_events.c +++ b/kernel/trace/trace_events.c @@ -470,6 +470,7 @@ static void test_event_printk(struct trace_event_call *call) case '%': continue; case 'p': + do_pointer: /* Find dereferencing fields */ switch (fmt[i + 1]) { case 'B': case 'R': case 'r': @@ -498,6 +499,12 @@ static void test_event_printk(struct trace_event_call *call) continue; if (fmt[i + j] == '*') { star = true; + /* Handle %*pbl case */ + if (!j && fmt[i + 1] == 'p') { + arg++; + i++; + goto do_pointer; + } continue; } if ((fmt[i + j] == 's')) { diff --git a/samples/trace_events/trace-events-sample.h b/samples/trace_events/trace-events-sample.h index 999f78d380ae..1a05fc153353 100644 --- a/samples/trace_events/trace-events-sample.h +++ b/samples/trace_events/trace-events-sample.h @@ -319,7 +319,8 @@ TRACE_EVENT(foo_bar, __assign_cpumask(cpum, cpumask_bits(mask)); ), - TP_printk("foo %s %d %s %s %s %s %s %s (%s) (%s) %s", __entry->foo, __entry->bar, + TP_printk("foo %s %d %s %s %s %s %s %s (%s) (%s) %s [%d] %*pbl", + __entry->foo, __entry->bar, /* * Notice here the use of some helper functions. This includes: @@ -370,7 +371,10 @@ TRACE_EVENT(foo_bar, __get_str(str), __get_str(lstr), __get_bitmask(cpus), __get_cpumask(cpum), - __get_str(vstr)) + __get_str(vstr), + __get_dynamic_array_len(cpus), + __get_dynamic_array_len(cpus), + __get_dynamic_array(cpus)) ); /* -- 2.47.2

2 months, 2 weeks

1
0
0 0

[for-linus][PATCH 3/4] ftrace: Add cond_resched() to ftrace_graph_set_hash()

by Steven Rostedt

From: zhoumin <teczm(a)foxmail.com> When the kernel contains a large number of functions that can be traced, the loop in ftrace_graph_set_hash() may take a lot of time to execute. This may trigger the softlockup watchdog. Add cond_resched() within the loop to allow the kernel to remain responsive even when processing a large number of functions. This matches the cond_resched() that is used in other locations of the code that iterates over all functions that can be traced. Cc: stable(a)vger.kernel.org Fixes: b9b0c831bed26 ("ftrace: Convert graph filter to use hash tables") Link: https://lore.kernel.org/tencent_3E06CE338692017B5809534B9C5C03DA7705@qq.com Signed-off-by: zhoumin <teczm(a)foxmail.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/ftrace.c | 1 + 1 file changed, 1 insertion(+) diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c index 92015de6203d..1a48aedb5255 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -6855,6 +6855,7 @@ ftrace_graph_set_hash(struct ftrace_hash *hash, char *buffer) } } } + cond_resched(); } while_for_each_ftrace_rec(); return fail ? -EINVAL : 0; -- 2.47.2

2 months, 2 weeks

1
0
0 0

[PATCH v2] usb: dwc3: gadget: check that event count does not exceed event buffer length

by Frode Isaksen

From: Frode Isaksen <frode(a)meta.com> The event count is read from register DWC3_GEVNTCOUNT. There is a check for the count being zero, but not for exceeding the event buffer length. Check that event count does not exceed event buffer length, avoiding an out-of-bounds access when memcpy'ing the event. Crash log: Unable to handle kernel paging request at virtual address ffffffc0129be000 pc : __memcpy+0x114/0x180 lr : dwc3_check_event_buf+0xec/0x348 x3 : 0000000000000030 x2 : 000000000000dfc4 x1 : ffffffc0129be000 x0 : ffffff87aad60080 Call trace: __memcpy+0x114/0x180 dwc3_interrupt+0x24/0x34 Signed-off-by: Frode Isaksen <frode(a)meta.com> Fixes: ebbb2d59398f ("usb: dwc3: gadget: use evt->cache for processing events") Cc: stable(a)vger.kernel.org --- v1->v2: added error log drivers/usb/dwc3/gadget.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 89a4dc8ebf94..923737776d82 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -4564,6 +4564,12 @@ static irqreturn_t dwc3_check_event_buf(struct dwc3_event_buffer *evt) if (!count) return IRQ_NONE; + if (count > evt->length) { + dev_err(dwc->dev, "invalid count(%u) > evt->length(%u)\n", + count, evt->length); + return IRQ_NONE; + } + evt->count = count; evt->flags |= DWC3_EVENT_PENDING; -- 2.49.0

2 months, 2 weeks

3
2
0 0

[PATCH 3/4] drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1

by Ville Syrjala

From: Ville Syrjälä <ville.syrjala(a)linux.intel.com> The intel-media-driver is currently broken on DG1 because it uses EXEC_CAPTURE with recovarable contexts. Relax the check to allow that. I've also submitted a fix for the intel-media-driver: https://github.com/intel/media-driver/pull/1920 Cc: stable(a)vger.kernel.org Cc: Matthew Auld <matthew.auld(a)intel.com> Cc: Thomas Hellström <thomas.hellstrom(a)linux.intel.com> Fixes: 71b1669ea9bd ("drm/i915/uapi: tweak error capture on recoverable contexts") Signed-off-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> --- drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c index ca7e9216934a..ea9d5063ce78 100644 --- a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c +++ b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c @@ -2013,7 +2013,7 @@ static int eb_capture_stage(struct i915_execbuffer *eb) continue; if (i915_gem_context_is_recoverable(eb->gem_context) && - (IS_DGFX(eb->i915) || GRAPHICS_VER_FULL(eb->i915) > IP_VER(12, 0))) + GRAPHICS_VER_FULL(eb->i915) > IP_VER(12, 10)) return -EINVAL; for_each_batch_create_order(eb, j) { -- 2.45.3

2 months, 2 weeks

3
3
0 0

[PATCH v5 4/4] ring-buffer: Use flush_kernel_vmap_range() over flush_dcache_folio()

by Steven Rostedt

From: Steven Rostedt <rostedt(a)goodmis.org> Some architectures do not have data cache coherency between user and kernel space. For these architectures, the cache needs to be flushed on both the kernel and user addresses so that user space can see the updates the kernel has made. Instead of using flush_dcache_folio() and playing with virt_to_folio() within the call to that function, use flush_kernel_vmap_range() which takes the virtual address and does the work for those architectures that need it. This also fixes a bug where the flush of the reader page only flushed one page. If the sub-buffer order is 1 or more, where the sub-buffer size would be greater than a page, it would miss the rest of the sub-buffer content, as the "reader page" is not just a page, but the size of a sub-buffer. Link: https://lore.kernel.org/all/CAG48ez3w0my4Rwttbc5tEbNsme6tc0mrSN95thjXUFaJ3a… Cc: stable(a)vger.kernel.org Fixes: 117c39200d9d7 ("ring-buffer: Introducing ring-buffer mapping functions"); Suggested-by: Jann Horn <jannh(a)google.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/ring_buffer.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c index d8d7b28e2c2f..c0f877d39a24 100644 --- a/kernel/trace/ring_buffer.c +++ b/kernel/trace/ring_buffer.c @@ -6016,7 +6016,7 @@ static void rb_update_meta_page(struct ring_buffer_per_cpu *cpu_buffer) meta->read = cpu_buffer->read; /* Some archs do not have data cache coherency between kernel and user-space */ - flush_dcache_folio(virt_to_folio(cpu_buffer->meta_page)); + flush_kernel_vmap_range(cpu_buffer->meta_page, PAGE_SIZE); } static void @@ -7319,7 +7319,8 @@ int ring_buffer_map_get_reader(struct trace_buffer *buffer, int cpu) out: /* Some archs do not have data cache coherency between kernel and user-space */ - flush_dcache_folio(virt_to_folio(cpu_buffer->reader_page->page)); + flush_kernel_vmap_range(cpu_buffer->reader_page->page, + buffer->subbuf_size + BUF_PAGE_HDR_SIZE); rb_update_meta_page(cpu_buffer); -- 2.47.2

2 months, 2 weeks

1
0
0 0

[merged mm-nonmm-stable] lib-scatterlist-fix-sg_split_phys-to-preserve-original-scatterlist-offsets.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets has been removed from the -mm tree. Its filename was lib-scatterlist-fix-sg_split_phys-to-preserve-original-scatterlist-offsets.patch This patch was dropped because it was merged into the mm-nonmm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: T Pratham <t-pratham(a)ti.com> Subject: lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets Date: Wed, 19 Mar 2025 16:44:38 +0530 The split_sg_phys function was incorrectly setting the offsets of all scatterlist entries (except the first) to 0. Only the first scatterlist entry's offset and length needs to be modified to account for the skip. Setting the rest entries' offsets to 0 could lead to incorrect data access. I am using this function in a crypto driver that I'm currently developing (not yet sent to mailing list). During testing, it was observed that the output scatterlists (except the first one) contained incorrect garbage data. I narrowed this issue down to the call of sg_split(). Upon debugging inside this function, I found that this resetting of offset is the cause of the problem, causing the subsequent scatterlists to point to incorrect memory locations in a page. By removing this code, I am obtaining expected data in all the split output scatterlists. Thus, this was indeed causing observable runtime effects! This patch removes the offending code, ensuring that the page offsets in the input scatterlist are preserved in the output scatterlist. Link: https://lkml.kernel.org/r/20250319111437.1969903-1-t-pratham@ti.com Fixes: f8bcbe62acd0 ("lib: scatterlist: add sg splitting function") Signed-off-by: T Pratham <t-pratham(a)ti.com> Cc: Robert Jarzmik <robert.jarzmik(a)free.fr> Cc: Jens Axboe <axboe(a)kernel.dk> Cc: Kamlesh Gurudasani <kamlesh(a)ti.com> Cc: Praneeth Bajjuri <praneeth(a)ti.com> Cc: Vignesh Raghavendra <vigneshr(a)ti.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- lib/sg_split.c | 2 -- 1 file changed, 2 deletions(-) --- a/lib/sg_split.c~lib-scatterlist-fix-sg_split_phys-to-preserve-original-scatterlist-offsets +++ a/lib/sg_split.c @@ -88,8 +88,6 @@ static void sg_split_phys(struct sg_spli if (!j) { out_sg->offset += split->skip_sg0; out_sg->length -= split->skip_sg0; - } else { - out_sg->offset = 0; } sg_dma_address(out_sg) = 0; sg_dma_len(out_sg) = 0; _ Patches currently in -mm which might be from t-pratham(a)ti.com are

2 months, 2 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-zswap-fix-crypto_free_acomp-deadlock-in-zswap_cpu_comp_dead.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead() has been removed from the -mm tree. Its filename was mm-zswap-fix-crypto_free_acomp-deadlock-in-zswap_cpu_comp_dead.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Yosry Ahmed <yosry.ahmed(a)linux.dev> Subject: mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead() Date: Wed, 26 Feb 2025 18:56:25 +0000 Currently, zswap_cpu_comp_dead() calls crypto_free_acomp() while holding the per-CPU acomp_ctx mutex. crypto_free_acomp() then holds scomp_lock (through crypto_exit_scomp_ops_async()). On the other hand, crypto_alloc_acomp_node() holds the scomp_lock (through crypto_scomp_init_tfm()), and then allocates memory. If the allocation results in reclaim, we may attempt to hold the per-CPU acomp_ctx mutex. The above dependencies can cause an ABBA deadlock. For example in the following scenario: (1) Task A running on CPU #1: crypto_alloc_acomp_node() Holds scomp_lock Enters reclaim Reads per_cpu_ptr(pool->acomp_ctx, 1) (2) Task A is descheduled (3) CPU #1 goes offline zswap_cpu_comp_dead(CPU #1) Holds per_cpu_ptr(pool->acomp_ctx, 1)) Calls crypto_free_acomp() Waits for scomp_lock (4) Task A running on CPU #2: Waits for per_cpu_ptr(pool->acomp_ctx, 1) // Read on CPU #1 DEADLOCK Since there is no requirement to call crypto_free_acomp() with the per-CPU acomp_ctx mutex held in zswap_cpu_comp_dead(), move it after the mutex is unlocked. Also move the acomp_request_free() and kfree() calls for consistency and to avoid any potential sublte locking dependencies in the future. With this, only setting acomp_ctx fields to NULL occurs with the mutex held. This is similar to how zswap_cpu_comp_prepare() only initializes acomp_ctx fields with the mutex held, after performing all allocations before holding the mutex. Opportunistically, move the NULL check on acomp_ctx so that it takes place before the mutex dereference. Link: https://lkml.kernel.org/r/20250226185625.2672936-1-yosry.ahmed@linux.dev Fixes: 12dcb0ef5406 ("mm: zswap: properly synchronize freeing resources during CPU hotunplug") Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Co-developed-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: Yosry Ahmed <yosry.ahmed(a)linux.dev> Reported-by: syzbot+1a517ccfcbc6a7ab0f82(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/67bcea51.050a0220.bbfd1.0096.GAE@google.com/ Acked-by: Herbert Xu <herbert(a)gondor.apana.org.au> Reviewed-by: Chengming Zhou <chengming.zhou(a)linux.dev> Reviewed-by: Nhat Pham <nphamcs(a)gmail.com> Tested-by: Nhat Pham <nphamcs(a)gmail.com> Cc: David S. Miller <davem(a)davemloft.net> Cc: Eric Biggers <ebiggers(a)kernel.org> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Chris Murphy <lists(a)colorremedies.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/zswap.c | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) --- a/mm/zswap.c~mm-zswap-fix-crypto_free_acomp-deadlock-in-zswap_cpu_comp_dead +++ a/mm/zswap.c @@ -883,18 +883,32 @@ static int zswap_cpu_comp_dead(unsigned { struct zswap_pool *pool = hlist_entry(node, struct zswap_pool, node); struct crypto_acomp_ctx *acomp_ctx = per_cpu_ptr(pool->acomp_ctx, cpu); + struct acomp_req *req; + struct crypto_acomp *acomp; + u8 *buffer; + + if (IS_ERR_OR_NULL(acomp_ctx)) + return 0; mutex_lock(&acomp_ctx->mutex); - if (!IS_ERR_OR_NULL(acomp_ctx)) { - if (!IS_ERR_OR_NULL(acomp_ctx->req)) - acomp_request_free(acomp_ctx->req); - acomp_ctx->req = NULL; - if (!IS_ERR_OR_NULL(acomp_ctx->acomp)) - crypto_free_acomp(acomp_ctx->acomp); - kfree(acomp_ctx->buffer); - } + req = acomp_ctx->req; + acomp = acomp_ctx->acomp; + buffer = acomp_ctx->buffer; + acomp_ctx->req = NULL; + acomp_ctx->acomp = NULL; + acomp_ctx->buffer = NULL; mutex_unlock(&acomp_ctx->mutex); + /* + * Do the actual freeing after releasing the mutex to avoid subtle + * locking dependencies causing deadlocks. + */ + if (!IS_ERR_OR_NULL(req)) + acomp_request_free(req); + if (!IS_ERR_OR_NULL(acomp)) + crypto_free_acomp(acomp); + kfree(buffer); + return 0; } _ Patches currently in -mm which might be from yosry.ahmed(a)linux.dev are

2 months, 2 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-hugetlb-move-hugetlb_sysctl_init-to-the-__init-section.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/hugetlb: move hugetlb_sysctl_init() to the __init section has been removed from the -mm tree. Its filename was mm-hugetlb-move-hugetlb_sysctl_init-to-the-__init-section.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Marc Herbert <Marc.Herbert(a)linux.intel.com> Subject: mm/hugetlb: move hugetlb_sysctl_init() to the __init section Date: Wed, 19 Mar 2025 06:00:30 +0000 hugetlb_sysctl_init() is only invoked once by an __init function and is merely a wrapper around another __init function so there is not reason to keep it. Fixes the following warning when toning down some GCC inline options: WARNING: modpost: vmlinux: section mismatch in reference: hugetlb_sysctl_init+0x1b (section: .text) -> __register_sysctl_init (section: .init.text) Link: https://lkml.kernel.org/r/20250319060041.2737320-1-marc.herbert@linux.intel… Signed-off-by: Marc Herbert <Marc.Herbert(a)linux.intel.com> Reviewed-by: Anshuman Khandual <anshuman.khandual(a)arm.com> Reviewed-by: Muchun Song <muchun.song(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/hugetlb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/hugetlb.c~mm-hugetlb-move-hugetlb_sysctl_init-to-the-__init-section +++ a/mm/hugetlb.c @@ -5179,7 +5179,7 @@ static const struct ctl_table hugetlb_ta }, }; -static void hugetlb_sysctl_init(void) +static void __init hugetlb_sysctl_init(void) { register_sysctl_init("vm", hugetlb_table); } _ Patches currently in -mm which might be from Marc.Herbert(a)linux.intel.com are

2 months, 2 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-userfaultfd-fix-release-hang-over-concurrent-gup.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/userfaultfd: fix release hang over concurrent GUP has been removed from the -mm tree. Its filename was mm-userfaultfd-fix-release-hang-over-concurrent-gup.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Peter Xu <peterx(a)redhat.com> Subject: mm/userfaultfd: fix release hang over concurrent GUP Date: Wed, 12 Mar 2025 10:51:31 -0400 This patch should fix a possible userfaultfd release() hang during concurrent GUP. This problem was initially reported by Dimitris Siakavaras in July 2023 [1] in a firecracker use case. Firecracker has a separate process handling page faults remotely, and when the process releases the userfaultfd it can race with a concurrent GUP from KVM trying to fault in a guest page during the secondary MMU page fault process. A similar problem was reported recently again by Jinjiang Tu in March 2025 [2], even though the race happened this time with a mlockall() operation, which does GUP in a similar fashion. In 2017, commit 656710a60e36 ("userfaultfd: non-cooperative: closing the uffd without triggering SIGBUS") was trying to fix this issue. AFAIU, that fixes well the fault paths but may not work yet for GUP. In GUP, the issue is NOPAGE will be almost treated the same as "page fault resolved" in faultin_page(), then the GUP will follow page again, seeing page missing, and it'll keep going into a live lock situation as reported. This change makes core mm return RETRY instead of NOPAGE for both the GUP and fault paths, proactively releasing the mmap read lock. This should guarantee the other release thread make progress on taking the write lock and avoid the live lock even for GUP. When at it, rearrange the comments to make sure it's uptodate. [1] https://lore.kernel.org/r/79375b71-db2e-3e66-346b-254c90d915e2@cslab.ece.nt… [2] https://lore.kernel.org/r/20250307072133.3522652-1-tujinjiang@huawei.com Link: https://lkml.kernel.org/r/20250312145131.1143062-1-peterx@redhat.com Signed-off-by: Peter Xu <peterx(a)redhat.com> Cc: Andrea Arcangeli <aarcange(a)redhat.com> Cc: Mike Rapoport (IBM) <rppt(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Jinjiang Tu <tujinjiang(a)huawei.com> Cc: Dimitris Siakavaras <jimsiak(a)cslab.ece.ntua.gr> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/userfaultfd.c | 51 ++++++++++++++++++++++----------------------- 1 file changed, 25 insertions(+), 26 deletions(-) --- a/fs/userfaultfd.c~mm-userfaultfd-fix-release-hang-over-concurrent-gup +++ a/fs/userfaultfd.c @@ -396,32 +396,6 @@ vm_fault_t handle_userfault(struct vm_fa goto out; /* - * If it's already released don't get it. This avoids to loop - * in __get_user_pages if userfaultfd_release waits on the - * caller of handle_userfault to release the mmap_lock. - */ - if (unlikely(READ_ONCE(ctx->released))) { - /* - * Don't return VM_FAULT_SIGBUS in this case, so a non - * cooperative manager can close the uffd after the - * last UFFDIO_COPY, without risking to trigger an - * involuntary SIGBUS if the process was starting the - * userfaultfd while the userfaultfd was still armed - * (but after the last UFFDIO_COPY). If the uffd - * wasn't already closed when the userfault reached - * this point, that would normally be solved by - * userfaultfd_must_wait returning 'false'. - * - * If we were to return VM_FAULT_SIGBUS here, the non - * cooperative manager would be instead forced to - * always call UFFDIO_UNREGISTER before it can safely - * close the uffd. - */ - ret = VM_FAULT_NOPAGE; - goto out; - } - - /* * Check that we can return VM_FAULT_RETRY. * * NOTE: it should become possible to return VM_FAULT_RETRY @@ -457,6 +431,31 @@ vm_fault_t handle_userfault(struct vm_fa if (vmf->flags & FAULT_FLAG_RETRY_NOWAIT) goto out; + if (unlikely(READ_ONCE(ctx->released))) { + /* + * If a concurrent release is detected, do not return + * VM_FAULT_SIGBUS or VM_FAULT_NOPAGE, but instead always + * return VM_FAULT_RETRY with lock released proactively. + * + * If we were to return VM_FAULT_SIGBUS here, the non + * cooperative manager would be instead forced to + * always call UFFDIO_UNREGISTER before it can safely + * close the uffd, to avoid involuntary SIGBUS triggered. + * + * If we were to return VM_FAULT_NOPAGE, it would work for + * the fault path, in which the lock will be released + * later. However for GUP, faultin_page() does nothing + * special on NOPAGE, so GUP would spin retrying without + * releasing the mmap read lock, causing possible livelock. + * + * Here only VM_FAULT_RETRY would make sure the mmap lock + * be released immediately, so that the thread concurrently + * releasing the userfault would always make progress. + */ + release_fault_lock(vmf); + goto out; + } + /* take the reference before dropping the mmap_lock */ userfaultfd_ctx_get(ctx); _ Patches currently in -mm which might be from peterx(a)redhat.com are maintainers-add-myself-as-userfaultfd-reviewer.patch

2 months, 2 weeks

1
0
0 0

[to-be-updated] x86-vmemmap-use-direct-mapped-va-instead-of-vmemmap-based-va.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: x86/vmemmap: use direct-mapped VA instead of vmemmap-based VA has been removed from the -mm tree. Its filename was x86-vmemmap-use-direct-mapped-va-instead-of-vmemmap-based-va.patch This patch was dropped because an updated version will be issued ------------------------------------------------------ From: Gwan-gyeong Mun <gwan-gyeong.mun(a)intel.com> Subject: x86/vmemmap: use direct-mapped VA instead of vmemmap-based VA Date: Mon, 17 Feb 2025 13:41:33 +0200 Address an Oops issues when performing test of loading XE GPU driver module after applying the GPU SVM and Xe SVM patch series[1] and the Dept patch series[2]. The issue occurs when loading the xe driver via modprobe [3], which adds a struct page for device memory via devm_memremap_pages(). When a process leads the addition of a struct page to vmemmap (e.g. hot-plug), the page table update for the newly added vmemmap-based virtual address is updated first in init_mm's page table and then synchronized later. If the vmemmap-based virtual address is accessed through the process's page table before this sync, a page fault will occur. This patch translates vmemmap-based virtual address to direct-mapped virtual address and use it, if the current top-level page table is not init_mm's page table when accessing a vmemmap-based virtual address before this sync. [1] https://lore.kernel.org/dri-devel/20250213021112.1228481-1-matthew.brost@in… [2] https://lore.kernel.org/lkml/20240508094726.35754-1-byungchul@sk.com/ [3] [ 49.103630] xe 0000:00:04.0: [drm] Available VRAM: 0x0000000800000000, 0x00000002fb800000 [ 49.116710] BUG: unable to handle page fault for address: ffffeb3ff1200000 [ 49.117175] #PF: supervisor write access in kernel mode [ 49.117511] #PF: error_code(0x0002) - not-present page [ 49.117835] PGD 0 P4D 0 [ 49.118015] Oops: Oops: 0002 [#1] PREEMPT SMP NOPTI [ 49.118366] CPU: 3 UID: 0 PID: 302 Comm: modprobe Tainted: G W 6.13.0-drm-tip-test+ #62 [ 49.118976] Tainted: [W]=WARN [ 49.119179] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 49.119710] RIP: 0010:vmemmap_set_pmd+0xff/0x230 [ 49.120011] Code: 77 22 02 a9 ff ff 1f 00 74 58 48 8b 3d 62 77 22 02 48 85 ff 0f 85 9a 00 00 00 48 8d 7d 08 48 89 e9 31 c0 48 89 ea 48 83 e7 f8 <48> c7 45 00 00 00 00 00 48 29 f9 48 c7 45 48 00 00 00 00 83 c1 50 [ 49.121158] RSP: 0018:ffffc900016d37a8 EFLAGS: 00010282 [ 49.121502] RAX: 0000000000000000 RBX: ffff888164000000 RCX: ffffeb3ff1200000 [ 49.121966] RDX: ffffeb3ff1200000 RSI: 80000000000001e3 RDI: ffffeb3ff1200008 [ 49.122499] RBP: ffffeb3ff1200000 R08: ffffeb3ff1280000 R09: 0000000000000000 [ 49.123032] R10: ffff88817b94dc48 R11: 0000000000000003 R12: ffffeb3ff1280000 [ 49.123566] R13: 0000000000000000 R14: ffff88817b94dc48 R15: 8000000163e001e3 [ 49.124096] FS: 00007f53ae71d740(0000) GS:ffff88843fd80000(0000) knlGS:0000000000000000 [ 49.124698] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 49.125129] CR2: ffffeb3ff1200000 CR3: 000000017c7d2000 CR4: 0000000000750ef0 [ 49.125662] PKRU: 55555554 [ 49.125880] Call Trace: [ 49.126078] <TASK> [ 49.126252] ? __die_body.cold+0x19/0x26 [ 49.126509] ? page_fault_oops+0xa2/0x240 [ 49.126736] ? preempt_count_add+0x47/0xa0 [ 49.126968] ? search_module_extables+0x4a/0x80 [ 49.127224] ? exc_page_fault+0x206/0x230 [ 49.127454] ? asm_exc_page_fault+0x22/0x30 [ 49.127691] ? vmemmap_set_pmd+0xff/0x230 [ 49.127919] vmemmap_populate_hugepages+0x176/0x180 [ 49.128194] vmemmap_populate+0x34/0x80 [ 49.128416] __populate_section_memmap+0x41/0x90 [ 49.128676] sparse_add_section+0x121/0x3e0 [ 49.128914] __add_pages+0xba/0x150 [ 49.129116] add_pages+0x1d/0x70 [ 49.129305] memremap_pages+0x3dc/0x810 [ 49.129529] devm_memremap_pages+0x1c/0x60 [ 49.129762] xe_devm_add+0x8b/0x100 [xe] [ 49.130072] xe_tile_init_noalloc+0x6a/0x70 [xe] [ 49.130408] xe_device_probe+0x48c/0x740 [xe] [ 49.130714] ? __pfx___drmm_mutex_release+0x10/0x10 [ 49.130982] ? __drmm_add_action+0x85/0xd0 [ 49.131208] ? __pfx___drmm_mutex_release+0x10/0x10 [ 49.131478] xe_pci_probe+0x7ef/0xd90 [xe] [ 49.131777] ? _raw_spin_unlock_irqrestore+0x66/0x90 [ 49.132049] ? lockdep_hardirqs_on+0xba/0x140 [ 49.132290] pci_device_probe+0x99/0x110 [ 49.132510] really_probe+0xdb/0x340 [ 49.132710] ? pm_runtime_barrier+0x50/0x90 [ 49.132941] ? __pfx___driver_attach+0x10/0x10 [ 49.133190] __driver_probe_device+0x78/0x110 [ 49.133433] driver_probe_device+0x1f/0xa0 [ 49.133661] __driver_attach+0xba/0x1c0 [ 49.133874] bus_for_each_dev+0x7a/0xd0 [ 49.134089] bus_add_driver+0x114/0x200 [ 49.134302] driver_register+0x6e/0xc0 [ 49.134515] xe_init+0x1e/0x50 [xe] [ 49.134827] ? __pfx_xe_init+0x10/0x10 [xe] [ 49.134926] xe 0000:00:04.0: [drm:process_one_work] GT1: GuC CT safe-mode canceled [ 49.135112] do_one_initcall+0x5b/0x2b0 [ 49.135734] ? rcu_is_watching+0xd/0x40 [ 49.135995] ? __kmalloc_cache_noprof+0x231/0x310 [ 49.136315] do_init_module+0x60/0x210 [ 49.136572] init_module_from_file+0x86/0xc0 [ 49.136863] idempotent_init_module+0x12b/0x340 [ 49.137156] __x64_sys_finit_module+0x61/0xc0 [ 49.137437] do_syscall_64+0x69/0x140 [ 49.137681] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 49.137953] RIP: 0033:0x7f53ae1261fd [ 49.138153] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 fa 0c 00 f7 d8 64 89 01 48 [ 49.139117] RSP: 002b:00007ffd0e9021e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 [ 49.139525] RAX: ffffffffffffffda RBX: 000055c02951ee50 RCX: 00007f53ae1261fd [ 49.139905] RDX: 0000000000000000 RSI: 000055bfff125478 RDI: 0000000000000010 [ 49.140282] RBP: 000055bfff125478 R08: 00007f53ae1f6b20 R09: 00007ffd0e902230 [ 49.140663] R10: 000055c029522000 R11: 0000000000000246 R12: 0000000000040000 [ 49.141040] R13: 000055c02951ef80 R14: 0000000000000000 R15: 000055c029521fc0 [ 49.141424] </TASK> [ 49.141552] Modules linked in: xe(+) drm_ttm_helper gpu_sched drm_suballoc_helper drm_gpuvm drm_exec drm_gpusvm i2c_algo_bit drm_buddy video wmi ttm drm_display_helper drm_kms_helper crct10dif_pclmul crc32_pclmul i2c_piix4 e1000 ghash_clmulni_intel i2c_smbus fuse [ 49.142824] CR2: ffffeb3ff1200000 [ 49.143010] ---[ end trace 0000000000000000 ]--- [ 49.143268] RIP: 0010:vmemmap_set_pmd+0xff/0x230 [ 49.143523] Code: 77 22 02 a9 ff ff 1f 00 74 58 48 8b 3d 62 77 22 02 48 85 ff 0f 85 9a 00 00 00 48 8d 7d 08 48 89 e9 31 c0 48 89 ea 48 83 e7 f8 <48> c7 45 00 00 00 00 00 48 29 f9 48 c7 45 48 00 00 00 00 83 c1 50 [ 49.144489] RSP: 0018:ffffc900016d37a8 EFLAGS: 00010282 [ 49.144775] RAX: 0000000000000000 RBX: ffff888164000000 RCX: ffffeb3ff1200000 [ 49.145154] RDX: ffffeb3ff1200000 RSI: 80000000000001e3 RDI: ffffeb3ff1200008 [ 49.145536] RBP: ffffeb3ff1200000 R08: ffffeb3ff1280000 R09: 0000000000000000 [ 49.145914] R10: ffff88817b94dc48 R11: 0000000000000003 R12: ffffeb3ff1280000 [ 49.146292] R13: 0000000000000000 R14: ffff88817b94dc48 R15: 8000000163e001e3 [ 49.146671] FS: 00007f53ae71d740(0000) GS:ffff88843fd80000(0000) knlGS:0000000000000000 [ 49.147097] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 49.147407] CR2: ffffeb3ff1200000 CR3: 000000017c7d2000 CR4: 0000000000750ef0 [ 49.147786] PKRU: 55555554 [ 49.147941] note: modprobe[302] exited with irqs disabled When a process leads the addition of a struct page to vmemmap (e.g. hot-plug), the page table update for the newly added vmemmap-based virtual address is updated first in init_mm's page table and then synchronized later. If the vmemmap-based virtual address is accessed through the process's page table before this sync, a page fault will occur. This translates vmemmap-based virtual address to direct-mapped virtual address and use it, if the current top-level page table is not init_mm's page table when accessing a vmemmap-based virtual address before this sync. Link: https://lkml.kernel.org/r/20250217114133.400063-2-gwan-gyeong.mun@intel.com Fixes: faf1c0008a33 ("x86/vmemmap: optimize for consecutive sections in partial populated PMDs") Signed-off-by: Gwan-gyeong Mun <gwan-gyeong.mun(a)intel.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Hyeonggon Yoo <42.hyeyoo(a)gmail.com> Cc: Byungchul Park <byungchul(a)sk.com> Cc: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- arch/x86/mm/init_64.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) --- a/arch/x86/mm/init_64.c~x86-vmemmap-use-direct-mapped-va-instead-of-vmemmap-based-va +++ a/arch/x86/mm/init_64.c @@ -844,6 +844,17 @@ void __init paging_init(void) */ static unsigned long unused_pmd_start __meminitdata; +static void * __meminit vmemmap_va_to_kaddr(unsigned long vmemmap_va) +{ + void *kaddr = (void *)vmemmap_va; + pgd_t *pgd = __va(read_cr3_pa()); + + if (init_mm.pgd != pgd) + kaddr = __va(slow_virt_to_phys(kaddr)); + + return kaddr; +} + static void __meminit vmemmap_flush_unused_pmd(void) { if (!unused_pmd_start) @@ -851,7 +862,7 @@ static void __meminit vmemmap_flush_unus /* * Clears (unused_pmd_start, PMD_END] */ - memset((void *)unused_pmd_start, PAGE_UNUSED, + memset(vmemmap_va_to_kaddr(unused_pmd_start), PAGE_UNUSED, ALIGN(unused_pmd_start, PMD_SIZE) - unused_pmd_start); unused_pmd_start = 0; } @@ -882,7 +893,7 @@ static void __meminit __vmemmap_use_sub_ * case the first memmap never gets initialized e.g., because the memory * block never gets onlined). */ - memset((void *)start, 0, sizeof(struct page)); + memset(vmemmap_va_to_kaddr(start), 0, sizeof(struct page)); } static void __meminit vmemmap_use_sub_pmd(unsigned long start, unsigned long end) @@ -924,7 +935,7 @@ static void __meminit vmemmap_use_new_su * Mark with PAGE_UNUSED the unused parts of the new memmap range */ if (!IS_ALIGNED(start, PMD_SIZE)) - memset((void *)page, PAGE_UNUSED, start - page); + memset(vmemmap_va_to_kaddr(page), PAGE_UNUSED, start - page); /* * We want to avoid memset(PAGE_UNUSED) when populating the vmemmap of _ Patches currently in -mm which might be from gwan-gyeong.mun(a)intel.com are

2 months, 2 weeks

1
0
0 0

+ x86-vmemmap-use-direct-mapped-va-instead-of-vmemmap-based-va.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: x86/vmemmap: use direct-mapped VA instead of vmemmap-based VA has been added to the -mm mm-hotfixes-unstable branch. Its filename is x86-vmemmap-use-direct-mapped-va-instead-of-vmemmap-based-va.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Gwan-gyeong Mun <gwan-gyeong.mun(a)intel.com> Subject: x86/vmemmap: use direct-mapped VA instead of vmemmap-based VA Date: Mon, 17 Feb 2025 13:41:33 +0200 Address an Oops issues when performing test of loading XE GPU driver module after applying the GPU SVM and Xe SVM patch series[1] and the Dept patch series[2]. The issue occurs when loading the xe driver via modprobe [3], which adds a struct page for device memory via devm_memremap_pages(). When a process leads the addition of a struct page to vmemmap (e.g. hot-plug), the page table update for the newly added vmemmap-based virtual address is updated first in init_mm's page table and then synchronized later. If the vmemmap-based virtual address is accessed through the process's page table before this sync, a page fault will occur. This patch translates vmemmap-based virtual address to direct-mapped virtual address and use it, if the current top-level page table is not init_mm's page table when accessing a vmemmap-based virtual address before this sync. [1] https://lore.kernel.org/dri-devel/20250213021112.1228481-1-matthew.brost@in… [2] https://lore.kernel.org/lkml/20240508094726.35754-1-byungchul@sk.com/ [3] [ 49.103630] xe 0000:00:04.0: [drm] Available VRAM: 0x0000000800000000, 0x00000002fb800000 [ 49.116710] BUG: unable to handle page fault for address: ffffeb3ff1200000 [ 49.117175] #PF: supervisor write access in kernel mode [ 49.117511] #PF: error_code(0x0002) - not-present page [ 49.117835] PGD 0 P4D 0 [ 49.118015] Oops: Oops: 0002 [#1] PREEMPT SMP NOPTI [ 49.118366] CPU: 3 UID: 0 PID: 302 Comm: modprobe Tainted: G W 6.13.0-drm-tip-test+ #62 [ 49.118976] Tainted: [W]=WARN [ 49.119179] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 49.119710] RIP: 0010:vmemmap_set_pmd+0xff/0x230 [ 49.120011] Code: 77 22 02 a9 ff ff 1f 00 74 58 48 8b 3d 62 77 22 02 48 85 ff 0f 85 9a 00 00 00 48 8d 7d 08 48 89 e9 31 c0 48 89 ea 48 83 e7 f8 <48> c7 45 00 00 00 00 00 48 29 f9 48 c7 45 48 00 00 00 00 83 c1 50 [ 49.121158] RSP: 0018:ffffc900016d37a8 EFLAGS: 00010282 [ 49.121502] RAX: 0000000000000000 RBX: ffff888164000000 RCX: ffffeb3ff1200000 [ 49.121966] RDX: ffffeb3ff1200000 RSI: 80000000000001e3 RDI: ffffeb3ff1200008 [ 49.122499] RBP: ffffeb3ff1200000 R08: ffffeb3ff1280000 R09: 0000000000000000 [ 49.123032] R10: ffff88817b94dc48 R11: 0000000000000003 R12: ffffeb3ff1280000 [ 49.123566] R13: 0000000000000000 R14: ffff88817b94dc48 R15: 8000000163e001e3 [ 49.124096] FS: 00007f53ae71d740(0000) GS:ffff88843fd80000(0000) knlGS:0000000000000000 [ 49.124698] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 49.125129] CR2: ffffeb3ff1200000 CR3: 000000017c7d2000 CR4: 0000000000750ef0 [ 49.125662] PKRU: 55555554 [ 49.125880] Call Trace: [ 49.126078] <TASK> [ 49.126252] ? __die_body.cold+0x19/0x26 [ 49.126509] ? page_fault_oops+0xa2/0x240 [ 49.126736] ? preempt_count_add+0x47/0xa0 [ 49.126968] ? search_module_extables+0x4a/0x80 [ 49.127224] ? exc_page_fault+0x206/0x230 [ 49.127454] ? asm_exc_page_fault+0x22/0x30 [ 49.127691] ? vmemmap_set_pmd+0xff/0x230 [ 49.127919] vmemmap_populate_hugepages+0x176/0x180 [ 49.128194] vmemmap_populate+0x34/0x80 [ 49.128416] __populate_section_memmap+0x41/0x90 [ 49.128676] sparse_add_section+0x121/0x3e0 [ 49.128914] __add_pages+0xba/0x150 [ 49.129116] add_pages+0x1d/0x70 [ 49.129305] memremap_pages+0x3dc/0x810 [ 49.129529] devm_memremap_pages+0x1c/0x60 [ 49.129762] xe_devm_add+0x8b/0x100 [xe] [ 49.130072] xe_tile_init_noalloc+0x6a/0x70 [xe] [ 49.130408] xe_device_probe+0x48c/0x740 [xe] [ 49.130714] ? __pfx___drmm_mutex_release+0x10/0x10 [ 49.130982] ? __drmm_add_action+0x85/0xd0 [ 49.131208] ? __pfx___drmm_mutex_release+0x10/0x10 [ 49.131478] xe_pci_probe+0x7ef/0xd90 [xe] [ 49.131777] ? _raw_spin_unlock_irqrestore+0x66/0x90 [ 49.132049] ? lockdep_hardirqs_on+0xba/0x140 [ 49.132290] pci_device_probe+0x99/0x110 [ 49.132510] really_probe+0xdb/0x340 [ 49.132710] ? pm_runtime_barrier+0x50/0x90 [ 49.132941] ? __pfx___driver_attach+0x10/0x10 [ 49.133190] __driver_probe_device+0x78/0x110 [ 49.133433] driver_probe_device+0x1f/0xa0 [ 49.133661] __driver_attach+0xba/0x1c0 [ 49.133874] bus_for_each_dev+0x7a/0xd0 [ 49.134089] bus_add_driver+0x114/0x200 [ 49.134302] driver_register+0x6e/0xc0 [ 49.134515] xe_init+0x1e/0x50 [xe] [ 49.134827] ? __pfx_xe_init+0x10/0x10 [xe] [ 49.134926] xe 0000:00:04.0: [drm:process_one_work] GT1: GuC CT safe-mode canceled [ 49.135112] do_one_initcall+0x5b/0x2b0 [ 49.135734] ? rcu_is_watching+0xd/0x40 [ 49.135995] ? __kmalloc_cache_noprof+0x231/0x310 [ 49.136315] do_init_module+0x60/0x210 [ 49.136572] init_module_from_file+0x86/0xc0 [ 49.136863] idempotent_init_module+0x12b/0x340 [ 49.137156] __x64_sys_finit_module+0x61/0xc0 [ 49.137437] do_syscall_64+0x69/0x140 [ 49.137681] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 49.137953] RIP: 0033:0x7f53ae1261fd [ 49.138153] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 fa 0c 00 f7 d8 64 89 01 48 [ 49.139117] RSP: 002b:00007ffd0e9021e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 [ 49.139525] RAX: ffffffffffffffda RBX: 000055c02951ee50 RCX: 00007f53ae1261fd [ 49.139905] RDX: 0000000000000000 RSI: 000055bfff125478 RDI: 0000000000000010 [ 49.140282] RBP: 000055bfff125478 R08: 00007f53ae1f6b20 R09: 00007ffd0e902230 [ 49.140663] R10: 000055c029522000 R11: 0000000000000246 R12: 0000000000040000 [ 49.141040] R13: 000055c02951ef80 R14: 0000000000000000 R15: 000055c029521fc0 [ 49.141424] </TASK> [ 49.141552] Modules linked in: xe(+) drm_ttm_helper gpu_sched drm_suballoc_helper drm_gpuvm drm_exec drm_gpusvm i2c_algo_bit drm_buddy video wmi ttm drm_display_helper drm_kms_helper crct10dif_pclmul crc32_pclmul i2c_piix4 e1000 ghash_clmulni_intel i2c_smbus fuse [ 49.142824] CR2: ffffeb3ff1200000 [ 49.143010] ---[ end trace 0000000000000000 ]--- [ 49.143268] RIP: 0010:vmemmap_set_pmd+0xff/0x230 [ 49.143523] Code: 77 22 02 a9 ff ff 1f 00 74 58 48 8b 3d 62 77 22 02 48 85 ff 0f 85 9a 00 00 00 48 8d 7d 08 48 89 e9 31 c0 48 89 ea 48 83 e7 f8 <48> c7 45 00 00 00 00 00 48 29 f9 48 c7 45 48 00 00 00 00 83 c1 50 [ 49.144489] RSP: 0018:ffffc900016d37a8 EFLAGS: 00010282 [ 49.144775] RAX: 0000000000000000 RBX: ffff888164000000 RCX: ffffeb3ff1200000 [ 49.145154] RDX: ffffeb3ff1200000 RSI: 80000000000001e3 RDI: ffffeb3ff1200008 [ 49.145536] RBP: ffffeb3ff1200000 R08: ffffeb3ff1280000 R09: 0000000000000000 [ 49.145914] R10: ffff88817b94dc48 R11: 0000000000000003 R12: ffffeb3ff1280000 [ 49.146292] R13: 0000000000000000 R14: ffff88817b94dc48 R15: 8000000163e001e3 [ 49.146671] FS: 00007f53ae71d740(0000) GS:ffff88843fd80000(0000) knlGS:0000000000000000 [ 49.147097] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 49.147407] CR2: ffffeb3ff1200000 CR3: 000000017c7d2000 CR4: 0000000000750ef0 [ 49.147786] PKRU: 55555554 [ 49.147941] note: modprobe[302] exited with irqs disabled When a process leads the addition of a struct page to vmemmap (e.g. hot-plug), the page table update for the newly added vmemmap-based virtual address is updated first in init_mm's page table and then synchronized later. If the vmemmap-based virtual address is accessed through the process's page table before this sync, a page fault will occur. This translates vmemmap-based virtual address to direct-mapped virtual address and use it, if the current top-level page table is not init_mm's page table when accessing a vmemmap-based virtual address before this sync. Link: https://lkml.kernel.org/r/20250217114133.400063-2-gwan-gyeong.mun@intel.com Fixes: faf1c0008a33 ("x86/vmemmap: optimize for consecutive sections in partial populated PMDs") Signed-off-by: Gwan-gyeong Mun <gwan-gyeong.mun(a)intel.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Hyeonggon Yoo <42.hyeyoo(a)gmail.com> Cc: Byungchul Park <byungchul(a)sk.com> Cc: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- arch/x86/mm/init_64.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) --- a/arch/x86/mm/init_64.c~x86-vmemmap-use-direct-mapped-va-instead-of-vmemmap-based-va +++ a/arch/x86/mm/init_64.c @@ -844,6 +844,17 @@ void __init paging_init(void) */ static unsigned long unused_pmd_start __meminitdata; +static void * __meminit vmemmap_va_to_kaddr(unsigned long vmemmap_va) +{ + void *kaddr = (void *)vmemmap_va; + pgd_t *pgd = __va(read_cr3_pa()); + + if (init_mm.pgd != pgd) + kaddr = __va(slow_virt_to_phys(kaddr)); + + return kaddr; +} + static void __meminit vmemmap_flush_unused_pmd(void) { if (!unused_pmd_start) @@ -851,7 +862,7 @@ static void __meminit vmemmap_flush_unus /* * Clears (unused_pmd_start, PMD_END] */ - memset((void *)unused_pmd_start, PAGE_UNUSED, + memset(vmemmap_va_to_kaddr(unused_pmd_start), PAGE_UNUSED, ALIGN(unused_pmd_start, PMD_SIZE) - unused_pmd_start); unused_pmd_start = 0; } @@ -882,7 +893,7 @@ static void __meminit __vmemmap_use_sub_ * case the first memmap never gets initialized e.g., because the memory * block never gets onlined). */ - memset((void *)start, 0, sizeof(struct page)); + memset(vmemmap_va_to_kaddr(start), 0, sizeof(struct page)); } static void __meminit vmemmap_use_sub_pmd(unsigned long start, unsigned long end) @@ -924,7 +935,7 @@ static void __meminit vmemmap_use_new_su * Mark with PAGE_UNUSED the unused parts of the new memmap range */ if (!IS_ALIGNED(start, PMD_SIZE)) - memset((void *)page, PAGE_UNUSED, start - page); + memset(vmemmap_va_to_kaddr(page), PAGE_UNUSED, start - page); /* * We want to avoid memset(PAGE_UNUSED) when populating the vmemmap of _ Patches currently in -mm which might be from gwan-gyeong.mun(a)intel.com are x86-vmemmap-use-direct-mapped-va-instead-of-vmemmap-based-va.patch

2 months, 2 weeks

3
5
0 0

[PATCH v4 4/4] ring-buffer: Use flush_kernel_vmap_range() over flush_dcache_folio()

by Steven Rostedt

From: Steven Rostedt <rostedt(a)goodmis.org> Some architectures do not have data cache coherency between user and kernel space. For these architectures, the cache needs to be flushed on both the kernel and user addresses so that user space can see the updates the kernel has made. Instead of using flush_dcache_folio() and playing with virt_to_folio() within the call to that function, use flush_kernel_vmap_range() which takes the virtual address and does the work for those architectures that need it. This also fixes a bug where the flush of the reader page only flushed one page. If the sub-buffer order is 1 or more, where the sub-buffer size would be greater than a page, it would miss the rest of the sub-buffer content, as the "reader page" is not just a page, but the size of a sub-buffer. Link: https://lore.kernel.org/all/CAG48ez3w0my4Rwttbc5tEbNsme6tc0mrSN95thjXUFaJ3a… Cc: stable(a)vger.kernel.org Fixes: 117c39200d9d7 ("ring-buffer: Introducing ring-buffer mapping functions"); Suggested-by: Jann Horn <jannh(a)google.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/ring_buffer.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c index d8d7b28e2c2f..c0f877d39a24 100644 --- a/kernel/trace/ring_buffer.c +++ b/kernel/trace/ring_buffer.c @@ -6016,7 +6016,7 @@ static void rb_update_meta_page(struct ring_buffer_per_cpu *cpu_buffer) meta->read = cpu_buffer->read; /* Some archs do not have data cache coherency between kernel and user-space */ - flush_dcache_folio(virt_to_folio(cpu_buffer->meta_page)); + flush_kernel_vmap_range(cpu_buffer->meta_page, PAGE_SIZE); } static void @@ -7319,7 +7319,8 @@ int ring_buffer_map_get_reader(struct trace_buffer *buffer, int cpu) out: /* Some archs do not have data cache coherency between kernel and user-space */ - flush_dcache_folio(virt_to_folio(cpu_buffer->reader_page->page)); + flush_kernel_vmap_range(cpu_buffer->reader_page->page, + buffer->subbuf_size + BUF_PAGE_HDR_SIZE); rb_update_meta_page(cpu_buffer); -- 2.47.2

2 months, 2 weeks

1
0
0 0

[PATCH] HID: wacom: fix shift OOB in kfifo allocation for zero pktlen

by Qasim Ijaz

During wacom_parse_and_register() the code calls wacom_devm_kfifo_alloc to allocate a fifo. During this operation it passes kfifo_alloc a fifo_size of 0. Kfifo attempts to round the size passed to it to the next power of 2 via roundup_pow_of_two (queue-type data structures do this to maintain efficiency of operations). However during this phase a problem arises when the roundup_pow_of_two() function utilises a shift exponent of fls_long(n-1), where n is the fifo_size. Since n is 0 in this case and n is also an unsigned long, doing n-1 causes unsigned integer wrap-around to occur making the fifo_size 4294967295. So the code effectively does fls_long(4294967295) which results in 64. Returning back to roundup_pow_of_two(), the code utilises a shift exponent of 64. When a shift exponent of 64 is used on a 64-bit type such as 1UL it results in a shift-out-of-bounds. The root cause of the issue seems to stem from insufficient validation of wacom_compute_pktlen(), since in this case the fifo_size comes from wacom_wac->features.pktlen. During wacom_parse_and_register() the wacom_compute_pktlen() function sets the pktlen as 0. To fix this, we should handle cases where wacom_compute_pktlen() results in 0. Reported-by: syzbot <syzbot+d5204cbbdd921f1f7cad(a)syzkaller.appspotmail.com> Closes: https://syzkaller.appspot.com/bug?extid=d5204cbbdd921f1f7cad Tested-by: Qasim Ijaz <qasdev00(a)gmail.com> Cc: stable(a)vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> --- drivers/hid/wacom_sys.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c index 97393a3083ca..9b2f3dbca467 100644 --- a/drivers/hid/wacom_sys.c +++ b/drivers/hid/wacom_sys.c @@ -2361,6 +2361,8 @@ static int wacom_parse_and_register(struct wacom *wacom, bool wireless) unsigned int connect_mask = HID_CONNECT_HIDRAW; features->pktlen = wacom_compute_pktlen(hdev); + if (!features->pktlen) + return -ENODEV; if (!devres_open_group(&hdev->dev, wacom, GFP_KERNEL)) return -ENOMEM; -- 2.39.5

2 months, 2 weeks

2
1
0 0

[PATCH] perf/x86/intel/uncore: Add error handling for uncore_msr_box_ctl()

by Wentao Liang

In mtl_uncore_msr_init_box(), the return value of uncore_msr_box_ctl() needs to be checked before being used as the parameter of wrmsrl(). A proper implementation can be found in ivbep_uncore_msr_init_box(). Add error handling for uncore_msr_box_ctl() to ensure the MSR write operation is only performed when a valid MSR address is returned. Fixes: c828441f21dd ("perf/x86/intel/uncore: Add Meteor Lake support") Cc: stable(a)vger.kernel.org # v6.3+ Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- arch/x86/events/intel/uncore_snb.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/arch/x86/events/intel/uncore_snb.c b/arch/x86/events/intel/uncore_snb.c index 3934e1e4e3b1..84070388f495 100644 --- a/arch/x86/events/intel/uncore_snb.c +++ b/arch/x86/events/intel/uncore_snb.c @@ -691,7 +691,10 @@ static struct intel_uncore_type mtl_uncore_hac_cbox = { static void mtl_uncore_msr_init_box(struct intel_uncore_box *box) { - wrmsrl(uncore_msr_box_ctl(box), SNB_UNC_GLOBAL_CTL_EN); + unsigned int msr = uncore_msr_box_ctl(box); + + if (msr) + wrmsrl(msr, SNB_UNC_GLOBAL_CTL_EN); } static struct intel_uncore_ops mtl_uncore_msr_ops = { -- 2.42.0.windows.2

2 months, 2 weeks

3
2
0 0

[PATCH V2 1/3] drm/amd/display: Protect FPU in dml21_copy()

by Huacai Chen

Commit 7da55c27e76749b9 ("drm/amd/display: Remove incorrect FP context start") removes the FP context protection of dml2_create(), and it said "All the DC_FP_START/END should be used before call anything from DML2". However, dml21_copy() are not protected from their callers, causing such errors: do_fpu invoked from kernel context![#1]: CPU: 0 UID: 0 PID: 240 Comm: kworker/0:5 Not tainted 6.14.0-rc6+ #1 Workqueue: events work_for_cpu_fn pc ffff80000318bd2c ra ffff80000315750c tp 9000000105910000 sp 9000000105913810 a0 0000000000000000 a1 0000000000000002 a2 900000013140d728 a3 900000013140d720 a4 0000000000000000 a5 9000000131592d98 a6 0000000000017ae8 a7 00000000001312d0 t0 9000000130751ff0 t1 ffff800003790000 t2 ffff800003790000 t3 9000000131592e28 t4 000000000004c6a8 t5 00000000001b7740 t6 0000000000023e38 t7 0000000000249f00 t8 0000000000000002 u0 0000000000000000 s9 900000012b010000 s0 9000000131400000 s1 9000000130751fd8 s2 ffff800003408000 s3 9000000130752c78 s4 9000000131592da8 s5 9000000131592120 s6 9000000130751ff0 s7 9000000131592e28 s8 9000000131400008 ra: ffff80000315750c dml2_top_soc15_initialize_instance+0x20c/0x300 [amdgpu] ERA: ffff80000318bd2c mcg_dcn4_build_min_clock_table+0x14c/0x600 [amdgpu] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) PRMD: 00000004 (PPLV0 +PIE -PWE) EUEN: 00000000 (-FPE -SXE -ASXE -BTE) ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7) ESTAT: 000f0000 [FPD] (IS= ECode=15 EsubCode=0) PRID: 0014d010 (Loongson-64bit, Loongson-3C6000/S) Process kworker/0:5 (pid: 240, threadinfo=00000000f1700428, task=0000000020d2e962) Stack : 0000000000000000 0000000000000000 0000000000000000 9000000130751fd8 9000000131400000 ffff8000031574e0 9000000130751ff0 0000000000000000 9000000131592e28 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 f9175936df5d7fd2 900000012b00ff08 900000012b000000 ffff800003409000 ffff8000034a1780 90000001019634c0 900000012b000010 90000001307beeb8 90000001306b0000 0000000000000001 ffff8000031942b4 9000000130780000 90000001306c0000 9000000130780000 ffff8000031c276c 900000012b044bd0 ffff800003408000 ... Call Trace: [<ffff80000318bd2c>] mcg_dcn4_build_min_clock_table+0x14c/0x600 [amdgpu] [<ffff800003157508>] dml2_top_soc15_initialize_instance+0x208/0x300 [amdgpu] [<ffff8000031942b0>] dml21_create_copy+0x30/0x60 [amdgpu] [<ffff8000031c2768>] dc_state_create_copy+0x68/0xe0 [amdgpu] [<ffff800002e98ea0>] amdgpu_dm_init+0x8c0/0x2060 [amdgpu] [<ffff800002e9a658>] dm_hw_init+0x18/0x60 [amdgpu] [<ffff800002b0a738>] amdgpu_device_init+0x1938/0x27e0 [amdgpu] [<ffff800002b0ce80>] amdgpu_driver_load_kms+0x20/0xa0 [amdgpu] [<ffff800002b008f0>] amdgpu_pci_probe+0x1b0/0x580 [amdgpu] [<9000000003c7eae4>] local_pci_probe+0x44/0xc0 [<90000000032f2b18>] work_for_cpu_fn+0x18/0x40 [<90000000032f5da0>] process_one_work+0x160/0x300 [<90000000032f6718>] worker_thread+0x318/0x440 [<9000000003301b8c>] kthread+0x12c/0x220 [<90000000032b1484>] ret_from_kernel_thread+0x8/0xa4 Unfortunately, protecting dml21_copy() out of DML2 causes "sleeping function called from invalid context", so protect them with DC_FP_START() and DC_FP_END() inside. Cc: stable(a)vger.kernel.org Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c b/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c index fb80ba9287b6..a6b8df1d96e8 100644 --- a/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c +++ b/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c @@ -412,8 +412,12 @@ void dml21_copy(struct dml2_context *dst_dml_ctx, dst_dml_ctx->v21.mode_programming.programming = dst_dml2_programming; + DC_FP_START(); + /* need to initialize copied instance for internal references to be correct */ dml2_initialize_instance(&dst_dml_ctx->v21.dml_init); + + DC_FP_END(); } bool dml21_create_copy(struct dml2_context **dst_dml_ctx, -- 2.47.1

2 months, 2 weeks

3
4
0 0

[PATCH] kernfs: fix potential NULL dereference in mmap handler

by Wentao Liang

The kernfs_fop_mmap() invokes the '->mmap' callback without verifying its existence. This leads to a NULL pointer dereference when the kernfs node does not define the operation, resulting in an invalid memory access. Add a check to ensure the '->mmap' callback is present before invocation. Return -EINVAL when uninitialized to prevent the invalid access. Fixes: 324a56e16e44 ("kernfs: s/sysfs_dirent/kernfs_node/ and rename its friends accordingly") Cc: stable(a)vger.kernel.org # 3.14+ Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- fs/kernfs/file.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c index 8502ef68459b..7d8434a97487 100644 --- a/fs/kernfs/file.c +++ b/fs/kernfs/file.c @@ -459,9 +459,14 @@ static int kernfs_fop_mmap(struct file *file, struct vm_area_struct *vma) goto out_unlock; ops = kernfs_ops(of->kn); - rc = ops->mmap(of, vma); - if (rc) + if (ops->mmap) { + rc = ops->mmap(of, vma); + if (rc) + goto out_put; + } else { + rc = -EINVAL; goto out_put; + } /* * PowerPC's pci_mmap of legacy_mem uses shmem_zero_setup() -- 2.42.0.windows.2

2 months, 2 weeks

3
2
0 0

Investment H e l p

by Calib Cassim

Good Day, How are you? My name is Calib Cassim from Eskom Holdings Ltd. SA. I got your email from my personal search. I have in my position an (over-invoice / over-estimated) contract amount executed by a Foreign Contractor through my Department, which the contractor has been paid, and left the excess amount with the payment Management. So, I need your help to receive the $25.5M on my behalf for an investment, I will obtain all the needed legal documents for the transfer. If you can help, please send me your phone number for more discussion. Thanks, Mr. Calib

2 months, 2 weeks

1
0
0 0

[PATCH v2 1/1] x86/fred: Fix system hang during S4 resume with FRED enabled

by Xin Li (Intel)

Upon a wakeup from S4, the restore kernel starts and initializes the FRED MSRs as needed from its perspective. It then loads a hibernation image, including the image kernel, and attempts to load image pages directly into their original page frames used before hibernation unless those frames are currently in use. Once all pages are moved to their original locations, it jumps to a "trampoline" page in the image kernel. At this point, the image kernel takes control, but the FRED MSRs still contain values set by the restore kernel, which may differ from those set by the image kernel before hibernation. Therefore, the image kernel must ensure the FRED MSRs have the same values as before hibernation. Since these values depend only on the location of the kernel text and data, they can be recomputed from scratch. Reported-by: Xi Pardee <xi.pardee(a)intel.com> Reported-by: Todd Brandt <todd.e.brandt(a)intel.com> Suggested-by: H. Peter Anvin (Intel) <hpa(a)zytor.com> Signed-off-by: Xin Li (Intel) <xin(a)zytor.com> Tested-by: Todd Brandt <todd.e.brandt(a)intel.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Brian Gerst <brgerst(a)gmail.com> Cc: Juergen Gross <jgross(a)suse.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: stable(a)vger.kernel.org # 6.9+ --- Change in v2: * Rewrite the change log and in-code comments based on Rafael's feedback. --- arch/x86/power/cpu.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c index 63230ff8cf4f..08e76a5ca155 100644 --- a/arch/x86/power/cpu.c +++ b/arch/x86/power/cpu.c @@ -27,6 +27,7 @@ #include <asm/mmu_context.h> #include <asm/cpu_device_id.h> #include <asm/microcode.h> +#include <asm/fred.h> #ifdef CONFIG_X86_32 __visible unsigned long saved_context_ebx; @@ -231,6 +232,19 @@ static void notrace __restore_processor_state(struct saved_context *ctxt) */ #ifdef CONFIG_X86_64 wrmsrl(MSR_GS_BASE, ctxt->kernelmode_gs_base); + + /* + * Reinitialize FRED to ensure the FRED MSRs contain the same values + * as before hibernation. + * + * Note, the setup of FRED RSPs requires access to percpu data + * structures. Therefore, FRED reinitialization can only occur after + * the percpu access pointer (i.e., MSR_GS_BASE) is restored. + */ + if (ctxt->cr4 & X86_CR4_FRED) { + cpu_init_fred_exceptions(); + cpu_init_fred_rsps(); + } #else loadsegment(fs, __KERNEL_PERCPU); #endif base-commit: 535bd326c5657fe570f41b1f76941e449d9e2062 -- 2.49.0

2 months, 2 weeks

3
2
0 0

[PATCH] drivers: video: backlight: Fix NULL Pointer Dereference in backlight_device_register()

by Haoyu Li

In the function "wled_probe", the "wled->name" is dynamically allocated (wled_probe -> wled_configure -> devm_kasprintf), which is possible to be null. In the call trace: wled_probe -> devm_backlight_device_register -> backlight_device_register, this "name" variable is directly dereferenced without checking. We add a null-check statement. Fixes: f86b77583d88 ("backlight: pm8941: Convert to using %pOFn instead of device_node.name") Signed-off-by: Haoyu Li <lihaoyu499(a)gmail.com> Cc: stable(a)vger.kernel.org --- drivers/video/backlight/backlight.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/video/backlight/backlight.c b/drivers/video/backlight/backlight.c index f699e5827ccb..b21670bd86de 100644 --- a/drivers/video/backlight/backlight.c +++ b/drivers/video/backlight/backlight.c @@ -414,6 +414,8 @@ struct backlight_device *backlight_device_register(const char *name, struct backlight_device *new_bd; int rc; + if (!name) + return ERR_PTR(-EINVAL); pr_debug("backlight_device_register: name=%s\n", name); new_bd = kzalloc(sizeof(struct backlight_device), GFP_KERNEL); -- 2.34.1

2 months, 2 weeks

4
4
0 0

[PATCH v2] misc: tps6594-pfsm: Add NULL check in tps6594_pfsm_probe()

by Henry Martin

devm_kasprintf() returns NULL when memory allocation fails. Currently, tps6594_pfsm_probe() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue. Cc: stable(a)vger.kernel.org # 6.5+ Fixes: a0df3ef087f8 ("misc: tps6594-pfsm: Add driver for TI TPS6594 PFSM") Signed-off-by: Henry Martin <bsdhenrymartin(a)gmail.com> --- V1 -> V2: Add Cc stable line. drivers/misc/tps6594-pfsm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/misc/tps6594-pfsm.c b/drivers/misc/tps6594-pfsm.c index 0a24ce44cc37..0d9dad20b6ae 100644 --- a/drivers/misc/tps6594-pfsm.c +++ b/drivers/misc/tps6594-pfsm.c @@ -281,6 +281,8 @@ static int tps6594_pfsm_probe(struct platform_device *pdev) pfsm->miscdev.minor = MISC_DYNAMIC_MINOR; pfsm->miscdev.name = devm_kasprintf(dev, GFP_KERNEL, "pfsm-%ld-0x%02x", tps->chip_id, tps->reg); + if (!pfsm->miscdev.name) + return -ENOMEM; pfsm->miscdev.fops = &tps6594_pfsm_fops; pfsm->miscdev.parent = dev->parent; pfsm->chip_id = tps->chip_id; -- 2.34.1

2 months, 2 weeks

1
0
0 0

[PATCH v3] arm64: Don't call NULL in do_compat_alignment_fixup

by Angelos Oikonomopoulos

do_alignment_t32_to_handler only fixes up alignment faults for specific instructions; it returns NULL otherwise. When that's the case, signal to the caller that it needs to proceed with the regular alignment fault handling (i.e. SIGBUS). Without this patch, we get: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000086000006 EC = 0x21: IABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault user pgtable: 4k pages, 48-bit VAs, pgdp=00000800164aa000 [0000000000000000] pgd=0800081fdbd22003, p4d=0800081fdbd22003, pud=08000815d51c6003, pmd=0000000000000000 Internal error: Oops: 0000000086000006 [#1] SMP Modules linked in: cfg80211 rfkill xt_nat xt_tcpudp xt_conntrack nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack_netlink nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xfrm_user xfrm_algo xt_addrtype nft_compat br_netfilter veth nvme_fa> libcrc32c crc32c_generic raid0 multipath linear dm_mod dax raid1 md_mod xhci_pci nvme xhci_hcd nvme_core t10_pi usbcore igb crc64_rocksoft crc64 crc_t10dif crct10dif_generic crct10dif_ce crct10dif_common usb_common i2c_algo_bit i2c> CPU: 2 PID: 3932954 Comm: WPEWebProcess Not tainted 6.1.0-31-arm64 #1 Debian 6.1.128-1 Hardware name: GIGABYTE MP32-AR1-00/MP32-AR1-00, BIOS F18v (SCP: 1.08.20211002) 12/01/2021 pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : 0x0 lr : do_compat_alignment_fixup+0xd8/0x3dc sp : ffff80000f973dd0 x29: ffff80000f973dd0 x28: ffff081b42526180 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 x23: 0000000000000004 x22: 0000000000000000 x21: 0000000000000001 x20: 00000000e8551f00 x19: ffff80000f973eb0 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffaebc949bc488 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000400000 x4 : 0000fffffffffffe x3 : 0000000000000000 x2 : ffff80000f973eb0 x1 : 00000000e8551f00 x0 : 0000000000000001 Call trace: 0x0 do_alignment_fault+0x40/0x50 do_mem_abort+0x4c/0xa0 el0_da+0x48/0xf0 el0t_32_sync_handler+0x110/0x140 el0t_32_sync+0x190/0x194 Code: bad PC value ---[ end trace 0000000000000000 ]--- Signed-off-by: Angelos Oikonomopoulos <angelos(a)igalia.com> Fixes: 3fc24ef32d3b93 ("arm64: compat: Implement misalignment fixups for multiword loads") Cc: stable(a)vger.kernel.org --- arch/arm64/kernel/compat_alignment.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/arm64/kernel/compat_alignment.c b/arch/arm64/kernel/compat_alignment.c index deff21bfa680..b68e1d328d4c 100644 --- a/arch/arm64/kernel/compat_alignment.c +++ b/arch/arm64/kernel/compat_alignment.c @@ -368,6 +368,8 @@ int do_compat_alignment_fixup(unsigned long addr, struct pt_regs *regs) return 1; } + if (!handler) + return 1; type = handler(addr, instr, regs); if (type == TYPE_ERROR || type == TYPE_FAULT) -- 2.49.0

2 months, 2 weeks

3
2
0 0

[for v6.12 LTS] nfsd: fix legacy client tracking intialization

by Chuck Lever

Hi - Commit de71d4e211ed ("nfsd: fix legacy client tracking initialization") should have included a "Cc: stable" tag. Please include it in the next release of v6.12 LTS. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=219911 -- Chuck Lever

2 months, 2 weeks

2
2
0 0

[PATCH] pinctrl: airoha: fix wrong PHY LED mapping and PHY2 LED defines

by Christian Marangi

The current PHY2 LED define are wrong and actually set BITs outside the related mask. Fix it and set the correct value. While at it, also use FIELD_PREP_CONST macro to make it simple to understand what values are actually applied for the mask. Also fix wrong PHY LED mapping. The SoC Switch supports up to 4 port but the register define mapping for 5 PHY port, starting from 0. The mapping was wrongly defined starting from PHY1. Reorder the function group to start from PHY0. PHY4 is actually never supported as we don't have a GPIO pin to assign. Cc: stable(a)vger.kernel.org Fixes: 1c8ace2d0725 ("pinctrl: airoha: Add support for EN7581 SoC") Signed-off-by: Christian Marangi <ansuelsmth(a)gmail.com> --- drivers/pinctrl/mediatek/pinctrl-airoha.c | 179 +++++++++++----------- 1 file changed, 90 insertions(+), 89 deletions(-) diff --git a/drivers/pinctrl/mediatek/pinctrl-airoha.c b/drivers/pinctrl/mediatek/pinctrl-airoha.c index 547a798b71c8..9099ad34aa29 100644 --- a/drivers/pinctrl/mediatek/pinctrl-airoha.c +++ b/drivers/pinctrl/mediatek/pinctrl-airoha.c @@ -6,6 +6,7 @@ */ #include <dt-bindings/pinctrl/mt65xx.h> +#include <linux/bitfield.h> #include <linux/bits.h> #include <linux/cleanup.h> #include <linux/gpio/driver.h> @@ -112,39 +113,39 @@ #define REG_LAN_LED1_MAPPING 0x0280 #define LAN4_LED_MAPPING_MASK GENMASK(18, 16) -#define LAN4_PHY4_LED_MAP BIT(18) -#define LAN4_PHY2_LED_MAP BIT(17) -#define LAN4_PHY1_LED_MAP BIT(16) -#define LAN4_PHY0_LED_MAP 0 -#define LAN4_PHY3_LED_MAP GENMASK(17, 16) +#define LAN4_PHY4_LED_MAP FIELD_PREP_CONST(LAN4_LED_MAPPING_MASK, 0x4) +#define LAN4_PHY3_LED_MAP FIELD_PREP_CONST(LAN4_LED_MAPPING_MASK, 0x3) +#define LAN4_PHY2_LED_MAP FIELD_PREP_CONST(LAN4_LED_MAPPING_MASK, 0x2) +#define LAN4_PHY1_LED_MAP FIELD_PREP_CONST(LAN4_LED_MAPPING_MASK, 0x1) +#define LAN4_PHY0_LED_MAP FIELD_PREP_CONST(LAN4_LED_MAPPING_MASK, 0x0) #define LAN3_LED_MAPPING_MASK GENMASK(14, 12) -#define LAN3_PHY4_LED_MAP BIT(14) -#define LAN3_PHY2_LED_MAP BIT(13) -#define LAN3_PHY1_LED_MAP BIT(12) -#define LAN3_PHY0_LED_MAP 0 -#define LAN3_PHY3_LED_MAP GENMASK(13, 12) +#define LAN3_PHY4_LED_MAP FIELD_PREP_CONST(LAN3_LED_MAPPING_MASK, 0x4) +#define LAN3_PHY3_LED_MAP FIELD_PREP_CONST(LAN3_LED_MAPPING_MASK, 0x3) +#define LAN3_PHY2_LED_MAP FIELD_PREP_CONST(LAN3_LED_MAPPING_MASK, 0x2) +#define LAN3_PHY1_LED_MAP FIELD_PREP_CONST(LAN3_LED_MAPPING_MASK, 0x1) +#define LAN3_PHY0_LED_MAP FIELD_PREP_CONST(LAN3_LED_MAPPING_MASK, 0x0) #define LAN2_LED_MAPPING_MASK GENMASK(10, 8) -#define LAN2_PHY4_LED_MAP BIT(12) -#define LAN2_PHY2_LED_MAP BIT(11) -#define LAN2_PHY1_LED_MAP BIT(10) -#define LAN2_PHY0_LED_MAP 0 -#define LAN2_PHY3_LED_MAP GENMASK(11, 10) +#define LAN2_PHY4_LED_MAP FIELD_PREP_CONST(LAN2_LED_MAPPING_MASK, 0x4) +#define LAN2_PHY3_LED_MAP FIELD_PREP_CONST(LAN2_LED_MAPPING_MASK, 0x3) +#define LAN2_PHY2_LED_MAP FIELD_PREP_CONST(LAN2_LED_MAPPING_MASK, 0x2) +#define LAN2_PHY1_LED_MAP FIELD_PREP_CONST(LAN2_LED_MAPPING_MASK, 0x1) +#define LAN2_PHY0_LED_MAP FIELD_PREP_CONST(LAN2_LED_MAPPING_MASK, 0x0) #define LAN1_LED_MAPPING_MASK GENMASK(6, 4) -#define LAN1_PHY4_LED_MAP BIT(6) -#define LAN1_PHY2_LED_MAP BIT(5) -#define LAN1_PHY1_LED_MAP BIT(4) -#define LAN1_PHY0_LED_MAP 0 -#define LAN1_PHY3_LED_MAP GENMASK(5, 4) +#define LAN1_PHY4_LED_MAP FIELD_PREP_CONST(LAN1_LED_MAPPING_MASK, 0x4) +#define LAN1_PHY3_LED_MAP FIELD_PREP_CONST(LAN1_LED_MAPPING_MASK, 0x3) +#define LAN1_PHY2_LED_MAP FIELD_PREP_CONST(LAN1_LED_MAPPING_MASK, 0x2) +#define LAN1_PHY1_LED_MAP FIELD_PREP_CONST(LAN1_LED_MAPPING_MASK, 0x1) +#define LAN1_PHY0_LED_MAP FIELD_PREP_CONST(LAN1_LED_MAPPING_MASK, 0x0) #define LAN0_LED_MAPPING_MASK GENMASK(2, 0) -#define LAN0_PHY4_LED_MAP BIT(3) -#define LAN0_PHY2_LED_MAP BIT(2) -#define LAN0_PHY1_LED_MAP BIT(1) -#define LAN0_PHY0_LED_MAP 0 -#define LAN0_PHY3_LED_MAP GENMASK(2, 1) +#define LAN0_PHY4_LED_MAP FIELD_PREP_CONST(LAN0_LED_MAPPING_MASK, 0x4) +#define LAN0_PHY3_LED_MAP FIELD_PREP_CONST(LAN0_LED_MAPPING_MASK, 0x3) +#define LAN0_PHY2_LED_MAP FIELD_PREP_CONST(LAN0_LED_MAPPING_MASK, 0x2) +#define LAN0_PHY1_LED_MAP FIELD_PREP_CONST(LAN0_LED_MAPPING_MASK, 0x1) +#define LAN0_PHY0_LED_MAP FIELD_PREP_CONST(LAN0_LED_MAPPING_MASK, 0x0) /* CONF */ #define REG_I2C_SDA_E2 0x001c @@ -1476,8 +1477,8 @@ static const struct airoha_pinctrl_func_group phy1_led0_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED0_MAPPING, - LAN1_LED_MAPPING_MASK, - LAN1_PHY1_LED_MAP + LAN0_LED_MAPPING_MASK, + LAN0_PHY0_LED_MAP }, .regmap_size = 2, }, { @@ -1491,8 +1492,8 @@ static const struct airoha_pinctrl_func_group phy1_led0_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED0_MAPPING, - LAN2_LED_MAPPING_MASK, - LAN2_PHY1_LED_MAP + LAN1_LED_MAPPING_MASK, + LAN1_PHY0_LED_MAP }, .regmap_size = 2, }, { @@ -1506,8 +1507,8 @@ static const struct airoha_pinctrl_func_group phy1_led0_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED0_MAPPING, - LAN3_LED_MAPPING_MASK, - LAN3_PHY1_LED_MAP + LAN2_LED_MAPPING_MASK, + LAN2_PHY0_LED_MAP }, .regmap_size = 2, }, { @@ -1521,8 +1522,8 @@ static const struct airoha_pinctrl_func_group phy1_led0_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED0_MAPPING, - LAN4_LED_MAPPING_MASK, - LAN4_PHY1_LED_MAP + LAN3_LED_MAPPING_MASK, + LAN3_PHY0_LED_MAP }, .regmap_size = 2, }, @@ -1540,8 +1541,8 @@ static const struct airoha_pinctrl_func_group phy2_led0_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED0_MAPPING, - LAN1_LED_MAPPING_MASK, - LAN1_PHY2_LED_MAP + LAN0_LED_MAPPING_MASK, + LAN0_PHY1_LED_MAP }, .regmap_size = 2, }, { @@ -1555,8 +1556,8 @@ static const struct airoha_pinctrl_func_group phy2_led0_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED0_MAPPING, - LAN2_LED_MAPPING_MASK, - LAN2_PHY2_LED_MAP + LAN1_LED_MAPPING_MASK, + LAN1_PHY1_LED_MAP }, .regmap_size = 2, }, { @@ -1570,8 +1571,8 @@ static const struct airoha_pinctrl_func_group phy2_led0_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED0_MAPPING, - LAN3_LED_MAPPING_MASK, - LAN3_PHY2_LED_MAP + LAN2_LED_MAPPING_MASK, + LAN2_PHY1_LED_MAP }, .regmap_size = 2, }, { @@ -1585,8 +1586,8 @@ static const struct airoha_pinctrl_func_group phy2_led0_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED0_MAPPING, - LAN4_LED_MAPPING_MASK, - LAN4_PHY2_LED_MAP + LAN3_LED_MAPPING_MASK, + LAN3_PHY1_LED_MAP }, .regmap_size = 2, }, @@ -1604,8 +1605,8 @@ static const struct airoha_pinctrl_func_group phy3_led0_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED0_MAPPING, - LAN1_LED_MAPPING_MASK, - LAN1_PHY3_LED_MAP + LAN0_LED_MAPPING_MASK, + LAN0_PHY2_LED_MAP }, .regmap_size = 2, }, { @@ -1619,8 +1620,8 @@ static const struct airoha_pinctrl_func_group phy3_led0_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED0_MAPPING, - LAN2_LED_MAPPING_MASK, - LAN2_PHY3_LED_MAP + LAN1_LED_MAPPING_MASK, + LAN1_PHY2_LED_MAP }, .regmap_size = 2, }, { @@ -1634,8 +1635,8 @@ static const struct airoha_pinctrl_func_group phy3_led0_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED0_MAPPING, - LAN3_LED_MAPPING_MASK, - LAN3_PHY3_LED_MAP + LAN2_LED_MAPPING_MASK, + LAN2_PHY2_LED_MAP }, .regmap_size = 2, }, { @@ -1649,8 +1650,8 @@ static const struct airoha_pinctrl_func_group phy3_led0_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED0_MAPPING, - LAN4_LED_MAPPING_MASK, - LAN4_PHY3_LED_MAP + LAN3_LED_MAPPING_MASK, + LAN3_PHY2_LED_MAP }, .regmap_size = 2, }, @@ -1668,8 +1669,8 @@ static const struct airoha_pinctrl_func_group phy4_led0_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED0_MAPPING, - LAN1_LED_MAPPING_MASK, - LAN1_PHY4_LED_MAP + LAN0_LED_MAPPING_MASK, + LAN0_PHY3_LED_MAP }, .regmap_size = 2, }, { @@ -1683,8 +1684,8 @@ static const struct airoha_pinctrl_func_group phy4_led0_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED0_MAPPING, - LAN2_LED_MAPPING_MASK, - LAN2_PHY4_LED_MAP + LAN1_LED_MAPPING_MASK, + LAN1_PHY3_LED_MAP }, .regmap_size = 2, }, { @@ -1698,8 +1699,8 @@ static const struct airoha_pinctrl_func_group phy4_led0_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED0_MAPPING, - LAN3_LED_MAPPING_MASK, - LAN3_PHY4_LED_MAP + LAN2_LED_MAPPING_MASK, + LAN2_PHY3_LED_MAP }, .regmap_size = 2, }, { @@ -1713,8 +1714,8 @@ static const struct airoha_pinctrl_func_group phy4_led0_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED0_MAPPING, - LAN4_LED_MAPPING_MASK, - LAN4_PHY4_LED_MAP + LAN3_LED_MAPPING_MASK, + LAN3_PHY3_LED_MAP }, .regmap_size = 2, }, @@ -1732,8 +1733,8 @@ static const struct airoha_pinctrl_func_group phy1_led1_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED1_MAPPING, - LAN1_LED_MAPPING_MASK, - LAN1_PHY1_LED_MAP + LAN0_LED_MAPPING_MASK, + LAN0_PHY0_LED_MAP }, .regmap_size = 2, }, { @@ -1747,8 +1748,8 @@ static const struct airoha_pinctrl_func_group phy1_led1_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED1_MAPPING, - LAN2_LED_MAPPING_MASK, - LAN2_PHY1_LED_MAP + LAN1_LED_MAPPING_MASK, + LAN1_PHY0_LED_MAP }, .regmap_size = 2, }, { @@ -1762,8 +1763,8 @@ static const struct airoha_pinctrl_func_group phy1_led1_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED1_MAPPING, - LAN3_LED_MAPPING_MASK, - LAN3_PHY1_LED_MAP + LAN2_LED_MAPPING_MASK, + LAN2_PHY0_LED_MAP }, .regmap_size = 2, }, { @@ -1777,8 +1778,8 @@ static const struct airoha_pinctrl_func_group phy1_led1_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED1_MAPPING, - LAN4_LED_MAPPING_MASK, - LAN4_PHY1_LED_MAP + LAN3_LED_MAPPING_MASK, + LAN3_PHY0_LED_MAP }, .regmap_size = 2, }, @@ -1796,8 +1797,8 @@ static const struct airoha_pinctrl_func_group phy2_led1_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED1_MAPPING, - LAN1_LED_MAPPING_MASK, - LAN1_PHY2_LED_MAP + LAN0_LED_MAPPING_MASK, + LAN0_PHY1_LED_MAP }, .regmap_size = 2, }, { @@ -1811,8 +1812,8 @@ static const struct airoha_pinctrl_func_group phy2_led1_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED1_MAPPING, - LAN2_LED_MAPPING_MASK, - LAN2_PHY2_LED_MAP + LAN1_LED_MAPPING_MASK, + LAN1_PHY1_LED_MAP }, .regmap_size = 2, }, { @@ -1826,8 +1827,8 @@ static const struct airoha_pinctrl_func_group phy2_led1_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED1_MAPPING, - LAN3_LED_MAPPING_MASK, - LAN3_PHY2_LED_MAP + LAN2_LED_MAPPING_MASK, + LAN2_PHY1_LED_MAP }, .regmap_size = 2, }, { @@ -1841,8 +1842,8 @@ static const struct airoha_pinctrl_func_group phy2_led1_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED1_MAPPING, - LAN4_LED_MAPPING_MASK, - LAN4_PHY2_LED_MAP + LAN3_LED_MAPPING_MASK, + LAN3_PHY1_LED_MAP }, .regmap_size = 2, }, @@ -1860,8 +1861,8 @@ static const struct airoha_pinctrl_func_group phy3_led1_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED1_MAPPING, - LAN1_LED_MAPPING_MASK, - LAN1_PHY3_LED_MAP + LAN0_LED_MAPPING_MASK, + LAN0_PHY2_LED_MAP }, .regmap_size = 2, }, { @@ -1875,8 +1876,8 @@ static const struct airoha_pinctrl_func_group phy3_led1_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED1_MAPPING, - LAN2_LED_MAPPING_MASK, - LAN2_PHY3_LED_MAP + LAN1_LED_MAPPING_MASK, + LAN1_PHY2_LED_MAP }, .regmap_size = 2, }, { @@ -1890,8 +1891,8 @@ static const struct airoha_pinctrl_func_group phy3_led1_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED1_MAPPING, - LAN3_LED_MAPPING_MASK, - LAN3_PHY3_LED_MAP + LAN2_LED_MAPPING_MASK, + LAN2_PHY2_LED_MAP }, .regmap_size = 2, }, { @@ -1905,8 +1906,8 @@ static const struct airoha_pinctrl_func_group phy3_led1_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED1_MAPPING, - LAN4_LED_MAPPING_MASK, - LAN4_PHY3_LED_MAP + LAN3_LED_MAPPING_MASK, + LAN3_PHY2_LED_MAP }, .regmap_size = 2, }, @@ -1924,8 +1925,8 @@ static const struct airoha_pinctrl_func_group phy4_led1_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED1_MAPPING, - LAN1_LED_MAPPING_MASK, - LAN1_PHY4_LED_MAP + LAN0_LED_MAPPING_MASK, + LAN0_PHY3_LED_MAP }, .regmap_size = 2, }, { @@ -1939,8 +1940,8 @@ static const struct airoha_pinctrl_func_group phy4_led1_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED1_MAPPING, - LAN2_LED_MAPPING_MASK, - LAN2_PHY4_LED_MAP + LAN1_LED_MAPPING_MASK, + LAN1_PHY3_LED_MAP }, .regmap_size = 2, }, { @@ -1954,8 +1955,8 @@ static const struct airoha_pinctrl_func_group phy4_led1_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED1_MAPPING, - LAN3_LED_MAPPING_MASK, - LAN3_PHY4_LED_MAP + LAN2_LED_MAPPING_MASK, + LAN2_PHY3_LED_MAP }, .regmap_size = 2, }, { @@ -1969,8 +1970,8 @@ static const struct airoha_pinctrl_func_group phy4_led1_func_group[] = { .regmap[1] = { AIROHA_FUNC_MUX, REG_LAN_LED1_MAPPING, - LAN4_LED_MAPPING_MASK, - LAN4_PHY4_LED_MAP + LAN3_LED_MAPPING_MASK, + LAN3_PHY3_LED_MAP }, .regmap_size = 2, }, -- 2.48.1

2 months, 2 weeks

3
2
0 0

[PATCH v3] platform/x86: thinkpad_acpi: disable ACPI fan access for T495* and E560

by Seyediman Seyedarab

From: Eduard Christian Dumitrescu <eduard.c.dumitrescu(a)gmail.com> T495, T495s, and E560 laptops have the FANG+FANW ACPI methods (therefore fang_handle and fanw_handle are not NULL) but they do not actually work, which results in a "No such device or address" error. The DSDT table code for the FANG+FANW methods doesn't seem to do anything special regarding the fan being secondary. Fan access and control is restored after forcing the legacy non-ACPI fan control method by setting both fang_handle and fanw_handle to NULL. The bug was introduced in commit 57d0557dfa49 ("platform/x86: thinkpad_acpi: Add Thinkpad Edge E531 fan support"), which added a new fan control method via the FANG+FANW ACPI methods. Add a quirk for T495, T495s, and E560 to avoid the FANG+FANW methods. Reported-by: Vlastimil Holer <vlastimil.holer(a)gmail.com> Fixes: 57d0557dfa49 ("platform/x86: thinkpad_acpi: Add Thinkpad Edge E531 fan support") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219643 Cc: stable(a)vger.kernel.org Tested-by: Alireza Elikahi <scr0lll0ck1s4b0v3h0m3k3y(a)gmail.com> Reviewed-by: Kurt Borja <kuurtb(a)gmail.com> Signed-off-by: Eduard Christian Dumitrescu <eduard.c.dumitrescu(a)gmail.com> Co-developed-by: Seyediman Seyedarab <ImanDevel(a)gmail.com> Signed-off-by: Seyediman Seyedarab <ImanDevel(a)gmail.com> --- Changes in v3: - Reordered paragraphs in the changelog and made minor adjusments - Reorded tags - Added Kurt Borja as a reviewer - Removed Tested-by: crok <crok.bic(a)gmail.com> as crok didn't test the patch Kindest Regards, Seyediman drivers/platform/x86/thinkpad_acpi.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c index d8df1405edfa..27fd67a2f2d1 100644 --- a/drivers/platform/x86/thinkpad_acpi.c +++ b/drivers/platform/x86/thinkpad_acpi.c @@ -8793,6 +8793,7 @@ static const struct attribute_group fan_driver_attr_group = { #define TPACPI_FAN_NS 0x0010 /* For EC with non-Standard register addresses */ #define TPACPI_FAN_DECRPM 0x0020 /* For ECFW's with RPM in register as decimal */ #define TPACPI_FAN_TPR 0x0040 /* Fan speed is in Ticks Per Revolution */ +#define TPACPI_FAN_NOACPI 0x0080 /* Don't use ACPI methods even if detected */ static const struct tpacpi_quirk fan_quirk_table[] __initconst = { TPACPI_QEC_IBM('1', 'Y', TPACPI_FAN_Q1), @@ -8823,6 +8824,9 @@ static const struct tpacpi_quirk fan_quirk_table[] __initconst = { TPACPI_Q_LNV3('N', '1', 'O', TPACPI_FAN_NOFAN), /* X1 Tablet (2nd gen) */ TPACPI_Q_LNV3('R', '0', 'Q', TPACPI_FAN_DECRPM),/* L480 */ TPACPI_Q_LNV('8', 'F', TPACPI_FAN_TPR), /* ThinkPad x120e */ + TPACPI_Q_LNV3('R', '0', '0', TPACPI_FAN_NOACPI),/* E560 */ + TPACPI_Q_LNV3('R', '1', '2', TPACPI_FAN_NOACPI),/* T495 */ + TPACPI_Q_LNV3('R', '1', '3', TPACPI_FAN_NOACPI),/* T495s */ }; static int __init fan_init(struct ibm_init_struct *iibm) @@ -8874,6 +8878,13 @@ static int __init fan_init(struct ibm_init_struct *iibm) tp_features.fan_ctrl_status_undef = 1; } + if (quirks & TPACPI_FAN_NOACPI) { + /* E560, T495, T495s */ + pr_info("Ignoring buggy ACPI fan access method\n"); + fang_handle = NULL; + fanw_handle = NULL; + } + if (gfan_handle) { /* 570, 600e/x, 770e, 770x */ fan_status_access_mode = TPACPI_FAN_RD_ACPI_GFAN; -- 2.48.1

2 months, 2 weeks

2
2
0 0

[PATCH] platform/x86: ISST: Correct command storage data length

by Srinivas Pandruvada

After resume/online turbo limit ratio (TRL) is restored partially if the admin explicitly changed TRL from user space. A hash table is used to store SST mail box and MSR settings when modified to restore those settings after resume or online. This uses a struct isst_cmd field "data" to store these settings. This is a 64 bit field. But isst_store_new_cmd() is only assigning as u32. This results in truncation of 32 bits. Change the argument to u64 from u32. Fixes: f607874f35cb ("platform/x86: ISST: Restore state on resume") Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> Cc: stable(a)vger.kernel.org --- drivers/platform/x86/intel/speed_select_if/isst_if_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c index dbcd3087aaa4..31239a93dd71 100644 --- a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c +++ b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c @@ -84,7 +84,7 @@ static DECLARE_HASHTABLE(isst_hash, 8); static DEFINE_MUTEX(isst_hash_lock); static int isst_store_new_cmd(int cmd, u32 cpu, int mbox_cmd_type, u32 param, - u32 data) + u64 data) { struct isst_cmd *sst_cmd; -- 2.48.1

2 months, 2 weeks

2
1
0 0

[PATCHv2 gfs2/for-next] gfs2: move msleep to sleepable context

by Alexander Aring

This patch moves the msleep_interruptible() out of the non-sleepable context by moving the ls->ls_recover_spin spinlock around so msleep_interruptible() will be called in a sleepable context. Cc: stable(a)vger.kernel.org Fixes: 4a7727725dc7 ("GFS2: Fix recovery issues for spectators") Suggested-by: Andreas Gruenbacher <agruenba(a)redhat.com> Signed-off-by: Alexander Aring <aahringo(a)redhat.com> --- changes since v2: - move the spinlock around to avoid schedule under spinlock fs/gfs2/lock_dlm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/gfs2/lock_dlm.c b/fs/gfs2/lock_dlm.c index 58aeeae7ed8c..2c9172dd41e7 100644 --- a/fs/gfs2/lock_dlm.c +++ b/fs/gfs2/lock_dlm.c @@ -996,14 +996,15 @@ static int control_mount(struct gfs2_sbd *sdp) if (sdp->sd_args.ar_spectator) { fs_info(sdp, "Recovery is required. Waiting for a " "non-spectator to mount.\n"); + spin_unlock(&ls->ls_recover_spin); msleep_interruptible(1000); } else { fs_info(sdp, "control_mount wait1 block %u start %u " "mount %u lvb %u flags %lx\n", block_gen, start_gen, mount_gen, lvb_gen, ls->ls_recover_flags); + spin_unlock(&ls->ls_recover_spin); } - spin_unlock(&ls->ls_recover_spin); goto restart; } -- 2.43.0

2 months, 2 weeks

2
1
0 0

[PATCH] accel/ivpu: Add handling of VPU_JSM_STATUS_MVNCI_CONTEXT_VIOLATION_HW

by Jacek Lawrynowicz

From: Karol Wachowski <karol.wachowski(a)intel.com> commit dad945c27a42dfadddff1049cf5ae417209a8996 upstream. Trigger recovery of the NPU upon receiving HW context violation from the firmware. The context violation error is a fatal error that prevents any subsequent jobs from being executed. Without this fix it is necessary to reload the driver to restore the NPU operational state. This is simplified version of upstream commit as the full implementation would require all engine reset/resume logic to be backported. Signed-off-by: Karol Wachowski <karol.wachowski(a)intel.com> Signed-off-by: Maciej Falkowski <maciej.falkowski(a)linux.intel.com> Reviewed-by: Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20250107173238.381120-13-maci… Fixes: 0adff3b0ef12 ("accel/ivpu: Share NPU busy time in sysfs") Cc: <stable(a)vger.kernel.org> # v6.11+ --- drivers/accel/ivpu/ivpu_job.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/accel/ivpu/ivpu_job.c b/drivers/accel/ivpu/ivpu_job.c index be2e2bf0f43f0..70b3676974407 100644 --- a/drivers/accel/ivpu/ivpu_job.c +++ b/drivers/accel/ivpu/ivpu_job.c @@ -482,6 +482,8 @@ static struct ivpu_job *ivpu_job_remove_from_submitted_jobs(struct ivpu_device * return job; } +#define VPU_JSM_STATUS_MVNCI_CONTEXT_VIOLATION_HW 0xEU + static int ivpu_job_signal_and_destroy(struct ivpu_device *vdev, u32 job_id, u32 job_status) { struct ivpu_job *job; @@ -490,6 +492,9 @@ static int ivpu_job_signal_and_destroy(struct ivpu_device *vdev, u32 job_id, u32 if (!job) return -ENOENT; + if (job_status == VPU_JSM_STATUS_MVNCI_CONTEXT_VIOLATION_HW) + ivpu_pm_trigger_recovery(vdev, "HW context violation"); + if (job->file_priv->has_mmu_faults) job_status = DRM_IVPU_JOB_STATUS_ABORTED; -- 2.45.1

2 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] cgroup/rstat: Fix forceidle time in cpu.stat" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x c4af66a95aa3bc1d4f607ebd4eea524fb58946e3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025040113-pellet-sanding-f62c@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c4af66a95aa3bc1d4f607ebd4eea524fb58946e3 Mon Sep 17 00:00:00 2001 From: Abel Wu <wuyun.abel(a)bytedance.com> Date: Sun, 9 Feb 2025 14:13:11 +0800 Subject: [PATCH] cgroup/rstat: Fix forceidle time in cpu.stat The commit b824766504e4 ("cgroup/rstat: add force idle show helper") retrieves forceidle_time outside cgroup_rstat_lock for non-root cgroups which can be potentially inconsistent with other stats. Rather than reverting that commit, fix it in a way that retains the effort of cleaning up the ifdef-messes. Fixes: b824766504e4 ("cgroup/rstat: add force idle show helper") Signed-off-by: Abel Wu <wuyun.abel(a)bytedance.com> Signed-off-by: Tejun Heo <tj(a)kernel.org> diff --git a/kernel/cgroup/rstat.c b/kernel/cgroup/rstat.c index 5877974ece92..c2784c317cdd 100644 --- a/kernel/cgroup/rstat.c +++ b/kernel/cgroup/rstat.c @@ -613,36 +613,33 @@ static void cgroup_force_idle_show(struct seq_file *seq, struct cgroup_base_stat void cgroup_base_stat_cputime_show(struct seq_file *seq) { struct cgroup *cgrp = seq_css(seq)->cgroup; - u64 usage, utime, stime, ntime; + struct cgroup_base_stat bstat; if (cgroup_parent(cgrp)) { cgroup_rstat_flush_hold(cgrp); - usage = cgrp->bstat.cputime.sum_exec_runtime; + bstat = cgrp->bstat; cputime_adjust(&cgrp->bstat.cputime, &cgrp->prev_cputime, - &utime, &stime); - ntime = cgrp->bstat.ntime; + &bstat.cputime.utime, &bstat.cputime.stime); cgroup_rstat_flush_release(cgrp); } else { - /* cgrp->bstat of root is not actually used, reuse it */ - root_cgroup_cputime(&cgrp->bstat); - usage = cgrp->bstat.cputime.sum_exec_runtime; - utime = cgrp->bstat.cputime.utime; - stime = cgrp->bstat.cputime.stime; - ntime = cgrp->bstat.ntime; + root_cgroup_cputime(&bstat); } - do_div(usage, NSEC_PER_USEC); - do_div(utime, NSEC_PER_USEC); - do_div(stime, NSEC_PER_USEC); - do_div(ntime, NSEC_PER_USEC); + do_div(bstat.cputime.sum_exec_runtime, NSEC_PER_USEC); + do_div(bstat.cputime.utime, NSEC_PER_USEC); + do_div(bstat.cputime.stime, NSEC_PER_USEC); + do_div(bstat.ntime, NSEC_PER_USEC); seq_printf(seq, "usage_usec %llu\n" "user_usec %llu\n" "system_usec %llu\n" "nice_usec %llu\n", - usage, utime, stime, ntime); + bstat.cputime.sum_exec_runtime, + bstat.cputime.utime, + bstat.cputime.stime, + bstat.ntime); - cgroup_force_idle_show(seq, &cgrp->bstat); + cgroup_force_idle_show(seq, &bstat); } /* Add bpf kfuncs for cgroup_rstat_updated() and cgroup_rstat_flush() */

2 months, 2 weeks

1
0
0 0

[PATCH 6.1.y] smb: client: Fix use-after-free of network namespace.

by Xiangyu Chen

From: Kuniyuki Iwashima <kuniyu(a)amazon.com> commit ef7134c7fc48e1441b398e55a862232868a6f0a7 upstream. Recently, we got a customer report that CIFS triggers oops while reconnecting to a server. [0] The workload runs on Kubernetes, and some pods mount CIFS servers in non-root network namespaces. The problem rarely happened, but it was always while the pod was dying. The root cause is wrong reference counting for network namespace. CIFS uses kernel sockets, which do not hold refcnt of the netns that the socket belongs to. That means CIFS must ensure the socket is always freed before its netns; otherwise, use-after-free happens. The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFS We can reproduce the issue quickly with the script [1] below and see the splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled. When the socket is TCP, it is hard to guarantee the netns lifetime without holding refcnt due to async timers. Let's hold netns refcnt for each socket as done for SMC in commit 9744d2bf1976 ("smc: Fix use-after-free in tcp_write_timer_handler()."). Note that we need to move put_net() from cifs_put_tcp_session() to clean_demultiplex_info(); otherwise, __sock_create() still could touch a freed netns while cifsd tries to reconnect from cifs_demultiplex_thread(). Also, maybe_get_net() cannot be put just before __sock_create() because the code is not under RCU and there is a small chance that the same address happened to be reallocated to another netns. [0]: CIFS: VFS: \\XXXXXXXXXXX has not responded in 15 seconds. Reconnecting... CIFS: Serverclose failed 4 times, giving up Unable to handle kernel paging request at virtual address 14de99e461f84a07 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0 [14de99e461f84a07] address between user and kernel address ranges Internal error: Oops: 0000000096000004 [#1] SMP Modules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfs CPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1 Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018 pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : fib_rules_lookup+0x44/0x238 lr : __fib_lookup+0x64/0xbc sp : ffff8000265db790 x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01 x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580 x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500 x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002 x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294 x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000 x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0 x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500 Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_connect+0x10c/0x6c8 [cifs] __reconnect_target_unlocked+0xa0/0x214 [cifs] reconnect_dfs_server+0x144/0x460 [cifs] cifs_reconnect+0x88/0x148 [cifs] cifs_readv_from_socket+0x230/0x430 [cifs] cifs_read_from_socket+0x74/0xa8 [cifs] cifs_demultiplex_thread+0xf8/0x704 [cifs] kthread+0xd0/0xd4 Code: aa0003f8 f8480f13 eb18027f 540006c0 (b9401264) [1]: CIFS_CRED="/root/cred.cifs" CIFS_USER="Administrator" CIFS_PASS="Password" CIFS_IP="X.X.X.X" CIFS_PATH="//${CIFS_IP}/Users/Administrator/Desktop/CIFS_TEST" CIFS_MNT="/mnt/smb" DEV="enp0s3" cat <<EOF > ${CIFS_CRED} username=${CIFS_USER} password=${CIFS_PASS} domain=EXAMPLE.COM EOF unshare -n bash -c " mkdir -p ${CIFS_MNT} ip netns attach root 1 ip link add eth0 type veth peer veth0 netns root ip link set eth0 up ip -n root link set veth0 up ip addr add 192.168.0.2/24 dev eth0 ip -n root addr add 192.168.0.1/24 dev veth0 ip route add default via 192.168.0.1 dev eth0 ip netns exec root sysctl net.ipv4.ip_forward=1 ip netns exec root iptables -t nat -A POSTROUTING -s 192.168.0.2 -o ${DEV} -j MASQUERADE mount -t cifs ${CIFS_PATH} ${CIFS_MNT} -o vers=3.0,sec=ntlmssp,credentials=${CIFS_CRED},rsize=65536,wsize=65536,cache=none,echo_interval=1 touch ${CIFS_MNT}/a.txt ip netns exec root iptables -t nat -D POSTROUTING -s 192.168.0.2 -o ${DEV} -j MASQUERADE " umount ${CIFS_MNT} [2]: ref_tracker: net notrefcnt@000000004bbc008d has 1/1 users at sk_alloc (./include/net/net_namespace.h:339 net/core/sock.c:2227) inet_create (net/ipv4/af_inet.c:326 net/ipv4/af_inet.c:252) __sock_create (net/socket.c:1576) generic_ip_connect (fs/smb/client/connect.c:3075) cifs_get_tcp_session.part.0 (fs/smb/client/connect.c:3160 fs/smb/client/connect.c:1798) cifs_mount_get_session (fs/smb/client/trace.h:959 fs/smb/client/connect.c:3366) dfs_mount_share (fs/smb/client/dfs.c:63 fs/smb/client/dfs.c:285) cifs_mount (fs/smb/client/connect.c:3622) cifs_smb3_do_mount (fs/smb/client/cifsfs.c:949) smb3_get_tree (fs/smb/client/fs_context.c:784 fs/smb/client/fs_context.c:802 fs/smb/client/fs_context.c:794) vfs_get_tree (fs/super.c:1800) path_mount (fs/namespace.c:3508 fs/namespace.c:3834) __x64_sys_mount (fs/namespace.c:3848 fs/namespace.c:4057 fs/namespace.c:4034 fs/namespace.c:4034) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Fixes: 26abe14379f8 ("net: Modify sk_alloc to not reference count the netns of kernel sockets.") Signed-off-by: Kuniyuki Iwashima <kuniyu(a)amazon.com> Acked-by: Tom Talpey <tom(a)talpey.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> [ cherry-pick from amazon-linux amazon-6.1.y/mainline ] Link: https://github.com/amazonlinux/linux/commit/12bb8c57cead Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test. --- fs/smb/client/connect.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c index db30c4b8a221..13dcf973e795 100644 --- a/fs/smb/client/connect.c +++ b/fs/smb/client/connect.c @@ -1062,6 +1062,7 @@ static void clean_demultiplex_info(struct TCP_Server_Info *server) */ } + put_net(cifs_net_ns(server)); #ifdef CONFIG_CIFS_DFS_UPCALL kfree(server->origin_fullpath); kfree(server->leaf_fullpath); @@ -1656,8 +1657,6 @@ cifs_put_tcp_session(struct TCP_Server_Info *server, int from_reconnect) /* srv_count can never go negative */ WARN_ON(server->srv_count < 0); - put_net(cifs_net_ns(server)); - list_del_init(&server->tcp_ses_list); spin_unlock(&cifs_tcp_ses_lock); @@ -3031,7 +3030,10 @@ generic_ip_connect(struct TCP_Server_Info *server) } if (socket == NULL) { - rc = __sock_create(cifs_net_ns(server), sfamily, SOCK_STREAM, + struct net *net = cifs_net_ns(server); + struct sock *sk; + + rc = __sock_create(net, sfamily, SOCK_STREAM, IPPROTO_TCP, &socket, 1); if (rc < 0) { cifs_server_dbg(VFS, "Error %d creating socket\n", rc); @@ -3039,6 +3041,11 @@ generic_ip_connect(struct TCP_Server_Info *server) return rc; } + sk = socket->sk; + sk->sk_net_refcnt = 1; + get_net_track(net, &sk->ns_tracker, GFP_KERNEL); + sock_inuse_add(net, 1); + /* BB other socket options to set KEEPALIVE, NODELAY? */ cifs_dbg(FYI, "Socket created\n"); server->ssocket = socket; -- 2.34.1

2 months, 2 weeks

1
0
0 0

[PATCH 5.10/5.15/6.1] HID: mcp2221: Set driver data before I2C adapter add

by Mikhail Lobanov

From: Hamish Martin <hamish.martin(a)alliedtelesis.co.nz> commit f2d4a5834638bbc967371b9168c0b481519f7c5e upstream. The process of adding an I2C adapter can invoke I2C accesses on that new adapter (see i2c_detect()). Ensure we have set the adapter's driver data to avoid null pointer dereferences in the xfer functions during the adapter add. This has been noted in the past and the same fix proposed but not completed. See: https://lore.kernel.org/lkml/ef597e73-ed71-168e-52af-0d19b03734ac@vigem.de/ Signed-off-by: Hamish Martin <hamish.martin(a)alliedtelesis.co.nz> Signed-off-by: Jiri Kosina <jkosina(a)suse.cz> [Mikhail Lobanov: older kernels use i2c_add_adapter() instead of devm_i2c_add_adapter(). This problem manifests itself in stable kernel branches: https://syzkaller.appspot.com/bug?extid=40dc62a33c759a65ad44, https://syzkaller.appspot.com/bug?extid=24b122f8e84c3f9d9d1d] Signed-off-by: Mikhail Lobanov <m.lobanov(a)rosa.ru> --- drivers/hid/hid-mcp2221.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/hid/hid-mcp2221.c b/drivers/hid/hid-mcp2221.c index 560eeec4035a..b0dc0edc69c2 100644 --- a/drivers/hid/hid-mcp2221.c +++ b/drivers/hid/hid-mcp2221.c @@ -879,12 +879,12 @@ static int mcp2221_probe(struct hid_device *hdev, snprintf(mcp->adapter.name, sizeof(mcp->adapter.name), "MCP2221 usb-i2c bridge"); + i2c_set_adapdata(&mcp->adapter, mcp); ret = i2c_add_adapter(&mcp->adapter); if (ret) { hid_err(hdev, "can't add usb-i2c adapter: %d\n", ret); goto err_i2c; } - i2c_set_adapdata(&mcp->adapter, mcp); /* Setup GPIO chip */ mcp->gc = devm_kzalloc(&hdev->dev, sizeof(*mcp->gc), GFP_KERNEL); -- 2.47.2

2 months, 2 weeks

1
0
0 0

[PATCH] habanalabs: Add error handling for hl_mmu_get_hop_pte_phys_addr()

by Wentao Liang

In _hl_mmu_v2_hr_map(), If hl_mmu_get_hop_pte_phys_addr() fail to get physical address, the return address will be set as U64_MAX. Hence, the return value of hl_mmu_get_hop_pte_phys_addr() must be checked to prevent invalid address access. Add error handling and propagate return code to caller function to fix this issue. Fixes: 8aa1e1e60553 ("habanalabs: add gaudi2 MMU support") Cc: stable(a)vger.kernel.org # v6.0+ Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- drivers/accel/habanalabs/common/mmu/mmu_v2_hr.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/accel/habanalabs/common/mmu/mmu_v2_hr.c b/drivers/accel/habanalabs/common/mmu/mmu_v2_hr.c index 31507b2a431b..cdade07e22c5 100644 --- a/drivers/accel/habanalabs/common/mmu/mmu_v2_hr.c +++ b/drivers/accel/habanalabs/common/mmu/mmu_v2_hr.c @@ -253,6 +253,11 @@ static int _hl_mmu_v2_hr_map(struct hl_ctx *ctx, hop_pte_phys_addr[i] = hl_mmu_get_hop_pte_phys_addr(ctx, mmu_prop, i, hops_pgt_info[i]->phys_addr, scrambled_virt_addr); + if (hop_pte_phys_addr[i] == U64_MAX) { + rc = -EINVAL; + goto err; + } + curr_pte = *(u64 *) (uintptr_t) hl_mmu_hr_pte_phys_to_virt(ctx, hops_pgt_info[i], hop_pte_phys_addr[i], ctx->hdev->asic_prop.pmmu.hop_table_size); -- 2.42.0.windows.2

2 months, 2 weeks

1
0
0 0

[PATCH 6.12] drm/amd/display: Don't write DP_MSTM_CTRL after LT

by Thadeu Lima de Souza Cascardo

From: Wayne Lin <Wayne.Lin(a)amd.com> [ Upstream commit bc068194f548ef1f230d96c4398046bf59165992 ] [Why] Observe after suspend/resme, we can't light up mst monitors under specific mst hub. The reason is that driver still writes DPCD DP_MSTM_CTRL after LT. It's forbidden even we write the same value for that dpcd register. [How] We already resume the mst branch device dpcd settings during resume_mst_branch_status(). Leverage drm_dp_mst_topology_queue_probe() to only probe the topology, not calling drm_dp_mst_topology_mgr_resume() which will set DP_MSTM_CTRL as well. Reviewed-by: Jerry Zuo <jerry.zuo(a)amd.com> Signed-off-by: Wayne Lin <Wayne.Lin(a)amd.com> Signed-off-by: Zaeem Mohamed <zaeem.mohamed(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> --- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index d9a3917d207e..c4c6538eabae 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -3231,8 +3231,7 @@ static int dm_resume(void *handle) struct dm_atomic_state *dm_state = to_dm_atomic_state(dm->atomic_obj.state); enum dc_connection_type new_connection_type = dc_connection_none; struct dc_state *dc_state; - int i, r, j, ret; - bool need_hotplug = false; + int i, r, j; struct dc_commit_streams_params commit_params = {}; if (dm->dc->caps.ips_support) { @@ -3427,23 +3426,16 @@ static int dm_resume(void *handle) aconnector->mst_root) continue; - ret = drm_dp_mst_topology_mgr_resume(&aconnector->mst_mgr, true); - - if (ret < 0) { - dm_helpers_dp_mst_stop_top_mgr(aconnector->dc_link->ctx, - aconnector->dc_link); - need_hotplug = true; - } + drm_dp_mst_topology_queue_probe(&aconnector->mst_mgr); } drm_connector_list_iter_end(&iter); - if (need_hotplug) - drm_kms_helper_hotplug_event(ddev); - amdgpu_dm_irq_resume_late(adev); amdgpu_dm_smu_write_watermarks_table(adev); + drm_kms_helper_hotplug_event(ddev); + return 0; } -- 2.47.2

2 months, 2 weeks

2
1
0 0

Request to cherry-pick a few ARM mm fixes

by Munehisa Kamata

Hello stable maintainers, The following mainline commits fix a certain stack unwinding issue on ARM, which had existed till v6.9. Could you please cherry-pick them for 5.4.y - 6.6.y? 169f9102f919 ("ARM: 9350/1: fault: Implement copy_from_kernel_nofault_allowed()") 8f09b8b4fa58 ("ARM: 9351/1: fault: Add "cut here" line for prefetch aborts") 3ccea4784fdd ("ARM: Remove address checking for MMUless devices") Confirmed these cleanly apply and build in all the branches. Thanks, Munehisa

2 months, 2 weeks

2
1
0 0

Upstream patch pairing request

by Terry Junge

Hi Greg and Sasha, The following two patches have now been applied to mainline. commit 486f6205c233da1baa309bde5f634eb1f8319a33 ALSA: usb-audio: Add quirk for Plantronics headsets to fix control names commit 9821709af892be9fbf4ee9a50b2f3e0604295ce0 HID: hid-plantronics: Add mic mute mapping and generalize quirks It would be ideal if both of these patches could flow upstream together although neither actually depends on the other. A verbose description of the user experience with neither, one, the other, or both patches applied can be found here: https://lore.kernel.org/all/f107e133-c536-43e5-bd4f-4fcb8a4b4c7f@cosmicgizm… Let me know if there is anything I can do to help. Thanks, Terry

2 months, 2 weeks

2
1
0 0

[PATCH] batman-adv: batman-adv: handle tvlv unicast send errors

by Wentao Liang

In batadv_tvlv_unicast_send(), the return value of batadv_send_skb_to_orig() is ignored. This could silently drop send failures, making it difficult to detect connectivity issues. Add error checking for batadv_send_skb_to_orig() and log failures via batadv_dbg() to improve error visibility. Fixes: 1ad5bcb2a032 ("batman-adv: Consume skb in batadv_send_skb_to_orig") Cc: stable(a)vger.kernel.org # 4.10+ Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- net/batman-adv/tvlv.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/net/batman-adv/tvlv.c b/net/batman-adv/tvlv.c index 2a583215d439..f081136cc5b7 100644 --- a/net/batman-adv/tvlv.c +++ b/net/batman-adv/tvlv.c @@ -625,6 +625,7 @@ void batadv_tvlv_unicast_send(struct batadv_priv *bat_priv, const u8 *src, unsigned char *tvlv_buff; unsigned int tvlv_len; ssize_t hdr_len = sizeof(*unicast_tvlv_packet); + int r; orig_node = batadv_orig_hash_find(bat_priv, dst); if (!orig_node) @@ -657,7 +658,10 @@ void batadv_tvlv_unicast_send(struct batadv_priv *bat_priv, const u8 *src, tvlv_buff += sizeof(*tvlv_hdr); memcpy(tvlv_buff, tvlv_value, tvlv_value_len); - batadv_send_skb_to_orig(skb, orig_node, NULL); + r = batadv_send_skb_to_orig(skb, orig_node, NULL); + if (r != NET_XMIT_SUCCESS) + batadv_dbg(BATADV_DBG_TP_METER, bat_priv, + "Fail to send the ack."); out: batadv_orig_node_put(orig_node); } -- 2.42.0.windows.2

2 months, 2 weeks

2
1
0 0

[PATCH] drm/i915/gvt: fix unterminated-string-initialization warning

by Jani Nikula

Initializing const char opregion_signature[16] = OPREGION_SIGNATURE (which is "IntelGraphicsMem") drops the NUL termination of the string. This is intentional, but the compiler doesn't know this. Switch to initializing header->signature directly from the string litaral, with sizeof destination rather than source. We don't treat the signature as a string other than for initialization; it's really just a blob of binary data. Add a static assert for good measure to cross-check the sizes. Reported-by: Kees Cook <kees(a)kernel.org> Closes: https://lore.kernel.org/r/20250310222355.work.417-kees@kernel.org Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/13934 Tested-by: Nicolas Chauvet <kwizart(a)gmail.com> Tested-by: Damian Tometzki <damian(a)riscv-rocks.de> Cc: stable(a)vger.kernel.org Signed-off-by: Jani Nikula <jani.nikula(a)intel.com> --- drivers/gpu/drm/i915/gvt/opregion.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/i915/gvt/opregion.c b/drivers/gpu/drm/i915/gvt/opregion.c index 509f9ccae3a9..dbad4d853d3a 100644 --- a/drivers/gpu/drm/i915/gvt/opregion.c +++ b/drivers/gpu/drm/i915/gvt/opregion.c @@ -222,7 +222,6 @@ int intel_vgpu_init_opregion(struct intel_vgpu *vgpu) u8 *buf; struct opregion_header *header; struct vbt v; - const char opregion_signature[16] = OPREGION_SIGNATURE; gvt_dbg_core("init vgpu%d opregion\n", vgpu->id); vgpu_opregion(vgpu)->va = (void *)__get_free_pages(GFP_KERNEL | @@ -236,8 +235,10 @@ int intel_vgpu_init_opregion(struct intel_vgpu *vgpu) /* emulated opregion with VBT mailbox only */ buf = (u8 *)vgpu_opregion(vgpu)->va; header = (struct opregion_header *)buf; - memcpy(header->signature, opregion_signature, - sizeof(opregion_signature)); + + static_assert(sizeof(header->signature) == sizeof(OPREGION_SIGNATURE) - 1); + memcpy(header->signature, OPREGION_SIGNATURE, sizeof(header->signature)); + header->size = 0x8; header->opregion_ver = 0x02000000; header->mboxes = MBOX_VBT; -- 2.39.5

2 months, 2 weeks

2
2
0 0

[PATCH] drm/imagination: take paired job reference

by Brendan King via B4 Relay

From: Brendan King <Brendan.King(a)imgtec.com> For paired jobs, have the fragment job take a reference on the geometry job, so that the geometry job cannot be freed until the fragment job has finished with it. The geometry job structure is accessed when the fragment job is being prepared by the GPU scheduler. Taking the reference prevents the geometry job being freed until the fragment job no longer requires it. Fixes a use after free bug detected by KASAN: [ 124.256386] BUG: KASAN: slab-use-after-free in pvr_queue_prepare_job+0x108/0x868 [powervr] [ 124.264893] Read of size 1 at addr ffff0000084cb960 by task kworker/u16:4/63 Cc: stable(a)vger.kernel.org Fixes: eaf01ee5ba28 ("drm/imagination: Implement job submission and scheduling") Signed-off-by: Brendan King <brendan.king(a)imgtec.com> --- drivers/gpu/drm/imagination/pvr_job.c | 7 +++++++ drivers/gpu/drm/imagination/pvr_queue.c | 4 ++++ 2 files changed, 11 insertions(+) diff --git a/drivers/gpu/drm/imagination/pvr_job.c b/drivers/gpu/drm/imagination/pvr_job.c index 1cdb3cfd058d7db573337a2b4f6895ee4922f9a9..59b334d094fa826f26668d98561e956ec9c51428 100644 --- a/drivers/gpu/drm/imagination/pvr_job.c +++ b/drivers/gpu/drm/imagination/pvr_job.c @@ -671,6 +671,13 @@ pvr_jobs_link_geom_frag(struct pvr_job_data *job_data, u32 *job_count) geom_job->paired_job = frag_job; frag_job->paired_job = geom_job; + /* The geometry job pvr_job structure is used when the fragment + * job is being prepared by the GPU scheduler. Have the fragment + * job hold a reference on the geometry job to prevent it being + * freed until the fragment job has finished with it. + */ + pvr_job_get(geom_job); + /* Skip the fragment job we just paired to the geometry job. */ i++; } diff --git a/drivers/gpu/drm/imagination/pvr_queue.c b/drivers/gpu/drm/imagination/pvr_queue.c index 21c185d18bb2e0569bd6e12832a74e38137bd48a..6431f6b654a2e60b86a46bd8571eb9f8133c4b53 100644 --- a/drivers/gpu/drm/imagination/pvr_queue.c +++ b/drivers/gpu/drm/imagination/pvr_queue.c @@ -856,6 +856,10 @@ static void pvr_queue_free_job(struct drm_sched_job *sched_job) struct pvr_job *job = container_of(sched_job, struct pvr_job, base); drm_sched_job_cleanup(sched_job); + + if (job->type == DRM_PVR_JOB_TYPE_FRAGMENT && job->paired_job) + pvr_job_put(job->paired_job); + job->paired_job = NULL; pvr_job_put(job); } --- base-commit: 96c85e428ebaeacd2c640eba075479ab92072ccd change-id: 20250318-ddkopsrc-1337-use-after-free-in-pvr_queue_prepare_job-16fbc74b0c20 Best regards, -- Brendan King <Brendan.King(a)imgtec.com>

2 months, 2 weeks

3
2
0 0

[PATCH] drm/imagination: fix firmware memory leaks

by Brendan King via B4 Relay

From: Brendan King <Brendan.King(a)imgtec.com> Free the memory used to hold the results of firmware image processing when the module is unloaded. Fix the related issue of the same memory being leaked if processing of the firmware image fails during module load. Ensure all firmware GEM objects are destroyed if firmware image processing fails. Fixes memory leaks on powervr module unload detected by Kmemleak: unreferenced object 0xffff000042e20000 (size 94208): comm "modprobe", pid 470, jiffies 4295277154 hex dump (first 32 bytes): 02 ae 7f ed bf 45 84 00 3c 5b 1f ed 9f 45 45 05 .....E..<[...EE. d5 4f 5d 14 6c 00 3d 23 30 d0 3a 4a 66 0e 48 c8 .O].l.=#0.:Jf.H. backtrace (crc dd329dec): kmemleak_alloc+0x30/0x40 ___kmalloc_large_node+0x140/0x188 __kmalloc_large_node_noprof+0x2c/0x13c __kmalloc_noprof+0x48/0x4c0 pvr_fw_init+0xaa4/0x1f50 [powervr] unreferenced object 0xffff000042d20000 (size 20480): comm "modprobe", pid 470, jiffies 4295277154 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 09 00 00 00 0b 00 00 00 ................ 00 00 00 00 00 00 00 00 07 00 00 00 08 00 00 00 ................ backtrace (crc 395b02e3): kmemleak_alloc+0x30/0x40 ___kmalloc_large_node+0x140/0x188 __kmalloc_large_node_noprof+0x2c/0x13c __kmalloc_noprof+0x48/0x4c0 pvr_fw_init+0xb0c/0x1f50 [powervr] Cc: stable(a)vger.kernel.org Fixes: cc1aeedb98ad ("drm/imagination: Implement firmware infrastructure and META FW support") Signed-off-by: Brendan King <brendan.king(a)imgtec.com> --- drivers/gpu/drm/imagination/pvr_fw.c | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/drivers/gpu/drm/imagination/pvr_fw.c b/drivers/gpu/drm/imagination/pvr_fw.c index 3debc9870a82ae7de9b2dc173df84c466c137bb3..d09c4c68411627714c14dee5ed4e61b07baca1ba 100644 --- a/drivers/gpu/drm/imagination/pvr_fw.c +++ b/drivers/gpu/drm/imagination/pvr_fw.c @@ -732,7 +732,7 @@ pvr_fw_process(struct pvr_device *pvr_dev) fw_mem->core_data, fw_mem->core_code_alloc_size); if (err) - goto err_free_fw_core_data_obj; + goto err_free_kdata; memcpy(fw_code_ptr, fw_mem->code, fw_mem->code_alloc_size); memcpy(fw_data_ptr, fw_mem->data, fw_mem->data_alloc_size); @@ -742,10 +742,14 @@ pvr_fw_process(struct pvr_device *pvr_dev) memcpy(fw_core_data_ptr, fw_mem->core_data, fw_mem->core_data_alloc_size); /* We're finished with the firmware section memory on the CPU, unmap. */ - if (fw_core_data_ptr) + if (fw_core_data_ptr) { pvr_fw_object_vunmap(fw_mem->core_data_obj); - if (fw_core_code_ptr) + fw_core_data_ptr = NULL; + } + if (fw_core_code_ptr) { pvr_fw_object_vunmap(fw_mem->core_code_obj); + fw_core_code_ptr = NULL; + } pvr_fw_object_vunmap(fw_mem->data_obj); fw_data_ptr = NULL; pvr_fw_object_vunmap(fw_mem->code_obj); @@ -753,7 +757,7 @@ pvr_fw_process(struct pvr_device *pvr_dev) err = pvr_fw_create_fwif_connection_ctl(pvr_dev); if (err) - goto err_free_fw_core_data_obj; + goto err_free_kdata; return 0; @@ -763,13 +767,16 @@ pvr_fw_process(struct pvr_device *pvr_dev) kfree(fw_mem->data); kfree(fw_mem->code); -err_free_fw_core_data_obj: if (fw_core_data_ptr) - pvr_fw_object_unmap_and_destroy(fw_mem->core_data_obj); + pvr_fw_object_vunmap(fw_mem->core_data_obj); + if (fw_mem->core_data_obj) + pvr_fw_object_destroy(fw_mem->core_data_obj); err_free_fw_core_code_obj: if (fw_core_code_ptr) - pvr_fw_object_unmap_and_destroy(fw_mem->core_code_obj); + pvr_fw_object_vunmap(fw_mem->core_code_obj); + if (fw_mem->core_code_obj) + pvr_fw_object_destroy(fw_mem->core_code_obj); err_free_fw_data_obj: if (fw_data_ptr) @@ -836,6 +843,12 @@ pvr_fw_cleanup(struct pvr_device *pvr_dev) struct pvr_fw_mem *fw_mem = &pvr_dev->fw_dev.mem; pvr_fw_fini_fwif_connection_ctl(pvr_dev); + + kfree(fw_mem->core_data); + kfree(fw_mem->core_code); + kfree(fw_mem->data); + kfree(fw_mem->code); + if (fw_mem->core_code_obj) pvr_fw_object_destroy(fw_mem->core_code_obj); if (fw_mem->core_data_obj) --- base-commit: 96c85e428ebaeacd2c640eba075479ab92072ccd change-id: 20250318-ddkopsrc-1339-firmware-related-memory-leak-on-module-unload-c18a9a4fd0db Best regards, -- Brendan King <Brendan.King(a)imgtec.com>

2 months, 2 weeks

3
2
0 0

[PATCH v1 1/1] x86/fred: Fix system hang during S4 resume with FRED enabled

by Xin Li (Intel)

During an S4 resume, the system first performs a cold power-on. The kernel image is initially loaded to a random linear address, and the FRED MSRs are initialized. Subsequently, the S4 image is loaded, and the kernel image is relocated to its original address from before the S4 suspend. Due to changes in the kernel text and data mappings, the FRED MSRs must be reinitialized. Reported-by: Xi Pardee <xi.pardee(a)intel.com> Reported-and-Tested-by: Todd Brandt <todd.e.brandt(a)intel.com> Suggested-by: H. Peter Anvin (Intel) <hpa(a)zytor.com> Signed-off-by: Xin Li (Intel) <xin(a)zytor.com> Cc: stable(a)kernel.org # 6.9+ --- arch/x86/power/cpu.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c index 63230ff8cf4f..ef3c152c319c 100644 --- a/arch/x86/power/cpu.c +++ b/arch/x86/power/cpu.c @@ -27,6 +27,7 @@ #include <asm/mmu_context.h> #include <asm/cpu_device_id.h> #include <asm/microcode.h> +#include <asm/fred.h> #ifdef CONFIG_X86_32 __visible unsigned long saved_context_ebx; @@ -231,6 +232,21 @@ static void notrace __restore_processor_state(struct saved_context *ctxt) */ #ifdef CONFIG_X86_64 wrmsrl(MSR_GS_BASE, ctxt->kernelmode_gs_base); + + /* + * Restore FRED configs. + * + * FRED configs are completely derived from current kernel text and + * data mappings, thus nothing needs to be saved and restored. + * + * As such, simply re-initialize FRED to restore FRED configs. + * + * Note, FRED RSPs setup needs to access percpu data structures. + */ + if (ctxt->cr4 & X86_CR4_FRED) { + cpu_init_fred_exceptions(); + cpu_init_fred_rsps(); + } #else loadsegment(fs, __KERNEL_PERCPU); #endif -- 2.48.1

2 months, 2 weeks

6
7
0 0

[PATCH 1/1] phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking

by Wayne Chang

The current implementation uses bias_pad_enable as a reference count to manage the shared bias pad for all UTMI PHYs. However, during system suspension with connected USB devices, multiple power-down requests for the UTMI pad result in a mismatch in the reference count, which in turn produces warnings such as: [ 237.762967] WARNING: CPU: 10 PID: 1618 at tegra186_utmi_pad_power_down+0x160/0x170 [ 237.763103] Call trace: [ 237.763104] tegra186_utmi_pad_power_down+0x160/0x170 [ 237.763107] tegra186_utmi_phy_power_off+0x10/0x30 [ 237.763110] phy_power_off+0x48/0x100 [ 237.763113] tegra_xusb_enter_elpg+0x204/0x500 [ 237.763119] tegra_xusb_suspend+0x48/0x140 [ 237.763122] platform_pm_suspend+0x2c/0xb0 [ 237.763125] dpm_run_callback.isra.0+0x20/0xa0 [ 237.763127] __device_suspend+0x118/0x330 [ 237.763129] dpm_suspend+0x10c/0x1f0 [ 237.763130] dpm_suspend_start+0x88/0xb0 [ 237.763132] suspend_devices_and_enter+0x120/0x500 [ 237.763135] pm_suspend+0x1ec/0x270 The root cause was traced back to the dynamic power-down changes introduced in commit a30951d31b25 ("xhci: tegra: USB2 pad power controls"), where the UTMI pad was being powered down without verifying its current state. This unbalanced behavior led to discrepancies in the reference count. To rectify this issue, this patch replaces the single reference counter with a bitmask, renamed to utmi_pad_enabled. Each bit in the mask corresponds to one of the four USB2 PHYs, allowing us to track each pad's enablement status individually. With this change: - The bias pad is powered on only when the mask is clear. - Each UTMI pad is powered on or down based on its corresponding bit in the mask, preventing redundant operations. - The overall power state of the shared bias pad is maintained correctly during suspend/resume cycles. Cc: stable(a)vger.kernel.org Fixes: a30951d31b25 ("xhci: tegra: USB2 pad power controls") Signed-off-by: Wayne Chang <waynec(a)nvidia.com> --- drivers/phy/tegra/xusb-tegra186.c | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/drivers/phy/tegra/xusb-tegra186.c b/drivers/phy/tegra/xusb-tegra186.c index fae6242aa730..77bb27a34738 100644 --- a/drivers/phy/tegra/xusb-tegra186.c +++ b/drivers/phy/tegra/xusb-tegra186.c @@ -237,6 +237,8 @@ #define DATA0_VAL_PD BIT(1) #define USE_XUSB_AO BIT(4) +#define TEGRA_UTMI_PAD_MAX 4 + #define TEGRA186_LANE(_name, _offset, _shift, _mask, _type) \ { \ .name = _name, \ @@ -269,7 +271,7 @@ struct tegra186_xusb_padctl { /* UTMI bias and tracking */ struct clk *usb2_trk_clk; - unsigned int bias_pad_enable; + DECLARE_BITMAP(utmi_pad_enabled, TEGRA_UTMI_PAD_MAX); /* padctl context */ struct tegra186_xusb_padctl_context context; @@ -605,7 +607,7 @@ static void tegra186_utmi_bias_pad_power_on(struct tegra_xusb_padctl *padctl) mutex_lock(&padctl->lock); - if (priv->bias_pad_enable++ > 0) { + if (!bitmap_empty(priv->utmi_pad_enabled, TEGRA_UTMI_PAD_MAX)) { mutex_unlock(&padctl->lock); return; } @@ -669,12 +671,7 @@ static void tegra186_utmi_bias_pad_power_off(struct tegra_xusb_padctl *padctl) mutex_lock(&padctl->lock); - if (WARN_ON(priv->bias_pad_enable == 0)) { - mutex_unlock(&padctl->lock); - return; - } - - if (--priv->bias_pad_enable > 0) { + if (!bitmap_empty(priv->utmi_pad_enabled, TEGRA_UTMI_PAD_MAX)) { mutex_unlock(&padctl->lock); return; } @@ -697,6 +694,7 @@ static void tegra186_utmi_pad_power_on(struct phy *phy) { struct tegra_xusb_lane *lane = phy_get_drvdata(phy); struct tegra_xusb_padctl *padctl = lane->pad->padctl; + struct tegra186_xusb_padctl *priv = to_tegra186_xusb_padctl(padctl); struct tegra_xusb_usb2_port *port; struct device *dev = padctl->dev; unsigned int index = lane->index; @@ -705,6 +703,9 @@ static void tegra186_utmi_pad_power_on(struct phy *phy) if (!phy) return; + if (test_bit(index, priv->utmi_pad_enabled)) + return; + port = tegra_xusb_find_usb2_port(padctl, index); if (!port) { dev_err(dev, "no port found for USB2 lane %u\n", index); @@ -724,18 +725,24 @@ static void tegra186_utmi_pad_power_on(struct phy *phy) value = padctl_readl(padctl, XUSB_PADCTL_USB2_OTG_PADX_CTL1(index)); value &= ~USB2_OTG_PD_DR; padctl_writel(padctl, value, XUSB_PADCTL_USB2_OTG_PADX_CTL1(index)); + + set_bit(index, priv->utmi_pad_enabled); } static void tegra186_utmi_pad_power_down(struct phy *phy) { struct tegra_xusb_lane *lane = phy_get_drvdata(phy); struct tegra_xusb_padctl *padctl = lane->pad->padctl; + struct tegra186_xusb_padctl *priv = to_tegra186_xusb_padctl(padctl); unsigned int index = lane->index; u32 value; if (!phy) return; + if (!test_bit(index, priv->utmi_pad_enabled)) + return; + dev_dbg(padctl->dev, "power down UTMI pad %u\n", index); value = padctl_readl(padctl, XUSB_PADCTL_USB2_OTG_PADX_CTL0(index)); @@ -748,6 +755,8 @@ static void tegra186_utmi_pad_power_down(struct phy *phy) udelay(2); + clear_bit(index, priv->utmi_pad_enabled); + tegra186_utmi_bias_pad_power_off(padctl); } -- 2.25.1

2 months, 2 weeks

3
3
0 0

Re: [PATCH 6.1.y 0/7] Backported patches to fix selftest tpdir2

by gregkh＠linuxfoundation.org

On Tue, Apr 01, 2025 at 03:01:19AM +0000, Kang, Wenlin wrote: > Ping ...... Context-less pings in html format for a change you sent a week ago during the middle of the merge window is not going to get you very far, sorry.

2 months, 2 weeks

1
0
0 0

[PATCH v2] media: dvb: Add error checking for bcm3510_writeB()

by Wentao Liang

In bcm3510_bert_reset(), the function performed multiple writes without checking the return value of bcm3510_writeB(). This could result in silent failures if the writes failed, leaving the BER counter in an undefined state. Add error checking for each bcm3510_writeB call and propagate any errors immediately. This ensures proper error handling and prevents silent failures during BER counter initialization. Fixes: 55f51efdb696 ("[PATCH] dvb: flexcop: add BCM3510 ATSC frontend support for Air2PC card") Cc: stable(a)vger.kernel.org Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- drivers/media/dvb-frontends/bcm3510.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/drivers/media/dvb-frontends/bcm3510.c b/drivers/media/dvb-frontends/bcm3510.c index d935fb10e620..9e60020a8fea 100644 --- a/drivers/media/dvb-frontends/bcm3510.c +++ b/drivers/media/dvb-frontends/bcm3510.c @@ -270,10 +270,22 @@ static int bcm3510_bert_reset(struct bcm3510_state *st) if ((ret = bcm3510_readB(st,0xfa,&b)) < 0) return ret; - b.BERCTL_fa.RESYNC = 0; bcm3510_writeB(st,0xfa,b); - b.BERCTL_fa.RESYNC = 1; bcm3510_writeB(st,0xfa,b); - b.BERCTL_fa.RESYNC = 0; bcm3510_writeB(st,0xfa,b); - b.BERCTL_fa.CNTCTL = 1; b.BERCTL_fa.BITCNT = 1; bcm3510_writeB(st,0xfa,b); + b.BERCTL_fa.RESYNC = 0; + ret = bcm3510_writeB(st, 0xfa, b); + if (ret < 0) + return ret; + b.BERCTL_fa.RESYNC = 1; + ret = bcm3510_writeB(st, 0xfa, b); + if (ret < 0) + return ret; + b.BERCTL_fa.RESYNC = 0; + ret = bcm3510_writeB(st, 0xfa, b); + if (ret < 0) + return ret; + b.BERCTL_fa.CNTCTL = 1; b.BERCTL_fa.BITCNT = 1; + ret = bcm3510_writeB(st, 0xfa, b); + if (ret < 0) + return ret; /* clear residual bit counter TODO */ return 0; -- 2.42.0.windows.2

2 months, 2 weeks

1
0
0 0

[PATCH v5] usb: xhci: quirk for data loss in ISOC transfers

by Raju Rangoju

During the High-Speed Isochronous Audio transfers, xHCI controller on certain AMD platforms experiences momentary data loss. This results in Missed Service Errors (MSE) being generated by the xHCI. The root cause of the MSE is attributed to the ISOC OUT endpoint being omitted from scheduling. This can happen when an IN endpoint with a 64ms service interval either is pre-scheduled prior to the ISOC OUT endpoint or the interval of the ISOC OUT endpoint is shorter than that of the IN endpoint. Consequently, the OUT service is neglected when an IN endpoint with a service interval exceeding 32ms is scheduled concurrently (every 64ms in this scenario). This issue is particularly seen on certain older AMD platforms. To mitigate this problem, it is recommended to adjust the service interval of the IN endpoint to not exceed 32ms (interval 8). This adjustment ensures that the OUT endpoint will not be bypassed, even if a smaller interval value is utilized. Cc: stable(a)vger.kernel.org Signed-off-by: Raju Rangoju <Raju.Rangoju(a)amd.com> --- Changes since v4: - reword the commit message. - handle the potential corner case with ISOC IN ep with 64ms ESIT Changes since v3: - Bump up the enum number XHCI_LIMIT_ENDPOINT_INTERVAL_9 Changes since v2: - added stable tag to backport to all stable kernels Changes since v1: - replaced hex values with pci device names - corrected the commit message --- drivers/usb/host/xhci-mem.c | 4 ++++ drivers/usb/host/xhci-pci.c | 25 +++++++++++++++++++++++++ drivers/usb/host/xhci.h | 1 + 3 files changed, 30 insertions(+) diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c index fdf0c1008225..364b5a9e7c3e 100644 --- a/drivers/usb/host/xhci-mem.c +++ b/drivers/usb/host/xhci-mem.c @@ -1420,6 +1420,10 @@ int xhci_endpoint_init(struct xhci_hcd *xhci, /* Periodic endpoint bInterval limit quirk */ if (usb_endpoint_xfer_int(&ep->desc) || usb_endpoint_xfer_isoc(&ep->desc)) { + if ((xhci->quirks & XHCI_LIMIT_ENDPOINT_INTERVAL_9) && + interval >= 9) { + interval = 8; + } if ((xhci->quirks & XHCI_LIMIT_ENDPOINT_INTERVAL_7) && udev->speed >= USB_SPEED_HIGH && interval >= 7) { diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c index 54460d11f7ee..6c15b4158f06 100644 --- a/drivers/usb/host/xhci-pci.c +++ b/drivers/usb/host/xhci-pci.c @@ -71,12 +71,22 @@ #define PCI_DEVICE_ID_INTEL_TITAN_RIDGE_4C_XHCI 0x15ec #define PCI_DEVICE_ID_INTEL_TITAN_RIDGE_DD_XHCI 0x15f0 +#define PCI_DEVICE_ID_AMD_ARIEL_TYPEC_XHCI 0x13ed +#define PCI_DEVICE_ID_AMD_ARIEL_TYPEA_XHCI 0x13ee +#define PCI_DEVICE_ID_AMD_STARSHIP_XHCI 0x148c +#define PCI_DEVICE_ID_AMD_FIREFLIGHT_15D4_XHCI 0x15d4 +#define PCI_DEVICE_ID_AMD_FIREFLIGHT_15D5_XHCI 0x15d5 +#define PCI_DEVICE_ID_AMD_RAVEN_15E0_XHCI 0x15e0 +#define PCI_DEVICE_ID_AMD_RAVEN_15E1_XHCI 0x15e1 +#define PCI_DEVICE_ID_AMD_RAVEN2_XHCI 0x15e5 #define PCI_DEVICE_ID_AMD_RENOIR_XHCI 0x1639 #define PCI_DEVICE_ID_AMD_PROMONTORYA_4 0x43b9 #define PCI_DEVICE_ID_AMD_PROMONTORYA_3 0x43ba #define PCI_DEVICE_ID_AMD_PROMONTORYA_2 0x43bb #define PCI_DEVICE_ID_AMD_PROMONTORYA_1 0x43bc +#define PCI_DEVICE_ID_ATI_NAVI10_7316_XHCI 0x7316 + #define PCI_DEVICE_ID_ASMEDIA_1042_XHCI 0x1042 #define PCI_DEVICE_ID_ASMEDIA_1042A_XHCI 0x1142 #define PCI_DEVICE_ID_ASMEDIA_1142_XHCI 0x1242 @@ -280,6 +290,21 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) if (pdev->vendor == PCI_VENDOR_ID_NEC) xhci->quirks |= XHCI_NEC_HOST; + if (pdev->vendor == PCI_VENDOR_ID_AMD && + (pdev->device == PCI_DEVICE_ID_AMD_ARIEL_TYPEC_XHCI || + pdev->device == PCI_DEVICE_ID_AMD_ARIEL_TYPEA_XHCI || + pdev->device == PCI_DEVICE_ID_AMD_STARSHIP_XHCI || + pdev->device == PCI_DEVICE_ID_AMD_FIREFLIGHT_15D4_XHCI || + pdev->device == PCI_DEVICE_ID_AMD_FIREFLIGHT_15D5_XHCI || + pdev->device == PCI_DEVICE_ID_AMD_RAVEN_15E0_XHCI || + pdev->device == PCI_DEVICE_ID_AMD_RAVEN_15E1_XHCI || + pdev->device == PCI_DEVICE_ID_AMD_RAVEN2_XHCI)) + xhci->quirks |= XHCI_LIMIT_ENDPOINT_INTERVAL_9; + + if (pdev->vendor == PCI_VENDOR_ID_ATI && + pdev->device == PCI_DEVICE_ID_ATI_NAVI10_7316_XHCI) + xhci->quirks |= XHCI_LIMIT_ENDPOINT_INTERVAL_9; + if (pdev->vendor == PCI_VENDOR_ID_AMD && xhci->hci_version == 0x96) xhci->quirks |= XHCI_AMD_0x96_HOST; diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h index 779b01dee068..6de1164e2e53 100644 --- a/drivers/usb/host/xhci.h +++ b/drivers/usb/host/xhci.h @@ -1637,6 +1637,7 @@ struct xhci_hcd { #define XHCI_WRITE_64_HI_LO BIT_ULL(47) #define XHCI_CDNS_SCTX_QUIRK BIT_ULL(48) #define XHCI_ETRON_HOST BIT_ULL(49) +#define XHCI_LIMIT_ENDPOINT_INTERVAL_9 BIT_ULL(50) unsigned int num_active_eps; unsigned int limit_active_eps; -- 2.34.1

2 months, 2 weeks

1
0
0 0

[PATCH v2] net: mdio: mux-meson-gxl: set 28th bit in eth_reg2

by Christian Hewitt

From: Da Xue <da(a)libre.computer> This bit is necessary to enable packets on the interface. Without this bit set, ethernet behaves as if it is working, but no activity occurs. The vendor SDK sets this bit along with the PHY_ID bits. U-boot also sets this bit, but if u-boot is not compiled with networking support the interface will not work. Fixes: 9a24e1ff4326 ("net: mdio: add amlogic gxl mdio mux support"); Signed-off-by: Da Xue <da(a)libre.computer> Signed-off-by: Christian Hewitt <christianshewitt(a)gmail.com> --- Resending on behalf of Da Xue who has email sending issues. Changes since v1 [0]: - Remove blank line between Fixes and SoB tags - Submit without mail server mangling the patch - Minor tweaks to subject line and commit message - CC to stable(a)vger.kernel.org [0] https://patchwork.kernel.org/project/linux-amlogic/patch/CACqvRUbx-KsrMwCHY… drivers/net/mdio/mdio-mux-meson-gxl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/mdio/mdio-mux-meson-gxl.c b/drivers/net/mdio/mdio-mux-meson-gxl.c index 00c66240136b..fc5883387718 100644 --- a/drivers/net/mdio/mdio-mux-meson-gxl.c +++ b/drivers/net/mdio/mdio-mux-meson-gxl.c @@ -17,6 +17,7 @@ #define REG2_LEDACT GENMASK(23, 22) #define REG2_LEDLINK GENMASK(25, 24) #define REG2_DIV4SEL BIT(27) +#define REG2_RESERVED_28 BIT(28) #define REG2_ADCBYPASS BIT(30) #define REG2_CLKINSEL BIT(31) #define ETH_REG3 0x4 @@ -65,7 +66,7 @@ static void gxl_enable_internal_mdio(struct gxl_mdio_mux *priv) * The only constraint is that it must match the one in * drivers/net/phy/meson-gxl.c to properly match the PHY. */ - writel(FIELD_PREP(REG2_PHYID, EPHY_GXL_ID), + writel(REG2_RESERVED_28 | FIELD_PREP(REG2_PHYID, EPHY_GXL_ID), priv->regs + ETH_REG2); /* Enable the internal phy */ -- 2.34.1

2 months, 2 weeks

6
9
0 0

[PATCH net 0/4] mptcp: misc. fixes for 6.15-rc0

by Matthieu Baerts (NGI0)

Here are 4 unrelated patches: - Patch 1: fix a NULL pointer when two SYN-ACK for the same request are handled in parallel. A fix for up to v5.9. - Patch 2: selftests: fix check for the wrong FD. A fix for up to v5.17. - Patch 3: selftests: close all FDs in case of error. A fix for up to v5.17. - Patch 4: selftests: ignore a new generated file. A fix for 6.15-rc0. Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Cong Liu (1): selftests: mptcp: fix incorrect fd checks in main_loop Gang Yan (1): mptcp: fix NULL pointer in can_accept_new_subflow Geliang Tang (1): selftests: mptcp: close fd_in before returning in main_loop Matthieu Baerts (NGI0) (1): selftests: mptcp: ignore mptcp_diag binary net/mptcp/subflow.c | 15 ++++++++------- tools/testing/selftests/net/mptcp/.gitignore | 1 + tools/testing/selftests/net/mptcp/mptcp_connect.c | 11 +++++++---- 3 files changed, 16 insertions(+), 11 deletions(-) --- base-commit: 2ea396448f26d0d7d66224cb56500a6789c7ed07 change-id: 20250328-net-mptcp-misc-fixes-6-15-98bfbeaa15ac Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

2 months, 2 weeks

2
4
0 0

[PATCH 6.1 V2] cifs: use origin fullpath for automounts

by Andrew Paniakin

From: Paulo Alcantara <pc(a)cjr.nz> commit 7ad54b98fc1f141cfb70cfe2a3d6def5a85169ff upstream. Use TCP_Server_Info::origin_fullpath instead of cifs_tcon::tree_name when building source paths for automounts as it will be useful for domain-based DFS referrals where the connections and referrals would get either re-used from the cache or re-created when chasing the dfs link. Signed-off-by: Paulo Alcantara (SUSE) <pc(a)cjr.nz> Signed-off-by: Steve French <stfrench(a)microsoft.com> [apanyaki: backport to v6.1-stable] Signed-off-by: Andrew Paniakin <apanyaki(a)amazon.com> --- Please do not include follow-up fix d5a863a153e9 ("cifs: avoid dup prefix path in dfs_get_automount_devname()"). It works correctly only when all patches applied in a following order: 1. 7ad54b98fc1f1 ("cifs: use origin fullpath for automounts") 2. a1c0d00572fc ("cifs: share dfs connections and supers") (not ported to linux-6.1) 3. d5a863a153e9 ("cifs: avoid dup prefix path in dfs_get_automount_devname()") The reason is that patch a1c0d00572fc ("cifs: share dfs connections and supers") changes origin_fullpath contents from just a namespace root to a full path eg. from '//corp.fsxtest.local/namespace/' to '//corp.fsxtest.local/namespace/folderA/fs1-folder/'. But the prefix path '/folderA/' is also stored in a cifs superblock info and it was copied twice. With patch d5a863a153e9 ("cifs: avoid dup prefix path in dfs_get_automount_devname()") prepath string from superblock info is not used in path construction and result is correct. But the patch a1c0d00572fc ("cifs: share dfs connections and supers") was not ported to linux-6.1, probably because it's a part of huge cifs driver update series merged in linux-6.2, not just a bug fix. So if we apply patches in following order: 1. 7ad54b98fc1f1 ("cifs: use origin fullpath for automounts") 2. d5a863a153e9 ("cifs: avoid dup prefix path in dfs_get_automount_devname()") then constructed fullpath will be '//corp.fsxtest.local/namespace/fs1-folder/' instead of '//corp.fsxtest.local/namespace/folderA/fs1-folder/' because prefix path was not copied from the superblock info. Changelog: v2: - added CONFIG_CIFS_DFS_UPCALL wrapper to fix build issue [1] v1: (updates made to upstream version of this patch) - set_dest_addr() converts DFS address to sockaddr differently: in kernel 6.1 dns_resolve_server_name_to_ip() returns a string which needs to be converted to sockaddr with cifs_convert_address(). - removed hunk to init tmp.leaf_fullpath, it was introduced later in a1c0d00572fc ("cifs: share dfs connections and supers") - __build_path_from_dentry_optional_prefix() and dfs_get_automount_devname() functions were added to fs/smb/client/cifsproto.h instead of fs/cifs/dfs.h as it doesn't exist in 6.1 - Link to v1: https://lore.kernel.org/all/20240713031147.20332-1-apanyaki@amazon.com/ Testing: 1. tested that these steps do not work without this backport and work with it: - mount DFS namespace root: mount -t cifs -o cred=/mnt/creds,noserverino //corp.fsxtest.local - shutdown the namespace server that is in use - access DFS link (triggers automount): ls /mnt/dfs-namespace/fs1-folder Reported verbose logs which demonstrate backport correctness in regression ML thread [2]. 2. build kernel with debug options listed in the patch submission checklist[3], executed cifs test suite of the xfstests [4], no errors. 3. confirmed compilation works with all y/m/n combinations for CONFIG_CIFS and CONFIG_CIFS_DFS_UPCALL. 4. confirmed allmodconfig and allnoconfig cross-compilation works on arm, arm64, mips, powerpc, risc. [1] https://lore.kernel.org/all/aaccd8cc-2bfe-4b2e-b690-be50540f9965@gmail.com/ [2] https://lore.kernel.org/all/Z9cZuBxOscqybcMy@3c06303d853a.ant.amazon.com/ [3] https://www.kernel.org/doc/html/latest/process/submit-checklist.html [4] https://web.git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git fs/smb/client/cifs_dfs_ref.c | 34 ++++++++++++++++++++++++++++++++-- fs/smb/client/cifsproto.h | 21 +++++++++++++++++++++ fs/smb/client/dir.c | 21 +++++++++++++++------ 3 files changed, 68 insertions(+), 8 deletions(-) diff --git a/fs/smb/client/cifs_dfs_ref.c b/fs/smb/client/cifs_dfs_ref.c index 020e71fe1454..876f9a43a99d 100644 --- a/fs/smb/client/cifs_dfs_ref.c +++ b/fs/smb/client/cifs_dfs_ref.c @@ -258,6 +258,31 @@ char *cifs_compose_mount_options(const char *sb_mountdata, goto compose_mount_options_out; } +static int set_dest_addr(struct smb3_fs_context *ctx, const char *full_path) +{ + struct sockaddr *addr = (struct sockaddr *)&ctx->dstaddr; + char *str_addr = NULL; + int rc; + + rc = dns_resolve_server_name_to_ip(full_path, &str_addr, NULL); + if (rc < 0) + goto out; + + rc = cifs_convert_address(addr, str_addr, strlen(str_addr)); + if (!rc) { + cifs_dbg(FYI, "%s: failed to convert ip address\n", __func__); + rc = -EINVAL; + goto out; + } + + cifs_set_port(addr, ctx->port); + rc = 0; + +out: + kfree(str_addr); + return rc; +} + /* * Create a vfsmount that we can automount */ @@ -295,8 +320,7 @@ static struct vfsmount *cifs_dfs_do_automount(struct path *path) ctx = smb3_fc2context(fc); page = alloc_dentry_path(); - /* always use tree name prefix */ - full_path = build_path_from_dentry_optional_prefix(mntpt, page, true); + full_path = dfs_get_automount_devname(mntpt, page); if (IS_ERR(full_path)) { mnt = ERR_CAST(full_path); goto out; @@ -315,6 +339,12 @@ static struct vfsmount *cifs_dfs_do_automount(struct path *path) goto out; } + rc = set_dest_addr(ctx, full_path); + if (rc) { + mnt = ERR_PTR(rc); + goto out; + } + rc = smb3_parse_devname(full_path, ctx); if (!rc) mnt = fc_mount(fc); diff --git a/fs/smb/client/cifsproto.h b/fs/smb/client/cifsproto.h index f37e4da0fe40..81d2761cd00a 100644 --- a/fs/smb/client/cifsproto.h +++ b/fs/smb/client/cifsproto.h @@ -57,8 +57,29 @@ extern void exit_cifs_idmap(void); extern int init_cifs_spnego(void); extern void exit_cifs_spnego(void); extern const char *build_path_from_dentry(struct dentry *, void *); +char *__build_path_from_dentry_optional_prefix(struct dentry *direntry, void *page, + const char *tree, int tree_len, + bool prefix); extern char *build_path_from_dentry_optional_prefix(struct dentry *direntry, void *page, bool prefix); + +#ifdef CONFIG_CIFS_DFS_UPCALL +static inline char *dfs_get_automount_devname(struct dentry *dentry, void *page) +{ + struct cifs_sb_info *cifs_sb = CIFS_SB(dentry->d_sb); + struct cifs_tcon *tcon = cifs_sb_master_tcon(cifs_sb); + struct TCP_Server_Info *server = tcon->ses->server; + + if (unlikely(!server->origin_fullpath)) + return ERR_PTR(-EREMOTE); + + return __build_path_from_dentry_optional_prefix(dentry, page, + server->origin_fullpath, + strlen(server->origin_fullpath), + true); +} +#endif + static inline void *alloc_dentry_path(void) { return __getname(); diff --git a/fs/smb/client/dir.c b/fs/smb/client/dir.c index 863c7bc3db86..477302157ab3 100644 --- a/fs/smb/client/dir.c +++ b/fs/smb/client/dir.c @@ -78,14 +78,13 @@ build_path_from_dentry(struct dentry *direntry, void *page) prefix); } -char * -build_path_from_dentry_optional_prefix(struct dentry *direntry, void *page, - bool prefix) +char *__build_path_from_dentry_optional_prefix(struct dentry *direntry, void *page, + const char *tree, int tree_len, + bool prefix) { int dfsplen; int pplen = 0; struct cifs_sb_info *cifs_sb = CIFS_SB(direntry->d_sb); - struct cifs_tcon *tcon = cifs_sb_master_tcon(cifs_sb); char dirsep = CIFS_DIR_SEP(cifs_sb); char *s; @@ -93,7 +92,7 @@ build_path_from_dentry_optional_prefix(struct dentry *direntry, void *page, return ERR_PTR(-ENOMEM); if (prefix) - dfsplen = strnlen(tcon->tree_name, MAX_TREE_SIZE + 1); + dfsplen = strnlen(tree, tree_len + 1); else dfsplen = 0; @@ -123,7 +122,7 @@ build_path_from_dentry_optional_prefix(struct dentry *direntry, void *page, } if (dfsplen) { s -= dfsplen; - memcpy(s, tcon->tree_name, dfsplen); + memcpy(s, tree, dfsplen); if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS) { int i; for (i = 0; i < dfsplen; i++) { @@ -135,6 +134,16 @@ build_path_from_dentry_optional_prefix(struct dentry *direntry, void *page, return s; } +char *build_path_from_dentry_optional_prefix(struct dentry *direntry, void *page, + bool prefix) +{ + struct cifs_sb_info *cifs_sb = CIFS_SB(direntry->d_sb); + struct cifs_tcon *tcon = cifs_sb_master_tcon(cifs_sb); + + return __build_path_from_dentry_optional_prefix(direntry, page, tcon->tree_name, + MAX_TREE_SIZE, prefix); +} + /* * Don't allow path components longer than the server max. * Don't allow the separator character in a path component. base-commit: 8e60a714ba3bb083b7321385054fa39ceb876914 -- 2.43.0

2 months, 2 weeks

1
0
0 0

[PATCH gfs2/for-next] gfs2: use delay during spinlock area

by Alexander Aring

In a rare case of gfs2 spectator mount the ls->ls_recover_spin is being held. In this case we cannot call msleep_interruptible() as we a in a non-sleepable context. Replace it with mdelay() to busy wait for 1 second. Cc: stable(a)vger.kernel.org Fixes: 4a7727725dc7 ("GFS2: Fix recovery issues for spectators") Signed-off-by: Alexander Aring <aahringo(a)redhat.com> --- fs/gfs2/lock_dlm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/gfs2/lock_dlm.c b/fs/gfs2/lock_dlm.c index 58aeeae7ed8c..ac0afedff49b 100644 --- a/fs/gfs2/lock_dlm.c +++ b/fs/gfs2/lock_dlm.c @@ -996,7 +996,7 @@ static int control_mount(struct gfs2_sbd *sdp) if (sdp->sd_args.ar_spectator) { fs_info(sdp, "Recovery is required. Waiting for a " "non-spectator to mount.\n"); - msleep_interruptible(1000); + mdelay(1000); } else { fs_info(sdp, "control_mount wait1 block %u start %u " "mount %u lvb %u flags %lx\n", block_gen, -- 2.43.0

2 months, 2 weeks

3
2
0 0

[PATCH 6.6 1/3] drm/dp_mst: Factor out function to queue a topology probe work

by Thadeu Lima de Souza Cascardo

From: Imre Deak <imre.deak(a)intel.com> [ Upstream commit e9b36c5be2e7fdef2cc933c1dac50bd81881e9b8 ] Factor out a function to queue a work for probing the topology, also used by the next patch. Cc: Lyude Paul <lyude(a)redhat.com> Cc: dri-devel(a)lists.freedesktop.org Reviewed-by: Lyude Paul <lyude(a)redhat.com> Signed-off-by: Imre Deak <imre.deak(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240722165503.2084999-2-imre… Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> --- drivers/gpu/drm/display/drm_dp_mst_topology.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/display/drm_dp_mst_topology.c b/drivers/gpu/drm/display/drm_dp_mst_topology.c index 08f8a22431fe..2a6feb83f786 100644 --- a/drivers/gpu/drm/display/drm_dp_mst_topology.c +++ b/drivers/gpu/drm/display/drm_dp_mst_topology.c @@ -2692,6 +2692,11 @@ static void drm_dp_mst_link_probe_work(struct work_struct *work) drm_kms_helper_hotplug_event(dev); } +static void drm_dp_mst_queue_probe_work(struct drm_dp_mst_topology_mgr *mgr) +{ + queue_work(system_long_wq, &mgr->work); +} + static bool drm_dp_validate_guid(struct drm_dp_mst_topology_mgr *mgr, u8 *guid) { @@ -3643,7 +3648,7 @@ int drm_dp_mst_topology_mgr_set_mst(struct drm_dp_mst_topology_mgr *mgr, bool ms /* Write reset payload */ drm_dp_dpcd_write_payload(mgr, 0, 0, 0x3f); - queue_work(system_long_wq, &mgr->work); + drm_dp_mst_queue_probe_work(mgr); ret = 0; } else { @@ -3766,7 +3771,7 @@ int drm_dp_mst_topology_mgr_resume(struct drm_dp_mst_topology_mgr *mgr, * state of our in-memory topology back into sync with reality. So, * restart the probing process as if we're probing a new hub */ - queue_work(system_long_wq, &mgr->work); + drm_dp_mst_queue_probe_work(mgr); mutex_unlock(&mgr->lock); if (sync) { -- 2.47.2

2 months, 2 weeks

1
2
0 0

[PATCH v5 3/5] ASoC: q6apm-dai: make use of q6apm_get_hw_pointer

by srinivas.kandagatla＠linaro.org

From: Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> With the existing code, the buffer position is only reset in pointer callback, which leaves the possiblity of it going over the size of buffer size and reporting incorrect position to userspace. Without this patch, its possible to see errors like: snd-x1e80100 sound: invalid position: pcmC0D0p:0, pos = 12288, buffer size = 12288, period size = 1536 snd-x1e80100 sound: invalid position: pcmC0D0p:0, pos = 12288, buffer size = 12288, period size = 1536 Fixes: 9b4fe0f1cd79 ("ASoC: qdsp6: audioreach: add q6apm-dai support") Cc: stable(a)vger.kernel.org Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> Tested-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Tested-by: Johan Hovold <johan+linaro(a)kernel.org> --- sound/soc/qcom/qdsp6/q6apm-dai.c | 23 ++++------------------- 1 file changed, 4 insertions(+), 19 deletions(-) diff --git a/sound/soc/qcom/qdsp6/q6apm-dai.c b/sound/soc/qcom/qdsp6/q6apm-dai.c index 9d8e8e37c6de..90cb24947f31 100644 --- a/sound/soc/qcom/qdsp6/q6apm-dai.c +++ b/sound/soc/qcom/qdsp6/q6apm-dai.c @@ -64,7 +64,6 @@ struct q6apm_dai_rtd { phys_addr_t phys; unsigned int pcm_size; unsigned int pcm_count; - unsigned int pos; /* Buffer position */ unsigned int periods; unsigned int bytes_sent; unsigned int bytes_received; @@ -124,23 +123,16 @@ static void event_handler(uint32_t opcode, uint32_t token, void *payload, void * { struct q6apm_dai_rtd *prtd = priv; struct snd_pcm_substream *substream = prtd->substream; - unsigned long flags; switch (opcode) { case APM_CLIENT_EVENT_CMD_EOS_DONE: prtd->state = Q6APM_STREAM_STOPPED; break; case APM_CLIENT_EVENT_DATA_WRITE_DONE: - spin_lock_irqsave(&prtd->lock, flags); - prtd->pos += prtd->pcm_count; - spin_unlock_irqrestore(&prtd->lock, flags); snd_pcm_period_elapsed(substream); break; case APM_CLIENT_EVENT_DATA_READ_DONE: - spin_lock_irqsave(&prtd->lock, flags); - prtd->pos += prtd->pcm_count; - spin_unlock_irqrestore(&prtd->lock, flags); snd_pcm_period_elapsed(substream); if (prtd->state == Q6APM_STREAM_RUNNING) q6apm_read(prtd->graph); @@ -247,7 +239,6 @@ static int q6apm_dai_prepare(struct snd_soc_component *component, } prtd->pcm_count = snd_pcm_lib_period_bytes(substream); - prtd->pos = 0; /* rate and channels are sent to audio driver */ ret = q6apm_graph_media_format_shmem(prtd->graph, &cfg); if (ret < 0) { @@ -445,16 +436,12 @@ static snd_pcm_uframes_t q6apm_dai_pointer(struct snd_soc_component *component, struct snd_pcm_runtime *runtime = substream->runtime; struct q6apm_dai_rtd *prtd = runtime->private_data; snd_pcm_uframes_t ptr; - unsigned long flags; - spin_lock_irqsave(&prtd->lock, flags); - if (prtd->pos == prtd->pcm_size) - prtd->pos = 0; - - ptr = bytes_to_frames(runtime, prtd->pos); - spin_unlock_irqrestore(&prtd->lock, flags); + ptr = q6apm_get_hw_pointer(prtd->graph, substream->stream) * runtime->period_size; + if (ptr) + return ptr - 1; - return ptr; + return 0; } static int q6apm_dai_hw_params(struct snd_soc_component *component, @@ -669,8 +656,6 @@ static int q6apm_dai_compr_set_params(struct snd_soc_component *component, prtd->pcm_size = runtime->fragments * runtime->fragment_size; prtd->bits_per_sample = 16; - prtd->pos = 0; - if (prtd->next_track != true) { memcpy(&prtd->codec, codec, sizeof(*codec)); -- 2.39.5

2 months, 2 weeks

4
4
0 0

[PATCH AUTOSEL 5.4 1/5] HID: pidff: Convert infinite length from Linux API to PID standard

by Sasha Levin

From: Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> [ Upstream commit 37e0591fe44dce39d1ebc7a82d5b6e4dba1582eb ] Software uses 0 as de-facto infinite lenght on Linux FF apis (SDL), Linux doesn't actually define anythi as of now, while USB PID defines NULL (0xffff). Most PID devices do not expect a 0-length effect and can't interpret it as infinite. This change fixes Force Feedback for most PID compliant devices. As most games depend on updating the values of already playing infinite effects, this is crucial to ensure they will actually work. Previously, users had to rely on third-party software to do this conversion and make their PID devices usable. Co-developed-by: Makarenko Oleg <oleg(a)makarenk.ooo> Signed-off-by: Makarenko Oleg <oleg(a)makarenk.ooo> Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> Reviewed-by: Michał Kopeć <michal(a)nozomi.space> Reviewed-by: Paul Dino Jones <paul(a)spacefreak18.xyz> Tested-by: Paul Dino Jones <paul(a)spacefreak18.xyz> Tested-by: Cristóferson Bueno <cbueno81(a)gmail.com> Tested-by: Pablo Cisneros <patchkez(a)protonmail.com> Signed-off-by: Jiri Kosina <jkosina(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/hid/usbhid/hid-pidff.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c index 07a9fe97d2e05..badcb5f28607e 100644 --- a/drivers/hid/usbhid/hid-pidff.c +++ b/drivers/hid/usbhid/hid-pidff.c @@ -21,6 +21,7 @@ #include "usbhid.h" #define PID_EFFECTS_MAX 64 +#define PID_INFINITE 0xffff /* Report usage table used to put reports into an array */ @@ -301,7 +302,12 @@ static void pidff_set_effect_report(struct pidff_device *pidff, pidff->block_load[PID_EFFECT_BLOCK_INDEX].value[0]; pidff->set_effect_type->value[0] = pidff->create_new_effect_type->value[0]; - pidff->set_effect[PID_DURATION].value[0] = effect->replay.length; + + /* Convert infinite length from Linux API (0) + to PID standard (NULL) if needed */ + pidff->set_effect[PID_DURATION].value[0] = + effect->replay.length == 0 ? PID_INFINITE : effect->replay.length; + pidff->set_effect[PID_TRIGGER_BUTTON].value[0] = effect->trigger.button; pidff->set_effect[PID_TRIGGER_REPEAT_INT].value[0] = effect->trigger.interval; -- 2.39.5

2 months, 2 weeks

1
4
0 0

[PATCH AUTOSEL 5.15 1/6] HID: pidff: Convert infinite length from Linux API to PID standard

by Sasha Levin

From: Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> [ Upstream commit 37e0591fe44dce39d1ebc7a82d5b6e4dba1582eb ] Software uses 0 as de-facto infinite lenght on Linux FF apis (SDL), Linux doesn't actually define anythi as of now, while USB PID defines NULL (0xffff). Most PID devices do not expect a 0-length effect and can't interpret it as infinite. This change fixes Force Feedback for most PID compliant devices. As most games depend on updating the values of already playing infinite effects, this is crucial to ensure they will actually work. Previously, users had to rely on third-party software to do this conversion and make their PID devices usable. Co-developed-by: Makarenko Oleg <oleg(a)makarenk.ooo> Signed-off-by: Makarenko Oleg <oleg(a)makarenk.ooo> Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> Reviewed-by: Michał Kopeć <michal(a)nozomi.space> Reviewed-by: Paul Dino Jones <paul(a)spacefreak18.xyz> Tested-by: Paul Dino Jones <paul(a)spacefreak18.xyz> Tested-by: Cristóferson Bueno <cbueno81(a)gmail.com> Tested-by: Pablo Cisneros <patchkez(a)protonmail.com> Signed-off-by: Jiri Kosina <jkosina(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/hid/usbhid/hid-pidff.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c index 3b4ee21cd8111..5fe4422bb5bad 100644 --- a/drivers/hid/usbhid/hid-pidff.c +++ b/drivers/hid/usbhid/hid-pidff.c @@ -21,6 +21,7 @@ #include "usbhid.h" #define PID_EFFECTS_MAX 64 +#define PID_INFINITE 0xffff /* Report usage table used to put reports into an array */ @@ -301,7 +302,12 @@ static void pidff_set_effect_report(struct pidff_device *pidff, pidff->block_load[PID_EFFECT_BLOCK_INDEX].value[0]; pidff->set_effect_type->value[0] = pidff->create_new_effect_type->value[0]; - pidff->set_effect[PID_DURATION].value[0] = effect->replay.length; + + /* Convert infinite length from Linux API (0) + to PID standard (NULL) if needed */ + pidff->set_effect[PID_DURATION].value[0] = + effect->replay.length == 0 ? PID_INFINITE : effect->replay.length; + pidff->set_effect[PID_TRIGGER_BUTTON].value[0] = effect->trigger.button; pidff->set_effect[PID_TRIGGER_REPEAT_INT].value[0] = effect->trigger.interval; -- 2.39.5

2 months, 2 weeks

1
5
0 0

[PATCH AUTOSEL 6.6 01/19] ASoC: SOF: topology: Use krealloc_array() to replace krealloc()

by Sasha Levin

From: Zhang Heng <zhangheng(a)kylinos.cn> [ Upstream commit a05143a8f713d9ae6abc41141dac52c66fca8b06 ] Use krealloc_array() to replace krealloc() with multiplication. krealloc_array() has multiply overflow check, which will be safer. Signed-off-by: Zhang Heng <zhangheng(a)kylinos.cn> Link: https://patch.msgid.link/20250117014343.451503-1-zhangheng@kylinos.cn Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- sound/soc/sof/topology.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c index cf1e63daad86b..7afded323150c 100644 --- a/sound/soc/sof/topology.c +++ b/sound/soc/sof/topology.c @@ -1267,8 +1267,8 @@ static int sof_widget_parse_tokens(struct snd_soc_component *scomp, struct snd_s struct snd_sof_tuple *new_tuples; num_tuples += token_list[object_token_list[i]].count * (num_sets - 1); - new_tuples = krealloc(swidget->tuples, - sizeof(*new_tuples) * num_tuples, GFP_KERNEL); + new_tuples = krealloc_array(swidget->tuples, + num_tuples, sizeof(*new_tuples), GFP_KERNEL); if (!new_tuples) { ret = -ENOMEM; goto err; -- 2.39.5

2 months, 2 weeks

1
18
0 0

[PATCH AUTOSEL 6.12 01/23] platform/chrome: cros_ec_lpc: Match on Framework ACPI device

by Sasha Levin

From: Daniel Schaefer <dhs(a)frame.work> [ Upstream commit d83c45aeec9b223fe6db4175e9d1c4f5699cc37a ] Load the cros_ec_lpc driver based on a Framework FRMWC004 ACPI device, which mirrors GOOG0004, but also applies npcx quirks for Framework systems. Matching on ACPI will let us avoid having to change the SMBIOS match rules again and again. Cc: Tzung-Bi Shih <tzungbi(a)kernel.org> Cc: linux(a)frame.work Cc: Dustin L. Howett <dustin(a)howett.net> Signed-off-by: Daniel Schaefer <dhs(a)frame.work> Link: https://lore.kernel.org/r/20250128181329.8070-1-dhs@frame.work Signed-off-by: Tzung-Bi Shih <tzungbi(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/platform/chrome/cros_ec_lpc.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/drivers/platform/chrome/cros_ec_lpc.c b/drivers/platform/chrome/cros_ec_lpc.c index 626e2635e3da7..ac198d1fd1707 100644 --- a/drivers/platform/chrome/cros_ec_lpc.c +++ b/drivers/platform/chrome/cros_ec_lpc.c @@ -30,6 +30,7 @@ #define DRV_NAME "cros_ec_lpcs" #define ACPI_DRV_NAME "GOOG0004" +#define FRMW_ACPI_DRV_NAME "FRMWC004" /* True if ACPI device is present */ static bool cros_ec_lpc_acpi_device_found; @@ -460,7 +461,7 @@ static int cros_ec_lpc_probe(struct platform_device *pdev) acpi_status status; struct cros_ec_device *ec_dev; struct cros_ec_lpc *ec_lpc; - struct lpc_driver_data *driver_data; + const struct lpc_driver_data *driver_data; u8 buf[2] = {}; int irq, ret; u32 quirks; @@ -472,6 +473,9 @@ static int cros_ec_lpc_probe(struct platform_device *pdev) ec_lpc->mmio_memory_base = EC_LPC_ADDR_MEMMAP; driver_data = platform_get_drvdata(pdev); + if (!driver_data) + driver_data = acpi_device_get_match_data(dev); + if (driver_data) { quirks = driver_data->quirks; @@ -625,12 +629,6 @@ static void cros_ec_lpc_remove(struct platform_device *pdev) cros_ec_unregister(ec_dev); } -static const struct acpi_device_id cros_ec_lpc_acpi_device_ids[] = { - { ACPI_DRV_NAME, 0 }, - { } -}; -MODULE_DEVICE_TABLE(acpi, cros_ec_lpc_acpi_device_ids); - static const struct lpc_driver_data framework_laptop_npcx_lpc_driver_data __initconst = { .quirks = CROS_EC_LPC_QUIRK_REMAP_MEMORY, .quirk_mmio_memory_base = 0xE00, @@ -642,6 +640,13 @@ static const struct lpc_driver_data framework_laptop_mec_lpc_driver_data __initc .quirk_aml_mutex_name = "ECMT", }; +static const struct acpi_device_id cros_ec_lpc_acpi_device_ids[] = { + { ACPI_DRV_NAME, 0 }, + { FRMW_ACPI_DRV_NAME, (kernel_ulong_t)&framework_laptop_npcx_lpc_driver_data }, + { } +}; +MODULE_DEVICE_TABLE(acpi, cros_ec_lpc_acpi_device_ids); + static const struct dmi_system_id cros_ec_lpc_dmi_table[] __initconst = { { /* @@ -795,7 +800,8 @@ static int __init cros_ec_lpc_init(void) int ret; const struct dmi_system_id *dmi_match; - cros_ec_lpc_acpi_device_found = !!cros_ec_lpc_get_device(ACPI_DRV_NAME); + cros_ec_lpc_acpi_device_found = !!cros_ec_lpc_get_device(ACPI_DRV_NAME) || + !!cros_ec_lpc_get_device(FRMW_ACPI_DRV_NAME); dmi_match = dmi_first_match(cros_ec_lpc_dmi_table); -- 2.39.5

2 months, 2 weeks

1
22
0 0

[PATCH AUTOSEL 6.13 01/24] platform/chrome: cros_ec_lpc: Match on Framework ACPI device

by Sasha Levin

From: Daniel Schaefer <dhs(a)frame.work> [ Upstream commit d83c45aeec9b223fe6db4175e9d1c4f5699cc37a ] Load the cros_ec_lpc driver based on a Framework FRMWC004 ACPI device, which mirrors GOOG0004, but also applies npcx quirks for Framework systems. Matching on ACPI will let us avoid having to change the SMBIOS match rules again and again. Cc: Tzung-Bi Shih <tzungbi(a)kernel.org> Cc: linux(a)frame.work Cc: Dustin L. Howett <dustin(a)howett.net> Signed-off-by: Daniel Schaefer <dhs(a)frame.work> Link: https://lore.kernel.org/r/20250128181329.8070-1-dhs@frame.work Signed-off-by: Tzung-Bi Shih <tzungbi(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/platform/chrome/cros_ec_lpc.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/drivers/platform/chrome/cros_ec_lpc.c b/drivers/platform/chrome/cros_ec_lpc.c index 8470b7f2b1358..7924b79f84f1f 100644 --- a/drivers/platform/chrome/cros_ec_lpc.c +++ b/drivers/platform/chrome/cros_ec_lpc.c @@ -30,6 +30,7 @@ #define DRV_NAME "cros_ec_lpcs" #define ACPI_DRV_NAME "GOOG0004" +#define FRMW_ACPI_DRV_NAME "FRMWC004" /* True if ACPI device is present */ static bool cros_ec_lpc_acpi_device_found; @@ -460,7 +461,7 @@ static int cros_ec_lpc_probe(struct platform_device *pdev) acpi_status status; struct cros_ec_device *ec_dev; struct cros_ec_lpc *ec_lpc; - struct lpc_driver_data *driver_data; + const struct lpc_driver_data *driver_data; u8 buf[2] = {}; int irq, ret; u32 quirks; @@ -472,6 +473,9 @@ static int cros_ec_lpc_probe(struct platform_device *pdev) ec_lpc->mmio_memory_base = EC_LPC_ADDR_MEMMAP; driver_data = platform_get_drvdata(pdev); + if (!driver_data) + driver_data = acpi_device_get_match_data(dev); + if (driver_data) { quirks = driver_data->quirks; @@ -625,12 +629,6 @@ static void cros_ec_lpc_remove(struct platform_device *pdev) cros_ec_unregister(ec_dev); } -static const struct acpi_device_id cros_ec_lpc_acpi_device_ids[] = { - { ACPI_DRV_NAME, 0 }, - { } -}; -MODULE_DEVICE_TABLE(acpi, cros_ec_lpc_acpi_device_ids); - static const struct lpc_driver_data framework_laptop_npcx_lpc_driver_data __initconst = { .quirks = CROS_EC_LPC_QUIRK_REMAP_MEMORY, .quirk_mmio_memory_base = 0xE00, @@ -642,6 +640,13 @@ static const struct lpc_driver_data framework_laptop_mec_lpc_driver_data __initc .quirk_aml_mutex_name = "ECMT", }; +static const struct acpi_device_id cros_ec_lpc_acpi_device_ids[] = { + { ACPI_DRV_NAME, 0 }, + { FRMW_ACPI_DRV_NAME, (kernel_ulong_t)&framework_laptop_npcx_lpc_driver_data }, + { } +}; +MODULE_DEVICE_TABLE(acpi, cros_ec_lpc_acpi_device_ids); + static const struct dmi_system_id cros_ec_lpc_dmi_table[] __initconst = { { /* @@ -795,7 +800,8 @@ static int __init cros_ec_lpc_init(void) int ret; const struct dmi_system_id *dmi_match; - cros_ec_lpc_acpi_device_found = !!cros_ec_lpc_get_device(ACPI_DRV_NAME); + cros_ec_lpc_acpi_device_found = !!cros_ec_lpc_get_device(ACPI_DRV_NAME) || + !!cros_ec_lpc_get_device(FRMW_ACPI_DRV_NAME); dmi_match = dmi_first_match(cros_ec_lpc_dmi_table); -- 2.39.5

2 months, 2 weeks

1
23
0 0

[PATCH AUTOSEL 6.14 01/27] platform/chrome: cros_ec_lpc: Match on Framework ACPI device

by Sasha Levin

From: Daniel Schaefer <dhs(a)frame.work> [ Upstream commit d83c45aeec9b223fe6db4175e9d1c4f5699cc37a ] Load the cros_ec_lpc driver based on a Framework FRMWC004 ACPI device, which mirrors GOOG0004, but also applies npcx quirks for Framework systems. Matching on ACPI will let us avoid having to change the SMBIOS match rules again and again. Cc: Tzung-Bi Shih <tzungbi(a)kernel.org> Cc: linux(a)frame.work Cc: Dustin L. Howett <dustin(a)howett.net> Signed-off-by: Daniel Schaefer <dhs(a)frame.work> Link: https://lore.kernel.org/r/20250128181329.8070-1-dhs@frame.work Signed-off-by: Tzung-Bi Shih <tzungbi(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/platform/chrome/cros_ec_lpc.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/drivers/platform/chrome/cros_ec_lpc.c b/drivers/platform/chrome/cros_ec_lpc.c index 5a2f1d98b3501..be319949b9415 100644 --- a/drivers/platform/chrome/cros_ec_lpc.c +++ b/drivers/platform/chrome/cros_ec_lpc.c @@ -30,6 +30,7 @@ #define DRV_NAME "cros_ec_lpcs" #define ACPI_DRV_NAME "GOOG0004" +#define FRMW_ACPI_DRV_NAME "FRMWC004" /* True if ACPI device is present */ static bool cros_ec_lpc_acpi_device_found; @@ -514,7 +515,7 @@ static int cros_ec_lpc_probe(struct platform_device *pdev) acpi_status status; struct cros_ec_device *ec_dev; struct cros_ec_lpc *ec_lpc; - struct lpc_driver_data *driver_data; + const struct lpc_driver_data *driver_data; u8 buf[2] = {}; int irq, ret; u32 quirks; @@ -526,6 +527,9 @@ static int cros_ec_lpc_probe(struct platform_device *pdev) ec_lpc->mmio_memory_base = EC_LPC_ADDR_MEMMAP; driver_data = platform_get_drvdata(pdev); + if (!driver_data) + driver_data = acpi_device_get_match_data(dev); + if (driver_data) { quirks = driver_data->quirks; @@ -696,12 +700,6 @@ static void cros_ec_lpc_remove(struct platform_device *pdev) cros_ec_unregister(ec_dev); } -static const struct acpi_device_id cros_ec_lpc_acpi_device_ids[] = { - { ACPI_DRV_NAME, 0 }, - { } -}; -MODULE_DEVICE_TABLE(acpi, cros_ec_lpc_acpi_device_ids); - static const struct lpc_driver_data framework_laptop_npcx_lpc_driver_data __initconst = { .quirks = CROS_EC_LPC_QUIRK_REMAP_MEMORY, .quirk_mmio_memory_base = 0xE00, @@ -713,6 +711,13 @@ static const struct lpc_driver_data framework_laptop_mec_lpc_driver_data __initc .quirk_aml_mutex_name = "ECMT", }; +static const struct acpi_device_id cros_ec_lpc_acpi_device_ids[] = { + { ACPI_DRV_NAME, 0 }, + { FRMW_ACPI_DRV_NAME, (kernel_ulong_t)&framework_laptop_npcx_lpc_driver_data }, + { } +}; +MODULE_DEVICE_TABLE(acpi, cros_ec_lpc_acpi_device_ids); + static const struct dmi_system_id cros_ec_lpc_dmi_table[] __initconst = { { /* @@ -866,7 +871,8 @@ static int __init cros_ec_lpc_init(void) int ret; const struct dmi_system_id *dmi_match; - cros_ec_lpc_acpi_device_found = !!cros_ec_lpc_get_device(ACPI_DRV_NAME); + cros_ec_lpc_acpi_device_found = !!cros_ec_lpc_get_device(ACPI_DRV_NAME) || + !!cros_ec_lpc_get_device(FRMW_ACPI_DRV_NAME); dmi_match = dmi_first_match(cros_ec_lpc_dmi_table); -- 2.39.5

2 months, 2 weeks

1
26
0 0

[PATCH 5.10.y] media: i2c: et8ek8: Don't strip remove function when driver is builtin

by bin.lan.cn＠windriver.com

From: Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> [ Upstream commit 545b215736c5c4b354e182d99c578a472ac9bfce ] Using __exit for the remove function results in the remove callback being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text) Fixes: c5254e72b8ed ("[media] media: Driver for Toshiba et8ek8 5MP sensor") Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> Signed-off-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Build test passed. --- drivers/media/i2c/et8ek8/et8ek8_driver.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/media/i2c/et8ek8/et8ek8_driver.c b/drivers/media/i2c/et8ek8/et8ek8_driver.c index 256acf73d5ea..4d7c4eac5e20 100644 --- a/drivers/media/i2c/et8ek8/et8ek8_driver.c +++ b/drivers/media/i2c/et8ek8/et8ek8_driver.c @@ -1460,7 +1460,7 @@ static int et8ek8_probe(struct i2c_client *client) return ret; } -static int __exit et8ek8_remove(struct i2c_client *client) +static int et8ek8_remove(struct i2c_client *client) { struct v4l2_subdev *subdev = i2c_get_clientdata(client); struct et8ek8_sensor *sensor = to_et8ek8_sensor(subdev); @@ -1504,7 +1504,7 @@ static struct i2c_driver et8ek8_i2c_driver = { .of_match_table = et8ek8_of_table, }, .probe_new = et8ek8_probe, - .remove = __exit_p(et8ek8_remove), + .remove = et8ek8_remove, .id_table = et8ek8_id_table, }; -- 2.34.1

2 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] ARM: dts: imx6qdl-apalis: Fix poweroff on Apalis iMX6" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 83964a29379cb08929a39172780a4c2992bc7c93 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032458-hammock-twitter-2596@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 83964a29379cb08929a39172780a4c2992bc7c93 Mon Sep 17 00:00:00 2001 From: Stefan Eichenberger <stefan.eichenberger(a)toradex.com> Date: Fri, 10 Jan 2025 16:18:29 +0100 Subject: [PATCH] ARM: dts: imx6qdl-apalis: Fix poweroff on Apalis iMX6 The current solution for powering off the Apalis iMX6 is not functioning as intended. To resolve this, it is necessary to power off the vgen2_reg, which will also set the POWER_ENABLE_MOCI signal to a low state. This ensures the carrier board is properly informed to initiate its power-off sequence. The new solution uses the regulator-poweroff driver, which will power off the regulator during a system shutdown. Cc: <stable(a)vger.kernel.org> Fixes: 4eb56e26f92e ("ARM: dts: imx6q-apalis: Command pmic to standby for poweroff") Signed-off-by: Stefan Eichenberger <stefan.eichenberger(a)toradex.com> Signed-off-by: Shawn Guo <shawnguo(a)kernel.org> diff --git a/arch/arm/boot/dts/nxp/imx/imx6qdl-apalis.dtsi b/arch/arm/boot/dts/nxp/imx/imx6qdl-apalis.dtsi index dffab5aa8b9c..88be29166c1a 100644 --- a/arch/arm/boot/dts/nxp/imx/imx6qdl-apalis.dtsi +++ b/arch/arm/boot/dts/nxp/imx/imx6qdl-apalis.dtsi @@ -108,6 +108,11 @@ lvds_panel_in: endpoint { }; }; + poweroff { + compatible = "regulator-poweroff"; + cpu-supply = <&vgen2_reg>; + }; + reg_module_3v3: regulator-module-3v3 { compatible = "regulator-fixed"; regulator-always-on; @@ -236,10 +241,6 @@ &can2 { status = "disabled"; }; -&clks { - fsl,pmic-stby-poweroff; -}; - /* Apalis SPI1 */ &ecspi1 { cs-gpios = <&gpio5 25 GPIO_ACTIVE_LOW>; @@ -527,7 +528,6 @@ &i2c2 { pmic: pmic@8 { compatible = "fsl,pfuze100"; - fsl,pmic-stby-poweroff; reg = <0x08>; regulators {

2 months, 2 weeks

3
2
0 0

[PATCH 6.1.y] drm/amd/display: Check denominator crb_pipes before used

by Cliff Liu

From: Alex Hung <alex.hung(a)amd.com> [ Upstream commit ea79068d4073bf303f8203f2625af7d9185a1bc6 ] [WHAT & HOW] A denominator cannot be 0, and is checked before used. This fixes 2 DIVIDE_BY_ZERO issues reported by Coverity. Reviewed-by: Harry Wentland <harry.wentland(a)amd.com> Signed-off-by: Jerry Zuo <jerry.zuo(a)amd.com> Signed-off-by: Alex Hung <alex.hung(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Cliff Liu <donghua.liu(a)windriver.com> Signed-off-by: He Zhe <Zhe.He(a)windriver.com> --- Verified the build test. --- drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c b/drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c index e78954514e3e..958170fbfece 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c +++ b/drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c @@ -1772,7 +1772,7 @@ static int dcn315_populate_dml_pipes_from_context( bool split_required = pipe->stream->timing.pix_clk_100hz >= dcn_get_max_non_odm_pix_rate_100hz(&dc->dml.soc) || (pipe->plane_state && pipe->plane_state->src_rect.width > 5120); - if (remaining_det_segs > MIN_RESERVED_DET_SEGS) + if (remaining_det_segs > MIN_RESERVED_DET_SEGS && crb_pipes != 0) pipes[pipe_cnt].pipe.src.det_size_override += (remaining_det_segs - MIN_RESERVED_DET_SEGS) / crb_pipes + (crb_idx < (remaining_det_segs - MIN_RESERVED_DET_SEGS) % crb_pipes ? 1 : 0); if (pipes[pipe_cnt].pipe.src.det_size_override > 2 * DCN3_15_MAX_DET_SEGS) { -- 2.34.1

2 months, 2 weeks

2
1
0 0

[PATCH 6.1.y] media: i2c: et8ek8: Don't strip remove function when driver is builtin

by bin.lan.cn＠windriver.com

From: Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> [ Upstream commit 545b215736c5c4b354e182d99c578a472ac9bfce ] Using __exit for the remove function results in the remove callback being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text) Fixes: c5254e72b8ed ("[media] media: Driver for Toshiba et8ek8 5MP sensor") Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> Signed-off-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Build test passed. --- drivers/media/i2c/et8ek8/et8ek8_driver.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/media/i2c/et8ek8/et8ek8_driver.c b/drivers/media/i2c/et8ek8/et8ek8_driver.c index ff9bb9fc97dd..49fe2bd702f7 100644 --- a/drivers/media/i2c/et8ek8/et8ek8_driver.c +++ b/drivers/media/i2c/et8ek8/et8ek8_driver.c @@ -1460,7 +1460,7 @@ static int et8ek8_probe(struct i2c_client *client) return ret; } -static void __exit et8ek8_remove(struct i2c_client *client) +static void et8ek8_remove(struct i2c_client *client) { struct v4l2_subdev *subdev = i2c_get_clientdata(client); struct et8ek8_sensor *sensor = to_et8ek8_sensor(subdev); @@ -1502,7 +1502,7 @@ static struct i2c_driver et8ek8_i2c_driver = { .of_match_table = et8ek8_of_table, }, .probe_new = et8ek8_probe, - .remove = __exit_p(et8ek8_remove), + .remove = et8ek8_remove, .id_table = et8ek8_id_table, }; -- 2.34.1

2 months, 2 weeks

2
1
0 0

[PATCH 5.15.y] media: i2c: et8ek8: Don't strip remove function when driver is builtin

by bin.lan.cn＠windriver.com

From: Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> [ Upstream commit 545b215736c5c4b354e182d99c578a472ac9bfce ] Using __exit for the remove function results in the remove callback being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text) Fixes: c5254e72b8ed ("[media] media: Driver for Toshiba et8ek8 5MP sensor") Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> Signed-off-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Build test passed. --- drivers/media/i2c/et8ek8/et8ek8_driver.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/media/i2c/et8ek8/et8ek8_driver.c b/drivers/media/i2c/et8ek8/et8ek8_driver.c index 873d614339bb..2910842705bc 100644 --- a/drivers/media/i2c/et8ek8/et8ek8_driver.c +++ b/drivers/media/i2c/et8ek8/et8ek8_driver.c @@ -1460,7 +1460,7 @@ static int et8ek8_probe(struct i2c_client *client) return ret; } -static int __exit et8ek8_remove(struct i2c_client *client) +static int et8ek8_remove(struct i2c_client *client) { struct v4l2_subdev *subdev = i2c_get_clientdata(client); struct et8ek8_sensor *sensor = to_et8ek8_sensor(subdev); @@ -1504,7 +1504,7 @@ static struct i2c_driver et8ek8_i2c_driver = { .of_match_table = et8ek8_of_table, }, .probe_new = et8ek8_probe, - .remove = __exit_p(et8ek8_remove), + .remove = et8ek8_remove, .id_table = et8ek8_id_table, }; -- 2.34.1

2 months, 2 weeks

2
1
0 0

[PATCH AUTOSEL 5.4 1/5] pm: cpupower: bench: Prevent NULL dereference on malloc failure

by Sasha Levin

From: Zhongqiu Han <quic_zhonhan(a)quicinc.com> [ Upstream commit 208baa3ec9043a664d9acfb8174b332e6b17fb69 ] If malloc returns NULL due to low memory, 'config' pointer can be NULL. Add a check to prevent NULL dereference. Link: https://lore.kernel.org/r/20250219122715.3892223-1-quic_zhonhan@quicinc.com Signed-off-by: Zhongqiu Han <quic_zhonhan(a)quicinc.com> Signed-off-by: Shuah Khan <skhan(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- tools/power/cpupower/bench/parse.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/power/cpupower/bench/parse.c b/tools/power/cpupower/bench/parse.c index e63dc11fa3a53..48e25be6e1635 100644 --- a/tools/power/cpupower/bench/parse.c +++ b/tools/power/cpupower/bench/parse.c @@ -120,6 +120,10 @@ FILE *prepare_output(const char *dirname) struct config *prepare_default_config() { struct config *config = malloc(sizeof(struct config)); + if (!config) { + perror("malloc"); + return NULL; + } dprintf("loading defaults\n"); -- 2.39.5

2 months, 2 weeks

1
4
0 0

[PATCH AUTOSEL 5.15 1/6] pm: cpupower: bench: Prevent NULL dereference on malloc failure

by Sasha Levin

From: Zhongqiu Han <quic_zhonhan(a)quicinc.com> [ Upstream commit 208baa3ec9043a664d9acfb8174b332e6b17fb69 ] If malloc returns NULL due to low memory, 'config' pointer can be NULL. Add a check to prevent NULL dereference. Link: https://lore.kernel.org/r/20250219122715.3892223-1-quic_zhonhan@quicinc.com Signed-off-by: Zhongqiu Han <quic_zhonhan(a)quicinc.com> Signed-off-by: Shuah Khan <skhan(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- tools/power/cpupower/bench/parse.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/power/cpupower/bench/parse.c b/tools/power/cpupower/bench/parse.c index e63dc11fa3a53..48e25be6e1635 100644 --- a/tools/power/cpupower/bench/parse.c +++ b/tools/power/cpupower/bench/parse.c @@ -120,6 +120,10 @@ FILE *prepare_output(const char *dirname) struct config *prepare_default_config() { struct config *config = malloc(sizeof(struct config)); + if (!config) { + perror("malloc"); + return NULL; + } dprintf("loading defaults\n"); -- 2.39.5

2 months, 2 weeks

1
5
0 0

[PATCH AUTOSEL 6.1 1/6] pm: cpupower: bench: Prevent NULL dereference on malloc failure

by Sasha Levin

From: Zhongqiu Han <quic_zhonhan(a)quicinc.com> [ Upstream commit 208baa3ec9043a664d9acfb8174b332e6b17fb69 ] If malloc returns NULL due to low memory, 'config' pointer can be NULL. Add a check to prevent NULL dereference. Link: https://lore.kernel.org/r/20250219122715.3892223-1-quic_zhonhan@quicinc.com Signed-off-by: Zhongqiu Han <quic_zhonhan(a)quicinc.com> Signed-off-by: Shuah Khan <skhan(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- tools/power/cpupower/bench/parse.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/power/cpupower/bench/parse.c b/tools/power/cpupower/bench/parse.c index e63dc11fa3a53..48e25be6e1635 100644 --- a/tools/power/cpupower/bench/parse.c +++ b/tools/power/cpupower/bench/parse.c @@ -120,6 +120,10 @@ FILE *prepare_output(const char *dirname) struct config *prepare_default_config() { struct config *config = malloc(sizeof(struct config)); + if (!config) { + perror("malloc"); + return NULL; + } dprintf("loading defaults\n"); -- 2.39.5

2 months, 2 weeks

1
5
0 0

[PATCH AUTOSEL 6.6 1/9] pm: cpupower: bench: Prevent NULL dereference on malloc failure

by Sasha Levin

From: Zhongqiu Han <quic_zhonhan(a)quicinc.com> [ Upstream commit 208baa3ec9043a664d9acfb8174b332e6b17fb69 ] If malloc returns NULL due to low memory, 'config' pointer can be NULL. Add a check to prevent NULL dereference. Link: https://lore.kernel.org/r/20250219122715.3892223-1-quic_zhonhan@quicinc.com Signed-off-by: Zhongqiu Han <quic_zhonhan(a)quicinc.com> Signed-off-by: Shuah Khan <skhan(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- tools/power/cpupower/bench/parse.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/power/cpupower/bench/parse.c b/tools/power/cpupower/bench/parse.c index e63dc11fa3a53..48e25be6e1635 100644 --- a/tools/power/cpupower/bench/parse.c +++ b/tools/power/cpupower/bench/parse.c @@ -120,6 +120,10 @@ FILE *prepare_output(const char *dirname) struct config *prepare_default_config() { struct config *config = malloc(sizeof(struct config)); + if (!config) { + perror("malloc"); + return NULL; + } dprintf("loading defaults\n"); -- 2.39.5

2 months, 2 weeks

1
7
0 0

[PATCH AUTOSEL 6.12 01/13] pm: cpupower: bench: Prevent NULL dereference on malloc failure

by Sasha Levin

From: Zhongqiu Han <quic_zhonhan(a)quicinc.com> [ Upstream commit 208baa3ec9043a664d9acfb8174b332e6b17fb69 ] If malloc returns NULL due to low memory, 'config' pointer can be NULL. Add a check to prevent NULL dereference. Link: https://lore.kernel.org/r/20250219122715.3892223-1-quic_zhonhan@quicinc.com Signed-off-by: Zhongqiu Han <quic_zhonhan(a)quicinc.com> Signed-off-by: Shuah Khan <skhan(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- tools/power/cpupower/bench/parse.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/power/cpupower/bench/parse.c b/tools/power/cpupower/bench/parse.c index e63dc11fa3a53..48e25be6e1635 100644 --- a/tools/power/cpupower/bench/parse.c +++ b/tools/power/cpupower/bench/parse.c @@ -120,6 +120,10 @@ FILE *prepare_output(const char *dirname) struct config *prepare_default_config() { struct config *config = malloc(sizeof(struct config)); + if (!config) { + perror("malloc"); + return NULL; + } dprintf("loading defaults\n"); -- 2.39.5

2 months, 2 weeks

1
11
0 0

[PATCH AUTOSEL 6.13 01/16] srcu: Force synchronization for srcu_get_delay()

by Sasha Levin

From: "Paul E. McKenney" <paulmck(a)kernel.org> [ Upstream commit d31e31365b5b6c0cdfc74d71be87234ced564395 ] Currently, srcu_get_delay() can be called concurrently, for example, by a CPU that is the first to request a new grace period and the CPU processing the current grace period. Although concurrent access is harmless, it unnecessarily expands the state space. Additionally, all calls to srcu_get_delay() are from slow paths. This commit therefore protects all calls to srcu_get_delay() with ssp->srcu_sup->lock, which is already held on the invocation from the srcu_funnel_gp_start() function. While in the area, this commit also adds a lockdep_assert_held() to srcu_get_delay() itself. Reported-by: syzbot+16a19b06125a2963eaee(a)syzkaller.appspotmail.com Signed-off-by: Paul E. McKenney <paulmck(a)kernel.org> Cc: Alexei Starovoitov <ast(a)kernel.org> Cc: Andrii Nakryiko <andrii(a)kernel.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Kent Overstreet <kent.overstreet(a)linux.dev> Cc: <bpf(a)vger.kernel.org> Signed-off-by: Boqun Feng <boqun.feng(a)gmail.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/rcu/srcutree.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/kernel/rcu/srcutree.c b/kernel/rcu/srcutree.c index 5e2e534647946..c5419e97bd97b 100644 --- a/kernel/rcu/srcutree.c +++ b/kernel/rcu/srcutree.c @@ -647,6 +647,7 @@ static unsigned long srcu_get_delay(struct srcu_struct *ssp) unsigned long jbase = SRCU_INTERVAL; struct srcu_usage *sup = ssp->srcu_sup; + lockdep_assert_held(&ACCESS_PRIVATE(ssp->srcu_sup, lock)); if (srcu_gp_is_expedited(ssp)) jbase = 0; if (rcu_seq_state(READ_ONCE(sup->srcu_gp_seq))) { @@ -674,9 +675,13 @@ static unsigned long srcu_get_delay(struct srcu_struct *ssp) void cleanup_srcu_struct(struct srcu_struct *ssp) { int cpu; + unsigned long delay; struct srcu_usage *sup = ssp->srcu_sup; - if (WARN_ON(!srcu_get_delay(ssp))) + spin_lock_irq_rcu_node(ssp->srcu_sup); + delay = srcu_get_delay(ssp); + spin_unlock_irq_rcu_node(ssp->srcu_sup); + if (WARN_ON(!delay)) return; /* Just leak it! */ if (WARN_ON(srcu_readers_active(ssp))) return; /* Just leak it! */ @@ -1102,7 +1107,9 @@ static bool try_check_zero(struct srcu_struct *ssp, int idx, int trycount) { unsigned long curdelay; + spin_lock_irq_rcu_node(ssp->srcu_sup); curdelay = !srcu_get_delay(ssp); + spin_unlock_irq_rcu_node(ssp->srcu_sup); for (;;) { if (srcu_readers_active_idx_check(ssp, idx)) @@ -1849,7 +1856,9 @@ static void process_srcu(struct work_struct *work) ssp = sup->srcu_ssp; srcu_advance_state(ssp); + spin_lock_irq_rcu_node(ssp->srcu_sup); curdelay = srcu_get_delay(ssp); + spin_unlock_irq_rcu_node(ssp->srcu_sup); if (curdelay) { WRITE_ONCE(sup->reschedule_count, 0); } else { -- 2.39.5

2 months, 2 weeks

1
13
0 0

[PATCH AUTOSEL 6.14 01/18] srcu: Force synchronization for srcu_get_delay()

by Sasha Levin

From: "Paul E. McKenney" <paulmck(a)kernel.org> [ Upstream commit d31e31365b5b6c0cdfc74d71be87234ced564395 ] Currently, srcu_get_delay() can be called concurrently, for example, by a CPU that is the first to request a new grace period and the CPU processing the current grace period. Although concurrent access is harmless, it unnecessarily expands the state space. Additionally, all calls to srcu_get_delay() are from slow paths. This commit therefore protects all calls to srcu_get_delay() with ssp->srcu_sup->lock, which is already held on the invocation from the srcu_funnel_gp_start() function. While in the area, this commit also adds a lockdep_assert_held() to srcu_get_delay() itself. Reported-by: syzbot+16a19b06125a2963eaee(a)syzkaller.appspotmail.com Signed-off-by: Paul E. McKenney <paulmck(a)kernel.org> Cc: Alexei Starovoitov <ast(a)kernel.org> Cc: Andrii Nakryiko <andrii(a)kernel.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Kent Overstreet <kent.overstreet(a)linux.dev> Cc: <bpf(a)vger.kernel.org> Signed-off-by: Boqun Feng <boqun.feng(a)gmail.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/rcu/srcutree.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/kernel/rcu/srcutree.c b/kernel/rcu/srcutree.c index b83c74c4dcc0d..2d8f3329023c5 100644 --- a/kernel/rcu/srcutree.c +++ b/kernel/rcu/srcutree.c @@ -647,6 +647,7 @@ static unsigned long srcu_get_delay(struct srcu_struct *ssp) unsigned long jbase = SRCU_INTERVAL; struct srcu_usage *sup = ssp->srcu_sup; + lockdep_assert_held(&ACCESS_PRIVATE(ssp->srcu_sup, lock)); if (srcu_gp_is_expedited(ssp)) jbase = 0; if (rcu_seq_state(READ_ONCE(sup->srcu_gp_seq))) { @@ -674,9 +675,13 @@ static unsigned long srcu_get_delay(struct srcu_struct *ssp) void cleanup_srcu_struct(struct srcu_struct *ssp) { int cpu; + unsigned long delay; struct srcu_usage *sup = ssp->srcu_sup; - if (WARN_ON(!srcu_get_delay(ssp))) + spin_lock_irq_rcu_node(ssp->srcu_sup); + delay = srcu_get_delay(ssp); + spin_unlock_irq_rcu_node(ssp->srcu_sup); + if (WARN_ON(!delay)) return; /* Just leak it! */ if (WARN_ON(srcu_readers_active(ssp))) return; /* Just leak it! */ @@ -1102,7 +1107,9 @@ static bool try_check_zero(struct srcu_struct *ssp, int idx, int trycount) { unsigned long curdelay; + spin_lock_irq_rcu_node(ssp->srcu_sup); curdelay = !srcu_get_delay(ssp); + spin_unlock_irq_rcu_node(ssp->srcu_sup); for (;;) { if (srcu_readers_active_idx_check(ssp, idx)) @@ -1849,7 +1856,9 @@ static void process_srcu(struct work_struct *work) ssp = sup->srcu_ssp; srcu_advance_state(ssp); + spin_lock_irq_rcu_node(ssp->srcu_sup); curdelay = srcu_get_delay(ssp); + spin_unlock_irq_rcu_node(ssp->srcu_sup); if (curdelay) { WRITE_ONCE(sup->reschedule_count, 0); } else { -- 2.39.5

2 months, 2 weeks

1
15
0 0

[PATCH AUTOSEL 5.15] umount: Allow superblock owners to force umount

by Sasha Levin

From: Trond Myklebust <trond.myklebust(a)hammerspace.com> [ Upstream commit e1ff7aa34dec7e650159fd7ca8ec6af7cc428d9f ] Loosen the permission check on forced umount to allow users holding CAP_SYS_ADMIN privileges in namespaces that are privileged with respect to the userns that originally mounted the filesystem. Signed-off-by: Trond Myklebust <trond.myklebust(a)hammerspace.com> Link: https://lore.kernel.org/r/12f212d4ef983714d065a6bb372fbb378753bf4c.17423151… Acked-by: "Eric W. Biederman" <ebiederm(a)xmission.com> Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/namespace.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/namespace.c b/fs/namespace.c index 22af4b6c737f4..642baef4d9aaa 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -1734,6 +1734,7 @@ static void warn_mandlock(void) static int can_umount(const struct path *path, int flags) { struct mount *mnt = real_mount(path->mnt); + struct super_block *sb = path->dentry->d_sb; if (!may_mount()) return -EPERM; @@ -1743,7 +1744,7 @@ static int can_umount(const struct path *path, int flags) return -EINVAL; if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */ return -EINVAL; - if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN)) + if (flags & MNT_FORCE && !ns_capable(sb->s_user_ns, CAP_SYS_ADMIN)) return -EPERM; return 0; } -- 2.39.5

2 months, 2 weeks

1
0
0 0

[PATCH AUTOSEL 6.1 1/2] fs: consistently deref the files table with rcu_dereference_raw()

by Sasha Levin

From: Mateusz Guzik <mjguzik(a)gmail.com> [ Upstream commit f381640e1bd4f2de7ccafbfe8703d33c3718aad9 ] ... except when the table is known to be only used by one thread. A file pointer can get installed at any moment despite the ->file_lock being held since the following: 8a81252b774b53e6 ("fs/file.c: don't acquire files->file_lock in fd_install()") Accesses subject to such a race can in principle suffer load tearing. While here redo the comment in dup_fd -- it only covered a race against files showing up, still assuming fd_install() takes the lock. Signed-off-by: Mateusz Guzik <mjguzik(a)gmail.com> Link: https://lore.kernel.org/r/20250313135725.1320914-1-mjguzik@gmail.com Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/file.c | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/fs/file.c b/fs/file.c index bc0c087b31bbd..2eccbb5dcd86a 100644 --- a/fs/file.c +++ b/fs/file.c @@ -362,17 +362,25 @@ struct files_struct *dup_fd(struct files_struct *oldf, struct fd_range *punch_ho old_fds = old_fdt->fd; new_fds = new_fdt->fd; + /* + * We may be racing against fd allocation from other threads using this + * files_struct, despite holding ->file_lock. + * + * alloc_fd() might have already claimed a slot, while fd_install() + * did not populate it yet. Note the latter operates locklessly, so + * the file can show up as we are walking the array below. + * + * At the same time we know no files will disappear as all other + * operations take the lock. + * + * Instead of trying to placate userspace racing with itself, we + * ref the file if we see it and mark the fd slot as unused otherwise. + */ for (i = open_files; i != 0; i--) { - struct file *f = *old_fds++; + struct file *f = rcu_dereference_raw(*old_fds++); if (f) { get_file(f); } else { - /* - * The fd may be claimed in the fd bitmap but not yet - * instantiated in the files array if a sibling thread - * is partway through open(). So make sure that this - * fd is available to the new process. - */ __clear_open_fd(open_files - i, new_fdt); } rcu_assign_pointer(*new_fds++, f); @@ -625,7 +633,7 @@ static struct file *pick_file(struct files_struct *files, unsigned fd) return NULL; fd = array_index_nospec(fd, fdt->max_fds); - file = fdt->fd[fd]; + file = rcu_dereference_raw(fdt->fd[fd]); if (file) { rcu_assign_pointer(fdt->fd[fd], NULL); __put_unused_fd(files, fd); @@ -1093,7 +1101,7 @@ __releases(&files->file_lock) */ fdt = files_fdtable(files); fd = array_index_nospec(fd, fdt->max_fds); - tofree = fdt->fd[fd]; + tofree = rcu_dereference_raw(fdt->fd[fd]); if (!tofree && fd_is_open(fd, fdt)) goto Ebusy; get_file(file); -- 2.39.5

2 months, 2 weeks

1
1
0 0

[PATCH AUTOSEL 6.6 1/2] fs: consistently deref the files table with rcu_dereference_raw()

by Sasha Levin

From: Mateusz Guzik <mjguzik(a)gmail.com> [ Upstream commit f381640e1bd4f2de7ccafbfe8703d33c3718aad9 ] ... except when the table is known to be only used by one thread. A file pointer can get installed at any moment despite the ->file_lock being held since the following: 8a81252b774b53e6 ("fs/file.c: don't acquire files->file_lock in fd_install()") Accesses subject to such a race can in principle suffer load tearing. While here redo the comment in dup_fd -- it only covered a race against files showing up, still assuming fd_install() takes the lock. Signed-off-by: Mateusz Guzik <mjguzik(a)gmail.com> Link: https://lore.kernel.org/r/20250313135725.1320914-1-mjguzik@gmail.com Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/file.c | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/fs/file.c b/fs/file.c index a178efc8cf4b5..f8cf6728c6a03 100644 --- a/fs/file.c +++ b/fs/file.c @@ -362,17 +362,25 @@ struct files_struct *dup_fd(struct files_struct *oldf, struct fd_range *punch_ho old_fds = old_fdt->fd; new_fds = new_fdt->fd; + /* + * We may be racing against fd allocation from other threads using this + * files_struct, despite holding ->file_lock. + * + * alloc_fd() might have already claimed a slot, while fd_install() + * did not populate it yet. Note the latter operates locklessly, so + * the file can show up as we are walking the array below. + * + * At the same time we know no files will disappear as all other + * operations take the lock. + * + * Instead of trying to placate userspace racing with itself, we + * ref the file if we see it and mark the fd slot as unused otherwise. + */ for (i = open_files; i != 0; i--) { - struct file *f = *old_fds++; + struct file *f = rcu_dereference_raw(*old_fds++); if (f) { get_file(f); } else { - /* - * The fd may be claimed in the fd bitmap but not yet - * instantiated in the files array if a sibling thread - * is partway through open(). So make sure that this - * fd is available to the new process. - */ __clear_open_fd(open_files - i, new_fdt); } rcu_assign_pointer(*new_fds++, f); @@ -625,7 +633,7 @@ static struct file *pick_file(struct files_struct *files, unsigned fd) return NULL; fd = array_index_nospec(fd, fdt->max_fds); - file = fdt->fd[fd]; + file = rcu_dereference_raw(fdt->fd[fd]); if (file) { rcu_assign_pointer(fdt->fd[fd], NULL); __put_unused_fd(files, fd); @@ -1095,7 +1103,7 @@ __releases(&files->file_lock) */ fdt = files_fdtable(files); fd = array_index_nospec(fd, fdt->max_fds); - tofree = fdt->fd[fd]; + tofree = rcu_dereference_raw(fdt->fd[fd]); if (!tofree && fd_is_open(fd, fdt)) goto Ebusy; get_file(file); -- 2.39.5

2 months, 2 weeks

1
1
0 0

[PATCH AUTOSEL 6.12 1/2] fs: consistently deref the files table with rcu_dereference_raw()

by Sasha Levin

From: Mateusz Guzik <mjguzik(a)gmail.com> [ Upstream commit f381640e1bd4f2de7ccafbfe8703d33c3718aad9 ] ... except when the table is known to be only used by one thread. A file pointer can get installed at any moment despite the ->file_lock being held since the following: 8a81252b774b53e6 ("fs/file.c: don't acquire files->file_lock in fd_install()") Accesses subject to such a race can in principle suffer load tearing. While here redo the comment in dup_fd -- it only covered a race against files showing up, still assuming fd_install() takes the lock. Signed-off-by: Mateusz Guzik <mjguzik(a)gmail.com> Link: https://lore.kernel.org/r/20250313135725.1320914-1-mjguzik@gmail.com Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/file.c | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/fs/file.c b/fs/file.c index 4cb952541dd03..b6fb6d18ac3b9 100644 --- a/fs/file.c +++ b/fs/file.c @@ -367,17 +367,25 @@ struct files_struct *dup_fd(struct files_struct *oldf, struct fd_range *punch_ho old_fds = old_fdt->fd; new_fds = new_fdt->fd; + /* + * We may be racing against fd allocation from other threads using this + * files_struct, despite holding ->file_lock. + * + * alloc_fd() might have already claimed a slot, while fd_install() + * did not populate it yet. Note the latter operates locklessly, so + * the file can show up as we are walking the array below. + * + * At the same time we know no files will disappear as all other + * operations take the lock. + * + * Instead of trying to placate userspace racing with itself, we + * ref the file if we see it and mark the fd slot as unused otherwise. + */ for (i = open_files; i != 0; i--) { - struct file *f = *old_fds++; + struct file *f = rcu_dereference_raw(*old_fds++); if (f) { get_file(f); } else { - /* - * The fd may be claimed in the fd bitmap but not yet - * instantiated in the files array if a sibling thread - * is partway through open(). So make sure that this - * fd is available to the new process. - */ __clear_open_fd(open_files - i, new_fdt); } rcu_assign_pointer(*new_fds++, f); @@ -637,7 +645,7 @@ struct file *file_close_fd_locked(struct files_struct *files, unsigned fd) return NULL; fd = array_index_nospec(fd, fdt->max_fds); - file = fdt->fd[fd]; + file = rcu_dereference_raw(fdt->fd[fd]); if (file) { rcu_assign_pointer(fdt->fd[fd], NULL); __put_unused_fd(files, fd); @@ -1219,7 +1227,7 @@ __releases(&files->file_lock) */ fdt = files_fdtable(files); fd = array_index_nospec(fd, fdt->max_fds); - tofree = fdt->fd[fd]; + tofree = rcu_dereference_raw(fdt->fd[fd]); if (!tofree && fd_is_open(fd, fdt)) goto Ebusy; get_file(file); -- 2.39.5

2 months, 2 weeks

1
1
0 0

[PATCH AUTOSEL 6.13 1/2] fs: consistently deref the files table with rcu_dereference_raw()

by Sasha Levin

From: Mateusz Guzik <mjguzik(a)gmail.com> [ Upstream commit f381640e1bd4f2de7ccafbfe8703d33c3718aad9 ] ... except when the table is known to be only used by one thread. A file pointer can get installed at any moment despite the ->file_lock being held since the following: 8a81252b774b53e6 ("fs/file.c: don't acquire files->file_lock in fd_install()") Accesses subject to such a race can in principle suffer load tearing. While here redo the comment in dup_fd -- it only covered a race against files showing up, still assuming fd_install() takes the lock. Signed-off-by: Mateusz Guzik <mjguzik(a)gmail.com> Link: https://lore.kernel.org/r/20250313135725.1320914-1-mjguzik@gmail.com Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/file.c | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/fs/file.c b/fs/file.c index 25c6e53b03f8f..97e2a9e09b70c 100644 --- a/fs/file.c +++ b/fs/file.c @@ -418,17 +418,25 @@ struct files_struct *dup_fd(struct files_struct *oldf, struct fd_range *punch_ho old_fds = old_fdt->fd; new_fds = new_fdt->fd; + /* + * We may be racing against fd allocation from other threads using this + * files_struct, despite holding ->file_lock. + * + * alloc_fd() might have already claimed a slot, while fd_install() + * did not populate it yet. Note the latter operates locklessly, so + * the file can show up as we are walking the array below. + * + * At the same time we know no files will disappear as all other + * operations take the lock. + * + * Instead of trying to placate userspace racing with itself, we + * ref the file if we see it and mark the fd slot as unused otherwise. + */ for (i = open_files; i != 0; i--) { - struct file *f = *old_fds++; + struct file *f = rcu_dereference_raw(*old_fds++); if (f) { get_file(f); } else { - /* - * The fd may be claimed in the fd bitmap but not yet - * instantiated in the files array if a sibling thread - * is partway through open(). So make sure that this - * fd is available to the new process. - */ __clear_open_fd(open_files - i, new_fdt); } rcu_assign_pointer(*new_fds++, f); @@ -679,7 +687,7 @@ struct file *file_close_fd_locked(struct files_struct *files, unsigned fd) return NULL; fd = array_index_nospec(fd, fdt->max_fds); - file = fdt->fd[fd]; + file = rcu_dereference_raw(fdt->fd[fd]); if (file) { rcu_assign_pointer(fdt->fd[fd], NULL); __put_unused_fd(files, fd); @@ -1245,7 +1253,7 @@ __releases(&files->file_lock) */ fdt = files_fdtable(files); fd = array_index_nospec(fd, fdt->max_fds); - tofree = fdt->fd[fd]; + tofree = rcu_dereference_raw(fdt->fd[fd]); if (!tofree && fd_is_open(fd, fdt)) goto Ebusy; get_file(file); -- 2.39.5

2 months, 2 weeks

1
1
0 0

[PATCH AUTOSEL 6.14 1/2] fs: consistently deref the files table with rcu_dereference_raw()

by Sasha Levin

From: Mateusz Guzik <mjguzik(a)gmail.com> [ Upstream commit f381640e1bd4f2de7ccafbfe8703d33c3718aad9 ] ... except when the table is known to be only used by one thread. A file pointer can get installed at any moment despite the ->file_lock being held since the following: 8a81252b774b53e6 ("fs/file.c: don't acquire files->file_lock in fd_install()") Accesses subject to such a race can in principle suffer load tearing. While here redo the comment in dup_fd -- it only covered a race against files showing up, still assuming fd_install() takes the lock. Signed-off-by: Mateusz Guzik <mjguzik(a)gmail.com> Link: https://lore.kernel.org/r/20250313135725.1320914-1-mjguzik@gmail.com Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/file.c | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/fs/file.c b/fs/file.c index d868cdb95d1e7..1ba03662ae66f 100644 --- a/fs/file.c +++ b/fs/file.c @@ -418,17 +418,25 @@ struct files_struct *dup_fd(struct files_struct *oldf, struct fd_range *punch_ho old_fds = old_fdt->fd; new_fds = new_fdt->fd; + /* + * We may be racing against fd allocation from other threads using this + * files_struct, despite holding ->file_lock. + * + * alloc_fd() might have already claimed a slot, while fd_install() + * did not populate it yet. Note the latter operates locklessly, so + * the file can show up as we are walking the array below. + * + * At the same time we know no files will disappear as all other + * operations take the lock. + * + * Instead of trying to placate userspace racing with itself, we + * ref the file if we see it and mark the fd slot as unused otherwise. + */ for (i = open_files; i != 0; i--) { - struct file *f = *old_fds++; + struct file *f = rcu_dereference_raw(*old_fds++); if (f) { get_file(f); } else { - /* - * The fd may be claimed in the fd bitmap but not yet - * instantiated in the files array if a sibling thread - * is partway through open(). So make sure that this - * fd is available to the new process. - */ __clear_open_fd(open_files - i, new_fdt); } rcu_assign_pointer(*new_fds++, f); @@ -679,7 +687,7 @@ struct file *file_close_fd_locked(struct files_struct *files, unsigned fd) return NULL; fd = array_index_nospec(fd, fdt->max_fds); - file = fdt->fd[fd]; + file = rcu_dereference_raw(fdt->fd[fd]); if (file) { rcu_assign_pointer(fdt->fd[fd], NULL); __put_unused_fd(files, fd); @@ -1237,7 +1245,7 @@ __releases(&files->file_lock) */ fdt = files_fdtable(files); fd = array_index_nospec(fd, fdt->max_fds); - tofree = fdt->fd[fd]; + tofree = rcu_dereference_raw(fdt->fd[fd]); if (!tofree && fd_is_open(fd, fdt)) goto Ebusy; get_file(file); -- 2.39.5

2 months, 2 weeks

1
1
0 0

[PATCH] accel/ivpu: Fix warning in ivpu_ipc_send_receive_internal()

by Maciej Falkowski

From: Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> Warn if device is suspended only when runtime PM is enabled. Runtime PM is disabled during reset/recovery and it is not an error to use ivpu_ipc_send_receive_internal() in such cases. Fixes: 5eaa49741119 ("accel/ivpu: Prevent recovery invocation during probe and resume") Cc: <stable(a)vger.kernel.org> # v6.13+ Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> Signed-off-by: Maciej Falkowski <maciej.falkowski(a)linux.intel.com> --- drivers/accel/ivpu/ivpu_ipc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/accel/ivpu/ivpu_ipc.c b/drivers/accel/ivpu/ivpu_ipc.c index 0e096fd9b95d..39f83225c181 100644 --- a/drivers/accel/ivpu/ivpu_ipc.c +++ b/drivers/accel/ivpu/ivpu_ipc.c @@ -302,7 +302,8 @@ ivpu_ipc_send_receive_internal(struct ivpu_device *vdev, struct vpu_jsm_msg *req struct ivpu_ipc_consumer cons; int ret; - drm_WARN_ON(&vdev->drm, pm_runtime_status_suspended(vdev->drm.dev)); + drm_WARN_ON(&vdev->drm, pm_runtime_status_suspended(vdev->drm.dev) && + pm_runtime_enabled(vdev->drm.dev)); ivpu_ipc_consumer_add(vdev, &cons, channel, NULL); -- 2.43.0

2 months, 2 weeks

3
2
0 0

[PATCH 6.6 00/75] 6.6.85-rc3 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.85 release. There are 75 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun, 30 Mar 2025 14:49:59 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.85-rc3… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.85-rc3 Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> netfilter: nft_counter: Use u64_stats_t for statistic. Benjamin Berg <benjamin.berg(a)intel.com> wifi: iwlwifi: mvm: ensure offloading TID queue exists Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: iwlwifi: support BIOS override for 5G9 in CA also in LARI version 8 Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix receive ring space parameters when XDP is active Josef Bacik <josef(a)toxicpanda.com> btrfs: make sure that WRITTEN is set on all metadata blocks Dietmar Eggemann <dietmar.eggemann(a)arm.com> Revert "sched/core: Reduce cost of sched_move_task when config autogroup" Justin Klaassen <justin(a)tidylabs.net> arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Eagerly switch ZCR_EL{1,2} Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Mark some header functions as inline Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Refactor exit handlers Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Remove VHE host restore of CPACR_EL1.SMEN Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Remove VHE host restore of CPACR_EL1.ZEN Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Remove host FPSIMD saving for non-protected KVM Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state Fuad Tabba <tabba(a)google.com> KVM: arm64: Calculate cptr_el2 traps on activating traps Arthur Mongodin <amongodin(a)randorisec.fr> mptcp: Fix data stream corruption in the address announcement Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix incorrect validation for num_aces field of smb_acl Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Use HW lock mgr for PSR1 when only one eDP Martin Tsai <martin.tsai(a)amd.com> drm/amd/display: should support dmub hw lock on Replay David Rosca <david.rosca(a)amd.com> drm/amdgpu: Fix JPEG video caps max size for navi1x and raven David Rosca <david.rosca(a)amd.com> drm/amdgpu: Fix MPEG2, MPEG4 and VC1 video caps max size qianyi liu <liuqianyi125(a)gmail.com> drm/sched: Fix fence reference count leak Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() Saranya R <quic_sarar(a)quicinc.com> soc: qcom: pdr: Fix the potential deadlock Sven Eckelmann <sven(a)narfation.org> batman-adv: Ignore own maximum aggregation size during RX Gavrilov Ilia <Ilia.Gavrilov(a)infotecs.ru> xsk: fix an integer overflow in xp_create_and_assign_umem() Ard Biesheuvel <ardb(a)kernel.org> efi/libstub: Avoid physical address 0x0 when doing random allocation Geert Uytterhoeven <geert+renesas(a)glider.be> ARM: shmobile: smp: Enforce shmobile_smp_* alignment Stefan Eichenberger <stefan.eichenberger(a)toradex.com> ARM: dts: imx6qdl-apalis: Fix poweroff on Apalis iMX6 Ye Bin <yebin10(a)huawei.com> proc: fix UAF in proc_get_inode() Zi Yan <ziy(a)nvidia.com> mm/migrate: fix shmem xarray update during migration Raphael S. Carvalho <raphaelsc(a)scylladb.com> mm: fix error handling in __filemap_get_folio() with FGP_NOWAIT Gu Bowen <gubowen5(a)huawei.com> mmc: atmel-mci: Add missing clk_disable_unprepare() Kamal Dasu <kamal.dasu(a)broadcom.com> mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: fix pinmux of UART0 for PX30 Ringneck on Haikou Stefan Eichenberger <stefan.eichenberger(a)toradex.com> arm64: dts: freescale: imx8mm-verdin-dahlia: add Microphone Jack to sound card Stefan Eichenberger <stefan.eichenberger(a)toradex.com> arm64: dts: freescale: imx8mp-verdin-dahlia: add Microphone Jack to sound card Dan Carpenter <dan.carpenter(a)linaro.org> accel/qaic: Fix integer overflow in qaic_validate_req() Christian Eggers <ceggers(a)arri.de> regulator: check that dummy regulator has been probed before using it Christian Eggers <ceggers(a)arri.de> regulator: dummy: force synchronous probing E Shattow <e(a)freeshell.de> riscv: dts: starfive: Fix a typo in StarFive JH7110 pin function definitions Maíra Canal <mcanal(a)igalia.com> drm/v3d: Don't run jobs that have errors flagged in its fence Haibo Chen <haibo.chen(a)nxp.com> can: flexcan: disable transceiver during system PM Haibo Chen <haibo.chen(a)nxp.com> can: flexcan: only change CAN state when link up in system PM Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> can: ucan: fix out of bound read in strscpy() source Biju Das <biju.das.jz(a)bp.renesas.com> can: rcar_canfd: Fix page entries in the AFL list Andreas Kemnade <andreas(a)kemnade.info> i2c: omap: fix IRQ storms Guillaume Nault <gnault(a)redhat.com> Revert "gre: Fix IPv6 link-local address generation." Lin Ma <linma(a)zju.edu.cn> net/neighbor: add missing policy for NDTPA_QUEUE_LENBYTES Justin Iurman <justin.iurman(a)uliege.be> net: lwtunnel: fix recursion loops Dan Carpenter <dan.carpenter(a)linaro.org> net: atm: fix use after free in lec_send() Kuniyuki Iwashima <kuniyu(a)amazon.com> ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create(). Kuniyuki Iwashima <kuniyu(a)amazon.com> ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw(). David Lechner <dlechner(a)baylibre.com> ARM: davinci: da850: fix selecting ARCH_DAVINCI_DA8XX Jeffrey Hugo <quic_jhugo(a)quicinc.com> accel/qaic: Fix possible data corruption in BOs > 2G Arkadiusz Bokowy <arkadiusz.bokowy(a)gmail.com> Bluetooth: hci_event: Fix connection regression between LE and non-LE adapters Dan Carpenter <dan.carpenter(a)linaro.org> Bluetooth: Fix error code in chan_alloc_skb_cb() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix wrong value of max_sge_rd Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix a missing rollback in error path of hns_roce_create_qp_common() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix unmatched condition in error path of alloc_user_qp_db() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix soft lockup during bt pages loop Saravanan Vajravel <saravanan.vajravel(a)broadcom.com> RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path Phil Elwell <phil(a)raspberrypi.com> ARM: dts: bcm2711: Don't mark timer regs unconfigured Arnd Bergmann <arnd(a)arndb.de> ARM: OMAP1: select CONFIG_GENERIC_IRQ_CHIP Qasim Ijaz <qasdev00(a)gmail.com> RDMA/mlx5: Handle errors returned from mlx5r_ib_rate() Kashyap Desai <kashyap.desai(a)broadcom.com> RDMA/bnxt_re: Add missing paranthesis in map_qp_id_to_tbl_indx Yao Zi <ziyao(a)disroot.org> arm64: dts: rockchip: Remove undocumented sdmmc property from lubancat-1 Phil Elwell <phil(a)raspberrypi.com> ARM: dts: bcm2711: PL011 UARTs are actually r1p5 Peng Fan <peng.fan(a)nxp.com> soc: imx8m: Unregister cpufreq and soc dev in cleanup path Marek Vasut <marex(a)denx.de> soc: imx8m: Use devm_* to simplify probe failure handling Marek Vasut <marex(a)denx.de> soc: imx8m: Remove global soc_uid Cosmin Ratiu <cratiu(a)nvidia.com> xfrm_output: Force software GSO only in tunnel mode Alexandre Cassen <acassen(a)corp.free.fr> xfrm: fix tunnel mode TX datapath in packet offload mode Alexander Stein <alexander.stein(a)ew.tq-group.com> arm64: dts: freescale: tqma8mpql: Fix vqmmc-supply Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> firmware: imx-scu: fix OF node leak in .probe() ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/broadcom/bcm2711.dtsi | 11 +- arch/arm/boot/dts/nxp/imx/imx6qdl-apalis.dtsi | 10 +- arch/arm/mach-davinci/Kconfig | 1 + arch/arm/mach-omap1/Kconfig | 1 + arch/arm/mach-shmobile/headsmp.S | 1 + .../boot/dts/freescale/imx8mm-verdin-dahlia.dtsi | 6 +- .../arm64/boot/dts/freescale/imx8mp-tqma8mpql.dtsi | 16 +-- .../boot/dts/freescale/imx8mp-verdin-dahlia.dtsi | 6 +- .../boot/dts/rockchip/px30-ringneck-haikou.dts | 2 + arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dts | 2 +- arch/arm64/boot/dts/rockchip/rk3566-lubancat-1.dts | 1 - arch/arm64/include/asm/kvm_host.h | 7 +- arch/arm64/include/asm/kvm_hyp.h | 1 + arch/arm64/kernel/fpsimd.c | 25 ---- arch/arm64/kvm/arm.c | 1 - arch/arm64/kvm/fpsimd.c | 89 +++--------- arch/arm64/kvm/hyp/entry.S | 5 + arch/arm64/kvm/hyp/include/hyp/switch.h | 106 ++++++++++----- arch/arm64/kvm/hyp/nvhe/hyp-main.c | 15 +- arch/arm64/kvm/hyp/nvhe/pkvm.c | 29 +--- arch/arm64/kvm/hyp/nvhe/switch.c | 112 ++++++++++----- arch/arm64/kvm/hyp/vhe/switch.c | 13 +- arch/arm64/kvm/reset.c | 3 + arch/riscv/boot/dts/starfive/jh7110-pinfunc.h | 2 +- drivers/accel/qaic/qaic_data.c | 9 +- drivers/firmware/efi/libstub/randomalloc.c | 4 + drivers/firmware/imx/imx-scu.c | 1 + drivers/gpu/drm/amd/amdgpu/nv.c | 20 +-- drivers/gpu/drm/amd/amdgpu/soc15.c | 20 +-- drivers/gpu/drm/amd/amdgpu/vi.c | 36 ++--- .../gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c | 15 ++ drivers/gpu/drm/radeon/radeon_vce.c | 2 +- drivers/gpu/drm/scheduler/sched_entity.c | 11 +- drivers/gpu/drm/v3d/v3d_sched.c | 9 +- drivers/i2c/busses/i2c-omap.c | 26 +--- drivers/infiniband/hw/bnxt_re/qplib_fp.c | 2 - drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 3 +- drivers/infiniband/hw/hns/hns_roce_hem.c | 16 ++- drivers/infiniband/hw/hns/hns_roce_main.c | 2 +- drivers/infiniband/hw/hns/hns_roce_qp.c | 10 +- drivers/infiniband/hw/mlx5/ah.c | 14 +- drivers/mmc/host/atmel-mci.c | 4 +- drivers/mmc/host/sdhci-brcmstb.c | 10 ++ drivers/net/can/flexcan/flexcan-core.c | 18 ++- drivers/net/can/rcar/rcar_canfd.c | 28 ++-- drivers/net/can/usb/ucan.c | 43 +++--- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 +- drivers/net/wireless/intel/iwlwifi/fw/file.h | 4 +- drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 9 +- drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 37 ++++- drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 28 ++++ drivers/net/wireless/intel/iwlwifi/mvm/sta.h | 3 +- drivers/regulator/core.c | 12 +- drivers/regulator/dummy.c | 2 +- drivers/soc/imx/soc-imx8m.c | 151 ++++++++++----------- drivers/soc/qcom/pdr_interface.c | 8 +- fs/btrfs/tree-checker.c | 30 ++-- fs/btrfs/tree-checker.h | 1 + fs/proc/generic.c | 10 +- fs/proc/inode.c | 6 +- fs/proc/internal.h | 14 ++ fs/smb/server/smbacl.c | 5 +- include/linux/proc_fs.h | 7 +- include/net/bluetooth/hci.h | 2 +- kernel/sched/core.c | 22 +-- mm/filemap.c | 13 +- mm/migrate.c | 10 +- net/atm/lec.c | 3 +- net/batman-adv/bat_iv_ogm.c | 3 +- net/batman-adv/bat_v_ogm.c | 3 +- net/bluetooth/6lowpan.c | 7 +- net/core/lwtunnel.c | 65 +++++++-- net/core/neighbour.c | 1 + net/ipv6/addrconf.c | 15 +- net/ipv6/route.c | 5 +- net/mptcp/options.c | 6 +- net/netfilter/nft_counter.c | 90 ++++++------ net/xdp/xsk_buff_pool.c | 2 +- net/xfrm/xfrm_output.c | 43 +++++- 80 files changed, 799 insertions(+), 600 deletions(-)

2 months, 2 weeks

5
4
0 0

[PATCH v2 2/8] landlock: Add the errata interface

by Mickaël Salaün

Some fixes may require user space to check if they are applied on the running kernel before using a specific feature. For instance, this applies when a restriction was previously too restrictive and is now getting relaxed (e.g. for compatibility reasons). However, non-visible changes for legitimate use (e.g. security fixes) do not require an erratum. Because fixes are backported down to a specific Landlock ABI, we need a way to avoid cherry-pick conflicts. The solution is to only update a file related to the lower ABI impacted by this issue. All the ABI files are then used to create a bitmask of fixes. The new errata interface is similar to the one used to get the supported Landlock ABI version, but it returns a bitmask instead because the order of fixes may not match the order of versions, and not all fixes may apply to all versions. The actual errata will come with dedicated commits. The description is not actually used in the code but serves as documentation. Create the landlock_abi_version symbol and use its value to check errata consistency. Update test_base's create_ruleset_checks_ordering tests and add errata tests. This commit is backportable down to the first version of Landlock. Fixes: 3532b0b4352c ("landlock: Enable user space to infer supported features") Cc: Günther Noack <gnoack(a)google.com> Cc: stable(a)vger.kernel.org Signed-off-by: Mickaël Salaün <mic(a)digikod.net> Link: https://lore.kernel.org/r/20250318161443.279194-3-mic@digikod.net --- Changes since v1: - New patch. --- include/uapi/linux/landlock.h | 2 + security/landlock/errata.h | 87 ++++++++++++++++++++ security/landlock/setup.c | 30 +++++++ security/landlock/setup.h | 3 + security/landlock/syscalls.c | 22 ++++- tools/testing/selftests/landlock/base_test.c | 38 ++++++++- 6 files changed, 177 insertions(+), 5 deletions(-) create mode 100644 security/landlock/errata.h diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h index e1d2c27533b4..8806a132d7b8 100644 --- a/include/uapi/linux/landlock.h +++ b/include/uapi/linux/landlock.h @@ -57,9 +57,11 @@ struct landlock_ruleset_attr { * * - %LANDLOCK_CREATE_RULESET_VERSION: Get the highest supported Landlock ABI * version. + * - %LANDLOCK_CREATE_RULESET_ERRATA: Get a bitmask of fixed issues. */ /* clang-format off */ #define LANDLOCK_CREATE_RULESET_VERSION (1U << 0) +#define LANDLOCK_CREATE_RULESET_ERRATA (1U << 1) /* clang-format on */ /** diff --git a/security/landlock/errata.h b/security/landlock/errata.h new file mode 100644 index 000000000000..f26b28b9873d --- /dev/null +++ b/security/landlock/errata.h @@ -0,0 +1,87 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * Landlock - Errata information + * + * Copyright © 2025 Microsoft Corporation + */ + +#ifndef _SECURITY_LANDLOCK_ERRATA_H +#define _SECURITY_LANDLOCK_ERRATA_H + +#include <linux/init.h> + +struct landlock_erratum { + const int abi; + const u8 number; +}; + +/* clang-format off */ +#define LANDLOCK_ERRATUM(NUMBER) \ + { \ + .abi = LANDLOCK_ERRATA_ABI, \ + .number = NUMBER, \ + }, +/* clang-format on */ + +/* + * Some fixes may require user space to check if they are applied on the running + * kernel before using a specific feature. For instance, this applies when a + * restriction was previously too restrictive and is now getting relaxed (for + * compatibility or semantic reasons). However, non-visible changes for + * legitimate use (e.g. security fixes) do not require an erratum. + */ +static const struct landlock_erratum landlock_errata_init[] __initconst = { + +/* + * Only Sparse may not implement __has_include. If a compiler does not + * implement __has_include, a warning will be printed at boot time (see + * setup.c). + */ +#ifdef __has_include + +#define LANDLOCK_ERRATA_ABI 1 +#if __has_include("errata/abi-1.h") +#include "errata/abi-1.h" +#endif +#undef LANDLOCK_ERRATA_ABI + +#define LANDLOCK_ERRATA_ABI 2 +#if __has_include("errata/abi-2.h") +#include "errata/abi-2.h" +#endif +#undef LANDLOCK_ERRATA_ABI + +#define LANDLOCK_ERRATA_ABI 3 +#if __has_include("errata/abi-3.h") +#include "errata/abi-3.h" +#endif +#undef LANDLOCK_ERRATA_ABI + +#define LANDLOCK_ERRATA_ABI 4 +#if __has_include("errata/abi-4.h") +#include "errata/abi-4.h" +#endif +#undef LANDLOCK_ERRATA_ABI + +/* + * For each new erratum, we need to include all the ABI files up to the impacted + * ABI to make all potential future intermediate errata easy to backport. + * + * If such change involves more than one ABI addition, then it must be in a + * dedicated commit with the same Fixes tag as used for the actual fix. + * + * Each commit creating a new security/landlock/errata/abi-*.h file must have a + * Depends-on tag to reference the commit that previously added the line to + * include this new file, except if the original Fixes tag is enough. + * + * Each erratum must be documented in its related ABI file, and a dedicated + * commit must update Documentation/userspace-api/landlock.rst to include this + * erratum. This commit will not be backported. + */ + +#endif + + {} +}; + +#endif /* _SECURITY_LANDLOCK_ERRATA_H */ diff --git a/security/landlock/setup.c b/security/landlock/setup.c index c71832a8e369..0c85ea27e409 100644 --- a/security/landlock/setup.c +++ b/security/landlock/setup.c @@ -6,12 +6,14 @@ * Copyright © 2018-2020 ANSSI */ +#include <linux/bits.h> #include <linux/init.h> #include <linux/lsm_hooks.h> #include <uapi/linux/lsm.h> #include "common.h" #include "cred.h" +#include "errata.h" #include "fs.h" #include "net.h" #include "setup.h" @@ -31,8 +33,36 @@ struct lsm_blob_sizes landlock_blob_sizes __ro_after_init = { .lbs_superblock = sizeof(struct landlock_superblock_security), }; +int landlock_errata __ro_after_init; + +static void __init compute_errata(void) +{ + size_t i; + +#ifndef __has_include + /* + * This is a safeguard to make sure the compiler implements + * __has_include (see errata.h). + */ + WARN_ON_ONCE(1); + return; +#endif + + for (i = 0; landlock_errata_init[i].number; i++) { + const int prev_errata = landlock_errata; + + if (WARN_ON_ONCE(landlock_errata_init[i].abi > + landlock_abi_version)) + continue; + + landlock_errata |= BIT(landlock_errata_init[i].number - 1); + WARN_ON_ONCE(prev_errata == landlock_errata); + } +} + static int __init landlock_init(void) { + compute_errata(); landlock_add_cred_hooks(); landlock_add_task_hooks(); landlock_add_fs_hooks(); diff --git a/security/landlock/setup.h b/security/landlock/setup.h index c4252d46d49d..fca307c35fee 100644 --- a/security/landlock/setup.h +++ b/security/landlock/setup.h @@ -11,7 +11,10 @@ #include <linux/lsm_hooks.h> +extern const int landlock_abi_version; + extern bool landlock_initialized; +extern int landlock_errata; extern struct lsm_blob_sizes landlock_blob_sizes; extern const struct lsm_id landlock_lsmid; diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c index a9760d252fc2..cf9e0483e542 100644 --- a/security/landlock/syscalls.c +++ b/security/landlock/syscalls.c @@ -160,7 +160,9 @@ static const struct file_operations ruleset_fops = { * the new ruleset. * @size: Size of the pointed &struct landlock_ruleset_attr (needed for * backward and forward compatibility). - * @flags: Supported value: %LANDLOCK_CREATE_RULESET_VERSION. + * @flags: Supported value: + * - %LANDLOCK_CREATE_RULESET_VERSION + * - %LANDLOCK_CREATE_RULESET_ERRATA * * This system call enables to create a new Landlock ruleset, and returns the * related file descriptor on success. @@ -169,6 +171,10 @@ static const struct file_operations ruleset_fops = { * 0, then the returned value is the highest supported Landlock ABI version * (starting at 1). * + * If @flags is %LANDLOCK_CREATE_RULESET_ERRATA and @attr is NULL and @size is + * 0, then the returned value is a bitmask of fixed issues for the current + * Landlock ABI version. + * * Possible returned errors are: * * - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time; @@ -192,9 +198,15 @@ SYSCALL_DEFINE3(landlock_create_ruleset, return -EOPNOTSUPP; if (flags) { - if ((flags == LANDLOCK_CREATE_RULESET_VERSION) && !attr && - !size) - return LANDLOCK_ABI_VERSION; + if (attr || size) + return -EINVAL; + + if (flags == LANDLOCK_CREATE_RULESET_VERSION) + return landlock_abi_version; + + if (flags == LANDLOCK_CREATE_RULESET_ERRATA) + return landlock_errata; + return -EINVAL; } @@ -235,6 +247,8 @@ SYSCALL_DEFINE3(landlock_create_ruleset, return ruleset_fd; } +const int landlock_abi_version = LANDLOCK_ABI_VERSION; + /* * Returns an owned ruleset from a FD. It is thus needed to call * landlock_put_ruleset() on the return value. diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/selftests/landlock/base_test.c index 1bc16fde2e8a..c0abadd0bbbe 100644 --- a/tools/testing/selftests/landlock/base_test.c +++ b/tools/testing/selftests/landlock/base_test.c @@ -98,10 +98,46 @@ TEST(abi_version) ASSERT_EQ(EINVAL, errno); } +TEST(errata) +{ + const struct landlock_ruleset_attr ruleset_attr = { + .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE, + }; + int errata; + + errata = landlock_create_ruleset(NULL, 0, + LANDLOCK_CREATE_RULESET_ERRATA); + /* The errata bitmask will not be backported to tests. */ + ASSERT_LE(0, errata); + TH_LOG("errata: 0x%x", errata); + + ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 0, + LANDLOCK_CREATE_RULESET_ERRATA)); + ASSERT_EQ(EINVAL, errno); + + ASSERT_EQ(-1, landlock_create_ruleset(NULL, sizeof(ruleset_attr), + LANDLOCK_CREATE_RULESET_ERRATA)); + ASSERT_EQ(EINVAL, errno); + + ASSERT_EQ(-1, + landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), + LANDLOCK_CREATE_RULESET_ERRATA)); + ASSERT_EQ(EINVAL, errno); + + ASSERT_EQ(-1, landlock_create_ruleset( + NULL, 0, + LANDLOCK_CREATE_RULESET_VERSION | + LANDLOCK_CREATE_RULESET_ERRATA)); + ASSERT_EQ(-1, landlock_create_ruleset(NULL, 0, + LANDLOCK_CREATE_RULESET_ERRATA | + 1 << 31)); + ASSERT_EQ(EINVAL, errno); +} + /* Tests ordering of syscall argument checks. */ TEST(create_ruleset_checks_ordering) { - const int last_flag = LANDLOCK_CREATE_RULESET_VERSION; + const int last_flag = LANDLOCK_CREATE_RULESET_ERRATA; const int invalid_flag = last_flag << 1; int ruleset_fd; const struct landlock_ruleset_attr ruleset_attr = { -- 2.48.1

2 months, 2 weeks

2
2
0 0

[PATCH v6] i3c: Add NULL pointer check in i3c_master_queue_ibi()

by Manjunatha Venkatesh

The I3C master driver may receive an IBI from a target device that has not been probed yet. In such cases, the master calls `i3c_master_queue_ibi()` to queue an IBI work task, leading to "Unable to handle kernel read from unreadable memory" and resulting in a kernel panic. Typical IBI handling flow: 1. The I3C master scans target devices and probes their respective drivers. 2. The target device driver calls `i3c_device_request_ibi()` to enable IBI and assigns `dev->ibi = ibi`. 3. The I3C master receives an IBI from the target device and calls `i3c_master_queue_ibi()` to queue the target device driver’s IBI handler task. However, since target device events are asynchronous to the I3C probe sequence, step 3 may occur before step 2, causing `dev->ibi` to be `NULL`, leading to a kernel panic. Add a NULL pointer check in `i3c_master_queue_ibi()` to prevent accessing an uninitialized `dev->ibi`, ensuring stability. Fixes: 3a379bbcea0af ("i3c: Add core I3C infrastructure") Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/lkml/Z9gjGYudiYyl3bSe@lizhi-Precision-Tower-5810/ Signed-off-by: Manjunatha Venkatesh <manjunatha.venkatesh(a)nxp.com> --- Changes since v5: - Updated subject and commit message with some more information. drivers/i3c/master.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c index d5dc4180afbc..c65006aa0684 100644 --- a/drivers/i3c/master.c +++ b/drivers/i3c/master.c @@ -2561,6 +2561,9 @@ static void i3c_master_unregister_i3c_devs(struct i3c_master_controller *master) */ void i3c_master_queue_ibi(struct i3c_dev_desc *dev, struct i3c_ibi_slot *slot) { + if (!dev->ibi || !slot) + return; + atomic_inc(&dev->ibi->pending_ibis); queue_work(dev->ibi->wq, &slot->work); } -- 2.46.1

2 months, 2 weeks

3
2
0 0

[PATCH RESEND] fsi/core: fix error handling in fsi_slave_init()

by Ma Ke

Once cdev_device_add() failed, we should use put_device() to decrement reference count for cleanup. Or it could cause memory leak. Although operations in err_free_ida are similar to the operations in callback function fsi_slave_release(), put_device() is a correct handling operation as comments require when cdev_device_add() fails. As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 371975b0b075 ("fsi/core: Fix error paths on CFAM init") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/fsi/fsi-core.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/fsi/fsi-core.c b/drivers/fsi/fsi-core.c index e2e1e9df6115..1373e05e3659 100644 --- a/drivers/fsi/fsi-core.c +++ b/drivers/fsi/fsi-core.c @@ -1084,7 +1084,8 @@ static int fsi_slave_init(struct fsi_master *master, int link, uint8_t id) rc = cdev_device_add(&slave->cdev, &slave->dev); if (rc) { dev_err(&slave->dev, "Error %d creating slave device\n", rc); - goto err_free_ida; + put_device(&slave->dev); + return rc; } /* Now that we have the cdev registered with the core, any fatal @@ -1110,8 +1111,6 @@ static int fsi_slave_init(struct fsi_master *master, int link, uint8_t id) return 0; -err_free_ida: - fsi_free_minor(slave->dev.devt); err_free: of_node_put(slave->dev.of_node); kfree(slave); -- 2.25.1

2 months, 2 weeks

1
0
0 0

[PATCH 1/2] cifs: fix integer overflow in match_server()

by Roman Smirnov

The echo_interval is not limited in any way during mounting, which makes it possible to write a large number to it. This can cause an overflow when multiplying ctx->echo_interval by HZ in match_server(). Add constraints for echo_interval to smb3_fs_context_parse_param(). Found by Linux Verification Center (linuxtesting.org) with Svace. Fixes: adfeb3e00e8e1 ("cifs: Make echo interval tunable") Cc: stable(a)vger.kernel.org Signed-off-by: Roman Smirnov <r.smirnov(a)omp.ru> --- fs/smb/client/fs_context.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c index 8c73d4d60d1a..e38521a713a6 100644 --- a/fs/smb/client/fs_context.c +++ b/fs/smb/client/fs_context.c @@ -1377,6 +1377,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, ctx->closetimeo = HZ * result.uint_32; break; case Opt_echo_interval: + if (result.uint_32 < SMB_ECHO_INTERVAL_MIN || + result.uint_32 > SMB_ECHO_INTERVAL_MAX) { + cifs_errorf(fc, "echo interval is out of bounds\n"); + goto cifs_parse_mount_err; + } ctx->echo_interval = result.uint_32; break; case Opt_snapshot: -- 2.34.1

2 months, 2 weeks

1
0
0 0

[PATCH 3/3] can: kvaser_pciefd: Continue parsing DMA buf after dropped RX

by Axel Forsman

Going bus-off on a channel doing RX could result in dropped packets. As netif_running() gets cleared before the channel abort procedure, the handling of any last RDATA packets would see netif_rx() return non-zero to signal a dropped packet. kvaser_pciefd_read_buffer() dealt with this "error" by breaking out of processing the remaining DMA RX buffer. Only return an error from kvaser_pciefd_read_buffer() due to packet corruption, otherwise handle it internally. Cc: stable(a)vger.kernel.org Signed-off-by: Axel Forsman <axfo(a)kvaser.com> Tested-by: Jimmy Assarsson <extja(a)kvaser.com> Reviewed-by: Jimmy Assarsson <extja(a)kvaser.com> --- drivers/net/can/kvaser_pciefd.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/net/can/kvaser_pciefd.c b/drivers/net/can/kvaser_pciefd.c index 6251a1ddfa7e..1f4004204fa8 100644 --- a/drivers/net/can/kvaser_pciefd.c +++ b/drivers/net/can/kvaser_pciefd.c @@ -1216,7 +1216,7 @@ static int kvaser_pciefd_handle_data_packet(struct kvaser_pciefd *pcie, skb = alloc_canfd_skb(priv->dev, &cf); if (!skb) { priv->dev->stats.rx_dropped++; - return -ENOMEM; + return 0; } cf->len = can_fd_dlc2len(dlc); @@ -1228,7 +1228,7 @@ static int kvaser_pciefd_handle_data_packet(struct kvaser_pciefd *pcie, skb = alloc_can_skb(priv->dev, (struct can_frame **)&cf); if (!skb) { priv->dev->stats.rx_dropped++; - return -ENOMEM; + return 0; } can_frame_set_cc_len((struct can_frame *)cf, dlc, priv->ctrlmode); } @@ -1246,7 +1246,9 @@ static int kvaser_pciefd_handle_data_packet(struct kvaser_pciefd *pcie, priv->dev->stats.rx_packets++; kvaser_pciefd_set_skb_timestamp(pcie, skb, p->timestamp); - return netif_rx(skb); + netif_rx(skb); + + return 0; } static void kvaser_pciefd_change_state(struct kvaser_pciefd_can *can, -- 2.47.2

2 months, 2 weeks

1
0
0 0

[PATCH RESEND] ocfs2: Validate chain list bits per cluster to prevent div-by-zero

by Qasim Ijaz

The call trace shows that the div error occurs on the following line where the code sets the e_cpos member of the extent record while dividing bg_bits by the bits per cluster value from the chain list: rec->e_cpos = cpu_to_le32(le16_to_cpu(bg->bg_bits) / le16_to_cpu(cl->cl_bpc)); Looking at the code disassembly we see the problem occurred during the divw instruction which performs a 16-bit unsigned divide operation. The main ways a divide error can occur is if: 1) the divisor is 0 2) if the quotient is too large for the designated register (overflow). Normally the divisor being 0 is the most common cause for a division error to occur. Focusing on the bits per cluster cl->cl_bpc (since it is the divisor) we see that cl is created in ocfs2_block_group_alloc(), cl is derived from ocfs2_dinode->id2.i_chain. To fix this issue we should verify the cl_bpc member in the chain list to ensure it is valid and non-zero. Looking through the rest of the OCFS2 code it seems like there are other places which could benefit from improved checks of the cl_bpc members of chain lists like the following: In ocfs2_group_extend(): cl_bpc = le16_to_cpu(fe->id2.i_chain.cl_bpc); if (le16_to_cpu(group->bg_bits) / cl_bpc + new_clusters > le16_to_cpu(fe->id2.i_chain.cl_cpg)) { ret = -EINVAL; goto out_unlock; } Reported-by: syzbot <syzbot+e41e83af7a07a4df8051(a)syzkaller.appspotmail.com> Closes: https://syzkaller.appspot.com/bug?extid=e41e83af7a07a4df8051 Cc: stable(a)vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> --- fs/ocfs2/resize.c | 4 ++-- fs/ocfs2/suballoc.c | 5 +++++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/fs/ocfs2/resize.c b/fs/ocfs2/resize.c index b0733c08ed13..22352c027ecd 100644 --- a/fs/ocfs2/resize.c +++ b/fs/ocfs2/resize.c @@ -329,8 +329,8 @@ int ocfs2_group_extend(struct inode * inode, int new_clusters) group = (struct ocfs2_group_desc *)group_bh->b_data; cl_bpc = le16_to_cpu(fe->id2.i_chain.cl_bpc); - if (le16_to_cpu(group->bg_bits) / cl_bpc + new_clusters > - le16_to_cpu(fe->id2.i_chain.cl_cpg)) { + if (!cl_bpc || le16_to_cpu(group->bg_bits) / cl_bpc + new_clusters > + le16_to_cpu(fe->id2.i_chain.cl_cpg)) { ret = -EINVAL; goto out_unlock; } diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c index f7b483f0de2a..844cb36bd7ab 100644 --- a/fs/ocfs2/suballoc.c +++ b/fs/ocfs2/suballoc.c @@ -671,6 +671,11 @@ static int ocfs2_block_group_alloc(struct ocfs2_super *osb, BUG_ON(ocfs2_is_cluster_bitmap(alloc_inode)); cl = &fe->id2.i_chain; + if (!le16_to_cpu(cl->cl_bpc)) { + status = -EINVAL; + goto bail; + } + status = ocfs2_reserve_clusters_with_limit(osb, le16_to_cpu(cl->cl_cpg), max_block, flags, &ac); -- 2.39.5

2 months, 2 weeks

2
1
0 0

[PATCH] iio: light: opt3001: fix deadlock due to concurrent flag access

by Luca Ceresoli

The threaded IRQ function in this driver is reading the flag twice: once to lock a mutex and once to unlock it. Even though the code setting the flag is designed to prevent it, there are subtle cases where the flag could be true at the mutex_lock stage and false at the mutex_unlock stage. This results in the mutex not being unlocked, resulting in a deadlock. Fix it by making the opt3001_irq() code generally more robust, reading the flag into a variable and using the variable value at both stages. Fixes: 94a9b7b1809f ("iio: light: add support for TI's opt3001 light sensor") Cc: stable(a)vger.kernel.org Signed-off-by: Luca Ceresoli <luca.ceresoli(a)bootlin.com> --- drivers/iio/light/opt3001.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/iio/light/opt3001.c b/drivers/iio/light/opt3001.c index 65b295877b41588d40234ca7681bfee291e937c2..393a3d2fbe1d7320a243d3b6720e98b90f17baca 100644 --- a/drivers/iio/light/opt3001.c +++ b/drivers/iio/light/opt3001.c @@ -788,8 +788,9 @@ static irqreturn_t opt3001_irq(int irq, void *_iio) int ret; bool wake_result_ready_queue = false; enum iio_chan_type chan_type = opt->chip_info->chan_type; + bool ok_to_ignore_lock = opt->ok_to_ignore_lock; - if (!opt->ok_to_ignore_lock) + if (!ok_to_ignore_lock) mutex_lock(&opt->lock); ret = i2c_smbus_read_word_swapped(opt->client, OPT3001_CONFIGURATION); @@ -826,7 +827,7 @@ static irqreturn_t opt3001_irq(int irq, void *_iio) } out: - if (!opt->ok_to_ignore_lock) + if (!ok_to_ignore_lock) mutex_unlock(&opt->lock); if (wake_result_ready_queue) --- base-commit: 250a4b882cf37d9719874253f055aad211f2c317 change-id: 20250321-opt3001-irq-fix-f7eecd4e2e9c Best regards, -- Luca Ceresoli <luca.ceresoli(a)bootlin.com>

2 months, 2 weeks

2
1
0 0

[CI] drm/xe: Invalidate L3 read-only cachelines for geometry streams too

by Rodrigo Vivi

From: Kenneth Graunke <kenneth(a)whitecape.org> Historically, the Vertex Fetcher unit has not been an L3 client. That meant that, when a buffer containing vertex data was written to, it was necessary to issue a PIPE_CONTROL::VF Cache Invalidate to invalidate any VF L2 cachelines associated with that buffer, so the new value would be properly read from memory. Since Tigerlake and later, VERTEX_BUFFER_STATE and 3DSTATE_INDEX_BUFFER have included an "L3 Bypass Enable" bit which userspace drivers can set to request that the vertex fetcher unit snoop L3. However, unlike most true L3 clients, the "VF Cache Invalidate" bit continues to only invalidate the VF L2 cache - and not any associated L3 lines. To handle that, PIPE_CONTROL has a new "L3 Read Only Cache Invalidation Bit", which according to the docs, "controls the invalidation of the Geometry streams cached in L3 cache at the top of the pipe." In other words, the vertex and index buffer data that gets cached in L3 when "L3 Bypass Disable" is set. Mesa always sets L3 Bypass Disable so that the VF unit snoops L3, and whenever it issues a VF Cache Invalidate, it also issues a L3 Read Only Cache Invalidate so that both L2 and L3 vertex data is invalidated. xe is issuing VF cache invalidates too (which handles cases like CPU writes to a buffer between GPU batches). Because userspace may enable L3 snooping, it needs to issue an L3 Read Only Cache Invalidate as well. Fixes significant flickering in Firefox on Meteorlake, which was writing to vertex buffers via the CPU between batches; the missing L3 Read Only invalidates were causing the vertex fetcher to read stale data from L3. References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/4460 Cc: stable(a)vger.kernel.org # v6.13+ Signed-off-by: Kenneth Graunke <kenneth(a)whitecape.org> Reviewed-by: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Signed-off-by: Rodrigo Vivi <rodrigo.vivi(a)intel.com> --- drivers/gpu/drm/xe/instructions/xe_gpu_commands.h | 1 + drivers/gpu/drm/xe/xe_ring_ops.c | 13 +++++++++---- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/xe/instructions/xe_gpu_commands.h b/drivers/gpu/drm/xe/instructions/xe_gpu_commands.h index a255946b6f77..8cfcd3360896 100644 --- a/drivers/gpu/drm/xe/instructions/xe_gpu_commands.h +++ b/drivers/gpu/drm/xe/instructions/xe_gpu_commands.h @@ -41,6 +41,7 @@ #define GFX_OP_PIPE_CONTROL(len) ((0x3<<29)|(0x3<<27)|(0x2<<24)|((len)-2)) +#define PIPE_CONTROL0_L3_READ_ONLY_CACHE_INVALIDATE BIT(10) /* gen12 */ #define PIPE_CONTROL0_HDC_PIPELINE_FLUSH BIT(9) /* gen12 */ #define PIPE_CONTROL_COMMAND_CACHE_INVALIDATE (1<<29) diff --git a/drivers/gpu/drm/xe/xe_ring_ops.c b/drivers/gpu/drm/xe/xe_ring_ops.c index 917fc16de866..a7582b097ae6 100644 --- a/drivers/gpu/drm/xe/xe_ring_ops.c +++ b/drivers/gpu/drm/xe/xe_ring_ops.c @@ -137,7 +137,8 @@ emit_pipe_control(u32 *dw, int i, u32 bit_group_0, u32 bit_group_1, u32 offset, static int emit_pipe_invalidate(u32 mask_flags, bool invalidate_tlb, u32 *dw, int i) { - u32 flags = PIPE_CONTROL_CS_STALL | + u32 flags0 = 0; + u32 flags1 = PIPE_CONTROL_CS_STALL | PIPE_CONTROL_COMMAND_CACHE_INVALIDATE | PIPE_CONTROL_INSTRUCTION_CACHE_INVALIDATE | PIPE_CONTROL_TEXTURE_CACHE_INVALIDATE | @@ -148,11 +149,15 @@ static int emit_pipe_invalidate(u32 mask_flags, bool invalidate_tlb, u32 *dw, PIPE_CONTROL_STORE_DATA_INDEX; if (invalidate_tlb) - flags |= PIPE_CONTROL_TLB_INVALIDATE; + flags1 |= PIPE_CONTROL_TLB_INVALIDATE; - flags &= ~mask_flags; + flags1 &= ~mask_flags; - return emit_pipe_control(dw, i, 0, flags, LRC_PPHWSP_FLUSH_INVAL_SCRATCH_ADDR, 0); + if (flags1 & PIPE_CONTROL_VF_CACHE_INVALIDATE) + flags0 |= PIPE_CONTROL0_L3_READ_ONLY_CACHE_INVALIDATE; + + return emit_pipe_control(dw, i, flags0, flags1, + LRC_PPHWSP_FLUSH_INVAL_SCRATCH_ADDR, 0); } static int emit_store_imm_ppgtt_posted(u64 addr, u64 value, -- 2.49.0

2 months, 2 weeks

1
0
0 0

[PATCH v3 1/2] serial: sifive: lock port in startup()/shutdown() callbacks

by Ryo Takakura

startup()/shutdown() callbacks access SIFIVE_SERIAL_IE_OFFS. The register is also accessed from write() callback. If console were printing and startup()/shutdown() callback gets called, its access to the register could be overwritten. Add port->lock to startup()/shutdown() callbacks to make sure their access to SIFIVE_SERIAL_IE_OFFS is synchronized against write() callback. Signed-off-by: Ryo Takakura <ryotkkr98(a)gmail.com> Cc: stable(a)vger.kernel.org --- drivers/tty/serial/sifive.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/tty/serial/sifive.c b/drivers/tty/serial/sifive.c index 5904a2d4c..054a8e630 100644 --- a/drivers/tty/serial/sifive.c +++ b/drivers/tty/serial/sifive.c @@ -563,8 +563,11 @@ static void sifive_serial_break_ctl(struct uart_port *port, int break_state) static int sifive_serial_startup(struct uart_port *port) { struct sifive_serial_port *ssp = port_to_sifive_serial_port(port); + unsigned long flags; + uart_port_lock_irqsave(&ssp->port, &flags); __ssp_enable_rxwm(ssp); + uart_port_unlock_irqrestore(&ssp->port, flags); return 0; } @@ -572,9 +575,12 @@ static int sifive_serial_startup(struct uart_port *port) static void sifive_serial_shutdown(struct uart_port *port) { struct sifive_serial_port *ssp = port_to_sifive_serial_port(port); + unsigned long flags; + uart_port_lock_irqsave(&ssp->port, &flags); __ssp_disable_rxwm(ssp); __ssp_disable_txwm(ssp); + uart_port_unlock_irqrestore(&ssp->port, flags); } /** -- 2.34.1

2 months, 2 weeks

1
0
0 0

[PATCH v2 1/2] serial: sifive: lock port in startup()/shutdown() callbacks

by Ryo Takakura

startup()/shutdown() callbacks access SIFIVE_SERIAL_IE_OFFS. The register is also accessed from write() callback. If console were printing and startup()/shutdown() callback gets called, its access to the register could be overwritten. Add port->lock to startup()/shutdown() callbacks to make sure their access to SIFIVE_SERIAL_IE_OFFS is synchronized against write() callback. Signed-off-by: Ryo Takakura <ryotkkr98(a)gmail.com> --- drivers/tty/serial/sifive.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/tty/serial/sifive.c b/drivers/tty/serial/sifive.c index 5904a2d4c..054a8e630 100644 --- a/drivers/tty/serial/sifive.c +++ b/drivers/tty/serial/sifive.c @@ -563,8 +563,11 @@ static void sifive_serial_break_ctl(struct uart_port *port, int break_state) static int sifive_serial_startup(struct uart_port *port) { struct sifive_serial_port *ssp = port_to_sifive_serial_port(port); + unsigned long flags; + uart_port_lock_irqsave(&ssp->port, &flags); __ssp_enable_rxwm(ssp); + uart_port_unlock_irqrestore(&ssp->port, flags); return 0; } @@ -572,9 +575,12 @@ static int sifive_serial_startup(struct uart_port *port) static void sifive_serial_shutdown(struct uart_port *port) { struct sifive_serial_port *ssp = port_to_sifive_serial_port(port); + unsigned long flags; + uart_port_lock_irqsave(&ssp->port, &flags); __ssp_disable_rxwm(ssp); __ssp_disable_txwm(ssp); + uart_port_unlock_irqrestore(&ssp->port, flags); } /** -- 2.34.1

2 months, 2 weeks

3
4
0 0

[PATCH RESEND#2 5.10.y] KEYS: asymmetric: properly validate hash_algo and encoding

by Sergey Shtylyov

From: Eric Biggers <ebiggers(a)google.com> [ Upstream commit 590bfb57b2328951d5833979e7ca1d5fde2e609a ] It is insecure to allow arbitrary hash algorithms and signature encodings to be used with arbitrary signature algorithms. Notably, ECDSA, ECRDSA, and SM2 all sign/verify raw hash values and don't disambiguate between different hash algorithms like RSA PKCS#1 v1.5 padding does. Therefore, they need to be restricted to certain sets of hash algorithms (ideally just one, but in practice small sets are used). Additionally, the encoding is an integral part of modern signature algorithms, and is not supposed to vary. Therefore, tighten the checks of hash_algo and encoding done by software_key_determine_akcipher(). Also rearrange the parameters to software_key_determine_akcipher() to put the public_key first, as this is the most important parameter and it often determines everything else. [s.shtylyov(a)omp.ru: removed the ECDSA related code.] Fixes: 299f561a6693 ("x509: Add support for parsing x509 certs with ECDSA keys") Fixes: 215525639631 ("X.509: support OSCCA SM2-with-SM3 certificate verification") Fixes: 0d7a78643f69 ("crypto: ecrdsa - add EC-RDSA (GOST 34.10) algorithm") Cc: stable(a)vger.kernel.org Tested-by: Stefan Berger <stefanb(a)linux.ibm.com> Tested-by: Tianjia Zhang <tianjia.zhang(a)linux.alibaba.com> Signed-off-by: Eric Biggers <ebiggers(a)google.com> Reviewed-by: Vitaly Chikunov <vt(a)altlinux.org> Reviewed-by: Jarkko Sakkinen <jarkko(a)kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru> --- Re-sending with LKML added and testers moved from the To: to Cc:... Re-sending again with the correct stable ML address... crypto/asymmetric_keys/public_key.c | 92 ++++++++++++++++++++++-------------- 1 file changed, 58 insertions(+), 34 deletions(-) Index: linux-stable/crypto/asymmetric_keys/public_key.c =================================================================== --- linux-stable.orig/crypto/asymmetric_keys/public_key.c +++ linux-stable/crypto/asymmetric_keys/public_key.c @@ -59,38 +59,65 @@ static void public_key_destroy(void *pay } /* - * Determine the crypto algorithm name. + * Given a public_key, and an encoding and hash_algo to be used for signing + * and/or verification with that key, determine the name of the corresponding + * akcipher algorithm. Also check that encoding and hash_algo are allowed. */ -static -int software_key_determine_akcipher(const char *encoding, - const char *hash_algo, - const struct public_key *pkey, - char alg_name[CRYPTO_MAX_ALG_NAME]) +static int +software_key_determine_akcipher(const struct public_key *pkey, + const char *encoding, const char *hash_algo, + char alg_name[CRYPTO_MAX_ALG_NAME]) { int n; - if (strcmp(encoding, "pkcs1") == 0) { - /* The data wangled by the RSA algorithm is typically padded - * and encoded in some manner, such as EMSA-PKCS1-1_5 [RFC3447 - * sec 8.2]. + if (!encoding) + return -EINVAL; + + if (strcmp(pkey->pkey_algo, "rsa") == 0) { + /* + * RSA signatures usually use EMSA-PKCS1-1_5 [RFC3447 sec 8.2]. */ + if (strcmp(encoding, "pkcs1") == 0) { + if (!hash_algo) + n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME, + "pkcs1pad(%s)", + pkey->pkey_algo); + else + n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME, + "pkcs1pad(%s,%s)", + pkey->pkey_algo, hash_algo); + return n >= CRYPTO_MAX_ALG_NAME ? -EINVAL : 0; + } + if (strcmp(encoding, "raw") != 0) + return -EINVAL; + /* + * Raw RSA cannot differentiate between different hash + * algorithms. + */ + if (hash_algo) + return -EINVAL; + } else if (strcmp(pkey->pkey_algo, "sm2") == 0) { + if (strcmp(encoding, "raw") != 0) + return -EINVAL; if (!hash_algo) - n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME, - "pkcs1pad(%s)", - pkey->pkey_algo); - else - n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME, - "pkcs1pad(%s,%s)", - pkey->pkey_algo, hash_algo); - return n >= CRYPTO_MAX_ALG_NAME ? -EINVAL : 0; - } - - if (strcmp(encoding, "raw") == 0) { - strcpy(alg_name, pkey->pkey_algo); - return 0; + return -EINVAL; + if (strcmp(hash_algo, "sm3") != 0) + return -EINVAL; + } else if (strcmp(pkey->pkey_algo, "ecrdsa") == 0) { + if (strcmp(encoding, "raw") != 0) + return -EINVAL; + if (!hash_algo) + return -EINVAL; + if (strcmp(hash_algo, "streebog256") != 0 && + strcmp(hash_algo, "streebog512") != 0) + return -EINVAL; + } else { + /* Unknown public key algorithm */ + return -ENOPKG; } - - return -ENOPKG; + if (strscpy(alg_name, pkey->pkey_algo, CRYPTO_MAX_ALG_NAME) < 0) + return -EINVAL; + return 0; } static u8 *pkey_pack_u32(u8 *dst, u32 val) @@ -111,9 +138,8 @@ static int software_key_query(const stru u8 *key, *ptr; int ret, len; - ret = software_key_determine_akcipher(params->encoding, - params->hash_algo, - pkey, alg_name); + ret = software_key_determine_akcipher(pkey, params->encoding, + params->hash_algo, alg_name); if (ret < 0) return ret; @@ -177,9 +203,8 @@ static int software_key_eds_op(struct ke pr_devel("==>%s()\n", __func__); - ret = software_key_determine_akcipher(params->encoding, - params->hash_algo, - pkey, alg_name); + ret = software_key_determine_akcipher(pkey, params->encoding, + params->hash_algo, alg_name); if (ret < 0) return ret; @@ -328,9 +353,8 @@ int public_key_verify_signature(const st BUG_ON(!sig); BUG_ON(!sig->s); - ret = software_key_determine_akcipher(sig->encoding, - sig->hash_algo, - pkey, alg_name); + ret = software_key_determine_akcipher(pkey, sig->encoding, + sig->hash_algo, alg_name); if (ret < 0) return ret;

2 months, 2 weeks

1
0
0 0

Re: [PATCH RESEND 5.10.y] KEYS: asymmetric: properly validate hash_algo and encoding

by Sergey Shtylyov

Hello! Ugh, just realized that I managed to get the stable address wrong -- another resend needed... :-/ MBR, Sergey

2 months, 2 weeks

1
0
0 0

[PATCH V2] USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02)

by Huacai Chen

The OHCI controller (rev 0x02) under LS7A PCI host has a hardware flaw. MMIO register with offset 0x60/0x64 is treated as legacy PS2-compatible keyboard/mouse interface, which confuse the OHCI controller. Since OHCI only use a 4KB BAR resource indeed, the LS7A OHCI controller's 32KB BAR is wrapped around (the second 4KB BAR space is the same as the first 4KB internally). So we can add an 4KB offset (0x1000) to the OHCI registers (from the PCI BAR resource) as a quirk. Cc: stable(a)vger.kernel.org Suggested-by: Bjorn Helgaas <bhelgaas(a)google.com> Tested-by: Mingcong Bai <baimingcong(a)loongson.cn> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- V2: add a comment explaining why the quirk is needed and how it fixes. drivers/usb/host/ohci-pci.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/drivers/usb/host/ohci-pci.c b/drivers/usb/host/ohci-pci.c index 900ea0d368e0..bd90b2fed51b 100644 --- a/drivers/usb/host/ohci-pci.c +++ b/drivers/usb/host/ohci-pci.c @@ -165,6 +165,24 @@ static int ohci_quirk_amd700(struct usb_hcd *hcd) return 0; } +static int ohci_quirk_loongson(struct usb_hcd *hcd) +{ + struct pci_dev *pdev = to_pci_dev(hcd->self.controller); + + /* + * Loongson's LS7A OHCI controller (rev 0x02) has a + * flaw. MMIO register with offset 0x60/64 is treated + * as legacy PS2-compatible keyboard/mouse interface. + * Since OHCI only use 4KB BAR resource, LS7A OHCI's + * 32KB BAR is wrapped around (the 2nd 4KB BAR space + * is the same as the 1st 4KB internally). So add 4KB + * offset (0x1000) to the OHCI registers as a quirk. + */ + hcd->regs += (pdev->revision == 0x2) ? 0x1000 : 0x0; + + return 0; +} + static int ohci_quirk_qemu(struct usb_hcd *hcd) { struct ohci_hcd *ohci = hcd_to_ohci(hcd); @@ -224,6 +242,10 @@ static const struct pci_device_id ohci_pci_quirks[] = { PCI_DEVICE(PCI_VENDOR_ID_ATI, 0x4399), .driver_data = (unsigned long)ohci_quirk_amd700, }, + { + PCI_DEVICE(PCI_VENDOR_ID_LOONGSON, 0x7a24), + .driver_data = (unsigned long)ohci_quirk_loongson, + }, { .vendor = PCI_VENDOR_ID_APPLE, .device = 0x003f, -- 2.47.1

2 months, 2 weeks

3
3
0 0

[PATCH] exfat: fix potential wrong error return from get_block

by Sungjong Seo

If there is no error, get_block() should return 0. However, when bh_read() returns 1, get_block() also returns 1 in the same manner. Let's set err to 0, if there is no error from bh_read() Fixes: 11a347fb6cef ("exfat: change to get file size from DataLength") Cc: stable(a)vger.kernel.org Signed-off-by: Sungjong Seo <sj1557.seo(a)samsung.com> --- fs/exfat/inode.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/exfat/inode.c b/fs/exfat/inode.c index f3fdba9f4d21..a23677de4544 100644 --- a/fs/exfat/inode.c +++ b/fs/exfat/inode.c @@ -391,6 +391,8 @@ static int exfat_get_block(struct inode *inode, sector_t iblock, /* Zero unwritten part of a block */ memset(bh_result->b_data + size, 0, bh_result->b_size - size); + + err = 0; } else { /* * The range has not been written, clear the mapped flag -- 2.25.1

2 months, 2 weeks

3
2
0 0

[PATCH v11 05/14] drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready

by Aradhya Bhatia

From: Aradhya Bhatia <a-bhatia1(a)ti.com> Once the DSI Link and DSI Phy are initialized, the code needs to wait for Clk and Data Lanes to be ready, before continuing configuration. This is in accordance with the DSI Start-up procedure, found in the Technical Reference Manual of Texas Instrument's J721E SoC[0] which houses this DSI TX controller. If the previous bridge (or crtc/encoder) are configured pre-maturely, the input signal FIFO gets corrupt. This introduces a color-shift on the display. Allow the driver to wait for the clk and data lanes to get ready during DSI enable. [0]: See section 12.6.5.7.3 "Start-up Procedure" in J721E SoC TRM TRM Link: http://www.ti.com/lit/pdf/spruil1 Fixes: e19233955d9e ("drm/bridge: Add Cadence DSI driver") Cc: stable(a)vger.kernel.org Tested-by: Dominik Haller <d.haller(a)phytec.de> Reviewed-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> Tested-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> Signed-off-by: Aradhya Bhatia <a-bhatia1(a)ti.com> Signed-off-by: Aradhya Bhatia <aradhya.bhatia(a)linux.dev> --- drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c b/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c index 741d676b8266..93c3d5f1651d 100644 --- a/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c +++ b/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c @@ -776,7 +776,7 @@ static void cdns_dsi_bridge_atomic_enable(struct drm_bridge *bridge, struct drm_connector *connector; unsigned long tx_byte_period; struct cdns_dsi_cfg dsi_cfg; - u32 tmp, reg_wakeup, div; + u32 tmp, reg_wakeup, div, status; int nlanes; if (WARN_ON(pm_runtime_get_sync(dsi->base.dev) < 0)) @@ -796,6 +796,19 @@ static void cdns_dsi_bridge_atomic_enable(struct drm_bridge *bridge, cdns_dsi_hs_init(dsi); cdns_dsi_init_link(dsi); + /* + * Now that the DSI Link and DSI Phy are initialized, + * wait for the CLK and Data Lanes to be ready. + */ + tmp = CLK_LANE_RDY; + for (int i = 0; i < nlanes; i++) + tmp |= DATA_LANE_RDY(i); + + if (readl_poll_timeout(dsi->regs + MCTL_MAIN_STS, status, + (tmp == (status & tmp)), 100, 500000)) + dev_err(dsi->base.dev, + "Timed Out: DSI-DPhy Clock and Data Lanes not ready.\n"); + writel(HBP_LEN(dsi_cfg.hbp) | HSA_LEN(dsi_cfg.hsa), dsi->regs + VID_HSIZE1); writel(HFP_LEN(dsi_cfg.hfp) | HACT_LEN(dsi_cfg.hact), -- 2.34.1

2 months, 2 weeks

1
0
0 0

[PATCH v11 04/14] drm/bridge: cdns-dsi: Check return value when getting default PHY config

by Aradhya Bhatia

From: Aradhya Bhatia <a-bhatia1(a)ti.com> Check for the return value of the phy_mipi_dphy_get_default_config() call, and in case of an error, return back the same. Fixes: fced5a364dee ("drm/bridge: cdns: Convert to phy framework") Cc: stable(a)vger.kernel.org Reviewed-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Tested-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> Signed-off-by: Aradhya Bhatia <a-bhatia1(a)ti.com> Signed-off-by: Aradhya Bhatia <aradhya.bhatia(a)linux.dev> --- drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c b/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c index 02613ba7a05b..741d676b8266 100644 --- a/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c +++ b/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c @@ -575,9 +575,11 @@ static int cdns_dsi_check_conf(struct cdns_dsi *dsi, if (ret) return ret; - phy_mipi_dphy_get_default_config(mode_clock * 1000, - mipi_dsi_pixel_format_to_bpp(output->dev->format), - nlanes, phy_cfg); + ret = phy_mipi_dphy_get_default_config(mode_clock * 1000, + mipi_dsi_pixel_format_to_bpp(output->dev->format), + nlanes, phy_cfg); + if (ret) + return ret; ret = cdns_dsi_adjust_phy_config(dsi, dsi_cfg, phy_cfg, mode, mode_valid_check); if (ret) -- 2.34.1

2 months, 2 weeks

1
0
0 0

[PATCH v11 03/14] drm/bridge: cdns-dsi: Fix the clock variable for mode_valid()

by Aradhya Bhatia

From: Aradhya Bhatia <a-bhatia1(a)ti.com> The crtc_* mode parameters do not get generated (duplicated in this case) from the regular parameters before the mode validation phase begins. The rest of the code conditionally uses the crtc_* parameters only during the bridge enable phase, but sticks to the regular parameters for mode validation. In this singular instance, however, the driver tries to use the crtc_clock parameter even during the mode validation, causing the validation to fail. Allow the D-Phy config checks to use mode->clock instead of mode->crtc_clock during mode_valid checks, like everywhere else in the driver. Fixes: fced5a364dee ("drm/bridge: cdns: Convert to phy framework") Cc: stable(a)vger.kernel.org Reviewed-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Tested-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> Signed-off-by: Aradhya Bhatia <a-bhatia1(a)ti.com> Signed-off-by: Aradhya Bhatia <aradhya.bhatia(a)linux.dev> --- drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c b/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c index 3b15528713fe..02613ba7a05b 100644 --- a/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c +++ b/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c @@ -568,13 +568,14 @@ static int cdns_dsi_check_conf(struct cdns_dsi *dsi, struct phy_configure_opts_mipi_dphy *phy_cfg = &output->phy_opts.mipi_dphy; unsigned long dsi_hss_hsa_hse_hbp; unsigned int nlanes = output->dev->lanes; + int mode_clock = (mode_valid_check ? mode->clock : mode->crtc_clock); int ret; ret = cdns_dsi_mode2cfg(dsi, mode, dsi_cfg, mode_valid_check); if (ret) return ret; - phy_mipi_dphy_get_default_config(mode->crtc_clock * 1000, + phy_mipi_dphy_get_default_config(mode_clock * 1000, mipi_dsi_pixel_format_to_bpp(output->dev->format), nlanes, phy_cfg); -- 2.34.1

2 months, 2 weeks

1
0
0 0

[PATCH v11 02/14] drm/bridge: cdns-dsi: Fix phy de-init and flag it so

by Aradhya Bhatia

From: Aradhya Bhatia <a-bhatia1(a)ti.com> The driver code doesn't have a Phy de-initialization path as yet, and so it does not clear the phy_initialized flag while suspending. This is a problem because after resume the driver looks at this flag to determine if a Phy re-initialization is required or not. It is in fact required because the hardware is resuming from a suspend, but the driver does not carry out any re-initialization causing the D-Phy to not work at all. Call the counterparts of phy_init() and phy_power_on(), that are phy_exit() and phy_power_off(), from _bridge_post_disable(), and clear the flags so that the Phy can be initialized again when required. Fixes: fced5a364dee ("drm/bridge: cdns: Convert to phy framework") Cc: stable(a)vger.kernel.org Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Reviewed-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> Tested-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> Signed-off-by: Aradhya Bhatia <a-bhatia1(a)ti.com> Signed-off-by: Aradhya Bhatia <aradhya.bhatia(a)linux.dev> --- drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c b/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c index 1cfe17865b06..3b15528713fe 100644 --- a/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c +++ b/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c @@ -683,6 +683,11 @@ static void cdns_dsi_bridge_atomic_post_disable(struct drm_bridge *bridge, struct cdns_dsi_input *input = bridge_to_cdns_dsi_input(bridge); struct cdns_dsi *dsi = input_to_dsi(input); + dsi->phy_initialized = false; + dsi->link_initialized = false; + phy_power_off(dsi->dphy); + phy_exit(dsi->dphy); + pm_runtime_put(dsi->base.dev); } @@ -1166,7 +1171,6 @@ static int __maybe_unused cdns_dsi_suspend(struct device *dev) clk_disable_unprepare(dsi->dsi_sys_clk); clk_disable_unprepare(dsi->dsi_p_clk); reset_control_assert(dsi->dsi_p_rst); - dsi->link_initialized = false; return 0; } -- 2.34.1

2 months, 2 weeks

1
0
0 0

[PATCH v11 01/14] drm/bridge: cdns-dsi: Fix connecting to next bridge

by Aradhya Bhatia

From: Aradhya Bhatia <a-bhatia1(a)ti.com> Fix the OF node pointer passed to the of_drm_find_bridge() call to find the next bridge in the display chain. The code to find the next panel (and create its panel-bridge) works fine, but to find the next (non-panel) bridge does not. To find the next bridge in the pipeline, we need to pass "np" - the OF node pointer of the next entity in the devicetree chain. Passing "of_node" to of_drm_find_bridge (which is what the code does currently) will fetch the bridge for the cdns-dsi which is not what's required. Fix that. Fixes: e19233955d9e ("drm/bridge: Add Cadence DSI driver") Cc: stable(a)vger.kernel.org Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Reviewed-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> Tested-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> Signed-off-by: Aradhya Bhatia <a-bhatia1(a)ti.com> Signed-off-by: Aradhya Bhatia <aradhya.bhatia(a)linux.dev> --- drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c b/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c index 99d43944fb8f..1cfe17865b06 100644 --- a/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c +++ b/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c @@ -966,7 +966,7 @@ static int cdns_dsi_attach(struct mipi_dsi_host *host, bridge = drm_panel_bridge_add_typed(panel, DRM_MODE_CONNECTOR_DSI); } else { - bridge = of_drm_find_bridge(dev->dev.of_node); + bridge = of_drm_find_bridge(np); if (!bridge) bridge = ERR_PTR(-EINVAL); } -- 2.34.1

2 months, 2 weeks

1
0
0 0

[PATCH v2] mips: Add '-std=gnu11' to vdso CFLAGS

by Khem Raj

GCC 15 changed the default C standard dialect from gnu17 to gnu23, which should not have impacted the kernel because it explicitly requests the gnu11 standard in the main Makefile. However, mips/vdso code uses its own CFLAGS without a '-std=' value, which break with this dialect change because of the kernel's own definitions of bool, false, and true conflicting with the C23 reserved keywords. include/linux/stddef.h:11:9: error: cannot use keyword 'false' as enumeration constant 11 | false = 0, | ^~~~~ include/linux/stddef.h:11:9: note: 'false' is a keyword with '-std=c23' onwards include/linux/types.h:35:33: error: 'bool' cannot be defined via 'typedef' 35 | typedef _Bool bool; | ^~~~ include/linux/types.h:35:33: note: 'bool' is a keyword with '-std=c23' onwards Add '-std=gnu11' to the decompressor and purgatory CFLAGS to eliminate these errors and make the C standard version of these areas match the rest of the kernel. Signed-off-by: Khem Raj <raj.khem(a)gmail.com> Cc: stable(a)vger.kernel.org --- v2: Filter the -std flag from KBUILD_CFLAGS instead of hardcoding arch/mips/vdso/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/mips/vdso/Makefile b/arch/mips/vdso/Makefile index fb4c493aaffa..69d4593f64fe 100644 --- a/arch/mips/vdso/Makefile +++ b/arch/mips/vdso/Makefile @@ -27,6 +27,7 @@ endif # offsets. cflags-vdso := $(ccflags-vdso) \ $(filter -W%,$(filter-out -Wa$(comma)%,$(KBUILD_CFLAGS))) \ + $(filter -std=%,$(KBUILD_CFLAGS)) \ -O3 -g -fPIC -fno-strict-aliasing -fno-common -fno-builtin -G 0 \ -mrelax-pic-calls $(call cc-option, -mexplicit-relocs) \ -fno-stack-protector -fno-jump-tables -DDISABLE_BRANCH_PROFILING \

2 months, 2 weeks

3
2
0 0

Reply Request For Embedded World Exhibition 2025

by Frances Gross

Hi, I just wanted to check in and see if you had the chance to review my previous email regarding Embedded World Exhibition & Conference 2025. Looking forward to your reply. Kind regards, Frances Gross _____________________________________________________________________________________ From: Frances Gross Subject: Embedded World Exhibition & Conference 2025 Hi, We are offering the visitors contact list of Embedded World Exhibition & Conference 2025. We currently have 36,668 verified visitor contacts. Each contact contains: Contact Name, Job Title, Business Name, Physical Address, Phone Number, Official Email address, and many more. Let me know your interest so that I can share the pricing accordingly. Kind Regards, Frances Gross - Sr. Marketing Manager If you do not wish to receive this newsletter reply as "Not interested"

2 months, 2 weeks

1
0
0 0

[PATCH 1/2] drm/amd/display: Protect dml2_create()/dml2_copy()/dml2_create_copy()

by Huacai Chen

Commit 7da55c27e76749b9 ("drm/amd/display: Remove incorrect FP context start") removes the FP context protection of dml2_create(), and it said "All the DC_FP_START/END should be used before call anything from DML2". However, dml2_create()/dml2_copy()/dml2_create_copy() are not protected from their callers, causing such errors: do_fpu invoked from kernel context![#1]: CPU: 0 UID: 0 PID: 239 Comm: kworker/0:5 Not tainted 6.14.0-rc6+ #1 Workqueue: events work_for_cpu_fn pc ffff80000319de80 ra ffff80000319de5c tp 900000010575c000 sp 900000010575f840 a0 0000000000000000 a1 900000012f210130 a2 900000012f000000 a3 ffff80000357e268 a4 ffff80000357e260 a5 900000012ea52cf0 a6 0000000400000004 a7 0000012c00001388 t0 00001900000015e0 t1 ffff80000379d000 t2 0000000010624dd3 t3 0000006400000014 t4 00000000000003e8 t5 0000005000000018 t6 0000000000000020 t7 0000000f00000064 t8 000000000000002f u0 5f5e9200f8901912 s9 900000012d380010 s0 900000012ea51fd8 s1 900000012f000000 s2 9000000109296000 s3 0000000000000001 s4 0000000000001fd8 s5 0000000000000001 s6 ffff800003415000 s7 900000012d390000 s8 ffff800003211f80 ra: ffff80000319de5c dml21_apply_soc_bb_overrides+0x3c/0x960 [amdgpu] ERA: ffff80000319de80 dml21_apply_soc_bb_overrides+0x60/0x960 [amdgpu] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) PRMD: 00000004 (PPLV0 +PIE -PWE) EUEN: 00000000 (-FPE -SXE -ASXE -BTE) ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7) ESTAT: 000f0000 [FPD] (IS= ECode=15 EsubCode=0) PRID: 0014d010 (Loongson-64bit, Loongson-3C6000/S) Process kworker/0:5 (pid: 239, threadinfo=00000000927eadc6, task=000000008fd31682) Stack : 00040dc000003164 0000000000000001 900000012f210130 900000012eabeeb8 900000012f000000 ffff80000319fe48 900000012f210000 900000012f210130 900000012f000000 900000012eabeeb8 0000000000000001 ffff8000031a0064 900000010575f9f0 900000012f210130 900000012eac0000 900000012ea80000 900000012f000000 ffff8000031cefc4 900000010575f9f0 ffff8000035859c0 ffff800003414000 900000010575fa78 900000012f000000 ffff8000031b4c50 0000000000000000 9000000101c9d700 9000000109c40000 5f5e9200f8901912 900000012d3c4bd0 900000012d3c5000 ffff8000034aed18 900000012d380010 900000012d3c4bd0 ffff800003414000 900000012d380000 ffff800002ea49dc 0000000000000001 900000012d3c6000 00000000ffffe423 0000000000010000 ... Call Trace: [<ffff80000319de80>] dml21_apply_soc_bb_overrides+0x60/0x960 [amdgpu] [<ffff80000319fe44>] dml21_init+0xa4/0x280 [amdgpu] [<ffff8000031a0060>] dml21_create+0x40/0x80 [amdgpu] [<ffff8000031cefc0>] dc_state_create+0x100/0x160 [amdgpu] [<ffff8000031b4c4c>] dc_create+0x44c/0x640 [amdgpu] [<ffff800002ea49d8>] amdgpu_dm_init+0x3f8/0x2060 [amdgpu] [<ffff800002ea6658>] dm_hw_init+0x18/0x60 [amdgpu] [<ffff800002b16738>] amdgpu_device_init+0x1938/0x27e0 [amdgpu] [<ffff800002b18e80>] amdgpu_driver_load_kms+0x20/0xa0 [amdgpu] [<ffff800002b0c8f0>] amdgpu_pci_probe+0x1b0/0x580 [amdgpu] [<900000000448eae4>] local_pci_probe+0x44/0xc0 [<9000000003b02b18>] work_for_cpu_fn+0x18/0x40 [<9000000003b05da0>] process_one_work+0x160/0x300 [<9000000003b06718>] worker_thread+0x318/0x440 [<9000000003b11b8c>] kthread+0x12c/0x220 [<9000000003ac1484>] ret_from_kernel_thread+0x8/0xa4 So protect dml2_create()/dml2_copy()/dml2_create_copy() with DC_FP_START and DC_FP_END. Cc: stable(a)vger.kernel.org Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- drivers/gpu/drm/amd/display/dc/core/dc_state.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_state.c b/drivers/gpu/drm/amd/display/dc/core/dc_state.c index 1b2cce127981..6e2cac08002d 100644 --- a/drivers/gpu/drm/amd/display/dc/core/dc_state.c +++ b/drivers/gpu/drm/amd/display/dc/core/dc_state.c @@ -210,17 +210,23 @@ struct dc_state *dc_state_create(struct dc *dc, struct dc_state_create_params *p #ifdef CONFIG_DRM_AMD_DC_FP if (dc->debug.using_dml2) { + DC_FP_START(); + dml2_opt->use_clock_dc_limits = false; if (!dml2_create(dc, dml2_opt, &state->bw_ctx.dml2)) { + DC_FP_END(); dc_state_release(state); return NULL; } dml2_opt->use_clock_dc_limits = true; if (!dml2_create(dc, dml2_opt, &state->bw_ctx.dml2_dc_power_source)) { + DC_FP_END(); dc_state_release(state); return NULL; } + + DC_FP_END(); } #endif @@ -240,6 +246,8 @@ void dc_state_copy(struct dc_state *dst_state, struct dc_state *src_state) dc_state_copy_internal(dst_state, src_state); #ifdef CONFIG_DRM_AMD_DC_FP + DC_FP_START(); + dst_state->bw_ctx.dml2 = dst_dml2; if (src_state->bw_ctx.dml2) dml2_copy(dst_state->bw_ctx.dml2, src_state->bw_ctx.dml2); @@ -247,6 +255,8 @@ void dc_state_copy(struct dc_state *dst_state, struct dc_state *src_state) dst_state->bw_ctx.dml2_dc_power_source = dst_dml2_dc_power_source; if (src_state->bw_ctx.dml2_dc_power_source) dml2_copy(dst_state->bw_ctx.dml2_dc_power_source, src_state->bw_ctx.dml2_dc_power_source); + + DC_FP_END(); #endif /* context refcount should not be overridden */ @@ -268,17 +278,23 @@ struct dc_state *dc_state_create_copy(struct dc_state *src_state) new_state->bw_ctx.dml2 = NULL; new_state->bw_ctx.dml2_dc_power_source = NULL; + DC_FP_START(); + if (src_state->bw_ctx.dml2 && !dml2_create_copy(&new_state->bw_ctx.dml2, src_state->bw_ctx.dml2)) { + DC_FP_END(); dc_state_release(new_state); return NULL; } if (src_state->bw_ctx.dml2_dc_power_source && !dml2_create_copy(&new_state->bw_ctx.dml2_dc_power_source, src_state->bw_ctx.dml2_dc_power_source)) { + DC_FP_END(); dc_state_release(new_state); return NULL; } + + DC_FP_END(); #endif kref_init(&new_state->refcount); -- 2.47.1

2 months, 2 weeks

4
9
0 0

[PATCH] rust: Fix enabling Rust and building with GCC for LoongArch

by WANG Rui

This patch fixes a build issue on LoongArch when Rust is enabled and compiled with GCC by explicitly setting the bindgen target and skipping C flags that Clang doesn't support. Cc: stable(a)vger.kernel.org Signed-off-by: WANG Rui <wangrui(a)loongson.cn> --- rust/Makefile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rust/Makefile b/rust/Makefile index ea3849eb78f6..2c57c624fe7d 100644 --- a/rust/Makefile +++ b/rust/Makefile @@ -232,7 +232,8 @@ bindgen_skip_c_flags := -mno-fp-ret-in-387 -mpreferred-stack-boundary=% \ -mfunction-return=thunk-extern -mrecord-mcount -mabi=lp64 \ -mindirect-branch-cs-prefix -mstack-protector-guard% -mtraceback=no \ -mno-pointers-to-nested-functions -mno-string \ - -mno-strict-align -mstrict-align \ + -mno-strict-align -mstrict-align -mdirect-extern-access \ + -mexplicit-relocs -mno-check-zero-division \ -fconserve-stack -falign-jumps=% -falign-loops=% \ -femit-struct-debug-baseonly -fno-ipa-cp-clone -fno-ipa-sra \ -fno-partial-inlining -fplugin-arg-arm_ssp_per_task_plugin-% \ @@ -246,6 +247,7 @@ bindgen_skip_c_flags := -mno-fp-ret-in-387 -mpreferred-stack-boundary=% \ # Derived from `scripts/Makefile.clang`. BINDGEN_TARGET_x86 := x86_64-linux-gnu BINDGEN_TARGET_arm64 := aarch64-linux-gnu +BINDGEN_TARGET_loongarch := loongarch64-linux-gnusf BINDGEN_TARGET := $(BINDGEN_TARGET_$(SRCARCH)) # All warnings are inhibited since GCC builds are very experimental, -- 2.48.1

2 months, 2 weeks

4
5
0 0

[PATCH 5.10 000/462] 5.10.235-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.10.235 release. There are 462 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 13 Mar 2025 14:56:39 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.235-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.10.235-rc1 Jakub Kicinski <kuba(a)kernel.org> net: ipv6: fix dst refleaks in rpl, seg6 and ioam6 lwtunnels Ben Hutchings <benh(a)debian.org> udf: Fix use of check_add_overflow() with mixed type arguments Ben Hutchings <benh(a)debian.org> perf cs-etm: Add missing variable in cs_etm__process_queues() Michal Pecio <michal.pecio(a)gmail.com> usb: xhci: Enable the TRB overfetch quirk on VIA VL805 Filipe Manana <fdmanana(a)suse.com> btrfs: bring back the incorrectly removed extent buffer lock recursion support Weili Qian <qianweili(a)huawei.com> crypto: hisilicon/qm - inject error before stopping queue Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> kbuild: userprogs: use correct lld when linking through clang Toke Høiland-Jørgensen <toke(a)redhat.com> sched: sch_cake: add bounds checks to host bulk flow fairness counts Michal Luczaj <mhal(a)rbox.co> vsock: Orphan socket after transport release Michal Luczaj <mhal(a)rbox.co> vsock: Keep the binding until socket destruction Michal Luczaj <mhal(a)rbox.co> bpf, vsock: Invoke proto::close on close() Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> Revert "media: uvcvideo: Require entities to have a non-zero unique ID" Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Remove dangling pointers Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Only save async fh if success Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: handle errors that nilfs_prepare_chunk() may return Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: eliminate staggered calls to kunmap in nilfs_rename Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: move page release outside of nilfs_delete_entry and nilfs_set_link Ralf Schlatterbeck <rsc(a)runtux.com> spi-mxs: Fix chipselect glitch Niravkumar L Rabara <niravkumar.l.rabara(a)intel.com> mtd: rawnand: cadence: fix unchecked dereference Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> eeprom: digsy_mtc: Make GPIO lookup table match the device Visweswara Tanuku <quic_vtanuku(a)quicinc.com> slimbus: messaging: Free transaction ID in delayed interrupt scenario Alexander Shishkin <alexander.shishkin(a)linux.intel.com> intel_th: pci: Add Panther Lake-P/U support Alexander Shishkin <alexander.shishkin(a)linux.intel.com> intel_th: pci: Add Panther Lake-H support Pawel Chmielewski <pawel.chmielewski(a)intel.com> intel_th: pci: Add Arrow Lake support Alexander Usyskin <alexander.usyskin(a)intel.com> mei: me: add panther lake P DID Phillip Lougher <phillip(a)squashfs.org.uk> Squashfs: check the inode number is not the invalid value of zero Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> xhci: pci: Fix indentation in the PCI device ID definitions Prashanth K <prashanth.k(a)oss.qualcomm.com> usb: gadget: Check bmAttributes only if configuration is valid Marek Szyprowski <m.szyprowski(a)samsung.com> usb: gadget: Fix setting self-powered state on suspend Prashanth K <prashanth.k(a)oss.qualcomm.com> usb: gadget: Set self-powered based on MaxPower and bmAttributes AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> usb: typec: tcpci_rt1711h: Unmask alert interrupts to fix functionality Fedor Pchelkin <boddah8794(a)gmail.com> usb: typec: ucsi: increase timeout for PPM reset operations Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> usb: atm: cxacru: fix a flaw in existing endpoint checks Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> usb: renesas_usbhs: Flush the notify_hotplug_work Miao Li <limiao(a)kylinos.cn> usb: quirks: Add DELAY_INIT and NO_LPM for Prolific Mass Storage Card Reader Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> usb: renesas_usbhs: Use devm_usb_get_phy() Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> usb: renesas_usbhs: Call clk_put() Christian Heusel <christian(a)heusel.eu> Revert "drivers/card_reader/rtsx_usb: Restore interrupt based detection" Fabrizio Castro <fabrizio.castro.jz(a)renesas.com> gpio: rcar: Fix missing of_node_put() call Justin Iurman <justin.iurman(a)uliege.be> net: ipv6: fix missing dst ref drop in ila lwtunnel Justin Iurman <justin.iurman(a)uliege.be> net: ipv6: fix dst ref loop in ila lwtunnel Jason Xing <kerneljasonxing(a)gmail.com> net-timestamp: support TCP GSO case for a few missing flags Oscar Maes <oscmaes92(a)gmail.com> vlan: enforce underlying device type Jiayuan Chen <jiayuan.chen(a)linux.dev> ppp: Fix KMSAN uninit-value warning with bpf Nikolay Aleksandrov <razor(a)blackwall.org> be2net: fix sleeping while atomic bugs in be_ndo_bridge_getlink Philipp Stanner <phasta(a)kernel.org> drm/sched: Fix preprocessor guard Xinghuo Chen <xinghuo.chen(a)foxmail.com> hwmon: fix a NULL vs IS_ERR_OR_NULL() check in xgene_hwmon_probe() Eric Dumazet <edumazet(a)google.com> llc: do not use skb_get() before dev_queue_xmit() Murad Masimov <m.masimov(a)mt-integration.ru> ALSA: usx2y: validate nrpacks module parameter on probe Erik Schumacher <erik.schumacher(a)iris-sensing.com> hwmon: (ad7314) Validate leading zero bits and return error Maud Spierings <maudspierings(a)gocontroll.com> hwmon: (ntc_thermistor) Fix the ncpXXxh103 sensor table Titus Rwantare <titusr(a)google.com> hwmon: (pmbus) Initialise page count in pmbus_identify() Vitaliy Shevtsov <v.shevtsov(a)mt-integration.ru> caif_virtio: fix wrong pointer check in cfv_probe() Antoine Tenart <atenart(a)kernel.org> net: gso: fix ownership in __udp_gso_segment Meir Elisha <meir.elisha(a)volumez.com> nvmet-tcp: Fix a possible sporadic response drops in weakly ordered arch Zhang Lixu <lixu.zhang(a)intel.com> HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove() Yu-Chun Lin <eleanor15x(a)gmail.com> HID: google: fix unused variable warning under !CONFIG_ACPI Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: limit printed string from FW file Hao Zhang <zhanghao1(a)kylinos.cn> mm/page_alloc: fix uninitialized variable Olivier Gayot <olivier.gayot(a)canonical.com> block: fix conversion of GPT partition name to 7-bit Heiko Carstens <hca(a)linux.ibm.com> s390/traps: Fix test_monitor_call() inline assembly Haoxiang Li <haoxiang_li2024(a)163.com> rapidio: fix an API misues when rio_add_net() fails Haoxiang Li <haoxiang_li2024(a)163.com> rapidio: add check for rio_add_net() in rio_scan_alloc_net() Vitaliy Shevtsov <v.shevtsov(a)mt-integration.ru> wifi: nl80211: reject cooked mode if it is set along with other flags Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> wifi: cfg80211: regulatory: improve invalid hints checking Ahmed S. Darwish <darwi(a)linutronix.de> x86/cpu: Properly parse CPUID leaf 0x2 TLB descriptor 0x63 Ahmed S. Darwish <darwi(a)linutronix.de> x86/cpu: Validate CPUID leaf 0x2 EDX output Ahmed S. Darwish <darwi(a)linutronix.de> x86/cacheinfo: Validate CPUID leaf 0x2 EDX output Mingcong Bai <jeffbai(a)aosc.io> platform/x86: thinkpad_acpi: Add battery quirk for ThinkPad X131e Richard Thier <u9vata(a)gmail.com> drm/radeon: Fix rs400_gpu_init for ATI mobility radeon Xpress 200M Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek: update ALC222 depop optimize Hoku Ishibe <me(a)hokuishi.be> ALSA: hda: intel: Add Dell ALC3271 to power_save denylist Koichiro Den <koichiro.den(a)canonical.com> gpio: aggregator: protect driver attr handlers against module unload Daniil Dulov <d.dulov(a)aladdin.ru> HID: appleir: Fix potential NULL dereference at raw event handle Rob Herring (Arm) <robh(a)kernel.org> Revert "of: reserved-memory: Fix using wrong number of cells to get property 'alignment'" Peter Jones <pjones(a)redhat.com> efi: Don't map the entire mokvar table to determine its size Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: disable BAR resize on Dell G5 SE Ma Jun <Jun.Ma2(a)amd.com> drm/amdgpu: Check extended configuration space register when system uses large bar Haoxiang Li <haoxiang_li2024(a)163.com> smb: client: Add check for next_buffer in receive_encrypted_standard() Christian Brauner <brauner(a)kernel.org> acct: perform last write from workqueue Yang Yang <yang.yang29(a)zte.com.cn> kernel/acct.c: use dedicated helper to access rlimit values Hui Su <sh_def(a)163.com> kernel/acct.c: use #elif instead of #end and #elif Gavrilov Ilia <Ilia.Gavrilov(a)infotecs.ru> drop_monitor: fix incorrect initialization order Quang Le <quanglex97(a)gmail.com> pfifo_tail_enqueue: Drop new packet when sch->limit == 0 Thomas Gleixner <tglx(a)linutronix.de> intel_idle: Handle older CPUs, which stop the TSC in deeper C states, correctly Thomas Gleixner <tglx(a)linutronix.de> sched/core: Prevent rescheduling when interrupts are disabled Ard Biesheuvel <ardb(a)kernel.org> vmlinux.lds: Ensure that const vars with relocations are mapped R/O Paolo Abeni <pabeni(a)redhat.com> mptcp: always handle address removal under msk socket lock Kaustabh Chakraborty <kauschluss(a)disroot.org> phy: exynos5-usbdrd: fix MPLL_MULTIPLIER and SSC_REFCLKSEL masks in refclk BH Hsieh <bhsieh(a)nvidia.com> phy: tegra: xusb: reset VBUS & ID OVERRIDE Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> usbnet: gl620a: fix endpoint checking in genelink_bind() Tyrone Ting <kfting(a)nuvoton.com> i2c: npcm: disable interrupt enable bit before devm_request_irq Kan Liang <kan.liang(a)linux.intel.com> perf/core: Fix low freq setting via IOC_PERIOD Nikolay Kuratov <kniv(a)yandex-team.ru> ftrace: Avoid potential division by zero in function_stat_show() Russell Senior <russell(a)personaltelco.net> x86/CPU: Fix warm boot hang regression on AMD SC1100 SoC systems Justin Iurman <justin.iurman(a)uliege.be> net: ipv6: fix dst ref loop on input in rpl lwt Justin Iurman <justin.iurman(a)uliege.be> net: ipv6: rpl_iptunnel: mitigate 2-realloc issue Justin Iurman <justin.iurman(a)uliege.be> include: net: add static inline dst_dev_overhead() to dst.h Brian Vazquez <brianvv(a)google.com> net: use indirect call helpers for dst_output Brian Vazquez <brianvv(a)google.com> net: use indirect call helpers for dst_input Zheng Yongjun <zhengyongjun3(a)huawei.com> net: ipv6: rpl_iptunnel: simplify the return expression of rpl_do_srh() Harshal Chaudhari <hchaudhari(a)marvell.com> net: mvpp2: cls: Fixed Non IP flow, with vlan tag flow defination. Wang Hai <wanghai38(a)huawei.com> tcp: Defer ts_recent changes until req is owned Philo Lu <lulie(a)linux.alibaba.com> ipvs: Always clear ipvs_property flag in skb_scrub_packet() Nicolas Frattaroli <nicolas.frattaroli(a)collabora.com> ASoC: es8328: fix route from DAC to output Sean Anderson <sean.anderson(a)linux.dev> net: cadence: macb: Synchronize stats calculations Ido Schimmel <idosch(a)nvidia.com> net: loopback: Avoid sending IP packets without an Ethernet header Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: L2CAP: Fix L2CAP_ECRED_CONN_RSP response Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Avoid dropping MIDI events at closing multiple ports Arnd Bergmann <arnd(a)arndb.de> sunrpc: suppress warnings for unused procfs functions Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix bind QP error cleanup flow Mark Zhang <markzhang(a)nvidia.com> IB/mlx5: Set and get correct qp_num for a DCT QP Patrick Bellasi <derkling(a)google.com> x86/cpu/kvm: SRSO: Fix possible missing IBPB on VM-Exit Niravkumar L Rabara <niravkumar.l.rabara(a)intel.com> mtd: rawnand: cadence: fix incorrect device in dma_unmap_single Niravkumar L Rabara <niravkumar.l.rabara(a)intel.com> mtd: rawnand: cadence: use dma_map_resource for sdma address Niravkumar L Rabara <niravkumar.l.rabara(a)intel.com> mtd: rawnand: cadence: fix error code in cadence_nand_init() Christian Brauner <brauner(a)kernel.org> acct: block access to kernel internal filesystems John Veness <john-linux(a)pelago.org.uk> ALSA: hda/conexant: Add quirk for HP ProBook 450 G4 mute LED Haoxiang Li <haoxiang_li2024(a)163.com> nfp: bpf: Add check for nfp_app_ctrl_msg_alloc() Sumit Garg <sumit.garg(a)linaro.org> tee: optee: Fix supplicant wait loop Yan Zhai <yan(a)cloudflare.com> bpf: skip non exist keys in generic_map_lookup_batch Andrey Vatoropin <a.vatoropin(a)crpt.ru> power: supply: da9150-fg: fix potential overflow Cong Wang <xiyou.wangcong(a)gmail.com> flow_dissector: Fix port range key handling in BPF conversion Cong Wang <xiyou.wangcong(a)gmail.com> flow_dissector: Fix handling of mixed port and port-range keys Maksym Glubokiy <maksym.glubokiy(a)plvision.eu> net: extract port range fields from fl_flow_key Kuniyuki Iwashima <kuniyu(a)amazon.com> geneve: Suppress list corruption splat in geneve_destroy_tunnels(). Kuniyuki Iwashima <kuniyu(a)amazon.com> gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl(). Kuniyuki Iwashima <kuniyu(a)amazon.com> geneve: Fix use-after-free in geneve_find_dev(). Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek: Fixup ALC225 depop procedure Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/64s: Rewrite __real_pte() and __rpte_to_hidx() as static inline Michael Ellerman <mpe(a)ellerman.id.au> powerpc/64s/mm: Move __real_pte stubs into hash-4k.h Jill Donahue <jilliandonahue58(a)gmail.com> USB: gadget: f_midi: f_midi_complete to call queue_work Davidlohr Bueso <dave(a)stgolabs.net> usb/gadget: f_midi: Replace tasklet with work Selvarasu Ganesan <selvarasu.g(a)samsung.com> usb: dwc3: Fix timeout issue during controller enter/exit from halt state Wesley Cheng <quic_wcheng(a)quicinc.com> usb: dwc3: Increase DWC3 controller halt timeout Sven Eckelmann <sven(a)narfation.org> batman-adv: Drop unmanaged ELP metric worker Sven Eckelmann <sven(a)narfation.org> batman-adv: Drop initialization of flexible ethtool_link_ksettings Sven Eckelmann <sven(a)narfation.org> batman-adv: Add new include for min/max helpers Jarkko Sakkinen <jarkko(a)kernel.org> tpm: Change to kvalloc() in eventlog/acpi.c Eddie James <eajames(a)linux.ibm.com> tpm: Use managed allocation for bios event log Thomas Zimmermann <tzimmermann(a)suse.de> drm/rockchip: cdn-dp: Use drm_connector_helper_hpd_irq_event() Maxime Ripard <maxime(a)cerno.tech> drm/probe-helper: Create a HPD IRQ event helper for a single connector Chen Ridong <chenridong(a)huawei.com> memcg: fix soft lockup in the OOM process Carlos Galo <carlosgalo(a)google.com> mm: update mark_victim tracepoints fields Ignat Korchagin <ignat(a)cloudflare.com> crypto: testmgr - some more fixes to RSA test vectors Ignat Korchagin <ignat(a)cloudflare.com> crypto: testmgr - populate RSA CRT parameters in RSA test vectors lei he <helei.sig11(a)bytedance.com> crypto: testmgr - fix version number of RSA tests Lei He <helei.sig11(a)bytedance.com> crypto: testmgr - Fix wrong test case of RSA Lei He <helei.sig11(a)bytedance.com> crypto: testmgr - fix wrong key length for pkcs1pad Catalin Marinas <catalin.marinas(a)arm.com> arm64: mte: Do not allow PROT_MTE on MAP_HUGETLB user mappings Casey Chen <cachen(a)purestorage.com> nvme-pci: fix multiple races in nvme_setup_io_queues Xin Long <lucien.xin(a)gmail.com> vlan: move dev_put into vlan_dev_uninit Xin Long <lucien.xin(a)gmail.com> vlan: introduce vlan_dev_free_egress_priority Stefan Berger <stefanb(a)linux.ibm.com> ima: Fix use-after-free on a dentry's dname.name Calvin Owens <calvin(a)wbinvd.org> pps: Fix a use-after-free Filipe Manana <fdmanana(a)suse.com> btrfs: avoid monopolizing a core when activating a swap file Koichiro Den <koichiro.den(a)canonical.com> Revert "btrfs: avoid monopolizing a core when activating a swap file" David Woodhouse <dwmw(a)amazon.co.uk> x86/i8253: Disable PIT timer 0 when not in use Chao Yu <chao(a)kernel.org> f2fs: fix to wait dio completion Hangbin Liu <liuhangbin(a)gmail.com> selftests: rtnetlink: update netdevsim ipsec output format Hangbin Liu <liuhangbin(a)gmail.com> netdevsim: print human readable IP address Jiaqing Zhao <jiaqing.zhao(a)linux.intel.com> parport_pc: add support for ASIX AX99100 Jiaqing Zhao <jiaqing.zhao(a)linux.intel.com> serial: 8250_pci: add support for ASIX AX99100 Jiaqing Zhao <jiaqing.zhao(a)linux.intel.com> can: ems_pci: move ASIX AX99100 ids to pci_ids.h Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: protect access to buffers with no active references Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: do not force clear folio if buffer is referenced Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: do not output warnings when clearing dirty buffers Ivan Kokshaysky <ink(a)unseen.parts> alpha: replace hardcoded stack offsets with autogenerated ones Andrew Cooper <andrew.cooper3(a)citrix.com> x86/static-call: Remove early_boot_irqs_disabled check to fix Xen PVH dom0 John Ogness <john.ogness(a)linutronix.de> kdb: Do not assume write() callback available Devarsh Thakkar <devarsht(a)ti.com> drm/tidss: Clear the interrupt status for interrupts being disabled Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> drm/tidss: Fix issue in irq handling causing irq-flood issue Eric Dumazet <edumazet(a)google.com> ndisc: extend RCU protection in ndisc_send_skb() Eric Dumazet <edumazet(a)google.com> openvswitch: use RCU protection in ovs_vport_cmd_fill_info() Eric Dumazet <edumazet(a)google.com> arp: use RCU protection in arp_xmit() Eric Dumazet <edumazet(a)google.com> neighbour: use RCU protection in __neigh_notify() Li Zetao <lizetao1(a)huawei.com> neighbour: delete redundant judgment statements Eric Dumazet <edumazet(a)google.com> ndisc: use RCU protection in ndisc_alloc_skb() Eric Dumazet <edumazet(a)google.com> ipv6: use RCU protection in ip6_default_advmss() Eric Dumazet <edumazet(a)google.com> ipv4: use RCU protection in inet_select_addr() Eric Dumazet <edumazet(a)google.com> ipv4: use RCU protection in rt_is_expired() Eric Dumazet <edumazet(a)google.com> net: add dev_net_rcu() helper Jiri Pirko <jiri(a)nvidia.com> net: treat possible_net_t net pointer as an RCU one and add read_pnet_rcu() Waiman Long <longman(a)redhat.com> clocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context Waiman Long <longman(a)redhat.com> clocksource: Use pr_info() for "Checking clocksource synchronization" message Yury Norov <yury.norov(a)gmail.com> clocksource: Replace cpumask_weight() with cpumask_empty() Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> clocksource: Replace deprecated CPU-hotplug functions. Paul E. McKenney <paulmck(a)kernel.org> clocksource: Limit number of CPUs checked for clock synchronization Wentao Liang <vulab(a)iscas.ac.cn> mlxsw: Add return value check for mlxsw_sp_port_get_stats_raw() Nathan Chancellor <nathan(a)kernel.org> arm64: Handle .ARM.attributes section in linker scripts Jiasheng Jiang <jiashengjiangcool(a)gmail.com> regmap-irq: Add missing kfree() Jann Horn <jannh(a)google.com> partitions: mac: fix handling of bogus partition table Wentao Liang <vulab(a)iscas.ac.cn> gpio: stmpe: Check return value of stmpe_reg_read in stmpe_gpio_irq_sync_unlock Ivan Kokshaysky <ink(a)unseen.parts> alpha: align stack for page fault and user unaligned trap handlers John Keeping <jkeeping(a)inmusicbrands.com> serial: 8250: Fix fifo underflow on flush Ard Biesheuvel <ardb(a)kernel.org> efi: Avoid cold plugged memory for placing the kernel Ivan Kokshaysky <ink(a)unseen.parts> alpha: make stack 16-byte aligned (most cases) Alexander Hölzl <alexander.hoelzl(a)gmx.net> can: j1939: j1939_sk_send_loop(): fix unable to send messages with data length zero Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> can: c_can: fix unbalanced runtime PM disable in error path Johan Hovold <johan(a)kernel.org> USB: serial: option: drop MeiG Smart defines Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: fix Telit Cinterion FN990A name Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion FN990B compositions Chester A. Unal <chester.a.unal(a)arinc9.com> USB: serial: option: add MeiG Smart SLM828 Jann Horn <jannh(a)google.com> usb: cdc-acm: Fix handling of oversized fragments Jann Horn <jannh(a)google.com> usb: cdc-acm: Check control transfer buffer size before access Marek Vasut <marek.vasut+renesas(a)mailbox.org> USB: cdc-acm: Fill in Renesas R-Car D3 USB Download mode quirk Alan Stern <stern(a)rowland.harvard.edu> USB: hub: Ignore non-compliant devices with too many configs or interfaces John Keeping <jkeeping(a)inmusicbrands.com> usb: gadget: f_midi: fix MIDI Streaming descriptor lengths Mathias Nyman <mathias.nyman(a)linux.intel.com> USB: Add USB_QUIRK_NO_LPM quirk for sony xperia xz1 smartphone Lei Huang <huanglei(a)kylinos.cn> USB: quirks: add USB_QUIRK_NO_LPM quirk for Teclast dist Stefan Eichenberger <stefan.eichenberger(a)toradex.com> usb: core: fix pipe creation for get_bMaxPacketSize0 Huacai Chen <chenhuacai(a)loongson.cn> USB: pci-quirks: Fix HCCPARAMS register error for LS7A EHCI Fabrice Gasnier <fabrice.gasnier(a)foss.st.com> usb: dwc2: gadget: remove of_node reference upon udc_stop Guo Ren <guoren(a)linux.alibaba.com> usb: gadget: udc: renesas_usb3: Fix compiler warning Elson Roy Serrao <quic_eserrao(a)quicinc.com> usb: roles: set switch registered flag early on Sean Christopherson <seanjc(a)google.com> perf/x86/intel: Ensure LBRs are disabled when a CPU is starting Sven Eckelmann <sven(a)narfation.org> batman-adv: Ignore neighbor throughput metrics in error case Andy Strohman <andrew(a)andrewstrohman.com> batman-adv: fix panic during interface removal Hans de Goede <hdegoede(a)redhat.com> ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet 5V Mike Marshall <hubcap(a)omnibond.com> orangefs: fix a oob in orangefs_debug_write Maksym Planeta <maksym(a)exostellar.io> Grab mm lock before grabbing pt lock Ramesh Thomas <ramesh.thomas(a)intel.com> vfio/pci: Enable iowrite64 and ioread64 for vfio pci Takashi Iwai <tiwai(a)suse.de> PCI/DPC: Quirk PIO log size for Intel Raptor Lake-P Edward Adam Davis <eadavis(a)qq.com> media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread Arnd Bergmann <arnd(a)arndb.de> media: cxd2841er: fix 64-bit division on gcc-9 Juergen Gross <jgross(a)suse.com> x86/xen: allow larger contiguous memory regions in PV guests Petr Tesarik <petr.tesarik.ext(a)huawei.com> xen: remove a confusing comment on auto-translated guest I/O Artur Weber <aweber.kernel(a)gmail.com> gpio: bcm-kona: Add missing newline to dev_err format string Artur Weber <aweber.kernel(a)gmail.com> gpio: bcm-kona: Make sure GPIO bits are unlocked when requesting IRQ Artur Weber <aweber.kernel(a)gmail.com> gpio: bcm-kona: Fix GPIO lock/unlock for banks above bank 0 Radu Rendec <rrendec(a)redhat.com> arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array Eric Dumazet <edumazet(a)google.com> team: better TEAM_OPTION_TYPE_STRING validation Eric Dumazet <edumazet(a)google.com> vrf: use RCU protection in l3mdev_l3_out() Eric Dumazet <edumazet(a)google.com> ndisc: ndisc_send_redirect() must use dev_get_by_index_rcu() Charles Han <hanchunchao(a)inspur.com> HID: multitouch: Add NULL check in mt_input_configured Dai Ngo <dai.ngo(a)oracle.com> NFSD: fix hang in nfsd4_shutdown_callback Li Lingfeng <lilingfeng3(a)huawei.com> nfsd: clear acl_access/acl_default after releasing them Paolo Abeni <pabeni(a)redhat.com> mptcp: prevent excessive coalescing on receive Su Yue <glass.su(a)suse.com> ocfs2: check dir i_size in ocfs2_find_entry WangYuli <wangyuli(a)uniontech.com> MIPS: ftrace: Declare ftrace_get_parent_ra_addr() as static Thomas Weißschuh <linux(a)weissschuh.net> ptp: Ensure info->enable callback is always set Paul Fertser <fercerpav(a)gmail.com> net/ncsi: wait for the last response to Deselect Package before configuring channel Ekansh Gupta <quic_ekangupt(a)quicinc.com> misc: fastrpc: Fix registered buffer page address Ivan Stepchenko <sid(a)itb.spb.ru> mtd: onenand: Fix uninitialized retlen in do_otp_read() Dan Carpenter <dan.carpenter(a)linaro.org> NFC: nci: Add bounds checking in nci_hci_create_pipe() Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> nilfs2: fix possible int overflows in nilfs_fiemap() Matthew Wilcox (Oracle) <willy(a)infradead.org> ocfs2: handle a symlink read error correctly Heming Zhao <heming.zhao(a)suse.com> ocfs2: fix incorrect CPU endianness conversion causing mount failure Mike Snitzer <snitzer(a)kernel.org> pnfs/flexfiles: retry getting layout segment for reads Alex Williamson <alex.williamson(a)redhat.com> vfio/platform: check the bounds of read/write syscalls Jennifer Berringer <jberring(a)redhat.com> nvmem: core: improve range check for nvmem_cell_write() Luca Weiss <luca.weiss(a)fairphone.com> nvmem: qcom-spmi-sdam: Set size in struct nvmem_config Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> crypto: qce - unregister previously registered algos in error path Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> crypto: qce - fix goto jump in error path Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Remove redundant NULL assignment Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Fix event flags in uvc_ctrl_send_events Sam Bobrowicz <sam(a)elite-embedded.com> media: ov5640: fix get_light_freq on auto Cosmin Tanislav <demonsingur(a)gmail.com> media: mc: fix endpoint iteration Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soc: qcom: smem_state: fix missing of_node_put in error path Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: light: as73211: fix channel handling in only-color triggered buffer Nathan Chancellor <nathan(a)kernel.org> x86/boot: Use '-std=gnu11' to fix build with GCC 15 Nathan Chancellor <nathan(a)kernel.org> kbuild: Move -Wenum-enum-conversion to W=2 Long Li <longli(a)microsoft.com> scsi: storvsc: Set correct data length for sending SCSI command without payload Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Move FCE Trace buffer allocation to user control Edson Juliano Drosdeck <edson.drosdeck(a)gmail.com> ALSA: hda/realtek: Enable headset mic on Positivo C6400 Hou Tao <houtao1(a)huawei.com> dm-crypt: track tag_offset in convert_context Hou Tao <houtao1(a)huawei.com> dm-crypt: don't update io->sector after kcryptd_crypt_write_io_submit() Narayana Murty N <nnmlinux(a)linux.ibm.com> powerpc/pseries/eeh: Fix get PE state translation Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> serial: sh-sci: Do not probe the serial port if its slot in sci_ports[] is in use Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> serial: sh-sci: Drop __initdata macro for port_cfg Stephan Gerhold <stephan.gerhold(a)linaro.org> soc: qcom: socinfo: Avoid out of bounds read of serial number Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> usb: gadget: f_tcm: Don't prepare BOT write request twice Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> usb: gadget: f_tcm: ep_autoconfig with fullspeed endpoint Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> usb: gadget: f_tcm: Decrement command ref count on cleanup Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> usb: gadget: f_tcm: Translate error to sense Marcel Hamer <marcel.hamer(a)windriver.com> wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize() Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtlwifi: rtl8821ae: Fix media status report Heiko Stuebner <heiko(a)sntech.de> HID: hid-sensor-hub: don't use stale platform-data on remove Zijun Hu <quic_zijuhu(a)quicinc.com> of: reserved-memory: Fix using wrong number of cells to get property 'alignment' Zijun Hu <quic_zijuhu(a)quicinc.com> of: Fix of_find_node_opts_by_path() handling of alias+path+options Zijun Hu <quic_zijuhu(a)quicinc.com> of: Correct child specifier used as input of the 2nd nexus node Kuan-Wei Chiu <visitorckw(a)gmail.com> perf bench: Fix undefined behavior in cmpworker() Nathan Chancellor <nathan(a)kernel.org> efi: libstub: Use '-std=gnu11' to fix build with GCC 15 Zijun Hu <quic_zijuhu(a)quicinc.com> blk-cgroup: Fix class @block_class's subsystem refcount leakage Anastasia Belova <abelova(a)astralinux.ru> clk: qcom: clk-rpmh: prevent integer overflow in recalc_rate Gabor Juhos <j4g8y7(a)gmail.com> clk: qcom: clk-alpha-pll: fix alpha mode configuration Cody Eksal <masterr3c0rd(a)epochal.quest> clk: sunxi-ng: a100: enable MMC clock reparenting Fedor Pchelkin <pchelkin(a)ispras.ru> Bluetooth: L2CAP: accept zero as a special value for MTU auto-selection Fedor Pchelkin <pchelkin(a)ispras.ru> Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc Haoxiang Li <haoxiang_li2024(a)163.com> drm/komeda: Add check for komeda_get_layer_fourcc_list() David Hildenbrand <david(a)redhat.com> KVM: s390: vsie: fix some corner-cases when grabbing vsie pages Sean Christopherson <seanjc(a)google.com> KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() Jakob Unterwurzacher <jakobunt(a)gmail.com> arm64: dts: rockchip: increase gmac rx_delay on rk3399-puma Dan Carpenter <dan.carpenter(a)linaro.org> binfmt_flat: Fix integer overflow bug on 32 bit systems Thomas Zimmermann <tzimmermann(a)suse.de> m68k: vga: Fix I/O defines Heiko Carstens <hca(a)linux.ibm.com> s390/futex: Fix FUTEX_OP_ANDN implementation Maarten Lankhorst <dev(a)lankhorst.se> drm/modeset: Handle tiled displays in pan_display_atomic. Alexander Sverdlin <alexander.sverdlin(a)siemens.com> leds: lp8860: Write full EEPROM, not only half of it Viresh Kumar <viresh.kumar(a)linaro.org> cpufreq: s3c64xx: Fix compilation warning Willem de Bruijn <willemb(a)google.com> tun: revert fix group permission check Cong Wang <cong.wang(a)bytedance.com> netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() Juergen Gross <jgross(a)suse.com> x86/xen: add FRAME_END to xen_hypercall_hvm() Juergen Gross <jgross(a)suse.com> x86/xen: fix xen_hypercall_hvm() to not clobber %rbx Eric Dumazet <edumazet(a)google.com> net: rose: lock the socket in rose_bind() Jacob Moroni <mail(a)jakemoroni.com> net: atlantic: fix warning during hot unplug Mark Tomlinson <mark.tomlinson(a)alliedtelesis.co.nz> gpio: pca953x: Improve interrupt support Yan Zhai <yan(a)cloudflare.com> udp: gso: do not drop small packets when PMTU reduces Lenny Szubowicz <lszubowi(a)redhat.com> tg3: Disable tg3 PCIe AER on system reboot Hans Verkuil <hverkuil(a)xs4all.nl> gpu: drm_dp_cec: fix broken CEC adapter properties check Prasad Pandit <pjp(a)fedoraproject.org> firmware: iscsi_ibft: fix ISCSI_IBFT Kconfig entry Daniel Wagner <wagi(a)kernel.org> nvme: handle connectivity loss in nvme_set_queue_count Michal Pecio <michal.pecio(a)gmail.com> usb: xhci: Fix NULL pointer dereference on certain command aborts Hardik Gajjar <hgajjar(a)de.adit-jv.com> usb: xhci: Add timeout argument in address_device USB HCD callback Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> net: usb: rtl8150: enable basic endpoint checking Emil Renner Berthing <kernel(a)esmil.dk> net: usb: rtl8150: use new tasklet API Xi Ruoyao <xry111(a)xry111.site> x86/mm: Don't disable PCID when INVLPG has been fixed by microcode Illia Ostapyshyn <illia(a)yshyn.com> Input: allocate keycode for phone linking Liu Ye <liuye(a)kylinos.cn> selftests/net/ipsec: Fix Null pointer dereference in rtattr_pack() Dan Carpenter <dan.carpenter(a)linaro.org> tipc: re-order conditions in tipc_crypto_key_rcv() Yuanjie Yang <quic_yuanjiey(a)quicinc.com> mmc: sdhci-msm: Correctly set the load for the regulator Borislav Petkov <bp(a)alien8.de> APEI: GHES: Have GHES honor the panic= setting Randolph Ha <rha051117(a)gmail.com> i2c: Force ELAN06FA touchpad I2C bus freq to 100KHz Vadim Fedorenko <vadfed(a)meta.com> net/mlx5: use do_aux_work for PHC overflow checks Even Xu <even.xu(a)intel.com> HID: Wacom: Add PCI Wacom device support Hans de Goede <hdegoede(a)redhat.com> mfd: lpc_ich: Add another Gemini Lake ISA bridge PCI device-id Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> tomoyo: don't emit warning in tomoyo_write_control() Dmitry Antipov <dmantipov(a)yandex.ru> wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy() Shawn Lin <shawn.lin(a)rock-chips.com> mmc: core: Respect quirk_max_rate for non-UHS SDIO card Stas Sergeev <stsp2(a)yandex.ru> tun: fix group permission check Leo Stone <leocstone(a)gmail.com> safesetid: check size of policy writes Kuan-Wei Chiu <visitorckw(a)gmail.com> printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX Yazen Ghannam <yazen.ghannam(a)amd.com> x86/amd_nb: Restrict init function to AMD-based systems Carlos Llamas <cmllamas(a)google.com> lockdep: Fix upper limit for LOCKDEP_*_BITS configs Suleiman Souhlal <suleiman(a)google.com> sched: Don't try to catch up excess steal time. Josef Bacik <josef(a)toxicpanda.com> btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error handling Filipe Manana <fdmanana(a)suse.com> btrfs: fix use-after-free when attempting to join an aborted transaction Qu Wenruo <wqu(a)suse.com> btrfs: output the reason for open_ctree() failure Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> usb: gadget: f_tcm: Don't free command immediately Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> media: uvcvideo: Fix double free in error path Alan Stern <stern(a)rowland.harvard.edu> HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections Jos Wang <joswang(a)lenovo.com> usb: typec: tcpm: set SRC_SEND_CAPABILITIES timeout to PD_T_SENDER_RESPONSE Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> usb: gadget: f_tcm: Fix Get/SetInterface return value Sean Rhodes <sean(a)starlabs.systems> drivers/card_reader/rtsx_usb: Restore interrupt based detection Ricardo B. Marliere <rbm(a)suse.com> ktest.pl: Check kernelrelease return in get_version Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: reject mismatching sum of field_len with set key length Chuck Lever <chuck.lever(a)oracle.com> NFSD: Reset cb_seq_status after NFS4ERR_DELAY Lin Yujun <linyujun809(a)huawei.com> hexagon: Fix unbalanced spinlock in die() Willem de Bruijn <willemb(a)google.com> hexagon: fix using plain integer as NULL pointer warning in cmpxchg Masahiro Yamada <masahiroy(a)kernel.org> genksyms: fix memory leak when the same symbol is read from *.symref file Masahiro Yamada <masahiroy(a)kernel.org> genksyms: fix memory leak when the same symbol is added from source Eric Dumazet <edumazet(a)google.com> net: hsr: fix fill_frame_info() regression vs VLAN packets Kory Maincent <kory.maincent(a)bootlin.com> net: sh_eth: Fix missing rtnl lock in suspend/resume path Rafał Miłecki <rafal(a)milecki.pl> bgmac: reduce max frame size to support just MTU 1500 Michal Luczaj <mhal(a)rbox.co> vsock: Allow retrying on connect() failure Howard Chu <howardchu95(a)gmail.com> perf trace: Fix runtime error of index out of bounds Chenyuan Yang <chenyuan0y(a)gmail.com> net: davicom: fix UAF in dm9000_drv_remove Jakub Kicinski <kuba(a)kernel.org> net: netdevsim: try to close UDP port harness races Eric Dumazet <edumazet(a)google.com> net: rose: fix timer races against user threads Wentao Liang <vulab(a)iscas.ac.cn> PM: hibernate: Add error handling for syscore_suspend() Eric Dumazet <edumazet(a)google.com> ipmr: do not call mr_mfc_uses_dev() for unres entries Dheeraj Reddy Jonnalagadda <dheeraj.linuxdev(a)gmail.com> net: fec: implement TSO descriptor cleanup Jian Shen <shenjian15(a)huawei.com> net: hns3: fix oops when unload drivers paralleling pangliyuan <pangliyuan1(a)huawei.com> ubifs: skip dumping tnc tree when zroot is null Oleksij Rempel <linux(a)rempel-privat.de> rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> dmaengine: ti: edma: fix OF node reference leaks in edma_driver Jianbo Liu <jianbol(a)nvidia.com> xfrm: replay: Fix the update of replay_esn->oseq_hi for GSO Luo Yifan <luoyifan(a)cmss.chinamobile.com> tools/bootconfig: Fix the wrong format specifier Olga Kornievskaia <okorniev(a)redhat.com> NFSv4.2: fix COPY_NOTIFY xdr buf size calculation Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> module: Extend the preempt disabled section in dereference_symbol_descriptor(). Su Yue <glass.su(a)suse.com> ocfs2: mark dquot as inactive if failed to start trans while releasing dquot Guixin Liu <kanie(a)linux.alibaba.com> scsi: ufs: bsg: Delete bsg_dev when setting up bsg fails Paul Menzel <pmenzel(a)molgen.mpg.de> scsi: mpt3sas: Set ioc->manu_pg11.EEDPTagMode directly to 1 King Dix <kingdix10(a)qq.com> PCI: rcar-ep: Fix incorrect variable used when calling devm_request_mem_region() Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> staging: media: imx: fix OF node leak in imx_media_add_of_subdevs() Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> mtd: hyperbus: hbmc-am654: fix an OF node reference leak Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Propagate buf->error to userspace Jiasheng Jiang <jiashengjiangcool(a)gmail.com> media: camif-core: Add check for clk_enable() Jiasheng Jiang <jiashengjiangcool(a)gmail.com> media: mipi-csis: Add check for clk_enable() Jiasheng Jiang <jiashengjiangcool(a)gmail.com> media: marvell: Add check for clk_enable() Zijun Hu <quic_zijuhu(a)quicinc.com> PCI: endpoint: Destroy the EPC device in devm_pci_epc_destroy() Chen Ni <nichen(a)iscas.ac.cn> media: lmedm04: Handle errors for lme2510_int_read Malcolm Priestley <tvboxspy(a)gmail.com> media: lmedm04: Use GFP_KERNEL for URB allocation/submission. Oliver Neukum <oneukum(a)suse.com> media: rc: iguanair: handle timeouts Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> fbdev: omapfb: Fix an OF node leak in dss_of_port_get_parent_device() Rafał Miłecki <rafal(a)milecki.pl> ARM: dts: mediatek: mt7623: fix IR nodename Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> arm64: dts: qcom: sm8250: correct sleep clock frequency Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> arm64: dts: qcom: msm8994: correct sleep clock frequency Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> arm64: dts: qcom: msm8916: correct sleep clock frequency Chen-Yu Tsai <wenst(a)chromium.org> arm64: dts: mediatek: mt8173-evb: Fix MT6397 PMIC sub-node names Chen-Yu Tsai <wenst(a)chromium.org> arm64: dts: mediatek: mt8173-elm: Fix MT6397 PMIC sub-node names Chen-Yu Tsai <wenst(a)chromium.org> arm64: dts: mediatek: mt8173-elm: Drop regulator-compatible property Chen-Yu Tsai <wenst(a)chromium.org> arm64: dts: mediatek: mt8173-evb: Drop regulator-compatible property Dan Carpenter <dan.carpenter(a)linaro.org> rdma/cxgb4: Prevent potential integer overflow on 32bit Leon Romanovsky <leon(a)kernel.org> RDMA/mlx4: Avoid false error about access to uninitialized gids array Val Packett <val(a)packett.cool> arm64: dts: mediatek: mt8516: reserve 192 KiB for TF-A Val Packett <val(a)packett.cool> arm64: dts: mediatek: mt8516: add i2c clock-div property Fabien Parent <fparent(a)baylibre.com> arm64: dts: mediatek: mt8516: remove 2 invalid i2c clocks Val Packett <val(a)packett.cool> arm64: dts: mediatek: mt8516: fix wdt irq type Val Packett <val(a)packett.cool> arm64: dts: mediatek: mt8516: fix GICv2 range Chen Ridong <chenridong(a)huawei.com> padata: avoid UAF for reorder_work Chen Ridong <chenridong(a)huawei.com> padata: add pd get/put refcnt helper Chen Ridong <chenridong(a)huawei.com> padata: fix UAF in padata_reorder Puranjay Mohan <puranjay(a)kernel.org> bpf: Send signals asynchronously if !preemptible Jiachen Zhang <me(a)jcix.top> perf report: Fix misleading help message about --demangle Arnaldo Carvalho de Melo <acme(a)redhat.com> perf top: Don't complain about lack of vmlinux when not resolving some kernel samples Thomas Weißschuh <linux(a)weissschuh.net> padata: fix sysfs store callback check Ba Jing <bajing(a)cmss.chinamobile.com> ktest.pl: Remove unused declarations in run_bisect_test function Zhongqiu Han <quic_zhonhan(a)quicinc.com> perf bpf: Fix two memory leakages when calling perf_env__insert_bpf_prog_info() Arnaldo Carvalho de Melo <acme(a)redhat.com> perf env: Conditionally compile BPF support code on having HAVE_LIBBPF_SUPPORT Zhongqiu Han <quic_zhonhan(a)quicinc.com> perf header: Fix one memory leakage in process_bpf_prog_info() Zhongqiu Han <quic_zhonhan(a)quicinc.com> perf header: Fix one memory leakage in process_bpf_btf() George Lander <lander(a)jagmn.com> ASoC: sun4i-spdif: Add clock multiplier settings Marco Leogrande <leogrande(a)google.com> tools/testing/selftests/bpf/test_tc_tunnel.sh: Fix wait for server bind Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> net/rose: prevent integer overflows in rose_setsockopt() Roger Quadros <rogerq(a)kernel.org> net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns() Jamal Hadi Salim <jhs(a)mojatatu.com> net: sched: Disallow replacing of child qdisc from one parent to another Maher Sanalla <msanalla(a)nvidia.com> net/mlxfw: Drop hard coded max FW flash image size Liu Jian <liujian56(a)huawei.com> net: let net.core.dev_weight always be non-zero Mingwei Zheng <zmw12306(a)gmail.com> pwm: stm32: Add check for clk_enable() Bo Gan <ganboing(a)gmail.com> clk: analogbits: Fix incorrect calculation of vco rate delta Dmitry Antipov <dmantipov(a)yandex.ru> wifi: cfg80211: adjust allocation of colocated AP data Ilan Peer <ilan.peer(a)intel.com> wifi: cfg80211: Handle specific BSSID in 6GHz scanning Dmitry V. Levin <ldv(a)strace.io> selftests: harness: fix printing of mismatch values in __EXPECT() Gautham R. Shenoy <gautham.shenoy(a)amd.com> cpufreq: ACPI: Fix max-frequency computation WangYuli <wangyuli(a)uniontech.com> wifi: mt76: mt76u_vendor_request: Do not print error messages when -EPROTO Guangguan Wang <guangguan.wang(a)linux.alibaba.com> net/smc: fix data error when recvmsg with MSG_PEEK flag Andreas Kemnade <andreas(a)kemnade.info> wifi: wlcore: fix unbalanced pm_runtime calls Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> regulator: of: Implement the unwind path of of_regulator_match() Octavian Purdila <tavip(a)google.com> team: prevent adding a device which is already a team device lower Marek Vasut <marex(a)denx.de> clk: imx8mp: Fix clkout1/2 support Sultan Alsawaf (unemployed) <sultan(a)kerneltoast.com> cpufreq: schedutil: Fix superfluous updates caused by need_freq_update Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: schedutil: Simplify sugov_update_next_freq() Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> leds: netxbig: Fix an OF node reference leak in netxbig_leds_get_of_pdata() He Rongguang <herongguang(a)linux.alibaba.com> cpupower: fix TSC MHz calculation Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> ACPI: fan: cleanup resources in the error path of .probe() Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> wifi: rtlwifi: pci: wait for firmware loading before releasing memory Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> wifi: rtlwifi: fix memory leaks and invalid access at probe error path Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> wifi: rtlwifi: destroy workqueue at rtl_deinit_core Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> wifi: rtlwifi: remove unused check_buddy_priv Dmitry Antipov <dmantipov(a)yandex.ru> wifi: rtlwifi: remove unused dualmac control leftovers Dmitry Antipov <dmantipov(a)yandex.ru> wifi: rtlwifi: remove unused timer and related code Jakob Koschel <jakobkoschel(a)gmail.com> rtlwifi: replace usage of found with dedicated list iterator variable Neil Armstrong <neil.armstrong(a)linaro.org> dt-bindings: mmc: controller: clarify the address-cells description Mingwei Zheng <zmw12306(a)gmail.com> spi: zynq-qspi: Add check for clk_enable() Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> wifi: rtlwifi: usb: fix workqueue leak when probe fails Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> wifi: rtlwifi: fix init_sw_vars leak when probe fails Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> wifi: rtlwifi: wait for firmware loading before releasing memory Colin Ian King <colin.king(a)canonical.com> rtlwifi: remove redundant assignment to variable err Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> wifi: rtlwifi: rtl8192se: rise completion of firmware loading as last step Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> wifi: rtlwifi: do not complete firmware loading needlessly Charles Han <hanchunchao(a)inspur.com> ipmi: ipmb: Add check devm_kasprintf() returned value Thomas Gleixner <tglx(a)linutronix.de> genirq: Make handle_enforce_irqctx() unconditionally available Ivan Stepchenko <sid(a)itb.spb.ru> drm/amdgpu: Fix potential NULL pointer dereference in atomctrl_get_smc_sclk_range_table Sui Jingfeng <sui.jingfeng(a)linux.dev> drm/etnaviv: Fix page property being used for non writecombine buffers David Howells <dhowells(a)redhat.com> afs: Fix the fallback handling for the YFS.RemoveFile2 RPC call Christophe Leroy <christophe.leroy(a)csgroup.eu> select: Fix unbalanced user_access_end() Randy Dunlap <rdunlap(a)infradead.org> partitions: ldm: remove the initial kernel-doc notation Keisuke Nishimura <keisuke.nishimura(a)inria.fr> nvme: Add error check for xa_store in nvme_get_effects_log Yu Kuai <yukuai3(a)huawei.com> nbd: don't allow reconnect after disconnect David Howells <dhowells(a)redhat.com> afs: Fix directory format encoding struct David Howells <dhowells(a)redhat.com> afs: Fix EEXIST error returned from afs_rmdir() to be ENOTEMPTY ------------- Diffstat: Documentation/admin-guide/kernel-parameters.txt | 10 + .../devicetree/bindings/mmc/mmc-controller.yaml | 2 +- Makefile | 9 +- arch/alpha/include/uapi/asm/ptrace.h | 2 + arch/alpha/kernel/asm-offsets.c | 2 + arch/alpha/kernel/entry.S | 24 +-- arch/alpha/kernel/traps.c | 2 +- arch/alpha/mm/fault.c | 4 +- arch/arm/boot/dts/mt7623.dtsi | 2 +- arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi | 29 +-- arch/arm64/boot/dts/mediatek/mt8173-evb.dts | 25 +-- arch/arm64/boot/dts/mediatek/mt8516.dtsi | 38 ++-- arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi | 2 - arch/arm64/boot/dts/qcom/msm8916.dtsi | 2 +- arch/arm64/boot/dts/qcom/msm8994.dtsi | 2 +- arch/arm64/boot/dts/qcom/sm8250.dtsi | 2 +- arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 2 +- arch/arm64/include/asm/mman.h | 9 +- arch/arm64/kernel/cacheinfo.c | 12 +- arch/arm64/kernel/vdso/vdso.lds.S | 1 + arch/arm64/kernel/vmlinux.lds.S | 1 + arch/hexagon/include/asm/cmpxchg.h | 2 +- arch/hexagon/kernel/traps.c | 4 +- arch/m68k/include/asm/vga.h | 8 +- arch/mips/kernel/ftrace.c | 2 +- arch/powerpc/include/asm/book3s/64/hash-4k.h | 28 +++ arch/powerpc/include/asm/book3s/64/pgtable.h | 26 --- arch/powerpc/lib/code-patching.c | 2 +- arch/powerpc/platforms/pseries/eeh_pseries.c | 6 +- arch/s390/include/asm/futex.h | 2 +- arch/s390/kernel/traps.c | 6 +- arch/s390/kvm/vsie.c | 25 ++- arch/x86/Kconfig | 3 +- arch/x86/boot/compressed/Makefile | 1 + arch/x86/events/intel/core.c | 5 +- arch/x86/include/asm/msr-index.h | 3 +- arch/x86/kernel/amd_nb.c | 4 + arch/x86/kernel/cpu/bugs.c | 20 +- arch/x86/kernel/cpu/cacheinfo.c | 2 +- arch/x86/kernel/cpu/cyrix.c | 4 +- arch/x86/kernel/cpu/intel.c | 52 +++-- arch/x86/kernel/i8253.c | 11 +- arch/x86/kernel/static_call.c | 1 - arch/x86/mm/init.c | 23 ++- arch/x86/xen/mmu_pv.c | 79 +++++-- arch/x86/xen/xen-head.S | 5 +- block/blk-cgroup.c | 1 + block/partitions/efi.c | 2 +- block/partitions/ldm.h | 2 +- block/partitions/mac.c | 18 +- crypto/testmgr.h | 227 +++++++++++++++------ drivers/acpi/apei/ghes.c | 10 +- drivers/acpi/fan.c | 10 +- drivers/base/regmap/regmap-irq.c | 2 + drivers/block/nbd.c | 1 + drivers/char/ipmi/ipmb_dev_int.c | 3 + drivers/char/tpm/eventlog/acpi.c | 16 +- drivers/char/tpm/eventlog/efi.c | 13 +- drivers/char/tpm/eventlog/of.c | 3 +- drivers/char/tpm/tpm-chip.c | 1 - drivers/clk/analogbits/wrpll-cln28hpc.c | 2 +- drivers/clk/imx/clk-imx8mp.c | 5 +- drivers/clk/qcom/clk-alpha-pll.c | 2 + drivers/clk/qcom/clk-rpmh.c | 2 +- drivers/clk/sunxi-ng/ccu-sun50i-a100.c | 6 +- drivers/clocksource/i8253.c | 13 +- drivers/cpufreq/acpi-cpufreq.c | 36 +++- drivers/cpufreq/s3c64xx-cpufreq.c | 11 +- drivers/crypto/hisilicon/qm.c | 46 ++--- drivers/crypto/qce/core.c | 13 +- drivers/dma/ti/edma.c | 3 +- drivers/firmware/Kconfig | 2 +- drivers/firmware/efi/efi.c | 6 +- drivers/firmware/efi/libstub/Makefile | 2 +- drivers/firmware/efi/libstub/randomalloc.c | 3 + drivers/firmware/efi/libstub/relocate.c | 3 + drivers/firmware/efi/mokvar-table.c | 41 ++-- drivers/gpio/gpio-aggregator.c | 20 +- drivers/gpio/gpio-bcm-kona.c | 71 +++++-- drivers/gpio/gpio-pca953x.c | 19 -- drivers/gpio/gpio-rcar.c | 7 +- drivers/gpio/gpio-stmpe.c | 15 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 11 + .../gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c | 2 + .../drm/arm/display/komeda/komeda_wb_connector.c | 4 + drivers/gpu/drm/drm_dp_cec.c | 14 +- drivers/gpu/drm/drm_fb_helper.c | 14 +- drivers/gpu/drm/drm_probe_helper.c | 116 ++++++++--- drivers/gpu/drm/etnaviv/etnaviv_gem.c | 16 +- drivers/gpu/drm/radeon/r300.c | 3 +- drivers/gpu/drm/radeon/radeon_asic.h | 1 + drivers/gpu/drm/radeon/rs400.c | 18 +- drivers/gpu/drm/rockchip/cdn-dp-core.c | 9 +- drivers/gpu/drm/scheduler/gpu_scheduler_trace.h | 4 +- drivers/gpu/drm/tidss/tidss_dispc.c | 22 +- drivers/hid/hid-appleir.c | 2 +- drivers/hid/hid-core.c | 2 + drivers/hid/hid-google-hammer.c | 2 + drivers/hid/hid-multitouch.c | 5 +- drivers/hid/hid-sensor-hub.c | 21 +- drivers/hid/intel-ish-hid/ishtp-hid.c | 4 +- drivers/hid/wacom_wac.c | 5 + drivers/hwmon/ad7314.c | 10 + drivers/hwmon/ntc_thermistor.c | 66 +++--- drivers/hwmon/pmbus/pmbus.c | 2 + drivers/hwmon/xgene-hwmon.c | 2 +- drivers/hwtracing/intel_th/pci.c | 15 ++ drivers/i2c/busses/i2c-npcm7xx.c | 7 + drivers/i2c/i2c-core-acpi.c | 22 ++ drivers/idle/intel_idle.c | 4 + drivers/iio/light/as73211.c | 24 ++- drivers/infiniband/hw/cxgb4/device.c | 6 +- drivers/infiniband/hw/mlx4/main.c | 6 +- drivers/infiniband/hw/mlx5/counters.c | 8 +- drivers/infiniband/hw/mlx5/qp.c | 4 +- drivers/leds/leds-lp8860.c | 2 +- drivers/leds/leds-netxbig.c | 1 + drivers/md/dm-crypt.c | 27 +-- drivers/media/dvb-frontends/cxd2841er.c | 8 +- drivers/media/i2c/ov5640.c | 1 + drivers/media/platform/exynos4-is/mipi-csis.c | 10 +- drivers/media/platform/marvell-ccic/mcam-core.c | 7 +- drivers/media/platform/s3c-camif/camif-core.c | 13 +- drivers/media/rc/iguanair.c | 4 +- drivers/media/test-drivers/vidtv/vidtv_bridge.c | 8 +- drivers/media/usb/dvb-usb-v2/lmedm04.c | 14 +- drivers/media/usb/uvc/uvc_ctrl.c | 85 ++++++-- drivers/media/usb/uvc/uvc_driver.c | 63 +++--- drivers/media/usb/uvc/uvc_queue.c | 3 +- drivers/media/usb/uvc/uvc_status.c | 1 + drivers/media/usb/uvc/uvc_v4l2.c | 2 + drivers/media/usb/uvc/uvcvideo.h | 9 +- drivers/media/v4l2-core/v4l2-mc.c | 2 +- drivers/mfd/lpc_ich.c | 3 +- drivers/misc/eeprom/digsy_mtc_eeprom.c | 2 +- drivers/misc/fastrpc.c | 2 +- drivers/misc/mei/hw-me-regs.h | 2 + drivers/misc/mei/pci-me.c | 2 + drivers/mmc/core/sdio.c | 2 + drivers/mmc/host/sdhci-msm.c | 53 ++++- drivers/mtd/hyperbus/hbmc-am654.c | 19 +- drivers/mtd/nand/onenand/onenand_base.c | 1 + drivers/mtd/nand/raw/cadence-nand-controller.c | 44 +++- drivers/net/caif/caif_virtio.c | 2 +- drivers/net/can/c_can/c_can_platform.c | 5 +- drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 4 +- drivers/net/ethernet/broadcom/bgmac.h | 3 +- drivers/net/ethernet/broadcom/tg3.c | 58 ++++++ drivers/net/ethernet/cadence/macb.h | 2 + drivers/net/ethernet/cadence/macb_main.c | 12 +- drivers/net/ethernet/davicom/dm9000.c | 3 +- drivers/net/ethernet/emulex/benet/be.h | 2 +- drivers/net/ethernet/emulex/benet/be_cmds.c | 197 +++++++++--------- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/freescale/fec_main.c | 31 ++- drivers/net/ethernet/hisilicon/hns3/hnae3.c | 15 ++ drivers/net/ethernet/hisilicon/hns3/hnae3.h | 2 + drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 2 + .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 + .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 2 + drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c | 2 +- .../net/ethernet/mellanox/mlx5/core/lib/clock.c | 24 ++- drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c | 2 - .../net/ethernet/mellanox/mlxsw/spectrum_ethtool.c | 4 +- drivers/net/ethernet/netronome/nfp/bpf/cmsg.c | 2 + drivers/net/ethernet/renesas/sh_eth.c | 4 + drivers/net/ethernet/ti/am65-cpsw-nuss.c | 2 +- drivers/net/geneve.c | 16 +- drivers/net/gtp.c | 5 - drivers/net/loopback.c | 14 ++ drivers/net/netdevsim/ipsec.c | 12 +- drivers/net/netdevsim/netdevsim.h | 1 + drivers/net/netdevsim/udp_tunnels.c | 23 ++- drivers/net/ppp/ppp_generic.c | 28 ++- drivers/net/team/team.c | 11 +- drivers/net/tun.c | 2 +- drivers/net/usb/gl620a.c | 4 +- drivers/net/usb/rtl8150.c | 28 ++- .../wireless/broadcom/brcm80211/brcmfmac/core.c | 5 + .../broadcom/brcm80211/brcmsmac/phy/phy_n.c | 3 + drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 2 +- drivers/net/wireless/mediatek/mt76/usb.c | 4 +- drivers/net/wireless/realtek/rtlwifi/base.c | 42 ++-- drivers/net/wireless/realtek/rtlwifi/base.h | 2 - drivers/net/wireless/realtek/rtlwifi/pci.c | 67 +----- .../net/wireless/realtek/rtlwifi/rtl8192se/sw.c | 7 +- .../net/wireless/realtek/rtlwifi/rtl8821ae/fw.h | 4 +- drivers/net/wireless/realtek/rtlwifi/usb.c | 13 +- drivers/net/wireless/realtek/rtlwifi/wifi.h | 23 --- drivers/net/wireless/ti/wlcore/main.c | 10 +- drivers/nvme/host/core.c | 16 +- drivers/nvme/host/pci.c | 66 +++++- drivers/nvme/target/tcp.c | 15 +- drivers/nvmem/core.c | 2 + drivers/nvmem/qcom-spmi-sdam.c | 1 + drivers/of/base.c | 8 +- drivers/parport/parport_pc.c | 5 + drivers/pci/controller/pcie-rcar-ep.c | 2 +- drivers/pci/endpoint/pci-epc-core.c | 2 +- drivers/pci/quirks.c | 1 + drivers/phy/samsung/phy-exynos5-usbdrd.c | 12 +- drivers/phy/tegra/xusb-tegra186.c | 11 + drivers/platform/x86/thinkpad_acpi.c | 1 + drivers/power/supply/da9150-fg.c | 4 +- drivers/pps/clients/pps-gpio.c | 4 +- drivers/pps/clients/pps-ktimer.c | 4 +- drivers/pps/clients/pps-ldisc.c | 6 +- drivers/pps/clients/pps_parport.c | 4 +- drivers/pps/kapi.c | 10 +- drivers/pps/kc.c | 10 +- drivers/pps/pps.c | 127 ++++++------ drivers/ptp/ptp_clock.c | 8 + drivers/pwm/pwm-stm32.c | 7 +- drivers/rapidio/devices/rio_mport_cdev.c | 3 +- drivers/rapidio/rio-scan.c | 5 +- drivers/regulator/of_regulator.c | 14 +- drivers/rtc/rtc-pcf85063.c | 11 +- drivers/scsi/mpt3sas/mpt3sas_base.c | 3 +- drivers/scsi/qla2xxx/qla_def.h | 2 + drivers/scsi/qla2xxx/qla_dfs.c | 122 +++++++++-- drivers/scsi/qla2xxx/qla_gbl.h | 3 + drivers/scsi/qla2xxx/qla_init.c | 28 ++- drivers/scsi/storvsc_drv.c | 1 + drivers/scsi/ufs/ufs_bsg.c | 1 + drivers/slimbus/messaging.c | 5 +- drivers/soc/qcom/smem_state.c | 3 +- drivers/soc/qcom/socinfo.c | 2 +- drivers/spi/spi-mxs.c | 3 +- drivers/spi/spi-zynq-qspi.c | 13 +- drivers/staging/media/imx/imx-media-of.c | 8 +- drivers/tee/optee/supp.c | 35 +--- drivers/tty/serial/8250/8250.h | 2 + drivers/tty/serial/8250/8250_dma.c | 16 ++ drivers/tty/serial/8250/8250_pci.c | 10 + drivers/tty/serial/8250/8250_port.c | 9 + drivers/tty/serial/sh-sci.c | 25 ++- drivers/usb/atm/cxacru.c | 13 +- drivers/usb/class/cdc-acm.c | 28 ++- drivers/usb/core/hub.c | 16 +- drivers/usb/core/quirks.c | 10 + drivers/usb/dwc2/gadget.c | 1 + drivers/usb/dwc3/gadget.c | 37 +++- drivers/usb/gadget/composite.c | 17 +- drivers/usb/gadget/function/f_midi.c | 22 +- drivers/usb/gadget/function/f_tcm.c | 66 +++--- drivers/usb/gadget/udc/renesas_usb3.c | 2 +- drivers/usb/host/pci-quirks.c | 9 + drivers/usb/host/xhci-mem.c | 5 +- drivers/usb/host/xhci-pci.c | 17 +- drivers/usb/host/xhci-ring.c | 12 +- drivers/usb/host/xhci.c | 23 ++- drivers/usb/host/xhci.h | 11 +- drivers/usb/renesas_usbhs/common.c | 6 +- drivers/usb/renesas_usbhs/mod_gadget.c | 2 +- drivers/usb/roles/class.c | 5 +- drivers/usb/serial/option.c | 49 +++-- drivers/usb/typec/tcpm/tcpci_rt1711h.c | 11 + drivers/usb/typec/tcpm/tcpm.c | 2 +- drivers/usb/typec/ucsi/ucsi.c | 2 +- drivers/vfio/pci/vfio_pci_rdwr.c | 1 + drivers/vfio/platform/vfio_platform_common.c | 10 + drivers/video/fbdev/omap2/omapfb/dss/dss-of.c | 1 + fs/afs/dir.c | 7 +- fs/afs/xdr_fs.h | 2 +- fs/afs/yfsclient.c | 5 +- fs/binfmt_flat.c | 2 +- fs/btrfs/inode.c | 4 +- fs/btrfs/locking.c | 68 +++++- fs/btrfs/relocation.c | 14 +- fs/btrfs/super.c | 2 +- fs/btrfs/transaction.c | 4 +- fs/cifs/smb2ops.c | 4 + fs/f2fs/file.c | 13 ++ fs/nfs/flexfilelayout/flexfilelayout.c | 27 ++- fs/nfs/nfs42xdr.c | 2 + fs/nfsd/nfs2acl.c | 2 + fs/nfsd/nfs3acl.c | 2 + fs/nfsd/nfs4callback.c | 8 +- fs/nilfs2/dir.c | 24 +-- fs/nilfs2/inode.c | 10 +- fs/nilfs2/mdt.c | 6 +- fs/nilfs2/namei.c | 37 ++-- fs/nilfs2/nilfs.h | 10 +- fs/nilfs2/page.c | 55 ++--- fs/nilfs2/page.h | 4 +- fs/nilfs2/segment.c | 4 +- fs/ocfs2/dir.c | 25 ++- fs/ocfs2/quota_global.c | 5 + fs/ocfs2/super.c | 2 +- fs/ocfs2/symlink.c | 5 +- fs/orangefs/orangefs-debugfs.c | 4 +- fs/select.c | 4 +- fs/squashfs/inode.c | 5 +- fs/ubifs/debug.c | 22 +- fs/udf/super.c | 2 +- include/asm-generic/vmlinux.lds.h | 2 +- include/drm/drm_probe_helper.h | 1 + include/linux/efi.h | 1 + include/linux/i8253.h | 1 + include/linux/kallsyms.h | 2 +- include/linux/kvm_host.h | 9 + include/linux/mlx5/driver.h | 1 - include/linux/netdevice.h | 6 + include/linux/pci_ids.h | 4 + include/linux/pps_kernel.h | 3 +- include/linux/usb/hcd.h | 5 +- include/net/dst.h | 23 ++- include/net/flow_dissector.h | 16 ++ include/net/flow_offload.h | 6 + include/net/l3mdev.h | 2 + include/net/net_namespace.h | 15 +- include/trace/events/oom.h | 36 +++- include/uapi/linux/input-event-codes.h | 1 + kernel/acct.c | 141 ++++++++----- kernel/bpf/syscall.c | 18 +- kernel/debug/kdb/kdb_io.c | 2 + kernel/events/core.c | 17 +- kernel/irq/internals.h | 9 +- kernel/padata.c | 45 +++- kernel/power/hibernate.c | 7 +- kernel/printk/printk.c | 2 +- kernel/sched/core.c | 8 +- kernel/sched/cpufreq_schedutil.c | 12 +- kernel/time/clocksource.c | 79 ++++++- kernel/trace/bpf_trace.c | 2 +- kernel/trace/ftrace.c | 27 ++- lib/Kconfig.debug | 8 +- mm/memcontrol.c | 7 +- mm/oom_kill.c | 14 +- mm/page_alloc.c | 1 + net/8021q/vlan.c | 3 +- net/8021q/vlan.h | 2 +- net/8021q/vlan_dev.c | 15 +- net/8021q/vlan_netlink.c | 7 +- net/batman-adv/bat_v.c | 3 +- net/batman-adv/bat_v_elp.c | 124 +++++++---- net/batman-adv/bat_v_elp.h | 2 - net/batman-adv/bat_v_ogm.c | 1 + net/batman-adv/fragmentation.c | 2 +- net/batman-adv/hard-interface.c | 1 + net/batman-adv/icmp_socket.c | 1 + net/batman-adv/main.c | 1 + net/batman-adv/netlink.c | 1 + net/batman-adv/tp_meter.c | 1 + net/batman-adv/types.h | 3 - net/bluetooth/l2cap_core.c | 9 +- net/bluetooth/l2cap_sock.c | 7 +- net/can/j1939/socket.c | 4 +- net/can/j1939/transport.c | 5 +- net/core/drop_monitor.c | 39 ++-- net/core/flow_dissector.c | 49 +++-- net/core/flow_offload.c | 7 + net/core/neighbour.c | 11 +- net/core/skbuff.c | 2 +- net/core/sysctl_net_core.c | 5 +- net/hsr/hsr_forward.c | 7 +- net/ipv4/arp.c | 4 +- net/ipv4/devinet.c | 3 +- net/ipv4/ip_input.c | 1 + net/ipv4/ip_output.c | 1 + net/ipv4/ipmr_base.c | 3 - net/ipv4/route.c | 8 +- net/ipv4/tcp_minisocks.c | 10 +- net/ipv4/tcp_offload.c | 11 +- net/ipv4/udp.c | 4 +- net/ipv4/udp_offload.c | 8 +- net/ipv6/ila/ila_lwt.c | 4 +- net/ipv6/ip6_output.c | 1 + net/ipv6/ndisc.c | 28 +-- net/ipv6/route.c | 7 +- net/ipv6/rpl_iptunnel.c | 67 +++--- net/ipv6/seg6_iptunnel.c | 2 +- net/ipv6/udp.c | 4 +- net/llc/llc_s_ac.c | 49 +++-- net/mptcp/pm_netlink.c | 6 - net/mptcp/protocol.c | 1 + net/ncsi/ncsi-manage.c | 13 +- net/netfilter/nf_tables_api.c | 8 +- net/nfc/nci/hci.c | 2 + net/openvswitch/datapath.c | 12 +- net/rose/af_rose.c | 40 ++-- net/rose/rose_timer.c | 15 ++ net/sched/cls_flower.c | 8 +- net/sched/sch_api.c | 4 + net/sched/sch_cake.c | 140 +++++++------ net/sched/sch_fifo.c | 3 + net/sched/sch_netem.c | 2 +- net/smc/af_smc.c | 2 +- net/smc/smc_rx.c | 37 ++-- net/smc/smc_rx.h | 8 +- net/sunrpc/cache.c | 10 +- net/tipc/crypto.c | 4 +- net/vmw_vsock/af_vsock.c | 82 +++++--- net/wireless/nl80211.c | 5 + net/wireless/reg.c | 3 +- net/wireless/scan.c | 35 ++++ net/xfrm/xfrm_replay.c | 10 +- scripts/Makefile.extrawarn | 5 +- scripts/genksyms/genksyms.c | 11 +- scripts/genksyms/genksyms.h | 2 +- scripts/genksyms/parse.y | 18 +- security/integrity/ima/ima_api.c | 16 +- security/integrity/ima/ima_template_lib.c | 17 +- security/safesetid/securityfs.c | 3 + security/tomoyo/common.c | 2 +- sound/pci/hda/hda_intel.c | 2 + sound/pci/hda/patch_conexant.c | 1 + sound/pci/hda/patch_realtek.c | 78 +++++++ sound/soc/codecs/es8328.c | 15 +- sound/soc/intel/boards/bytcr_rt5640.c | 17 +- sound/soc/sunxi/sun4i-spdif.c | 7 + sound/usb/midi.c | 2 +- sound/usb/usx2y/usbusx2y.c | 11 + sound/usb/usx2y/usbusx2y.h | 26 +++ sound/usb/usx2y/usbusx2yaudio.c | 27 --- tools/bootconfig/main.c | 4 +- tools/perf/bench/epoll-wait.c | 7 +- tools/perf/builtin-report.c | 2 +- tools/perf/builtin-top.c | 2 +- tools/perf/builtin-trace.c | 6 +- tools/perf/util/bpf-event.c | 10 +- tools/perf/util/cs-etm.c | 2 +- tools/perf/util/dso.c | 14 +- tools/perf/util/env.c | 28 ++- tools/perf/util/env.h | 8 +- tools/perf/util/header.c | 29 ++- .../cpupower/utils/idle_monitor/mperf_monitor.c | 15 +- tools/testing/ktest/ktest.pl | 7 +- tools/testing/selftests/bpf/test_tc_tunnel.sh | 1 + .../drivers/net/netdevsim/udp_tunnel_nic.sh | 16 +- tools/testing/selftests/kselftest_harness.h | 24 +-- tools/testing/selftests/net/ipsec.c | 3 +- tools/testing/selftests/net/rtnetlink.sh | 4 +- tools/testing/selftests/net/udpgso.c | 26 +++ 434 files changed, 4060 insertions(+), 2030 deletions(-)

2 months, 2 weeks

7
470
0 0

[PATCH 5.15 000/620] 5.15.179-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.15.179 release. There are 620 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 12 Mar 2025 17:04:00 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.179-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.15.179-rc1 Jakub Kicinski <kuba(a)kernel.org> net: ipv6: fix dst refleaks in rpl, seg6 and ioam6 lwtunnels Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> kbuild: userprogs: use correct lld when linking through clang Toke Høiland-Jørgensen <toke(a)redhat.com> sched: sch_cake: add bounds checks to host bulk flow fairness counts Michal Luczaj <mhal(a)rbox.co> vsock: Orphan socket after transport release Michal Luczaj <mhal(a)rbox.co> vsock: Keep the binding until socket destruction Michal Luczaj <mhal(a)rbox.co> bpf, vsock: Invoke proto::close on close() Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Remove dangling pointers Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Fix crash during unbind if gpio unit is in use Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: handle errors that nilfs_prepare_chunk() may return Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: eliminate staggered calls to kunmap in nilfs_rename Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: move page release outside of nilfs_delete_entry and nilfs_set_link Ralf Schlatterbeck <rsc(a)runtux.com> spi-mxs: Fix chipselect glitch Niravkumar L Rabara <niravkumar.l.rabara(a)intel.com> mtd: rawnand: cadence: fix unchecked dereference NeilBrown <neilb(a)suse.de> md: select BLOCK_LEGACY_AUTOLOAD Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Avoid returning invalid controls Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Avoid invalid memory access Haoyu Li <lihaoyu499(a)gmail.com> drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> eeprom: digsy_mtc: Make GPIO lookup table match the device Manivannan Sadhasivam <mani(a)kernel.org> bus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock Visweswara Tanuku <quic_vtanuku(a)quicinc.com> slimbus: messaging: Free transaction ID in delayed interrupt scenario Alexander Shishkin <alexander.shishkin(a)linux.intel.com> intel_th: pci: Add Panther Lake-P/U support Alexander Shishkin <alexander.shishkin(a)linux.intel.com> intel_th: pci: Add Panther Lake-H support Pawel Chmielewski <pawel.chmielewski(a)intel.com> intel_th: pci: Add Arrow Lake support Alexander Usyskin <alexander.usyskin(a)intel.com> mei: me: add panther lake P DID Phillip Lougher <phillip(a)squashfs.org.uk> Squashfs: check the inode number is not the invalid value of zero Michal Pecio <michal.pecio(a)gmail.com> usb: xhci: Enable the TRB overfetch quirk on VIA VL805 Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> xhci: pci: Fix indentation in the PCI device ID definitions Prashanth K <prashanth.k(a)oss.qualcomm.com> usb: gadget: Check bmAttributes only if configuration is valid Marek Szyprowski <m.szyprowski(a)samsung.com> usb: gadget: Fix setting self-powered state on suspend Prashanth K <prashanth.k(a)oss.qualcomm.com> usb: gadget: Set self-powered based on MaxPower and bmAttributes AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> usb: typec: tcpci_rt1711h: Unmask alert interrupts to fix functionality Fedor Pchelkin <boddah8794(a)gmail.com> usb: typec: ucsi: increase timeout for PPM reset operations Badhri Jagan Sridharan <badhri(a)google.com> usb: dwc3: gadget: Prevent irq storm when TH re-executes Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> usb: dwc3: Set SUSPENDENABLE soon after phy init Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> usb: atm: cxacru: fix a flaw in existing endpoint checks Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> usb: renesas_usbhs: Flush the notify_hotplug_work Miao Li <limiao(a)kylinos.cn> usb: quirks: Add DELAY_INIT and NO_LPM for Prolific Mass Storage Card Reader Pawel Laszczak <pawell(a)cadence.com> usb: hub: lack of clearing xHC resources Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> usb: renesas_usbhs: Use devm_usb_get_phy() Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> usb: renesas_usbhs: Call clk_put() Christian Heusel <christian(a)heusel.eu> Revert "drivers/card_reader/rtsx_usb: Restore interrupt based detection" Fabrizio Castro <fabrizio.castro.jz(a)renesas.com> gpio: rcar: Fix missing of_node_put() call Justin Iurman <justin.iurman(a)uliege.be> net: ipv6: fix missing dst ref drop in ila lwtunnel Justin Iurman <justin.iurman(a)uliege.be> net: ipv6: fix dst ref loop in ila lwtunnel Zecheng Li <zecheng(a)google.com> sched/fair: Fix potential memory corruption in child_cfs_rq_on_list Jason Xing <kerneljasonxing(a)gmail.com> net-timestamp: support TCP GSO case for a few missing flags Namjae Jeon <linkinjeon(a)kernel.org> exfat: fix soft lockup in exfat_clear_bitmap Jarkko Sakkinen <jarkko(a)kernel.org> x86/sgx: Fix size overflows in sgx_encl_create() Reinette Chatre <reinette.chatre(a)intel.com> x86/sgx: Support VA page allocation without reclaiming Reinette Chatre <reinette.chatre(a)intel.com> x86/sgx: Export sgx_encl_{grow,shrink}() Reinette Chatre <reinette.chatre(a)intel.com> x86/sgx: Move PTE zap code to new sgx_zap_enclave_ptes() Reinette Chatre <reinette.chatre(a)intel.com> x86/sgx: Support loading enclave page without VMA permissions check Oscar Maes <oscmaes92(a)gmail.com> vlan: enforce underlying device type Jiayuan Chen <jiayuan.chen(a)linux.dev> ppp: Fix KMSAN uninit-value warning with bpf Peiyang Wang <wangpeiyang1(a)huawei.com> net: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error Nikolay Aleksandrov <razor(a)blackwall.org> be2net: fix sleeping while atomic bugs in be_ndo_bridge_getlink Philipp Stanner <phasta(a)kernel.org> drm/sched: Fix preprocessor guard Xinghuo Chen <xinghuo.chen(a)foxmail.com> hwmon: fix a NULL vs IS_ERR_OR_NULL() check in xgene_hwmon_probe() Eric Dumazet <edumazet(a)google.com> llc: do not use skb_get() before dev_queue_xmit() Murad Masimov <m.masimov(a)mt-integration.ru> ALSA: usx2y: validate nrpacks module parameter on probe Erik Schumacher <erik.schumacher(a)iris-sensing.com> hwmon: (ad7314) Validate leading zero bits and return error Maud Spierings <maudspierings(a)gocontroll.com> hwmon: (ntc_thermistor) Fix the ncpXXxh103 sensor table Titus Rwantare <titusr(a)google.com> hwmon: (pmbus) Initialise page count in pmbus_identify() Vitaliy Shevtsov <v.shevtsov(a)mt-integration.ru> caif_virtio: fix wrong pointer check in cfv_probe() Antoine Tenart <atenart(a)kernel.org> net: gso: fix ownership in __udp_gso_segment Meir Elisha <meir.elisha(a)volumez.com> nvmet-tcp: Fix a possible sporadic response drops in weakly ordered arch Zhang Lixu <lixu.zhang(a)intel.com> HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove() Yu-Chun Lin <eleanor15x(a)gmail.com> HID: google: fix unused variable warning under !CONFIG_ACPI Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: limit printed string from FW file Ryan Roberts <ryan.roberts(a)arm.com> mm: don't skip arch_sync_kernel_mappings() in error paths Hao Zhang <zhanghao1(a)kylinos.cn> mm/page_alloc: fix uninitialized variable Olivier Gayot <olivier.gayot(a)canonical.com> block: fix conversion of GPT partition name to 7-bit Heiko Carstens <hca(a)linux.ibm.com> s390/traps: Fix test_monitor_call() inline assembly Haoxiang Li <haoxiang_li2024(a)163.com> rapidio: fix an API misues when rio_add_net() fails Haoxiang Li <haoxiang_li2024(a)163.com> rapidio: add check for rio_add_net() in rio_scan_alloc_net() Vitaliy Shevtsov <v.shevtsov(a)mt-integration.ru> wifi: nl80211: reject cooked mode if it is set along with other flags Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> wifi: cfg80211: regulatory: improve invalid hints checking Ahmed S. Darwish <darwi(a)linutronix.de> x86/cpu: Properly parse CPUID leaf 0x2 TLB descriptor 0x63 Ahmed S. Darwish <darwi(a)linutronix.de> x86/cpu: Validate CPUID leaf 0x2 EDX output Ahmed S. Darwish <darwi(a)linutronix.de> x86/cacheinfo: Validate CPUID leaf 0x2 EDX output Mingcong Bai <jeffbai(a)aosc.io> platform/x86: thinkpad_acpi: Add battery quirk for ThinkPad X131e Richard Thier <u9vata(a)gmail.com> drm/radeon: Fix rs400_gpu_init for ATI mobility radeon Xpress 200M Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek: update ALC222 depop optimize Hoku Ishibe <me(a)hokuishi.be> ALSA: hda: intel: Add Dell ALC3271 to power_save denylist Koichiro Den <koichiro.den(a)canonical.com> gpio: aggregator: protect driver attr handlers against module unload Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> gpio: rcar: Use raw_spinlock to protect register access Daniil Dulov <d.dulov(a)aladdin.ru> HID: appleir: Fix potential NULL dereference at raw event handle Rob Herring (Arm) <robh(a)kernel.org> Revert "of: reserved-memory: Fix using wrong number of cells to get property 'alignment'" Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: disable BAR resize on Dell G5 SE Ma Jun <Jun.Ma2(a)amd.com> drm/amdgpu: Check extended configuration space register when system uses large bar Haoxiang Li <haoxiang_li2024(a)163.com> smb: client: Add check for next_buffer in receive_encrypted_standard() Quang Le <quanglex97(a)gmail.com> pfifo_tail_enqueue: Drop new packet when sch->limit == 0 Thomas Gleixner <tglx(a)linutronix.de> intel_idle: Handle older CPUs, which stop the TSC in deeper C states, correctly Thomas Gleixner <tglx(a)linutronix.de> sched/core: Prevent rescheduling when interrupts are disabled Ard Biesheuvel <ardb(a)kernel.org> vmlinux.lds: Ensure that const vars with relocations are mapped R/O Paolo Abeni <pabeni(a)redhat.com> mptcp: always handle address removal under msk socket lock Kaustabh Chakraborty <kauschluss(a)disroot.org> phy: exynos5-usbdrd: fix MPLL_MULTIPLIER and SSC_REFCLKSEL masks in refclk BH Hsieh <bhsieh(a)nvidia.com> phy: tegra: xusb: reset VBUS & ID OVERRIDE Wei Fang <wei.fang(a)nxp.com> net: enetc: correct the xdp_tx statistics Wei Fang <wei.fang(a)nxp.com> net: enetc: update UDP checksum when updating originTimestamp field Wei Fang <wei.fang(a)nxp.com> net: enetc: fix the off-by-one issue in enetc_map_tx_buffs() Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> usbnet: gl620a: fix endpoint checking in genelink_bind() Tyrone Ting <kfting(a)nuvoton.com> i2c: npcm: disable interrupt enable bit before devm_request_irq Roman Li <Roman.Li(a)amd.com> drm/amd/display: Fix HPD after gpu reset Kan Liang <kan.liang(a)linux.intel.com> perf/core: Fix low freq setting via IOC_PERIOD Dmitry Panchenko <dmitry(a)d-systems.ee> ALSA: usb-audio: Re-add sample rate quirk for Pioneer DJM-900NXS2 Nikolay Kuratov <kniv(a)yandex-team.ru> ftrace: Avoid potential division by zero in function_stat_show() Russell Senior <russell(a)personaltelco.net> x86/CPU: Fix warm boot hang regression on AMD SC1100 SoC systems Justin Iurman <justin.iurman(a)uliege.be> net: ipv6: fix dst ref loop on input in rpl lwt Justin Iurman <justin.iurman(a)uliege.be> net: ipv6: rpl_iptunnel: mitigate 2-realloc issue Justin Iurman <justin.iurman(a)uliege.be> net: ipv6: fix dst ref loop on input in seg6 lwt Justin Iurman <justin.iurman(a)uliege.be> net: ipv6: seg6_iptunnel: mitigate 2-realloc issue Justin Iurman <justin.iurman(a)uliege.be> include: net: add static inline dst_dev_overhead() to dst.h Andrea Mayer <andrea.mayer(a)uniroma2.it> seg6: add support for SRv6 H.L2Encaps.Red behavior Andrea Mayer <andrea.mayer(a)uniroma2.it> seg6: add support for SRv6 H.Encaps.Red behavior Shay Drory <shayd(a)nvidia.com> net/mlx5: IRQ, Fix null string in debug print Harshal Chaudhari <hchaudhari(a)marvell.com> net: mvpp2: cls: Fixed Non IP flow, with vlan tag flow defination. Wang Hai <wanghai38(a)huawei.com> tcp: Defer ts_recent changes until req is owned Philo Lu <lulie(a)linux.alibaba.com> ipvs: Always clear ipvs_property flag in skb_scrub_packet() Nicolas Frattaroli <nicolas.frattaroli(a)collabora.com> ASoC: es8328: fix route from DAC to output Sean Anderson <sean.anderson(a)linux.dev> net: cadence: macb: Synchronize stats calculations Ido Schimmel <idosch(a)nvidia.com> net: loopback: Avoid sending IP packets without an Ethernet header David Howells <dhowells(a)redhat.com> afs: Fix the server_list to unuse a displaced server rather than putting it David Howells <dhowells(a)redhat.com> afs: Make it possible to find the volumes that are using a server Colin Ian King <colin.i.king(a)gmail.com> afs: remove variable nr_servers Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: L2CAP: Fix L2CAP_ECRED_CONN_RSP response Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Avoid dropping MIDI events at closing multiple ports Arnd Bergmann <arnd(a)arndb.de> sunrpc: suppress warnings for unused procfs functions Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix bind QP error cleanup flow Ye Bin <yebin10(a)huawei.com> scsi: core: Clear driver private data when retrying request Christoph Hellwig <hch(a)lst.de> scsi: core: Don't memset() the entire scsi_cmnd in scsi_init_command() Vasiliy Kovalev <kovalev(a)altlinux.org> ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up Christian Brauner <brauner(a)kernel.org> ovl: pass ofs to creation operations Amir Goldstein <amir73il(a)gmail.com> ovl: use wrappers to all vfs_*xattr() calls Mark Zhang <markzhang(a)nvidia.com> IB/mlx5: Set and get correct qp_num for a DCT QP Patrick Bellasi <derkling(a)google.com> x86/cpu/kvm: SRSO: Fix possible missing IBPB on VM-Exit Niravkumar L Rabara <niravkumar.l.rabara(a)intel.com> mtd: rawnand: cadence: fix incorrect device in dma_unmap_single Niravkumar L Rabara <niravkumar.l.rabara(a)intel.com> mtd: rawnand: cadence: use dma_map_resource for sdma address Niravkumar L Rabara <niravkumar.l.rabara(a)intel.com> mtd: rawnand: cadence: fix error code in cadence_nand_init() Christian Brauner <brauner(a)kernel.org> acct: block access to kernel internal filesystems Christian Brauner <brauner(a)kernel.org> acct: perform last write from workqueue John Veness <john-linux(a)pelago.org.uk> ALSA: hda/conexant: Add quirk for HP ProBook 450 G4 mute LED Haoxiang Li <haoxiang_li2024(a)163.com> nfp: bpf: Add check for nfp_app_ctrl_msg_alloc() Gavrilov Ilia <Ilia.Gavrilov(a)infotecs.ru> drop_monitor: fix incorrect initialization order Sumit Garg <sumit.garg(a)linaro.org> tee: optee: Fix supplicant wait loop Yan Zhai <yan(a)cloudflare.com> bpf: skip non exist keys in generic_map_lookup_batch Caleb Sander Mateos <csander(a)purestorage.com> nvme/ioctl: add missing space in err message Andrey Vatoropin <a.vatoropin(a)crpt.ru> power: supply: da9150-fg: fix potential overflow Breno Leitao <leitao(a)debian.org> arp: switch to dev_getbyhwaddr() in arp_req_set_public() Breno Leitao <leitao(a)debian.org> net: Add non-RCU dev_getbyhwaddr() helper Cong Wang <xiyou.wangcong(a)gmail.com> flow_dissector: Fix port range key handling in BPF conversion Cong Wang <xiyou.wangcong(a)gmail.com> flow_dissector: Fix handling of mixed port and port-range keys Maksym Glubokiy <maksym.glubokiy(a)plvision.eu> net: extract port range fields from fl_flow_key Kuniyuki Iwashima <kuniyu(a)amazon.com> geneve: Suppress list corruption splat in geneve_destroy_tunnels(). Kuniyuki Iwashima <kuniyu(a)amazon.com> gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl(). Kuniyuki Iwashima <kuniyu(a)amazon.com> geneve: Fix use-after-free in geneve_find_dev(). Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek: Fixup ALC225 depop procedure Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/64s: Rewrite __real_pte() and __rpte_to_hidx() as static inline Michael Ellerman <mpe(a)ellerman.id.au> powerpc/64s/mm: Move __real_pte stubs into hash-4k.h Jill Donahue <jilliandonahue58(a)gmail.com> USB: gadget: f_midi: f_midi_complete to call queue_work Selvarasu Ganesan <selvarasu.g(a)samsung.com> usb: dwc3: Fix timeout issue during controller enter/exit from halt state Wesley Cheng <quic_wcheng(a)quicinc.com> usb: dwc3: Increase DWC3 controller halt timeout Sven Eckelmann <sven(a)narfation.org> batman-adv: Drop unmanaged ELP metric worker Sven Eckelmann <sven(a)narfation.org> batman-adv: Drop initialization of flexible ethtool_link_ksettings Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Only save async fh if success Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Refactor iterators Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Set error_idx during ctrl_commit errors Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soc: mediatek: mtk-devapc: Fix leaking IO map on driver remove Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> soc/mediatek: mtk-devapc: Convert to platform remove callback returning void Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soc: mediatek: mtk-devapc: Fix leaking IO map on error paths AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> soc: mediatek: mtk-devapc: Switch to devm_clk_get_enabled() Marco Elver <elver(a)google.com> kfence: skip __GFP_THISNODE allocations on NUMA systems huangshaobo <huangshaobo6(a)huawei.com> kfence: enable check kfence canary on panic via boot param Marco Elver <elver(a)google.com> kfence: allow use of a deferrable timer Jarkko Sakkinen <jarkko(a)kernel.org> tpm: Change to kvalloc() in eventlog/acpi.c Eddie James <eajames(a)linux.ibm.com> tpm: Use managed allocation for bios event log Chen-Yu Tsai <wenst(a)chromium.org> arm64: dts: mediatek: mt8183: Disable DSI display output by default Dan Carpenter <dan.carpenter(a)linaro.org> ASoC: renesas: rz-ssi: Add a check for negative sample_space Thomas Zimmermann <tzimmermann(a)suse.de> drm/rockchip: cdn-dp: Use drm_connector_helper_hpd_irq_event() Maxime Ripard <maxime(a)cerno.tech> drm/probe-helper: Create a HPD IRQ event helper for a single connector Dan Carpenter <dan.carpenter(a)linaro.org> ksmbd: fix integer overflows on 32 bit systems Chen Ridong <chenridong(a)huawei.com> memcg: fix soft lockup in the OOM process Carlos Galo <carlosgalo(a)google.com> mm: update mark_victim tracepoints fields Dan Carpenter <dan.carpenter(a)linaro.org> media: imx-jpeg: Fix potential error pointer dereference in detach_pm() Ignat Korchagin <ignat(a)cloudflare.com> crypto: testmgr - some more fixes to RSA test vectors Ignat Korchagin <ignat(a)cloudflare.com> crypto: testmgr - populate RSA CRT parameters in RSA test vectors lei he <helei.sig11(a)bytedance.com> crypto: testmgr - fix version number of RSA tests Lei He <helei.sig11(a)bytedance.com> crypto: testmgr - Fix wrong test case of RSA Lei He <helei.sig11(a)bytedance.com> crypto: testmgr - fix wrong key length for pkcs1pad Catalin Marinas <catalin.marinas(a)arm.com> arm64: mte: Do not allow PROT_MTE on MAP_HUGETLB user mappings Calvin Owens <calvin(a)wbinvd.org> pps: Fix a use-after-free Filipe Manana <fdmanana(a)suse.com> btrfs: avoid monopolizing a core when activating a swap file Koichiro Den <koichiro.den(a)canonical.com> Revert "btrfs: avoid monopolizing a core when activating a swap file" David Woodhouse <dwmw(a)amazon.co.uk> x86/i8253: Disable PIT timer 0 when not in use Chao Yu <chao(a)kernel.org> f2fs: fix to wait dio completion Romain Naour <romain.naour(a)skf.com> ARM: dts: dra7: Add bus_dma_limit for l4 cfg bus Hangbin Liu <liuhangbin(a)gmail.com> selftests: rtnetlink: update netdevsim ipsec output format Hangbin Liu <liuhangbin(a)gmail.com> netdevsim: print human readable IP address Jiaqing Zhao <jiaqing.zhao(a)linux.intel.com> parport_pc: add support for ASIX AX99100 Jiaqing Zhao <jiaqing.zhao(a)linux.intel.com> serial: 8250_pci: add support for ASIX AX99100 Jiaqing Zhao <jiaqing.zhao(a)linux.intel.com> can: ems_pci: move ASIX AX99100 ids to pci_ids.h Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: protect access to buffers with no active references Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: do not force clear folio if buffer is referenced Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: do not output warnings when clearing dirty buffers Ivan Kokshaysky <ink(a)unseen.parts> alpha: replace hardcoded stack offsets with autogenerated ones Andrew Cooper <andrew.cooper3(a)citrix.com> x86/static-call: Remove early_boot_irqs_disabled check to fix Xen PVH dom0 John Ogness <john.ogness(a)linutronix.de> kdb: Do not assume write() callback available Christian Gmeiner <cgmeiner(a)igalia.com> drm/v3d: Stop active perfmon if it is being destroyed Devarsh Thakkar <devarsht(a)ti.com> drm/tidss: Clear the interrupt status for interrupts being disabled Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> drm/tidss: Fix issue in irq handling causing irq-flood issue Eric Dumazet <edumazet(a)google.com> ipv6: mcast: add RCU protection to mld_newpack() Eric Dumazet <edumazet(a)google.com> ndisc: extend RCU protection in ndisc_send_skb() Eric Dumazet <edumazet(a)google.com> openvswitch: use RCU protection in ovs_vport_cmd_fill_info() Eric Dumazet <edumazet(a)google.com> arp: use RCU protection in arp_xmit() Eric Dumazet <edumazet(a)google.com> neighbour: use RCU protection in __neigh_notify() Li Zetao <lizetao1(a)huawei.com> neighbour: delete redundant judgment statements Eric Dumazet <edumazet(a)google.com> ndisc: use RCU protection in ndisc_alloc_skb() Eric Dumazet <edumazet(a)google.com> ipv6: use RCU protection in ip6_default_advmss() Eric Dumazet <edumazet(a)google.com> ipv4: use RCU protection in __ip_rt_update_pmtu() Vladimir Vdovin <deliran(a)verdict.gg> net: ipv4: Cache pmtu for all packet paths if multipath enabled Guillaume Nault <gnault(a)redhat.com> selftest: net: Test IPv4 PMTU exceptions with DSCP and ECN xu xin <xu.xin16(a)zte.com.cn> Namespaceify mtu_expires sysctl xu xin <xu.xin16(a)zte.com.cn> Namespaceify min_pmtu sysctl Eric Dumazet <edumazet(a)google.com> ipv4: use RCU protection in inet_select_addr() Eric Dumazet <edumazet(a)google.com> ipv4: use RCU protection in rt_is_expired() Eric Dumazet <edumazet(a)google.com> net: add dev_net_rcu() helper Jiri Pirko <jiri(a)nvidia.com> net: treat possible_net_t net pointer as an RCU one and add read_pnet_rcu() Eric Dumazet <edumazet(a)google.com> ipv4: add RCU protection to ip4_dst_hoplimit() Waiman Long <longman(a)redhat.com> clocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context Waiman Long <longman(a)redhat.com> clocksource: Use pr_info() for "Checking clocksource synchronization" message Yury Norov <yury.norov(a)gmail.com> clocksource: Replace cpumask_weight() with cpumask_empty() Filipe Manana <fdmanana(a)suse.com> btrfs: fix hole expansion when writing at an offset beyond EOF Wentao Liang <vulab(a)iscas.ac.cn> mlxsw: Add return value check for mlxsw_sp_port_get_stats_raw() Nathan Chancellor <nathan(a)kernel.org> arm64: Handle .ARM.attributes section in linker scripts Jiasheng Jiang <jiashengjiangcool(a)gmail.com> regmap-irq: Add missing kfree() Jann Horn <jannh(a)google.com> partitions: mac: fix handling of bogus partition table Wentao Liang <vulab(a)iscas.ac.cn> gpio: stmpe: Check return value of stmpe_reg_read in stmpe_gpio_irq_sync_unlock Ivan Kokshaysky <ink(a)unseen.parts> alpha: align stack for page fault and user unaligned trap handlers John Keeping <jkeeping(a)inmusicbrands.com> serial: 8250: Fix fifo underflow on flush Shakeel Butt <shakeel.butt(a)linux.dev> cgroup: fix race between fork and cgroup.kill Ard Biesheuvel <ardb(a)kernel.org> efi: Avoid cold plugged memory for placing the kernel Ivan Kokshaysky <ink(a)unseen.parts> alpha: make stack 16-byte aligned (most cases) Alexander Hölzl <alexander.hoelzl(a)gmx.net> can: j1939: j1939_sk_send_loop(): fix unable to send messages with data length zero Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> can: c_can: fix unbalanced runtime PM disable in error path Johan Hovold <johan(a)kernel.org> USB: serial: option: drop MeiG Smart defines Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: fix Telit Cinterion FN990A name Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion FN990B compositions Chester A. Unal <chester.a.unal(a)arinc9.com> USB: serial: option: add MeiG Smart SLM828 Jann Horn <jannh(a)google.com> usb: cdc-acm: Fix handling of oversized fragments Jann Horn <jannh(a)google.com> usb: cdc-acm: Check control transfer buffer size before access Marek Vasut <marek.vasut+renesas(a)mailbox.org> USB: cdc-acm: Fill in Renesas R-Car D3 USB Download mode quirk Alan Stern <stern(a)rowland.harvard.edu> USB: hub: Ignore non-compliant devices with too many configs or interfaces John Keeping <jkeeping(a)inmusicbrands.com> usb: gadget: f_midi: fix MIDI Streaming descriptor lengths Mathias Nyman <mathias.nyman(a)linux.intel.com> USB: Add USB_QUIRK_NO_LPM quirk for sony xperia xz1 smartphone Lei Huang <huanglei(a)kylinos.cn> USB: quirks: add USB_QUIRK_NO_LPM quirk for Teclast dist Stefan Eichenberger <stefan.eichenberger(a)toradex.com> usb: core: fix pipe creation for get_bMaxPacketSize0 Huacai Chen <chenhuacai(a)kernel.org> USB: pci-quirks: Fix HCCPARAMS register error for LS7A EHCI Fabrice Gasnier <fabrice.gasnier(a)foss.st.com> usb: dwc2: gadget: remove of_node reference upon udc_stop Guo Ren <guoren(a)linux.alibaba.com> usb: gadget: udc: renesas_usb3: Fix compiler warning Elson Roy Serrao <quic_eserrao(a)quicinc.com> usb: roles: set switch registered flag early on Sean Christopherson <seanjc(a)google.com> perf/x86/intel: Ensure LBRs are disabled when a CPU is starting Sean Christopherson <seanjc(a)google.com> KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel Sven Eckelmann <sven(a)narfation.org> batman-adv: Ignore neighbor throughput metrics in error case Andy Strohman <andrew(a)andrewstrohman.com> batman-adv: fix panic during interface removal Hans de Goede <hdegoede(a)redhat.com> ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet 5V Mike Marshall <hubcap(a)omnibond.com> orangefs: fix a oob in orangefs_debug_write Rik van Riel <riel(a)fb.com> x86/mm/tlb: Only trim the mm_cpumask once a second Maksym Planeta <maksym(a)exostellar.io> Grab mm lock before grabbing pt lock Ramesh Thomas <ramesh.thomas(a)intel.com> vfio/pci: Enable iowrite64 and ioread64 for vfio pci Takashi Iwai <tiwai(a)suse.de> PCI/DPC: Quirk PIO log size for Intel Raptor Lake-P Edward Adam Davis <eadavis(a)qq.com> media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread Arnd Bergmann <arnd(a)arndb.de> media: cxd2841er: fix 64-bit division on gcc-9 Juergen Gross <jgross(a)suse.com> x86/xen: allow larger contiguous memory regions in PV guests Petr Tesarik <petr.tesarik.ext(a)huawei.com> xen: remove a confusing comment on auto-translated guest I/O Artur Weber <aweber.kernel(a)gmail.com> gpio: bcm-kona: Add missing newline to dev_err format string Artur Weber <aweber.kernel(a)gmail.com> gpio: bcm-kona: Make sure GPIO bits are unlocked when requesting IRQ Artur Weber <aweber.kernel(a)gmail.com> gpio: bcm-kona: Fix GPIO lock/unlock for banks above bank 0 Krzysztof Karas <krzysztof.karas(a)intel.com> drm/i915/selftests: avoid using uninitialized context Radu Rendec <rrendec(a)redhat.com> arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array Eric Dumazet <edumazet(a)google.com> team: better TEAM_OPTION_TYPE_STRING validation Eric Dumazet <edumazet(a)google.com> vrf: use RCU protection in l3mdev_l3_out() Eric Dumazet <edumazet(a)google.com> ndisc: ndisc_send_redirect() must use dev_get_by_index_rcu() Charles Han <hanchunchao(a)inspur.com> HID: multitouch: Add NULL check in mt_input_configured Dai Ngo <dai.ngo(a)oracle.com> NFSD: fix hang in nfsd4_shutdown_callback Li Lingfeng <lilingfeng3(a)huawei.com> nfsd: clear acl_access/acl_default after releasing them Sean Anderson <sean.anderson(a)linux.dev> tty: xilinx_uartps: split sysrq handling Paolo Abeni <pabeni(a)redhat.com> mptcp: prevent excessive coalescing on receive Su Yue <glass.su(a)suse.com> ocfs2: check dir i_size in ocfs2_find_entry Dmitry Osipenko <digetx(a)gmail.com> memory: tegra20-emc: Correct memory device mask Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> gpio: xilinx: remove excess kernel doc Paul Fertser <fercerpav(a)gmail.com> net/ncsi: use dev_set_mac_address() for Get MC MAC Address handling WangYuli <wangyuli(a)uniontech.com> MIPS: ftrace: Declare ftrace_get_parent_ra_addr() as static Thomas Weißschuh <linux(a)weissschuh.net> ptp: Ensure info->enable callback is always set Milos Reljin <milos_reljin(a)outlook.com> net: phy: c45-tjaxx: add delay between MDIO write and read in soft_reset Paul Fertser <fercerpav(a)gmail.com> net/ncsi: wait for the last response to Deselect Package before configuring channel Ekansh Gupta <quic_ekangupt(a)quicinc.com> misc: fastrpc: Fix registered buffer page address Ivan Stepchenko <sid(a)itb.spb.ru> mtd: onenand: Fix uninitialized retlen in do_otp_read() Dan Carpenter <dan.carpenter(a)linaro.org> NFC: nci: Add bounds checking in nci_hci_create_pipe() Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> nilfs2: fix possible int overflows in nilfs_fiemap() Matthew Wilcox (Oracle) <willy(a)infradead.org> ocfs2: handle a symlink read error correctly Heming Zhao <heming.zhao(a)suse.com> ocfs2: fix incorrect CPU endianness conversion causing mount failure Mike Snitzer <snitzer(a)kernel.org> pnfs/flexfiles: retry getting layout segment for reads Alex Williamson <alex.williamson(a)redhat.com> vfio/platform: check the bounds of read/write syscalls Jennifer Berringer <jberring(a)redhat.com> nvmem: core: improve range check for nvmem_cell_write() Luca Weiss <luca.weiss(a)fairphone.com> nvmem: qcom-spmi-sdam: Set size in struct nvmem_config Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> crypto: qce - unregister previously registered algos in error path Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> crypto: qce - fix goto jump in error path Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Remove redundant NULL assignment Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Fix event flags in uvc_ctrl_send_events Mehdi Djait <mehdi.djait(a)linux.intel.com> media: ccs: Fix cleanup order in ccs_probe() Sakari Ailus <sakari.ailus(a)linux.intel.com> media: ccs: Fix CCS static data parsing for large block sizes Sam Bobrowicz <sam(a)elite-embedded.com> media: ov5640: fix get_light_freq on auto Cosmin Tanislav <demonsingur(a)gmail.com> media: mc: fix endpoint iteration Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soc: qcom: smem_state: fix missing of_node_put in error path Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: light: as73211: fix channel handling in only-color triggered buffer Sakari Ailus <sakari.ailus(a)linux.intel.com> media: ccs: Clean up parsed CCS static data on parse failure Wentao Liang <vulab(a)iscas.ac.cn> xfs: Add error handling for xfs_reflink_cancel_cow_range Eric Biggers <ebiggers(a)google.com> crypto: qce - fix priority to be less than ARMv8 CE Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: sm8350: Fix MPSS memory length Nathan Chancellor <nathan(a)kernel.org> x86/boot: Use '-std=gnu11' to fix build with GCC 15 Nathan Chancellor <nathan(a)kernel.org> kbuild: Move -Wenum-enum-conversion to W=2 Long Li <longli(a)microsoft.com> scsi: storvsc: Set correct data length for sending SCSI command without payload Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Move FCE Trace buffer allocation to user control Georg Gottleuber <ggo(a)tuxedocomputers.com> nvme-pci: Add TUXEDO IBP Gen9 to Samsung sleep quirk Georg Gottleuber <ggo(a)tuxedocomputers.com> nvme-pci: Add TUXEDO InfinityFlex to Samsung sleep quirk Zijun Hu <quic_zijuhu(a)quicinc.com> PCI: endpoint: Finish virtual EP removal in pci_epf_remove_vepf() Edson Juliano Drosdeck <edson.drosdeck(a)gmail.com> ALSA: hda/realtek: Enable headset mic on Positivo C6400 Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> Revert "media: uvcvideo: Require entities to have a non-zero unique ID" Mateusz Jończyk <mat.jonczyk(a)o2.pl> mips/math-emu: fix emulation of the prefx instruction Hou Tao <houtao1(a)huawei.com> dm-crypt: track tag_offset in convert_context Hou Tao <houtao1(a)huawei.com> dm-crypt: don't update io->sector after kcryptd_crypt_write_io_submit() Narayana Murty N <nnmlinux(a)linux.ibm.com> powerpc/pseries/eeh: Fix get PE state translation Kexy Biscuit <kexybiscuit(a)aosc.io> MIPS: Loongson64: remove ROM Size unit in boardinfo Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> serial: sh-sci: Do not probe the serial port if its slot in sci_ports[] is in use Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> serial: sh-sci: Drop __initdata macro for port_cfg Stephan Gerhold <stephan.gerhold(a)linaro.org> soc: qcom: socinfo: Avoid out of bounds read of serial number Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> usb: gadget: f_tcm: Don't prepare BOT write request twice Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> usb: gadget: f_tcm: ep_autoconfig with fullspeed endpoint Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> usb: gadget: f_tcm: Decrement command ref count on cleanup Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> usb: gadget: f_tcm: Translate error to sense Marcel Hamer <marcel.hamer(a)windriver.com> wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize() Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtlwifi: rtl8821ae: Fix media status report Heiko Stuebner <heiko(a)sntech.de> HID: hid-sensor-hub: don't use stale platform-data on remove Zijun Hu <quic_zijuhu(a)quicinc.com> of: reserved-memory: Fix using wrong number of cells to get property 'alignment' Zijun Hu <quic_zijuhu(a)quicinc.com> of: Fix of_find_node_opts_by_path() handling of alias+path+options Zijun Hu <quic_zijuhu(a)quicinc.com> of: Correct child specifier used as input of the 2nd nexus node Kuan-Wei Chiu <visitorckw(a)gmail.com> perf bench: Fix undefined behavior in cmpworker() Nathan Chancellor <nathan(a)kernel.org> efi: libstub: Use '-std=gnu11' to fix build with GCC 15 Zijun Hu <quic_zijuhu(a)quicinc.com> blk-cgroup: Fix class @block_class's subsystem refcount leakage Anastasia Belova <abelova(a)astralinux.ru> clk: qcom: clk-rpmh: prevent integer overflow in recalc_rate Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> clk: qcom: gcc-mdm9607: Fix cmd_rcgr offset for blsp1_uart6 rcg Luca Weiss <luca.weiss(a)fairphone.com> clk: qcom: gcc-sm6350: Add missing parent_map for two clocks Gabor Juhos <j4g8y7(a)gmail.com> clk: qcom: clk-alpha-pll: fix alpha mode configuration Cody Eksal <masterr3c0rd(a)epochal.quest> clk: sunxi-ng: a100: enable MMC clock reparenting Fedor Pchelkin <pchelkin(a)ispras.ru> Bluetooth: L2CAP: accept zero as a special value for MTU auto-selection Fedor Pchelkin <pchelkin(a)ispras.ru> Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915: Drop 64bpp YUV formats from ICL+ SDR planes Haoxiang Li <haoxiang_li2024(a)163.com> drm/komeda: Add check for komeda_get_layer_fourcc_list() Lijo Lazar <lijo.lazar(a)amd.com> drm/amd/pm: Mark MM activity as unsupported David Hildenbrand <david(a)redhat.com> KVM: s390: vsie: fix some corner-cases when grabbing vsie pages Sean Christopherson <seanjc(a)google.com> KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() Jakob Unterwurzacher <jakobunt(a)gmail.com> arm64: dts: rockchip: increase gmac rx_delay on rk3399-puma Dan Carpenter <dan.carpenter(a)linaro.org> binfmt_flat: Fix integer overflow bug on 32 bit systems Thomas Zimmermann <tzimmermann(a)suse.de> m68k: vga: Fix I/O defines Heiko Carstens <hca(a)linux.ibm.com> s390/futex: Fix FUTEX_OP_ANDN implementation Maarten Lankhorst <dev(a)lankhorst.se> drm/modeset: Handle tiled displays in pan_display_atomic. Alexander Sverdlin <alexander.sverdlin(a)siemens.com> leds: lp8860: Write full EEPROM, not only half of it Viresh Kumar <viresh.kumar(a)linaro.org> cpufreq: s3c64xx: Fix compilation warning Willem de Bruijn <willemb(a)google.com> tun: revert fix group permission check Cong Wang <cong.wang(a)bytedance.com> netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() Juergen Gross <jgross(a)suse.com> x86/xen: add FRAME_END to xen_hypercall_hvm() Juergen Gross <jgross(a)suse.com> x86/xen: fix xen_hypercall_hvm() to not clobber %rbx Eric Dumazet <edumazet(a)google.com> net: rose: lock the socket in rose_bind() Jacob Moroni <mail(a)jakemoroni.com> net: atlantic: fix warning during hot unplug Mark Tomlinson <mark.tomlinson(a)alliedtelesis.co.nz> gpio: pca953x: Improve interrupt support Yan Zhai <yan(a)cloudflare.com> udp: gso: do not drop small packets when PMTU reduces Lenny Szubowicz <lszubowi(a)redhat.com> tg3: Disable tg3 PCIe AER on system reboot Hans Verkuil <hverkuil(a)xs4all.nl> gpu: drm_dp_cec: fix broken CEC adapter properties check Prasad Pandit <pjp(a)fedoraproject.org> firmware: iscsi_ibft: fix ISCSI_IBFT Kconfig entry Daniel Wagner <wagi(a)kernel.org> nvme: handle connectivity loss in nvme_set_queue_count Michal Pecio <michal.pecio(a)gmail.com> usb: xhci: Fix NULL pointer dereference on certain command aborts Hardik Gajjar <hgajjar(a)de.adit-jv.com> usb: xhci: Add timeout argument in address_device USB HCD callback Darrick J. Wong <djwong(a)kernel.org> xfs: don't over-report free space or inodes in statvfs Darrick J. Wong <djwong(a)kernel.org> xfs: report realtime block quota limits on realtime directories Sean Anderson <sean.anderson(a)linux.dev> gpio: xilinx: Convert gpio_lock to raw spinlock Linus Walleij <linus.walleij(a)linaro.org> gpio: xilinx: Convert to immutable irq_chip Marc Zyngier <maz(a)kernel.org> gpio: Add helpers to ease the transition towards immutable irq_chip Marc Zyngier <maz(a)kernel.org> gpio: Expose the gpiochip_irq_re[ql]res helpers Marc Zyngier <maz(a)kernel.org> gpio: Don't fiddle with irqchips marked as immutable Paul Fertser <fercerpav(a)gmail.com> net/ncsi: fix locking in Get MAC Address handling Peter Delevoryas <peter(a)pjd.dev> net/ncsi: Add NC-SI 1.2 Get MC MAC Address command Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> usb: chipidea: ci_hdrc_imx: decrement device's refcount in .remove() and in the error path of .probe() Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> usb: chipidea/ci_hdrc_imx: Convert to platform remove callback returning void Alexander Stein <alexander.stein(a)ew.tq-group.com> usb: chipidea: ci_hdrc_imx: use dev_err_probe() Xi Ruoyao <xry111(a)xry111.site> x86/mm: Don't disable PCID when INVLPG has been fixed by microcode Armin Wolf <W_Armin(a)gmx.de> platform/x86: acer-wmi: Ignore AC events Illia Ostapyshyn <illia(a)yshyn.com> Input: allocate keycode for phone linking Liu Ye <liuye(a)kylinos.cn> selftests/net/ipsec: Fix Null pointer dereference in rtattr_pack() Dan Carpenter <dan.carpenter(a)linaro.org> tipc: re-order conditions in tipc_crypto_key_rcv() Yuanjie Yang <quic_yuanjiey(a)quicinc.com> mmc: sdhci-msm: Correctly set the load for the regulator Maciej S. Szmigiero <mail(a)maciej.szmigiero.name> net: wwan: iosm: Fix hibernation by re-binding the driver around it Borislav Petkov <bp(a)alien8.de> APEI: GHES: Have GHES honor the panic= setting Randolph Ha <rha051117(a)gmail.com> i2c: Force ELAN06FA touchpad I2C bus freq to 100KHz Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: iwlwifi: avoid memory leak Vadim Fedorenko <vadfed(a)meta.com> net/mlx5: use do_aux_work for PHC overflow checks Even Xu <even.xu(a)intel.com> HID: Wacom: Add PCI Wacom device support Hans de Goede <hdegoede(a)redhat.com> mfd: lpc_ich: Add another Gemini Lake ISA bridge PCI device-id Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> tomoyo: don't emit warning in tomoyo_write_control() Dmitry Antipov <dmantipov(a)yandex.ru> wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy() Shawn Lin <shawn.lin(a)rock-chips.com> mmc: core: Respect quirk_max_rate for non-UHS SDIO card Stas Sergeev <stsp2(a)yandex.ru> tun: fix group permission check Leo Stone <leocstone(a)gmail.com> safesetid: check size of policy writes Kuan-Wei Chiu <visitorckw(a)gmail.com> printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX Yazen Ghannam <yazen.ghannam(a)amd.com> x86/amd_nb: Restrict init function to AMD-based systems Carlos Llamas <cmllamas(a)google.com> lockdep: Fix upper limit for LOCKDEP_*_BITS configs Suleiman Souhlal <suleiman(a)google.com> sched: Don't try to catch up excess steal time. Josef Bacik <josef(a)toxicpanda.com> btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error handling Hao-ran Zheng <zhenghaoran154(a)gmail.com> btrfs: fix data race when accessing the inode's disk_i_size at btrfs_drop_extents() Filipe Manana <fdmanana(a)suse.com> btrfs: fix use-after-free when attempting to join an aborted transaction Qu Wenruo <wqu(a)suse.com> btrfs: output the reason for open_ctree() failure Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> usb: gadget: f_tcm: Don't free command immediately Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> media: uvcvideo: Fix double free in error path Paolo Abeni <pabeni(a)redhat.com> mptcp: consolidate suboption status Kyle Tso <kyletso(a)google.com> usb: typec: tcpci: Prevent Sink disconnection before vPpsShutdown in SPR PPS Jos Wang <joswang(a)lenovo.com> usb: typec: tcpm: set SRC_SEND_CAPABILITIES timeout to PD_T_SENDER_RESPONSE Kyle Tso <kyletso(a)google.com> usb: dwc3: core: Defer the probe until USB power supply ready Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> usb: gadget: f_tcm: Fix Get/SetInterface return value Sean Rhodes <sean(a)starlabs.systems> drivers/card_reader/rtsx_usb: Restore interrupt based detection Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> net: usb: rtl8150: enable basic endpoint checking Lianqin Hu <hulianqin(a)vivo.com> ALSA: usb-audio: Add delay quirk for iBasso DC07 Pro Ricardo B. Marliere <rbm(a)suse.com> ktest.pl: Check kernelrelease return in get_version Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: reject mismatching sum of field_len with set key length Chuck Lever <chuck.lever(a)oracle.com> NFSD: Reset cb_seq_status after NFS4ERR_DELAY Daniel Lee <chullee(a)google.com> f2fs: Introduce linear search for dentries Lin Yujun <linyujun809(a)huawei.com> hexagon: Fix unbalanced spinlock in die() Willem de Bruijn <willemb(a)google.com> hexagon: fix using plain integer as NULL pointer warning in cmpxchg Masahiro Yamada <masahiroy(a)kernel.org> kconfig: fix memory leak in sym_warn_unmet_dep() Sergey Senozhatsky <senozhatsky(a)chromium.org> kconfig: WERROR unmet symbol dependency Masahiro Yamada <masahiroy(a)kernel.org> kconfig: deduplicate code in conf_read_simple() Masahiro Yamada <masahiroy(a)kernel.org> kconfig: remove unused code for S_DEF_AUTO in conf_read_simple() Masahiro Yamada <masahiroy(a)kernel.org> kconfig: require a space after '#' for valid input Sergey Senozhatsky <senozhatsky(a)chromium.org> kconfig: add warn-unknown-symbols sanity check Masahiro Yamada <masahiroy(a)kernel.org> kconfig: fix file name in warnings when loading KCONFIG_DEFCONFIG_LIST Masahiro Yamada <masahiroy(a)kernel.org> genksyms: fix memory leak when the same symbol is read from *.symref file Masahiro Yamada <masahiroy(a)kernel.org> genksyms: fix memory leak when the same symbol is added from source Eric Dumazet <edumazet(a)google.com> net: hsr: fix fill_frame_info() regression vs VLAN packets Kory Maincent <kory.maincent(a)bootlin.com> net: sh_eth: Fix missing rtnl lock in suspend/resume path Rafał Miłecki <rafal(a)milecki.pl> bgmac: reduce max frame size to support just MTU 1500 Michal Luczaj <mhal(a)rbox.co> vsock: Allow retrying on connect() failure Howard Chu <howardchu95(a)gmail.com> perf trace: Fix runtime error of index out of bounds Thomas Weißschuh <linux(a)weissschuh.net> ptp: Properly handle compat ioctls Chenyuan Yang <chenyuan0y(a)gmail.com> net: davicom: fix UAF in dm9000_drv_remove Jakub Kicinski <kuba(a)kernel.org> net: netdevsim: try to close UDP port harness races Eric Dumazet <edumazet(a)google.com> net: rose: fix timer races against user threads Wentao Liang <vulab(a)iscas.ac.cn> PM: hibernate: Add error handling for syscore_suspend() Eric Dumazet <edumazet(a)google.com> ipmr: do not call mr_mfc_uses_dev() for unres entries Dheeraj Reddy Jonnalagadda <dheeraj.linuxdev(a)gmail.com> net: fec: implement TSO descriptor cleanup Ahmad Fatoum <a.fatoum(a)pengutronix.de> gpio: mxc: remove dead code after switch to DT-only Jian Shen <shenjian15(a)huawei.com> net: hns3: fix oops when unload drivers paralleling pangliyuan <pangliyuan1(a)huawei.com> ubifs: skip dumping tnc tree when zroot is null Oleksij Rempel <linux(a)rempel-privat.de> rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> dmaengine: ti: edma: fix OF node reference leaks in edma_driver Jianbo Liu <jianbol(a)nvidia.com> xfrm: replay: Fix the update of replay_esn->oseq_hi for GSO Luo Yifan <luoyifan(a)cmss.chinamobile.com> tools/bootconfig: Fix the wrong format specifier Olga Kornievskaia <okorniev(a)redhat.com> NFSv4.2: mark OFFLOAD_CANCEL MOVEABLE Olga Kornievskaia <okorniev(a)redhat.com> NFSv4.2: fix COPY_NOTIFY xdr buf size calculation Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> module: Extend the preempt disabled section in dereference_symbol_descriptor(). Su Yue <glass.su(a)suse.com> ocfs2: mark dquot as inactive if failed to start trans while releasing dquot Guixin Liu <kanie(a)linux.alibaba.com> scsi: ufs: bsg: Delete bsg_dev when setting up bsg fails Paul Menzel <pmenzel(a)molgen.mpg.de> scsi: mpt3sas: Set ioc->manu_pg11.EEDPTagMode directly to 1 King Dix <kingdix10(a)qq.com> PCI: rcar-ep: Fix incorrect variable used when calling devm_request_mem_region() Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> staging: media: imx: fix OF node leak in imx_media_add_of_subdevs() Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> mtd: hyperbus: hbmc-am654: fix an OF node reference leak Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> mtd: hyperbus: hbmc-am654: Convert to platform remove callback returning void Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> mtd: hyperbus: Make hyperbus_unregister_device() return void Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Propagate buf->error to userspace Jiasheng Jiang <jiashengjiangcool(a)gmail.com> media: camif-core: Add check for clk_enable() Jiasheng Jiang <jiashengjiangcool(a)gmail.com> media: mipi-csis: Add check for clk_enable() Dave Stevenson <dave.stevenson(a)raspberrypi.com> media: i2c: ov9282: Correct the exposure offset Luca Weiss <luca.weiss(a)fairphone.com> media: i2c: imx412: Add missing newline to prints Jiasheng Jiang <jiashengjiangcool(a)gmail.com> media: marvell: Add check for clk_enable() Zijun Hu <quic_zijuhu(a)quicinc.com> PCI: endpoint: Destroy the EPC device in devm_pci_epc_destroy() Chen Ni <nichen(a)iscas.ac.cn> media: lmedm04: Handle errors for lme2510_int_read Oliver Neukum <oneukum(a)suse.com> media: rc: iguanair: handle timeouts Randy Dunlap <rdunlap(a)infradead.org> efi: sysfb_efi: fix W=1 warnings when EFI is not set Zijun Hu <quic_zijuhu(a)quicinc.com> of: reserved-memory: Do not make kmemleak ignore freed address Mike Rapoport <rppt(a)kernel.org> memblock: drop memblock_free_early_nid() and memblock_free_early() Mike Rapoport <rppt(a)kernel.org> xen/x86: free_p2m_page: use memblock_free_ptr() to free a virtual pointer Michael Guralnik <michaelgur(a)nvidia.com> RDMA/mlx5: Fix indirect mkey ODP page count Michael Guralnik <michaelgur(a)nvidia.com> RDMA/mlx5: Enforce umem boundaries for explicit ODP page faults Aharon Landau <aharonl(a)nvidia.com> RDMA/mlx5: Remove iova from struct mlx5_core_mkey Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> fbdev: omapfb: Fix an OF node leak in dss_of_port_get_parent_device() Rafał Miłecki <rafal(a)milecki.pl> ARM: dts: mediatek: mt7623: fix IR nodename Vladimir Zapolskiy <vladimir.zapolskiy(a)linaro.org> arm64: dts: qcom: sdm845: Fix interrupt types of camss interrupts Neil Armstrong <neil.armstrong(a)linaro.org> arm64: dts: qcom: sm8150-microsoft-surface-duo: fix typos in da7280 properties Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> arm64: dts: qcom: sm8350: correct sleep clock frequency Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> arm64: dts: qcom: sm8250: correct sleep clock frequency Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> arm64: dts: qcom: sm6125: correct sleep clock frequency Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> arm64: dts: qcom: sc7280: correct sleep clock frequency Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> arm64: dts: qcom: msm8994: correct sleep clock frequency Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> arm64: dts: qcom: msm8916: correct sleep clock frequency Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> arm64: dts: qcom: msm8994: Describe USB interrupts Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> arm64: dts: qcom: msm8996: Fix up USB3 interrupts Chen-Yu Tsai <wenst(a)chromium.org> arm64: dts: mediatek: mt8183-kukui-jacuzzi: Drop pp3300_panel voltage settings Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code() Dmitry Osipenko <digetx(a)gmail.com> memory: tegra20-emc: Support matching timings by LPDDR2 configuration Dmitry Osipenko <digetx(a)gmail.com> memory: Add LPDDR2-info helpers Hsin-Te Yuan <yuanhsinte(a)chromium.org> arm64: dts: mediatek: mt8183: willow: Support second source touchscreen Hsin-Te Yuan <yuanhsinte(a)chromium.org> arm64: dts: mediatek: mt8183: kenzo: Support second source touchscreen Chen-Yu Tsai <wenst(a)chromium.org> arm64: dts: mediatek: mt8173-evb: Fix MT6397 PMIC sub-node names Chen-Yu Tsai <wenst(a)chromium.org> arm64: dts: mediatek: mt8173-elm: Fix MT6397 PMIC sub-node names Chen-Yu Tsai <wenst(a)chromium.org> arm64: dts: mediatek: mt8173-elm: Drop regulator-compatible property Chen-Yu Tsai <wenst(a)chromium.org> arm64: dts: mediatek: mt8173-evb: Drop regulator-compatible property Dan Carpenter <dan.carpenter(a)linaro.org> rdma/cxgb4: Prevent potential integer overflow on 32bit Leon Romanovsky <leon(a)kernel.org> RDMA/mlx4: Avoid false error about access to uninitialized gids array Val Packett <val(a)packett.cool> arm64: dts: mediatek: mt8516: reserve 192 KiB for TF-A Val Packett <val(a)packett.cool> arm64: dts: mediatek: mt8516: add i2c clock-div property Fabien Parent <fparent(a)baylibre.com> arm64: dts: mediatek: mt8516: remove 2 invalid i2c clocks Val Packett <val(a)packett.cool> arm64: dts: mediatek: mt8516: fix wdt irq type Val Packett <val(a)packett.cool> arm64: dts: mediatek: mt8516: fix GICv2 range Hsin-Yi Wang <hsinyi(a)chromium.org> arm64: dts: mt8183: set DMIC one-wire mode on Damu Nicolas Ferre <nicolas.ferre(a)microchip.com> ARM: at91: pm: change BU Power Switch to automatic mode Chen Ridong <chenridong(a)huawei.com> padata: avoid UAF for reorder_work Chen Ridong <chenridong(a)huawei.com> padata: add pd get/put refcnt helper Chen Ridong <chenridong(a)huawei.com> padata: fix UAF in padata_reorder Puranjay Mohan <puranjay(a)kernel.org> bpf: Send signals asynchronously if !preemptible Jiachen Zhang <me(a)jcix.top> perf report: Fix misleading help message about --demangle Arnaldo Carvalho de Melo <acme(a)redhat.com> perf top: Don't complain about lack of vmlinux when not resolving some kernel samples Thomas Weißschuh <linux(a)weissschuh.net> padata: fix sysfs store callback check Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> crypto: ixp4xx - fix OF node reference leaks in init_ixp_crypto() Wenkai Lin <linwenkai6(a)hisilicon.com> crypto: hisilicon/sec2 - fix for aead invalid authsize Wenkai Lin <linwenkai6(a)hisilicon.com> crypto: hisilicon/sec2 - fix for aead icv error Chenghai Huang <huangchenghai2(a)huawei.com> crypto: hisilicon/sec2 - optimize the error return process Kai Ye <yekai13(a)huawei.com> crypto: hisilicon/sec - delete redundant blank lines Kai Ye <yekai13(a)huawei.com> crypto: hisilicon/sec - add some comments for soft fallback Ba Jing <bajing(a)cmss.chinamobile.com> ktest.pl: Remove unused declarations in run_bisect_test function Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> ASoC: renesas: rz-ssi: Use only the proper amount of dividers Zhongqiu Han <quic_zhonhan(a)quicinc.com> perf bpf: Fix two memory leakages when calling perf_env__insert_bpf_prog_info() Zhongqiu Han <quic_zhonhan(a)quicinc.com> perf header: Fix one memory leakage in process_bpf_prog_info() Zhongqiu Han <quic_zhonhan(a)quicinc.com> perf header: Fix one memory leakage in process_bpf_btf() George Lander <lander(a)jagmn.com> ASoC: sun4i-spdif: Add clock multiplier settings Quentin Monnet <qmo(a)kernel.org> libbpf: Fix segfault due to libelf functions not setting errno Marco Leogrande <leogrande(a)google.com> tools/testing/selftests/bpf/test_tc_tunnel.sh: Fix wait for server bind Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> net/rose: prevent integer overflows in rose_setsockopt() Mahdi Arghavani <ma.arghavani(a)yahoo.com> tcp_cubic: fix incorrect HyStart round start detection Roger Quadros <rogerq(a)kernel.org> net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns() Florian Westphal <fw(a)strlen.de> netfilter: nft_flow_offload: update tcp state flags under lock Jamal Hadi Salim <jhs(a)mojatatu.com> net: sched: Disallow replacing of child qdisc from one parent to another Antoine Tenart <atenart(a)kernel.org> net: avoid race between device unregistration and ethnl ops Maher Sanalla <msanalla(a)nvidia.com> net/mlxfw: Drop hard coded max FW flash image size Liu Jian <liujian56(a)huawei.com> net: let net.core.dev_weight always be non-zero Mickaël Salaün <mic(a)digikod.net> selftests/landlock: Fix error message Bo Gan <ganboing(a)gmail.com> clk: analogbits: Fix incorrect calculation of vco rate delta Dmitry Antipov <dmantipov(a)yandex.ru> wifi: cfg80211: adjust allocation of colocated AP data Ilan Peer <ilan.peer(a)intel.com> wifi: cfg80211: Handle specific BSSID in 6GHz scanning Dmitry V. Levin <ldv(a)strace.io> selftests: harness: fix printing of mismatch values in __EXPECT() Gautham R. Shenoy <gautham.shenoy(a)amd.com> cpufreq: ACPI: Fix max-frequency computation WangYuli <wangyuli(a)uniontech.com> wifi: mt76: mt76u_vendor_request: Do not print error messages when -EPROTO Mickaël Salaün <mic(a)digikod.net> landlock: Handle weird files Mickaël Salaün <mic(a)digikod.net> landlock: Move filesystem helpers and add a new one Guangguan Wang <guangguan.wang(a)linux.alibaba.com> net/smc: fix data error when recvmsg with MSG_PEEK flag Andreas Kemnade <andreas(a)kemnade.info> wifi: wlcore: fix unbalanced pm_runtime calls Zichen Xie <zichenxie0106(a)gmail.com> samples/landlock: Fix possible NULL dereference in parse_path() Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> regulator: of: Implement the unwind path of of_regulator_match() Octavian Purdila <tavip(a)google.com> team: prevent adding a device which is already a team device lower Marek Vasut <marex(a)denx.de> clk: imx8mp: Fix clkout1/2 support Sultan Alsawaf (unemployed) <sultan(a)kerneltoast.com> cpufreq: schedutil: Fix superfluous updates caused by need_freq_update Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> leds: netxbig: Fix an OF node reference leak in netxbig_leds_get_of_pdata() Matti Vaittinen <mazziesaccount(a)gmail.com> dt-bindings: mfd: bd71815: Fix rsense and typos He Rongguang <herongguang(a)linux.alibaba.com> cpupower: fix TSC MHz calculation Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> ACPI: fan: cleanup resources in the error path of .probe() Chen-Yu Tsai <wenst(a)chromium.org> regulator: dt-bindings: mt6315: Drop regulator-compatible property Jiri Kosina <jkosina(a)suse.com> HID: multitouch: fix support for Goodix PID 0x01e9 Jiri Kosina <jkosina(a)suse.com> Revert "HID: multitouch: Add support for lenovo Y9000P Touchpad" He Lugang <helugang(a)uniontech.com> HID: multitouch: Add support for lenovo Y9000P Touchpad Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> wifi: rtlwifi: pci: wait for firmware loading before releasing memory Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> wifi: rtlwifi: fix memory leaks and invalid access at probe error path Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> wifi: rtlwifi: destroy workqueue at rtl_deinit_core Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> wifi: rtlwifi: remove unused check_buddy_priv Dmitry Antipov <dmantipov(a)yandex.ru> wifi: rtlwifi: remove unused dualmac control leftovers Dmitry Antipov <dmantipov(a)yandex.ru> wifi: rtlwifi: remove unused timer and related code Jakob Koschel <jakobkoschel(a)gmail.com> rtlwifi: replace usage of found with dedicated list iterator variable Geert Uytterhoeven <geert+renesas(a)glider.be> dt-bindings: leds: class-multicolor: Fix path to color definitions Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: leds: class-multicolor: reference class directly in multi-led node Sven Schwermer <sven.schwermer(a)disruptive-technologies.com> dt-bindings: leds: Add multicolor PWM LED bindings Sven Schwermer <sven.schwermer(a)disruptive-technologies.com> dt-bindings: leds: Optional multi-led unit address Bjorn Andersson <bjorn.andersson(a)linaro.org> dt-bindings: leds: Add Qualcomm Light Pulse Generator binding Rob Herring <robh(a)kernel.org> dt-bindings: Another pass removing cases of 'allOf' containing a '$ref' Pratyush Yadav <p.yadav(a)ti.com> spi: dt-bindings: add schema listing peripheral-specific properties Neil Armstrong <neil.armstrong(a)linaro.org> dt-bindings: mmc: controller: clarify the address-cells description Mingwei Zheng <zmw12306(a)gmail.com> spi: zynq-qspi: Add check for clk_enable() Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> wifi: rtlwifi: usb: fix workqueue leak when probe fails Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> wifi: rtlwifi: fix init_sw_vars leak when probe fails Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> wifi: rtlwifi: wait for firmware loading before releasing memory Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> wifi: rtlwifi: rtl8192se: rise completion of firmware loading as last step Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> wifi: rtlwifi: do not complete firmware loading needlessly Charles Han <hanchunchao(a)inspur.com> ipmi: ipmb: Add check devm_kasprintf() returned value Thomas Gleixner <tglx(a)linutronix.de> genirq: Make handle_enforce_irqctx() unconditionally available Ivan Stepchenko <sid(a)itb.spb.ru> drm/amdgpu: Fix potential NULL pointer dereference in atomctrl_get_smc_sclk_range_table Alan Stern <stern(a)rowland.harvard.edu> HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections Sui Jingfeng <sui.jingfeng(a)linux.dev> drm/etnaviv: Fix page property being used for non writecombine buffers Peter Zijlstra <peterz(a)infradead.org> sched/fair: Fix value reported by hot tasks pulled in /proc/schedstat Chengming Zhou <zhouchengming(a)bytedance.com> sched/psi: Use task->psi_flags to clear in CPU migration David Howells <dhowells(a)redhat.com> afs: Fix the fallback handling for the YFS.RemoveFile2 RPC call Christophe Leroy <christophe.leroy(a)csgroup.eu> select: Fix unbalanced user_access_end() Randy Dunlap <rdunlap(a)infradead.org> partitions: ldm: remove the initial kernel-doc notation Keisuke Nishimura <keisuke.nishimura(a)inria.fr> nvme: Add error check for xa_store in nvme_get_effects_log Eugen Hristev <eugen.hristev(a)linaro.org> pstore/blk: trivial typo fixes Yu Kuai <yukuai3(a)huawei.com> nbd: don't allow reconnect after disconnect Yang Erkun <yangerkun(a)huawei.com> block: retry call probe after request_module in blk_request_module Christoph Hellwig <hch(a)lst.de> block: deprecate autoloading based on dev_t Jinliang Zheng <alexjlzheng(a)gmail.com> fs: fix proc_handler for sysctl_nr_open Luis Chamberlain <mcgrof(a)kernel.org> fs: move fs stat sysctls to file_table.c Luis Chamberlain <mcgrof(a)kernel.org> fs: move inode sysctls to its own file Luis Chamberlain <mcgrof(a)kernel.org> sysctl: share unsigned long const values Xiaoming Ni <nixiaoming(a)huawei.com> sysctl: use const for typically used max/min proc sysctls Xiaoming Ni <nixiaoming(a)huawei.com> hung_task: move hung_task sysctl interface to hung_task.c David Howells <dhowells(a)redhat.com> afs: Fix directory format encoding struct David Howells <dhowells(a)redhat.com> afs: Fix EEXIST error returned from afs_rmdir() to be ENOTEMPTY ------------- Diffstat: Documentation/dev-tools/kfence.rst | 12 ++ .../bindings/connector/usb-connector.yaml | 3 +- .../bindings/display/brcm,bcm2711-hdmi.yaml | 3 +- .../bindings/display/bridge/adi,adv7511.yaml | 5 +- .../bindings/display/bridge/synopsys,dw-hdmi.yaml | 5 +- .../bindings/display/panel/display-timings.yaml | 3 +- .../devicetree/bindings/display/ste,mcde.yaml | 4 +- .../devicetree/bindings/input/adc-joystick.yaml | 9 +- .../bindings/leds/cznic,turris-omnia-leds.yaml | 5 +- .../bindings/leds/leds-class-multicolor.yaml | 28 +-- .../devicetree/bindings/leds/leds-lp50xx.yaml | 5 +- .../bindings/leds/leds-pwm-multicolor.yaml | 78 +++++++ .../devicetree/bindings/leds/leds-qcom-lpg.yaml | 175 ++++++++++++++++ .../devicetree/bindings/mfd/google,cros-ec.yaml | 12 +- .../devicetree/bindings/mfd/rohm,bd71815-pmic.yaml | 20 +- .../devicetree/bindings/mmc/mmc-controller.yaml | 2 +- .../bindings/mtd/rockchip,nand-controller.yaml | 3 +- .../devicetree/bindings/net/ti,cpsw-switch.yaml | 3 +- .../devicetree/bindings/phy/phy-stm32-usbphyc.yaml | 3 +- .../bindings/power/supply/sbs,sbs-manager.yaml | 4 +- .../bindings/regulator/mt6315-regulator.yaml | 6 - .../bindings/remoteproc/ti,k3-r5f-rproc.yaml | 3 +- .../devicetree/bindings/soc/ti/ti,pruss.yaml | 15 +- .../devicetree/bindings/sound/st,stm32-sai.yaml | 3 +- .../devicetree/bindings/sound/tlv320adcx140.yaml | 13 +- .../devicetree/bindings/spi/spi-controller.yaml | 69 +------ .../bindings/spi/spi-peripheral-props.yaml | 87 ++++++++ .../devicetree/bindings/usb/st,stusb160x.yaml | 4 +- Documentation/kbuild/kconfig.rst | 9 + Makefile | 9 +- arch/alpha/include/uapi/asm/ptrace.h | 2 + arch/alpha/kernel/asm-offsets.c | 2 + arch/alpha/kernel/entry.S | 24 +-- arch/alpha/kernel/traps.c | 2 +- arch/alpha/mm/fault.c | 4 +- arch/arm/boot/dts/dra7-l4.dtsi | 2 + arch/arm/boot/dts/mt7623.dtsi | 2 +- arch/arm/mach-at91/pm.c | 31 ++- arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi | 29 +-- arch/arm64/boot/dts/mediatek/mt8173-evb.dts | 25 +-- .../dts/mediatek/mt8183-kukui-jacuzzi-damu.dts | 4 + .../dts/mediatek/mt8183-kukui-jacuzzi-kenzo.dts | 15 ++ .../dts/mediatek/mt8183-kukui-jacuzzi-willow.dtsi | 15 ++ .../boot/dts/mediatek/mt8183-kukui-jacuzzi.dtsi | 2 - arch/arm64/boot/dts/mediatek/mt8183.dtsi | 1 + arch/arm64/boot/dts/mediatek/mt8516.dtsi | 38 ++-- arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi | 2 - arch/arm64/boot/dts/qcom/msm8916.dtsi | 2 +- arch/arm64/boot/dts/qcom/msm8994.dtsi | 11 +- arch/arm64/boot/dts/qcom/msm8996.dtsi | 9 +- arch/arm64/boot/dts/qcom/sc7280.dtsi | 2 +- arch/arm64/boot/dts/qcom/sdm845.dtsi | 20 +- arch/arm64/boot/dts/qcom/sm6125.dtsi | 2 +- .../boot/dts/qcom/sm8150-microsoft-surface-duo.dts | 4 +- arch/arm64/boot/dts/qcom/sm8250.dtsi | 2 +- arch/arm64/boot/dts/qcom/sm8350.dtsi | 4 +- arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 2 +- arch/arm64/include/asm/mman.h | 9 +- arch/arm64/kernel/cacheinfo.c | 12 +- arch/arm64/kernel/vdso/vdso.lds.S | 1 + arch/arm64/kernel/vmlinux.lds.S | 1 + arch/hexagon/include/asm/cmpxchg.h | 2 +- arch/hexagon/kernel/traps.c | 4 +- arch/m68k/include/asm/vga.h | 8 +- arch/mips/kernel/ftrace.c | 2 +- arch/mips/loongson64/boardinfo.c | 2 - arch/mips/math-emu/cp1emu.c | 2 +- arch/mips/mm/init.c | 2 +- arch/powerpc/include/asm/book3s/64/hash-4k.h | 28 +++ arch/powerpc/include/asm/book3s/64/pgtable.h | 26 --- arch/powerpc/lib/code-patching.c | 2 +- arch/powerpc/platforms/pseries/eeh_pseries.c | 6 +- arch/powerpc/platforms/pseries/svm.c | 3 +- arch/s390/include/asm/futex.h | 2 +- arch/s390/kernel/smp.c | 2 +- arch/s390/kernel/traps.c | 6 +- arch/s390/kvm/vsie.c | 25 ++- arch/x86/Kconfig | 3 +- arch/x86/boot/compressed/Makefile | 1 + arch/x86/events/intel/core.c | 5 +- arch/x86/include/asm/mmu.h | 2 + arch/x86/include/asm/mmu_context.h | 1 + arch/x86/include/asm/msr-index.h | 3 +- arch/x86/include/asm/tlbflush.h | 1 + arch/x86/kernel/amd_nb.c | 4 + arch/x86/kernel/cpu/bugs.c | 20 +- arch/x86/kernel/cpu/cacheinfo.c | 2 +- arch/x86/kernel/cpu/cyrix.c | 4 +- arch/x86/kernel/cpu/intel.c | 52 +++-- arch/x86/kernel/cpu/sgx/encl.c | 108 ++++++++-- arch/x86/kernel/cpu/sgx/encl.h | 8 +- arch/x86/kernel/cpu/sgx/ioctl.c | 17 +- arch/x86/kernel/cpu/sgx/main.c | 31 +-- arch/x86/kernel/i8253.c | 11 +- arch/x86/kernel/static_call.c | 1 - arch/x86/kvm/hyperv.c | 6 +- arch/x86/mm/init.c | 23 ++- arch/x86/mm/tlb.c | 35 +++- arch/x86/xen/mmu_pv.c | 79 +++++-- arch/x86/xen/p2m.c | 2 +- arch/x86/xen/xen-head.S | 5 +- block/Kconfig | 12 ++ block/bdev.c | 9 +- block/blk-cgroup.c | 1 + block/genhd.c | 30 ++- block/partitions/efi.c | 2 +- block/partitions/ldm.h | 2 +- block/partitions/mac.c | 18 +- crypto/testmgr.h | 227 ++++++++++++++------ drivers/acpi/apei/ghes.c | 10 +- drivers/acpi/fan.c | 10 +- drivers/base/arch_numa.c | 2 +- drivers/base/regmap/regmap-irq.c | 2 + drivers/block/nbd.c | 1 + drivers/bus/mhi/host/pci_generic.c | 5 +- drivers/char/ipmi/ipmb_dev_int.c | 3 + drivers/char/tpm/eventlog/acpi.c | 16 +- drivers/char/tpm/eventlog/efi.c | 13 +- drivers/char/tpm/eventlog/of.c | 3 +- drivers/char/tpm/tpm-chip.c | 1 - drivers/clk/analogbits/wrpll-cln28hpc.c | 2 +- drivers/clk/imx/clk-imx8mp.c | 5 +- drivers/clk/qcom/clk-alpha-pll.c | 2 + drivers/clk/qcom/clk-rpmh.c | 2 +- drivers/clk/qcom/gcc-mdm9607.c | 2 +- drivers/clk/qcom/gcc-sm6350.c | 22 +- drivers/clk/sunxi-ng/ccu-sun50i-a100.c | 6 +- drivers/clocksource/i8253.c | 13 +- drivers/cpufreq/acpi-cpufreq.c | 36 +++- drivers/cpufreq/s3c64xx-cpufreq.c | 11 +- drivers/crypto/hisilicon/sec2/sec.h | 3 +- drivers/crypto/hisilicon/sec2/sec_crypto.c | 178 ++++++++-------- drivers/crypto/hisilicon/sec2/sec_crypto.h | 11 - drivers/crypto/ixp4xx_crypto.c | 3 + drivers/crypto/qce/aead.c | 2 +- drivers/crypto/qce/core.c | 13 +- drivers/crypto/qce/sha.c | 2 +- drivers/crypto/qce/skcipher.c | 2 +- drivers/dma/ti/edma.c | 3 +- drivers/firmware/Kconfig | 2 +- drivers/firmware/efi/efi.c | 6 +- drivers/firmware/efi/libstub/Makefile | 2 +- drivers/firmware/efi/libstub/randomalloc.c | 3 + drivers/firmware/efi/libstub/relocate.c | 3 + drivers/firmware/efi/sysfb_efi.c | 2 +- drivers/gpio/gpio-aggregator.c | 20 +- drivers/gpio/gpio-bcm-kona.c | 71 +++++-- drivers/gpio/gpio-mxc.c | 3 +- drivers/gpio/gpio-pca953x.c | 19 -- drivers/gpio/gpio-rcar.c | 31 +-- drivers/gpio/gpio-stmpe.c | 15 +- drivers/gpio/gpio-xilinx.c | 56 ++--- drivers/gpio/gpiolib.c | 13 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 11 + .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_irq.c | 14 ++ .../gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c | 2 + drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c | 1 - .../drm/arm/display/komeda/komeda_wb_connector.c | 4 + drivers/gpu/drm/drm_dp_cec.c | 14 +- drivers/gpu/drm/drm_fb_helper.c | 14 +- drivers/gpu/drm/drm_probe_helper.c | 116 ++++++++--- drivers/gpu/drm/etnaviv/etnaviv_gem.c | 16 +- drivers/gpu/drm/i915/display/skl_universal_plane.c | 4 - drivers/gpu/drm/i915/selftests/i915_gem_gtt.c | 4 +- drivers/gpu/drm/radeon/r300.c | 3 +- drivers/gpu/drm/radeon/radeon_asic.h | 1 + drivers/gpu/drm/radeon/rs400.c | 18 +- drivers/gpu/drm/rockchip/cdn-dp-core.c | 9 +- drivers/gpu/drm/scheduler/gpu_scheduler_trace.h | 4 +- drivers/gpu/drm/tidss/tidss_dispc.c | 22 +- drivers/gpu/drm/v3d/v3d_perfmon.c | 5 + drivers/hid/hid-appleir.c | 2 +- drivers/hid/hid-core.c | 2 + drivers/hid/hid-google-hammer.c | 2 + drivers/hid/hid-multitouch.c | 7 +- drivers/hid/hid-sensor-hub.c | 21 +- drivers/hid/intel-ish-hid/ishtp-hid.c | 4 +- drivers/hid/wacom_wac.c | 5 + drivers/hwmon/ad7314.c | 10 + drivers/hwmon/ntc_thermistor.c | 66 +++--- drivers/hwmon/pmbus/pmbus.c | 2 + drivers/hwmon/xgene-hwmon.c | 2 +- drivers/hwtracing/intel_th/pci.c | 15 ++ drivers/i2c/busses/i2c-npcm7xx.c | 7 + drivers/i2c/i2c-core-acpi.c | 22 ++ drivers/idle/intel_idle.c | 4 + drivers/iio/light/as73211.c | 24 ++- drivers/infiniband/hw/cxgb4/device.c | 6 +- drivers/infiniband/hw/mlx4/main.c | 6 +- drivers/infiniband/hw/mlx5/counters.c | 8 +- drivers/infiniband/hw/mlx5/devx.c | 1 - drivers/infiniband/hw/mlx5/mr.c | 16 +- drivers/infiniband/hw/mlx5/odp.c | 61 +++--- drivers/infiniband/hw/mlx5/qp.c | 4 +- drivers/leds/leds-lp8860.c | 2 +- drivers/leds/leds-netxbig.c | 1 + drivers/md/Kconfig | 4 + drivers/md/dm-crypt.c | 27 +-- drivers/media/dvb-frontends/cxd2841er.c | 8 +- drivers/media/i2c/ccs/ccs-core.c | 6 +- drivers/media/i2c/ccs/ccs-data.c | 14 +- drivers/media/i2c/imx412.c | 42 ++-- drivers/media/i2c/ov5640.c | 1 + drivers/media/i2c/ov9282.c | 2 +- drivers/media/platform/exynos4-is/mipi-csis.c | 10 +- drivers/media/platform/imx-jpeg/mxc-jpeg.c | 7 +- drivers/media/platform/marvell-ccic/mcam-core.c | 7 +- drivers/media/platform/s3c-camif/camif-core.c | 13 +- drivers/media/rc/iguanair.c | 4 +- drivers/media/test-drivers/vidtv/vidtv_bridge.c | 8 +- drivers/media/usb/dvb-usb-v2/lmedm04.c | 12 +- drivers/media/usb/uvc/uvc_ctrl.c | 139 ++++++++++--- drivers/media/usb/uvc/uvc_driver.c | 105 +++++----- drivers/media/usb/uvc/uvc_queue.c | 3 +- drivers/media/usb/uvc/uvc_status.c | 1 + drivers/media/usb/uvc/uvc_v4l2.c | 4 +- drivers/media/usb/uvc/uvcvideo.h | 20 +- drivers/media/v4l2-core/v4l2-mc.c | 2 +- drivers/memory/jedec_ddr.h | 47 +++++ drivers/memory/jedec_ddr_data.c | 41 ++++ drivers/memory/of_memory.c | 87 ++++++++ drivers/memory/of_memory.h | 9 + drivers/memory/tegra/Kconfig | 1 + drivers/memory/tegra/tegra20-emc.c | 203 ++++++++++++++++-- drivers/mfd/lpc_ich.c | 3 +- drivers/misc/eeprom/digsy_mtc_eeprom.c | 2 +- drivers/misc/fastrpc.c | 2 +- drivers/misc/mei/hw-me-regs.h | 2 + drivers/misc/mei/pci-me.c | 2 + drivers/mmc/core/sdio.c | 2 + drivers/mmc/host/sdhci-msm.c | 53 ++++- drivers/mtd/hyperbus/hbmc-am654.c | 29 +-- drivers/mtd/hyperbus/hyperbus-core.c | 8 +- drivers/mtd/hyperbus/rpc-if.c | 5 +- drivers/mtd/nand/onenand/onenand_base.c | 1 + drivers/mtd/nand/raw/cadence-nand-controller.c | 44 +++- drivers/net/caif/caif_virtio.c | 2 +- drivers/net/can/c_can/c_can_platform.c | 5 +- drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 4 +- drivers/net/ethernet/broadcom/bgmac.h | 3 +- drivers/net/ethernet/broadcom/tg3.c | 58 ++++++ drivers/net/ethernet/cadence/macb.h | 2 + drivers/net/ethernet/cadence/macb_main.c | 12 +- drivers/net/ethernet/davicom/dm9000.c | 3 +- drivers/net/ethernet/emulex/benet/be.h | 2 +- drivers/net/ethernet/emulex/benet/be_cmds.c | 197 +++++++++--------- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/freescale/enetc/enetc.c | 69 +++++-- drivers/net/ethernet/freescale/fec_main.c | 31 ++- drivers/net/ethernet/hisilicon/hns3/hnae3.c | 15 ++ drivers/net/ethernet/hisilicon/hns3/hnae3.h | 2 + drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 2 + .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 + .../net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c | 2 +- .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 2 + drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c | 2 +- .../net/ethernet/mellanox/mlx5/core/lib/clock.c | 24 ++- drivers/net/ethernet/mellanox/mlx5/core/mr.c | 1 - drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c | 2 +- drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c | 2 - .../net/ethernet/mellanox/mlxsw/spectrum_ethtool.c | 4 +- drivers/net/ethernet/netronome/nfp/bpf/cmsg.c | 2 + drivers/net/ethernet/renesas/sh_eth.c | 4 + drivers/net/ethernet/ti/am65-cpsw-nuss.c | 2 +- drivers/net/geneve.c | 16 +- drivers/net/gtp.c | 5 - drivers/net/loopback.c | 14 ++ drivers/net/netdevsim/ipsec.c | 12 +- drivers/net/netdevsim/netdevsim.h | 1 + drivers/net/netdevsim/udp_tunnels.c | 23 ++- drivers/net/phy/nxp-c45-tja11xx.c | 2 + drivers/net/ppp/ppp_generic.c | 28 ++- drivers/net/team/team.c | 11 +- drivers/net/tun.c | 2 +- drivers/net/usb/gl620a.c | 4 +- drivers/net/usb/rtl8150.c | 22 ++ .../wireless/broadcom/brcm80211/brcmfmac/core.c | 5 + .../broadcom/brcm80211/brcmsmac/phy/phy_n.c | 3 + drivers/net/wireless/intel/iwlwifi/fw/acpi.c | 13 +- drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 2 +- drivers/net/wireless/mediatek/mt76/usb.c | 4 +- drivers/net/wireless/realtek/rtlwifi/base.c | 42 ++-- drivers/net/wireless/realtek/rtlwifi/base.h | 2 - drivers/net/wireless/realtek/rtlwifi/pci.c | 67 +----- .../net/wireless/realtek/rtlwifi/rtl8192se/sw.c | 7 +- .../net/wireless/realtek/rtlwifi/rtl8821ae/fw.h | 4 +- drivers/net/wireless/realtek/rtlwifi/usb.c | 12 +- drivers/net/wireless/realtek/rtlwifi/wifi.h | 23 --- drivers/net/wireless/ti/wlcore/main.c | 10 +- drivers/net/wwan/iosm/iosm_ipc_pcie.c | 56 ++++- drivers/nvme/host/core.c | 16 +- drivers/nvme/host/ioctl.c | 3 +- drivers/nvme/host/pci.c | 4 +- drivers/nvme/target/tcp.c | 15 +- drivers/nvmem/core.c | 2 + drivers/nvmem/qcom-spmi-sdam.c | 1 + drivers/of/base.c | 8 +- drivers/of/of_reserved_mem.c | 3 +- drivers/parport/parport_pc.c | 5 + drivers/pci/controller/pcie-rcar-ep.c | 2 +- drivers/pci/endpoint/pci-epc-core.c | 2 +- drivers/pci/endpoint/pci-epf-core.c | 1 + drivers/pci/quirks.c | 1 + drivers/phy/samsung/phy-exynos5-usbdrd.c | 12 +- drivers/phy/tegra/xusb-tegra186.c | 11 + drivers/platform/x86/acer-wmi.c | 4 + drivers/platform/x86/thinkpad_acpi.c | 1 + drivers/power/supply/da9150-fg.c | 4 +- drivers/pps/clients/pps-gpio.c | 4 +- drivers/pps/clients/pps-ktimer.c | 4 +- drivers/pps/clients/pps-ldisc.c | 6 +- drivers/pps/clients/pps_parport.c | 4 +- drivers/pps/kapi.c | 10 +- drivers/pps/kc.c | 10 +- drivers/pps/pps.c | 127 ++++++------ drivers/ptp/ptp_chardev.c | 4 + drivers/ptp/ptp_clock.c | 8 + drivers/ptp/ptp_ocp.c | 2 +- drivers/rapidio/devices/rio_mport_cdev.c | 3 +- drivers/rapidio/rio-scan.c | 5 +- drivers/regulator/of_regulator.c | 14 +- drivers/rtc/rtc-pcf85063.c | 11 +- drivers/s390/char/sclp_early.c | 2 +- drivers/scsi/mpt3sas/mpt3sas_base.c | 3 +- drivers/scsi/qla2xxx/qla_def.h | 2 + drivers/scsi/qla2xxx/qla_dfs.c | 122 +++++++++-- drivers/scsi/qla2xxx/qla_gbl.h | 3 + drivers/scsi/qla2xxx/qla_init.c | 28 ++- drivers/scsi/scsi_lib.c | 58 +++--- drivers/scsi/storvsc_drv.c | 1 + drivers/scsi/ufs/ufs_bsg.c | 1 + drivers/slimbus/messaging.c | 5 +- drivers/soc/mediatek/mtk-devapc.c | 36 ++-- drivers/soc/qcom/smem_state.c | 3 +- drivers/soc/qcom/socinfo.c | 2 +- drivers/spi/spi-mxs.c | 3 +- drivers/spi/spi-zynq-qspi.c | 13 +- drivers/staging/media/imx/imx-media-of.c | 8 +- drivers/tee/optee/supp.c | 35 +--- drivers/tty/serial/8250/8250.h | 2 + drivers/tty/serial/8250/8250_dma.c | 16 ++ drivers/tty/serial/8250/8250_pci.c | 10 + drivers/tty/serial/8250/8250_port.c | 9 + drivers/tty/serial/sh-sci.c | 25 ++- drivers/tty/serial/xilinx_uartps.c | 10 +- drivers/usb/atm/cxacru.c | 13 +- drivers/usb/chipidea/ci_hdrc_imx.c | 38 ++-- drivers/usb/class/cdc-acm.c | 28 ++- drivers/usb/core/hub.c | 49 ++++- drivers/usb/core/quirks.c | 10 + drivers/usb/dwc2/gadget.c | 1 + drivers/usb/dwc3/core.c | 115 ++++++----- drivers/usb/dwc3/core.h | 2 +- drivers/usb/dwc3/drd.c | 4 +- drivers/usb/dwc3/gadget.c | 47 ++++- drivers/usb/gadget/composite.c | 17 +- drivers/usb/gadget/function/f_midi.c | 10 +- drivers/usb/gadget/function/f_tcm.c | 66 +++--- drivers/usb/gadget/udc/renesas_usb3.c | 2 +- drivers/usb/host/pci-quirks.c | 9 + drivers/usb/host/xhci-mem.c | 5 +- drivers/usb/host/xhci-pci.c | 18 +- drivers/usb/host/xhci-ring.c | 12 +- drivers/usb/host/xhci.c | 23 ++- drivers/usb/host/xhci.h | 11 +- drivers/usb/renesas_usbhs/common.c | 6 +- drivers/usb/renesas_usbhs/mod_gadget.c | 2 +- drivers/usb/roles/class.c | 5 +- drivers/usb/serial/option.c | 49 +++-- drivers/usb/typec/tcpm/tcpci.c | 13 +- drivers/usb/typec/tcpm/tcpci_rt1711h.c | 11 + drivers/usb/typec/tcpm/tcpm.c | 10 +- drivers/usb/typec/ucsi/ucsi.c | 2 +- drivers/vdpa/mlx5/core/resources.c | 1 - drivers/vfio/pci/vfio_pci_rdwr.c | 1 + drivers/vfio/platform/vfio_platform_common.c | 10 + drivers/video/fbdev/omap2/omapfb/dss/dss-of.c | 1 + drivers/virt/acrn/hsm.c | 6 +- fs/afs/cell.c | 1 + fs/afs/dir.c | 7 +- fs/afs/internal.h | 23 ++- fs/afs/server.c | 1 + fs/afs/server_list.c | 114 +++++++++- fs/afs/vl_alias.c | 2 +- fs/afs/volume.c | 40 ++-- fs/afs/xdr_fs.h | 2 +- fs/afs/yfsclient.c | 5 +- fs/binfmt_flat.c | 2 +- fs/btrfs/file.c | 6 +- fs/btrfs/inode.c | 4 +- fs/btrfs/relocation.c | 14 +- fs/btrfs/super.c | 2 +- fs/btrfs/transaction.c | 4 +- fs/cifs/smb2ops.c | 4 + fs/exfat/balloc.c | 10 +- fs/exfat/exfat_fs.h | 2 +- fs/exfat/fatent.c | 11 +- fs/f2fs/dir.c | 53 +++-- fs/f2fs/f2fs.h | 6 +- fs/f2fs/file.c | 13 ++ fs/f2fs/inline.c | 5 +- fs/file_table.c | 47 ++++- fs/inode.c | 39 +++- fs/ksmbd/transport_ipc.c | 9 + fs/nfs/flexfilelayout/flexfilelayout.c | 27 ++- fs/nfs/nfs42proc.c | 2 +- fs/nfs/nfs42xdr.c | 2 + fs/nfsd/nfs2acl.c | 2 + fs/nfsd/nfs3acl.c | 2 + fs/nfsd/nfs4callback.c | 8 +- fs/nilfs2/dir.c | 24 +-- fs/nilfs2/inode.c | 10 +- fs/nilfs2/mdt.c | 6 +- fs/nilfs2/namei.c | 37 ++-- fs/nilfs2/nilfs.h | 10 +- fs/nilfs2/page.c | 55 ++--- fs/nilfs2/page.h | 4 +- fs/nilfs2/segment.c | 4 +- fs/ocfs2/dir.c | 25 ++- fs/ocfs2/quota_global.c | 5 + fs/ocfs2/super.c | 2 +- fs/ocfs2/symlink.c | 5 +- fs/orangefs/orangefs-debugfs.c | 4 +- fs/overlayfs/copy_up.c | 44 ++-- fs/overlayfs/dir.c | 100 ++++----- fs/overlayfs/inode.c | 17 +- fs/overlayfs/namei.c | 6 +- fs/overlayfs/overlayfs.h | 96 ++++++--- fs/overlayfs/readdir.c | 32 +-- fs/overlayfs/super.c | 40 ++-- fs/overlayfs/util.c | 18 +- fs/proc/proc_sysctl.c | 3 + fs/pstore/blk.c | 4 +- fs/select.c | 4 +- fs/squashfs/inode.c | 5 +- fs/ubifs/debug.c | 22 +- fs/xfs/xfs_inode.c | 7 +- fs/xfs/xfs_qm_bhv.c | 41 ++-- fs/xfs/xfs_super.c | 11 +- include/asm-generic/vmlinux.lds.h | 2 +- include/drm/drm_probe_helper.h | 1 + include/linux/cgroup-defs.h | 6 +- include/linux/efi.h | 1 + include/linux/fs.h | 6 - include/linux/gpio/driver.h | 16 ++ include/linux/i8253.h | 1 + include/linux/irq.h | 2 + include/linux/kallsyms.h | 2 +- include/linux/kvm_host.h | 9 + include/linux/memblock.h | 12 -- include/linux/mlx5/driver.h | 2 - include/linux/mtd/hyperbus.h | 4 +- include/linux/netdevice.h | 8 + include/linux/pci_ids.h | 4 + include/linux/pps_kernel.h | 3 +- include/linux/sched.h | 4 +- include/linux/sched/sysctl.h | 14 +- include/linux/sched/task.h | 1 + include/linux/sysctl.h | 6 + include/linux/usb/hcd.h | 5 +- include/linux/usb/tcpm.h | 3 +- include/net/dst.h | 9 + include/net/flow_dissector.h | 16 ++ include/net/flow_offload.h | 6 + include/net/l3mdev.h | 2 + include/net/net_namespace.h | 15 +- include/net/netns/ipv4.h | 3 + include/net/route.h | 9 +- include/trace/events/oom.h | 36 +++- include/uapi/linux/input-event-codes.h | 1 + include/uapi/linux/seg6_iptunnel.h | 2 + kernel/acct.c | 134 +++++++----- kernel/bpf/syscall.c | 18 +- kernel/cgroup/cgroup.c | 20 +- kernel/debug/kdb/kdb_io.c | 2 + kernel/dma/swiotlb.c | 2 +- kernel/events/core.c | 17 +- kernel/hung_task.c | 81 +++++++- kernel/irq/debugfs.c | 1 + kernel/irq/internals.h | 9 +- kernel/padata.c | 45 +++- kernel/power/hibernate.c | 7 +- kernel/printk/printk.c | 2 +- kernel/sched/core.c | 10 +- kernel/sched/cpufreq_schedutil.c | 4 +- kernel/sched/fair.c | 23 ++- kernel/sched/stats.h | 22 +- kernel/sysctl.c | 146 ++----------- kernel/time/clocksource.c | 11 +- kernel/trace/bpf_trace.c | 2 +- kernel/trace/ftrace.c | 27 ++- lib/Kconfig.debug | 8 +- lib/Kconfig.kfence | 12 ++ lib/cpumask.c | 2 +- mm/kfence/core.c | 51 ++++- mm/memcontrol.c | 7 +- mm/memory.c | 6 +- mm/oom_kill.c | 14 +- mm/page_alloc.c | 1 + mm/percpu.c | 8 +- mm/sparse.c | 2 +- mm/vmalloc.c | 4 +- net/8021q/vlan.c | 3 +- net/batman-adv/bat_v.c | 2 - net/batman-adv/bat_v_elp.c | 123 +++++++---- net/batman-adv/bat_v_elp.h | 2 - net/batman-adv/types.h | 3 - net/bluetooth/l2cap_core.c | 9 +- net/bluetooth/l2cap_sock.c | 7 +- net/can/j1939/socket.c | 4 +- net/can/j1939/transport.c | 5 +- net/core/dev.c | 37 +++- net/core/drop_monitor.c | 39 ++-- net/core/flow_dissector.c | 49 +++-- net/core/flow_offload.c | 7 + net/core/neighbour.c | 11 +- net/core/skbuff.c | 2 +- net/core/sysctl_net_core.c | 5 +- net/ethtool/netlink.c | 2 +- net/hsr/hsr_forward.c | 7 +- net/ipv4/arp.c | 6 +- net/ipv4/devinet.c | 3 +- net/ipv4/ipmr_base.c | 3 - net/ipv4/route.c | 102 ++++++--- net/ipv4/tcp_cubic.c | 8 +- net/ipv4/tcp_minisocks.c | 10 +- net/ipv4/tcp_offload.c | 11 +- net/ipv4/udp.c | 4 +- net/ipv4/udp_offload.c | 8 +- net/ipv6/ila/ila_lwt.c | 4 +- net/ipv6/mcast.c | 14 +- net/ipv6/ndisc.c | 28 +-- net/ipv6/route.c | 7 +- net/ipv6/rpl_iptunnel.c | 62 +++--- net/ipv6/seg6_iptunnel.c | 227 +++++++++++++++++--- net/ipv6/udp.c | 4 +- net/llc/llc_s_ac.c | 49 +++-- net/mptcp/options.c | 13 +- net/mptcp/pm_netlink.c | 6 - net/mptcp/protocol.c | 1 + net/mptcp/protocol.h | 30 +-- net/ncsi/internal.h | 2 + net/ncsi/ncsi-cmd.c | 3 +- net/ncsi/ncsi-manage.c | 38 +++- net/ncsi/ncsi-pkt.h | 10 + net/ncsi/ncsi-rsp.c | 58 ++++-- net/netfilter/nf_tables_api.c | 8 +- net/netfilter/nft_flow_offload.c | 16 +- net/nfc/nci/hci.c | 2 + net/openvswitch/datapath.c | 12 +- net/rose/af_rose.c | 40 ++-- net/rose/rose_timer.c | 15 ++ net/sched/cls_flower.c | 8 +- net/sched/sch_api.c | 4 + net/sched/sch_cake.c | 140 +++++++------ net/sched/sch_fifo.c | 3 + net/sched/sch_netem.c | 2 +- net/smc/af_smc.c | 2 +- net/smc/smc_rx.c | 37 ++-- net/smc/smc_rx.h | 8 +- net/sunrpc/cache.c | 10 +- net/tipc/crypto.c | 4 +- net/vmw_vsock/af_vsock.c | 82 +++++--- net/wireless/nl80211.c | 5 + net/wireless/reg.c | 3 +- net/wireless/scan.c | 35 ++++ net/xfrm/xfrm_replay.c | 10 +- samples/landlock/sandboxer.c | 7 + scripts/Makefile.extrawarn | 5 +- scripts/genksyms/genksyms.c | 11 +- scripts/genksyms/genksyms.h | 2 +- scripts/genksyms/parse.y | 18 +- scripts/kconfig/conf.c | 6 + scripts/kconfig/confdata.c | 102 ++++----- scripts/kconfig/lkc_proto.h | 2 + scripts/kconfig/symbol.c | 10 + security/landlock/fs.c | 86 ++++---- security/safesetid/securityfs.c | 3 + security/tomoyo/common.c | 2 +- sound/pci/hda/hda_intel.c | 2 + sound/pci/hda/patch_conexant.c | 1 + sound/pci/hda/patch_realtek.c | 78 +++++++ sound/soc/codecs/es8328.c | 15 +- sound/soc/intel/boards/bytcr_rt5640.c | 17 +- sound/soc/sh/rz-ssi.c | 5 +- sound/soc/sunxi/sun4i-spdif.c | 7 + sound/usb/midi.c | 2 +- sound/usb/quirks.c | 3 + sound/usb/usx2y/usbusx2y.c | 11 + sound/usb/usx2y/usbusx2y.h | 26 +++ sound/usb/usx2y/usbusx2yaudio.c | 27 --- tools/bootconfig/main.c | 4 +- tools/lib/bpf/linker.c | 22 +- tools/perf/bench/epoll-wait.c | 7 +- tools/perf/builtin-report.c | 2 +- tools/perf/builtin-top.c | 2 +- tools/perf/builtin-trace.c | 6 +- tools/perf/util/bpf-event.c | 10 +- tools/perf/util/env.c | 13 +- tools/perf/util/env.h | 4 +- tools/perf/util/header.c | 8 +- .../cpupower/utils/idle_monitor/mperf_monitor.c | 15 +- tools/testing/ktest/ktest.pl | 7 +- tools/testing/selftests/bpf/test_tc_tunnel.sh | 1 + .../drivers/net/netdevsim/udp_tunnel_nic.sh | 16 +- tools/testing/selftests/kselftest_harness.h | 24 +-- tools/testing/selftests/landlock/fs_test.c | 3 +- tools/testing/selftests/net/ipsec.c | 3 +- tools/testing/selftests/net/pmtu.sh | 229 ++++++++++++++++++++- tools/testing/selftests/net/rtnetlink.sh | 4 +- tools/testing/selftests/net/udpgso.c | 26 +++ 611 files changed, 7032 insertions(+), 3364 deletions(-)

2 months, 2 weeks

9
632
0 0

[PATCH 6.1 000/197] 6.1.132-rc3 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.132 release. There are 197 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun, 30 Mar 2025 07:43:56 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.132-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.132-rc3 Darrick J. Wong <djwong(a)kernel.org> xfs: give xfs_extfree_intent its own perag reference Acs, Jakub <acsjakub(a)amazon.de> block, bfq: fix re-introduced UAF in bic_set_bfqq() Zi Yan <ziy(a)nvidia.com> mm/migrate: fix shmem xarray update during migration Benjamin Berg <benjamin.berg(a)intel.com> wifi: iwlwifi: mvm: ensure offloading TID queue exists Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Change new sparse cluster processing Vitaly Prosyak <vitaly.prosyak(a)amd.com> drm/amdgpu: fix use-after-free bug Justin Klaassen <justin(a)tidylabs.net> arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S Yunfei Dong <yunfei.dong(a)mediatek.com> media: mediatek: vcodec: Fix VP8 stateless decoder smatch warning Jason-JH.Lin <jason-jh.lin(a)mediatek.com> drm/mediatek: Fix coverity issue with unintentional integer overflow Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> netfilter: nft_counter: Use u64_stats_t for statistic. Arthur Mongodin <amongodin(a)randorisec.fr> mptcp: Fix data stream corruption in the address announcement Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Use HW lock mgr for PSR1 when only one eDP Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix incorrect validation for num_aces field of smb_acl David Rosca <david.rosca(a)amd.com> drm/amdgpu: Fix JPEG video caps max size for navi1x and raven Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() Saranya R <quic_sarar(a)quicinc.com> soc: qcom: pdr: Fix the potential deadlock Sven Eckelmann <sven(a)narfation.org> batman-adv: Ignore own maximum aggregation size during RX Gavrilov Ilia <Ilia.Gavrilov(a)infotecs.ru> xsk: fix an integer overflow in xp_create_and_assign_umem() Ard Biesheuvel <ardb(a)kernel.org> efi/libstub: Avoid physical address 0x0 when doing random allocation Geert Uytterhoeven <geert+renesas(a)glider.be> ARM: shmobile: smp: Enforce shmobile_smp_* alignment Ye Bin <yebin10(a)huawei.com> proc: fix UAF in proc_get_inode() Gu Bowen <gubowen5(a)huawei.com> mmc: atmel-mci: Add missing clk_disable_unprepare() Kamal Dasu <kamal.dasu(a)broadcom.com> mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops Stefan Eichenberger <stefan.eichenberger(a)toradex.com> arm64: dts: freescale: imx8mm-verdin-dahlia: add Microphone Jack to sound card Christian Eggers <ceggers(a)arri.de> regulator: check that dummy regulator has been probed before using it Maíra Canal <mcanal(a)igalia.com> drm/v3d: Don't run jobs that have errors flagged in its fence Haibo Chen <haibo.chen(a)nxp.com> can: flexcan: disable transceiver during system PM Haibo Chen <haibo.chen(a)nxp.com> can: flexcan: only change CAN state when link up in system PM Biju Das <biju.das.jz(a)bp.renesas.com> can: rcar_canfd: Fix page entries in the AFL list Andreas Kemnade <andreas(a)kemnade.info> i2c: omap: fix IRQ storms Guillaume Nault <gnault(a)redhat.com> Revert "gre: Fix IPv6 link-local address generation." Lin Ma <linma(a)zju.edu.cn> net/neighbor: add missing policy for NDTPA_QUEUE_LENBYTES Justin Iurman <justin.iurman(a)uliege.be> net: lwtunnel: fix recursion loops Dan Carpenter <dan.carpenter(a)linaro.org> net: atm: fix use after free in lec_send() Kuniyuki Iwashima <kuniyu(a)amazon.com> ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create(). Kuniyuki Iwashima <kuniyu(a)amazon.com> ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw(). Dan Carpenter <dan.carpenter(a)linaro.org> Bluetooth: Fix error code in chan_alloc_skb_cb() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix wrong value of max_sge_rd Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix a missing rollback in error path of hns_roce_create_qp_common() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix unmatched condition in error path of alloc_user_qp_db() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix soft lockup during bt pages loop Saravanan Vajravel <saravanan.vajravel(a)broadcom.com> RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path Phil Elwell <phil(a)raspberrypi.com> ARM: dts: bcm2711: Don't mark timer regs unconfigured Arnd Bergmann <arnd(a)arndb.de> ARM: OMAP1: select CONFIG_GENERIC_IRQ_CHIP Kashyap Desai <kashyap.desai(a)broadcom.com> RDMA/bnxt_re: Add missing paranthesis in map_qp_id_to_tbl_indx Phil Elwell <phil(a)raspberrypi.com> ARM: dts: bcm2711: PL011 UARTs are actually r1p5 Peng Fan <peng.fan(a)nxp.com> soc: imx8m: Unregister cpufreq and soc dev in cleanup path Marek Vasut <marex(a)denx.de> soc: imx8m: Use devm_* to simplify probe failure handling Marek Vasut <marex(a)denx.de> soc: imx8m: Remove global soc_uid Cosmin Ratiu <cratiu(a)nvidia.com> xfrm_output: Force software GSO only in tunnel mode Alexander Stein <alexander.stein(a)ew.tq-group.com> arm64: dts: freescale: tqma8mpql: Fix vqmmc-supply Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> firmware: imx-scu: fix OF node leak in .probe() Paulo Alcantara <pc(a)manguebit.com> smb: client: fix potential UAF in cifs_dump_full_key() Maurizio Lombardi <mlombard(a)redhat.com> nvme-tcp: Fix a C2HTermReq error message Alex Henrie <alexhenrie24(a)gmail.com> HID: apple: disable Fn key handling on the Omoton KB066 Henrique Carvalho <henrique.carvalho(a)suse.com> smb: client: Fix match_session bug preventing session reuse Steve French <stfrench(a)microsoft.com> smb3: add support for IAKerb Zhenhua Huang <quic_zhenhuah(a)quicinc.com> arm64: mm: Populate vmemmap at the page level if not section aligned Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: sis630: Fix an error handling path in sis630_probe() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: ali15x3: Fix an error handling path in ali15x3_probe() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: ali1535: Fix an error handling path in ali1535_probe() Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing closetimeo mount option Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing actimeo mount option Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing acdirmax mount option Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing acregmax mount option Tamir Duberstein <tamird(a)gmail.com> scripts: generate_rust_analyzer: add missing macros deps Martin Rodriguez Reboredo <yakoyoku(a)gmail.com> scripts: generate_rust_analyzer: provide `cfg`s for `core` and `alloc` Vinay Varma <varmavinaym(a)gmail.com> scripts: `make rust-analyzer` for out-of-tree modules Asahi Lina <lina(a)asahilina.net> scripts: generate_rust_analyzer: Handle sub-modules with no Makefile Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe() Ivan Abramov <i.abramov(a)mt-integration.ru> drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data() Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: ops: Consistently treat platform_max as control value George Stark <gnstark(a)salutedevices.com> leds: mlxreg: Use devm_mutex_init() for mutex initialization Xueming Feng <kuro(a)kuroa.me> tcp: fix forever orphan socket caused by tcp_abort Eric Dumazet <edumazet(a)google.com> tcp: fix races in tcp_abort() Andrii Nakryiko <andrii(a)kernel.org> lib/buildid: Handle memfd_secret() files in build_id_parse() Matthew Maurer <mmaurer(a)google.com> rust: Disallow BTF generation with Rust + LTO Haoxiang Li <haoxiang_li2024(a)163.com> qlcnic: fix memory leak issues in qlcnic_sriov_common.c Thomas Mizrahi <thomasmizra(a)gmail.com> ASoC: amd: yc: Support mic on another Lenovo ThinkPad E16 Gen 2 model Varada Pavani <v.pavani(a)samsung.com> clk: samsung: update PLL locktime for PLL142XX used on FSD platform Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Fix slab-use-after-free on hdcp_work Alex Hung <alex.hung(a)amd.com> drm/amd/display: Assign normalized_pix_clk when color depth = 14 Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Restore correct backlight brightness after a GPU reset Imre Deak <imre.deak(a)intel.com> drm/dp_mst: Fix locking when skipping CSN before topology probing Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/atomic: Filter out redundant DPMS calls Florent Revest <revest(a)chromium.org> x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Johan Hovold <johan(a)kernel.org> USB: serial: option: match on interface class for Telit FN990B Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: fix Telit Cinterion FE990A name Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion FE990B compositions Boon Khai Ng <boon.khai.ng(a)intel.com> USB: serial: ftdi_sio: add support for Altera USB Blaster 3 Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - swap old quirk combination with new quirk for more devices Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - swap old quirk combination with new quirk for several devices Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - add required quirks for missing old boardnames Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - swap old quirk combination with new quirk for NHxxRZQ Darrick J. Wong <djwong(a)kernel.org> xfs: remove conditional building of rt geometry validator functions Andrey Albershteyn <aalbersh(a)redhat.com> xfs: reset XFS_ATTR_INCOMPLETE filter on node removal Zhang Tianci <zhangtianci.1997(a)bytedance.com> xfs: update dir3 leaf block metadata after swap Jiachen Zhang <zhangjiachen.jaycee(a)bytedance.com> xfs: ensure logflagsp is initialized in xfs_bmap_del_extent_real Long Li <leo.lilong(a)huawei.com> xfs: fix perag leak when growfs fails Long Li <leo.lilong(a)huawei.com> xfs: add lock protection when remove perag from radix tree Dave Chinner <dchinner(a)redhat.com> xfs: initialise di_crc in xfs_log_dinode Darrick J. Wong <djwong(a)kernel.org> xfs: force all buffers to be written during btree bulk load Darrick J. Wong <djwong(a)kernel.org> xfs: recompute growfsrtfree transaction reservation while growing rt volume Darrick J. Wong <djwong(a)kernel.org> xfs: remove unused fields from struct xbtree_ifakeroot Darrick J. Wong <djwong(a)kernel.org> xfs: don't allow overly small or large realtime volumes Darrick J. Wong <djwong(a)kernel.org> xfs: fix 32-bit truncation in xfs_compute_rextslog Darrick J. Wong <djwong(a)kernel.org> xfs: make rextslog computation consistent with mkfs Darrick J. Wong <djwong(a)kernel.org> xfs: don't leak recovered attri intent items Christoph Hellwig <hch(a)lst.de> xfs: consider minlen sized extents in xfs_rtallocate_extent_block Darrick J. Wong <djwong(a)kernel.org> xfs: convert rt bitmap extent lengths to xfs_rtbxlen_t Darrick J. Wong <djwong(a)kernel.org> xfs: move the xfs_rtbitmap.c declarations to xfs_rtbitmap.h Darrick J. Wong <djwong(a)kernel.org> xfs: reserve less log space when recovering log intent items Dave Chinner <dchinner(a)redhat.com> xfs: use deferred frees for btree block freeing Dave Chinner <dchinner(a)redhat.com> xfs: fix bounds check in xfs_defer_agfl_block() Dave Chinner <dchinner(a)redhat.com> xfs: validate block number being freed before adding to xefi Darrick J. Wong <djwong(a)kernel.org> xfs: pass per-ag references to xfs_free_extent Darrick J. Wong <djwong(a)kernel.org> xfs: pass the xfs_bmbt_irec directly through the log intent code Darrick J. Wong <djwong(a)kernel.org> xfs: fix confusing xfs_extent_item variable names Darrick J. Wong <djwong(a)kernel.org> xfs: pass xfs_extent_free_item directly through the log intent code Darrick J. Wong <djwong(a)kernel.org> xfs: pass refcount intent directly through the log intent code Pavel Begunkov <asml.silence(a)gmail.com> io_uring: fix corner case forgetting to vunmap Jens Axboe <axboe(a)kernel.dk> io_uring: don't attempt to mmap larger than what the user asks for Jens Axboe <axboe(a)kernel.dk> io_uring: get rid of remap_pfn_range() for mapping rings/sqes Jens Axboe <axboe(a)kernel.dk> mm: add nommu variant of vm_insert_pages() Jens Axboe <axboe(a)kernel.dk> io_uring: add ring freeing helper Jens Axboe <axboe(a)kernel.dk> io_uring: return error pointer from io_mem_alloc() Ming Lei <ming.lei(a)redhat.com> block: fix 'kmem_cache of name 'bio-108' already exists' Thomas Zimmermann <tzimmermann(a)suse.de> drm/nouveau: Do not override forced connector status Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: safety check before fallback Arnd Bergmann <arnd(a)arndb.de> x86/irq: Define trace events conditionally Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel: Use better start period for frequency mode Miklos Szeredi <mszeredi(a)redhat.com> fuse: don't truncate cached, mutated symlink Hector Martin <marcan(a)marcan.st> ASoC: tas2764: Set the SDOUT polarity correctly Hector Martin <marcan(a)marcan.st> ASoC: tas2764: Fix power control mask Hector Martin <marcan(a)marcan.st> ASoC: tas2770: Fix volume scale Daniel Wagner <wagi(a)kernel.org> nvme: only allow entering LIVE from CONNECTING state Yu-Chun Lin <eleanor15x(a)gmail.com> sctp: Fix undefined behavior in left shift operation Ruozhu Li <david.li(a)jaguarmicro.com> nvmet-rdma: recheck queue state is LIVE in state lock in recv done Maurizio Lombardi <mlombard(a)redhat.com> nvme-tcp: add basic support for the C2HTermReq PDU Christopher Lentocha <christopherericlentocha(a)gmail.com> nvme-pci: quirk Acer FA100 for non-uniqueue identifiers Stephan Gerhold <stephan.gerhold(a)linaro.org> net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors Terry Cheong <htcheong(a)chromium.org> ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module Vitaly Rodionov <vitalyr(a)opensource.cirrus.com> ASoC: arizona/madera: use fsleep() in up/down DAPM event delays. Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: rsnd: adjust convert rate limitation Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: rsnd: don't indicate warning on rsnd_kctrl_accept_runtime() Edson Juliano Drosdeck <edson.drosdeck(a)gmail.com> ALSA: hda/realtek: Limit mic boost on Positivo ARN50 Jan Beulich <jbeulich(a)suse.com> Xen/swiotlb: mark xen_swiotlb_fixup() __init Daniel Lezcano <daniel.lezcano(a)linaro.org> thermal/cpufreq_cooling: Remove structure member documentation Peter Oberparleiter <oberpar(a)linux.ibm.com> s390/cio: Fix CHPID "configure" attribute caching Mark Pearson <mpearson-lenovo(a)squebb.ca> platform/x86: thinkpad_acpi: Support for V9 DYTC platform profiles Sybil Isabel Dorsett <sybdorsett(a)proton.me> platform/x86: thinkpad_acpi: Fix invalid fan speed on ThinkPad X120e Jann Horn <jannh(a)google.com> sched: Clarify wake_up_q()'s write to task->wake_q.next Alex Henrie <alexhenrie24(a)gmail.com> HID: apple: fix up the F6 key on the Omoton KB066 keyboard Ievgen Vovk <YevgenVovk(a)ukr.net> HID: hid-apple: Apple Magic Keyboard a3203 USB-C support Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: ignore non-functional sensor in HP 5MP Camera Zhang Lixu <lixu.zhang(a)intel.com> HID: intel-ish-hid: Send clock sync message immediately after reset Zhang Lixu <lixu.zhang(a)intel.com> HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell Brahmajit Das <brahmajit.xyz(a)gmail.com> vboxsf: fix building with GCC 15 Eric W. Biederman <ebiederm(a)xmission.com> alpha/elf: Fix misc/setarch test of util-linux by removing 32bit support Paulo Alcantara <pc(a)manguebit.com> smb: client: fix noisy when tree connecting to DFS interlink targets Gannon Kolding <gannon.kolding(a)gmail.com> ACPI: resource: IRQ override for Eluktronics MECH-17 Magnus Lindholm <linmag7(a)gmail.com> scsi: qla1280: Fix kernel oops when debug level > 2 Rik van Riel <riel(a)surriel.com> scsi: core: Use GFP_NOIO to avoid circular locking dependency Chengen Du <chengen.du(a)canonical.com> iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> powercap: call put_device() on an error path in powercap_register_control_type() Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> hrtimers: Mark is_migration_base() with __always_inline Daniel Wagner <wagi(a)kernel.org> nvme-fc: go straight to connecting state when initializing Carolina Jubran <cjubran(a)nvidia.com> net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices Jianbo Liu <jianbol(a)nvidia.com> net/mlx5: Bridge, fix the crash caused by LAG state check Ilya Maximets <i.maximets(a)ovn.org> net: openvswitch: remove misbehaving actions length check Guillaume Nault <gnault(a)redhat.com> gre: Fix IPv6 link-local address generation. Alexey Kashavkin <akashavkin(a)gmail.com> netfilter: nft_exthdr: fix offset with ipv4_find_option() Cong Wang <xiyou.wangcong(a)gmail.com> net_sched: Prevent creation of classes with TC_H_ROOT Dan Carpenter <dan.carpenter(a)linaro.org> ipvs: prevent integer overflow in do_ip_vs_get_ctl() Kohei Enju <enjuk(a)amazon.com> netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() Hangbin Liu <liuhangbin(a)gmail.com> bonding: fix incorrect MAC address setting to receive NS messages Amit Cohen <amcohen(a)nvidia.com> net: switchdev: Convert blocking notification chain to a raw one Taehee Yoo <ap420073(a)gmail.com> eth: bnxt: do not update checksum in bnxt_xdp_build_skb() Wentao Liang <vulab(a)iscas.ac.cn> net/mlx5: handle errors in mlx5_chains_create_table() Michael Kelley <mhklinux(a)outlook.com> Drivers: hv: vmbus: Don't release fb_mmio resource in vmbus_free_mmio() Michael Kelley <mhklinux(a)outlook.com> drm/hyperv: Fix address space leak when Hyper-V DRM device is removed Breno Leitao <leitao(a)debian.org> netpoll: hold rcu read lock in __netpoll_send_skb() Matt Johnston <matt(a)codeconstruct.com.au> net: mctp i2c: Copy headers if cloned Joseph Huang <Joseph.Huang(a)garmin.com> net: dsa: mv88e6xxx: Verify after ATU Load ops Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Revert "Bluetooth: hci_core: Fix sleeping function called from invalid context" Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix enabling passive scanning Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: cfg80211: cancel wiphy_work before freeing wiphy Jun Yang <juny24602(a)gmail.com> sched: address a potential NULL pointer dereference in the GRED scheduler. Nicklas Bo Jensen <njensen(a)akamai.com> netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around Grzegorz Nitka <grzegorz.nitka(a)intel.com> ice: fix memory leak in aRFS after reset Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template. Artur Weber <aweber.kernel(a)gmail.com> pinctrl: bcm281xx: Fix incorrect regmap max_registers value Michael Kelley <mhklinux(a)outlook.com> fbdev: hyperv_fb: iounmap() the correct memory when removing a device Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Fix shift-out-of-bounds in ntfs_fill_super Felix Moessbauer <felix.moessbauer(a)siemens.com> hrtimer: Use and report correct timerslack values for realtime tasks Oleg Nesterov <oleg(a)redhat.com> sched/isolation: Prevent boot crash when the boot CPU is nohz_full David Woodhouse <dwmw(a)amazon.co.uk> clockevents/drivers/i8253: Fix stop sequence for timer 0 ------------- Diffstat: Documentation/timers/no_hz.rst | 7 +- Makefile | 15 +- arch/alpha/include/asm/elf.h | 6 +- arch/alpha/include/asm/pgtable.h | 2 +- arch/alpha/include/asm/processor.h | 8 +- arch/alpha/kernel/osf_sys.c | 11 +- arch/arm/boot/dts/bcm2711.dtsi | 11 +- arch/arm/mach-omap1/Kconfig | 1 + arch/arm/mach-shmobile/headsmp.S | 1 + .../boot/dts/freescale/imx8mm-verdin-dahlia.dtsi | 6 +- .../arm64/boot/dts/freescale/imx8mp-tqma8mpql.dtsi | 16 +- arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dts | 2 +- arch/arm64/mm/mmu.c | 5 +- arch/x86/events/intel/core.c | 85 ++++++++++ arch/x86/kernel/cpu/microcode/amd.c | 2 +- arch/x86/kernel/cpu/mshyperv.c | 11 -- arch/x86/kernel/irq.c | 2 + block/bfq-cgroup.c | 2 +- block/bio.c | 2 +- drivers/acpi/resource.c | 6 + drivers/clk/samsung/clk-pll.c | 7 +- drivers/clocksource/i8253.c | 36 +++-- drivers/firmware/efi/libstub/randomalloc.c | 4 + drivers/firmware/imx/imx-scu.c | 1 + drivers/firmware/iscsi_ibft.c | 5 +- drivers/gpu/drm/amd/amdgpu/amdgpu_mn.c | 20 ++- drivers/gpu/drm/amd/amdgpu/nv.c | 2 +- drivers/gpu/drm/amd/amdgpu/soc15.c | 2 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 10 ++ .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c | 1 + drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 7 +- .../gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c | 12 ++ drivers/gpu/drm/display/drm_dp_mst_topology.c | 40 +++-- drivers/gpu/drm/drm_atomic_uapi.c | 4 + drivers/gpu/drm/drm_connector.c | 4 + drivers/gpu/drm/gma500/mid_bios.c | 5 + drivers/gpu/drm/hyperv/hyperv_drm_drv.c | 2 + drivers/gpu/drm/mediatek/mtk_drm_gem.c | 9 +- drivers/gpu/drm/mediatek/mtk_drm_plane.c | 13 +- drivers/gpu/drm/nouveau/nouveau_connector.c | 1 - drivers/gpu/drm/radeon/radeon_vce.c | 2 +- drivers/gpu/drm/v3d/v3d_sched.c | 9 +- drivers/hid/hid-apple.c | 13 +- drivers/hid/hid-ids.h | 2 + drivers/hid/hid-quirks.c | 1 + drivers/hid/intel-ish-hid/ipc/ipc.c | 15 +- drivers/hid/intel-ish-hid/ishtp/ishtp-dev.h | 2 + drivers/hv/vmbus_drv.c | 13 ++ drivers/i2c/busses/i2c-ali1535.c | 12 +- drivers/i2c/busses/i2c-ali15x3.c | 12 +- drivers/i2c/busses/i2c-omap.c | 26 +-- drivers/i2c/busses/i2c-sis630.c | 12 +- drivers/infiniband/hw/bnxt_re/qplib_fp.c | 2 - drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 3 +- drivers/infiniband/hw/hns/hns_roce_hem.c | 16 +- drivers/infiniband/hw/hns/hns_roce_main.c | 2 +- drivers/infiniband/hw/hns/hns_roce_qp.c | 10 +- drivers/input/serio/i8042-acpipnpio.h | 111 +++++++------ drivers/leds/leds-mlxreg.c | 16 +- .../mediatek/vcodec/vdec/vdec_vp8_req_if.c | 10 +- drivers/mmc/host/atmel-mci.c | 4 +- drivers/mmc/host/sdhci-brcmstb.c | 10 ++ drivers/net/bonding/bond_options.c | 55 ++++++- drivers/net/can/flexcan/flexcan-core.c | 18 ++- drivers/net/can/rcar/rcar_canfd.c | 28 ++-- drivers/net/dsa/mv88e6xxx/chip.c | 59 +++++-- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 +- drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 11 +- drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.h | 3 +- drivers/net/ethernet/intel/ice/ice_arfs.c | 2 +- .../ethernet/mellanox/mlx5/core/en/rep/bridge.c | 12 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 6 +- .../ethernet/mellanox/mlx5/core/lib/fs_chains.c | 5 + .../ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 8 +- drivers/net/mctp/mctp-i2c.c | 5 + drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 9 +- drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 28 ++++ drivers/net/wireless/intel/iwlwifi/mvm/sta.h | 3 +- drivers/net/wwan/mhi_wwan_mbim.c | 2 +- drivers/nvme/host/core.c | 2 - drivers/nvme/host/fc.c | 3 +- drivers/nvme/host/pci.c | 2 + drivers/nvme/host/tcp.c | 43 +++++ drivers/nvme/target/rdma.c | 33 ++-- drivers/pinctrl/bcm/pinctrl-bcm281xx.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 50 ++++-- drivers/powercap/powercap_sys.c | 3 +- drivers/regulator/core.c | 12 +- drivers/s390/cio/chp.c | 3 +- drivers/scsi/qla1280.c | 2 +- drivers/scsi/scsi_scan.c | 2 +- drivers/soc/imx/soc-imx8m.c | 151 ++++++++---------- drivers/soc/qcom/pdr_interface.c | 8 +- drivers/thermal/cpufreq_cooling.c | 2 - drivers/usb/serial/ftdi_sio.c | 14 ++ drivers/usb/serial/ftdi_sio_ids.h | 13 ++ drivers/usb/serial/option.c | 48 ++++-- drivers/video/fbdev/hyperv_fb.c | 2 +- drivers/xen/swiotlb-xen.c | 2 +- fs/fuse/dir.c | 2 +- fs/namei.c | 24 ++- fs/ntfs3/attrib.c | 176 ++++++++++++++------- fs/ntfs3/file.c | 151 ++++-------------- fs/ntfs3/frecord.c | 2 +- fs/ntfs3/index.c | 4 +- fs/ntfs3/inode.c | 12 +- fs/ntfs3/ntfs_fs.h | 9 +- fs/ntfs3/super.c | 68 +++++--- fs/proc/base.c | 9 +- fs/proc/generic.c | 10 +- fs/proc/inode.c | 6 +- fs/proc/internal.h | 14 ++ fs/select.c | 11 +- fs/smb/client/asn1.c | 2 + fs/smb/client/cifs_spnego.c | 4 +- fs/smb/client/cifsglob.h | 4 + fs/smb/client/connect.c | 16 +- fs/smb/client/fs_context.c | 14 +- fs/smb/client/ioctl.c | 6 +- fs/smb/client/sess.c | 3 +- fs/smb/client/smb2pdu.c | 4 +- fs/smb/server/smbacl.c | 5 +- fs/vboxsf/super.c | 3 +- fs/xfs/libxfs/xfs_ag.c | 45 ++++-- fs/xfs/libxfs/xfs_ag.h | 3 + fs/xfs/libxfs/xfs_alloc.c | 77 +++++---- fs/xfs/libxfs/xfs_alloc.h | 24 ++- fs/xfs/libxfs/xfs_attr.c | 6 +- fs/xfs/libxfs/xfs_bmap.c | 121 +++++++------- fs/xfs/libxfs/xfs_bmap.h | 5 +- fs/xfs/libxfs/xfs_bmap_btree.c | 8 +- fs/xfs/libxfs/xfs_btree_staging.c | 4 +- fs/xfs/libxfs/xfs_btree_staging.h | 6 - fs/xfs/libxfs/xfs_da_btree.c | 7 + fs/xfs/libxfs/xfs_format.h | 2 +- fs/xfs/libxfs/xfs_ialloc.c | 24 ++- fs/xfs/libxfs/xfs_ialloc_btree.c | 6 +- fs/xfs/libxfs/xfs_log_recover.h | 22 +++ fs/xfs/libxfs/xfs_refcount.c | 116 +++++++------- fs/xfs/libxfs/xfs_refcount.h | 4 +- fs/xfs/libxfs/xfs_refcount_btree.c | 9 +- fs/xfs/libxfs/xfs_rtbitmap.c | 2 + fs/xfs/libxfs/xfs_rtbitmap.h | 83 ++++++++++ fs/xfs/libxfs/xfs_sb.c | 20 ++- fs/xfs/libxfs/xfs_sb.h | 2 + fs/xfs/libxfs/xfs_types.h | 13 ++ fs/xfs/scrub/repair.c | 3 +- fs/xfs/scrub/rtbitmap.c | 3 +- fs/xfs/xfs_attr_item.c | 16 +- fs/xfs/xfs_bmap_item.c | 85 ++++------ fs/xfs/xfs_buf.c | 44 +++++- fs/xfs/xfs_buf.h | 1 + fs/xfs/xfs_extfree_item.c | 144 ++++++++++------- fs/xfs/xfs_fsmap.c | 2 +- fs/xfs/xfs_fsops.c | 5 +- fs/xfs/xfs_inode_item.c | 3 + fs/xfs/xfs_refcount_item.c | 68 ++++---- fs/xfs/xfs_reflink.c | 7 +- fs/xfs/xfs_rmap_item.c | 6 +- fs/xfs/xfs_rtalloc.c | 14 +- fs/xfs/xfs_rtalloc.h | 73 --------- fs/xfs/xfs_trace.h | 15 +- include/linux/fs.h | 2 + include/linux/i8253.h | 1 - include/linux/io_uring_types.h | 5 + include/linux/nvme-tcp.h | 2 + include/linux/proc_fs.h | 7 +- include/net/bluetooth/hci_core.h | 108 +++++-------- include/sound/soc.h | 5 +- include/uapi/linux/io_uring.h | 1 + init/Kconfig | 2 +- io_uring/io_uring.c | 163 ++++++++++++++++--- io_uring/io_uring.h | 2 + kernel/sched/core.c | 13 +- kernel/sys.c | 2 + kernel/time/hrtimer.c | 40 ++--- lib/buildid.c | 5 + mm/migrate.c | 16 +- mm/nommu.c | 7 + net/atm/lec.c | 3 +- net/batman-adv/bat_iv_ogm.c | 3 +- net/batman-adv/bat_v_ogm.c | 3 +- net/bluetooth/6lowpan.c | 7 +- net/bluetooth/hci_core.c | 10 +- net/bluetooth/hci_event.c | 37 +++-- net/bluetooth/iso.c | 6 - net/bluetooth/l2cap_core.c | 12 +- net/bluetooth/rfcomm/core.c | 6 - net/bluetooth/sco.c | 12 +- net/core/lwtunnel.c | 65 ++++++-- net/core/neighbour.c | 1 + net/core/netpoll.c | 9 +- net/ipv4/tcp.c | 19 ++- net/ipv6/route.c | 5 +- net/mptcp/options.c | 6 +- net/mptcp/protocol.h | 2 + net/netfilter/ipvs/ip_vs_ctl.c | 8 +- net/netfilter/nf_conncount.c | 6 +- net/netfilter/nft_counter.c | 90 +++++------ net/netfilter/nft_ct.c | 6 +- net/netfilter/nft_exthdr.c | 10 +- net/openvswitch/flow_netlink.c | 15 +- net/sched/sch_api.c | 6 + net/sched/sch_gred.c | 3 +- net/sctp/stream.c | 2 +- net/switchdev/switchdev.c | 25 ++- net/wireless/core.c | 7 + net/xdp/xsk_buff_pool.c | 2 +- net/xfrm/xfrm_output.c | 2 +- rust/Makefile | 7 +- scripts/generate_rust_analyzer.py | 64 ++++++-- sound/pci/hda/patch_realtek.c | 1 + sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/codecs/arizona.c | 14 +- sound/soc/codecs/madera.c | 10 +- sound/soc/codecs/tas2764.c | 10 +- sound/soc/codecs/tas2764.h | 8 +- sound/soc/codecs/tas2770.c | 2 +- sound/soc/codecs/wm0010.c | 13 +- sound/soc/codecs/wm5110.c | 8 +- sound/soc/sh/rcar/core.c | 14 -- sound/soc/sh/rcar/rsnd.h | 1 - sound/soc/sh/rcar/src.c | 116 +++++++++++--- sound/soc/soc-ops.c | 15 +- sound/soc/sof/intel/hda-codec.c | 1 + 225 files changed, 2538 insertions(+), 1522 deletions(-)

2 months, 2 weeks

9
9
0 0

[PATCH] drm/xe: Invalidate L3 read-only cachelines for geometry streams too

by Kenneth Graunke

Historically, the Vertex Fetcher unit has not been an L3 client. That meant that, when a buffer containing vertex data was written to, it was necessary to issue a PIPE_CONTROL::VF Cache Invalidate to invalidate any VF L2 cachelines associated with that buffer, so the new value would be properly read from memory. Since Tigerlake and later, VERTEX_BUFFER_STATE and 3DSTATE_INDEX_BUFFER have included an "L3 Bypass Enable" bit which userspace drivers can set to request that the vertex fetcher unit snoop L3. However, unlike most true L3 clients, the "VF Cache Invalidate" bit continues to only invalidate the VF L2 cache - and not any associated L3 lines. To handle that, PIPE_CONTROL has a new "L3 Read Only Cache Invalidation Bit", which according to the docs, "controls the invalidation of the Geometry streams cached in L3 cache at the top of the pipe." In other words, the vertex and index buffer data that gets cached in L3 when "L3 Bypass Disable" is set. Mesa always sets L3 Bypass Disable so that the VF unit snoops L3, and whenever it issues a VF Cache Invalidate, it also issues a L3 Read Only Cache Invalidate so that both L2 and L3 vertex data is invalidated. xe is issuing VF cache invalidates too (which handles cases like CPU writes to a buffer between GPU batches). Because userspace may enable L3 snooping, it needs to issue an L3 Read Only Cache Invalidate as well. Fixes significant flickering in Firefox on Meteorlake, which was writing to vertex buffers via the CPU between batches; the missing L3 Read Only invalidates were causing the vertex fetcher to read stale data from L3. References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/4460 Cc: stable(a)vger.kernel.org # v6.13+ --- drivers/gpu/drm/xe/instructions/xe_gpu_commands.h | 1 + drivers/gpu/drm/xe/xe_ring_ops.c | 13 +++++++++---- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/xe/instructions/xe_gpu_commands.h b/drivers/gpu/drm/xe/instructions/xe_gpu_commands.h index a255946b6f77e..8cfcd3360896c 100644 --- a/drivers/gpu/drm/xe/instructions/xe_gpu_commands.h +++ b/drivers/gpu/drm/xe/instructions/xe_gpu_commands.h @@ -41,6 +41,7 @@ #define GFX_OP_PIPE_CONTROL(len) ((0x3<<29)|(0x3<<27)|(0x2<<24)|((len)-2)) +#define PIPE_CONTROL0_L3_READ_ONLY_CACHE_INVALIDATE BIT(10) /* gen12 */ #define PIPE_CONTROL0_HDC_PIPELINE_FLUSH BIT(9) /* gen12 */ #define PIPE_CONTROL_COMMAND_CACHE_INVALIDATE (1<<29) diff --git a/drivers/gpu/drm/xe/xe_ring_ops.c b/drivers/gpu/drm/xe/xe_ring_ops.c index 0c230ee53bba5..9d8901a33205a 100644 --- a/drivers/gpu/drm/xe/xe_ring_ops.c +++ b/drivers/gpu/drm/xe/xe_ring_ops.c @@ -141,7 +141,8 @@ emit_pipe_control(u32 *dw, int i, u32 bit_group_0, u32 bit_group_1, u32 offset, static int emit_pipe_invalidate(u32 mask_flags, bool invalidate_tlb, u32 *dw, int i) { - u32 flags = PIPE_CONTROL_CS_STALL | + u32 flags0 = 0; + u32 flags1 = PIPE_CONTROL_CS_STALL | PIPE_CONTROL_COMMAND_CACHE_INVALIDATE | PIPE_CONTROL_INSTRUCTION_CACHE_INVALIDATE | PIPE_CONTROL_TEXTURE_CACHE_INVALIDATE | @@ -152,11 +153,15 @@ static int emit_pipe_invalidate(u32 mask_flags, bool invalidate_tlb, u32 *dw, PIPE_CONTROL_STORE_DATA_INDEX; if (invalidate_tlb) - flags |= PIPE_CONTROL_TLB_INVALIDATE; + flags1 |= PIPE_CONTROL_TLB_INVALIDATE; - flags &= ~mask_flags; + flags1 &= ~mask_flags; - return emit_pipe_control(dw, i, 0, flags, LRC_PPHWSP_FLUSH_INVAL_SCRATCH_ADDR, 0); + if (flags1 & PIPE_CONTROL_VF_CACHE_INVALIDATE) + flags0 |= PIPE_CONTROL0_L3_READ_ONLY_CACHE_INVALIDATE; + + return emit_pipe_control(dw, i, flags0, flags1, + LRC_PPHWSP_FLUSH_INVAL_SCRATCH_ADDR, 0); } static int emit_store_imm_ppgtt_posted(u64 addr, u64 value, -- 2.48.1

2 months, 3 weeks

3
5
0 0

Linux 6.13.9

by Greg Kroah-Hartman

I'm announcing the release of the 6.13.9 kernel. All users of the 6.13 kernel series must upgrade. The updated 6.13.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.13.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/net/can/renesas,rcar-canfd.yaml | 2 Makefile | 2 arch/arm/boot/dts/broadcom/bcm2711-rpi.dtsi | 5 arch/arm/boot/dts/broadcom/bcm2711.dtsi | 12 arch/arm/boot/dts/broadcom/bcm4709-asus-rt-ac3200.dts | 8 arch/arm/boot/dts/broadcom/bcm47094-asus-rt-ac5300.dts | 8 arch/arm/boot/dts/nxp/imx/imx6qdl-apalis.dtsi | 10 arch/arm/mach-davinci/Kconfig | 1 arch/arm/mach-omap1/Kconfig | 1 arch/arm/mach-shmobile/headsmp.S | 1 arch/arm64/boot/dts/broadcom/bcm2712.dtsi | 2 arch/arm64/boot/dts/freescale/imx8mm-verdin-dahlia.dtsi | 6 arch/arm64/boot/dts/freescale/imx8mp-tqma8mpql.dtsi | 16 arch/arm64/boot/dts/freescale/imx8mp-verdin-dahlia.dtsi | 6 arch/arm64/boot/dts/qcom/sdm845.dtsi | 1 arch/arm64/boot/dts/rockchip/px30-ringneck-haikou.dts | 12 arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dtsi | 2 arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi | 12 arch/arm64/boot/dts/rockchip/rk3566-lubancat-1.dts | 1 arch/arm64/boot/dts/rockchip/rk3588-jaguar.dts | 1 arch/arm64/boot/dts/rockchip/rk3588-tiger.dtsi | 1 arch/arm64/include/asm/kvm_host.h | 25 arch/arm64/kernel/fpsimd.c | 25 arch/arm64/kvm/arm.c | 9 arch/arm64/kvm/fpsimd.c | 100 - arch/arm64/kvm/hyp/entry.S | 5 arch/arm64/kvm/hyp/include/hyp/switch.h | 133 + arch/arm64/kvm/hyp/nvhe/hyp-main.c | 11 arch/arm64/kvm/hyp/nvhe/pkvm.c | 30 arch/arm64/kvm/hyp/nvhe/switch.c | 134 + arch/arm64/kvm/hyp/vhe/switch.c | 21 arch/riscv/boot/dts/starfive/jh7110-pinfunc.h | 2 drivers/accel/qaic/qaic_data.c | 9 drivers/ata/libata-core.c | 14 drivers/dpll/dpll_core.c | 2 drivers/firmware/efi/libstub/randomalloc.c | 4 drivers/firmware/imx/imx-scu.c | 1 drivers/firmware/qcom/qcom_qseecom_uefisecapp.c | 18 drivers/firmware/qcom/qcom_scm.c | 4 drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c | 2 drivers/gpu/drm/amd/amdgpu/gmc_v12_0.c | 22 drivers/gpu/drm/amd/amdgpu/nv.c | 20 drivers/gpu/drm/amd/amdgpu/soc15.c | 21 drivers/gpu/drm/amd/amdgpu/vi.c | 43 drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler.h | 677 +++++----- drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler_gfx12.asm | 82 - drivers/gpu/drm/amd/amdkfd/kfd_queue.c | 12 drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 8 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 2 drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c | 11 drivers/gpu/drm/amd/pm/amdgpu_pm.c | 2 drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 94 - drivers/gpu/drm/radeon/radeon_vce.c | 2 drivers/gpu/drm/scheduler/sched_entity.c | 11 drivers/gpu/drm/v3d/v3d_sched.c | 9 drivers/gpu/drm/xe/xe_bo.h | 2 drivers/gpu/drm/xe/xe_dma_buf.c | 2 drivers/gpu/host1x/dev.c | 6 drivers/i2c/busses/i2c-omap.c | 26 drivers/infiniband/hw/bnxt_re/qplib_fp.c | 2 drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 3 drivers/infiniband/hw/hns/hns_roce_alloc.c | 4 drivers/infiniband/hw/hns/hns_roce_cq.c | 1 drivers/infiniband/hw/hns/hns_roce_hem.c | 16 drivers/infiniband/hw/hns/hns_roce_main.c | 2 drivers/infiniband/hw/hns/hns_roce_qp.c | 20 drivers/infiniband/hw/mlx5/ah.c | 14 drivers/infiniband/sw/rxe/rxe.c | 25 drivers/media/dvb-frontends/rtl2832_sdr.c | 2 drivers/mmc/host/atmel-mci.c | 4 drivers/mmc/host/sdhci-brcmstb.c | 10 drivers/net/can/flexcan/flexcan-core.c | 18 drivers/net/can/rcar/rcar_canfd.c | 28 drivers/net/can/usb/ucan.c | 43 drivers/net/ethernet/microsoft/mana/gdma_main.c | 14 drivers/net/ethernet/ti/am65-cpsw-nuss.c | 32 drivers/net/ethernet/ti/icssg/icssg_prueth.c | 1 drivers/net/ethernet/ti/icssg/icssg_prueth.h | 2 drivers/net/ethernet/ti/icssg/icssg_stats.c | 4 drivers/net/phy/phy_link_topology.c | 2 drivers/pmdomain/amlogic/meson-secure-pwrc.c | 2 drivers/regulator/core.c | 12 drivers/regulator/dummy.c | 2 drivers/reset/reset-microchip-sparx5.c | 19 drivers/soc/hisilicon/kunpeng_hccs.c | 4 drivers/soc/imx/soc-imx8m.c | 26 drivers/soc/qcom/pdr_interface.c | 8 fs/libfs.c | 2 fs/netfs/write_collect.c | 3 fs/proc/generic.c | 10 fs/proc/inode.c | 6 fs/proc/internal.h | 14 fs/smb/server/smbacl.c | 5 include/linux/key.h | 1 include/linux/libata.h | 2 include/linux/proc_fs.h | 7 include/net/bluetooth/hci.h | 2 include/net/mana/gdma.h | 11 io_uring/net.c | 5 kernel/dma/direct.c | 28 kernel/sched/core.c | 21 kernel/trace/trace_fprobe.c | 30 mm/filemap.c | 13 mm/huge_memory.c | 2 mm/memcontrol.c | 9 mm/migrate.c | 10 mm/page_alloc.c | 14 net/atm/lec.c | 3 net/batman-adv/bat_iv_ogm.c | 3 net/batman-adv/bat_v_ogm.c | 3 net/bluetooth/6lowpan.c | 7 net/core/lwtunnel.c | 65 net/core/neighbour.c | 1 net/devlink/core.c | 2 net/ipv6/addrconf.c | 15 net/ipv6/ioam6_iptunnel.c | 8 net/ipv6/route.c | 5 net/ipv6/tcpv6_offload.c | 21 net/mptcp/options.c | 6 net/xdp/xsk_buff_pool.c | 2 net/xfrm/xfrm_output.c | 43 security/keys/gc.c | 4 security/keys/key.c | 2 tools/testing/selftests/mm/run_vmtests.sh | 4 124 files changed, 1323 insertions(+), 1097 deletions(-) Alex Deucher (1): drm/amdgpu/pm: wire up hwmon fan speed for smu 14.0.2 Alexander Stein (1): arm64: dts: freescale: tqma8mpql: Fix vqmmc-supply Alexandre Cassen (1): xfrm: fix tunnel mode TX datapath in packet offload mode Andreas Kemnade (1): i2c: omap: fix IRQ storms Ard Biesheuvel (1): efi/libstub: Avoid physical address 0x0 when doing random allocation Arkadiusz Bokowy (1): Bluetooth: hci_event: Fix connection regression between LE and non-LE adapters Arnd Bergmann (1): ARM: OMAP1: select CONFIG_GENERIC_IRQ_CHIP Arthur Mongodin (1): mptcp: Fix data stream corruption in the address announcement Baochen Qiang (1): dma-mapping: fix missing clear bdr in check_ram_in_range_map() Biju Das (2): dt-bindings: can: renesas,rcar-canfd: Fix typo in pattern properties for R-Car V4M can: rcar_canfd: Fix page entries in the AFL list Chester A. Unal (2): ARM: dts: BCM5301X: Fix switch port labels of ASUS RT-AC5300 ARM: dts: BCM5301X: Fix switch port labels of ASUS RT-AC3200 Christian Eggers (2): regulator: dummy: force synchronous probing regulator: check that dummy regulator has been probed before using it Cosmin Ratiu (1): xfrm_output: Force software GSO only in tunnel mode Dan Carpenter (4): firmware: qcom: scm: Fix error code in probe() Bluetooth: Fix error code in chan_alloc_skb_cb() net: atm: fix use after free in lec_send() accel/qaic: Fix integer overflow in qaic_validate_req() David Belanger (1): drm/amdgpu: Restore uncached behaviour on GFX12 David Howells (1): keys: Fix UAF in key_put() David Lechner (1): ARM: davinci: da850: fix selecting ARCH_DAVINCI_DA8XX David Rosca (3): drm/amdgpu: Remove JPEG from vega and carrizo video caps drm/amdgpu: Fix MPEG2, MPEG4 and VC1 video caps max size drm/amdgpu: Fix JPEG video caps max size for navi1x and raven Dietmar Eggemann (1): Revert "sched/core: Reduce cost of sched_move_task when config autogroup" Dragan Simic (1): arm64: dts: rockchip: Add avdd HDMI supplies to RockPro64 board dtsi E Shattow (1): riscv: dts: starfive: Fix a typo in StarFive JH7110 pin function definitions Felix Fietkau (1): net: ipv6: fix TCP GSO segmentation with NAT Fuad Tabba (1): KVM: arm64: Calculate cptr_el2 traps on activating traps Gavrilov Ilia (1): xsk: fix an integer overflow in xp_create_and_assign_umem() Geert Uytterhoeven (1): ARM: shmobile: smp: Enforce shmobile_smp_* alignment Greg Kroah-Hartman (1): Linux 6.13.9 Gu Bowen (1): mmc: atmel-mci: Add missing clk_disable_unprepare() Guillaume Nault (1): Revert "gre: Fix IPv6 link-local address generation." Haibo Chen (2): can: flexcan: only change CAN state when link up in system PM can: flexcan: disable transceiver during system PM Haiyang Zhang (1): net: mana: Support holes in device list reply msg Hans Verkuil (1): media: rtl2832_sdr: assign vb2 lock before vb2_queue_init Harish Kasiviswanathan (1): drm/amd/pm: add unique_id for gfx12 Heiko Stuebner (2): arm64: dts: rockchip: remove supports-cqe from rk3588 jaguar arm64: dts: rockchip: remove supports-cqe from rk3588 tiger Horatiu Vultur (1): reset: mchp: sparx5: Fix for lan966x Huisong Li (1): soc: hisilicon: kunpeng_hccs: Fix incorrect string assembly Jason Gunthorpe (1): gpu: host1x: Do not assume that a NULL domain means no DMA IOMMU Jay Cornwall (1): drm/amdkfd: Fix instruction hazard in gfx12 trap handler Jeffrey Hugo (1): accel/qaic: Fix possible data corruption in BOs > 2G Jens Axboe (1): io_uring/net: don't clear REQ_F_NEED_CLEANUP unconditionally Joe Hattori (1): firmware: imx-scu: fix OF node leak in .probe() Johan Hovold (1): firmware: qcom: uefisecapp: fix efivars registration race Junxian Huang (6): RDMA/hns: Fix soft lockup during bt pages loop RDMA/hns: Fix unmatched condition in error path of alloc_user_qp_db() RDMA/hns: Fix invalid sq params not being blocked RDMA/hns: Fix a missing rollback in error path of hns_roce_create_qp_common() RDMA/hns: Fix missing xa_destroy() RDMA/hns: Fix wrong value of max_sge_rd Justin Iurman (2): net: lwtunnel: fix recursion loops net: ipv6: ioam6: fix lwtunnel_output() loop Justin Klaassen (1): arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S Kamal Dasu (1): mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops Kashyap Desai (1): RDMA/bnxt_re: Add missing paranthesis in map_qp_id_to_tbl_indx Kirill A. Shutemov (1): mm/page_alloc: fix memory accept before watermarks gets initialized Konrad Dybcio (1): Revert "arm64: dts: qcom: sdm845: Affirm IDR0.CCTW on apps_smmu" Kuniyuki Iwashima (2): ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw(). ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create(). Lin Ma (1): net/neighbor: add missing policy for NDTPA_QUEUE_LENBYTES MD Danish Anwar (1): net: ti: icssg-prueth: Add lock to stats Mario Limonciello (1): drm/amd/display: Use HW lock mgr for PSR1 when only one eDP Mark Rutland (7): KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state KVM: arm64: Remove host FPSIMD saving for non-protected KVM KVM: arm64: Remove VHE host restore of CPACR_EL1.ZEN KVM: arm64: Remove VHE host restore of CPACR_EL1.SMEN KVM: arm64: Refactor exit handlers KVM: arm64: Mark some header functions as inline KVM: arm64: Eagerly switch ZCR_EL{1,2} Masami Hiramatsu (Google) (2): tracing: tprobe-events: Fix to clean up tprobe correctly when module unload tracing: tprobe-events: Fix leakage of module refcount Max Kellermann (1): netfs: Call `invalidate_cache` only if implemented Maíra Canal (1): drm/v3d: Don't run jobs that have errors flagged in its fence Michal Swiatkowski (3): devlink: fix xa_alloc_cyclic() error handling dpll: fix xa_alloc_cyclic() error handling phy: fix xa_alloc_cyclic() error handling Namjae Jeon (1): ksmbd: fix incorrect validation for num_aces field of smb_acl Nikita Zhandarovich (1): drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() Niklas Cassel (1): ata: libata-core: Add ATA_QUIRK_NO_LPM_ON_ATI for certain Samsung SSDs Pavel Begunkov (1): io_uring/net: fix sendzc double notif flush Peng Fan (1): soc: imx8m: Unregister cpufreq and soc dev in cleanup path Phil Elwell (3): ARM: dts: bcm2711: PL011 UARTs are actually r1p5 arm64: dts: bcm2712: PL011 UARTs are actually r1p5 ARM: dts: bcm2711: Don't mark timer regs unconfigured Philip Yang (1): drm/amdkfd: Fix user queue validation on Gfx7/8 Qasim Ijaz (1): RDMA/mlx5: Handle errors returned from mlx5r_ib_rate() Quentin Schulz (2): arm64: dts: rockchip: fix pinmux of UART0 for PX30 Ringneck on Haikou arm64: dts: rockchip: fix pinmux of UART5 for PX30 Ringneck on Haikou Rafael Aquini (1): selftests/mm: run_vmtests.sh: fix half_ufd_size_MB calculation Raphael S. Carvalho (1): mm: fix error handling in __filemap_get_folio() with FGP_NOWAIT Saranya R (1): soc: qcom: pdr: Fix the potential deadlock Saravanan Vajravel (1): RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path Shakeel Butt (1): memcg: drain obj stock on cpu hotplug teardown Stefan Eichenberger (3): arm64: dts: freescale: imx8mp-verdin-dahlia: add Microphone Jack to sound card arm64: dts: freescale: imx8mm-verdin-dahlia: add Microphone Jack to sound card ARM: dts: imx6qdl-apalis: Fix poweroff on Apalis iMX6 Stefan Wahren (1): ARM: dts: bcm2711: Fix xHCI power-domain Sven Eckelmann (1): batman-adv: Ignore own maximum aggregation size during RX Tomasz Pakuła (1): drm/amdgpu/pm: Handle SCLK offset correctly in overdrive for smu 14.0.2 Tomasz Rusinowicz (1): drm/xe: Fix exporting xe buffers multiple times Vignesh Raghavendra (1): net: ethernet: ti: am65-cpsw: Fix NAPI registration sequence Vincent Mailhol (1): can: ucan: fix out of bound read in strscpy() source Wentao Liang (1): drm/amdgpu/gfx12: correct cleanup of 'me' field with gfx_v12_0_me_fini() Xianwei Zhao (1): pmdomain: amlogic: fix T7 ISP secpower Yao Zi (1): arm64: dts: rockchip: Remove undocumented sdmmc property from lubancat-1 Ye Bin (1): proc: fix UAF in proc_get_inode() Yilin Chen (1): drm/amd/display: Fix message for support_edp0_on_dp1 Yongjian Sun (1): libfs: Fix duplicate directory entry in offset_dir_lookup Zhu Yanjun (1): RDMA/rxe: Fix the failure of ibv_query_device() and ibv_query_device_ex() tests Zi Yan (2): mm/migrate: fix shmem xarray update during migration mm/huge_memory: drop beyond-EOF folios with the right number of refs qianyi liu (1): drm/sched: Fix fence reference count leak

2 months, 3 weeks

1
1
0 0

Linux 6.12.21

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.21 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/net/can/renesas,rcar-canfd.yaml | 2 Makefile | 2 arch/arm/boot/dts/broadcom/bcm2711-rpi.dtsi | 5 arch/arm/boot/dts/broadcom/bcm2711.dtsi | 12 arch/arm/boot/dts/broadcom/bcm4709-asus-rt-ac3200.dts | 8 arch/arm/boot/dts/broadcom/bcm47094-asus-rt-ac5300.dts | 8 arch/arm/boot/dts/nxp/imx/imx6qdl-apalis.dtsi | 10 arch/arm/mach-davinci/Kconfig | 1 arch/arm/mach-omap1/Kconfig | 1 arch/arm/mach-shmobile/headsmp.S | 1 arch/arm64/boot/dts/broadcom/bcm2712.dtsi | 2 arch/arm64/boot/dts/freescale/imx8mm-verdin-dahlia.dtsi | 6 arch/arm64/boot/dts/freescale/imx8mp-tqma8mpql.dtsi | 16 - arch/arm64/boot/dts/freescale/imx8mp-verdin-dahlia.dtsi | 6 arch/arm64/boot/dts/rockchip/px30-ringneck-haikou.dts | 12 arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dts | 2 arch/arm64/boot/dts/rockchip/rk3566-lubancat-1.dts | 1 arch/arm64/boot/dts/rockchip/rk3588-jaguar.dts | 1 arch/arm64/boot/dts/rockchip/rk3588-tiger.dtsi | 1 arch/arm64/include/asm/kvm_host.h | 25 - arch/arm64/kernel/fpsimd.c | 25 - arch/arm64/kvm/arm.c | 9 arch/arm64/kvm/fpsimd.c | 100 ------ arch/arm64/kvm/hyp/entry.S | 5 arch/arm64/kvm/hyp/include/hyp/switch.h | 133 ++++++-- arch/arm64/kvm/hyp/nvhe/hyp-main.c | 11 arch/arm64/kvm/hyp/nvhe/pkvm.c | 29 - arch/arm64/kvm/hyp/nvhe/switch.c | 134 ++++---- arch/arm64/kvm/hyp/vhe/switch.c | 21 - arch/riscv/boot/dts/starfive/jh7110-pinfunc.h | 2 drivers/accel/qaic/qaic_data.c | 9 drivers/ata/libata-core.c | 14 drivers/dpll/dpll_core.c | 2 drivers/firmware/efi/libstub/randomalloc.c | 4 drivers/firmware/imx/imx-scu.c | 1 drivers/firmware/qcom/qcom_qseecom_uefisecapp.c | 18 - drivers/firmware/qcom/qcom_scm.c | 4 drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c | 2 drivers/gpu/drm/amd/amdgpu/gmc_v12_0.c | 22 - drivers/gpu/drm/amd/amdgpu/nv.c | 20 - drivers/gpu/drm/amd/amdgpu/soc15.c | 21 - drivers/gpu/drm/amd/amdgpu/vi.c | 43 +- drivers/gpu/drm/amd/amdkfd/kfd_queue.c | 12 drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 8 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 2 drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c | 11 drivers/gpu/drm/amd/pm/amdgpu_pm.c | 2 drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 94 +++--- drivers/gpu/drm/radeon/radeon_vce.c | 2 drivers/gpu/drm/scheduler/sched_entity.c | 11 drivers/gpu/drm/v3d/v3d_sched.c | 9 drivers/gpu/drm/xe/xe_bo.h | 2 drivers/gpu/drm/xe/xe_dma_buf.c | 2 drivers/gpu/host1x/dev.c | 6 drivers/i2c/busses/i2c-omap.c | 26 - drivers/infiniband/hw/bnxt_re/qplib_fp.c | 2 drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 3 drivers/infiniband/hw/hns/hns_roce_alloc.c | 4 drivers/infiniband/hw/hns/hns_roce_cq.c | 1 drivers/infiniband/hw/hns/hns_roce_hem.c | 16 + drivers/infiniband/hw/hns/hns_roce_main.c | 2 drivers/infiniband/hw/hns/hns_roce_qp.c | 20 - drivers/infiniband/hw/mlx5/ah.c | 14 drivers/infiniband/sw/rxe/rxe.c | 25 - drivers/mmc/host/atmel-mci.c | 4 drivers/mmc/host/sdhci-brcmstb.c | 10 drivers/net/can/flexcan/flexcan-core.c | 18 + drivers/net/can/rcar/rcar_canfd.c | 28 - drivers/net/can/usb/ucan.c | 43 +- drivers/net/ethernet/microsoft/mana/gdma_main.c | 14 drivers/net/ethernet/ti/am65-cpsw-nuss.c | 32 +- drivers/net/ethernet/ti/icssg/icssg_prueth.c | 1 drivers/net/ethernet/ti/icssg/icssg_prueth.h | 2 drivers/net/ethernet/ti/icssg/icssg_stats.c | 4 drivers/net/phy/phy_link_topology.c | 2 drivers/pmdomain/amlogic/meson-secure-pwrc.c | 2 drivers/regulator/core.c | 12 drivers/regulator/dummy.c | 2 drivers/soc/imx/soc-imx8m.c | 149 ++++------ drivers/soc/qcom/pdr_interface.c | 8 fs/libfs.c | 2 fs/netfs/write_collect.c | 3 fs/proc/generic.c | 10 fs/proc/inode.c | 6 fs/proc/internal.h | 14 fs/smb/server/smbacl.c | 5 include/linux/key.h | 1 include/linux/libata.h | 2 include/linux/proc_fs.h | 7 include/net/bluetooth/hci.h | 2 include/net/mana/gdma.h | 11 io_uring/net.c | 5 kernel/dma/direct.c | 28 + kernel/sched/core.c | 21 - kernel/trace/trace_fprobe.c | 30 -- mm/filemap.c | 13 mm/huge_memory.c | 2 mm/memcontrol.c | 9 mm/migrate.c | 10 mm/page_alloc.c | 14 net/atm/lec.c | 3 net/batman-adv/bat_iv_ogm.c | 3 net/batman-adv/bat_v_ogm.c | 3 net/bluetooth/6lowpan.c | 7 net/core/lwtunnel.c | 65 +++- net/core/neighbour.c | 1 net/devlink/core.c | 2 net/ipv6/addrconf.c | 15 - net/ipv6/ioam6_iptunnel.c | 8 net/ipv6/route.c | 5 net/ipv6/tcpv6_offload.c | 21 + net/mptcp/options.c | 6 net/xdp/xsk_buff_pool.c | 2 net/xfrm/xfrm_output.c | 43 ++ security/keys/gc.c | 4 security/keys/key.c | 2 tools/lib/subcmd/parse-options.c | 2 tools/testing/selftests/mm/run_vmtests.sh | 4 118 files changed, 935 insertions(+), 812 deletions(-) Alex Deucher (1): drm/amdgpu/pm: wire up hwmon fan speed for smu 14.0.2 Alexander Stein (1): arm64: dts: freescale: tqma8mpql: Fix vqmmc-supply Alexandre Cassen (1): xfrm: fix tunnel mode TX datapath in packet offload mode Andreas Kemnade (1): i2c: omap: fix IRQ storms Ard Biesheuvel (1): efi/libstub: Avoid physical address 0x0 when doing random allocation Arkadiusz Bokowy (1): Bluetooth: hci_event: Fix connection regression between LE and non-LE adapters Arnd Bergmann (1): ARM: OMAP1: select CONFIG_GENERIC_IRQ_CHIP Arthur Mongodin (1): mptcp: Fix data stream corruption in the address announcement Baochen Qiang (1): dma-mapping: fix missing clear bdr in check_ram_in_range_map() Biju Das (2): dt-bindings: can: renesas,rcar-canfd: Fix typo in pattern properties for R-Car V4M can: rcar_canfd: Fix page entries in the AFL list Chester A. Unal (2): ARM: dts: BCM5301X: Fix switch port labels of ASUS RT-AC5300 ARM: dts: BCM5301X: Fix switch port labels of ASUS RT-AC3200 Christian Eggers (2): regulator: dummy: force synchronous probing regulator: check that dummy regulator has been probed before using it Cosmin Ratiu (1): xfrm_output: Force software GSO only in tunnel mode Dan Carpenter (4): firmware: qcom: scm: Fix error code in probe() Bluetooth: Fix error code in chan_alloc_skb_cb() net: atm: fix use after free in lec_send() accel/qaic: Fix integer overflow in qaic_validate_req() David Belanger (1): drm/amdgpu: Restore uncached behaviour on GFX12 David Howells (1): keys: Fix UAF in key_put() David Lechner (1): ARM: davinci: da850: fix selecting ARCH_DAVINCI_DA8XX David Rosca (3): drm/amdgpu: Remove JPEG from vega and carrizo video caps drm/amdgpu: Fix MPEG2, MPEG4 and VC1 video caps max size drm/amdgpu: Fix JPEG video caps max size for navi1x and raven Dietmar Eggemann (1): Revert "sched/core: Reduce cost of sched_move_task when config autogroup" E Shattow (1): riscv: dts: starfive: Fix a typo in StarFive JH7110 pin function definitions Eder Zulian (1): libsubcmd: Silence compiler warning Felix Fietkau (1): net: ipv6: fix TCP GSO segmentation with NAT Fuad Tabba (1): KVM: arm64: Calculate cptr_el2 traps on activating traps Gavrilov Ilia (1): xsk: fix an integer overflow in xp_create_and_assign_umem() Geert Uytterhoeven (1): ARM: shmobile: smp: Enforce shmobile_smp_* alignment Greg Kroah-Hartman (1): Linux 6.12.21 Gu Bowen (1): mmc: atmel-mci: Add missing clk_disable_unprepare() Guillaume Nault (1): Revert "gre: Fix IPv6 link-local address generation." Haibo Chen (2): can: flexcan: only change CAN state when link up in system PM can: flexcan: disable transceiver during system PM Haiyang Zhang (1): net: mana: Support holes in device list reply msg Harish Kasiviswanathan (1): drm/amd/pm: add unique_id for gfx12 Heiko Stuebner (2): arm64: dts: rockchip: remove supports-cqe from rk3588 jaguar arm64: dts: rockchip: remove supports-cqe from rk3588 tiger Jason Gunthorpe (1): gpu: host1x: Do not assume that a NULL domain means no DMA IOMMU Jeffrey Hugo (1): accel/qaic: Fix possible data corruption in BOs > 2G Jens Axboe (1): io_uring/net: don't clear REQ_F_NEED_CLEANUP unconditionally Joe Hattori (1): firmware: imx-scu: fix OF node leak in .probe() Johan Hovold (1): firmware: qcom: uefisecapp: fix efivars registration race Junxian Huang (6): RDMA/hns: Fix soft lockup during bt pages loop RDMA/hns: Fix unmatched condition in error path of alloc_user_qp_db() RDMA/hns: Fix invalid sq params not being blocked RDMA/hns: Fix a missing rollback in error path of hns_roce_create_qp_common() RDMA/hns: Fix missing xa_destroy() RDMA/hns: Fix wrong value of max_sge_rd Justin Iurman (2): net: lwtunnel: fix recursion loops net: ipv6: ioam6: fix lwtunnel_output() loop Justin Klaassen (1): arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S Kamal Dasu (1): mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops Kashyap Desai (1): RDMA/bnxt_re: Add missing paranthesis in map_qp_id_to_tbl_indx Kirill A. Shutemov (1): mm/page_alloc: fix memory accept before watermarks gets initialized Kuniyuki Iwashima (2): ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw(). ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create(). Lin Ma (1): net/neighbor: add missing policy for NDTPA_QUEUE_LENBYTES MD Danish Anwar (1): net: ti: icssg-prueth: Add lock to stats Marek Vasut (2): soc: imx8m: Remove global soc_uid soc: imx8m: Use devm_* to simplify probe failure handling Mario Limonciello (1): drm/amd/display: Use HW lock mgr for PSR1 when only one eDP Mark Rutland (7): KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state KVM: arm64: Remove host FPSIMD saving for non-protected KVM KVM: arm64: Remove VHE host restore of CPACR_EL1.ZEN KVM: arm64: Remove VHE host restore of CPACR_EL1.SMEN KVM: arm64: Refactor exit handlers KVM: arm64: Mark some header functions as inline KVM: arm64: Eagerly switch ZCR_EL{1,2} Masami Hiramatsu (Google) (2): tracing: tprobe-events: Fix to clean up tprobe correctly when module unload tracing: tprobe-events: Fix leakage of module refcount Max Kellermann (1): netfs: Call `invalidate_cache` only if implemented Maíra Canal (1): drm/v3d: Don't run jobs that have errors flagged in its fence Michal Swiatkowski (3): devlink: fix xa_alloc_cyclic() error handling dpll: fix xa_alloc_cyclic() error handling phy: fix xa_alloc_cyclic() error handling Namjae Jeon (1): ksmbd: fix incorrect validation for num_aces field of smb_acl Nikita Zhandarovich (1): drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() Niklas Cassel (1): ata: libata-core: Add ATA_QUIRK_NO_LPM_ON_ATI for certain Samsung SSDs Pavel Begunkov (1): io_uring/net: fix sendzc double notif flush Peng Fan (1): soc: imx8m: Unregister cpufreq and soc dev in cleanup path Phil Elwell (3): ARM: dts: bcm2711: PL011 UARTs are actually r1p5 arm64: dts: bcm2712: PL011 UARTs are actually r1p5 ARM: dts: bcm2711: Don't mark timer regs unconfigured Philip Yang (1): drm/amdkfd: Fix user queue validation on Gfx7/8 Qasim Ijaz (1): RDMA/mlx5: Handle errors returned from mlx5r_ib_rate() Quentin Schulz (2): arm64: dts: rockchip: fix pinmux of UART0 for PX30 Ringneck on Haikou arm64: dts: rockchip: fix pinmux of UART5 for PX30 Ringneck on Haikou Rafael Aquini (1): selftests/mm: run_vmtests.sh: fix half_ufd_size_MB calculation Raphael S. Carvalho (1): mm: fix error handling in __filemap_get_folio() with FGP_NOWAIT Saranya R (1): soc: qcom: pdr: Fix the potential deadlock Saravanan Vajravel (1): RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path Shakeel Butt (1): memcg: drain obj stock on cpu hotplug teardown Stefan Eichenberger (3): arm64: dts: freescale: imx8mp-verdin-dahlia: add Microphone Jack to sound card arm64: dts: freescale: imx8mm-verdin-dahlia: add Microphone Jack to sound card ARM: dts: imx6qdl-apalis: Fix poweroff on Apalis iMX6 Stefan Wahren (1): ARM: dts: bcm2711: Fix xHCI power-domain Sven Eckelmann (1): batman-adv: Ignore own maximum aggregation size during RX Tomasz Pakuła (1): drm/amdgpu/pm: Handle SCLK offset correctly in overdrive for smu 14.0.2 Tomasz Rusinowicz (1): drm/xe: Fix exporting xe buffers multiple times Vignesh Raghavendra (1): net: ethernet: ti: am65-cpsw: Fix NAPI registration sequence Vincent Mailhol (1): can: ucan: fix out of bound read in strscpy() source Wentao Liang (1): drm/amdgpu/gfx12: correct cleanup of 'me' field with gfx_v12_0_me_fini() Xianwei Zhao (1): pmdomain: amlogic: fix T7 ISP secpower Yao Zi (1): arm64: dts: rockchip: Remove undocumented sdmmc property from lubancat-1 Ye Bin (1): proc: fix UAF in proc_get_inode() Yilin Chen (1): drm/amd/display: Fix message for support_edp0_on_dp1 Yongjian Sun (1): libfs: Fix duplicate directory entry in offset_dir_lookup Zhu Yanjun (1): RDMA/rxe: Fix the failure of ibv_query_device() and ibv_query_device_ex() tests Zi Yan (2): mm/migrate: fix shmem xarray update during migration mm/huge_memory: drop beyond-EOF folios with the right number of refs qianyi liu (1): drm/sched: Fix fence reference count leak

2 months, 3 weeks

1
1
0 0

Linux 6.1.132

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.132 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/timers/no_hz.rst | 7 Makefile | 13 arch/alpha/include/asm/elf.h | 6 arch/alpha/include/asm/pgtable.h | 2 arch/alpha/include/asm/processor.h | 8 arch/alpha/kernel/osf_sys.c | 11 arch/arm/boot/dts/bcm2711.dtsi | 11 arch/arm/mach-omap1/Kconfig | 1 arch/arm/mach-shmobile/headsmp.S | 1 arch/arm64/boot/dts/freescale/imx8mm-verdin-dahlia.dtsi | 6 arch/arm64/boot/dts/freescale/imx8mp-tqma8mpql.dtsi | 16 arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dts | 2 arch/arm64/mm/mmu.c | 5 arch/x86/events/intel/core.c | 85 ++++ arch/x86/kernel/cpu/microcode/amd.c | 2 arch/x86/kernel/cpu/mshyperv.c | 11 arch/x86/kernel/irq.c | 2 block/bfq-cgroup.c | 2 block/bio.c | 2 drivers/acpi/resource.c | 6 drivers/clk/samsung/clk-pll.c | 7 drivers/clocksource/i8253.c | 36 +- drivers/firmware/efi/libstub/randomalloc.c | 4 drivers/firmware/imx/imx-scu.c | 1 drivers/firmware/iscsi_ibft.c | 5 drivers/gpu/drm/amd/amdgpu/amdgpu_mn.c | 20 - drivers/gpu/drm/amd/amdgpu/nv.c | 2 drivers/gpu/drm/amd/amdgpu/soc15.c | 2 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 10 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c | 1 drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 7 drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c | 12 drivers/gpu/drm/display/drm_dp_mst_topology.c | 40 +- drivers/gpu/drm/drm_atomic_uapi.c | 4 drivers/gpu/drm/drm_connector.c | 4 drivers/gpu/drm/gma500/mid_bios.c | 5 drivers/gpu/drm/hyperv/hyperv_drm_drv.c | 2 drivers/gpu/drm/mediatek/mtk_drm_gem.c | 9 drivers/gpu/drm/mediatek/mtk_drm_plane.c | 13 drivers/gpu/drm/nouveau/nouveau_connector.c | 1 drivers/gpu/drm/radeon/radeon_vce.c | 2 drivers/gpu/drm/v3d/v3d_sched.c | 9 drivers/hid/hid-apple.c | 13 drivers/hid/hid-ids.h | 2 drivers/hid/hid-quirks.c | 1 drivers/hid/intel-ish-hid/ipc/ipc.c | 15 drivers/hid/intel-ish-hid/ishtp/ishtp-dev.h | 2 drivers/hv/vmbus_drv.c | 13 drivers/i2c/busses/i2c-ali1535.c | 12 drivers/i2c/busses/i2c-ali15x3.c | 12 drivers/i2c/busses/i2c-omap.c | 26 - drivers/i2c/busses/i2c-sis630.c | 12 drivers/infiniband/hw/bnxt_re/qplib_fp.c | 2 drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 3 drivers/infiniband/hw/hns/hns_roce_hem.c | 16 drivers/infiniband/hw/hns/hns_roce_main.c | 2 drivers/infiniband/hw/hns/hns_roce_qp.c | 10 drivers/input/serio/i8042-acpipnpio.h | 111 +++--- drivers/leds/leds-mlxreg.c | 16 drivers/media/platform/mediatek/vcodec/vdec/vdec_vp8_req_if.c | 10 drivers/mmc/host/atmel-mci.c | 4 drivers/mmc/host/sdhci-brcmstb.c | 10 drivers/net/bonding/bond_options.c | 55 ++- drivers/net/can/flexcan/flexcan-core.c | 18 - drivers/net/can/rcar/rcar_canfd.c | 28 - drivers/net/dsa/mv88e6xxx/chip.c | 59 ++- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 11 drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.h | 3 drivers/net/ethernet/intel/ice/ice_arfs.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c | 12 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 6 drivers/net/ethernet/mellanox/mlx5/core/lib/fs_chains.c | 5 drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 8 drivers/net/mctp/mctp-i2c.c | 5 drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 9 drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 28 + drivers/net/wireless/intel/iwlwifi/mvm/sta.h | 3 drivers/net/wwan/mhi_wwan_mbim.c | 2 drivers/nvme/host/core.c | 2 drivers/nvme/host/fc.c | 3 drivers/nvme/host/pci.c | 2 drivers/nvme/host/tcp.c | 43 ++ drivers/nvme/target/rdma.c | 33 + drivers/pinctrl/bcm/pinctrl-bcm281xx.c | 2 drivers/platform/x86/thinkpad_acpi.c | 50 ++ drivers/powercap/powercap_sys.c | 3 drivers/regulator/core.c | 12 drivers/s390/cio/chp.c | 3 drivers/scsi/qla1280.c | 2 drivers/scsi/scsi_scan.c | 2 drivers/soc/imx/soc-imx8m.c | 149 +++----- drivers/soc/qcom/pdr_interface.c | 8 drivers/thermal/cpufreq_cooling.c | 2 drivers/usb/serial/ftdi_sio.c | 14 drivers/usb/serial/ftdi_sio_ids.h | 13 drivers/usb/serial/option.c | 48 +- drivers/video/fbdev/hyperv_fb.c | 2 drivers/xen/swiotlb-xen.c | 2 fs/fuse/dir.c | 2 fs/namei.c | 24 + fs/ntfs3/attrib.c | 176 ++++++---- fs/ntfs3/file.c | 151 +------- fs/ntfs3/frecord.c | 2 fs/ntfs3/index.c | 4 fs/ntfs3/inode.c | 12 fs/ntfs3/ntfs_fs.h | 9 fs/ntfs3/super.c | 68 ++- fs/proc/base.c | 9 fs/proc/generic.c | 10 fs/proc/inode.c | 6 fs/proc/internal.h | 14 fs/select.c | 11 fs/smb/client/asn1.c | 2 fs/smb/client/cifs_spnego.c | 4 fs/smb/client/cifsglob.h | 4 fs/smb/client/connect.c | 16 fs/smb/client/fs_context.c | 14 fs/smb/client/ioctl.c | 6 fs/smb/client/sess.c | 3 fs/smb/client/smb2pdu.c | 4 fs/smb/server/smbacl.c | 5 fs/vboxsf/super.c | 3 fs/xfs/libxfs/xfs_ag.c | 45 +- fs/xfs/libxfs/xfs_ag.h | 3 fs/xfs/libxfs/xfs_alloc.c | 77 ++-- fs/xfs/libxfs/xfs_alloc.h | 24 - fs/xfs/libxfs/xfs_attr.c | 6 fs/xfs/libxfs/xfs_bmap.c | 121 +++--- fs/xfs/libxfs/xfs_bmap.h | 5 fs/xfs/libxfs/xfs_bmap_btree.c | 8 fs/xfs/libxfs/xfs_btree_staging.c | 4 fs/xfs/libxfs/xfs_btree_staging.h | 6 fs/xfs/libxfs/xfs_da_btree.c | 7 fs/xfs/libxfs/xfs_format.h | 2 fs/xfs/libxfs/xfs_ialloc.c | 24 - fs/xfs/libxfs/xfs_ialloc_btree.c | 6 fs/xfs/libxfs/xfs_log_recover.h | 22 + fs/xfs/libxfs/xfs_refcount.c | 116 +++--- fs/xfs/libxfs/xfs_refcount.h | 4 fs/xfs/libxfs/xfs_refcount_btree.c | 9 fs/xfs/libxfs/xfs_rtbitmap.c | 2 fs/xfs/libxfs/xfs_rtbitmap.h | 83 ++++ fs/xfs/libxfs/xfs_sb.c | 20 + fs/xfs/libxfs/xfs_sb.h | 2 fs/xfs/libxfs/xfs_types.h | 13 fs/xfs/scrub/repair.c | 3 fs/xfs/scrub/rtbitmap.c | 3 fs/xfs/xfs_attr_item.c | 16 fs/xfs/xfs_bmap_item.c | 85 +--- fs/xfs/xfs_buf.c | 44 ++ fs/xfs/xfs_buf.h | 1 fs/xfs/xfs_extfree_item.c | 144 ++++---- fs/xfs/xfs_fsmap.c | 2 fs/xfs/xfs_fsops.c | 5 fs/xfs/xfs_inode_item.c | 3 fs/xfs/xfs_refcount_item.c | 68 +-- fs/xfs/xfs_reflink.c | 7 fs/xfs/xfs_rmap_item.c | 6 fs/xfs/xfs_rtalloc.c | 14 fs/xfs/xfs_rtalloc.h | 73 ---- fs/xfs/xfs_trace.h | 15 include/linux/fs.h | 2 include/linux/i8253.h | 1 include/linux/io_uring_types.h | 5 include/linux/nvme-tcp.h | 2 include/linux/proc_fs.h | 7 include/net/bluetooth/hci_core.h | 108 ++---- include/sound/soc.h | 5 include/uapi/linux/io_uring.h | 1 init/Kconfig | 2 io_uring/io_uring.c | 163 +++++++-- io_uring/io_uring.h | 2 kernel/sched/core.c | 13 kernel/sys.c | 2 kernel/time/hrtimer.c | 40 -- lib/buildid.c | 5 mm/migrate.c | 16 mm/nommu.c | 7 net/atm/lec.c | 3 net/batman-adv/bat_iv_ogm.c | 3 net/batman-adv/bat_v_ogm.c | 3 net/bluetooth/6lowpan.c | 7 net/bluetooth/hci_core.c | 10 net/bluetooth/hci_event.c | 37 +- net/bluetooth/iso.c | 6 net/bluetooth/l2cap_core.c | 12 net/bluetooth/rfcomm/core.c | 6 net/bluetooth/sco.c | 12 net/core/lwtunnel.c | 65 +++ net/core/neighbour.c | 1 net/core/netpoll.c | 9 net/ipv4/tcp.c | 19 - net/ipv6/route.c | 5 net/mptcp/options.c | 6 net/mptcp/protocol.h | 2 net/netfilter/ipvs/ip_vs_ctl.c | 8 net/netfilter/nf_conncount.c | 6 net/netfilter/nft_counter.c | 90 ++--- net/netfilter/nft_ct.c | 6 net/netfilter/nft_exthdr.c | 10 net/openvswitch/flow_netlink.c | 15 net/sched/sch_api.c | 6 net/sched/sch_gred.c | 3 net/sctp/stream.c | 2 net/switchdev/switchdev.c | 25 + net/wireless/core.c | 7 net/xdp/xsk_buff_pool.c | 2 net/xfrm/xfrm_output.c | 2 rust/Makefile | 7 scripts/generate_rust_analyzer.py | 64 ++- sound/pci/hda/patch_realtek.c | 1 sound/soc/amd/yc/acp6x-mach.c | 7 sound/soc/codecs/arizona.c | 14 sound/soc/codecs/madera.c | 10 sound/soc/codecs/tas2764.c | 10 sound/soc/codecs/tas2764.h | 8 sound/soc/codecs/tas2770.c | 2 sound/soc/codecs/wm0010.c | 13 sound/soc/codecs/wm5110.c | 8 sound/soc/sh/rcar/core.c | 14 sound/soc/sh/rcar/rsnd.h | 1 sound/soc/sh/rcar/src.c | 116 +++++- sound/soc/soc-ops.c | 15 sound/soc/sof/intel/hda-codec.c | 1 225 files changed, 2536 insertions(+), 1520 deletions(-) Acs, Jakub (1): block, bfq: fix re-introduced UAF in bic_set_bfqq() Alex Henrie (2): HID: apple: fix up the F6 key on the Omoton KB066 keyboard HID: apple: disable Fn key handling on the Omoton KB066 Alex Hung (1): drm/amd/display: Assign normalized_pix_clk when color depth = 14 Alexander Stein (1): arm64: dts: freescale: tqma8mpql: Fix vqmmc-supply Alexey Kashavkin (1): netfilter: nft_exthdr: fix offset with ipv4_find_option() Amit Cohen (1): net: switchdev: Convert blocking notification chain to a raw one Andreas Kemnade (1): i2c: omap: fix IRQ storms Andrey Albershteyn (1): xfs: reset XFS_ATTR_INCOMPLETE filter on node removal Andrii Nakryiko (1): lib/buildid: Handle memfd_secret() files in build_id_parse() Andy Shevchenko (1): hrtimers: Mark is_migration_base() with __always_inline Ard Biesheuvel (1): efi/libstub: Avoid physical address 0x0 when doing random allocation Arnd Bergmann (2): x86/irq: Define trace events conditionally ARM: OMAP1: select CONFIG_GENERIC_IRQ_CHIP Arthur Mongodin (1): mptcp: Fix data stream corruption in the address announcement Artur Weber (1): pinctrl: bcm281xx: Fix incorrect regmap max_registers value Asahi Lina (1): scripts: generate_rust_analyzer: Handle sub-modules with no Makefile Benjamin Berg (1): wifi: iwlwifi: mvm: ensure offloading TID queue exists Biju Das (1): can: rcar_canfd: Fix page entries in the AFL list Boon Khai Ng (1): USB: serial: ftdi_sio: add support for Altera USB Blaster 3 Brahmajit Das (1): vboxsf: fix building with GCC 15 Breno Leitao (1): netpoll: hold rcu read lock in __netpoll_send_skb() Carolina Jubran (1): net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices Charles Keepax (1): ASoC: ops: Consistently treat platform_max as control value Chengen Du (1): iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() Chia-Lin Kao (AceLan) (1): HID: ignore non-functional sensor in HP 5MP Camera Christian Eggers (1): regulator: check that dummy regulator has been probed before using it Christoph Hellwig (1): xfs: consider minlen sized extents in xfs_rtallocate_extent_block Christophe JAILLET (4): ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe() i2c: ali1535: Fix an error handling path in ali1535_probe() i2c: ali15x3: Fix an error handling path in ali15x3_probe() i2c: sis630: Fix an error handling path in sis630_probe() Christopher Lentocha (1): nvme-pci: quirk Acer FA100 for non-uniqueue identifiers Cong Wang (1): net_sched: Prevent creation of classes with TC_H_ROOT Cosmin Ratiu (1): xfrm_output: Force software GSO only in tunnel mode Dan Carpenter (3): ipvs: prevent integer overflow in do_ip_vs_get_ctl() Bluetooth: Fix error code in chan_alloc_skb_cb() net: atm: fix use after free in lec_send() Daniel Lezcano (1): thermal/cpufreq_cooling: Remove structure member documentation Daniel Wagner (2): nvme-fc: go straight to connecting state when initializing nvme: only allow entering LIVE from CONNECTING state Darrick J. Wong (17): xfs: pass refcount intent directly through the log intent code xfs: pass xfs_extent_free_item directly through the log intent code xfs: fix confusing xfs_extent_item variable names xfs: pass the xfs_bmbt_irec directly through the log intent code xfs: pass per-ag references to xfs_free_extent xfs: reserve less log space when recovering log intent items xfs: move the xfs_rtbitmap.c declarations to xfs_rtbitmap.h xfs: convert rt bitmap extent lengths to xfs_rtbxlen_t xfs: don't leak recovered attri intent items xfs: make rextslog computation consistent with mkfs xfs: fix 32-bit truncation in xfs_compute_rextslog xfs: don't allow overly small or large realtime volumes xfs: remove unused fields from struct xbtree_ifakeroot xfs: recompute growfsrtfree transaction reservation while growing rt volume xfs: force all buffers to be written during btree bulk load xfs: remove conditional building of rt geometry validator functions xfs: give xfs_extfree_intent its own perag reference Dave Chinner (4): xfs: validate block number being freed before adding to xefi xfs: fix bounds check in xfs_defer_agfl_block() xfs: use deferred frees for btree block freeing xfs: initialise di_crc in xfs_log_dinode David Rosca (1): drm/amdgpu: Fix JPEG video caps max size for navi1x and raven David Woodhouse (1): clockevents/drivers/i8253: Fix stop sequence for timer 0 Edson Juliano Drosdeck (1): ALSA: hda/realtek: Limit mic boost on Positivo ARN50 Eric Dumazet (1): tcp: fix races in tcp_abort() Eric W. Biederman (1): alpha/elf: Fix misc/setarch test of util-linux by removing 32bit support Fabio Porcedda (2): USB: serial: option: add Telit Cinterion FE990B compositions USB: serial: option: fix Telit Cinterion FE990A name Felix Moessbauer (1): hrtimer: Use and report correct timerslack values for realtime tasks Florent Revest (1): x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Gannon Kolding (1): ACPI: resource: IRQ override for Eluktronics MECH-17 Gavrilov Ilia (1): xsk: fix an integer overflow in xp_create_and_assign_umem() Geert Uytterhoeven (1): ARM: shmobile: smp: Enforce shmobile_smp_* alignment George Stark (1): leds: mlxreg: Use devm_mutex_init() for mutex initialization Greg Kroah-Hartman (1): Linux 6.1.132 Grzegorz Nitka (1): ice: fix memory leak in aRFS after reset Gu Bowen (1): mmc: atmel-mci: Add missing clk_disable_unprepare() Guillaume Nault (2): gre: Fix IPv6 link-local address generation. Revert "gre: Fix IPv6 link-local address generation." Haibo Chen (2): can: flexcan: only change CAN state when link up in system PM can: flexcan: disable transceiver during system PM Hangbin Liu (1): bonding: fix incorrect MAC address setting to receive NS messages Haoxiang Li (1): qlcnic: fix memory leak issues in qlcnic_sriov_common.c Hector Martin (3): ASoC: tas2770: Fix volume scale ASoC: tas2764: Fix power control mask ASoC: tas2764: Set the SDOUT polarity correctly Henrique Carvalho (1): smb: client: Fix match_session bug preventing session reuse Ievgen Vovk (1): HID: hid-apple: Apple Magic Keyboard a3203 USB-C support Ilya Maximets (1): net: openvswitch: remove misbehaving actions length check Imre Deak (1): drm/dp_mst: Fix locking when skipping CSN before topology probing Ivan Abramov (1): drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data() Jan Beulich (1): Xen/swiotlb: mark xen_swiotlb_fixup() __init Jann Horn (1): sched: Clarify wake_up_q()'s write to task->wake_q.next Jason-JH.Lin (1): drm/mediatek: Fix coverity issue with unintentional integer overflow Jens Axboe (5): io_uring: return error pointer from io_mem_alloc() io_uring: add ring freeing helper mm: add nommu variant of vm_insert_pages() io_uring: get rid of remap_pfn_range() for mapping rings/sqes io_uring: don't attempt to mmap larger than what the user asks for Jiachen Zhang (1): xfs: ensure logflagsp is initialized in xfs_bmap_del_extent_real Jianbo Liu (1): net/mlx5: Bridge, fix the crash caused by LAG state check Joe Hattori (2): powercap: call put_device() on an error path in powercap_register_control_type() firmware: imx-scu: fix OF node leak in .probe() Johan Hovold (1): USB: serial: option: match on interface class for Telit FN990B Joseph Huang (1): net: dsa: mv88e6xxx: Verify after ATU Load ops Jun Yang (1): sched: address a potential NULL pointer dereference in the GRED scheduler. Junxian Huang (4): RDMA/hns: Fix soft lockup during bt pages loop RDMA/hns: Fix unmatched condition in error path of alloc_user_qp_db() RDMA/hns: Fix a missing rollback in error path of hns_roce_create_qp_common() RDMA/hns: Fix wrong value of max_sge_rd Justin Iurman (1): net: lwtunnel: fix recursion loops Justin Klaassen (1): arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S Kamal Dasu (1): mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops Kan Liang (1): perf/x86/intel: Use better start period for frequency mode Kashyap Desai (1): RDMA/bnxt_re: Add missing paranthesis in map_qp_id_to_tbl_indx Kohei Enju (1): netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() Konstantin Komarov (2): fs/ntfs3: Fix shift-out-of-bounds in ntfs_fill_super fs/ntfs3: Change new sparse cluster processing Kuninori Morimoto (2): ASoC: rsnd: don't indicate warning on rsnd_kctrl_accept_runtime() ASoC: rsnd: adjust convert rate limitation Kuniyuki Iwashima (2): ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw(). ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create(). Lin Ma (1): net/neighbor: add missing policy for NDTPA_QUEUE_LENBYTES Long Li (2): xfs: add lock protection when remove perag from radix tree xfs: fix perag leak when growfs fails Luiz Augusto von Dentz (2): Bluetooth: hci_event: Fix enabling passive scanning Revert "Bluetooth: hci_core: Fix sleeping function called from invalid context" Magnus Lindholm (1): scsi: qla1280: Fix kernel oops when debug level > 2 Marek Vasut (2): soc: imx8m: Remove global soc_uid soc: imx8m: Use devm_* to simplify probe failure handling Mario Limonciello (3): drm/amd/display: Restore correct backlight brightness after a GPU reset drm/amd/display: Fix slab-use-after-free on hdcp_work drm/amd/display: Use HW lock mgr for PSR1 when only one eDP Mark Pearson (1): platform/x86: thinkpad_acpi: Support for V9 DYTC platform profiles Martin Rodriguez Reboredo (1): scripts: generate_rust_analyzer: provide `cfg`s for `core` and `alloc` Matt Johnston (1): net: mctp i2c: Copy headers if cloned Matthew Maurer (1): rust: Disallow BTF generation with Rust + LTO Matthieu Baerts (NGI0) (1): mptcp: safety check before fallback Maurizio Lombardi (2): nvme-tcp: add basic support for the C2HTermReq PDU nvme-tcp: Fix a C2HTermReq error message Maíra Canal (1): drm/v3d: Don't run jobs that have errors flagged in its fence Michael Kelley (3): fbdev: hyperv_fb: iounmap() the correct memory when removing a device drm/hyperv: Fix address space leak when Hyper-V DRM device is removed Drivers: hv: vmbus: Don't release fb_mmio resource in vmbus_free_mmio() Miklos Szeredi (1): fuse: don't truncate cached, mutated symlink Ming Lei (1): block: fix 'kmem_cache of name 'bio-108' already exists' Miri Korenblit (1): wifi: cfg80211: cancel wiphy_work before freeing wiphy Murad Masimov (4): cifs: Fix integer overflow while processing acregmax mount option cifs: Fix integer overflow while processing acdirmax mount option cifs: Fix integer overflow while processing actimeo mount option cifs: Fix integer overflow while processing closetimeo mount option Namjae Jeon (1): ksmbd: fix incorrect validation for num_aces field of smb_acl Nicklas Bo Jensen (1): netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around Nikita Zhandarovich (1): drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() Oleg Nesterov (1): sched/isolation: Prevent boot crash when the boot CPU is nohz_full Paulo Alcantara (2): smb: client: fix noisy when tree connecting to DFS interlink targets smb: client: fix potential UAF in cifs_dump_full_key() Pavel Begunkov (1): io_uring: fix corner case forgetting to vunmap Peng Fan (1): soc: imx8m: Unregister cpufreq and soc dev in cleanup path Peter Oberparleiter (1): s390/cio: Fix CHPID "configure" attribute caching Phil Elwell (2): ARM: dts: bcm2711: PL011 UARTs are actually r1p5 ARM: dts: bcm2711: Don't mark timer regs unconfigured Rik van Riel (1): scsi: core: Use GFP_NOIO to avoid circular locking dependency Ruozhu Li (1): nvmet-rdma: recheck queue state is LIVE in state lock in recv done Saranya R (1): soc: qcom: pdr: Fix the potential deadlock Saravanan Vajravel (1): RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path Sebastian Andrzej Siewior (2): netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template. netfilter: nft_counter: Use u64_stats_t for statistic. Stefan Eichenberger (1): arm64: dts: freescale: imx8mm-verdin-dahlia: add Microphone Jack to sound card Stephan Gerhold (1): net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors Steve French (1): smb3: add support for IAKerb Sven Eckelmann (1): batman-adv: Ignore own maximum aggregation size during RX Sybil Isabel Dorsett (1): platform/x86: thinkpad_acpi: Fix invalid fan speed on ThinkPad X120e Taehee Yoo (1): eth: bnxt: do not update checksum in bnxt_xdp_build_skb() Tamir Duberstein (1): scripts: generate_rust_analyzer: add missing macros deps Terry Cheong (1): ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module Thomas Mizrahi (1): ASoC: amd: yc: Support mic on another Lenovo ThinkPad E16 Gen 2 model Thomas Zimmermann (1): drm/nouveau: Do not override forced connector status Varada Pavani (1): clk: samsung: update PLL locktime for PLL142XX used on FSD platform Ville Syrjälä (1): drm/atomic: Filter out redundant DPMS calls Vinay Varma (1): scripts: `make rust-analyzer` for out-of-tree modules Vitaly Prosyak (1): drm/amdgpu: fix use-after-free bug Vitaly Rodionov (1): ASoC: arizona/madera: use fsleep() in up/down DAPM event delays. Wentao Liang (1): net/mlx5: handle errors in mlx5_chains_create_table() Werner Sembach (4): Input: i8042 - swap old quirk combination with new quirk for NHxxRZQ Input: i8042 - add required quirks for missing old boardnames Input: i8042 - swap old quirk combination with new quirk for several devices Input: i8042 - swap old quirk combination with new quirk for more devices Xueming Feng (1): tcp: fix forever orphan socket caused by tcp_abort Ye Bin (1): proc: fix UAF in proc_get_inode() Yu-Chun Lin (1): sctp: Fix undefined behavior in left shift operation Yunfei Dong (1): media: mediatek: vcodec: Fix VP8 stateless decoder smatch warning Zhang Lixu (2): HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell HID: intel-ish-hid: Send clock sync message immediately after reset Zhang Tianci (1): xfs: update dir3 leaf block metadata after swap Zhenhua Huang (1): arm64: mm: Populate vmemmap at the page level if not section aligned Zi Yan (1): mm/migrate: fix shmem xarray update during migration

2 months, 3 weeks

1
1
0 0

Linux 6.6.85

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.85 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/boot/dts/broadcom/bcm2711.dtsi | 11 - arch/arm/boot/dts/nxp/imx/imx6qdl-apalis.dtsi | 10 - arch/arm/mach-davinci/Kconfig | 1 arch/arm/mach-omap1/Kconfig | 1 arch/arm/mach-shmobile/headsmp.S | 1 arch/arm64/boot/dts/freescale/imx8mm-verdin-dahlia.dtsi | 6 arch/arm64/boot/dts/freescale/imx8mp-tqma8mpql.dtsi | 16 - arch/arm64/boot/dts/freescale/imx8mp-verdin-dahlia.dtsi | 6 arch/arm64/boot/dts/rockchip/px30-ringneck-haikou.dts | 2 arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dts | 2 arch/arm64/boot/dts/rockchip/rk3566-lubancat-1.dts | 1 arch/arm64/include/asm/kvm_host.h | 7 arch/arm64/include/asm/kvm_hyp.h | 1 arch/arm64/kernel/fpsimd.c | 25 -- arch/arm64/kvm/arm.c | 1 arch/arm64/kvm/fpsimd.c | 89 +-------- arch/arm64/kvm/hyp/entry.S | 5 arch/arm64/kvm/hyp/include/hyp/switch.h | 106 +++++++---- arch/arm64/kvm/hyp/nvhe/hyp-main.c | 15 - arch/arm64/kvm/hyp/nvhe/pkvm.c | 29 --- arch/arm64/kvm/hyp/nvhe/switch.c | 106 +++++++---- arch/arm64/kvm/hyp/vhe/switch.c | 13 - arch/arm64/kvm/reset.c | 3 arch/riscv/boot/dts/starfive/jh7110-pinfunc.h | 2 drivers/accel/qaic/qaic_data.c | 9 drivers/firmware/efi/libstub/randomalloc.c | 4 drivers/firmware/imx/imx-scu.c | 1 drivers/gpu/drm/amd/amdgpu/nv.c | 20 +- drivers/gpu/drm/amd/amdgpu/soc15.c | 20 +- drivers/gpu/drm/amd/amdgpu/vi.c | 36 +-- drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c | 15 + drivers/gpu/drm/radeon/radeon_vce.c | 2 drivers/gpu/drm/scheduler/sched_entity.c | 11 - drivers/gpu/drm/v3d/v3d_sched.c | 9 drivers/i2c/busses/i2c-omap.c | 26 -- drivers/infiniband/hw/bnxt_re/qplib_fp.c | 2 drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 3 drivers/infiniband/hw/hns/hns_roce_hem.c | 16 + drivers/infiniband/hw/hns/hns_roce_main.c | 2 drivers/infiniband/hw/hns/hns_roce_qp.c | 10 - drivers/infiniband/hw/mlx5/ah.c | 14 - drivers/mmc/host/atmel-mci.c | 4 drivers/mmc/host/sdhci-brcmstb.c | 10 + drivers/net/can/flexcan/flexcan-core.c | 18 + drivers/net/can/rcar/rcar_canfd.c | 28 +-- drivers/net/can/usb/ucan.c | 43 +--- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 - drivers/net/wireless/intel/iwlwifi/fw/file.h | 4 drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 9 drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 37 +++ drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 28 +++ drivers/net/wireless/intel/iwlwifi/mvm/sta.h | 3 drivers/regulator/core.c | 12 + drivers/regulator/dummy.c | 2 drivers/soc/imx/soc-imx8m.c | 149 +++++++--------- drivers/soc/qcom/pdr_interface.c | 8 fs/btrfs/tree-checker.c | 30 +-- fs/btrfs/tree-checker.h | 1 fs/proc/generic.c | 10 - fs/proc/inode.c | 6 fs/proc/internal.h | 14 + fs/smb/server/smbacl.c | 5 include/linux/proc_fs.h | 7 include/net/bluetooth/hci.h | 2 kernel/sched/core.c | 22 -- mm/filemap.c | 13 + mm/migrate.c | 10 - net/atm/lec.c | 3 net/batman-adv/bat_iv_ogm.c | 3 net/batman-adv/bat_v_ogm.c | 3 net/bluetooth/6lowpan.c | 7 net/core/lwtunnel.c | 65 +++++- net/core/neighbour.c | 1 net/ipv6/addrconf.c | 15 - net/ipv6/route.c | 5 net/mptcp/options.c | 6 net/netfilter/nft_counter.c | 90 ++++----- net/xdp/xsk_buff_pool.c | 2 net/xfrm/xfrm_output.c | 43 ++++ 80 files changed, 794 insertions(+), 595 deletions(-) Alexander Stein (1): arm64: dts: freescale: tqma8mpql: Fix vqmmc-supply Alexandre Cassen (1): xfrm: fix tunnel mode TX datapath in packet offload mode Andreas Kemnade (1): i2c: omap: fix IRQ storms Ard Biesheuvel (1): efi/libstub: Avoid physical address 0x0 when doing random allocation Arkadiusz Bokowy (1): Bluetooth: hci_event: Fix connection regression between LE and non-LE adapters Arnd Bergmann (1): ARM: OMAP1: select CONFIG_GENERIC_IRQ_CHIP Arthur Mongodin (1): mptcp: Fix data stream corruption in the address announcement Benjamin Berg (1): wifi: iwlwifi: mvm: ensure offloading TID queue exists Biju Das (1): can: rcar_canfd: Fix page entries in the AFL list Christian Eggers (2): regulator: dummy: force synchronous probing regulator: check that dummy regulator has been probed before using it Cosmin Ratiu (1): xfrm_output: Force software GSO only in tunnel mode Dan Carpenter (3): Bluetooth: Fix error code in chan_alloc_skb_cb() net: atm: fix use after free in lec_send() accel/qaic: Fix integer overflow in qaic_validate_req() David Lechner (1): ARM: davinci: da850: fix selecting ARCH_DAVINCI_DA8XX David Rosca (2): drm/amdgpu: Fix MPEG2, MPEG4 and VC1 video caps max size drm/amdgpu: Fix JPEG video caps max size for navi1x and raven Dietmar Eggemann (1): Revert "sched/core: Reduce cost of sched_move_task when config autogroup" E Shattow (1): riscv: dts: starfive: Fix a typo in StarFive JH7110 pin function definitions Fuad Tabba (1): KVM: arm64: Calculate cptr_el2 traps on activating traps Gavrilov Ilia (1): xsk: fix an integer overflow in xp_create_and_assign_umem() Geert Uytterhoeven (1): ARM: shmobile: smp: Enforce shmobile_smp_* alignment Greg Kroah-Hartman (1): Linux 6.6.85 Gu Bowen (1): mmc: atmel-mci: Add missing clk_disable_unprepare() Guillaume Nault (1): Revert "gre: Fix IPv6 link-local address generation." Haibo Chen (2): can: flexcan: only change CAN state when link up in system PM can: flexcan: disable transceiver during system PM Jeffrey Hugo (1): accel/qaic: Fix possible data corruption in BOs > 2G Joe Hattori (1): firmware: imx-scu: fix OF node leak in .probe() Josef Bacik (1): btrfs: make sure that WRITTEN is set on all metadata blocks Junxian Huang (4): RDMA/hns: Fix soft lockup during bt pages loop RDMA/hns: Fix unmatched condition in error path of alloc_user_qp_db() RDMA/hns: Fix a missing rollback in error path of hns_roce_create_qp_common() RDMA/hns: Fix wrong value of max_sge_rd Justin Iurman (1): net: lwtunnel: fix recursion loops Justin Klaassen (1): arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S Kamal Dasu (1): mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops Kashyap Desai (1): RDMA/bnxt_re: Add missing paranthesis in map_qp_id_to_tbl_indx Kuniyuki Iwashima (2): ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw(). ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create(). Lin Ma (1): net/neighbor: add missing policy for NDTPA_QUEUE_LENBYTES Marek Vasut (2): soc: imx8m: Remove global soc_uid soc: imx8m: Use devm_* to simplify probe failure handling Mario Limonciello (1): drm/amd/display: Use HW lock mgr for PSR1 when only one eDP Mark Rutland (7): KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state KVM: arm64: Remove host FPSIMD saving for non-protected KVM KVM: arm64: Remove VHE host restore of CPACR_EL1.ZEN KVM: arm64: Remove VHE host restore of CPACR_EL1.SMEN KVM: arm64: Refactor exit handlers KVM: arm64: Mark some header functions as inline KVM: arm64: Eagerly switch ZCR_EL{1,2} Martin Tsai (1): drm/amd/display: should support dmub hw lock on Replay Maíra Canal (1): drm/v3d: Don't run jobs that have errors flagged in its fence Miri Korenblit (1): wifi: iwlwifi: support BIOS override for 5G9 in CA also in LARI version 8 Namjae Jeon (1): ksmbd: fix incorrect validation for num_aces field of smb_acl Nikita Zhandarovich (1): drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() Peng Fan (1): soc: imx8m: Unregister cpufreq and soc dev in cleanup path Phil Elwell (2): ARM: dts: bcm2711: PL011 UARTs are actually r1p5 ARM: dts: bcm2711: Don't mark timer regs unconfigured Qasim Ijaz (1): RDMA/mlx5: Handle errors returned from mlx5r_ib_rate() Quentin Schulz (1): arm64: dts: rockchip: fix pinmux of UART0 for PX30 Ringneck on Haikou Raphael S. Carvalho (1): mm: fix error handling in __filemap_get_folio() with FGP_NOWAIT Saranya R (1): soc: qcom: pdr: Fix the potential deadlock Saravanan Vajravel (1): RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path Sebastian Andrzej Siewior (1): netfilter: nft_counter: Use u64_stats_t for statistic. Shravya KN (1): bnxt_en: Fix receive ring space parameters when XDP is active Stefan Eichenberger (3): arm64: dts: freescale: imx8mp-verdin-dahlia: add Microphone Jack to sound card arm64: dts: freescale: imx8mm-verdin-dahlia: add Microphone Jack to sound card ARM: dts: imx6qdl-apalis: Fix poweroff on Apalis iMX6 Sven Eckelmann (1): batman-adv: Ignore own maximum aggregation size during RX Vincent Mailhol (1): can: ucan: fix out of bound read in strscpy() source Yao Zi (1): arm64: dts: rockchip: Remove undocumented sdmmc property from lubancat-1 Ye Bin (1): proc: fix UAF in proc_get_inode() Zi Yan (1): mm/migrate: fix shmem xarray update during migration qianyi liu (1): drm/sched: Fix fence reference count leak

2 months, 3 weeks

1
1
0 0

[PATCH v2] ACPI: video: Handle fetching EDID as ACPI_TYPE_PACKAGE

by Gergo Koteles

The _DDC method should return a buffer, or an integer in case of an error. But some Lenovo laptops incorrectly return EDID as buffer in ACPI package. Calling _DDC generates this ACPI Warning: ACPI Warning: \_SB.PCI0.GP17.VGA.LCD._DDC: Return type mismatch - \ found Package, expected Integer/Buffer (20240827/nspredef-254) Use the first element of the package to get the EDID buffer. The DSDT: Name (AUOP, Package (0x01) { Buffer (0x80) { ... } }) ... Method (_DDC, 1, NotSerialized) // _DDC: Display Data Current { If ((PAID == AUID)) { Return (AUOP) /* \_SB_.PCI0.GP17.VGA_.LCD_.AUOP */ } ElseIf ((PAID == IVID)) { Return (IVOP) /* \_SB_.PCI0.GP17.VGA_.LCD_.IVOP */ } ElseIf ((PAID == BOID)) { Return (BOEP) /* \_SB_.PCI0.GP17.VGA_.LCD_.BOEP */ } ElseIf ((PAID == SAID)) { Return (SUNG) /* \_SB_.PCI0.GP17.VGA_.LCD_.SUNG */ } Return (Zero) } Link: https://uefi.org/htmlspecs/ACPI_Spec_6_4_html/Apx_B_Video_Extensions/output… Cc: stable(a)vger.kernel.org Fixes: c6a837088bed ("drm/amd/display: Fetch the EDID from _DDC if available for eDP") Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4085 Signed-off-by: Gergo Koteles <soyer(a)irl.hu> --- Changes in v2: - Added comment - Improved commit message - Link to v1: https://lore.kernel.org/all/4cef341fdf7a0e877c50b502fc95ee8be28aa811.174312… drivers/acpi/acpi_video.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c index efdadc74e3f4..103f29661576 100644 --- a/drivers/acpi/acpi_video.c +++ b/drivers/acpi/acpi_video.c @@ -649,6 +649,13 @@ acpi_video_device_EDID(struct acpi_video_device *device, void **edid, int length obj = buffer.pointer; + /* + * Some buggy implementations incorrectly return the EDID buffer in an ACPI package. + * In this case, extract the buffer from the package. + */ + if (obj && obj->type == ACPI_TYPE_PACKAGE && obj->package.count == 1) + obj = &obj->package.elements[0]; + if (obj && obj->type == ACPI_TYPE_BUFFER) { *edid = kmemdup(obj->buffer.pointer, obj->buffer.length, GFP_KERNEL); ret = *edid ? obj->buffer.length : -ENOMEM; @@ -658,7 +665,7 @@ acpi_video_device_EDID(struct acpi_video_device *device, void **edid, int length ret = -EFAULT; } - kfree(obj); + kfree(buffer.pointer); return ret; } -- 2.49.0

2 months, 3 weeks

1
0
0 0

[PATCH v2] arm64: mops: Do not dereference src reg for a set operation

by Keir Fraser

The source register is not used for SET* and reading it can result in a UBSAN out-of-bounds array access error, specifically when the MOPS exception is taken from a SET* sequence with XZR (reg 31) as the source. Architecturally this is the only case where a src/dst/size field in the ESR can be reported as 31. Prior to 2de451a329cf662b the code in do_el0_mops() was benign as the use of pt_regs_read_reg() prevented the out-of-bounds access. Fixes: 2de451a329cf662b ("KVM: arm64: Add handler for MOPS exceptions") Cc: Kristina Martsenko <kristina.martsenko(a)arm.com> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Will Deacon <will(a)kernel.org> Cc: stable(a)vger.kernel.org Reviewed-by: Marc Zyngier <maz(a)kernel.org> Signed-off-by: Keir Fraser <keirf(a)google.com> --- arch/arm64/include/asm/traps.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/arm64/include/asm/traps.h b/arch/arm64/include/asm/traps.h index d780d1bd2eac..82cf1f879c61 100644 --- a/arch/arm64/include/asm/traps.h +++ b/arch/arm64/include/asm/traps.h @@ -109,10 +109,9 @@ static inline void arm64_mops_reset_regs(struct user_pt_regs *regs, unsigned lon int dstreg = ESR_ELx_MOPS_ISS_DESTREG(esr); int srcreg = ESR_ELx_MOPS_ISS_SRCREG(esr); int sizereg = ESR_ELx_MOPS_ISS_SIZEREG(esr); - unsigned long dst, src, size; + unsigned long dst, size; dst = regs->regs[dstreg]; - src = regs->regs[srcreg]; size = regs->regs[sizereg]; /* @@ -129,6 +128,7 @@ static inline void arm64_mops_reset_regs(struct user_pt_regs *regs, unsigned lon } } else { /* CPY* instruction */ + unsigned long src = regs->regs[srcreg]; if (!(option_a ^ wrong_option)) { /* Format is from Option B */ if (regs->pstate & PSR_N_BIT) { -- 2.49.0.395.g12beb8f557-goog

2 months, 3 weeks

3
2
0 0

[PATCH V3] block: fix conversion of GPT partition name to 7-bit

by Ming Lei

From: Olivier Gayot <olivier.gayot(a)canonical.com> The utf16_le_to_7bit function claims to, naively, convert a UTF-16 string to a 7-bit ASCII string. By naively, we mean that it: * drops the first byte of every character in the original UTF-16 string * checks if all characters are printable, and otherwise replaces them by exclamation mark "!". This means that theoretically, all characters outside the 7-bit ASCII range should be replaced by another character. Examples: * lower-case alpha (ɒ) 0x0252 becomes 0x52 (R) * ligature OE (œ) 0x0153 becomes 0x53 (S) * hangul letter pieup (ㅂ) 0x3142 becomes 0x42 (B) * upper-case gamma (Ɣ) 0x0194 becomes 0x94 (not printable) so gets replaced by "!" The result of this conversion for the GPT partition name is passed to user-space as PARTNAME via udev, which is confusing and feels questionable. However, there is a flaw in the conversion function itself. By dropping one byte of each character and using isprint() to check if the remaining byte corresponds to a printable character, we do not actually guarantee that the resulting character is 7-bit ASCII. This happens because we pass 8-bit characters to isprint(), which in the kernel returns 1 for many values > 0x7f - as defined in ctype.c. This results in many values which should be replaced by "!" to be kept as-is, despite not being valid 7-bit ASCII. Examples: * e with acute accent (é) 0x00E9 becomes 0xE9 - kept as-is because isprint(0xE9) returns 1. * euro sign (€) 0x20AC becomes 0xAC - kept as-is because isprint(0xAC) returns 1. This way has broken pyudev utility[1], fixes it by using a mask of 7 bits instead of 8 bits before calling isprint. Link: https://github.com/pyudev/pyudev/issues/490#issuecomment-2685794648 [1] Link: https://lore.kernel.org/linux-block/4cac90c2-e414-4ebb-ae62-2a4589d9dc6e@ca… Cc: Mulhern <amulhern(a)redhat.com> Cc: Davidlohr Bueso <dave(a)stgolabs.net> Cc: stable(a)vger.kernel.org Signed-off-by: Olivier Gayot <olivier.gayot(a)canonical.com> Signed-off-by: Ming Lei <ming.lei(a)redhat.com> --- V3: - userspace break words in commit log - Cc more list and guys V2: - No change - resubmitted with subsystem maintainers in CC block/partitions/efi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/block/partitions/efi.c b/block/partitions/efi.c index 5e9be13a56a8..7acba66eed48 100644 --- a/block/partitions/efi.c +++ b/block/partitions/efi.c @@ -682,7 +682,7 @@ static void utf16_le_to_7bit(const __le16 *in, unsigned int size, u8 *out) out[size] = 0; while (i < size) { - u8 c = le16_to_cpu(in[i]) & 0xff; + u8 c = le16_to_cpu(in[i]) & 0x7f; if (c && !isprint(c)) c = '!'; -- 2.47.0

2 months, 3 weeks

5
5
0 0

FAILED: patch "[PATCH] usb: typec: ucsi: Fix NULL pointer access" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x b13abcb7ddd8d38de769486db5bd917537b32ab1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025030920-fancy-such-266d@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b13abcb7ddd8d38de769486db5bd917537b32ab1 Mon Sep 17 00:00:00 2001 From: Andrei Kuchynski <akuchynski(a)chromium.org> Date: Wed, 5 Mar 2025 11:17:39 +0000 Subject: [PATCH] usb: typec: ucsi: Fix NULL pointer access Resources should be released only after all threads that utilize them have been destroyed. This commit ensures that resources are not released prematurely by waiting for the associated workqueue to complete before deallocating them. Cc: stable <stable(a)kernel.org> Fixes: b9aa02ca39a4 ("usb: typec: ucsi: Add polling mechanism for partner tasks like alt mode checking") Signed-off-by: Andrei Kuchynski <akuchynski(a)chromium.org> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://lore.kernel.org/r/20250305111739.1489003-2-akuchynski@chromium.org Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c index 7a56d3f840d7..2a2915b0a645 100644 --- a/drivers/usb/typec/ucsi/ucsi.c +++ b/drivers/usb/typec/ucsi/ucsi.c @@ -1825,11 +1825,11 @@ static int ucsi_init(struct ucsi *ucsi) err_unregister: for (con = connector; con->port; con++) { + if (con->wq) + destroy_workqueue(con->wq); ucsi_unregister_partner(con); ucsi_unregister_altmodes(con, UCSI_RECIPIENT_CON); ucsi_unregister_port_psy(con); - if (con->wq) - destroy_workqueue(con->wq); usb_power_delivery_unregister_capabilities(con->port_sink_caps); con->port_sink_caps = NULL; @@ -2013,10 +2013,6 @@ void ucsi_unregister(struct ucsi *ucsi) for (i = 0; i < ucsi->cap.num_connectors; i++) { cancel_work_sync(&ucsi->connector[i].work); - ucsi_unregister_partner(&ucsi->connector[i]); - ucsi_unregister_altmodes(&ucsi->connector[i], - UCSI_RECIPIENT_CON); - ucsi_unregister_port_psy(&ucsi->connector[i]); if (ucsi->connector[i].wq) { struct ucsi_work *uwork; @@ -2032,6 +2028,11 @@ void ucsi_unregister(struct ucsi *ucsi) destroy_workqueue(ucsi->connector[i].wq); } + ucsi_unregister_partner(&ucsi->connector[i]); + ucsi_unregister_altmodes(&ucsi->connector[i], + UCSI_RECIPIENT_CON); + ucsi_unregister_port_psy(&ucsi->connector[i]); + usb_power_delivery_unregister_capabilities(ucsi->connector[i].port_sink_caps); ucsi->connector[i].port_sink_caps = NULL; usb_power_delivery_unregister_capabilities(ucsi->connector[i].port_source_caps);

2 months, 3 weeks

3
2
0 0

[PATCH 6.6.y] drm/amd/display: Check denominator crb_pipes before used

by Cliff Liu

From: Alex Hung <alex.hung(a)amd.com> [ Upstream commit ea79068d4073bf303f8203f2625af7d9185a1bc6 ] [WHAT & HOW] A denominator cannot be 0, and is checked before used. This fixes 2 DIVIDE_BY_ZERO issues reported by Coverity. Reviewed-by: Harry Wentland <harry.wentland(a)amd.com> Signed-off-by: Jerry Zuo <jerry.zuo(a)amd.com> Signed-off-by: Alex Hung <alex.hung(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Cliff Liu <donghua.liu(a)windriver.com> Signed-off-by: He Zhe <Zhe.He(a)windriver.com> --- Verified the build test. --- drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c b/drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c index 3f3b555b4523..597fa0364a3a 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c +++ b/drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c @@ -1753,7 +1753,7 @@ static int dcn315_populate_dml_pipes_from_context( bool split_required = pipe->stream->timing.pix_clk_100hz >= dcn_get_max_non_odm_pix_rate_100hz(&dc->dml.soc) || (pipe->plane_state && pipe->plane_state->src_rect.width > 5120); - if (remaining_det_segs > MIN_RESERVED_DET_SEGS) + if (remaining_det_segs > MIN_RESERVED_DET_SEGS && crb_pipes != 0) pipes[pipe_cnt].pipe.src.det_size_override += (remaining_det_segs - MIN_RESERVED_DET_SEGS) / crb_pipes + (crb_idx < (remaining_det_segs - MIN_RESERVED_DET_SEGS) % crb_pipes ? 1 : 0); if (pipes[pipe_cnt].pipe.src.det_size_override > 2 * DCN3_15_MAX_DET_SEGS) { -- 2.43.0

2 months, 3 weeks

2
1
0 0

[PATCH 6.1] xfs: give xfs_extfree_intent its own perag reference

by Leah Rumancik

From: "Darrick J. Wong" <djwong(a)kernel.org> [ Upstream commit f6b384631e1e3482c24e35b53adbd3da50e47e8f ] Give the xfs_extfree_intent an passive reference to the perag structure data. This reference will be used to enable scrub intent draining functionality in subsequent patches. The space being freed must already be allocated, so we need to able to run even if the AG is being offlined or shrunk. Signed-off-by: Darrick J. Wong <djwong(a)kernel.org> Reviewed-by: Dave Chinner <dchinner(a)redhat.com> Signed-off-by: Leah Rumancik <leah.rumancik(a)gmail.com> Acked-by: "Darrick J. Wong" <djwong(a)kernel.org> --- This is to fix build fialure noted here: https://lore.kernel.org/stable/8c6125d7-363c-42b3-bdbb-f802cb8b4408@web.de/ Tested on auto group x 9 configs with no regressions seen. Already ack'd on xfs-stable list. fs/xfs/libxfs/xfs_alloc.c | 7 +++-- fs/xfs/libxfs/xfs_alloc.h | 4 +++ fs/xfs/xfs_extfree_item.c | 58 +++++++++++++++++++++++++-------------- 3 files changed, 47 insertions(+), 22 deletions(-) diff --git a/fs/xfs/libxfs/xfs_alloc.c b/fs/xfs/libxfs/xfs_alloc.c index e44f3f5c6d27..c08265f19136 100644 --- a/fs/xfs/libxfs/xfs_alloc.c +++ b/fs/xfs/libxfs/xfs_alloc.c @@ -2509,30 +2509,31 @@ xfs_defer_agfl_block( xefi->xefi_owner = oinfo->oi_owner; xefi->xefi_agresv = XFS_AG_RESV_AGFL; trace_xfs_agfl_free_defer(mp, agno, 0, agbno, 1); + xfs_extent_free_get_group(mp, xefi); xfs_defer_add(tp, XFS_DEFER_OPS_TYPE_AGFL_FREE, &xefi->xefi_list); return 0; } /* * Add the extent to the list of extents to be free at transaction end. * The list is maintained sorted (by block number). */ int __xfs_free_extent_later( struct xfs_trans *tp, xfs_fsblock_t bno, xfs_filblks_t len, const struct xfs_owner_info *oinfo, enum xfs_ag_resv_type type, bool skip_discard) { struct xfs_extent_free_item *xefi; -#ifdef DEBUG struct xfs_mount *mp = tp->t_mountp; +#ifdef DEBUG xfs_agnumber_t agno; xfs_agblock_t agbno; ASSERT(bno != NULLFSBLOCK); ASSERT(len > 0); @@ -2567,13 +2568,15 @@ __xfs_free_extent_later( xefi->xefi_flags |= XFS_EFI_BMBT_BLOCK; xefi->xefi_owner = oinfo->oi_owner; } else { xefi->xefi_owner = XFS_RMAP_OWN_NULL; } - trace_xfs_bmap_free_defer(tp->t_mountp, + trace_xfs_bmap_free_defer(mp, XFS_FSB_TO_AGNO(tp->t_mountp, bno), 0, XFS_FSB_TO_AGBNO(tp->t_mountp, bno), len); + + xfs_extent_free_get_group(mp, xefi); xfs_defer_add(tp, XFS_DEFER_OPS_TYPE_FREE, &xefi->xefi_list); return 0; } #ifdef DEBUG diff --git a/fs/xfs/libxfs/xfs_alloc.h b/fs/xfs/libxfs/xfs_alloc.h index bbedb18651de..2dd93d62150f 100644 --- a/fs/xfs/libxfs/xfs_alloc.h +++ b/fs/xfs/libxfs/xfs_alloc.h @@ -224,14 +224,18 @@ int __xfs_free_extent_later(struct xfs_trans *tp, xfs_fsblock_t bno, struct xfs_extent_free_item { struct list_head xefi_list; uint64_t xefi_owner; xfs_fsblock_t xefi_startblock;/* starting fs block number */ xfs_extlen_t xefi_blockcount;/* number of blocks in extent */ + struct xfs_perag *xefi_pag; unsigned int xefi_flags; enum xfs_ag_resv_type xefi_agresv; }; +void xfs_extent_free_get_group(struct xfs_mount *mp, + struct xfs_extent_free_item *xefi); + #define XFS_EFI_SKIP_DISCARD (1U << 0) /* don't issue discard */ #define XFS_EFI_ATTR_FORK (1U << 1) /* freeing attr fork block */ #define XFS_EFI_BMBT_BLOCK (1U << 2) /* freeing bmap btree block */ static inline int diff --git a/fs/xfs/xfs_extfree_item.c b/fs/xfs/xfs_extfree_item.c index 9c726f082285..ab9d0e8b77da 100644 --- a/fs/xfs/xfs_extfree_item.c +++ b/fs/xfs/xfs_extfree_item.c @@ -348,32 +348,27 @@ xfs_trans_free_extent( struct xfs_extent_free_item *xefi) { struct xfs_owner_info oinfo = { }; struct xfs_mount *mp = tp->t_mountp; struct xfs_extent *extp; - struct xfs_perag *pag; uint next_extent; - xfs_agnumber_t agno = XFS_FSB_TO_AGNO(mp, - xefi->xefi_startblock); xfs_agblock_t agbno = XFS_FSB_TO_AGBNO(mp, xefi->xefi_startblock); int error; oinfo.oi_owner = xefi->xefi_owner; if (xefi->xefi_flags & XFS_EFI_ATTR_FORK) oinfo.oi_flags |= XFS_OWNER_INFO_ATTR_FORK; if (xefi->xefi_flags & XFS_EFI_BMBT_BLOCK) oinfo.oi_flags |= XFS_OWNER_INFO_BMBT_BLOCK; - trace_xfs_bmap_free_deferred(tp->t_mountp, agno, 0, agbno, - xefi->xefi_blockcount); + trace_xfs_bmap_free_deferred(tp->t_mountp, xefi->xefi_pag->pag_agno, 0, + agbno, xefi->xefi_blockcount); - pag = xfs_perag_get(mp, agno); - error = __xfs_free_extent(tp, pag, agbno, xefi->xefi_blockcount, - &oinfo, xefi->xefi_agresv, + error = __xfs_free_extent(tp, xefi->xefi_pag, agbno, + xefi->xefi_blockcount, &oinfo, xefi->xefi_agresv, xefi->xefi_flags & XFS_EFI_SKIP_DISCARD); - xfs_perag_put(pag); /* * Mark the transaction dirty, even on error. This ensures the * transaction is aborted, which: * @@ -398,18 +393,17 @@ static int xfs_extent_free_diff_items( void *priv, const struct list_head *a, const struct list_head *b) { - struct xfs_mount *mp = priv; struct xfs_extent_free_item *ra; struct xfs_extent_free_item *rb; ra = container_of(a, struct xfs_extent_free_item, xefi_list); rb = container_of(b, struct xfs_extent_free_item, xefi_list); - return XFS_FSB_TO_AGNO(mp, ra->xefi_startblock) - - XFS_FSB_TO_AGNO(mp, rb->xefi_startblock); + + return ra->xefi_pag->pag_agno - rb->xefi_pag->pag_agno; } /* Log a free extent to the intent item. */ STATIC void xfs_extent_free_log_item( @@ -464,44 +458,68 @@ xfs_extent_free_create_done( unsigned int count) { return &xfs_trans_get_efd(tp, EFI_ITEM(intent), count)->efd_item; } +/* Take a passive ref to the AG containing the space we're freeing. */ +void +xfs_extent_free_get_group( + struct xfs_mount *mp, + struct xfs_extent_free_item *xefi) +{ + xfs_agnumber_t agno; + + agno = XFS_FSB_TO_AGNO(mp, xefi->xefi_startblock); + xefi->xefi_pag = xfs_perag_get(mp, agno); +} + +/* Release a passive AG ref after some freeing work. */ +static inline void +xfs_extent_free_put_group( + struct xfs_extent_free_item *xefi) +{ + xfs_perag_put(xefi->xefi_pag); +} + /* Process a free extent. */ STATIC int xfs_extent_free_finish_item( struct xfs_trans *tp, struct xfs_log_item *done, struct list_head *item, struct xfs_btree_cur **state) { struct xfs_extent_free_item *xefi; int error; xefi = container_of(item, struct xfs_extent_free_item, xefi_list); error = xfs_trans_free_extent(tp, EFD_ITEM(done), xefi); + + xfs_extent_free_put_group(xefi); kmem_cache_free(xfs_extfree_item_cache, xefi); return error; } /* Abort all pending EFIs. */ STATIC void xfs_extent_free_abort_intent( struct xfs_log_item *intent) { xfs_efi_release(EFI_ITEM(intent)); } /* Cancel a free extent. */ STATIC void xfs_extent_free_cancel_item( struct list_head *item) { struct xfs_extent_free_item *xefi; xefi = container_of(item, struct xfs_extent_free_item, xefi_list); + + xfs_extent_free_put_group(xefi); kmem_cache_free(xfs_extfree_item_cache, xefi); } const struct xfs_defer_op_type xfs_extent_free_defer_type = { .max_items = XFS_EFI_MAX_FAST_EXTENTS, @@ -528,46 +546,44 @@ xfs_agfl_free_finish_item( struct xfs_efd_log_item *efdp = EFD_ITEM(done); struct xfs_extent_free_item *xefi; struct xfs_extent *extp; struct xfs_buf *agbp; int error; - xfs_agnumber_t agno; xfs_agblock_t agbno; uint next_extent; - struct xfs_perag *pag; xefi = container_of(item, struct xfs_extent_free_item, xefi_list); ASSERT(xefi->xefi_blockcount == 1); - agno = XFS_FSB_TO_AGNO(mp, xefi->xefi_startblock); agbno = XFS_FSB_TO_AGBNO(mp, xefi->xefi_startblock); oinfo.oi_owner = xefi->xefi_owner; - trace_xfs_agfl_free_deferred(mp, agno, 0, agbno, xefi->xefi_blockcount); + trace_xfs_agfl_free_deferred(mp, xefi->xefi_pag->pag_agno, 0, agbno, + xefi->xefi_blockcount); - pag = xfs_perag_get(mp, agno); - error = xfs_alloc_read_agf(pag, tp, 0, &agbp); + error = xfs_alloc_read_agf(xefi->xefi_pag, tp, 0, &agbp); if (!error) - error = xfs_free_agfl_block(tp, agno, agbno, agbp, &oinfo); - xfs_perag_put(pag); + error = xfs_free_agfl_block(tp, xefi->xefi_pag->pag_agno, + agbno, agbp, &oinfo); /* * Mark the transaction dirty, even on error. This ensures the * transaction is aborted, which: * * 1.) releases the EFI and frees the EFD * 2.) shuts down the filesystem */ tp->t_flags |= XFS_TRANS_DIRTY; set_bit(XFS_LI_DIRTY, &efdp->efd_item.li_flags); next_extent = efdp->efd_next_extent; ASSERT(next_extent < efdp->efd_format.efd_nextents); extp = &(efdp->efd_format.efd_extents[next_extent]); extp->ext_start = xefi->xefi_startblock; extp->ext_len = xefi->xefi_blockcount; efdp->efd_next_extent++; + xfs_extent_free_put_group(xefi); kmem_cache_free(xfs_extfree_item_cache, xefi); return error; } /* sub-type with special handling for AGFL deferred frees */ @@ -640,11 +656,13 @@ xfs_efi_item_recover( extp = &efip->efi_format.efi_extents[i]; fake.xefi_startblock = extp->ext_start; fake.xefi_blockcount = extp->ext_len; + xfs_extent_free_get_group(mp, &fake); error = xfs_trans_free_extent(tp, efdp, &fake); + xfs_extent_free_put_group(&fake); if (error == -EFSCORRUPTED) XFS_CORRUPTION_ERROR(__func__, XFS_ERRLEVEL_LOW, mp, extp, sizeof(*extp)); if (error) goto abort_error; -- 2.49.0.472.ge94155a9ec-goog

2 months, 3 weeks

3
2
0 0

[PATCH 6.6.y] reset: starfive: jh71x0: Fix accessing the empty member on JH7110 SoC

by jianqi.ren.cn＠windriver.com

From: Changhuang Liang <changhuang.liang(a)starfivetech.com> [ Upstream commit 2cf59663660799ce16f4dfbed97cdceac7a7fa11 ] data->asserted will be NULL on JH7110 SoC since commit 82327b127d41 ("reset: starfive: Add StarFive JH7110 reset driver") was added. Add the judgment condition to avoid errors when calling reset_control_status on JH7110 SoC. Fixes: 82327b127d41 ("reset: starfive: Add StarFive JH7110 reset driver") Signed-off-by: Changhuang Liang <changhuang.liang(a)starfivetech.com> Acked-by: Hal Feng <hal.feng(a)starfivetech.com> Reviewed-by: Philipp Zabel <p.zabel(a)pengutronix.de> Link: https://lore.kernel.org/r/20240925112442.1732416-1-changhuang.liang@starfiv… Signed-off-by: Philipp Zabel <p.zabel(a)pengutronix.de> Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- drivers/reset/starfive/reset-starfive-jh71x0.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/reset/starfive/reset-starfive-jh71x0.c b/drivers/reset/starfive/reset-starfive-jh71x0.c index 55bbbd2de52c..29ce3486752f 100644 --- a/drivers/reset/starfive/reset-starfive-jh71x0.c +++ b/drivers/reset/starfive/reset-starfive-jh71x0.c @@ -94,6 +94,9 @@ static int jh71x0_reset_status(struct reset_controller_dev *rcdev, void __iomem *reg_status = data->status + offset * sizeof(u32); u32 value = readl(reg_status); + if (!data->asserted) + return !(value & mask); + return !((value ^ data->asserted[offset]) & mask); } -- 2.25.1

2 months, 3 weeks

2
1
0 0

[PATCH 6.6.y] scsi: ufs: qcom: Only free platform MSIs when ESI is enabled

by jianqi.ren.cn＠windriver.com

From: Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> commit 64506b3d23a337e98a74b18dcb10c8619365f2bd upstream. Otherwise, it will result in a NULL pointer dereference as below: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Call trace: mutex_lock+0xc/0x54 platform_device_msi_free_irqs_all+0x14/0x20 ufs_qcom_remove+0x34/0x48 [ufs_qcom] platform_remove+0x28/0x44 device_remove+0x4c/0x80 device_release_driver_internal+0xd8/0x178 driver_detach+0x50/0x9c bus_remove_driver+0x6c/0xbc driver_unregister+0x30/0x60 platform_driver_unregister+0x14/0x20 ufs_qcom_pltform_exit+0x18/0xb94 [ufs_qcom] __arm64_sys_delete_module+0x180/0x260 invoke_syscall+0x44/0x100 el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xdc el0t_64_sync_handler+0xc0/0xc4 el0t_64_sync+0x190/0x194 Cc: stable(a)vger.kernel.org # 6.3 Fixes: 519b6274a777 ("scsi: ufs: qcom: Add MCQ ESI config vendor specific ops") Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> Link: https://lore.kernel.org/r/20241111-ufs_bug_fix-v1-2-45ad8b62f02e@linaro.org Reviewed-by: Bean Huo <beanhuo(a)micron.com> Reviewed-by: Bart Van Assche <bvanassche(a)acm.org> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- drivers/ufs/host/ufs-qcom.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/ufs/host/ufs-qcom.c b/drivers/ufs/host/ufs-qcom.c index c5a6b133d364..51ed40529f9a 100644 --- a/drivers/ufs/host/ufs-qcom.c +++ b/drivers/ufs/host/ufs-qcom.c @@ -1918,10 +1918,12 @@ static int ufs_qcom_probe(struct platform_device *pdev) static int ufs_qcom_remove(struct platform_device *pdev) { struct ufs_hba *hba = platform_get_drvdata(pdev); + struct ufs_qcom_host *host = ufshcd_get_variant(hba); pm_runtime_get_sync(&(pdev)->dev); ufshcd_remove(hba); - platform_msi_domain_free_irqs(hba->dev); + if (host->esi_enabled) + platform_msi_domain_free_irqs(hba->dev); return 0; } -- 2.25.1

2 months, 3 weeks

2
1
0 0

[PATCH 5.10] gso: fix udp gso fraglist segmentation after pull from frag_list

by Alexey Nepomnyashih

From: Willem de Bruijn <willemb(a)google.com> commit a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab upstream. Detect gso fraglist skbs with corrupted geometry (see below) and pass these to skb_segment instead of skb_segment_list, as the first can segment them correctly. Valid SKB_GSO_FRAGLIST skbs - consist of two or more segments - the head_skb holds the protocol headers plus first gso_size - one or more frag_list skbs hold exactly one segment - all but the last must be gso_size Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can modify these skbs, breaking these invariants. In extreme cases they pull all data into skb linear. For UDP, this causes a NULL ptr deref in __udpv4_gso_segment_list_csum at udp_hdr(seg->next)->dest. Detect invalid geometry due to pull, by checking head_skb size. Don't just drop, as this may blackhole a destination. Convert to be able to pass to regular skb_segment. Link: https://lore.kernel.org/netdev/20240428142913.18666-1-shiming.cheng@mediate… Fixes: 9fd1ff5d2ac7 ("udp: Support UDP fraglist GRO/GSO.") Signed-off-by: Willem de Bruijn <willemb(a)google.com> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20241001171752.107580-1-willemdebruijn.kernel@gmai… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Alexey Nepomnyashih <sdl(a)nppct.ru> --- net/ipv4/udp_offload.c | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c index b6952b88b505..515d591d00b9 100644 --- a/net/ipv4/udp_offload.c +++ b/net/ipv4/udp_offload.c @@ -8,6 +8,7 @@ #include <linux/skbuff.h> #include <net/udp.h> +#include <net/ip6_checksum.h> #include <net/protocol.h> #include <net/inet_common.h> @@ -269,8 +270,26 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb, __sum16 check; __be16 newlen; - if (skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST) - return __udp_gso_segment_list(gso_skb, features, is_ipv6); + if (skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST) { + /* Detect modified geometry and pass those to skb_segment. */ + if (skb_pagelen(gso_skb) - sizeof(*uh) == skb_shinfo(gso_skb)->gso_size) + return __udp_gso_segment_list(gso_skb, features, is_ipv6); + + /* Setup csum, as fraglist skips this in udp4_gro_receive. */ + gso_skb->csum_start = skb_transport_header(gso_skb) - gso_skb->head; + gso_skb->csum_offset = offsetof(struct udphdr, check); + gso_skb->ip_summed = CHECKSUM_PARTIAL; + + uh = udp_hdr(gso_skb); + if (is_ipv6) + uh->check = ~udp_v6_check(gso_skb->len, + &ipv6_hdr(gso_skb)->saddr, + &ipv6_hdr(gso_skb)->daddr, 0); + else + uh->check = ~udp_v4_check(gso_skb->len, + ip_hdr(gso_skb)->saddr, + ip_hdr(gso_skb)->daddr, 0); + } mss = skb_shinfo(gso_skb)->gso_size; if (gso_skb->len <= sizeof(*uh) + mss) -- 2.43.0

2 months, 3 weeks

2
1
0 0

[PATCH 2/2] accel/ivpu: Fix PM related deadlocks in MS IOCTLs

by Maciej Falkowski

From: Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> Prevent runtime resume/suspend while MS IOCTLs are in progress. Failed suspend will call ivpu_ms_cleanup() that would try to acquire file_priv->ms_lock, which is already held by the IOCTLs. Fixes: cdfad4db7756 ("accel/ivpu: Add NPU profiling support") Cc: <stable(a)vger.kernel.org> # v6.11+ Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> Signed-off-by: Maciej Falkowski <maciej.falkowski(a)linux.intel.com> --- drivers/accel/ivpu/ivpu_debugfs.c | 4 ++-- drivers/accel/ivpu/ivpu_ms.c | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/drivers/accel/ivpu/ivpu_debugfs.c b/drivers/accel/ivpu/ivpu_debugfs.c index 0825851656a2..f0dad0c9ce33 100644 --- a/drivers/accel/ivpu/ivpu_debugfs.c +++ b/drivers/accel/ivpu/ivpu_debugfs.c @@ -332,7 +332,7 @@ ivpu_force_recovery_fn(struct file *file, const char __user *user_buf, size_t si return -EINVAL; ret = ivpu_rpm_get(vdev); - if (ret) + if (ret < 0) return ret; ivpu_pm_trigger_recovery(vdev, "debugfs"); @@ -383,7 +383,7 @@ static int dct_active_set(void *data, u64 active_percent) return -EINVAL; ret = ivpu_rpm_get(vdev); - if (ret) + if (ret < 0) return ret; if (active_percent) diff --git a/drivers/accel/ivpu/ivpu_ms.c b/drivers/accel/ivpu/ivpu_ms.c index eb485cf15ad6..2a043baf10ca 100644 --- a/drivers/accel/ivpu/ivpu_ms.c +++ b/drivers/accel/ivpu/ivpu_ms.c @@ -45,6 +45,10 @@ int ivpu_ms_start_ioctl(struct drm_device *dev, void *data, struct drm_file *fil args->sampling_period_ns < MS_MIN_SAMPLE_PERIOD_NS) return -EINVAL; + ret = ivpu_rpm_get(vdev); + if (ret < 0) + return ret; + mutex_lock(&file_priv->ms_lock); if (get_instance_by_mask(file_priv, args->metric_group_mask)) { @@ -97,6 +101,8 @@ int ivpu_ms_start_ioctl(struct drm_device *dev, void *data, struct drm_file *fil kfree(ms); unlock: mutex_unlock(&file_priv->ms_lock); + + ivpu_rpm_put(vdev); return ret; } @@ -161,6 +167,10 @@ int ivpu_ms_get_data_ioctl(struct drm_device *dev, void *data, struct drm_file * if (!args->metric_group_mask) return -EINVAL; + ret = ivpu_rpm_get(vdev); + if (ret < 0) + return ret; + mutex_lock(&file_priv->ms_lock); ms = get_instance_by_mask(file_priv, args->metric_group_mask); @@ -188,6 +198,7 @@ int ivpu_ms_get_data_ioctl(struct drm_device *dev, void *data, struct drm_file * unlock: mutex_unlock(&file_priv->ms_lock); + ivpu_rpm_put(vdev); return ret; } @@ -205,11 +216,17 @@ int ivpu_ms_stop_ioctl(struct drm_device *dev, void *data, struct drm_file *file { struct ivpu_file_priv *file_priv = file->driver_priv; struct drm_ivpu_metric_streamer_stop *args = data; + struct ivpu_device *vdev = file_priv->vdev; struct ivpu_ms_instance *ms; + int ret; if (!args->metric_group_mask) return -EINVAL; + ret = ivpu_rpm_get(vdev); + if (ret < 0) + return ret; + mutex_lock(&file_priv->ms_lock); ms = get_instance_by_mask(file_priv, args->metric_group_mask); @@ -218,6 +235,7 @@ int ivpu_ms_stop_ioctl(struct drm_device *dev, void *data, struct drm_file *file mutex_unlock(&file_priv->ms_lock); + ivpu_rpm_put(vdev); return ms ? 0 : -EINVAL; } -- 2.43.0

2 months, 3 weeks

2
1
0 0

[PATCH 1/2] accel/ivpu: Fix deadlock in ivpu_ms_cleanup()

by Maciej Falkowski

From: Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> Fix deadlock in ivpu_ms_cleanup() by preventing runtime resume after file_priv->ms_lock is acquired. During a failure in runtime resume, a cold boot is executed, which calls ivpu_ms_cleanup_all(). This function calls ivpu_ms_cleanup() that acquires file_priv->ms_lock and causes the deadlock. Fixes: cdfad4db7756 ("accel/ivpu: Add NPU profiling support") Cc: <stable(a)vger.kernel.org> # v6.11+ Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> Signed-off-by: Maciej Falkowski <maciej.falkowski(a)linux.intel.com> --- drivers/accel/ivpu/ivpu_ms.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/accel/ivpu/ivpu_ms.c b/drivers/accel/ivpu/ivpu_ms.c index ffe7b10f8a76..eb485cf15ad6 100644 --- a/drivers/accel/ivpu/ivpu_ms.c +++ b/drivers/accel/ivpu/ivpu_ms.c @@ -4,6 +4,7 @@ */ #include <drm/drm_file.h> +#include <linux/pm_runtime.h> #include "ivpu_drv.h" #include "ivpu_gem.h" @@ -281,6 +282,9 @@ int ivpu_ms_get_info_ioctl(struct drm_device *dev, void *data, struct drm_file * void ivpu_ms_cleanup(struct ivpu_file_priv *file_priv) { struct ivpu_ms_instance *ms, *tmp; + struct ivpu_device *vdev = file_priv->vdev; + + pm_runtime_get_sync(vdev->drm.dev); mutex_lock(&file_priv->ms_lock); @@ -293,6 +297,8 @@ void ivpu_ms_cleanup(struct ivpu_file_priv *file_priv) free_instance(file_priv, ms); mutex_unlock(&file_priv->ms_lock); + + pm_runtime_put_autosuspend(vdev->drm.dev); } void ivpu_ms_cleanup_all(struct ivpu_device *vdev) -- 2.43.0

2 months, 3 weeks

3
5
0 0

[PATCH 6.6 00/76] 6.6.85-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.85 release. There are 76 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 28 Mar 2025 15:43:33 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.85-rc2… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.85-rc2 Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> netfilter: nft_counter: Use u64_stats_t for statistic. Benjamin Berg <benjamin.berg(a)intel.com> wifi: iwlwifi: mvm: ensure offloading TID queue exists Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: iwlwifi: support BIOS override for 5G9 in CA also in LARI version 8 Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix receive ring space parameters when XDP is active Josef Bacik <josef(a)toxicpanda.com> btrfs: make sure that WRITTEN is set on all metadata blocks Dietmar Eggemann <dietmar.eggemann(a)arm.com> Revert "sched/core: Reduce cost of sched_move_task when config autogroup" Justin Klaassen <justin(a)tidylabs.net> arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Eagerly switch ZCR_EL{1,2} Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Mark some header functions as inline Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Refactor exit handlers Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Remove VHE host restore of CPACR_EL1.SMEN Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Remove VHE host restore of CPACR_EL1.ZEN Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Remove host FPSIMD saving for non-protected KVM Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state Fuad Tabba <tabba(a)google.com> KVM: arm64: Calculate cptr_el2 traps on activating traps Arthur Mongodin <amongodin(a)randorisec.fr> mptcp: Fix data stream corruption in the address announcement Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix incorrect validation for num_aces field of smb_acl Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Use HW lock mgr for PSR1 when only one eDP Martin Tsai <martin.tsai(a)amd.com> drm/amd/display: should support dmub hw lock on Replay David Rosca <david.rosca(a)amd.com> drm/amdgpu: Fix JPEG video caps max size for navi1x and raven David Rosca <david.rosca(a)amd.com> drm/amdgpu: Fix MPEG2, MPEG4 and VC1 video caps max size qianyi liu <liuqianyi125(a)gmail.com> drm/sched: Fix fence reference count leak Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() Saranya R <quic_sarar(a)quicinc.com> soc: qcom: pdr: Fix the potential deadlock Sven Eckelmann <sven(a)narfation.org> batman-adv: Ignore own maximum aggregation size during RX Gavrilov Ilia <Ilia.Gavrilov(a)infotecs.ru> xsk: fix an integer overflow in xp_create_and_assign_umem() Ard Biesheuvel <ardb(a)kernel.org> efi/libstub: Avoid physical address 0x0 when doing random allocation Geert Uytterhoeven <geert+renesas(a)glider.be> ARM: shmobile: smp: Enforce shmobile_smp_* alignment Stefan Eichenberger <stefan.eichenberger(a)toradex.com> ARM: dts: imx6qdl-apalis: Fix poweroff on Apalis iMX6 Shakeel Butt <shakeel.butt(a)linux.dev> memcg: drain obj stock on cpu hotplug teardown Ye Bin <yebin10(a)huawei.com> proc: fix UAF in proc_get_inode() Zi Yan <ziy(a)nvidia.com> mm/migrate: fix shmem xarray update during migration Raphael S. Carvalho <raphaelsc(a)scylladb.com> mm: fix error handling in __filemap_get_folio() with FGP_NOWAIT Gu Bowen <gubowen5(a)huawei.com> mmc: atmel-mci: Add missing clk_disable_unprepare() Kamal Dasu <kamal.dasu(a)broadcom.com> mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: fix pinmux of UART0 for PX30 Ringneck on Haikou Stefan Eichenberger <stefan.eichenberger(a)toradex.com> arm64: dts: freescale: imx8mm-verdin-dahlia: add Microphone Jack to sound card Stefan Eichenberger <stefan.eichenberger(a)toradex.com> arm64: dts: freescale: imx8mp-verdin-dahlia: add Microphone Jack to sound card Dan Carpenter <dan.carpenter(a)linaro.org> accel/qaic: Fix integer overflow in qaic_validate_req() Christian Eggers <ceggers(a)arri.de> regulator: check that dummy regulator has been probed before using it Christian Eggers <ceggers(a)arri.de> regulator: dummy: force synchronous probing E Shattow <e(a)freeshell.de> riscv: dts: starfive: Fix a typo in StarFive JH7110 pin function definitions Maíra Canal <mcanal(a)igalia.com> drm/v3d: Don't run jobs that have errors flagged in its fence Haibo Chen <haibo.chen(a)nxp.com> can: flexcan: disable transceiver during system PM Haibo Chen <haibo.chen(a)nxp.com> can: flexcan: only change CAN state when link up in system PM Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> can: ucan: fix out of bound read in strscpy() source Biju Das <biju.das.jz(a)bp.renesas.com> can: rcar_canfd: Fix page entries in the AFL list Andreas Kemnade <andreas(a)kemnade.info> i2c: omap: fix IRQ storms Guillaume Nault <gnault(a)redhat.com> Revert "gre: Fix IPv6 link-local address generation." Lin Ma <linma(a)zju.edu.cn> net/neighbor: add missing policy for NDTPA_QUEUE_LENBYTES Justin Iurman <justin.iurman(a)uliege.be> net: lwtunnel: fix recursion loops Dan Carpenter <dan.carpenter(a)linaro.org> net: atm: fix use after free in lec_send() Kuniyuki Iwashima <kuniyu(a)amazon.com> ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create(). Kuniyuki Iwashima <kuniyu(a)amazon.com> ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw(). David Lechner <dlechner(a)baylibre.com> ARM: davinci: da850: fix selecting ARCH_DAVINCI_DA8XX Jeffrey Hugo <quic_jhugo(a)quicinc.com> accel/qaic: Fix possible data corruption in BOs > 2G Arkadiusz Bokowy <arkadiusz.bokowy(a)gmail.com> Bluetooth: hci_event: Fix connection regression between LE and non-LE adapters Dan Carpenter <dan.carpenter(a)linaro.org> Bluetooth: Fix error code in chan_alloc_skb_cb() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix wrong value of max_sge_rd Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix a missing rollback in error path of hns_roce_create_qp_common() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix unmatched condition in error path of alloc_user_qp_db() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix soft lockup during bt pages loop Saravanan Vajravel <saravanan.vajravel(a)broadcom.com> RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path Phil Elwell <phil(a)raspberrypi.com> ARM: dts: bcm2711: Don't mark timer regs unconfigured Arnd Bergmann <arnd(a)arndb.de> ARM: OMAP1: select CONFIG_GENERIC_IRQ_CHIP Qasim Ijaz <qasdev00(a)gmail.com> RDMA/mlx5: Handle errors returned from mlx5r_ib_rate() Kashyap Desai <kashyap.desai(a)broadcom.com> RDMA/bnxt_re: Add missing paranthesis in map_qp_id_to_tbl_indx Yao Zi <ziyao(a)disroot.org> arm64: dts: rockchip: Remove undocumented sdmmc property from lubancat-1 Phil Elwell <phil(a)raspberrypi.com> ARM: dts: bcm2711: PL011 UARTs are actually r1p5 Peng Fan <peng.fan(a)nxp.com> soc: imx8m: Unregister cpufreq and soc dev in cleanup path Marek Vasut <marex(a)denx.de> soc: imx8m: Use devm_* to simplify probe failure handling Marek Vasut <marex(a)denx.de> soc: imx8m: Remove global soc_uid Cosmin Ratiu <cratiu(a)nvidia.com> xfrm_output: Force software GSO only in tunnel mode Alexandre Cassen <acassen(a)corp.free.fr> xfrm: fix tunnel mode TX datapath in packet offload mode Alexander Stein <alexander.stein(a)ew.tq-group.com> arm64: dts: freescale: tqma8mpql: Fix vqmmc-supply Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> firmware: imx-scu: fix OF node leak in .probe() ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/broadcom/bcm2711.dtsi | 11 +- arch/arm/boot/dts/nxp/imx/imx6qdl-apalis.dtsi | 10 +- arch/arm/mach-davinci/Kconfig | 1 + arch/arm/mach-omap1/Kconfig | 1 + arch/arm/mach-shmobile/headsmp.S | 1 + .../boot/dts/freescale/imx8mm-verdin-dahlia.dtsi | 6 +- .../arm64/boot/dts/freescale/imx8mp-tqma8mpql.dtsi | 16 +-- .../boot/dts/freescale/imx8mp-verdin-dahlia.dtsi | 6 +- .../boot/dts/rockchip/px30-ringneck-haikou.dts | 2 + arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dts | 2 +- arch/arm64/boot/dts/rockchip/rk3566-lubancat-1.dts | 1 - arch/arm64/include/asm/kvm_host.h | 7 +- arch/arm64/include/asm/kvm_hyp.h | 1 + arch/arm64/kernel/fpsimd.c | 25 ---- arch/arm64/kvm/arm.c | 1 - arch/arm64/kvm/fpsimd.c | 89 +++--------- arch/arm64/kvm/hyp/entry.S | 5 + arch/arm64/kvm/hyp/include/hyp/switch.h | 106 ++++++++++----- arch/arm64/kvm/hyp/nvhe/hyp-main.c | 15 +- arch/arm64/kvm/hyp/nvhe/pkvm.c | 29 +--- arch/arm64/kvm/hyp/nvhe/switch.c | 112 ++++++++++----- arch/arm64/kvm/hyp/vhe/switch.c | 13 +- arch/arm64/kvm/reset.c | 3 + arch/riscv/boot/dts/starfive/jh7110-pinfunc.h | 2 +- drivers/accel/qaic/qaic_data.c | 9 +- drivers/firmware/efi/libstub/randomalloc.c | 4 + drivers/firmware/imx/imx-scu.c | 1 + drivers/gpu/drm/amd/amdgpu/nv.c | 20 +-- drivers/gpu/drm/amd/amdgpu/soc15.c | 20 +-- drivers/gpu/drm/amd/amdgpu/vi.c | 36 ++--- .../gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c | 15 ++ drivers/gpu/drm/radeon/radeon_vce.c | 2 +- drivers/gpu/drm/scheduler/sched_entity.c | 11 +- drivers/gpu/drm/v3d/v3d_sched.c | 9 +- drivers/i2c/busses/i2c-omap.c | 26 +--- drivers/infiniband/hw/bnxt_re/qplib_fp.c | 2 - drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 3 +- drivers/infiniband/hw/hns/hns_roce_hem.c | 16 ++- drivers/infiniband/hw/hns/hns_roce_main.c | 2 +- drivers/infiniband/hw/hns/hns_roce_qp.c | 10 +- drivers/infiniband/hw/mlx5/ah.c | 14 +- drivers/mmc/host/atmel-mci.c | 4 +- drivers/mmc/host/sdhci-brcmstb.c | 10 ++ drivers/net/can/flexcan/flexcan-core.c | 18 ++- drivers/net/can/rcar/rcar_canfd.c | 28 ++-- drivers/net/can/usb/ucan.c | 43 +++--- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 +- drivers/net/wireless/intel/iwlwifi/fw/file.h | 4 +- drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 9 +- drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 37 ++++- drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 28 ++++ drivers/net/wireless/intel/iwlwifi/mvm/sta.h | 3 +- drivers/regulator/core.c | 12 +- drivers/regulator/dummy.c | 2 +- drivers/soc/imx/soc-imx8m.c | 151 ++++++++++----------- drivers/soc/qcom/pdr_interface.c | 8 +- fs/btrfs/tree-checker.c | 30 ++-- fs/btrfs/tree-checker.h | 1 + fs/proc/generic.c | 10 +- fs/proc/inode.c | 6 +- fs/proc/internal.h | 14 ++ fs/smb/server/smbacl.c | 5 +- include/linux/proc_fs.h | 7 +- include/net/bluetooth/hci.h | 2 +- kernel/sched/core.c | 22 +-- mm/filemap.c | 13 +- mm/memcontrol.c | 9 ++ mm/migrate.c | 10 +- net/atm/lec.c | 3 +- net/batman-adv/bat_iv_ogm.c | 3 +- net/batman-adv/bat_v_ogm.c | 3 +- net/bluetooth/6lowpan.c | 7 +- net/core/lwtunnel.c | 65 +++++++-- net/core/neighbour.c | 1 + net/ipv6/addrconf.c | 15 +- net/ipv6/route.c | 5 +- net/mptcp/options.c | 6 +- net/netfilter/nft_counter.c | 90 ++++++------ net/xdp/xsk_buff_pool.c | 2 +- net/xfrm/xfrm_output.c | 43 +++++- 81 files changed, 808 insertions(+), 600 deletions(-)

2 months, 3 weeks

9
12
0 0

FAILED: patch "[PATCH] memcg: drain obj stock on cpu hotplug teardown" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 9f01b4954490d4ccdbcc2b9be34a9921ceee9cbb # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032853-copy-crank-1c82@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9f01b4954490d4ccdbcc2b9be34a9921ceee9cbb Mon Sep 17 00:00:00 2001 From: Shakeel Butt <shakeel.butt(a)linux.dev> Date: Mon, 10 Mar 2025 16:09:34 -0700 Subject: [PATCH] memcg: drain obj stock on cpu hotplug teardown Currently on cpu hotplug teardown, only memcg stock is drained but we need to drain the obj stock as well otherwise we will miss the stats accumulated on the target cpu as well as the nr_bytes cached. The stats include MEMCG_KMEM, NR_SLAB_RECLAIMABLE_B & NR_SLAB_UNRECLAIMABLE_B. In addition we are leaking reference to struct obj_cgroup object. Link: https://lkml.kernel.org/r/20250310230934.2913113-1-shakeel.butt@linux.dev Fixes: bf4f059954dc ("mm: memcg/slab: obj_cgroup API") Signed-off-by: Shakeel Butt <shakeel.butt(a)linux.dev> Reviewed-by: Roman Gushchin <roman.gushchin(a)linux.dev> Acked-by: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Michal Hocko <mhocko(a)kernel.org> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/memcontrol.c b/mm/memcontrol.c index 8f9b35f80e24..a037ec92881d 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -1921,9 +1921,18 @@ void drain_all_stock(struct mem_cgroup *root_memcg) static int memcg_hotplug_cpu_dead(unsigned int cpu) { struct memcg_stock_pcp *stock; + struct obj_cgroup *old; + unsigned long flags; stock = &per_cpu(memcg_stock, cpu); + + /* drain_obj_stock requires stock_lock */ + local_lock_irqsave(&memcg_stock.stock_lock, flags); + old = drain_obj_stock(stock); + local_unlock_irqrestore(&memcg_stock.stock_lock, flags); + drain_stock(stock); + obj_cgroup_put(old); return 0; }

2 months, 3 weeks

1
0
0 0