- Linux-stable-mirror - lists.linaro.org

[PATCH 2/2] soc: qcom: pbs: fix device leak on lookup

by Johan Hovold

Make sure to drop the reference taken to the pbs platform device when looking up its driver data. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. Fixes: 5b2dd77be1d8 ("soc: qcom: add QCOM PBS driver") Cc: stable(a)vger.kernel.org # 6.9 Cc: Anjelique Melendez <quic_amelende(a)quicinc.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/soc/qcom/qcom-pbs.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/soc/qcom/qcom-pbs.c b/drivers/soc/qcom/qcom-pbs.c index 1cc5d045f9dd..06b4a596e275 100644 --- a/drivers/soc/qcom/qcom-pbs.c +++ b/drivers/soc/qcom/qcom-pbs.c @@ -173,6 +173,8 @@ struct pbs_dev *get_pbs_client_device(struct device *dev) return ERR_PTR(-EINVAL); } + platform_device_put(pdev); + return pbs; } EXPORT_SYMBOL_GPL(get_pbs_client_device); -- 2.49.1

6 days, 2 hours

2
1
0 0

[PATCH V2] LoongArch: Align ACPI structures if ARCH_STRICT_ALIGN enabled

by Huacai Chen

ARCH_STRICT_ALIGN is used for hardware without UAL, now it only control the -mstrict-align flag. However, ACPI structures are packed by default so will cause unaligned accesses. To avoid this, define ACPI_MISALIGNMENT_NOT_SUPPORTED in asm/acenv.h to align ACPI structures if ARCH_STRICT_ALIGN enabled. Cc: stable(a)vger.kernel.org Reported-by: Binbin Zhou <zhoubinbin(a)loongson.cn> Suggested-by: Xi Ruoyao <xry111(a)xry111.site> Suggested-by: Jiaxun Yang <jiaxun.yang(a)flygoat.com> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- V2: Modify asm/acenv.h instead of Makefile. arch/loongarch/include/asm/acenv.h | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/arch/loongarch/include/asm/acenv.h b/arch/loongarch/include/asm/acenv.h index 52f298f7293b..483c955f2ae5 100644 --- a/arch/loongarch/include/asm/acenv.h +++ b/arch/loongarch/include/asm/acenv.h @@ -10,9 +10,8 @@ #ifndef _ASM_LOONGARCH_ACENV_H #define _ASM_LOONGARCH_ACENV_H -/* - * This header is required by ACPI core, but we have nothing to fill in - * right now. Will be updated later when needed. - */ +#ifdef CONFIG_ARCH_STRICT_ALIGN +#define ACPI_MISALIGNMENT_NOT_SUPPORTED +#endif /* CONFIG_ARCH_STRICT_ALIGN */ #endif /* _ASM_LOONGARCH_ACENV_H */ -- 2.47.3

6 days, 2 hours

6
7
0 0

[PATCH 1/2] soc: apple: mailbox: fix device leak on lookup

by Johan Hovold

Make sure to drop the reference taken to the mbox platform device when looking up its driver data. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. Fixes: 6e1457fcad3f ("soc: apple: mailbox: Add ASC/M3 mailbox driver") Cc: stable(a)vger.kernel.org # 6.8 Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/soc/apple/mailbox.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/drivers/soc/apple/mailbox.c b/drivers/soc/apple/mailbox.c index 49a0955e82d6..1685da1da23d 100644 --- a/drivers/soc/apple/mailbox.c +++ b/drivers/soc/apple/mailbox.c @@ -299,11 +299,18 @@ struct apple_mbox *apple_mbox_get(struct device *dev, int index) return ERR_PTR(-EPROBE_DEFER); mbox = platform_get_drvdata(pdev); - if (!mbox) - return ERR_PTR(-EPROBE_DEFER); + if (!mbox) { + mbox = ERR_PTR(-EPROBE_DEFER); + goto out_put_pdev; + } + + if (!device_link_add(dev, &pdev->dev, DL_FLAG_AUTOREMOVE_CONSUMER)) { + mbox = ERR_PTR(-ENODEV); + goto out_put_pdev; + } - if (!device_link_add(dev, &pdev->dev, DL_FLAG_AUTOREMOVE_CONSUMER)) - return ERR_PTR(-ENODEV); +out_put_pdev: + put_device(&pdev->dev); return mbox; } -- 2.49.1

6 days, 3 hours

2
1
0 0

[PATCH v7 1/3] drm/buddy: Optimize free block management with RB tree

by Arunpravin Paneer Selvam

Replace the freelist (O(n)) used for free block management with a red-black tree, providing more efficient O(log n) search, insert, and delete operations. This improves scalability and performance when managing large numbers of free blocks per order (e.g., hundreds or thousands). In the VK-CTS memory stress subtest, the buddy manager merges fragmented memory and inserts freed blocks into the freelist. Since freelist insertion is O(n), this becomes a bottleneck as fragmentation increases. Benchmarking shows list_insert_sorted() consumes ~52.69% CPU with the freelist, compared to just 0.03% with the RB tree (rbtree_insert.isra.0), despite performing the same sorted insert. This also improves performance in heavily fragmented workloads, such as games or graphics tests that stress memory. As the buddy allocator evolves with new features such as clear-page tracking, the resulting fragmentation and complexity have grown. These RB-tree based design changes are introduced to address that growth and ensure the allocator continues to perform efficiently under fragmented conditions. The RB tree implementation with separate clear/dirty trees provides: - O(n log n) aggregate complexity for all operations instead of O(n^2) - Elimination of soft lockups and system instability - Improved code maintainability and clarity - Better scalability for large memory systems - Predictable performance under fragmentation v3(Matthew): - Remove RB_EMPTY_NODE check in force_merge function. - Rename rb for loop macros to have less generic names and move to .c file. - Make the rb node rb and link field as union. v4(Jani Nikula): - The kernel-doc comment should be "/**" - Move all the rbtree macros to rbtree.h and add parens to ensure correct precedence. v5: - Remove the inline in a .c file (Jani Nikula). v6(Peter Zijlstra): - Add rb_add() function replacing the existing rbtree_insert() code. v7: - A full walk iteration in rbtree is slower than the list (Peter Zijlstra). - The existing rbtree_postorder_for_each_entry_safe macro should be used in scenarios where traversal order is not a critical factor (Christian). Cc: stable(a)vger.kernel.org Fixes: a68c7eaa7a8f ("drm/amdgpu: Enable clear page functionality") Signed-off-by: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam(a)amd.com> --- drivers/gpu/drm/drm_buddy.c | 188 ++++++++++++++++++++++-------------- include/drm/drm_buddy.h | 11 ++- 2 files changed, 124 insertions(+), 75 deletions(-) diff --git a/drivers/gpu/drm/drm_buddy.c b/drivers/gpu/drm/drm_buddy.c index a94061f373de..67aa67229cc3 100644 --- a/drivers/gpu/drm/drm_buddy.c +++ b/drivers/gpu/drm/drm_buddy.c @@ -14,6 +14,8 @@ static struct kmem_cache *slab_blocks; +#define rbtree_get_free_block(node) rb_entry((node), struct drm_buddy_block, rb) + static struct drm_buddy_block *drm_block_alloc(struct drm_buddy *mm, struct drm_buddy_block *parent, unsigned int order, @@ -31,6 +33,8 @@ static struct drm_buddy_block *drm_block_alloc(struct drm_buddy *mm, block->header |= order; block->parent = parent; + RB_CLEAR_NODE(&block->rb); + BUG_ON(block->header & DRM_BUDDY_HEADER_UNUSED); return block; } @@ -41,23 +45,49 @@ static void drm_block_free(struct drm_buddy *mm, kmem_cache_free(slab_blocks, block); } -static void list_insert_sorted(struct drm_buddy *mm, - struct drm_buddy_block *block) +static bool drm_buddy_block_offset_less(const struct drm_buddy_block *block, + const struct drm_buddy_block *node) { - struct drm_buddy_block *node; - struct list_head *head; + return drm_buddy_block_offset(block) < drm_buddy_block_offset(node); +} - head = &mm->free_list[drm_buddy_block_order(block)]; - if (list_empty(head)) { - list_add(&block->link, head); - return; - } +static bool rbtree_block_offset_less(struct rb_node *block, + const struct rb_node *node) +{ + return drm_buddy_block_offset_less(rbtree_get_free_block(block), + rbtree_get_free_block(node)); +} - list_for_each_entry(node, head, link) - if (drm_buddy_block_offset(block) < drm_buddy_block_offset(node)) - break; +static void rbtree_insert(struct drm_buddy *mm, + struct drm_buddy_block *block) +{ + rb_add(&block->rb, + &mm->free_tree[drm_buddy_block_order(block)], + rbtree_block_offset_less); +} + +static void rbtree_remove(struct drm_buddy *mm, + struct drm_buddy_block *block) +{ + struct rb_root *root; + + root = &mm->free_tree[drm_buddy_block_order(block)]; + rb_erase(&block->rb, root); - __list_add(&block->link, node->link.prev, &node->link); + RB_CLEAR_NODE(&block->rb); +} + +static struct drm_buddy_block * +rbtree_last_entry(struct drm_buddy *mm, unsigned int order) +{ + struct rb_node *node = rb_last(&mm->free_tree[order]); + + return node ? rb_entry(node, struct drm_buddy_block, rb) : NULL; +} + +static bool rbtree_is_empty(struct drm_buddy *mm, unsigned int order) +{ + return RB_EMPTY_ROOT(&mm->free_tree[order]); } static void clear_reset(struct drm_buddy_block *block) @@ -70,12 +100,13 @@ static void mark_cleared(struct drm_buddy_block *block) block->header |= DRM_BUDDY_HEADER_CLEAR; } -static void mark_allocated(struct drm_buddy_block *block) +static void mark_allocated(struct drm_buddy *mm, + struct drm_buddy_block *block) { block->header &= ~DRM_BUDDY_HEADER_STATE; block->header |= DRM_BUDDY_ALLOCATED; - list_del(&block->link); + rbtree_remove(mm, block); } static void mark_free(struct drm_buddy *mm, @@ -84,15 +115,16 @@ static void mark_free(struct drm_buddy *mm, block->header &= ~DRM_BUDDY_HEADER_STATE; block->header |= DRM_BUDDY_FREE; - list_insert_sorted(mm, block); + rbtree_insert(mm, block); } -static void mark_split(struct drm_buddy_block *block) +static void mark_split(struct drm_buddy *mm, + struct drm_buddy_block *block) { block->header &= ~DRM_BUDDY_HEADER_STATE; block->header |= DRM_BUDDY_SPLIT; - list_del(&block->link); + rbtree_remove(mm, block); } static inline bool overlaps(u64 s1, u64 e1, u64 s2, u64 e2) @@ -148,7 +180,7 @@ static unsigned int __drm_buddy_free(struct drm_buddy *mm, mark_cleared(parent); } - list_del(&buddy->link); + rbtree_remove(mm, buddy); if (force_merge && drm_buddy_block_is_clear(buddy)) mm->clear_avail -= drm_buddy_block_size(mm, buddy); @@ -179,13 +211,19 @@ static int __force_merge(struct drm_buddy *mm, return -EINVAL; for (i = min_order - 1; i >= 0; i--) { - struct drm_buddy_block *block, *prev; + struct rb_root *root = &mm->free_tree[i]; + struct rb_node *iter; + + iter = rb_last(root); - list_for_each_entry_safe_reverse(block, prev, &mm->free_list[i], link) { - struct drm_buddy_block *buddy; + while (iter) { + struct drm_buddy_block *block, *buddy; u64 block_start, block_end; - if (!block->parent) + block = rbtree_get_free_block(iter); + iter = rb_prev(iter); + + if (!block || !block->parent) continue; block_start = drm_buddy_block_offset(block); @@ -201,15 +239,10 @@ static int __force_merge(struct drm_buddy *mm, WARN_ON(drm_buddy_block_is_clear(block) == drm_buddy_block_is_clear(buddy)); - /* - * If the prev block is same as buddy, don't access the - * block in the next iteration as we would free the - * buddy block as part of the free function. - */ - if (prev == buddy) - prev = list_prev_entry(prev, link); + if (iter == &buddy->rb) + iter = rb_prev(iter); - list_del(&block->link); + rbtree_remove(mm, block); if (drm_buddy_block_is_clear(block)) mm->clear_avail -= drm_buddy_block_size(mm, block); @@ -258,14 +291,14 @@ int drm_buddy_init(struct drm_buddy *mm, u64 size, u64 chunk_size) BUG_ON(mm->max_order > DRM_BUDDY_MAX_ORDER); - mm->free_list = kmalloc_array(mm->max_order + 1, - sizeof(struct list_head), + mm->free_tree = kmalloc_array(mm->max_order + 1, + sizeof(struct rb_root), GFP_KERNEL); - if (!mm->free_list) + if (!mm->free_tree) return -ENOMEM; for (i = 0; i <= mm->max_order; ++i) - INIT_LIST_HEAD(&mm->free_list[i]); + mm->free_tree[i] = RB_ROOT; mm->n_roots = hweight64(size); @@ -273,7 +306,7 @@ int drm_buddy_init(struct drm_buddy *mm, u64 size, u64 chunk_size) sizeof(struct drm_buddy_block *), GFP_KERNEL); if (!mm->roots) - goto out_free_list; + goto out_free_tree; offset = 0; i = 0; @@ -312,8 +345,8 @@ int drm_buddy_init(struct drm_buddy *mm, u64 size, u64 chunk_size) while (i--) drm_block_free(mm, mm->roots[i]); kfree(mm->roots); -out_free_list: - kfree(mm->free_list); +out_free_tree: + kfree(mm->free_tree); return -ENOMEM; } EXPORT_SYMBOL(drm_buddy_init); @@ -323,7 +356,7 @@ EXPORT_SYMBOL(drm_buddy_init); * * @mm: DRM buddy manager to free * - * Cleanup memory manager resources and the freelist + * Cleanup memory manager resources and the freetree */ void drm_buddy_fini(struct drm_buddy *mm) { @@ -350,7 +383,7 @@ void drm_buddy_fini(struct drm_buddy *mm) WARN_ON(mm->avail != mm->size); kfree(mm->roots); - kfree(mm->free_list); + kfree(mm->free_tree); } EXPORT_SYMBOL(drm_buddy_fini); @@ -383,7 +416,7 @@ static int split_block(struct drm_buddy *mm, clear_reset(block); } - mark_split(block); + mark_split(mm, block); return 0; } @@ -412,7 +445,7 @@ EXPORT_SYMBOL(drm_get_buddy); * @is_clear: blocks clear state * * Reset the clear state based on @is_clear value for each block - * in the freelist. + * in the freetree. */ void drm_buddy_reset_clear(struct drm_buddy *mm, bool is_clear) { @@ -431,9 +464,9 @@ void drm_buddy_reset_clear(struct drm_buddy *mm, bool is_clear) } for (i = 0; i <= mm->max_order; ++i) { - struct drm_buddy_block *block; + struct drm_buddy_block *block, *tmp; - list_for_each_entry_reverse(block, &mm->free_list[i], link) { + rbtree_postorder_for_each_entry_safe(block, tmp, &mm->free_tree[i], rb) { if (is_clear != drm_buddy_block_is_clear(block)) { if (is_clear) { mark_cleared(block); @@ -639,14 +672,18 @@ get_maxblock(struct drm_buddy *mm, unsigned int order, unsigned int i; for (i = order; i <= mm->max_order; ++i) { + struct rb_node *iter = rb_last(&mm->free_tree[i]); struct drm_buddy_block *tmp_block; - list_for_each_entry_reverse(tmp_block, &mm->free_list[i], link) { - if (block_incompatible(tmp_block, flags)) - continue; + while (iter) { + tmp_block = rbtree_get_free_block(iter); - block = tmp_block; - break; + if (!block_incompatible(tmp_block, flags)) { + block = tmp_block; + break; + } + + iter = rb_prev(iter); } if (!block) @@ -667,7 +704,7 @@ get_maxblock(struct drm_buddy *mm, unsigned int order, } static struct drm_buddy_block * -alloc_from_freelist(struct drm_buddy *mm, +alloc_from_freetree(struct drm_buddy *mm, unsigned int order, unsigned long flags) { @@ -682,14 +719,18 @@ alloc_from_freelist(struct drm_buddy *mm, tmp = drm_buddy_block_order(block); } else { for (tmp = order; tmp <= mm->max_order; ++tmp) { + struct rb_node *iter = rb_last(&mm->free_tree[tmp]); struct drm_buddy_block *tmp_block; - list_for_each_entry_reverse(tmp_block, &mm->free_list[tmp], link) { - if (block_incompatible(tmp_block, flags)) - continue; + while (iter) { + tmp_block = rbtree_get_free_block(iter); - block = tmp_block; - break; + if (!block_incompatible(tmp_block, flags)) { + block = tmp_block; + break; + } + + iter = rb_prev(iter); } if (block) @@ -700,10 +741,8 @@ alloc_from_freelist(struct drm_buddy *mm, if (!block) { /* Fallback method */ for (tmp = order; tmp <= mm->max_order; ++tmp) { - if (!list_empty(&mm->free_list[tmp])) { - block = list_last_entry(&mm->free_list[tmp], - struct drm_buddy_block, - link); + if (!rbtree_is_empty(mm, tmp)) { + block = rbtree_last_entry(mm, tmp); if (block) break; } @@ -771,7 +810,7 @@ static int __alloc_range(struct drm_buddy *mm, if (contains(start, end, block_start, block_end)) { if (drm_buddy_block_is_free(block)) { - mark_allocated(block); + mark_allocated(mm, block); total_allocated += drm_buddy_block_size(mm, block); mm->avail -= drm_buddy_block_size(mm, block); if (drm_buddy_block_is_clear(block)) @@ -849,8 +888,8 @@ static int __alloc_contig_try_harder(struct drm_buddy *mm, { u64 rhs_offset, lhs_offset, lhs_size, filled; struct drm_buddy_block *block; - struct list_head *list; LIST_HEAD(blocks_lhs); + struct rb_node *iter; unsigned long pages; unsigned int order; u64 modify_size; @@ -862,11 +901,14 @@ static int __alloc_contig_try_harder(struct drm_buddy *mm, if (order == 0) return -ENOSPC; - list = &mm->free_list[order]; - if (list_empty(list)) + if (rbtree_is_empty(mm, order)) return -ENOSPC; - list_for_each_entry_reverse(block, list, link) { + iter = rb_last(&mm->free_tree[order]); + + while (iter) { + block = rbtree_get_free_block(iter); + /* Allocate blocks traversing RHS */ rhs_offset = drm_buddy_block_offset(block); err = __drm_buddy_alloc_range(mm, rhs_offset, size, @@ -891,6 +933,8 @@ static int __alloc_contig_try_harder(struct drm_buddy *mm, } /* Free blocks for the next iteration */ drm_buddy_free_list_internal(mm, blocks); + + iter = rb_prev(iter); } return -ENOSPC; @@ -976,7 +1020,7 @@ int drm_buddy_block_trim(struct drm_buddy *mm, list_add(&block->tmp_link, &dfs); err = __alloc_range(mm, &dfs, new_start, new_size, blocks, NULL); if (err) { - mark_allocated(block); + mark_allocated(mm, block); mm->avail -= drm_buddy_block_size(mm, block); if (drm_buddy_block_is_clear(block)) mm->clear_avail -= drm_buddy_block_size(mm, block); @@ -999,8 +1043,8 @@ __drm_buddy_alloc_blocks(struct drm_buddy *mm, return __drm_buddy_alloc_range_bias(mm, start, end, order, flags); else - /* Allocate from freelist */ - return alloc_from_freelist(mm, order, flags); + /* Allocate from freetree */ + return alloc_from_freetree(mm, order, flags); } /** @@ -1017,8 +1061,8 @@ __drm_buddy_alloc_blocks(struct drm_buddy *mm, * alloc_range_bias() called on range limitations, which traverses * the tree and returns the desired block. * - * alloc_from_freelist() called when *no* range restrictions - * are enforced, which picks the block from the freelist. + * alloc_from_freetree() called when *no* range restrictions + * are enforced, which picks the block from the freetree. * * Returns: * 0 on success, error code on failure. @@ -1120,7 +1164,7 @@ int drm_buddy_alloc_blocks(struct drm_buddy *mm, } } while (1); - mark_allocated(block); + mark_allocated(mm, block); mm->avail -= drm_buddy_block_size(mm, block); if (drm_buddy_block_is_clear(block)) mm->clear_avail -= drm_buddy_block_size(mm, block); @@ -1201,10 +1245,10 @@ void drm_buddy_print(struct drm_buddy *mm, struct drm_printer *p) mm->chunk_size >> 10, mm->size >> 20, mm->avail >> 20, mm->clear_avail >> 20); for (order = mm->max_order; order >= 0; order--) { - struct drm_buddy_block *block; + struct drm_buddy_block *block, *tmp; u64 count = 0, free; - list_for_each_entry(block, &mm->free_list[order], link) { + rbtree_postorder_for_each_entry_safe(block, tmp, &mm->free_tree[order], rb) { BUG_ON(!drm_buddy_block_is_free(block)); count++; } diff --git a/include/drm/drm_buddy.h b/include/drm/drm_buddy.h index 513837632b7d..9ee105d4309f 100644 --- a/include/drm/drm_buddy.h +++ b/include/drm/drm_buddy.h @@ -10,6 +10,7 @@ #include <linux/list.h> #include <linux/slab.h> #include <linux/sched.h> +#include <linux/rbtree.h> #include <drm/drm_print.h> @@ -53,7 +54,11 @@ struct drm_buddy_block { * a list, if so desired. As soon as the block is freed with * drm_buddy_free* ownership is given back to the mm. */ - struct list_head link; + union { + struct rb_node rb; + struct list_head link; + }; + struct list_head tmp_link; }; @@ -68,7 +73,7 @@ struct drm_buddy_block { */ struct drm_buddy { /* Maintain a free list for each order. */ - struct list_head *free_list; + struct rb_root *free_tree; /* * Maintain explicit binary tree(s) to track the allocation of the @@ -94,7 +99,7 @@ struct drm_buddy { }; static inline u64 -drm_buddy_block_offset(struct drm_buddy_block *block) +drm_buddy_block_offset(const struct drm_buddy_block *block) { return block->header & DRM_BUDDY_HEADER_OFFSET; } base-commit: 3a9cf301794c1a49d95eeb13119ff490fb5cfe88 -- 2.34.1

6 days, 4 hours

3
4
0 0

[PATCH 6.12 000/105] 6.12.49-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.49 release. There are 105 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 24 Sep 2025 19:23:52 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.49-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.49-rc1 David Laight <David.Laight(a)ACULAB.COM> minmax.h: remove some #defines that are only expanded once David Laight <David.Laight(a)ACULAB.COM> minmax.h: simplify the variants of clamp() David Laight <David.Laight(a)ACULAB.COM> minmax.h: move all the clamp() definitions after the min/max() ones David Laight <David.Laight(a)ACULAB.COM> minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp() David Laight <David.Laight(a)ACULAB.COM> minmax.h: reduce the #define expansion of min(), max() and clamp() David Laight <David.Laight(a)ACULAB.COM> minmax.h: update some comments David Laight <David.Laight(a)ACULAB.COM> minmax.h: add whitespace around operators and after commas Bruno Thomsen <bruno.thomsen(a)gmail.com> rtc: pcf2127: fix SPI command byte for PCF2131 backport Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: Fix full DbC transfer ring after several reconnects Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: decouple endpoint allocation from initialization Niklas Neronin <niklas.neronin(a)linux.intel.com> usb: xhci: remove option to change a default ring's TRB cycle bit Niklas Neronin <niklas.neronin(a)linux.intel.com> usb: xhci: introduce macro for ring segment list iteration Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: nl: announce deny-join-id0 flag Hugh Dickins <hughd(a)google.com> mm/gup: check ref_count instead of lru before migration Shivank Garg <shivankg(a)amd.com> mm: add folio_expected_ref_count() for reference count calculation Sankararaman Jayaraman <sankararaman.jayaraman(a)broadcom.com> vmxnet3: unregister xdp rxq info in the reset path Sean Christopherson <seanjc(a)google.com> KVM: SVM: Set/clear SRSO's BP_SPEC_REDUCE on 0 <=> 1 VM count transitions Borislav Petkov <bp(a)alien8.de> x86/bugs: KVM: Add support for SRSO_MSR_FIX Borislav Petkov (AMD) <bp(a)alien8.de> x86/bugs: Add SRSO_USER_KERNEL_NO support Antheas Kapenekakis <lkml(a)antheas.dev> platform/x86: asus-wmi: Re-add extra keys to ignore_key_wlan quirk Antheas Kapenekakis <lkml(a)antheas.dev> platform/x86: asus-wmi: Fix ROG button mapping, tablet mode on ASUS ROG Z13 Yang Xiuwei <yangxiuwei(a)kylinos.cn> io_uring: fix incorrect io_kiocb reference in io_link_skb Stefan Metzmacher <metze(a)samba.org> smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path Herbert Xu <herbert(a)gondor.apana.org.au> crypto: af_alg - Set merge to zero early in af_alg_sendmsg Stefan Metzmacher <metze(a)samba.org> smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work) Paulo Alcantara <pc(a)manguebit.org> smb: client: fix filename matching of deferred files Dan Carpenter <dan.carpenter(a)linaro.org> drm/xe: Fix a NULL vs IS_ERR() in xe_vm_add_compute_exec_queue() Qi Xi <xiqi2(a)huawei.com> drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path Loic Poulain <loic.poulain(a)oss.qualcomm.com> drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ Shuicheng Lin <shuicheng.lin(a)intel.com> drm/xe/tile: Release kobject for the failure path Amadeusz Sławiński <amadeuszx.slawinski(a)linux.intel.com> ASoC: Intel: catpt: Expose correct bit depth to userspace Colin Ian King <colin.i.king(a)gmail.com> ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8974: Correct PLL rate rounding Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8940: Correct typo in control name Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8940: Correct PLL rate rounding Jens Axboe <axboe(a)kernel.dk> io_uring/kbuf: drop WARN_ON_ONCE() from incremental length check Jens Axboe <axboe(a)kernel.dk> io_uring/msg_ring: kill alloc_cache for io_kiocb allocations Jens Axboe <axboe(a)kernel.dk> io_uring: include dying ring in task_work "should cancel" state Jens Axboe <axboe(a)kernel.dk> io_uring: backport io_should_terminate_tw() Pavel Begunkov <asml.silence(a)gmail.com> io_uring/cmd: let cmds to know about dying task Praful Adiga <praful.adiga(a)gmail.com> ALSA: hda/realtek: Fix mute led for HP Laptop 15-dw4xx Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: avoid spurious errors on TCP disconnect Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: connect: catch IO errors on listen side Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: propagate shutdown to subflows when possible Håkon Bugge <haakon.bugge(a)oracle.com> rds: ib: Increment i_fastreg_wrs before bailing out Hans de Goede <hansg(a)kernel.org> net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Ivan Lipski <ivan.lipski(a)amd.com> drm/amd/display: Allow RX6xxx & RX7700 to invoke amdgpu_irq_get/put Maciej S. Szmigiero <maciej.szmigiero(a)oracle.com> KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active Thomas Fourier <fourier.thomas(a)gmail.com> mmc: mvsdio: Fix dma_unmap_sg() nents value Mohammad Rafi Shaik <mohammad.rafi.shaik(a)oss.qualcomm.com> ASoC: qcom: q6apm-lpass-dais: Fix missing set_fmt DAI op for I2S Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed Mohammad Rafi Shaik <mohammad.rafi.shaik(a)oss.qualcomm.com> ASoC: qcom: audioreach: Fix lpaif_type configuration for the I2S interface Qu Wenruo <wqu(a)suse.com> btrfs: tree-checker: fix the incorrect inode ref size check Vasant Hegde <vasant.hegde(a)amd.com> iommu/amd/pgtbl: Fix possible race while increase page table level Eugene Koira <eugkoira(a)amazon.com> iommu/vt-d: Fix __domain_mapping()'s usage of switch_to_super_page() Tao Cui <cuitao(a)kylinos.cn> LoongArch: Check the return value when creating kobj Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Align ACPI structures if ARCH_STRICT_ALIGN enabled Guangshuo Li <202321181(a)mail.sdu.edu.cn> LoongArch: vDSO: Check kcalloc() result in init_vdso() Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Fix unreliable stack for live patching Tiezhu Yang <yangtiezhu(a)loongson.cn> objtool/LoongArch: Mark special atomic instruction as INSN_BUG type Tiezhu Yang <yangtiezhu(a)loongson.cn> objtool/LoongArch: Mark types based on break immediate code Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Update help info of ARCH_STRICT_ALIGN Hugh Dickins <hughd(a)google.com> mm: revert "mm: vmscan.c: fix OOM on swap stress test" Li Zhe <lizhe.67(a)bytedance.com> gup: optimize longterm pin_user_pages() for large folio Mikulas Patocka <mpatocka(a)redhat.com> dm-stripe: fix a possible integer overflow Mikulas Patocka <mpatocka(a)redhat.com> dm-raid: don't set io_min and io_opt for raid1 H. Nikolaus Schaller <hns(a)goldelico.com> power: supply: bq27xxx: restrict no-battery detection to bq27000 H. Nikolaus Schaller <hns(a)goldelico.com> power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery Herbert Xu <herbert(a)gondor.apana.org.au> crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Nathan Chancellor <nathan(a)kernel.org> nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* Stefan Metzmacher <metze(a)samba.org> ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel: Fix crash in icl_update_topdown_event() Duoming Zhou <duoming(a)zju.edu.cn> octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp() Duoming Zhou <duoming(a)zju.edu.cn> cnic: Fix use-after-free bugs in cnic_delete_task Alexey Nepomnyashih <sdl(a)nppct.ru> net: liquidio: fix overflow in octeon_init_instr_queue() Tariq Toukan <tariqt(a)nvidia.com> Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" Jakub Kicinski <kuba(a)kernel.org> tls: make sure to abort the stream if headers are bogus Kuniyuki Iwashima <kuniyu(a)google.com> tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). Sathesh B Edara <sedara(a)marvell.com> octeon_ep: fix VF MAC address lifecycle handling Hangbin Liu <liuhangbin(a)gmail.com> bonding: don't set oif to bond dev when getting NS target destination Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Harden uplink netdev access against device unbind Kohei Enju <enjuk(a)amazon.com> igc: don't fail igc_probe() on LED setup error Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> i40e: remove redundant memory barrier when cleaning Tx descs Jacob Keller <jacob.e.keller(a)intel.com> ice: fix Rx page leak on multi-buffer frames Jacob Keller <jacob.e.keller(a)intel.com> ice: store max_frame and rx_buf_len only in ice_rx_ring Yeounsu Moon <yyyynoom(a)gmail.com> net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure Geliang Tang <geliang(a)kernel.org> selftests: mptcp: sockopt: fix error messages Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: tfo: record 'deny join id0' info Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: userspace pm: validate deny-join-id0 flag Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: set remote_deny_join_id0 on SYN recv Hangbin Liu <liuhangbin(a)gmail.com> bonding: set random address only when slaves already exist Jamie Bainbridge <jamie.bainbridge(a)gmail.com> qed: Don't collect too many protection override GRC elements Anderson Nascimento <anderson(a)allelesecurity.com> net/tcp: Fix a NULL pointer dereference when using TCP-AO with TCP_REPAIR Ioana Ciornei <ioana.ciornei(a)nxp.com> dpaa2-switch: fix buffer pool seeding for control traffic Tiwei Bie <tiwei.btw(a)antgroup.com> um: Fix FD copy size in os_rcv_fd_msg() Miaoqian Lin <linmq006(a)gmail.com> um: virtio_uml: Fix use-after-free after put_device in probe Filipe Manana <fdmanana(a)suse.com> btrfs: fix invalid extref key setup when replaying dentry Chen Ridong <chenridong(a)huawei.com> cgroup: split cgroup_destroy_wq into 3 workqueues Geert Uytterhoeven <geert+renesas(a)glider.be> pcmcia: omap_cf: Mark driver struct with __refdata to prevent section mismatch Liao Yuanhong <liaoyuanhong(a)vivo.com> wifi: mac80211: fix incorrect type for ret Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: increase scan_ies_len for S1G Takashi Sakamoto <o-takashi(a)sakamocchi.jp> ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported Christoph Hellwig <hch(a)lst.de> nvme: fix PI insert on write Ajay.Kathat(a)microchip.com <Ajay.Kathat(a)microchip.com> wifi: wilc1000: avoid buffer overflow in WID string configuration ------------- Diffstat: Documentation/admin-guide/hw-vuln/srso.rst | 13 ++ Documentation/netlink/specs/mptcp_pm.yaml | 4 +- Makefile | 4 +- arch/loongarch/Kconfig | 8 +- arch/loongarch/include/asm/acenv.h | 7 +- arch/loongarch/kernel/env.c | 2 + arch/loongarch/kernel/stacktrace.c | 3 +- arch/loongarch/kernel/vdso.c | 3 + arch/um/drivers/virtio_uml.c | 6 +- arch/um/os-Linux/file.c | 2 +- arch/x86/events/intel/core.c | 2 +- arch/x86/include/asm/cpufeatures.h | 5 + arch/x86/include/asm/msr-index.h | 1 + arch/x86/kernel/cpu/bugs.c | 28 ++- arch/x86/kvm/svm/svm.c | 68 ++++++- arch/x86/kvm/svm/svm.h | 2 + arch/x86/lib/msr.c | 2 + crypto/af_alg.c | 10 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 39 +++- drivers/gpu/drm/bridge/analogix/anx7625.c | 6 +- .../gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 6 +- drivers/gpu/drm/xe/xe_tile_sysfs.c | 12 +- drivers/gpu/drm/xe/xe_vm.c | 4 +- drivers/iommu/amd/amd_iommu_types.h | 1 + drivers/iommu/amd/io_pgtable.c | 25 ++- drivers/iommu/intel/iommu.c | 7 +- drivers/md/dm-raid.c | 6 +- drivers/md/dm-stripe.c | 10 +- drivers/mmc/host/mvsdio.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/broadcom/cnic.c | 3 +- .../net/ethernet/cavium/liquidio/request_manager.c | 2 +- .../net/ethernet/freescale/dpaa2/dpaa2-switch.c | 2 +- drivers/net/ethernet/intel/i40e/i40e_txrx.c | 3 - drivers/net/ethernet/intel/ice/ice.h | 3 - drivers/net/ethernet/intel/ice/ice_base.c | 34 ++-- drivers/net/ethernet/intel/ice/ice_txrx.c | 80 ++++---- drivers/net/ethernet/intel/ice/ice_txrx.h | 4 +- drivers/net/ethernet/intel/ice/ice_virtchnl.c | 7 +- drivers/net/ethernet/intel/igc/igc.h | 1 + drivers/net/ethernet/intel/igc/igc_main.c | 12 +- .../ethernet/marvell/octeon_ep/octep_pfvf_mbox.c | 3 + .../net/ethernet/marvell/octeontx2/nic/otx2_ptp.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 - drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 27 ++- drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h | 15 +- drivers/net/ethernet/natsemi/ns83820.c | 13 +- drivers/net/ethernet/qlogic/qed/qed_debug.c | 7 +- drivers/net/vmxnet3/vmxnet3_drv.c | 10 +- drivers/net/wireless/microchip/wilc1000/wlan_cfg.c | 39 ++-- drivers/net/wireless/microchip/wilc1000/wlan_cfg.h | 5 +- drivers/nvme/host/core.c | 18 +- drivers/pcmcia/omap_cf.c | 8 +- drivers/platform/x86/asus-nb-wmi.c | 25 ++- drivers/platform/x86/asus-wmi.h | 3 +- drivers/power/supply/bq27xxx_battery.c | 4 +- drivers/rtc/rtc-pcf2127.c | 10 +- drivers/usb/host/xhci-dbgcap.c | 94 ++++++--- drivers/usb/host/xhci-debugfs.c | 5 +- drivers/usb/host/xhci-mem.c | 74 +++---- drivers/usb/host/xhci.c | 22 +-- drivers/usb/host/xhci.h | 9 +- fs/btrfs/tree-checker.c | 4 +- fs/btrfs/tree-log.c | 2 +- fs/nilfs2/sysfs.c | 4 +- fs/nilfs2/sysfs.h | 8 +- fs/smb/client/cifsproto.h | 4 +- fs/smb/client/inode.c | 6 +- fs/smb/client/misc.c | 36 ++-- fs/smb/client/smbdirect.c | 7 +- fs/smb/server/transport_rdma.c | 26 ++- include/crypto/if_alg.h | 10 +- include/linux/io_uring_types.h | 4 +- include/linux/minmax.h | 219 ++++++++++----------- include/linux/mlx5/driver.h | 1 + include/linux/mm.h | 55 ++++++ include/uapi/linux/mptcp.h | 2 + include/uapi/linux/mptcp_pm.h | 4 +- io_uring/io_uring.c | 12 +- io_uring/io_uring.h | 13 ++ io_uring/kbuf.h | 2 +- io_uring/msg_ring.c | 24 +-- io_uring/notif.c | 2 +- io_uring/poll.c | 3 +- io_uring/timeout.c | 2 +- io_uring/uring_cmd.c | 6 +- kernel/cgroup/cgroup.c | 43 +++- mm/gup.c | 41 +++- mm/migrate.c | 22 +-- mm/vmscan.c | 2 +- net/ipv4/tcp.c | 5 + net/ipv4/tcp_ao.c | 4 +- net/mac80211/driver-ops.h | 2 +- net/mac80211/main.c | 7 +- net/mptcp/options.c | 6 +- net/mptcp/pm_netlink.c | 7 + net/mptcp/protocol.c | 16 ++ net/mptcp/subflow.c | 4 + net/rds/ib_frmr.c | 20 +- net/rfkill/rfkill-gpio.c | 4 +- net/tls/tls.h | 1 + net/tls/tls_strp.c | 14 +- net/tls/tls_sw.c | 3 +- sound/firewire/motu/motu-hwdep.c | 2 +- sound/pci/hda/patch_realtek.c | 1 + sound/soc/codecs/wm8940.c | 9 +- sound/soc/codecs/wm8974.c | 8 +- sound/soc/intel/catpt/pcm.c | 23 ++- sound/soc/qcom/qdsp6/audioreach.c | 1 + sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 7 +- sound/soc/sof/intel/hda-stream.c | 2 +- tools/arch/loongarch/include/asm/inst.h | 12 ++ tools/objtool/arch/loongarch/decode.c | 33 +++- tools/testing/selftests/net/mptcp/mptcp_connect.c | 11 +- tools/testing/selftests/net/mptcp/mptcp_sockopt.c | 16 +- tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 7 + tools/testing/selftests/net/mptcp/userspace_pm.sh | 14 +- 118 files changed, 1069 insertions(+), 571 deletions(-)

6 days, 4 hours

14
118
0 0

[PATCH v3 00/12] media: uvcvideo: Add support for orientation and rotation.

by Ricardo Ribalda

The ACPI has ways to annotate the location of a USB device. Wire that annotation to a v4l2 control. To support all possible devices, add a way to annotate USB devices on DT as well. The original binding discussion happened here: https://lore.kernel.org/linux-devicetree/20241212-usb-orientation-v1-1-0b69… The following patches are needed regardless if we finally add support for orientation and rotation or not: - media: uvcvideo: Always set default_value - media: uvcvideo: Set a function for UVC_EXT_GPIO_UNIT Signed-off-by: Ricardo Ribalda <ribalda(a)chromium.org> --- Changes in v3: - refactor dt bindings - add media: uvcvideo: Use current_value for read-only controls - get_(max|cur|def) = swentity_get_cur - virtual_entity add codestyle - Codestyle - Fix xu get_info and get_len - Drop ACPI_DEVICE_SWNODE_DEV_ROTATION - Add missing select V4L2_FWNODE - Link to v2: https://lore.kernel.org/r/20250605-uvc-orientation-v2-0-5710f9d030aa@chromi… Changes in v2: - Add support for rotation - Rename fwnode to swentity - Remove the patch to move the gpio file - Remove patches already in media-committers - Change priority of data origins - Patch mipi-disco - Link to v1: https://lore.kernel.org/r/20250403-uvc-orientation-v1-0-1a0cc595a62d@chromi… --- Ricardo Ribalda (12): media: uvcvideo: Always set default_value media: uvcvideo: Set a function for UVC_EXT_GPIO_UNIT media: v4l: fwnode: Support ACPI's _PLD for v4l2_fwnode_device_parse ACPI: mipi-disco-img: Do not duplicate rotation info into swnodes media: ipu-bridge: Use v4l2_fwnode_device_parse helper media: ipu-bridge: Use v4l2_fwnode for unknown rotations dt-bindings: media: Add usb-camera-module media: uvcvideo: Add support for V4L2_CID_CAMERA_ORIENTATION media: uvcvideo: Fill ctrl->info.selector earlier media: uvcvideo: Add uvc_ctrl_query_entity helper media: uvcvideo: Use current_value for read-only controls media: uvcvideo: Add support for V4L2_CID_CAMERA_ROTATION .../bindings/media/usb-camera-module.yaml | 46 +++++ MAINTAINERS | 1 + drivers/acpi/mipi-disco-img.c | 15 -- drivers/media/pci/intel/Kconfig | 1 + drivers/media/pci/intel/ipu-bridge.c | 58 +++--- drivers/media/usb/uvc/Kconfig | 1 + drivers/media/usb/uvc/Makefile | 3 +- drivers/media/usb/uvc/uvc_ctrl.c | 201 +++++++++++++++------ drivers/media/usb/uvc/uvc_driver.c | 22 ++- drivers/media/usb/uvc/uvc_entity.c | 3 +- drivers/media/usb/uvc/uvc_swentity.c | 107 +++++++++++ drivers/media/usb/uvc/uvcvideo.h | 22 +++ drivers/media/v4l2-core/v4l2-fwnode.c | 84 ++++++++- include/acpi/acpi_bus.h | 1 - include/linux/usb/uvc.h | 3 + 15 files changed, 441 insertions(+), 127 deletions(-) --- base-commit: afb100a5ea7a13d7e6937dcd3b36b19dc6cc9328 change-id: 20250403-uvc-orientation-5f7f19da5adb Best regards, -- Ricardo Ribalda <ribalda(a)chromium.org>

6 days, 7 hours

1
2
0 0

[PATCH] fix error code overwriting in smb2_get_info_filesystem()

by Matvey Kovalev

If client doesn't negotiate with SMB3.1.1 POSIX Extensions, then proper error code won't be returned due to overwriting. Return error immediately. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: e2f34481b24db ("cifsd: add server-side procedures for SMB3") Cc: stable(a)vger.kernel.org Signed-off-by: Matvey Kovalev <matvey.kovalev(a)ispras.ru> --- fs/smb/server/smb2pdu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index a565fc36cee6d..a1db006ab6e92 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -5628,7 +5628,8 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work, if (!work->tcon->posix_extensions) { pr_err("client doesn't negotiate with SMB3.1.1 POSIX Extensions\n"); - rc = -EOPNOTSUPP; + path_put(&path); + return -EOPNOTSUPP; } else { info = (struct filesystem_posix_info *)(rsp->Buffer); info->OptimalTransferSize = cpu_to_le32(stfs.f_bsize); -- 2.43.0.windows.1

6 days, 8 hours

3
2
0 0

[PATCH v1] gpio: mpfs: fix setting gpio direction to output

by Conor Dooley

From: Conor Dooley <conor.dooley(a)microchip.com> mpfs_gpio_direction_output() actually sets the line to input mode. Use the correct register settings for output mode so that this function actually works as intended. This was a copy-paste mistake made when converting to regmap during the driver submission process. It went unnoticed because my test for output mode is toggling LEDs on an Icicle kit which functions with the incorrect code. The internal reporter has yet to test the patch, but on their system the incorrect setting may be the reason for failures to drive the GPIO lines on the BeagleV-fire board. CC: stable(a)vger.kernel.org Fixes: a987b78f3615e ("gpio: mpfs: add polarfire soc gpio support") Signed-off-by: Conor Dooley <conor.dooley(a)microchip.com> --- CC: Conor Dooley <conor.dooley(a)microchip.com> CC: Daire McNamara <daire.mcnamara(a)microchip.com> CC: Cyril.Jean(a)microchip.com CC: Linus Walleij <linus.walleij(a)linaro.org> CC: Bartosz Golaszewski <brgl(a)bgdev.pl> CC: linux-riscv(a)lists.infradead.org CC: linux-gpio(a)vger.kernel.org CC: linux-kernel(a)vger.kernel.org --- drivers/gpio/gpio-mpfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpio/gpio-mpfs.c b/drivers/gpio/gpio-mpfs.c index 82d557a7e5d8d..9468795b96348 100644 --- a/drivers/gpio/gpio-mpfs.c +++ b/drivers/gpio/gpio-mpfs.c @@ -69,7 +69,7 @@ static int mpfs_gpio_direction_output(struct gpio_chip *gc, unsigned int gpio_in struct mpfs_gpio_chip *mpfs_gpio = gpiochip_get_data(gc); regmap_update_bits(mpfs_gpio->regs, MPFS_GPIO_CTRL(gpio_index), - MPFS_GPIO_DIR_MASK, MPFS_GPIO_EN_IN); + MPFS_GPIO_DIR_MASK, MPFS_GPIO_EN_OUT | MPFS_GPIO_EN_OUT_BUF); regmap_update_bits(mpfs_gpio->regs, mpfs_gpio->offsets->outp, BIT(gpio_index), value << gpio_index); -- 2.47.3

6 days, 9 hours

2
2
0 0

[PATCH v2] wifi: mt76: Fix DTS power-limits on little endian systems

by Sven Eckelmann (Plasma Cloud)

The power-limits for ru and mcs and stored in the devicetree as bytewise array (often with sizes which are not a multiple of 4). These arrays have a prefix which defines for how many modes a line is applied. This prefix is also only a byte - but the code still tried to fix the endianness of this byte with a be32 operation. As result, loading was mostly failing or was sending completely unexpected values to the firmware. Since the other rates are also stored in the devicetree as bytewise arrays, just drop the u32 access + be32_to_cpu conversion and directly access them as bytes arrays. Cc: stable(a)vger.kernel.org Fixes: 22b980badc0f ("mt76: add functions for parsing rate power limits from DT") Fixes: a9627d992b5e ("mt76: extend DT rate power limits to support 11ax devices") Signed-off-by: Sven Eckelmann (Plasma Cloud) <se(a)simonwunderlich.de> --- Changes in v2: - Fix second Fixes line, thanks Zhi-Jun You - Link to v1: https://lore.kernel.org/r/20250917-fix-power-limits-v1-1-616e859a9881@simon… --- drivers/net/wireless/mediatek/mt76/eeprom.c | 37 +++++++++++++++++++---------- 1 file changed, 24 insertions(+), 13 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/eeprom.c b/drivers/net/wireless/mediatek/mt76/eeprom.c index a987c5e4eff6c6b0a014b4b069dc1259ffa82d31..6ce8e4af18fe53c10a0cb7290bf65962ce9cdde4 100644 --- a/drivers/net/wireless/mediatek/mt76/eeprom.c +++ b/drivers/net/wireless/mediatek/mt76/eeprom.c @@ -253,6 +253,19 @@ mt76_get_of_array(struct device_node *np, char *name, size_t *len, int min) return prop->value; } +static const s8 * +mt76_get_of_array_s8(struct device_node *np, char *name, size_t *len, int min) +{ + struct property *prop = of_find_property(np, name, NULL); + + if (!prop || !prop->value || prop->length < min) + return NULL; + + *len = prop->length; + + return prop->value; +} + struct device_node * mt76_find_channel_node(struct device_node *np, struct ieee80211_channel *chan) { @@ -294,7 +307,7 @@ mt76_get_txs_delta(struct device_node *np, u8 nss) } static void -mt76_apply_array_limit(s8 *pwr, size_t pwr_len, const __be32 *data, +mt76_apply_array_limit(s8 *pwr, size_t pwr_len, const s8 *data, s8 target_power, s8 nss_delta, s8 *max_power) { int i; @@ -303,15 +316,14 @@ mt76_apply_array_limit(s8 *pwr, size_t pwr_len, const __be32 *data, return; for (i = 0; i < pwr_len; i++) { - pwr[i] = min_t(s8, target_power, - be32_to_cpu(data[i]) + nss_delta); + pwr[i] = min_t(s8, target_power, data[i] + nss_delta); *max_power = max(*max_power, pwr[i]); } } static void mt76_apply_multi_array_limit(s8 *pwr, size_t pwr_len, s8 pwr_num, - const __be32 *data, size_t len, s8 target_power, + const s8 *data, size_t len, s8 target_power, s8 nss_delta, s8 *max_power) { int i, cur; @@ -319,8 +331,7 @@ mt76_apply_multi_array_limit(s8 *pwr, size_t pwr_len, s8 pwr_num, if (!data) return; - len /= 4; - cur = be32_to_cpu(data[0]); + cur = data[0]; for (i = 0; i < pwr_num; i++) { if (len < pwr_len + 1) break; @@ -335,7 +346,7 @@ mt76_apply_multi_array_limit(s8 *pwr, size_t pwr_len, s8 pwr_num, if (!len) break; - cur = be32_to_cpu(data[0]); + cur = data[0]; } } @@ -346,7 +357,7 @@ s8 mt76_get_rate_power_limits(struct mt76_phy *phy, { struct mt76_dev *dev = phy->dev; struct device_node *np; - const __be32 *val; + const s8 *val; char name[16]; u32 mcs_rates = dev->drv->mcs_rates; u32 ru_rates = ARRAY_SIZE(dest->ru[0]); @@ -392,21 +403,21 @@ s8 mt76_get_rate_power_limits(struct mt76_phy *phy, txs_delta = mt76_get_txs_delta(np, hweight16(phy->chainmask)); - val = mt76_get_of_array(np, "rates-cck", &len, ARRAY_SIZE(dest->cck)); + val = mt76_get_of_array_s8(np, "rates-cck", &len, ARRAY_SIZE(dest->cck)); mt76_apply_array_limit(dest->cck, ARRAY_SIZE(dest->cck), val, target_power, txs_delta, &max_power); - val = mt76_get_of_array(np, "rates-ofdm", - &len, ARRAY_SIZE(dest->ofdm)); + val = mt76_get_of_array_s8(np, "rates-ofdm", + &len, ARRAY_SIZE(dest->ofdm)); mt76_apply_array_limit(dest->ofdm, ARRAY_SIZE(dest->ofdm), val, target_power, txs_delta, &max_power); - val = mt76_get_of_array(np, "rates-mcs", &len, mcs_rates + 1); + val = mt76_get_of_array_s8(np, "rates-mcs", &len, mcs_rates + 1); mt76_apply_multi_array_limit(dest->mcs[0], ARRAY_SIZE(dest->mcs[0]), ARRAY_SIZE(dest->mcs), val, len, target_power, txs_delta, &max_power); - val = mt76_get_of_array(np, "rates-ru", &len, ru_rates + 1); + val = mt76_get_of_array_s8(np, "rates-ru", &len, ru_rates + 1); mt76_apply_multi_array_limit(dest->ru[0], ARRAY_SIZE(dest->ru[0]), ARRAY_SIZE(dest->ru), val, len, target_power, txs_delta, &max_power); --- base-commit: b36d55610215a976267197ddc914902c494705d7 change-id: 20250917-fix-power-limits-5ce07b993681 Best regards, -- Sven Eckelmann (Plasma Cloud) <se(a)simonwunderlich.de>

6 days, 11 hours

1
0
0 0

501K IAA Mobility 2025 Contacts!

by Garnet Conwell

Hi, Access a comprehensive, verified database of 501,853 IAA Mobility 2025 attendees and 750 exhibitors to grow your network and maximize business opportunities. What you’ll get: Contact name, Job Title, Business Name, Physical Address, Phone Numbers, Official Email address and many more. Delivered within 48 hours and 100% opt-in and GDPR compliant. Special Discount: Enjoy 20% off for a limited time! Would you prefer the entire attendee database or a customized segment tailored by geography, job role, or industry? I’ll forward the same to our Business Development Manager, who will provide you with more details about list acquisition. Best regards, Garnet Conwell Sr. Marketing Manager P.S. To opt out of future emails, simply reply “Unfollow.”

6 days, 11 hours

1
0
0 0

[PATCH v3] netfs: fix reference leak

by David Howells

From: Max Kellermann <max.kellermann(a)ionos.com> Commit 20d72b00ca81 ("netfs: Fix the request's work item to not require a ref") modified netfs_alloc_request() to initialize the reference counter to 2 instead of 1. The rationale was that the requet's "work" would release the second reference after completion (via netfs_{read,write}_collection_worker()). That works most of the time if all goes well. However, it leaks this additional reference if the request is released before the I/O operation has been submitted: the error code path only decrements the reference counter once and the work item will never be queued because there will never be a completion. This has caused outages of our whole server cluster today because tasks were blocked in netfs_wait_for_outstanding_io(), leading to deadlocks in Ceph (another bug that I will address soon in another patch). This was caused by a netfs_pgpriv2_begin_copy_to_cache() call which failed in fscache_begin_write_operation(). The leaked netfs_io_request was never completed, leaving `netfs_inode.io_count` with a positive value forever. All of this is super-fragile code. Finding out which code paths will lead to an eventual completion and which do not is hard to see: - Some functions like netfs_create_write_req() allocate a request, but will never submit any I/O. - netfs_unbuffered_read_iter_locked() calls netfs_unbuffered_read() and then netfs_put_request(); however, netfs_unbuffered_read() can also fail early before submitting the I/O request, therefore another netfs_put_request() call must be added there. A rule of thumb is that functions that return a `netfs_io_request` do not submit I/O, and all of their callers must be checked. For my taste, the whole netfs code needs an overhaul to make reference counting easier to understand and less fragile & obscure. But to fix this bug here and now and produce a patch that is adequate for a stable backport, I tried a minimal approach that quickly frees the request object upon early failure. I decided against adding a second netfs_put_request() each time because that would cause code duplication which obscures the code further. Instead, I added the function netfs_put_failed_request() which frees such a failed request synchronously under the assumption that the reference count is exactly 2 (as initially set by netfs_alloc_request() and never touched), verified by a WARN_ON_ONCE(). It then deinitializes the request object (without going through the "cleanup_work" indirection) and frees the allocation (with RCU protection to protect against concurrent access by netfs_requests_seq_start()). All code paths that fail early have been changed to call netfs_put_failed_request() instead of netfs_put_request(). Additionally, I have added a netfs_put_request() call to netfs_unbuffered_read() as explained above because the netfs_put_failed_request() approach does not work there. Fixes: 20d72b00ca81 ("netfs: Fix the request's work item to not require a ref") Signed-off-by: Max Kellermann <max.kellermann(a)ionos.com> Signed-off-by: David Howells <dhowells(a)redhat.com> cc: Paulo Alcantara <pc(a)manguebit.org> cc: netfs(a)lists.linux.dev, cc: linux-fsdevel(a)vger.kernel.org, cc: stable(a)vger.kernel.org --- Changes ======= ver #3) - Log the refcount in the tracepoint in netfs_put_failed_request(). ver #2) - Fix missing RCU handling in netfs_put_failed_request(). fs/netfs/buffered_read.c | 10 +++++----- fs/netfs/direct_read.c | 7 ++++++- fs/netfs/direct_write.c | 6 +++++- fs/netfs/internal.h | 1 + fs/netfs/objects.c | 28 +++++++++++++++++++++++++--- fs/netfs/read_pgpriv2.c | 2 +- fs/netfs/read_single.c | 2 +- fs/netfs/write_issue.c | 3 +-- 8 files changed, 45 insertions(+), 14 deletions(-) diff --git a/fs/netfs/buffered_read.c b/fs/netfs/buffered_read.c index 18b3dc74c70e..37ab6f28b5ad 100644 --- a/fs/netfs/buffered_read.c +++ b/fs/netfs/buffered_read.c @@ -369,7 +369,7 @@ void netfs_readahead(struct readahead_control *ractl) return netfs_put_request(rreq, netfs_rreq_trace_put_return); cleanup_free: - return netfs_put_request(rreq, netfs_rreq_trace_put_failed); + return netfs_put_failed_request(rreq); } EXPORT_SYMBOL(netfs_readahead); @@ -472,7 +472,7 @@ static int netfs_read_gaps(struct file *file, struct folio *folio) return ret < 0 ? ret : 0; discard: - netfs_put_request(rreq, netfs_rreq_trace_put_discard); + netfs_put_failed_request(rreq); alloc_error: folio_unlock(folio); return ret; @@ -532,7 +532,7 @@ int netfs_read_folio(struct file *file, struct folio *folio) return ret < 0 ? ret : 0; discard: - netfs_put_request(rreq, netfs_rreq_trace_put_discard); + netfs_put_failed_request(rreq); alloc_error: folio_unlock(folio); return ret; @@ -699,7 +699,7 @@ int netfs_write_begin(struct netfs_inode *ctx, return 0; error_put: - netfs_put_request(rreq, netfs_rreq_trace_put_failed); + netfs_put_failed_request(rreq); error: if (folio) { folio_unlock(folio); @@ -754,7 +754,7 @@ int netfs_prefetch_for_write(struct file *file, struct folio *folio, return ret < 0 ? ret : 0; error_put: - netfs_put_request(rreq, netfs_rreq_trace_put_discard); + netfs_put_failed_request(rreq); error: _leave(" = %d", ret); return ret; diff --git a/fs/netfs/direct_read.c b/fs/netfs/direct_read.c index a05e13472baf..a498ee8d6674 100644 --- a/fs/netfs/direct_read.c +++ b/fs/netfs/direct_read.c @@ -131,6 +131,7 @@ static ssize_t netfs_unbuffered_read(struct netfs_io_request *rreq, bool sync) if (rreq->len == 0) { pr_err("Zero-sized read [R=%x]\n", rreq->debug_id); + netfs_put_request(rreq, netfs_rreq_trace_put_discard); return -EIO; } @@ -205,7 +206,7 @@ ssize_t netfs_unbuffered_read_iter_locked(struct kiocb *iocb, struct iov_iter *i if (user_backed_iter(iter)) { ret = netfs_extract_user_iter(iter, rreq->len, &rreq->buffer.iter, 0); if (ret < 0) - goto out; + goto error_put; rreq->direct_bv = (struct bio_vec *)rreq->buffer.iter.bvec; rreq->direct_bv_count = ret; rreq->direct_bv_unpin = iov_iter_extract_will_pin(iter); @@ -238,6 +239,10 @@ ssize_t netfs_unbuffered_read_iter_locked(struct kiocb *iocb, struct iov_iter *i if (ret > 0) orig_count -= ret; return ret; + +error_put: + netfs_put_failed_request(rreq); + return ret; } EXPORT_SYMBOL(netfs_unbuffered_read_iter_locked); diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c index a16660ab7f83..a9d1c3b2c084 100644 --- a/fs/netfs/direct_write.c +++ b/fs/netfs/direct_write.c @@ -57,7 +57,7 @@ ssize_t netfs_unbuffered_write_iter_locked(struct kiocb *iocb, struct iov_iter * n = netfs_extract_user_iter(iter, len, &wreq->buffer.iter, 0); if (n < 0) { ret = n; - goto out; + goto error_put; } wreq->direct_bv = (struct bio_vec *)wreq->buffer.iter.bvec; wreq->direct_bv_count = n; @@ -101,6 +101,10 @@ ssize_t netfs_unbuffered_write_iter_locked(struct kiocb *iocb, struct iov_iter * out: netfs_put_request(wreq, netfs_rreq_trace_put_return); return ret; + +error_put: + netfs_put_failed_request(wreq); + return ret; } EXPORT_SYMBOL(netfs_unbuffered_write_iter_locked); diff --git a/fs/netfs/internal.h b/fs/netfs/internal.h index d4f16fefd965..4319611f5354 100644 --- a/fs/netfs/internal.h +++ b/fs/netfs/internal.h @@ -87,6 +87,7 @@ struct netfs_io_request *netfs_alloc_request(struct address_space *mapping, void netfs_get_request(struct netfs_io_request *rreq, enum netfs_rreq_ref_trace what); void netfs_clear_subrequests(struct netfs_io_request *rreq); void netfs_put_request(struct netfs_io_request *rreq, enum netfs_rreq_ref_trace what); +void netfs_put_failed_request(struct netfs_io_request *rreq); struct netfs_io_subrequest *netfs_alloc_subrequest(struct netfs_io_request *rreq); static inline void netfs_see_request(struct netfs_io_request *rreq, diff --git a/fs/netfs/objects.c b/fs/netfs/objects.c index e8c99738b5bb..39d5e13f7248 100644 --- a/fs/netfs/objects.c +++ b/fs/netfs/objects.c @@ -116,10 +116,8 @@ static void netfs_free_request_rcu(struct rcu_head *rcu) netfs_stat_d(&netfs_n_rh_rreq); } -static void netfs_free_request(struct work_struct *work) +static void netfs_deinit_request(struct netfs_io_request *rreq) { - struct netfs_io_request *rreq = - container_of(work, struct netfs_io_request, cleanup_work); struct netfs_inode *ictx = netfs_inode(rreq->inode); unsigned int i; @@ -149,6 +147,14 @@ static void netfs_free_request(struct work_struct *work) if (atomic_dec_and_test(&ictx->io_count)) wake_up_var(&ictx->io_count); +} + +static void netfs_free_request(struct work_struct *work) +{ + struct netfs_io_request *rreq = + container_of(work, struct netfs_io_request, cleanup_work); + + netfs_deinit_request(rreq); call_rcu(&rreq->rcu, netfs_free_request_rcu); } @@ -167,6 +173,22 @@ void netfs_put_request(struct netfs_io_request *rreq, enum netfs_rreq_ref_trace } } +/* + * Free a request (synchronously) that was just allocated but has + * failed before it could be submitted. + */ +void netfs_put_failed_request(struct netfs_io_request *rreq) +{ + /* new requests have two references (see + * netfs_alloc_request(), and this function is only allowed on + * new request objects + */ + WARN_ON_ONCE(refcount_read(&rreq->ref) != 2); + + trace_netfs_rreq_ref(rreq->debug_id, 0, netfs_rreq_trace_put_failed); + netfs_free_request(&rreq->cleanup_work); +} + /* * Allocate and partially initialise an I/O request structure. */ diff --git a/fs/netfs/read_pgpriv2.c b/fs/netfs/read_pgpriv2.c index 8097bc069c1d..a1489aa29f78 100644 --- a/fs/netfs/read_pgpriv2.c +++ b/fs/netfs/read_pgpriv2.c @@ -118,7 +118,7 @@ static struct netfs_io_request *netfs_pgpriv2_begin_copy_to_cache( return creq; cancel_put: - netfs_put_request(creq, netfs_rreq_trace_put_return); + netfs_put_failed_request(creq); cancel: rreq->copy_to_cache = ERR_PTR(-ENOBUFS); clear_bit(NETFS_RREQ_FOLIO_COPY_TO_CACHE, &rreq->flags); diff --git a/fs/netfs/read_single.c b/fs/netfs/read_single.c index fa622a6cd56d..5c0dc4efc792 100644 --- a/fs/netfs/read_single.c +++ b/fs/netfs/read_single.c @@ -189,7 +189,7 @@ ssize_t netfs_read_single(struct inode *inode, struct file *file, struct iov_ite return ret; cleanup_free: - netfs_put_request(rreq, netfs_rreq_trace_put_failed); + netfs_put_failed_request(rreq); return ret; } EXPORT_SYMBOL(netfs_read_single); diff --git a/fs/netfs/write_issue.c b/fs/netfs/write_issue.c index 0584cba1a043..dd8743bc8d7f 100644 --- a/fs/netfs/write_issue.c +++ b/fs/netfs/write_issue.c @@ -133,8 +133,7 @@ struct netfs_io_request *netfs_create_write_req(struct address_space *mapping, return wreq; nomem: - wreq->error = -ENOMEM; - netfs_put_request(wreq, netfs_rreq_trace_put_failed); + netfs_put_failed_request(wreq); return ERR_PTR(-ENOMEM); }

6 days, 12 hours

2
3
0 0

[PATCH v6 3/4] PCI: dwc: Skip PME_Turn_Off message if there is no endpoint connected

by Richard Zhu

A chip freeze is observed on i.MX7D when PCIe RC kicks off the PM_PME message and no any devices are connected on the port. To workaroud such kind of issue, skip PME_Turn_Off message if there is no endpoint connected. Cc: stable(a)vger.kernel.org Fixes: 4774faf854f5 ("PCI: dwc: Implement generic suspend/resume functionality") Fixes: a528d1a72597 ("PCI: imx6: Use DWC common suspend resume method") Signed-off-by: Richard Zhu <hongxing.zhu(a)nxp.com> Reviewed-by: Frank Li <Frank.Li(a)nxp.com> --- drivers/pci/controller/dwc/pcie-designware-host.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/drivers/pci/controller/dwc/pcie-designware-host.c b/drivers/pci/controller/dwc/pcie-designware-host.c index 57a1ba08c427..b303a74b0fd7 100644 --- a/drivers/pci/controller/dwc/pcie-designware-host.c +++ b/drivers/pci/controller/dwc/pcie-designware-host.c @@ -1008,12 +1008,15 @@ int dw_pcie_suspend_noirq(struct dw_pcie *pci) u32 val; int ret; - if (pci->pp.ops->pme_turn_off) { - pci->pp.ops->pme_turn_off(&pci->pp); - } else { - ret = dw_pcie_pme_turn_off(pci); - if (ret) - return ret; + /* Skip PME_Turn_Off message if there is no endpoint connected */ + if (dw_pcie_get_ltssm(pci) > DW_PCIE_LTSSM_DETECT_WAIT) { + if (pci->pp.ops->pme_turn_off) { + pci->pp.ops->pme_turn_off(&pci->pp); + } else { + ret = dw_pcie_pme_turn_off(pci); + if (ret) + return ret; + } } if (dwc_quirk(pci, QUIRK_NOL2POLL_IN_PM)) { -- 2.37.1

6 days, 15 hours

3
2
0 0

You have a donation of two Million Five Hundred Thousand

by Dr Leonard Valentinovic Blavatnik.

6 days, 21 hours

1
0
0 0

[merged mm-hotfixes-stable] mm-damon-sysfs-do-not-ignore-callbacks-return-value-in-damon_sysfs_damon_call.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/sysfs: do not ignore callback's return value in damon_sysfs_damon_call() has been removed from the -mm tree. Its filename was mm-damon-sysfs-do-not-ignore-callbacks-return-value-in-damon_sysfs_damon_call.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Akinobu Mita <akinobu.mita(a)gmail.com> Subject: mm/damon/sysfs: do not ignore callback's return value in damon_sysfs_damon_call() Date: Sat, 20 Sep 2025 22:25:46 +0900 The callback return value is ignored in damon_sysfs_damon_call(), which means that it is not possible to detect invalid user input when writing commands such as 'commit' to /sys/kernel/mm/damon/admin/kdamonds/<K>/state. Fix it. Link: https://lkml.kernel.org/r/20250920132546.5822-1-akinobu.mita@gmail.com Fixes: f64539dcdb87 ("mm/damon/sysfs: use damon_call() for update_schemes_stats") Signed-off-by: Akinobu Mita <akinobu.mita(a)gmail.com> Reviewed-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> [6.14+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/sysfs.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/mm/damon/sysfs.c~mm-damon-sysfs-do-not-ignore-callbacks-return-value-in-damon_sysfs_damon_call +++ a/mm/damon/sysfs.c @@ -1592,12 +1592,14 @@ static int damon_sysfs_damon_call(int (* struct damon_sysfs_kdamond *kdamond) { struct damon_call_control call_control = {}; + int err; if (!kdamond->damon_ctx) return -EINVAL; call_control.fn = fn; call_control.data = kdamond; - return damon_call(kdamond->damon_ctx, &call_control); + err = damon_call(kdamond->damon_ctx, &call_control); + return err ? err : call_control.return_code; } struct damon_sysfs_schemes_walk_data { _ Patches currently in -mm which might be from akinobu.mita(a)gmail.com are

6 days, 21 hours

1
0
0 0

[merged mm-hotfixes-stable] fs-proc-task_mmu-check-p-vec_buf-for-null.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: fs/proc/task_mmu: check p->vec_buf for NULL has been removed from the -mm tree. Its filename was fs-proc-task_mmu-check-p-vec_buf-for-null.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Jakub Acs <acsjakub(a)amazon.de> Subject: fs/proc/task_mmu: check p->vec_buf for NULL Date: Mon, 22 Sep 2025 08:22:05 +0000 When the PAGEMAP_SCAN ioctl is invoked with vec_len = 0 reaches pagemap_scan_backout_range(), kernel panics with null-ptr-deref: [ 44.936808] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 44.937797] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 44.938391] CPU: 1 UID: 0 PID: 2480 Comm: reproducer Not tainted 6.17.0-rc6 #22 PREEMPT(none) [ 44.939062] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 44.939935] RIP: 0010:pagemap_scan_thp_entry.isra.0+0x741/0xa80 <snip registers, unreliable trace> [ 44.946828] Call Trace: [ 44.947030] <TASK> [ 44.949219] pagemap_scan_pmd_entry+0xec/0xfa0 [ 44.952593] walk_pmd_range.isra.0+0x302/0x910 [ 44.954069] walk_pud_range.isra.0+0x419/0x790 [ 44.954427] walk_p4d_range+0x41e/0x620 [ 44.954743] walk_pgd_range+0x31e/0x630 [ 44.955057] __walk_page_range+0x160/0x670 [ 44.956883] walk_page_range_mm+0x408/0x980 [ 44.958677] walk_page_range+0x66/0x90 [ 44.958984] do_pagemap_scan+0x28d/0x9c0 [ 44.961833] do_pagemap_cmd+0x59/0x80 [ 44.962484] __x64_sys_ioctl+0x18d/0x210 [ 44.962804] do_syscall_64+0x5b/0x290 [ 44.963111] entry_SYSCALL_64_after_hwframe+0x76/0x7e vec_len = 0 in pagemap_scan_init_bounce_buffer() means no buffers are allocated and p->vec_buf remains set to NULL. This breaks an assumption made later in pagemap_scan_backout_range(), that page_region is always allocated for p->vec_buf_index. Fix it by explicitly checking p->vec_buf for NULL before dereferencing. Other sites that might run into same deref-issue are already (directly or transitively) protected by checking p->vec_buf. Note: From PAGEMAP_SCAN man page, it seems vec_len = 0 is valid when no output is requested and it's only the side effects caller is interested in, hence it passes check in pagemap_scan_get_args(). This issue was found by syzkaller. Link: https://lkml.kernel.org/r/20250922082206.6889-1-acsjakub@amazon.de Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs") Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> Reviewed-by: Muhammad Usama Anjum <usama.anjum(a)collabora.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Jinjiang Tu <tujinjiang(a)huawei.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Penglei Jiang <superman.xpt(a)gmail.com> Cc: Mark Brown <broonie(a)kernel.org> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Andrei Vagin <avagin(a)gmail.com> Cc: "Micha�� Miros��aw" <mirq-linux(a)rere.qmqm.pl> Cc: Stephen Rothwell <sfr(a)canb.auug.org.au> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/task_mmu.c | 3 +++ 1 file changed, 3 insertions(+) --- a/fs/proc/task_mmu.c~fs-proc-task_mmu-check-p-vec_buf-for-null +++ a/fs/proc/task_mmu.c @@ -2417,6 +2417,9 @@ static void pagemap_scan_backout_range(s { struct page_region *cur_buf = &p->vec_buf[p->vec_buf_index]; + if (!p->vec_buf) + return; + if (cur_buf->start != addr) cur_buf->end = addr; else _ Patches currently in -mm which might be from acsjakub(a)amazon.de are

6 days, 21 hours

1
0
0 0

[merged mm-hotfixes-stable] kmsan-fix-out-of-bounds-access-to-shadow-memory.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: kmsan: fix out-of-bounds access to shadow memory has been removed from the -mm tree. Its filename was kmsan-fix-out-of-bounds-access-to-shadow-memory.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Eric Biggers <ebiggers(a)kernel.org> Subject: kmsan: fix out-of-bounds access to shadow memory Date: Thu, 11 Sep 2025 12:58:58 -0700 Running sha224_kunit on a KMSAN-enabled kernel results in a crash in kmsan_internal_set_shadow_origin(): BUG: unable to handle page fault for address: ffffbc3840291000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 1810067 P4D 1810067 PUD 192d067 PMD 3c17067 PTE 0 Oops: 0000 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 81 Comm: kunit_try_catch Tainted: G N 6.17.0-rc3 #10 PREEMPT(voluntary) Tainted: [N]=TEST Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 RIP: 0010:kmsan_internal_set_shadow_origin+0x91/0x100 [...] Call Trace: <TASK> __msan_memset+0xee/0x1a0 sha224_final+0x9e/0x350 test_hash_buffer_overruns+0x46f/0x5f0 ? kmsan_get_shadow_origin_ptr+0x46/0xa0 ? __pfx_test_hash_buffer_overruns+0x10/0x10 kunit_try_run_case+0x198/0xa00 This occurs when memset() is called on a buffer that is not 4-byte aligned and extends to the end of a guard page, i.e. the next page is unmapped. The bug is that the loop at the end of kmsan_internal_set_shadow_origin() accesses the wrong shadow memory bytes when the address is not 4-byte aligned. Since each 4 bytes are associated with an origin, it rounds the address and size so that it can access all the origins that contain the buffer. However, when it checks the corresponding shadow bytes for a particular origin, it incorrectly uses the original unrounded shadow address. This results in reads from shadow memory beyond the end of the buffer's shadow memory, which crashes when that memory is not mapped. To fix this, correctly align the shadow address before accessing the 4 shadow bytes corresponding to each origin. Link: https://lkml.kernel.org/r/20250911195858.394235-1-ebiggers@kernel.org Fixes: 2ef3cec44c60 ("kmsan: do not wipe out origin when doing partial unpoisoning") Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> Tested-by: Alexander Potapenko <glider(a)google.com> Reviewed-by: Alexander Potapenko <glider(a)google.com> Cc: Dmitriy Vyukov <dvyukov(a)google.com> Cc: Marco Elver <elver(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/kmsan/core.c | 10 +++++++--- mm/kmsan/kmsan_test.c | 16 ++++++++++++++++ 2 files changed, 23 insertions(+), 3 deletions(-) --- a/mm/kmsan/core.c~kmsan-fix-out-of-bounds-access-to-shadow-memory +++ a/mm/kmsan/core.c @@ -195,7 +195,8 @@ void kmsan_internal_set_shadow_origin(vo u32 origin, bool checked) { u64 address = (u64)addr; - u32 *shadow_start, *origin_start; + void *shadow_start; + u32 *aligned_shadow, *origin_start; size_t pad = 0; KMSAN_WARN_ON(!kmsan_metadata_is_contiguous(addr, size)); @@ -214,9 +215,12 @@ void kmsan_internal_set_shadow_origin(vo } __memset(shadow_start, b, size); - if (!IS_ALIGNED(address, KMSAN_ORIGIN_SIZE)) { + if (IS_ALIGNED(address, KMSAN_ORIGIN_SIZE)) { + aligned_shadow = shadow_start; + } else { pad = address % KMSAN_ORIGIN_SIZE; address -= pad; + aligned_shadow = shadow_start - pad; size += pad; } size = ALIGN(size, KMSAN_ORIGIN_SIZE); @@ -230,7 +234,7 @@ void kmsan_internal_set_shadow_origin(vo * corresponding shadow slot is zero. */ for (int i = 0; i < size / KMSAN_ORIGIN_SIZE; i++) { - if (origin || !shadow_start[i]) + if (origin || !aligned_shadow[i]) origin_start[i] = origin; } } --- a/mm/kmsan/kmsan_test.c~kmsan-fix-out-of-bounds-access-to-shadow-memory +++ a/mm/kmsan/kmsan_test.c @@ -556,6 +556,21 @@ DEFINE_TEST_MEMSETXX(16) DEFINE_TEST_MEMSETXX(32) DEFINE_TEST_MEMSETXX(64) +/* Test case: ensure that KMSAN does not access shadow memory out of bounds. */ +static void test_memset_on_guarded_buffer(struct kunit *test) +{ + void *buf = vmalloc(PAGE_SIZE); + + kunit_info(test, + "memset() on ends of guarded buffer should not crash\n"); + + for (size_t size = 0; size <= 128; size++) { + memset(buf, 0xff, size); + memset(buf + PAGE_SIZE - size, 0xff, size); + } + vfree(buf); +} + static noinline void fibonacci(int *array, int size, int start) { if (start < 2 || (start == size)) @@ -677,6 +692,7 @@ static struct kunit_case kmsan_test_case KUNIT_CASE(test_memset16), KUNIT_CASE(test_memset32), KUNIT_CASE(test_memset64), + KUNIT_CASE(test_memset_on_guarded_buffer), KUNIT_CASE(test_long_origin_chain), KUNIT_CASE(test_stackdepot_roundtrip), KUNIT_CASE(test_unpoison_memory), _ Patches currently in -mm which might be from ebiggers(a)kernel.org are

6 days, 21 hours

1
0
0 0

[merged mm-hotfixes-stable] mm-hugetlb-fix-folio-is-still-mapped-when-deleted.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/hugetlb: fix folio is still mapped when deleted has been removed from the -mm tree. Its filename was mm-hugetlb-fix-folio-is-still-mapped-when-deleted.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Jinjiang Tu <tujinjiang(a)huawei.com> Subject: mm/hugetlb: fix folio is still mapped when deleted Date: Fri, 12 Sep 2025 15:41:39 +0800 Migration may be raced with fallocating hole. remove_inode_single_folio will unmap the folio if the folio is still mapped. However, it's called without folio lock. If the folio is migrated and the mapped pte has been converted to migration entry, folio_mapped() returns false, and won't unmap it. Due to extra refcount held by remove_inode_single_folio, migration fails, restores migration entry to normal pte, and the folio is mapped again. As a result, we triggered BUG in filemap_unaccount_folio. The log is as follows: BUG: Bad page cache in process hugetlb pfn:156c00 page: refcount:515 mapcount:0 mapping:0000000099fef6e1 index:0x0 pfn:0x156c00 head: order:9 mapcount:1 entire_mapcount:1 nr_pages_mapped:0 pincount:0 aops:hugetlbfs_aops ino:dcc dentry name(?):"my_hugepage_file" flags: 0x17ffffc00000c1(locked|waiters|head|node=0|zone=2|lastcpupid=0x1fffff) page_type: f4(hugetlb) page dumped because: still mapped when deleted CPU: 1 UID: 0 PID: 395 Comm: hugetlb Not tainted 6.17.0-rc5-00044-g7aac71907bde-dirty #484 NONE Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 Call Trace: <TASK> dump_stack_lvl+0x4f/0x70 filemap_unaccount_folio+0xc4/0x1c0 __filemap_remove_folio+0x38/0x1c0 filemap_remove_folio+0x41/0xd0 remove_inode_hugepages+0x142/0x250 hugetlbfs_fallocate+0x471/0x5a0 vfs_fallocate+0x149/0x380 Hold folio lock before checking if the folio is mapped to avold race with migration. Link: https://lkml.kernel.org/r/20250912074139.3575005-1-tujinjiang@huawei.com Fixes: 4aae8d1c051e ("mm/hugetlbfs: unmap pages if page fault raced with hole punch") Signed-off-by: Jinjiang Tu <tujinjiang(a)huawei.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/hugetlbfs/inode.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) --- a/fs/hugetlbfs/inode.c~mm-hugetlb-fix-folio-is-still-mapped-when-deleted +++ a/fs/hugetlbfs/inode.c @@ -517,14 +517,16 @@ static bool remove_inode_single_folio(st /* * If folio is mapped, it was faulted in after being - * unmapped in caller. Unmap (again) while holding - * the fault mutex. The mutex will prevent faults - * until we finish removing the folio. + * unmapped in caller or hugetlb_vmdelete_list() skips + * unmapping it due to fail to grab lock. Unmap (again) + * while holding the fault mutex. The mutex will prevent + * faults until we finish removing the folio. Hold folio + * lock to guarantee no concurrent migration. */ + folio_lock(folio); if (unlikely(folio_mapped(folio))) hugetlb_unmap_file_folio(h, mapping, folio, index); - folio_lock(folio); /* * We must remove the folio from page cache before removing * the region/ reserve map (hugetlb_unreserve_pages). In _ Patches currently in -mm which might be from tujinjiang(a)huawei.com are

6 days, 21 hours

1
0
0 0

[failures] hugetlbfs-skip-vmas-without-shareable-locks-in-hugetlb_vmdelete_list.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: hugetlbfs: skip VMAs without shareable locks in hugetlb_vmdelete_list has been removed from the -mm tree. Its filename was hugetlbfs-skip-vmas-without-shareable-locks-in-hugetlb_vmdelete_list.patch This patch was dropped because it had testing failures ------------------------------------------------------ From: Deepanshu Kartikey <kartikey406(a)gmail.com> Subject: hugetlbfs: skip VMAs without shareable locks in hugetlb_vmdelete_list Date: Thu, 25 Sep 2025 20:19:32 +0530 hugetlb_vmdelete_list() uses trylock to acquire VMA locks during truncate operations. As per the original design in commit 40549ba8f8e0 ("hugetlb: use new vma_lock for pmd sharing synchronization"), if the trylock fails or the VMA has no lock, it should skip that VMA. Any remaining mapped pages are handled by remove_inode_hugepages() which is called after hugetlb_vmdelete_list() and uses proper lock ordering to guarantee unmapping success. Currently, when hugetlb_vma_trylock_write() returns success (1) for VMAs without shareable locks, the code proceeds to call unmap_hugepage_range(). This causes assertion failures in huge_pmd_unshare() �� hugetlb_vma_assert_locked() because no lock is actually held: WARNING: CPU: 1 PID: 6594 Comm: syz.0.28 Not tainted Call Trace: hugetlb_vma_assert_locked+0x1dd/0x250 huge_pmd_unshare+0x2c8/0x540 __unmap_hugepage_range+0x6e3/0x1aa0 unmap_hugepage_range+0x32e/0x410 hugetlb_vmdelete_list+0x189/0x1f0 Fix by explicitly skipping VMAs without shareable locks after trylock succeeds, consistent with the original design where such VMAs are deferred to remove_inode_hugepages() for proper handling. Link: https://lkml.kernel.org/r/20250925144934.150299-1-kartikey406@gmail.com Signed-off-by: Deepanshu Kartikey <kartikey406(a)gmail.com> Reported-by: syzbot+f26d7c75c26ec19790e7(a)syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=f26d7c75c26ec19790e7 Fixes: 40549ba8f8e0 ("hugetlb: use new vma_lock for pmd sharing synchronization") Tested-by: syzbot+f26d7c75c26ec19790e7(a)syzkaller.appspotmail.com Cc: David Hildenbrand <david(a)redhat.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/hugetlbfs/inode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/fs/hugetlbfs/inode.c~hugetlbfs-skip-vmas-without-shareable-locks-in-hugetlb_vmdelete_list +++ a/fs/hugetlbfs/inode.c @@ -487,7 +487,8 @@ hugetlb_vmdelete_list(struct rb_root_cac if (!hugetlb_vma_trylock_write(vma)) continue; - + if (!__vma_shareable_lock(vma)) + continue; v_start = vma_offset_start(vma, start); v_end = vma_offset_end(vma, end); _ Patches currently in -mm which might be from kartikey406(a)gmail.com are

6 days, 23 hours

1
0
0 0

[tip: timers/clocksource] clocksource/drivers/clps711x: Fix resource leaks in error paths

by tip-bot2 for Zhen Ni

The following commit has been merged into the timers/clocksource branch of tip: Commit-ID: cd32e596f02fc981674573402c1138f616df1728 Gitweb: https://git.kernel.org/tip/cd32e596f02fc981674573402c1138f616df1728 Author: Zhen Ni <zhen.ni(a)easystack.cn> AuthorDate: Thu, 14 Aug 2025 20:33:24 +08:00 Committer: Daniel Lezcano <daniel.lezcano(a)linaro.org> CommitterDate: Tue, 23 Sep 2025 12:42:27 +02:00 clocksource/drivers/clps711x: Fix resource leaks in error paths The current implementation of clps711x_timer_init() has multiple error paths that directly return without releasing the base I/O memory mapped via of_iomap(). Fix of_iomap leaks in error paths. Fixes: 04410efbb6bc ("clocksource/drivers/clps711x: Convert init function to return error") Fixes: 2a6a8e2d9004 ("clocksource/drivers/clps711x: Remove board support") Signed-off-by: Zhen Ni <zhen.ni(a)easystack.cn> Signed-off-by: Daniel Lezcano <daniel.lezcano(a)linaro.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250814123324.1516495-1-zhen.ni@easystack.cn --- drivers/clocksource/clps711x-timer.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/drivers/clocksource/clps711x-timer.c b/drivers/clocksource/clps711x-timer.c index e95fdc4..bbceb02 100644 --- a/drivers/clocksource/clps711x-timer.c +++ b/drivers/clocksource/clps711x-timer.c @@ -78,24 +78,33 @@ static int __init clps711x_timer_init(struct device_node *np) unsigned int irq = irq_of_parse_and_map(np, 0); struct clk *clock = of_clk_get(np, 0); void __iomem *base = of_iomap(np, 0); + int ret = 0; if (!base) return -ENOMEM; - if (!irq) - return -EINVAL; - if (IS_ERR(clock)) - return PTR_ERR(clock); + if (!irq) { + ret = -EINVAL; + goto unmap_io; + } + if (IS_ERR(clock)) { + ret = PTR_ERR(clock); + goto unmap_io; + } switch (of_alias_get_id(np, "timer")) { case CLPS711X_CLKSRC_CLOCKSOURCE: clps711x_clksrc_init(clock, base); break; case CLPS711X_CLKSRC_CLOCKEVENT: - return _clps711x_clkevt_init(clock, base, irq); + ret = _clps711x_clkevt_init(clock, base, irq); + break; default: - return -EINVAL; + ret = -EINVAL; + break; } - return 0; +unmap_io: + iounmap(base); + return ret; } TIMER_OF_DECLARE(clps711x, "cirrus,ep7209-timer", clps711x_timer_init);

6 days, 23 hours

1
0
0 0

[to-be-updated] mm-memblock-correct-totalram_pages-accounting-with-kmsan.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/memblock: correct totalram_pages accounting with KMSAN has been removed from the -mm tree. Its filename was mm-memblock-correct-totalram_pages-accounting-with-kmsan.patch This patch was dropped because an updated version will be issued ------------------------------------------------------ From: Alexander Potapenko <glider(a)google.com> Subject: mm/memblock: correct totalram_pages accounting with KMSAN Date: Wed, 24 Sep 2025 12:03:01 +0200 When KMSAN is enabled, `kmsan_memblock_free_pages()` can hold back pages for metadata instead of returning them to the early allocator. The callers, however, would unconditionally increment `totalram_pages`, assuming the pages were always freed. This resulted in an incorrect calculation of the total available RAM, causing the kernel to believe it had more memory than it actually did. This patch refactors `memblock_free_pages()` to return the number of pages it successfully frees. If KMSAN stashes the pages, the function now returns 0; otherwise, it returns the number of pages in the block. The callers in `memblock.c` have been updated to use this return value, ensuring that `totalram_pages` is incremented only by the number of pages actually returned to the allocator. This corrects the total RAM accounting when KMSAN is active. Link: https://lkml.kernel.org/r/20250924100301.1558645-1-glider@google.com Fixes: 3c2065098260 ("init: kmsan: call KMSAN initialization routines") Signed-off-by: Alexander Potapenko <glider(a)google.com> Reviewed-by: David Hildenbrand <david(a)redhat.com> Cc: Aleksandr Nogikh <nogikh(a)google.com> Cc: Dmitriy Vyukov <dvyukov(a)google.com> Cc: Marco Elver <elver(a)google.com> Cc: Markus Elfring <Markus.Elfring(a)web.de> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/internal.h | 4 ++-- mm/memblock.c | 21 +++++++++++---------- mm/mm_init.c | 9 +++++---- 3 files changed, 18 insertions(+), 16 deletions(-) --- a/mm/internal.h~mm-memblock-correct-totalram_pages-accounting-with-kmsan +++ a/mm/internal.h @@ -742,8 +742,8 @@ static inline void clear_zone_contiguous extern int __isolate_free_page(struct page *page, unsigned int order); extern void __putback_isolated_page(struct page *page, unsigned int order, int mt); -extern void memblock_free_pages(struct page *page, unsigned long pfn, - unsigned int order); +unsigned long memblock_free_pages(struct page *page, unsigned long pfn, + unsigned int order); extern void __free_pages_core(struct page *page, unsigned int order, enum meminit_context context); --- a/mm/memblock.c~mm-memblock-correct-totalram_pages-accounting-with-kmsan +++ a/mm/memblock.c @@ -1826,6 +1826,7 @@ void *__init __memblock_alloc_or_panic(p void __init memblock_free_late(phys_addr_t base, phys_addr_t size) { phys_addr_t cursor, end; + unsigned long freed_pages = 0; end = base + size - 1; memblock_dbg("%s: [%pa-%pa] %pS\n", @@ -1834,10 +1835,9 @@ void __init memblock_free_late(phys_addr cursor = PFN_UP(base); end = PFN_DOWN(base + size); - for (; cursor < end; cursor++) { - memblock_free_pages(pfn_to_page(cursor), cursor, 0); - totalram_pages_inc(); - } + for (; cursor < end; cursor++) + freed_pages += memblock_free_pages(pfn_to_page(cursor), cursor, 0); + totalram_pages_add(freed_pages); } /* @@ -2259,9 +2259,11 @@ static void __init free_unused_memmap(vo #endif } -static void __init __free_pages_memory(unsigned long start, unsigned long end) +static unsigned long __init __free_pages_memory(unsigned long start, + unsigned long end) { int order; + unsigned long freed = 0; while (start < end) { /* @@ -2279,14 +2281,15 @@ static void __init __free_pages_memory(u while (start + (1UL << order) > end) order--; - memblock_free_pages(pfn_to_page(start), start, order); + freed += memblock_free_pages(pfn_to_page(start), start, order); start += (1UL << order); } + return freed; } static unsigned long __init __free_memory_core(phys_addr_t start, - phys_addr_t end) + phys_addr_t end) { unsigned long start_pfn = PFN_UP(start); unsigned long end_pfn = PFN_DOWN(end); @@ -2297,9 +2300,7 @@ static unsigned long __init __free_memor if (start_pfn >= end_pfn) return 0; - __free_pages_memory(start_pfn, end_pfn); - - return end_pfn - start_pfn; + return __free_pages_memory(start_pfn, end_pfn); } static void __init memmap_init_reserved_pages(void) --- a/mm/mm_init.c~mm-memblock-correct-totalram_pages-accounting-with-kmsan +++ a/mm/mm_init.c @@ -2547,24 +2547,25 @@ void *__init alloc_large_system_hash(con return table; } -void __init memblock_free_pages(struct page *page, unsigned long pfn, - unsigned int order) +unsigned long __init memblock_free_pages(struct page *page, unsigned long pfn, + unsigned int order) { if (IS_ENABLED(CONFIG_DEFERRED_STRUCT_PAGE_INIT)) { int nid = early_pfn_to_nid(pfn); if (!early_page_initialised(pfn, nid)) - return; + return 0; } if (!kmsan_memblock_free_pages(page, order)) { /* KMSAN will take care of these pages. */ - return; + return 0; } /* pages were reserved and not allocated */ clear_page_tag_ref(page); __free_pages_core(page, order, MEMINIT_EARLY); + return 1UL << order; } DEFINE_STATIC_KEY_MAYBE(CONFIG_INIT_ON_ALLOC_DEFAULT_ON, init_on_alloc); _ Patches currently in -mm which might be from glider(a)google.com are

1 week

1
0
0 0

+ hugetlbfs-skip-vmas-without-shareable-locks-in-hugetlb_vmdelete_list.patch added to mm-new branch

by Andrew Morton

The patch titled Subject: hugetlbfs: skip VMAs without shareable locks in hugetlb_vmdelete_list has been added to the -mm mm-new branch. Its filename is hugetlbfs-skip-vmas-without-shareable-locks-in-hugetlb_vmdelete_list.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-new branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Note, mm-new is a provisional staging ground for work-in-progress patches, and acceptance into mm-new is a notification for others take notice and to finish up reviews. Please do not hesitate to respond to review feedback and post updated versions to replace or incrementally fixup patches in mm-new. Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Deepanshu Kartikey <kartikey406(a)gmail.com> Subject: hugetlbfs: skip VMAs without shareable locks in hugetlb_vmdelete_list Date: Thu, 25 Sep 2025 20:19:32 +0530 hugetlb_vmdelete_list() uses trylock to acquire VMA locks during truncate operations. As per the original design in commit 40549ba8f8e0 ("hugetlb: use new vma_lock for pmd sharing synchronization"), if the trylock fails or the VMA has no lock, it should skip that VMA. Any remaining mapped pages are handled by remove_inode_hugepages() which is called after hugetlb_vmdelete_list() and uses proper lock ordering to guarantee unmapping success. Currently, when hugetlb_vma_trylock_write() returns success (1) for VMAs without shareable locks, the code proceeds to call unmap_hugepage_range(). This causes assertion failures in huge_pmd_unshare() �� hugetlb_vma_assert_locked() because no lock is actually held: WARNING: CPU: 1 PID: 6594 Comm: syz.0.28 Not tainted Call Trace: hugetlb_vma_assert_locked+0x1dd/0x250 huge_pmd_unshare+0x2c8/0x540 __unmap_hugepage_range+0x6e3/0x1aa0 unmap_hugepage_range+0x32e/0x410 hugetlb_vmdelete_list+0x189/0x1f0 Fix by explicitly skipping VMAs without shareable locks after trylock succeeds, consistent with the original design where such VMAs are deferred to remove_inode_hugepages() for proper handling. Link: https://lkml.kernel.org/r/20250925144934.150299-1-kartikey406@gmail.com Signed-off-by: Deepanshu Kartikey <kartikey406(a)gmail.com> Reported-by: syzbot+f26d7c75c26ec19790e7(a)syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=f26d7c75c26ec19790e7 Fixes: 40549ba8f8e0 ("hugetlb: use new vma_lock for pmd sharing synchronization") Tested-by: syzbot+f26d7c75c26ec19790e7(a)syzkaller.appspotmail.com Cc: David Hildenbrand <david(a)redhat.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/hugetlbfs/inode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/fs/hugetlbfs/inode.c~hugetlbfs-skip-vmas-without-shareable-locks-in-hugetlb_vmdelete_list +++ a/fs/hugetlbfs/inode.c @@ -487,7 +487,8 @@ hugetlb_vmdelete_list(struct rb_root_cac if (!hugetlb_vma_trylock_write(vma)) continue; - + if (!__vma_shareable_lock(vma)) + continue; v_start = vma_offset_start(vma, start); v_end = vma_offset_end(vma, end); _ Patches currently in -mm which might be from kartikey406(a)gmail.com are hugetlbfs-skip-vmas-without-shareable-locks-in-hugetlb_vmdelete_list.patch

1 week

1
0
0 0

Gratulujeme, ponuka daru

by Kristine Wellenstein Charity

1 week

1
0
0 0

[PATCH v2] fs/proc: check p->vec_buf for NULL

by Jakub Acs

When PAGEMAP_SCAN ioctl invoked with vec_len = 0 reaches pagemap_scan_backout_range(), kernel panics with null-ptr-deref: [ 44.936808] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 44.937797] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 44.938391] CPU: 1 UID: 0 PID: 2480 Comm: reproducer Not tainted 6.17.0-rc6 #22 PREEMPT(none) [ 44.939062] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 44.939935] RIP: 0010:pagemap_scan_thp_entry.isra.0+0x741/0xa80 <snip registers, unreliable trace> [ 44.946828] Call Trace: [ 44.947030] <TASK> [ 44.949219] pagemap_scan_pmd_entry+0xec/0xfa0 [ 44.952593] walk_pmd_range.isra.0+0x302/0x910 [ 44.954069] walk_pud_range.isra.0+0x419/0x790 [ 44.954427] walk_p4d_range+0x41e/0x620 [ 44.954743] walk_pgd_range+0x31e/0x630 [ 44.955057] __walk_page_range+0x160/0x670 [ 44.956883] walk_page_range_mm+0x408/0x980 [ 44.958677] walk_page_range+0x66/0x90 [ 44.958984] do_pagemap_scan+0x28d/0x9c0 [ 44.961833] do_pagemap_cmd+0x59/0x80 [ 44.962484] __x64_sys_ioctl+0x18d/0x210 [ 44.962804] do_syscall_64+0x5b/0x290 [ 44.963111] entry_SYSCALL_64_after_hwframe+0x76/0x7e vec_len = 0 in pagemap_scan_init_bounce_buffer() means no buffers are allocated and p->vec_buf remains set to NULL. This breaks an assumption made later in pagemap_scan_backout_range(), that page_region is always allocated for p->vec_buf_index. Fix it by explicitly checking p->vec_buf for NULL before dereferencing. Other sites that might run into same deref-issue are already (directly or transitively) protected by checking p->vec_buf. Note: From PAGEMAP_SCAN man page, it seems vec_len = 0 is valid when no output is requested and it's only the side effects caller is interested in, hence it passes check in pagemap_scan_get_args(). This issue was found by syzkaller. Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs") Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Jinjiang Tu <tujinjiang(a)huawei.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Penglei Jiang <superman.xpt(a)gmail.com> Cc: Mark Brown <broonie(a)kernel.org> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Andrei Vagin <avagin(a)gmail.com> Cc: "Michał Mirosław" <mirq-linux(a)rere.qmqm.pl> Cc: Stephen Rothwell <sfr(a)canb.auug.org.au> Cc: Muhammad Usama Anjum <usama.anjum(a)collabora.com> Cc: linux-kernel(a)vger.kernel.org Cc: linux-fsdevel(a)vger.kernel.org Cc: stable(a)vger.kernel.org --- fs/proc/task_mmu.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c index 29cca0e6d0ff..b26ae556b446 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -2417,6 +2417,9 @@ static void pagemap_scan_backout_range(struct pagemap_scan_private *p, { struct page_region *cur_buf = &p->vec_buf[p->vec_buf_index]; + if (!p->vec_buf) + return; + if (cur_buf->start != addr) cur_buf->end = addr; else -- 2.47.3 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christian Schlaeger Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597

1 week

3
2
0 0

[PATCH] PCI: tegra: Convert struct tegra_msi mask_lock into raw spinlock

by Marek Vasut

The tegra_msi_irq_unmask() function may be called from a PCI driver request_threaded_irq() function. This triggers kernel/irq/manage.c __setup_irq() which locks raw spinlock &desc->lock descriptor lock and with that descriptor lock held, calls tegra_msi_irq_unmask(). Since the &desc->lock descriptor lock is a raw spinlock , and the tegra_msi .mask_lock is not a raw spinlock, this setup triggers 'BUG: Invalid wait context' with CONFIG_PROVE_RAW_LOCK_NESTING=y . Use scoped_guard() to simplify the locking. Fixes: 2c99e55f7955 ("PCI: tegra: Convert to MSI domains") Cc: stable(a)vger.kernel.org Reported-by: Geert Uytterhoeven <geert+renesas(a)glider.be> Signed-off-by: Marek Vasut <marek.vasut+renesas(a)mailbox.org> --- Cc: "Krzysztof Wilczyński" <kwilczynski(a)kernel.org> Cc: Bjorn Helgaas <bhelgaas(a)google.com> Cc: Jonathan Hunter <jonathanh(a)nvidia.com> Cc: Lorenzo Pieralisi <lpieralisi(a)kernel.org> Cc: Manivannan Sadhasivam <mani(a)kernel.org> Cc: Rob Herring <robh(a)kernel.org> Cc: Thierry Reding <thierry.reding(a)gmail.com> Cc: linux-kernel(a)vger.kernel.org Cc: linux-pci(a)vger.kernel.org Cc: linux-tegra(a)vger.kernel.org --- NOTE: I don't have tegra hardware to test, this is based on input from Geert https://patchwork.kernel.org/project/linux-pci/patch/20250909162707.13927-2… --- drivers/pci/controller/pci-tegra.c | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/drivers/pci/controller/pci-tegra.c b/drivers/pci/controller/pci-tegra.c index bb88767a37979..942ddfca3bf6b 100644 --- a/drivers/pci/controller/pci-tegra.c +++ b/drivers/pci/controller/pci-tegra.c @@ -14,6 +14,7 @@ */ #include <linux/clk.h> +#include <linux/cleanup.h> #include <linux/debugfs.h> #include <linux/delay.h> #include <linux/export.h> @@ -270,7 +271,7 @@ struct tegra_msi { DECLARE_BITMAP(used, INT_PCI_MSI_NR); struct irq_domain *domain; struct mutex map_lock; - spinlock_t mask_lock; + raw_spinlock_t mask_lock; void *virt; dma_addr_t phys; int irq; @@ -1581,14 +1582,13 @@ static void tegra_msi_irq_mask(struct irq_data *d) struct tegra_msi *msi = irq_data_get_irq_chip_data(d); struct tegra_pcie *pcie = msi_to_pcie(msi); unsigned int index = d->hwirq / 32; - unsigned long flags; u32 value; - spin_lock_irqsave(&msi->mask_lock, flags); - value = afi_readl(pcie, AFI_MSI_EN_VEC(index)); - value &= ~BIT(d->hwirq % 32); - afi_writel(pcie, value, AFI_MSI_EN_VEC(index)); - spin_unlock_irqrestore(&msi->mask_lock, flags); + scoped_guard(raw_spinlock_irqsave, &msi->mask_lock) { + value = afi_readl(pcie, AFI_MSI_EN_VEC(index)); + value &= ~BIT(d->hwirq % 32); + afi_writel(pcie, value, AFI_MSI_EN_VEC(index)); + } } static void tegra_msi_irq_unmask(struct irq_data *d) @@ -1596,14 +1596,13 @@ static void tegra_msi_irq_unmask(struct irq_data *d) struct tegra_msi *msi = irq_data_get_irq_chip_data(d); struct tegra_pcie *pcie = msi_to_pcie(msi); unsigned int index = d->hwirq / 32; - unsigned long flags; u32 value; - spin_lock_irqsave(&msi->mask_lock, flags); - value = afi_readl(pcie, AFI_MSI_EN_VEC(index)); - value |= BIT(d->hwirq % 32); - afi_writel(pcie, value, AFI_MSI_EN_VEC(index)); - spin_unlock_irqrestore(&msi->mask_lock, flags); + scoped_guard(raw_spinlock_irqsave, &msi->mask_lock) { + value = afi_readl(pcie, AFI_MSI_EN_VEC(index)); + value |= BIT(d->hwirq % 32); + afi_writel(pcie, value, AFI_MSI_EN_VEC(index)); + } } static void tegra_compose_msi_msg(struct irq_data *data, struct msi_msg *msg) @@ -1711,7 +1710,7 @@ static int tegra_pcie_msi_setup(struct tegra_pcie *pcie) int err; mutex_init(&msi->map_lock); - spin_lock_init(&msi->mask_lock); + raw_spin_lock_init(&msi->mask_lock); if (IS_ENABLED(CONFIG_PCI_MSI)) { err = tegra_allocate_domains(msi); -- 2.51.0

1 week

2
1
0 0

[PATCH v3] nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()

by Guangshuo Li

devm_kcalloc() may fail. ndtest_probe() allocates three DMA address arrays (dcr_dma, label_dma, dimm_dma) and later unconditionally uses them in ndtest_nvdimm_init(), which can lead to a NULL pointer dereference under low-memory conditions. Check all three allocations and return -ENOMEM if any allocation fails, jumping to the common error path. Do not emit an extra error message since the allocator already warns on allocation failure. Fixes: 9399ab61ad82 ("ndtest: Add dimms to the two buses") Cc: stable(a)vger.kernel.org Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- changelog: v3: - Add NULL checks for all three devm_kcalloc() calls and goto the common error label on failure. v2: - Drop pr_err() on allocation failure; only NULL-check and return -ENOMEM. - No other changes. --- tools/testing/nvdimm/test/ndtest.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/tools/testing/nvdimm/test/ndtest.c b/tools/testing/nvdimm/test/ndtest.c index 68a064ce598c..8e3b6be53839 100644 --- a/tools/testing/nvdimm/test/ndtest.c +++ b/tools/testing/nvdimm/test/ndtest.c @@ -850,11 +850,22 @@ static int ndtest_probe(struct platform_device *pdev) p->dcr_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR, sizeof(dma_addr_t), GFP_KERNEL); + if (!p->dcr_dma) { + rc = -ENOMEM; + goto err; + } p->label_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR, sizeof(dma_addr_t), GFP_KERNEL); + if (!p->label_dma) { + rc = -ENOMEM; + goto err; + } p->dimm_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR, sizeof(dma_addr_t), GFP_KERNEL); - + if (!p->dimm_dma) { + rc = -ENOMEM; + goto err; + } rc = ndtest_nvdimm_init(p); if (rc) goto err; -- 2.43.0

1 week

4
3
0 0

[GIT PULL] virtio,vhost: last minute fixes

by Michael S. Tsirkin

I have a couple more fixes I'm testing but the issues have been with us for a long time, and they come from code review not from the field IIUC so no rush I think. The following changes since commit 76eeb9b8de9880ca38696b2fb56ac45ac0a25c6c: Linux 6.17-rc5 (2025-09-07 14:22:57 -0700) are available in the Git repository at: https://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost.git tags/for_linus for you to fetch changes up to cde7e7c3f8745a61458cea61aa28f37c3f5ae2b4: MAINTAINERS, mailmap: Update address for Peter Hilber (2025-09-21 17:44:20 -0400) ---------------------------------------------------------------- virtio,vhost: last minute fixes More small fixes. Most notably this fixes crashes and hangs in vhost-net. Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> ---------------------------------------------------------------- Alok Tiwari (1): vhost-scsi: fix argument order in tport allocation error message Alyssa Ross (1): virtio_config: clarify output parameters Ashwini Sahu (1): uapi: vduse: fix typo in comment Jason Wang (2): vhost-net: unbreak busy polling vhost-net: flush batched before enabling notifications Michael S. Tsirkin (1): Revert "vhost/net: Defer TX queue re-enable until after sendmsg" Peter Hilber (1): MAINTAINERS, mailmap: Update address for Peter Hilber Sebastian Andrzej Siewior (1): vhost: Take a reference on the task in struct vhost_task. .mailmap | 1 + MAINTAINERS | 2 +- drivers/vhost/net.c | 40 +++++++++++++++++----------------------- drivers/vhost/scsi.c | 2 +- include/linux/virtio_config.h | 11 ++++++----- include/uapi/linux/vduse.h | 2 +- kernel/vhost_task.c | 3 ++- 7 files changed, 29 insertions(+), 32 deletions(-)

1 week

2
1
0 0

[PATCH v6 1/4] PCI: dwc: Remove the L1SS check before putting the link into L2

by Richard Zhu

The ASPM configuration shouldn't leak out here. Remove the L1SS check during L2 entry. Cc: stable(a)vger.kernel.org Fixes: 4774faf854f5 ("PCI: dwc: Implement generic suspend/resume functionality") Suggested-by: Bjorn Helgaas <helgaas(a)kernel.org> Signed-off-by: Richard Zhu <hongxing.zhu(a)nxp.com> --- drivers/pci/controller/dwc/pcie-designware-host.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/drivers/pci/controller/dwc/pcie-designware-host.c b/drivers/pci/controller/dwc/pcie-designware-host.c index 952f8594b501..9d46d1f0334b 100644 --- a/drivers/pci/controller/dwc/pcie-designware-host.c +++ b/drivers/pci/controller/dwc/pcie-designware-host.c @@ -1005,17 +1005,9 @@ static int dw_pcie_pme_turn_off(struct dw_pcie *pci) int dw_pcie_suspend_noirq(struct dw_pcie *pci) { - u8 offset = dw_pcie_find_capability(pci, PCI_CAP_ID_EXP); u32 val; int ret; - /* - * If L1SS is supported, then do not put the link into L2 as some - * devices such as NVMe expect low resume latency. - */ - if (dw_pcie_readw_dbi(pci, offset + PCI_EXP_LNKCTL) & PCI_EXP_LNKCTL_ASPM_L1) - return 0; - if (pci->pp.ops->pme_turn_off) { pci->pp.ops->pme_turn_off(&pci->pp); } else { -- 2.37.1

1 week

3
4
0 0

[PATCH v2 1/3] PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq()

by Niklas Cassel

The pci_epc_raise_irq() supplies a MSI or MSI-X interrupt number in range (1-N), see kdoc for pci_epc_raise_irq(). Thus, for MSI pci_epc_raise_irq() will supply interrupt number 1-32. Convert the interrupt number to an MSI vector. With this, the PCI endpoint kselftest test case MSI_TEST passes. Also, set msi_capable to true, as the driver obviously supports MSI. This helps pci_endpoint_test to use the optimal IRQ type when using PCITEST_IRQ_TYPE_AUTO. Cc: stable(a)vger.kernel.org Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194") Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- drivers/pci/controller/dwc/pcie-tegra194.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c index 7c295ec6f0f16..63d310e5335f4 100644 --- a/drivers/pci/controller/dwc/pcie-tegra194.c +++ b/drivers/pci/controller/dwc/pcie-tegra194.c @@ -1969,10 +1969,10 @@ static int tegra_pcie_ep_raise_intx_irq(struct tegra_pcie_dw *pcie, u16 irq) static int tegra_pcie_ep_raise_msi_irq(struct tegra_pcie_dw *pcie, u16 irq) { - if (unlikely(irq > 31)) + if (unlikely(irq > 32)) return -EINVAL; - appl_writel(pcie, BIT(irq), APPL_MSI_CTRL_1); + appl_writel(pcie, BIT(irq - 1), APPL_MSI_CTRL_1); return 0; } @@ -2012,6 +2012,7 @@ static int tegra_pcie_ep_raise_irq(struct dw_pcie_ep *ep, u8 func_no, static const struct pci_epc_features tegra_pcie_epc_features = { .linkup_notifier = true, + .msi_capable = true, .bar[BAR_0] = { .type = BAR_FIXED, .fixed_size = SZ_1M, .only_64bit = true, }, .bar[BAR_1] = { .type = BAR_RESERVED, }, -- 2.51.0

1 week

2
3
0 0

Re: Patch "firewire: core: fix overlooked update of subsystem ABI version" has been added to the 6.1/5.15/5.10/5.4-stable tree

by Takashi Sakamoto

Hi Sasha, As the commit message notice, this patch should not be applied to kernel v6.4 or before. I would like you to exclude this from your queue for the following versions: * Patch "firewire: core: fix overlooked update of subsystem ABI version" has been added to the 5.4-stable tree * Patch "firewire: core: fix overlooked update of subsystem ABI version" has been added to the 5.10-stable tree * Patch "firewire: core: fix overlooked update of subsystem ABI version" has been added to the 5.15-stable tree * Patch "firewire: core: fix overlooked update of subsystem ABI version" has been added to the 6.1-stable tree Thankss Takashi Sakamoto On Thu, Sep 25, 2025 at 07:33:23AM -0400, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > firewire: core: fix overlooked update of subsystem ABI version > > to the 6.1-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > firewire-core-fix-overlooked-update-of-subsystem-abi.patch > and it can be found in the queue-6.1 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit bbb4ab1d7b1ad7fff7a85aa9144d0edc5a70bacc > Author: Takashi Sakamoto <o-takashi(a)sakamocchi.jp> > Date: Sat Sep 20 11:51:48 2025 +0900 > > firewire: core: fix overlooked update of subsystem ABI version > > [ Upstream commit 853a57ba263adfecf4430b936d6862bc475b4bb5 ] > > In kernel v6.5, several functions were added to the cdev layer. This > required updating the default version of subsystem ABI up to 6, but > this requirement was overlooked. > > This commit updates the version accordingly. > > Fixes: 6add87e9764d ("firewire: cdev: add new version of ABI to notify time stamp at request/response subaction of transaction#") > Link: https://lore.kernel.org/r/20250920025148.163402-1-o-takashi@sakamocchi.jp > Signed-off-by: Takashi Sakamoto <o-takashi(a)sakamocchi.jp> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c > index 958aa4662ccb0..5cb0059f57e6b 100644 > --- a/drivers/firewire/core-cdev.c > +++ b/drivers/firewire/core-cdev.c > @@ -39,7 +39,7 @@ > /* > * ABI version history is documented in linux/firewire-cdev.h. > */ > -#define FW_CDEV_KERNEL_VERSION 5 > +#define FW_CDEV_KERNEL_VERSION 6 > #define FW_CDEV_VERSION_EVENT_REQUEST2 4 > #define FW_CDEV_VERSION_ALLOCATE_REGION_END 4 > #define FW_CDEV_VERSION_AUTO_FLUSH_ISO_OVERFLOW 5

1 week

2
1
0 0

[PATCH] i2c: microchip: pci1xxxx: bound-check SMBus block read length

by Guangshuo Li

The SMBus block read path trusts the device-provided count byte and copies that many bytes from the master buffer: buf[0] = readb(p3); read_count = buf[0]; memcpy_fromio(&buf[1], p3 + 1, read_count); Without validating 'read_count', a malicious or misbehaving device can cause an out-of-bounds write to the caller's buffer and may also trigger out-of-range MMIO reads beyond the controller's buffer window. SMBus Block Read returns up to 32 data bytes as per the kernel documentation, so clamp the length to [1, I2C_SMBUS_BLOCK_MAX], verify the caller's buffer has at least 'read_count + 1' bytes available, and defensively ensure it does not exceed the controller buffer. Also break out of the chunking loop after a successful SMBus read. Return -EPROTO for invalid counts and -EMSGSIZE when the provided buffer is too small. Fixes: 361693697249 ("i2c: microchip: pci1xxxx: Add driver for I2C host controller in multifunction endpoint of pci1xxxx switch") Cc: stable(a)vger.kernel.org Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- drivers/i2c/busses/i2c-mchp-pci1xxxx.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/drivers/i2c/busses/i2c-mchp-pci1xxxx.c b/drivers/i2c/busses/i2c-mchp-pci1xxxx.c index 5ef136c3ecb1..2307c8ec2dc7 100644 --- a/drivers/i2c/busses/i2c-mchp-pci1xxxx.c +++ b/drivers/i2c/busses/i2c-mchp-pci1xxxx.c @@ -880,7 +880,22 @@ static int pci1xxxx_i2c_read(struct pci1xxxx_i2c *i2c, u8 slaveaddr, } if (i2c->flags & I2C_FLAGS_SMB_BLK_READ) { - buf[0] = readb(p3); + u8 cnt = readb(p3); + + if (!cnt || cnt > I2C_SMBUS_BLOCK_MAX) { + retval = -EPROTO; + goto cleanup; + } + if (cnt > total_len - 1) { + retval = -EMSGSIZE; + goto cleanup; + } + if (cnt > (SMBUS_BUF_MAX_SIZE - 1)) { + retval = -EOVERFLOW; + goto cleanup; + } + + buf[0] = cnt; read_count = buf[0]; memcpy_fromio(&buf[1], p3 + 1, read_count); } else { -- 2.43.0

1 week

1
0
0 0

[PATCH 6.1 000/132] 6.1.143-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.143 release. There are 132 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat, 05 Jul 2025 14:39:10 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.143-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.143-rc1 Dev Jain <dev.jain(a)arm.com> arm64: Restrict pagetable teardown to avoid false warning Sibi Sankar <quic_sibis(a)quicinc.com> firmware: arm_scmi: Ensure that the message-id supports fastchannel Cristian Marussi <cristian.marussi(a)arm.com> firmware: arm_scmi: Add a common helper to check if a message is supported Pavel Begunkov <asml.silence(a)gmail.com> io_uring/kbuf: account ring io_buffer_list memory Jens Axboe <axboe(a)kernel.dk> nvme: always punt polled uring_cmd end_io work to task_work Brett A C Sheffield (Librecast) <bacs(a)librecast.net> Revert "ipv6: save dontfrag in cork" Nathan Chancellor <nathan(a)kernel.org> x86/tools: Drop duplicate unlikely() definition in insn_decoder_test.c Sergio González Collado <sergio.collado(a)gmail.com> Kunit to check the longest symbol length Heiko Carstens <hca(a)linux.ibm.com> s390/entry: Fix last breaking event handling in case of stack corruption Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Rollback non processed entities on error Michael Chan <michael.chan(a)broadcom.com> bnxt_en: Fix W=stringop-overflow warning in bnxt_dcb.c Michael Chan <michael.chan(a)broadcom.com> bnxt_en: Fix W=1 warning in bnxt_dcb.c from fortify memcpy() Jakub Kicinski <kuba(a)kernel.org> eth: bnxt: fix one of the W=1 warnings about fortified memcpy() Chen Ni <nichen(a)iscas.ac.cn> fbdev: hyperv_fb: Convert comma to semicolon Gustavo A. R. Silva <gustavoars(a)kernel.org> fs: omfs: Use flexible-array member in struct omfs_extent Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: remove unsafe_memcpy use in session setup Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: Use unsafe_memcpy() for ntlm_negotiate Frank Min <Frank.Min(a)amd.com> drm/amdgpu: Add kicker device detection John Olender <john.olender(a)gmail.com> drm/amdgpu: amdgpu_vram_mgr_new(): Clamp lpfn to total vram Wentao Liang <vulab(a)iscas.ac.cn> drm/amd/display: Add null pointer check for get_first_active_display() Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Check return value when getting default PHY config Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix connecting to next bridge Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix phy de-init and flag it so Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() Jay Cornwall <jay.cornwall(a)amd.com> drm/amdkfd: Fix race in GWS queue scheduling Stephan Gerhold <stephan.gerhold(a)linaro.org> drm/msm/gpu: Fix crash when throttling GPU immediately during boot Thomas Zimmermann <tzimmermann(a)suse.de> drm/udl: Unregister device before cleaning up on disconnect Qiu-ji Chen <chenqiuji666(a)gmail.com> drm/tegra: Fix a possible null pointer dereference Thierry Reding <treding(a)nvidia.com> drm/tegra: Assign plane type before registration Maíra Canal <mcanal(a)igalia.com> drm/etnaviv: Protect the scheduler's pending list with its lock Chen Yu <yu.c.chen(a)intel.com> scsi: megaraid_sas: Fix invalid node index Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix kobject reference count leak Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix memory leak on sysfs attribute creation failure Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix memory leak on kobject creation failure Iusico Maxim <iusico.maxim(a)libero.it> HID: lenovo: Restrict F7/9/11 mode to compact keyboards only Mark Harmstone <maharmstone(a)fb.com> btrfs: update superblock's device bytes_used when dropping chunk Filipe Manana <fdmanana(a)suse.com> btrfs: fix a race between renames and directory logging Heinz Mauelshagen <heinzm(a)redhat.com> dm-raid: fix variable in journal device check Frédéric Danis <frederic.danis(a)collabora.com> Bluetooth: L2CAP: Fix L2CAP MTU negotiation Fabio Estevam <festevam(a)gmail.com> serial: imx: Restore original RXTL for console to fix data loss Yao Zi <ziyao(a)disroot.org> dt-bindings: serial: 8250: Make clocks and clock-frequency exclusive Nathan Chancellor <nathan(a)kernel.org> staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() Jayesh Choudhary <j-choudhary(a)ti.com> drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type Wolfram Sang <wsa+renesas(a)sang-engineering.com> drm/bridge: ti-sn65dsi86: make use of debugfs_init callback Jakub Kicinski <kuba(a)kernel.org> net: selftests: fix TCP packet checksum Salvatore Bonaccorso <carnil(a)debian.org> ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR Kuniyuki Iwashima <kuniyu(a)google.com> atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). Simon Horman <horms(a)kernel.org> net: enetc: Correct endianness handling in _enetc_rd_reg64 Tiwei Bie <tiwei.btw(a)antgroup.com> um: ubd: Add missing error check in start_io_thread() Stefano Garzarella <sgarzare(a)redhat.com> vsock/uapi: fix linux/vm_sockets.h userspace compilation errors Kuniyuki Iwashima <kuniyu(a)google.com> af_unix: Don't set -ECONNRESET for consumed OOB skb. Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: fix beacon interval calculation overflow Yuan Chen <chenyuan(a)kylinos.cn> libbpf: Fix null pointer dereference in btf_dump__free on allocation failure Al Viro <viro(a)zeniv.linux.org.uk> attach_recursive_mnt(): do not lock the covering tree when sliding something under it Youngjun Lee <yjjuny.lee(a)samsung.com> ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() Eric Dumazet <edumazet(a)google.com> atm: clip: prevent NULL deref in clip_push() Imre Deak <imre.deak(a)intel.com> drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS Fedor Pchelkin <pchelkin(a)ispras.ru> s390/pkey: Prevent overflow in size calculation for memdup_user() Oliver Schramm <oliver.schramm97(a)gmail.com> ASoC: amd: yc: Add DMI quirk for Lenovo IdeaPad Slim 5 15 Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: robotfuzz-osif: disable zero-length read messages Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: tiny-usb: disable zero-length read messages Kuniyuki Iwashima <kuniyu(a)google.com> af_unix: Don't leave consecutive consumed OOB skbs. Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Don't call skb_get() for OOB skb. Thomas Zimmermann <tzimmermann(a)suse.de> dummycon: Trigger redraw when switching consoles with deferred takeover Jiri Slaby (SUSE) <jirislaby(a)kernel.org> tty: vt: make consw::con_switch() return a bool Jiri Slaby (SUSE) <jirislaby(a)kernel.org> tty: vt: sanitize arguments of consw::con_clear() Jiri Slaby (SUSE) <jirislaby(a)kernel.org> tty: vt: make init parameter of consw::con_init() a bool Jiri Slaby (SUSE) <jirislaby(a)kernel.org> vgacon: remove unneeded forward declarations Jiri Slaby (SUSE) <jirislaby(a)kernel.org> vgacon: switch vgacon_scrolldelta() and vgacon_restore_screen() Janne Grunau <j(a)jannau.net> PCI: apple: Set only available ports up Zhang Zekun <zhangzekun11(a)huawei.com> PCI: apple: Use helper function for_each_child_of_node_scoped() Long Li <longli(a)microsoft.com> uio_hv_generic: Align ring size to system page Saurabh Sengar <ssengar(a)linux.microsoft.com> uio_hv_generic: Query the ringbuffer size for device Saurabh Sengar <ssengar(a)linux.microsoft.com> Drivers: hv: vmbus: Add utility function for querying ring size Long Li <longli(a)microsoft.com> Drivers: hv: Allocate interrupt and monitor pages aligned to system page boundary Rick Edgecombe <rick.p.edgecombe(a)intel.com> Drivers: hv: vmbus: Leak pages if set_memory_encrypted() fails Kameron Carr <kameroncarr(a)linux.microsoft.com> Drivers: hv: Change hv_free_hyperv_page() to take void * argument Long Li <longli(a)microsoft.com> Drivers: hv: move panic report code from vmbus to hv early init code Michael Kelley <mikelley(a)microsoft.com> Drivers: hv: vmbus: Remove second mapping of VMBus monitor pages Guilherme G. Piccoli <gpiccoli(a)igalia.com> drivers: hv, hyperv_fb: Untangle and refactor Hyper-V panic notifiers Murad Masimov <m.masimov(a)mt-integration.ru> fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var Chao Yu <chao(a)kernel.org> f2fs: don't over-report free space or inodes in statvfs Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: codecs: wcd9335: Fix missing free of regulator supplies Peng Fan <peng.fan(a)nxp.com> ASoC: codec: wcd9335: Convert to GPIO descriptors Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: codecs: wcd9335: Handle nicer probe deferral and simplify with dev_err_probe() Ming Qian <ming.qian(a)oss.nxp.com> media: imx-jpeg: Cleanup after an allocation error Ming Qian <ming.qian(a)oss.nxp.com> media: imx-jpeg: Reset slot data pointers when freed Ming Qian <ming.qian(a)oss.nxp.com> media: imx-jpeg: Move mxc_jpeg_free_slot_data() ahead Ming Qian <ming.qian(a)nxp.com> media: imx-jpeg: Support to assign slot for encoder/decoder Ming Qian <ming.qian(a)nxp.com> media: imx-jpeg: Add a timeout mechanism for each frame Jason Wang <wangborong(a)cdjrlc.com> media: imx-jpeg: Remove unnecessary memset() after dma_alloc_coherent() Vasiliy Kovalev <kovalev(a)altlinux.org> jfs: validate AG parameters in dbMount() to prevent crashes Dave Kleikamp <dave.kleikamp(a)oracle.com> fs/jfs: consolidate sanity checking in dbMount Joonas Lahtinen <joonas.lahtinen(a)linux.intel.com> Revert "drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1" Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1 Qu Wenruo <wqu(a)suse.com> btrfs: handle csum tree error with rescue=ibadroots correctly Kees Cook <kees(a)kernel.org> ovl: Check for NULL d_inode() in ovl_dentry_upper() Dmitry Kandybka <d.kandybka(a)gmail.com> ceph: fix possible integer overflow in ceph_zero_objects() Mario Limonciello <mario.limonciello(a)amd.com> ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> ALSA: hda: Add new pci id for AMD GPU display HD audio controller Cezary Rojewski <cezary.rojewski(a)intel.com> ALSA: hda: Ignore unsol events for cards being shut down Michael Grzeschik <m.grzeschik(a)pengutronix.de> usb: typec: mux: do not return on EOPNOTSUPP in {mux, switch}_set Jos Wang <joswang(a)lenovo.com> usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode Robert Hodaszi <robert.hodaszi(a)digi.com> usb: cdc-wdm: avoid setting WDM_READ for ZLP-s Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> usb: Add checks for snprintf() calls in usb_alloc_dev() Chance Yang <chance.yang(a)kneron.us> usb: common: usb-conn-gpio: use a unique name for usb connector device Jakub Lewalski <jakub.lewalski(a)nokia.com> tty: serial: uartlite: register uart driver in init Chen Yufeng <chenyufeng(a)iie.ac.cn> usb: potential integer overflow in usbg_make_tpg() Purva Yeshi <purvayeshi550(a)gmail.com> iio: adc: ad_sigma_delta: Fix use of uninitialized status_pos Michael Grzeschik <m.grzeschik(a)pengutronix.de> usb: dwc2: also exit clock_gating when stopping udc while suspended James Clark <james.clark(a)linaro.org> coresight: Only check bottom two claim bits Benjamin Berg <benjamin.berg(a)intel.com> um: use proper care when taking mmap lock during segfault Sami Tolvanen <samitolvanen(a)google.com> um: Add cmpxchg8b_emu and checksum functions to asm-prototypes.h Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: pressure: zpa2326: Use aligned_s64 for the timestamp Linggang Zeng <linggang.zeng(a)easystack.cn> bcache: fix NULL pointer in cache_set_flush() Yifan Zhang <yifan1.zhang(a)amd.com> amd/amdkfd: fix a kfd_process ref leak Yu Kuai <yukuai3(a)huawei.com> md/md-bitmap: fix dm-raid max_write_behind setting Hector Martin <marcan(a)marcan.st> PCI: apple: Fix missing OF node reference in apple_pcie_setup_port Thomas Gessler <thomas.gessler(a)brueckmann-gmbh.de> dmaengine: xilinx_dma: Set dma_device directions Lukas Wunner <lukas(a)wunner.de> Revert "iommu/amd: Prevent binding other PCI drivers to IOMMU PCI devices" FUJITA Tomonori <fujita.tomonori(a)gmail.com> rust: module: place cleanup_module() in .exit.text section Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: allow a filename to contain special characters on SMB3.1.1 posix extension Alexis Czezar Torreno <alexisczezar.torreno(a)analog.com> hwmon: (pmbus/max34440) Fix support for max34451 Scott Mayhew <smayhew(a)redhat.com> NFSv4: xattr handlers should check for absent nfs filehandles Sven Schwermer <sven.schwermer(a)disruptive-technologies.com> leds: multicolor: Fix intensity setting while SW blinking Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> mfd: max14577: Fix wakeup source leaks on device unbind Peng Fan <peng.fan(a)nxp.com> mailbox: Not protect module_put with spin_lock_irqsave Olga Kornievskaia <okorniev(a)redhat.com> NFSv4.2: fix listxattr to return selinux security label Han Young <hanyang.tony(a)bytedance.com> NFSv4: Always set NLINK even if the server doesn't support it Pali Rohár <pali(a)kernel.org> cifs: Fix cifs_query_path_info() for Windows NT servers Pali Rohár <pali(a)kernel.org> cifs: Correctly set SMB1 SessionKey field in Session Setup Request ------------- Diffstat: Documentation/devicetree/bindings/serial/8250.yaml | 2 +- Makefile | 4 +- arch/arm64/mm/mmu.c | 3 +- arch/s390/kernel/entry.S | 2 +- arch/um/drivers/ubd_user.c | 2 +- arch/um/include/asm/asm-prototypes.h | 5 + arch/um/kernel/trap.c | 129 ++++- arch/x86/tools/insn_decoder_test.c | 5 +- arch/x86/um/asm/checksum.h | 3 + drivers/dma/xilinx/xilinx_dma.c | 2 + drivers/firmware/arm_scmi/driver.c | 44 ++ drivers/firmware/arm_scmi/protocols.h | 6 + drivers/gpu/drm/amd/amdgpu/amdgpu_ucode.c | 17 + drivers/gpu/drm/amd/amdgpu/amdgpu_ucode.h | 6 + drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_events.c | 1 + drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c | 2 +- .../gpu/drm/amd/display/modules/hdcp/hdcp_psp.c | 3 + drivers/gpu/drm/bridge/cdns-dsi.c | 32 +- drivers/gpu/drm/bridge/ti-sn65dsi86.c | 109 ++-- drivers/gpu/drm/display/drm_dp_helper.c | 2 +- drivers/gpu/drm/etnaviv/etnaviv_sched.c | 5 +- drivers/gpu/drm/msm/msm_gpu_devfreq.c | 1 + drivers/gpu/drm/tegra/dc.c | 17 +- drivers/gpu/drm/tegra/hub.c | 4 +- drivers/gpu/drm/tegra/hub.h | 3 +- drivers/gpu/drm/udl/udl_drv.c | 2 +- drivers/hid/hid-lenovo.c | 11 +- drivers/hid/wacom_sys.c | 6 +- drivers/hv/channel_mgmt.c | 15 +- drivers/hv/connection.c | 134 ++--- drivers/hv/hv.c | 36 -- drivers/hv/hv_common.c | 231 ++++++++ drivers/hv/hyperv_vmbus.h | 7 +- drivers/hv/vmbus_drv.c | 206 +------ drivers/hwmon/pmbus/max34440.c | 48 +- drivers/hwtracing/coresight/coresight-core.c | 3 +- drivers/hwtracing/coresight/coresight-priv.h | 2 + drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 + drivers/i2c/busses/i2c-tiny-usb.c | 6 + drivers/iio/adc/ad_sigma_delta.c | 4 + drivers/iio/pressure/zpa2326.c | 2 +- drivers/iommu/amd/init.c | 3 - drivers/leds/led-class-multicolor.c | 3 +- drivers/mailbox/mailbox.c | 2 +- drivers/md/bcache/super.c | 7 +- drivers/md/dm-raid.c | 2 +- drivers/md/md-bitmap.c | 2 +- drivers/media/platform/nxp/imx-jpeg/mxc-jpeg-hw.h | 1 - drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c | 216 ++++--- drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.h | 6 +- drivers/media/usb/uvc/uvc_ctrl.c | 42 +- drivers/mfd/max14577.c | 1 + drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 26 +- drivers/net/ethernet/broadcom/bnxt/bnxt_hsi.h | 644 +++------------------ drivers/net/ethernet/freescale/enetc/enetc_hw.h | 2 +- drivers/nvme/host/ioctl.c | 15 +- drivers/pci/controller/pcie-apple.c | 7 +- drivers/s390/crypto/pkey_api.c | 2 +- drivers/scsi/megaraid/megaraid_sas_base.c | 6 +- drivers/staging/rtl8723bs/core/rtw_security.c | 44 +- drivers/tty/serial/imx.c | 17 +- drivers/tty/serial/uartlite.c | 25 +- drivers/tty/vt/vt.c | 12 +- drivers/uio/uio_hv_generic.c | 10 +- drivers/usb/class/cdc-wdm.c | 23 +- drivers/usb/common/usb-conn-gpio.c | 25 +- drivers/usb/core/usb.c | 14 +- drivers/usb/dwc2/gadget.c | 6 + drivers/usb/gadget/function/f_tcm.c | 4 +- drivers/usb/typec/altmodes/displayport.c | 4 + drivers/usb/typec/mux.c | 4 +- drivers/video/console/dummycon.c | 24 +- drivers/video/console/mdacon.c | 21 +- drivers/video/console/newport_con.c | 12 +- drivers/video/console/sticon.c | 14 +- drivers/video/console/vgacon.c | 34 +- drivers/video/fbdev/core/fbcon.c | 40 +- drivers/video/fbdev/core/fbmem.c | 18 +- drivers/video/fbdev/hyperv_fb.c | 8 + fs/btrfs/disk-io.c | 3 +- fs/btrfs/inode.c | 83 ++- fs/btrfs/volumes.c | 6 + fs/ceph/file.c | 2 +- fs/f2fs/super.c | 30 +- fs/jfs/jfs_dmap.c | 41 +- fs/namespace.c | 8 +- fs/nfs/inode.c | 2 + fs/nfs/nfs4proc.c | 17 +- fs/omfs/file.c | 12 +- fs/omfs/omfs_fs.h | 2 +- fs/overlayfs/util.c | 4 +- fs/smb/client/cifsglob.h | 1 + fs/smb/client/cifspdu.h | 6 +- fs/smb/client/cifssmb.c | 1 + fs/smb/client/misc.c | 8 + fs/smb/client/sess.c | 1 + fs/smb/server/smb2pdu.c | 62 +- include/asm-generic/mshyperv.h | 2 +- include/linux/console.h | 13 +- include/linux/hyperv.h | 2 + include/linux/ipv6.h | 1 - include/uapi/linux/vm_sockets.h | 4 + io_uring/kbuf.c | 2 +- lib/Kconfig.debug | 9 + lib/Makefile | 2 + lib/longest_symbol_kunit.c | 82 +++ net/atm/clip.c | 11 +- net/atm/resources.c | 3 +- net/bluetooth/l2cap_core.c | 9 +- net/core/selftests.c | 5 +- net/ipv6/ip6_output.c | 9 +- net/mac80211/util.c | 2 +- net/unix/af_unix.c | 58 +- net/unix/garbage.c | 24 +- rust/macros/module.rs | 1 + sound/pci/hda/hda_bind.c | 2 +- sound/pci/hda/hda_intel.c | 3 + sound/pci/hda/patch_realtek.c | 1 + sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/codecs/wcd9335.c | 62 +- sound/usb/quirks.c | 2 + sound/usb/stream.c | 2 + tools/lib/bpf/btf_dump.c | 3 + 124 files changed, 1597 insertions(+), 1489 deletions(-)

1 week

14
153
0 0

[PATCH 5.15 1/1] af_unix: Don't leave consecutive consumed OOB skbs.

by Lee Jones

From: Kuniyuki Iwashima <kuniyu(a)google.com> Jann Horn reported a use-after-free in unix_stream_read_generic(). The following sequences reproduce the issue: $ python3 from socket import * s1, s2 = socketpair(AF_UNIX, SOCK_STREAM) s1.send(b'x', MSG_OOB) s2.recv(1, MSG_OOB) # leave a consumed OOB skb s1.send(b'y', MSG_OOB) s2.recv(1, MSG_OOB) # leave a consumed OOB skb s1.send(b'z', MSG_OOB) s2.recv(1) # recv 'z' illegally s2.recv(1, MSG_OOB) # access 'z' skb (use-after-free) Even though a user reads OOB data, the skb holding the data stays on the recv queue to mark the OOB boundary and break the next recv(). After the last send() in the scenario above, the sk2's recv queue has 2 leading consumed OOB skbs and 1 real OOB skb. Then, the following happens during the next recv() without MSG_OOB 1. unix_stream_read_generic() peeks the first consumed OOB skb 2. manage_oob() returns the next consumed OOB skb 3. unix_stream_read_generic() fetches the next not-yet-consumed OOB skb 4. unix_stream_read_generic() reads and frees the OOB skb , and the last recv(MSG_OOB) triggers KASAN splat. The 3. above occurs because of the SO_PEEK_OFF code, which does not expect unix_skb_len(skb) to be 0, but this is true for such consumed OOB skbs. while (skip >= unix_skb_len(skb)) { skip -= unix_skb_len(skb); skb = skb_peek_next(skb, &sk->sk_receive_queue); ... } In addition to this use-after-free, there is another issue that ioctl(SIOCATMARK) does not function properly with consecutive consumed OOB skbs. So, nothing good comes out of such a situation. Instead of complicating manage_oob(), ioctl() handling, and the next ECONNRESET fix by introducing a loop for consecutive consumed OOB skbs, let's not leave such consecutive OOB unnecessarily. Now, while receiving an OOB skb in unix_stream_recv_urg(), if its previous skb is a consumed OOB skb, it is freed. [0]: BUG: KASAN: slab-use-after-free in unix_stream_read_actor (net/unix/af_unix.c:3027) Read of size 4 at addr ffff888106ef2904 by task python3/315 CPU: 2 UID: 0 PID: 315 Comm: python3 Not tainted 6.16.0-rc1-00407-gec315832f6f9 #8 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:122) print_report (mm/kasan/report.c:409 mm/kasan/report.c:521) kasan_report (mm/kasan/report.c:636) unix_stream_read_actor (net/unix/af_unix.c:3027) unix_stream_read_generic (net/unix/af_unix.c:2708 net/unix/af_unix.c:2847) unix_stream_recvmsg (net/unix/af_unix.c:3048) sock_recvmsg (net/socket.c:1063 (discriminator 20) net/socket.c:1085 (discriminator 20)) __sys_recvfrom (net/socket.c:2278) __x64_sys_recvfrom (net/socket.c:2291 (discriminator 1) net/socket.c:2287 (discriminator 1) net/socket.c:2287 (discriminator 1)) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f8911fcea06 Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 RSP: 002b:00007fffdb0dccb0 EFLAGS: 00000202 ORIG_RAX: 000000000000002d RAX: ffffffffffffffda RBX: 00007fffdb0dcdc8 RCX: 00007f8911fcea06 RDX: 0000000000000001 RSI: 00007f8911a5e060 RDI: 0000000000000006 RBP: 00007fffdb0dccd0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000202 R12: 00007f89119a7d20 R13: ffffffffc4653600 R14: 0000000000000000 R15: 0000000000000000 </TASK> Allocated by task 315: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1)) __kasan_slab_alloc (mm/kasan/common.c:348) kmem_cache_alloc_node_noprof (./include/linux/kasan.h:250 mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4249) __alloc_skb (net/core/skbuff.c:660 (discriminator 4)) alloc_skb_with_frags (./include/linux/skbuff.h:1336 net/core/skbuff.c:6668) sock_alloc_send_pskb (net/core/sock.c:2993) unix_stream_sendmsg (./include/net/sock.h:1847 net/unix/af_unix.c:2256 net/unix/af_unix.c:2418) __sys_sendto (net/socket.c:712 (discriminator 20) net/socket.c:727 (discriminator 20) net/socket.c:2226 (discriminator 20)) __x64_sys_sendto (net/socket.c:2233 (discriminator 1) net/socket.c:2229 (discriminator 1) net/socket.c:2229 (discriminator 1)) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Freed by task 315: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1)) kasan_save_free_info (mm/kasan/generic.c:579 (discriminator 1)) __kasan_slab_free (mm/kasan/common.c:271) kmem_cache_free (mm/slub.c:4643 (discriminator 3) mm/slub.c:4745 (discriminator 3)) unix_stream_read_generic (net/unix/af_unix.c:3010) unix_stream_recvmsg (net/unix/af_unix.c:3048) sock_recvmsg (net/socket.c:1063 (discriminator 20) net/socket.c:1085 (discriminator 20)) __sys_recvfrom (net/socket.c:2278) __x64_sys_recvfrom (net/socket.c:2291 (discriminator 1) net/socket.c:2287 (discriminator 1) net/socket.c:2287 (discriminator 1)) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) The buggy address belongs to the object at ffff888106ef28c0 which belongs to the cache skbuff_head_cache of size 224 The buggy address is located 68 bytes inside of freed 224-byte region [ffff888106ef28c0, ffff888106ef29a0) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888106ef3cc0 pfn:0x106ef2 head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x200000000000040(head|node=0|zone=2) page_type: f5(slab) raw: 0200000000000040 ffff8881001d28c0 ffffea000422fe00 0000000000000004 raw: ffff888106ef3cc0 0000000080190010 00000000f5000000 0000000000000000 head: 0200000000000040 ffff8881001d28c0 ffffea000422fe00 0000000000000004 head: ffff888106ef3cc0 0000000080190010 00000000f5000000 0000000000000000 head: 0200000000000001 ffffea00041bbc81 00000000ffffffff 00000000ffffffff head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888106ef2800: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc ffff888106ef2880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb >ffff888106ef2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888106ef2980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc ffff888106ef2a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb Fixes: 314001f0bf92 ("af_unix: Add OOB support") Reported-by: Jann Horn <jannh(a)google.com> Signed-off-by: Kuniyuki Iwashima <kuniyu(a)google.com> Reviewed-by: Jann Horn <jannh(a)google.com> Link: https://patch.msgid.link/20250619041457.1132791-2-kuni1840@gmail.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> (cherry picked from commit 32ca245464e1479bfea8592b9db227fdc1641705) [Lee: Shifted hunk inside the if() statement and surrounded the else with {}'s) Signed-off-by: Lee Jones <lee(a)kernel.org> --- net/unix/af_unix.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index 12c4a27e1655..1676bffe7259 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -2504,11 +2504,11 @@ struct unix_stream_read_state { #if IS_ENABLED(CONFIG_AF_UNIX_OOB) static int unix_stream_recv_urg(struct unix_stream_read_state *state) { + struct sk_buff *oob_skb, *read_skb = NULL; struct socket *sock = state->socket; struct sock *sk = sock->sk; struct unix_sock *u = unix_sk(sk); int chunk = 1; - struct sk_buff *oob_skb; mutex_lock(&u->iolock); unix_state_lock(sk); @@ -2523,10 +2523,17 @@ static int unix_stream_recv_urg(struct unix_stream_read_state *state) oob_skb = u->oob_skb; - if (!(state->flags & MSG_PEEK)) + if (!(state->flags & MSG_PEEK)) { WRITE_ONCE(u->oob_skb, NULL); - else + + if (oob_skb->prev != (struct sk_buff *)&sk->sk_receive_queue && + !unix_skb_len(oob_skb->prev)) { + read_skb = oob_skb->prev; + __skb_unlink(read_skb, &sk->sk_receive_queue); + } + } else { skb_get(oob_skb); + } spin_unlock(&sk->sk_receive_queue.lock); unix_state_unlock(sk); @@ -2540,6 +2547,8 @@ static int unix_stream_recv_urg(struct unix_stream_read_state *state) mutex_unlock(&u->iolock); + consume_skb(read_skb); + if (chunk < 0) return -EFAULT; -- 2.51.0.570.gb178f27e6d-goog

1 week

1
0
0 0

[PATCH 1/2] PCI: rcar-host: Drop PMSR spinlock

by Marek Vasut

The pmsr_lock spinlock used to be necessary to synchronize access to the PMSR register, because that access could have been triggered from either config space access in rcar_pcie_config_access() or an exception handler rcar_pcie_aarch32_abort_handler(). The rcar_pcie_aarch32_abort_handler() case is no longer applicable since commit 6e36203bc14c ("PCI: rcar: Use PCI_SET_ERROR_RESPONSE after read which triggered an exception"), which performs more accurate, controlled invocation of the exception, and a fixup. This leaves rcar_pcie_config_access() as the only call site from which rcar_pcie_wakeup() is called. The rcar_pcie_config_access() can only be called from the controller struct pci_ops .read and .write callbacks, and those are serialized in drivers/pci/access.c using raw spinlock 'pci_lock' . CONFIG_PCI_LOCKLESS_CONFIG is never set on this platform. Since the 'pci_lock' is a raw spinlock , and the 'pmsr_lock' is not a raw spinlock, this constellation triggers 'BUG: Invalid wait context' with CONFIG_PROVE_RAW_LOCK_NESTING=y . Remove the pmsr_lock to fix the locking. Fixes: a115b1bd3af0 ("PCI: rcar: Add L1 link state fix into data abort hook") Reported-by: Duy Nguyen <duy.nguyen.rh(a)renesas.com> Reported-by: Thuan Nguyen <thuan.nguyen-hong(a)banvien.com.vn> Cc: stable(a)vger.kernel.org Signed-off-by: Marek Vasut <marek.vasut+renesas(a)mailbox.org> --- ============================= [ BUG: Invalid wait context ] 6.17.0-rc4-next-20250905-00048-ga08e553145e7-dirty #1116 Not tainted ----------------------------- swapper/0/1 is trying to lock: ffffffd92cf69c30 (pmsr_lock){....}-{3:3}, at: rcar_pcie_config_access+0x48/0x260 other info that might help us debug this: context-{5:5} 3 locks held by swapper/0/1: #0: ffffff84c0f890f8 (&dev->mutex){....}-{4:4}, at: device_lock+0x14/0x1c #1: ffffffd92cf675b0 (pci_rescan_remove_lock){+.+.}-{4:4}, at: pci_lock_rescan_remove+0x18/0x20 #2: ffffffd92cf674a0 (pci_lock){....}-{2:2}, at: pci_bus_read_config_dword+0x54/0xd8 stack backtrace: CPU: 3 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-rc4-next-20250905-00048-ga08e553145e7-dirty #1116 PREEMPT Hardware name: Renesas Salvator-X 2nd version board based on r8a77951 (DT) Call trace: dump_backtrace+0x6c/0x7c (C) show_stack+0x14/0x1c dump_stack_lvl+0x68/0x8c dump_stack+0x14/0x1c __lock_acquire+0x3e8/0x1064 lock_acquire+0x17c/0x2ac _raw_spin_lock_irqsave+0x54/0x70 rcar_pcie_config_access+0x48/0x260 rcar_pcie_read_conf+0x44/0xd8 pci_bus_read_config_dword+0x78/0xd8 pci_bus_generic_read_dev_vendor_id+0x30/0x138 pci_bus_read_dev_vendor_id+0x60/0x68 pci_scan_single_device+0x11c/0x1ec pci_scan_slot+0x7c/0x170 pci_scan_child_bus_extend+0x5c/0x29c pci_scan_child_bus+0x10/0x18 pci_scan_root_bus_bridge+0x90/0xc8 pci_host_probe+0x24/0xc4 rcar_pcie_probe+0x5e8/0x650 platform_probe+0x58/0x88 really_probe+0x190/0x350 __driver_probe_device+0x120/0x138 driver_probe_device+0x38/0xec __driver_attach+0x158/0x168 bus_for_each_dev+0x7c/0xd0 driver_attach+0x20/0x28 bus_add_driver+0xe0/0x1d8 driver_register+0xac/0xe8 __platform_driver_register+0x1c/0x24 rcar_pcie_driver_init+0x18/0x20 do_one_initcall+0xd4/0x220 kernel_init_freeable+0x308/0x30c kernel_init+0x20/0x11c ret_from_fork+0x10/0x20 --- Cc: "Krzysztof Wilczyński" <kwilczynski(a)kernel.org> Cc: Bjorn Helgaas <bhelgaas(a)google.com> Cc: Geert Uytterhoeven <geert+renesas(a)glider.be> Cc: Lorenzo Pieralisi <lpieralisi(a)kernel.org> Cc: Magnus Damm <magnus.damm(a)gmail.com> Cc: Manivannan Sadhasivam <mani(a)kernel.org> Cc: Marc Zyngier <maz(a)kernel.org> Cc: Rob Herring <robh(a)kernel.org> Cc: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Cc: linux-pci(a)vger.kernel.org Cc: linux-renesas-soc(a)vger.kernel.org --- drivers/pci/controller/pcie-rcar-host.c | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/drivers/pci/controller/pcie-rcar-host.c b/drivers/pci/controller/pcie-rcar-host.c index 4780e0109e583..625a00f3b2230 100644 --- a/drivers/pci/controller/pcie-rcar-host.c +++ b/drivers/pci/controller/pcie-rcar-host.c @@ -52,20 +52,13 @@ struct rcar_pcie_host { int (*phy_init_fn)(struct rcar_pcie_host *host); }; -static DEFINE_SPINLOCK(pmsr_lock); - static int rcar_pcie_wakeup(struct device *pcie_dev, void __iomem *pcie_base) { - unsigned long flags; u32 pmsr, val; int ret = 0; - spin_lock_irqsave(&pmsr_lock, flags); - - if (!pcie_base || pm_runtime_suspended(pcie_dev)) { - ret = -EINVAL; - goto unlock_exit; - } + if (!pcie_base || pm_runtime_suspended(pcie_dev)) + return -EINVAL; pmsr = readl(pcie_base + PMSR); @@ -87,8 +80,6 @@ static int rcar_pcie_wakeup(struct device *pcie_dev, void __iomem *pcie_base) writel(L1FAEG | PMEL1RX, pcie_base + PMSR); } -unlock_exit: - spin_unlock_irqrestore(&pmsr_lock, flags); return ret; } -- 2.51.0

1 week

5
8
0 0

[PATCH] media: platform: mtk-mdp3: fix device leaks at probe

by Johan Hovold

Make sure to drop the references taken when looking up the subsys devices during probe on probe failure (e.g. probe deferral) and on driver unbind. Similarly, drop the SCP device reference after retrieving its platform data during probe to avoid leaking it. Note that holding a reference to a device does not prevent its driver data from going away. Fixes: 61890ccaefaf ("media: platform: mtk-mdp3: add MediaTek MDP3 driver") Cc: stable(a)vger.kernel.org # 6.1 Cc: Moudy Ho <moudy.ho(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- .../media/platform/mediatek/mdp3/mtk-mdp3-core.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/drivers/media/platform/mediatek/mdp3/mtk-mdp3-core.c b/drivers/media/platform/mediatek/mdp3/mtk-mdp3-core.c index 8de2c8e4d333..fc117a6a822c 100644 --- a/drivers/media/platform/mediatek/mdp3/mtk-mdp3-core.c +++ b/drivers/media/platform/mediatek/mdp3/mtk-mdp3-core.c @@ -157,10 +157,18 @@ void mdp_video_device_release(struct video_device *vdev) kfree(mdp); } +static void mdp_put_device(void *_dev) +{ + struct device *dev = _dev; + + put_device(dev); +} + static int mdp_mm_subsys_deploy(struct mdp_dev *mdp, enum mdp_infra_id id) { struct platform_device *mm_pdev = NULL; struct device **dev; + int ret; int i; if (!mdp) @@ -194,6 +202,11 @@ static int mdp_mm_subsys_deploy(struct mdp_dev *mdp, enum mdp_infra_id id) if (WARN_ON(!mm_pdev)) return -ENODEV; + ret = devm_add_action_or_reset(&mdp->pdev->dev, mdp_put_device, + &mm_pdev->dev); + if (ret) + return ret; + *dev = &mm_pdev->dev; } @@ -279,6 +292,7 @@ static int mdp_probe(struct platform_device *pdev) goto err_destroy_clock_wq; } mdp->scp = platform_get_drvdata(mm_pdev); + put_device(&mm_pdev->dev); } mdp->rproc_handle = scp_get_rproc(mdp->scp); -- 2.49.1

1 week

2
1
0 0

Gratulujeme, ponuka daru

by Kristine Charity Services

1 week

1
0
0 0

[PATCH 14/14] iommu/tegra: fix device leak on probe_device()

by Johan Hovold

Make sure to drop the reference taken to the iommu platform device when looking up its driver data during probe_device(). Fixes: 891846516317 ("memory: Add NVIDIA Tegra memory controller support") Cc: stable(a)vger.kernel.org # 3.19 Cc: Thierry Reding <treding(a)nvidia.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/iommu/tegra-smmu.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/iommu/tegra-smmu.c b/drivers/iommu/tegra-smmu.c index 36cdd5fbab07..f6f26a072820 100644 --- a/drivers/iommu/tegra-smmu.c +++ b/drivers/iommu/tegra-smmu.c @@ -830,10 +830,9 @@ static struct tegra_smmu *tegra_smmu_find(struct device_node *np) return NULL; mc = platform_get_drvdata(pdev); - if (!mc) { - put_device(&pdev->dev); + put_device(&pdev->dev); + if (!mc) return NULL; - } return mc->smmu; } -- 2.49.1

1 week

1
0
0 0

[PATCH 13/14] iommu/sun50i: fix device leak on of_xlate()

by Johan Hovold

Make sure to drop the reference taken to the iommu platform device when looking up its driver data during of_xlate(). Fixes: 4100b8c229b3 ("iommu: Add Allwinner H6 IOMMU driver") Cc: stable(a)vger.kernel.org # 5.8 Cc: Maxime Ripard <mripard(a)kernel.org> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/iommu/sun50i-iommu.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iommu/sun50i-iommu.c b/drivers/iommu/sun50i-iommu.c index de10b569d9a9..6306570d57db 100644 --- a/drivers/iommu/sun50i-iommu.c +++ b/drivers/iommu/sun50i-iommu.c @@ -839,6 +839,8 @@ static int sun50i_iommu_of_xlate(struct device *dev, dev_iommu_priv_set(dev, platform_get_drvdata(iommu_pdev)); + put_device(&iommu_pdev->dev); + return iommu_fwspec_add_ids(dev, &id, 1); } -- 2.49.1

1 week

1
0
0 0

[PATCH 09/14] iommu/mediatek-v1: fix device leaks on probe()

by Johan Hovold

Make sure to drop the references taken to the larb devices during probe on probe failure (e.g. probe deferral) and on driver unbind. Fixes: b17336c55d89 ("iommu/mediatek: add support for mtk iommu generation one HW") Cc: stable(a)vger.kernel.org # 4.8 Cc: Honghui Zhang <honghui.zhang(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/iommu/mtk_iommu_v1.c | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/drivers/iommu/mtk_iommu_v1.c b/drivers/iommu/mtk_iommu_v1.c index de9153c0a82f..44b965a2db92 100644 --- a/drivers/iommu/mtk_iommu_v1.c +++ b/drivers/iommu/mtk_iommu_v1.c @@ -648,8 +648,10 @@ static int mtk_iommu_v1_probe(struct platform_device *pdev) struct platform_device *plarbdev; larbnode = of_parse_phandle(dev->of_node, "mediatek,larbs", i); - if (!larbnode) - return -EINVAL; + if (!larbnode) { + ret = -EINVAL; + goto out_put_larbs; + } if (!of_device_is_available(larbnode)) { of_node_put(larbnode); @@ -659,11 +661,14 @@ static int mtk_iommu_v1_probe(struct platform_device *pdev) plarbdev = of_find_device_by_node(larbnode); if (!plarbdev) { of_node_put(larbnode); - return -ENODEV; + ret = -ENODEV; + goto out_put_larbs; } if (!plarbdev->dev.driver) { of_node_put(larbnode); - return -EPROBE_DEFER; + put_device(&plarbdev->dev); + ret = -EPROBE_DEFER; + goto out_put_larbs; } data->larb_imu[i].dev = &plarbdev->dev; @@ -675,7 +680,7 @@ static int mtk_iommu_v1_probe(struct platform_device *pdev) ret = mtk_iommu_v1_hw_init(data); if (ret) - return ret; + goto out_put_larbs; ret = iommu_device_sysfs_add(&data->iommu, &pdev->dev, NULL, dev_name(&pdev->dev)); @@ -697,12 +702,17 @@ static int mtk_iommu_v1_probe(struct platform_device *pdev) iommu_device_sysfs_remove(&data->iommu); out_clk_unprepare: clk_disable_unprepare(data->bclk); +out_put_larbs: + for (i = 0; i < MTK_LARB_NR_MAX; i++) + put_device(data->larb_imu[i].dev); + return ret; } static void mtk_iommu_v1_remove(struct platform_device *pdev) { struct mtk_iommu_v1_data *data = platform_get_drvdata(pdev); + int i; iommu_device_sysfs_remove(&data->iommu); iommu_device_unregister(&data->iommu); @@ -710,6 +720,9 @@ static void mtk_iommu_v1_remove(struct platform_device *pdev) clk_disable_unprepare(data->bclk); devm_free_irq(&pdev->dev, data->irq, data); component_master_del(&pdev->dev, &mtk_iommu_v1_com_ops); + + for (i = 0; i < MTK_LARB_NR_MAX; i++) + put_device(data->larb_imu[i].dev); } static int __maybe_unused mtk_iommu_v1_suspend(struct device *dev) -- 2.49.1

1 week

1
0
0 0

[PATCH 08/14] iommu/mediatek-v1: fix device leak on probe_device()

by Johan Hovold

Make sure to drop the reference taken to the iommu platform device when looking up its driver data during probe_device(). Fixes: b17336c55d89 ("iommu/mediatek: add support for mtk iommu generation one HW") Cc: stable(a)vger.kernel.org # 4.8 Cc: Honghui Zhang <honghui.zhang(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/iommu/mtk_iommu_v1.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iommu/mtk_iommu_v1.c b/drivers/iommu/mtk_iommu_v1.c index 10cc0b1197e8..de9153c0a82f 100644 --- a/drivers/iommu/mtk_iommu_v1.c +++ b/drivers/iommu/mtk_iommu_v1.c @@ -435,6 +435,8 @@ static int mtk_iommu_v1_create_mapping(struct device *dev, return -EINVAL; dev_iommu_priv_set(dev, platform_get_drvdata(m4updev)); + + put_device(&m4updev->dev); } ret = iommu_fwspec_add_ids(dev, args->args, 1); -- 2.49.1

1 week

1
0
0 0

[PATCH 06/14] iommu/mediatek: fix device leaks on probe()

by Johan Hovold

Make sure to drop the references taken to the larb devices during probe on probe failure (e.g. probe deferral) and on driver unbind. Note that commit 26593928564c ("iommu/mediatek: Add error path for loop of mm_dts_parse") fixed the leaks in a couple of error paths, but the references are still leaking on success and late failures. Fixes: 0df4fabe208d ("iommu/mediatek: Add mt8173 IOMMU driver") Cc: stable(a)vger.kernel.org # 4.6 Cc: Yong Wu <yong.wu(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/iommu/mtk_iommu.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c index 8d8e85186188..20a5ba80f983 100644 --- a/drivers/iommu/mtk_iommu.c +++ b/drivers/iommu/mtk_iommu.c @@ -1216,13 +1216,17 @@ static int mtk_iommu_mm_dts_parse(struct device *dev, struct component_match **m platform_device_put(plarbdev); } - if (!frst_avail_smicomm_node) - return -EINVAL; + if (!frst_avail_smicomm_node) { + ret = -EINVAL; + goto err_larbdev_put; + } pcommdev = of_find_device_by_node(frst_avail_smicomm_node); of_node_put(frst_avail_smicomm_node); - if (!pcommdev) - return -ENODEV; + if (!pcommdev) { + ret = -ENODEV; + goto err_larbdev_put; + } data->smicomm_dev = &pcommdev->dev; link = device_link_add(data->smicomm_dev, dev, @@ -1230,7 +1234,8 @@ static int mtk_iommu_mm_dts_parse(struct device *dev, struct component_match **m platform_device_put(pcommdev); if (!link) { dev_err(dev, "Unable to link %s.\n", dev_name(data->smicomm_dev)); - return -EINVAL; + ret = -EINVAL; + goto err_larbdev_put; } return 0; @@ -1402,8 +1407,12 @@ static int mtk_iommu_probe(struct platform_device *pdev) iommu_device_sysfs_remove(&data->iommu); out_list_del: list_del(&data->list); - if (MTK_IOMMU_IS_TYPE(data->plat_data, MTK_IOMMU_TYPE_MM)) + if (MTK_IOMMU_IS_TYPE(data->plat_data, MTK_IOMMU_TYPE_MM)) { device_link_remove(data->smicomm_dev, dev); + + for (i = 0; i < MTK_LARB_NR_MAX; i++) + put_device(data->larb_imu[i].dev); + } out_runtime_disable: pm_runtime_disable(dev); return ret; @@ -1423,6 +1432,9 @@ static void mtk_iommu_remove(struct platform_device *pdev) if (MTK_IOMMU_IS_TYPE(data->plat_data, MTK_IOMMU_TYPE_MM)) { device_link_remove(data->smicomm_dev, &pdev->dev); component_master_del(&pdev->dev, &mtk_iommu_com_ops); + + for (i = 0; i < MTK_LARB_NR_MAX; i++) + put_device(data->larb_imu[i].dev); } pm_runtime_disable(&pdev->dev); for (i = 0; i < data->plat_data->banks_num; i++) { -- 2.49.1

1 week

1
0
0 0

[PATCH 05/14] iommu/mediatek: fix device leak on of_xlate()

by Johan Hovold

Make sure to drop the reference taken to the iommu platform device when looking up its driver data during of_xlate(). Fixes: 0df4fabe208d ("iommu/mediatek: Add mt8173 IOMMU driver") Cc: stable(a)vger.kernel.org # 4.6 Cc: Yong Wu <yong.wu(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/iommu/mtk_iommu.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c index 0e0285348d2b..8d8e85186188 100644 --- a/drivers/iommu/mtk_iommu.c +++ b/drivers/iommu/mtk_iommu.c @@ -974,6 +974,8 @@ static int mtk_iommu_of_xlate(struct device *dev, return -EINVAL; dev_iommu_priv_set(dev, platform_get_drvdata(m4updev)); + + put_device(&m4updev->dev); } return iommu_fwspec_add_ids(dev, args->args, 1); -- 2.49.1

1 week

1
0
0 0

[PATCH 04/14] iommu/ipmmu-vmsa: fix device leak on of_xlate()

by Johan Hovold

Make sure to drop the reference taken to the iommu platform device when looking up its driver data during of_xlate(). Fixes: 7b2d59611fef ("iommu/ipmmu-vmsa: Replace local utlb code with fwspec ids") Cc: stable(a)vger.kernel.org # 4.14 Cc: Magnus Damm <damm+renesas(a)opensource.se> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/iommu/ipmmu-vmsa.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iommu/ipmmu-vmsa.c b/drivers/iommu/ipmmu-vmsa.c index ffa892f65714..02a2a55ffa0a 100644 --- a/drivers/iommu/ipmmu-vmsa.c +++ b/drivers/iommu/ipmmu-vmsa.c @@ -720,6 +720,8 @@ static int ipmmu_init_platform_device(struct device *dev, dev_iommu_priv_set(dev, platform_get_drvdata(ipmmu_pdev)); + put_device(&ipmmu_pdev->dev); + return 0; } -- 2.49.1

1 week

1
0
0 0

[PATCH 03/14] iommu/exynos: fix device leak on of_xlate()

by Johan Hovold

Make sure to drop the reference taken to the iommu platform device when looking up its driver data during of_xlate(). Fixes: aa759fd376fb ("iommu/exynos: Add callback for initializing devices from device tree") Cc: stable(a)vger.kernel.org # 4.2 Cc: Marek Szyprowski <m.szyprowski(a)samsung.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/iommu/exynos-iommu.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/drivers/iommu/exynos-iommu.c b/drivers/iommu/exynos-iommu.c index b6edd178fe25..ce9e935cb84c 100644 --- a/drivers/iommu/exynos-iommu.c +++ b/drivers/iommu/exynos-iommu.c @@ -1446,17 +1446,14 @@ static int exynos_iommu_of_xlate(struct device *dev, return -ENODEV; data = platform_get_drvdata(sysmmu); - if (!data) { - put_device(&sysmmu->dev); + put_device(&sysmmu->dev); + if (!data) return -ENODEV; - } if (!owner) { owner = kzalloc(sizeof(*owner), GFP_KERNEL); - if (!owner) { - put_device(&sysmmu->dev); + if (!owner) return -ENOMEM; - } INIT_LIST_HEAD(&owner->controllers); mutex_init(&owner->rpm_lock); -- 2.49.1

1 week

1
0
0 0

[PATCH 02/14] iommu/qcom: fix device leak on of_xlate()

by Johan Hovold

Make sure to drop the reference taken to the iommu platform device when looking up its driver data during of_xlate(). Note that commit e2eae09939a8 ("iommu/qcom: add missing put_device() call in qcom_iommu_of_xlate()") fixed the leak in a couple of error paths, but the reference is still leaking on success and late failures. Fixes: 0ae349a0f33f ("iommu/qcom: Add qcom_iommu") Cc: stable(a)vger.kernel.org # 4.14: e2eae09939a8 Cc: Rob Clark <robin.clark(a)oss.qualcomm.com> Cc: Yu Kuai <yukuai3(a)huawei.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/iommu/arm/arm-smmu/qcom_iommu.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/drivers/iommu/arm/arm-smmu/qcom_iommu.c b/drivers/iommu/arm/arm-smmu/qcom_iommu.c index c5be95e56031..9c1166a3af6c 100644 --- a/drivers/iommu/arm/arm-smmu/qcom_iommu.c +++ b/drivers/iommu/arm/arm-smmu/qcom_iommu.c @@ -565,14 +565,14 @@ static int qcom_iommu_of_xlate(struct device *dev, qcom_iommu = platform_get_drvdata(iommu_pdev); + put_device(&iommu_pdev->dev); + /* make sure the asid specified in dt is valid, so we don't have * to sanity check this elsewhere: */ if (WARN_ON(asid > qcom_iommu->max_asid) || - WARN_ON(qcom_iommu->ctxs[asid] == NULL)) { - put_device(&iommu_pdev->dev); + WARN_ON(qcom_iommu->ctxs[asid] == NULL)) return -EINVAL; - } if (!dev_iommu_priv_get(dev)) { dev_iommu_priv_set(dev, qcom_iommu); @@ -581,10 +581,8 @@ static int qcom_iommu_of_xlate(struct device *dev, * multiple different iommu devices. Multiple context * banks are ok, but multiple devices are not: */ - if (WARN_ON(qcom_iommu != dev_iommu_priv_get(dev))) { - put_device(&iommu_pdev->dev); + if (WARN_ON(qcom_iommu != dev_iommu_priv_get(dev))) return -EINVAL; - } } return iommu_fwspec_add_ids(dev, &asid, 1); -- 2.49.1

1 week

1
0
0 0

[PATCH 01/14] iommu/apple-dart: fix device leak on of_xlate()

by Johan Hovold

Make sure to drop the reference taken to the iommu platform device when looking up its driver data during of_xlate(). Fixes: 46d1fb072e76 ("iommu/dart: Add DART iommu driver") Cc: stable(a)vger.kernel.org # 5.15 Cc: Sven Peter <sven(a)kernel.org> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/iommu/apple-dart.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iommu/apple-dart.c b/drivers/iommu/apple-dart.c index 190f28d76615..1aa7c10262a8 100644 --- a/drivers/iommu/apple-dart.c +++ b/drivers/iommu/apple-dart.c @@ -790,6 +790,8 @@ static int apple_dart_of_xlate(struct device *dev, struct apple_dart *cfg_dart; int i, sid; + put_device(&iommu_pdev->dev); + if (args->args_count != 1) return -EINVAL; sid = args->args[0]; -- 2.49.1

1 week

1
0
0 0

[PATCH v2] cpufreq: Handle CPUFREQ_ETERNAL with a default transition latency

by Shawn Guo

From: Shawn Guo <shawnguo(a)kernel.org> A regression is seen with 6.6 -> 6.12 kernel upgrade on platforms where cpufreq-dt driver sets cpuinfo.transition_latency as CPUFREQ_ETERNAL (-1), due to that platform's DT doesn't provide the optional property 'clock-latency-ns'. The dbs sampling_rate was 10000 us on 6.6 and suddently becomes 6442450 us (4294967295 / 1000 * 1.5) on 6.12 for these platforms, because the default transition delay was dropped by the commits below. commit 37c6dccd6837 ("cpufreq: Remove LATENCY_MULTIPLIER") commit a755d0e2d41b ("cpufreq: Honour transition_latency over transition_delay_us") commit e13aa799c2a6 ("cpufreq: Change default transition delay to 2ms") It slows down dbs governor's reacting to CPU loading change dramatically. Also, as transition_delay_us is used by schedutil governor as rate_limit_us, it shows a negative impact on device idle power consumption, because the device gets slightly less time in the lowest OPP. Fix the regressions by defining a default transition latency for handling the case of CPUFREQ_ETERNAL. Cc: stable(a)vger.kernel.org Fixes: 37c6dccd6837 ("cpufreq: Remove LATENCY_MULTIPLIER") Signed-off-by: Shawn Guo <shawnguo(a)kernel.org> --- Changes for v2: - Follow Rafael's suggestion to define a default transition latency for handling CPUFREQ_ETERNAL, and pave the way to get rid of CPUFREQ_ETERNAL completely later. v1: https://lkml.org/lkml/2025/9/10/294 drivers/cpufreq/cpufreq.c | 3 +++ include/linux/cpufreq.h | 2 ++ 2 files changed, 5 insertions(+) diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c index fc7eace8b65b..c69d10f0e8ec 100644 --- a/drivers/cpufreq/cpufreq.c +++ b/drivers/cpufreq/cpufreq.c @@ -549,6 +549,9 @@ unsigned int cpufreq_policy_transition_delay_us(struct cpufreq_policy *policy) if (policy->transition_delay_us) return policy->transition_delay_us; + if (policy->cpuinfo.transition_latency == CPUFREQ_ETERNAL) + policy->cpuinfo.transition_latency = CPUFREQ_DEFAULT_TANSITION_LATENCY_NS; + latency = policy->cpuinfo.transition_latency / NSEC_PER_USEC; if (latency) /* Give a 50% breathing room between updates */ diff --git a/include/linux/cpufreq.h b/include/linux/cpufreq.h index 95f3807c8c55..935e9a660039 100644 --- a/include/linux/cpufreq.h +++ b/include/linux/cpufreq.h @@ -36,6 +36,8 @@ /* Print length for names. Extra 1 space for accommodating '\n' in prints */ #define CPUFREQ_NAME_PLEN (CPUFREQ_NAME_LEN + 1) +#define CPUFREQ_DEFAULT_TANSITION_LATENCY_NS NSEC_PER_MSEC + struct cpufreq_governor; enum cpufreq_table_sorting { -- 2.43.0

1 week

3
4
0 0

Linux 6.16.9

by Greg Kroah-Hartman

I'm announcing the release of the 6.16.9 kernel. All users of the 6.16 kernel series must upgrade. The updated 6.16.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.16.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/serial/8250.yaml | 77 +++-- Documentation/netlink/specs/conntrack.yaml | 9 Documentation/netlink/specs/mptcp_pm.yaml | 4 Makefile | 2 arch/loongarch/Kconfig | 12 arch/loongarch/Makefile | 15 arch/loongarch/include/asm/acenv.h | 7 arch/loongarch/include/asm/kvm_mmu.h | 20 + arch/loongarch/kernel/env.c | 2 arch/loongarch/kernel/stacktrace.c | 3 arch/loongarch/kernel/vdso.c | 3 arch/loongarch/kvm/intc/eiointc.c | 87 +++-- arch/loongarch/kvm/intc/pch_pic.c | 21 - arch/loongarch/kvm/mmu.c | 8 arch/s390/include/asm/pci_insn.h | 10 arch/um/drivers/virtio_uml.c | 6 arch/um/os-Linux/file.c | 2 arch/x86/include/asm/sev.h | 38 +- arch/x86/kvm/svm/svm.c | 3 crypto/af_alg.c | 10 drivers/block/zram/zram_drv.c | 8 drivers/clk/sunxi-ng/ccu_mp.c | 2 drivers/crypto/ccp/sev-dev.c | 2 drivers/dpll/dpll_netlink.c | 4 drivers/gpio/gpiolib-acpi-core.c | 4 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 16 - drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 12 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 24 - drivers/gpu/drm/amd/amdkfd/kfd_device.c | 36 ++ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 39 ++ drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 2 drivers/gpu/drm/bridge/analogix/anx7625.c | 6 drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 6 drivers/gpu/drm/xe/abi/guc_actions_abi.h | 5 drivers/gpu/drm/xe/abi/guc_klvs_abi.h | 40 ++ drivers/gpu/drm/xe/xe_exec_queue.c | 22 - drivers/gpu/drm/xe/xe_exec_queue_types.h | 8 drivers/gpu/drm/xe/xe_execlist.c | 25 + drivers/gpu/drm/xe/xe_execlist_types.h | 2 drivers/gpu/drm/xe/xe_gt.c | 3 drivers/gpu/drm/xe/xe_gt_sriov_pf_config.c | 1 drivers/gpu/drm/xe/xe_guc.c | 62 +++- drivers/gpu/drm/xe/xe_guc.h | 1 drivers/gpu/drm/xe/xe_guc_exec_queue_types.h | 4 drivers/gpu/drm/xe/xe_guc_submit.c | 139 +++++++-- drivers/gpu/drm/xe/xe_guc_submit.h | 2 drivers/gpu/drm/xe/xe_tile_sysfs.c | 12 drivers/gpu/drm/xe/xe_uc.c | 4 drivers/gpu/drm/xe/xe_vm.c | 4 drivers/iommu/amd/amd_iommu_types.h | 1 drivers/iommu/amd/init.c | 9 drivers/iommu/amd/io_pgtable.c | 25 + drivers/iommu/intel/iommu.c | 7 drivers/iommu/s390-iommu.c | 29 + drivers/md/dm-raid.c | 6 drivers/md/dm-stripe.c | 10 drivers/mmc/host/mvsdio.c | 2 drivers/mmc/host/sdhci-pci-gli.c | 68 ++++ drivers/mmc/host/sdhci-uhs2.c | 3 drivers/mmc/host/sdhci.c | 34 +- drivers/net/bonding/bond_main.c | 2 drivers/net/ethernet/broadcom/cnic.c | 3 drivers/net/ethernet/cavium/liquidio/request_manager.c | 2 drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 2 drivers/net/ethernet/intel/i40e/i40e_txrx.c | 3 drivers/net/ethernet/intel/ice/ice_txrx.c | 80 ++--- drivers/net/ethernet/intel/ice/ice_txrx.h | 1 drivers/net/ethernet/intel/igc/igc.h | 1 drivers/net/ethernet/intel/igc/igc_main.c | 12 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 22 - drivers/net/ethernet/marvell/octeon_ep/octep_main.c | 16 + drivers/net/ethernet/marvell/octeon_ep/octep_pfvf_mbox.c | 3 drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en/fs.h | 1 drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h | 1 drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c | 3 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 27 + drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 1 drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 4 drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h | 15 drivers/net/ethernet/mellanox/mlx5/core/port.c | 6 drivers/net/ethernet/natsemi/ns83820.c | 13 drivers/net/ethernet/qlogic/qed/qed_debug.c | 7 drivers/net/wireless/mediatek/mt76/mac80211.c | 2 drivers/net/wireless/microchip/wilc1000/wlan_cfg.c | 37 +- drivers/net/wireless/microchip/wilc1000/wlan_cfg.h | 5 drivers/nvme/host/core.c | 18 - drivers/pcmcia/omap_cf.c | 8 drivers/platform/x86/asus-nb-wmi.c | 25 + drivers/platform/x86/asus-wmi.h | 3 drivers/power/supply/bq27xxx_battery.c | 4 fs/btrfs/delayed-inode.c | 3 fs/btrfs/inode.c | 11 fs/btrfs/tree-checker.c | 4 fs/btrfs/tree-log.c | 2 fs/btrfs/zoned.c | 2 fs/nilfs2/sysfs.c | 4 fs/nilfs2/sysfs.h | 8 fs/smb/client/cifsproto.h | 4 fs/smb/client/inode.c | 23 + fs/smb/client/misc.c | 38 +- fs/smb/client/smbdirect.c | 132 +++++--- fs/smb/client/smbdirect.h | 23 - fs/smb/common/smbdirect/smbdirect_socket.h | 29 + fs/smb/server/transport_rdma.c | 183 ++++++++---- include/crypto/if_alg.h | 10 include/linux/io_uring_types.h | 3 include/linux/mlx5/driver.h | 1 include/linux/swap.h | 10 include/net/dst_metadata.h | 11 include/net/sock.h | 5 include/sound/sdca.h | 1 include/uapi/linux/mptcp.h | 2 include/uapi/linux/mptcp_pm.h | 4 io_uring/io-wq.c | 6 io_uring/io_uring.c | 10 io_uring/io_uring.h | 4 io_uring/msg_ring.c | 24 - io_uring/notif.c | 2 io_uring/poll.c | 2 io_uring/timeout.c | 2 io_uring/uring_cmd.c | 2 kernel/cgroup/cgroup.c | 43 ++ kernel/sched/ext.c | 6 mm/gup.c | 52 ++- mm/mlock.c | 6 mm/swap.c | 50 +-- mm/vmscan.c | 2 net/ipv4/tcp.c | 5 net/ipv4/tcp_ao.c | 4 net/mac80211/driver-ops.h | 2 net/mac80211/main.c | 7 net/mptcp/options.c | 6 net/mptcp/pm_netlink.c | 7 net/mptcp/protocol.c | 16 + net/mptcp/subflow.c | 4 net/rds/ib_frmr.c | 20 - net/rfkill/rfkill-gpio.c | 4 net/rxrpc/rxgk.c | 18 - net/rxrpc/rxgk_app.c | 29 + net/rxrpc/rxgk_common.h | 14 net/tls/tls.h | 1 net/tls/tls_strp.c | 14 net/tls/tls_sw.c | 3 samples/damon/mtier.c | 25 - samples/damon/prcl.c | 31 +- samples/damon/wsse.c | 22 - sound/firewire/motu/motu-hwdep.c | 2 sound/pci/hda/patch_realtek.c | 1 sound/soc/amd/acp/acp-i2s.c | 11 sound/soc/codecs/sma1307.c | 7 sound/soc/codecs/wm8940.c | 9 sound/soc/codecs/wm8974.c | 8 sound/soc/intel/catpt/pcm.c | 23 + sound/soc/qcom/qdsp6/audioreach.c | 1 sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 7 sound/soc/sdca/sdca_device.c | 20 + sound/soc/sdca/sdca_functions.c | 13 sound/soc/sdca/sdca_regmap.c | 2 sound/soc/sof/intel/hda-stream.c | 2 sound/usb/qcom/qc_audio_offload.c | 92 +++--- tools/arch/loongarch/include/asm/inst.h | 12 tools/objtool/arch/loongarch/decode.c | 33 +- tools/perf/util/maps.c | 9 tools/testing/selftests/net/mptcp/mptcp_connect.c | 11 tools/testing/selftests/net/mptcp/mptcp_sockopt.c | 16 - tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 7 tools/testing/selftests/net/mptcp/userspace_pm.sh | 14 169 files changed, 1794 insertions(+), 821 deletions(-) Ajay.Kathat(a)microchip.com (1): wifi: wilc1000: avoid buffer overflow in WID string configuration Alex Deucher (2): drm/amdkfd: add proper handling for S0ix drm/amdgpu: suspend KFD and KGD user queues for S0ix Alex Elder (1): dt-bindings: serial: 8250: move a constraint Alexey Nepomnyashih (1): net: liquidio: fix overflow in octeon_init_instr_queue() Amadeusz Sławiński (1): ASoC: Intel: catpt: Expose correct bit depth to userspace Anderson Nascimento (1): net/tcp: Fix a NULL pointer dereference when using TCP-AO with TCP_REPAIR Andrea Righi (1): Revert "sched_ext: Skip per-CPU tasks in scx_bpf_reenqueue_local()" Antheas Kapenekakis (2): platform/x86: asus-wmi: Fix ROG button mapping, tablet mode on ASUS ROG Z13 platform/x86: asus-wmi: Re-add extra keys to ignore_key_wlan quirk Ben Chuang (3): mmc: sdhci: Move the code related to setting the clock from sdhci_set_ios_common() into sdhci_set_ios() mmc: sdhci-pci-gli: GL9767: Fix initializing the UHS-II interface during a power-on mmc: sdhci-uhs2: Fix calling incorrect sdhci_set_clock() function Bibo Mao (5): LoongArch: KVM: Avoid copy_*_user() with lock hold in kvm_eiointc_ctrl_access() LoongArch: KVM: Avoid copy_*_user() with lock hold in kvm_eiointc_regs_access() LoongArch: KVM: Avoid copy_*_user() with lock hold in kvm_eiointc_sw_status_access() LoongArch: KVM: Avoid copy_*_user() with lock hold in kvm_pch_pic_regs_access() LoongArch: KVM: Fix VM migration failure with PTW enabled Borislav Petkov (AMD) (1): crypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked() Charles Keepax (4): ASoC: wm8940: Correct PLL rate rounding ASoC: wm8940: Correct typo in control name ASoC: wm8974: Correct PLL rate rounding ASoC: SDCA: Fix return value in sdca_regmap_mbq_size() Chen Ridong (1): cgroup: split cgroup_destroy_wq into 3 workqueues Chen-Yu Tsai (1): clk: sunxi-ng: mp: Fix dual-divider clock rate readback Christoph Hellwig (1): nvme: fix PI insert on write Colin Ian King (1): ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message Dan Carpenter (2): ASoC: codec: sma1307: Fix memory corruption in sma1307_setting_loaded() drm/xe: Fix a NULL vs IS_ERR() in xe_vm_add_compute_exec_queue() Daniele Ceraolo Spurio (3): drm/xe: Fix error handling if PXP fails to start drm/xe/guc: Enable extended CAT error reporting drm/xe/guc: Set RCS/CCS yield policy David Howells (2): rxrpc: Fix unhandled errors in rxgk_verify_packet_integrity() rxrpc: Fix untrusted unsigned subtract Duoming Zhou (2): cnic: Fix use-after-free bugs in cnic_delete_task octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp() Eric Dumazet (1): net: clear sk->sk_ino in sk_set_socket(sk, NULL) Eugene Koira (1): iommu/vt-d: Fix __domain_mapping()'s usage of switch_to_super_page() Felix Fietkau (1): wifi: mt76: do not add non-sta wcid entries to the poll list Filipe Manana (1): btrfs: fix invalid extref key setup when replaying dentry Frank Li (1): dt-bindings: serial: 8250: allow clock 'uartclk' and 'reg' for nxp,lpc1850-uart Geert Uytterhoeven (1): pcmcia: omap_cf: Mark driver struct with __refdata to prevent section mismatch Geliang Tang (1): selftests: mptcp: sockopt: fix error messages Greg Kroah-Hartman (1): Linux 6.16.9 Guangshuo Li (1): LoongArch: vDSO: Check kcalloc() result in init_vdso() H. Nikolaus Schaller (2): power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery power: supply: bq27xxx: restrict no-battery detection to bq27000 Hangbin Liu (2): bonding: set random address only when slaves already exist bonding: don't set oif to bond dev when getting NS target destination Hans de Goede (1): net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Herbert Xu (2): crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg crypto: af_alg - Set merge to zero early in af_alg_sendmsg Honggyu Kim (1): samples/damon: change enable parameters to enabled Huacai Chen (1): LoongArch: Align ACPI structures if ARCH_STRICT_ALIGN enabled Hugh Dickins (5): mm/gup: check ref_count instead of lru before migration mm: revert "mm/gup: clear the LRU flag of a page before adding to LRU batch" mm/gup: local lru_add_drain() to avoid lru_add_drain_all() mm: revert "mm: vmscan.c: fix OOM on swap stress test" mm: folio_may_be_lru_cached() unless folio_test_large() Håkon Bugge (1): rds: ib: Increment i_fastreg_wrs before bailing out Ian Rogers (1): perf maps: Ensure kmap is set up for all inserts Ilya Maximets (1): net: dst_metadata: fix IP_DF bit not extracted from tunnel headers Ioana Ciornei (1): dpaa2-switch: fix buffer pool seeding for control traffic Ivan Lipski (1): drm/amd/display: Allow RX6xxx & RX7700 to invoke amdgpu_irq_get/put Ivan Vecera (1): dpll: fix clock quality level reporting Jacob Keller (1): ice: fix Rx page leak on multi-buffer frames Jakub Kicinski (1): tls: make sure to abort the stream if headers are bogus Jamie Bainbridge (1): qed: Don't collect too many protection override GRC elements Jedrzej Jagielski (2): ixgbe: initialize aci.lock before it's used ixgbe: destroy aci.lock later within ixgbe_remove path Jens Axboe (2): io_uring: include dying ring in task_work "should cancel" state io_uring/msg_ring: kill alloc_cache for io_kiocb allocations Jianbo Liu (1): net/mlx5e: Harden uplink netdev access against device unbind Johannes Thumshirn (1): btrfs: zoned: fix incorrect ASSERT in btrfs_zoned_reserve_data_reloc_bg() Kamal Heib (1): octeon_ep: Validate the VF ID Kohei Enju (1): igc: don't fail igc_probe() on LED setup error Krzysztof Kozlowski (1): ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed Kuniyuki Iwashima (1): tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). Lachlan Hodges (1): wifi: mac80211: increase scan_ies_len for S1G Lama Kayal (1): net/mlx5e: Add a miss level for ipsec crypto offload Li Tian (1): net/mlx5: Not returning mlx5_link_info table when speed is unknown Li Zhe (1): gup: optimize longterm pin_user_pages() for large folio Liao Yuanhong (1): wifi: mac80211: fix incorrect type for ret Loic Poulain (1): drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ Maciej Fijalkowski (1): i40e: remove redundant memory barrier when cleaning Tx descs Maciej S. Szmigiero (1): KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active Maciej Strozek (1): ASoC: SDCA: Add quirk for incorrect function types for 3 systems Mario Limonciello (1): drm/amd: Only restore cached manual clock settings in restore if OD enabled Matthew Rosato (1): iommu/s390: Fix memory corruption when using identity domain Matthieu Baerts (NGI0) (7): mptcp: set remote_deny_join_id0 on SYN recv selftests: mptcp: userspace pm: validate deny-join-id0 flag mptcp: tfo: record 'deny join id0' info mptcp: propagate shutdown to subflows when possible selftests: mptcp: connect: catch IO errors on listen side selftests: mptcp: avoid spurious errors on TCP disconnect mptcp: pm: nl: announce deny-join-id0 flag Max Kellermann (1): io_uring/io-wq: fix `max_workers` breakage and `nr_workers` underflow Miaoqian Lin (1): um: virtio_uml: Fix use-after-free after put_device in probe Michal Wajdeczko (1): drm/xe/pf: Drop rounddown_pow_of_two fair LMEM limitation Mikulas Patocka (2): dm-raid: don't set io_min and io_opt for raid1 dm-stripe: fix a possible integer overflow Mohammad Rafi Shaik (2): ASoC: qcom: audioreach: Fix lpaif_type configuration for the I2S interface ASoC: qcom: q6apm-lpass-dais: Fix missing set_fmt DAI op for I2S Namjae Jeon (1): ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer Nathan Chancellor (1): nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* Niklas Schnelle (1): iommu/s390: Make attach succeed when the device was surprise removed Paulo Alcantara (2): smb: client: fix filename matching of deferred files smb: client: fix file open check in __cifs_unlink() Praful Adiga (1): ALSA: hda/realtek: Fix mute led for HP Laptop 15-dw4xx Qi Xi (1): drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path Qu Wenruo (1): btrfs: tree-checker: fix the incorrect inode ref size check Remy D. Farley (1): doc/netlink: Fix typos in operation attributes Sathesh B Edara (1): octeon_ep: fix VF MAC address lifecycle handling SeongJae Park (3): samples/damon/prcl: fix boot time enable crash samples/damon/mtier: avoid starting DAMON before initialization samples/damon/prcl: avoid starting DAMON before initialization Sergey Senozhatsky (1): zram: fix slot write race condition Shuicheng Lin (1): drm/xe/tile: Release kobject for the failure path Stefan Metzmacher (10): smb: server: let smb_direct_writev() respect SMB_DIRECT_MAX_SEND_SGES ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size smb: smbdirect: introduce smbdirect_socket.recv_io.expected smb: client: make use of smbdirect_socket->recv_io.expected smb: smbdirect: introduce struct smbdirect_recv_io smb: client: make use of struct smbdirect_recv_io smb: client: let recv_done verify data_offset, data_length and remaining_data_length smb: client: use disable[_delayed]_work_sync in smbdirect.c smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work) smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path Sébastien Szymanski (1): gpiolib: acpi: initialize acpi_gpio_info struct Takashi Iwai (1): ALSA: usb: qcom: Fix false-positive address space check Takashi Sakamoto (1): ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported Tao Cui (1): LoongArch: Check the return value when creating kobj Tariq Toukan (1): Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" Thomas Fourier (1): mmc: mvsdio: Fix dma_unmap_sg() nents value Tiezhu Yang (6): LoongArch: Update help info of ARCH_STRICT_ALIGN objtool/LoongArch: Mark types based on break immediate code objtool/LoongArch: Mark special atomic instruction as INSN_BUG type LoongArch: Fix unreliable stack for live patching LoongArch: Make LTO case independent in Makefile LoongArch: Handle jump tables options for RUST Tiwei Bie (1): um: Fix FD copy size in os_rcv_fd_msg() Tom Lendacky (1): x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT Vasant Hegde (2): iommu/amd/pgtbl: Fix possible race while increase page table level iommu/amd: Fix alias device DTE setting Venkata Prasad Potturu (1): ASoC: amd: acp: Fix incorrect retrival of acp_chip_info Yang Xiuwei (1): io_uring: fix incorrect io_kiocb reference in io_link_skb Yeounsu Moon (1): net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure Yixun Lan (1): dt-bindings: serial: 8250: spacemit: set clocks property as required Zhen Ni (1): iommu/amd: Fix ivrs_base memleak in early_amd_iommu_init() austinchang (1): btrfs: initialize inode::file_extent_tree after i_mode has been set

1 week

1
1
0 0

Linux 6.12.49

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.49 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/admin-guide/hw-vuln/srso.rst | 13 Documentation/netlink/specs/mptcp_pm.yaml | 4 Makefile | 2 arch/loongarch/Kconfig | 8 arch/loongarch/include/asm/acenv.h | 7 arch/loongarch/kernel/env.c | 2 arch/loongarch/kernel/stacktrace.c | 3 arch/loongarch/kernel/vdso.c | 3 arch/um/drivers/virtio_uml.c | 6 arch/um/os-Linux/file.c | 2 arch/x86/events/intel/core.c | 2 arch/x86/include/asm/cpufeatures.h | 5 arch/x86/include/asm/msr-index.h | 1 arch/x86/kernel/cpu/bugs.c | 28 +- arch/x86/kvm/svm/svm.c | 68 ++++ arch/x86/kvm/svm/svm.h | 2 arch/x86/lib/msr.c | 2 crypto/af_alg.c | 10 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 39 ++ drivers/gpu/drm/bridge/analogix/anx7625.c | 6 drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 6 drivers/gpu/drm/xe/xe_tile_sysfs.c | 12 drivers/gpu/drm/xe/xe_vm.c | 4 drivers/iommu/amd/amd_iommu_types.h | 1 drivers/iommu/amd/io_pgtable.c | 25 + drivers/iommu/intel/iommu.c | 7 drivers/md/dm-raid.c | 6 drivers/md/dm-stripe.c | 10 drivers/mmc/host/mvsdio.c | 2 drivers/net/bonding/bond_main.c | 2 drivers/net/ethernet/broadcom/cnic.c | 3 drivers/net/ethernet/cavium/liquidio/request_manager.c | 2 drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 2 drivers/net/ethernet/intel/i40e/i40e_txrx.c | 3 drivers/net/ethernet/intel/ice/ice.h | 3 drivers/net/ethernet/intel/ice/ice_base.c | 34 +- drivers/net/ethernet/intel/ice/ice_txrx.c | 80 ++--- drivers/net/ethernet/intel/ice/ice_txrx.h | 4 drivers/net/ethernet/intel/ice/ice_virtchnl.c | 7 drivers/net/ethernet/intel/igc/igc.h | 1 drivers/net/ethernet/intel/igc/igc_main.c | 12 drivers/net/ethernet/marvell/octeon_ep/octep_pfvf_mbox.c | 3 drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 27 + drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 1 drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h | 15 + drivers/net/ethernet/natsemi/ns83820.c | 13 drivers/net/ethernet/qlogic/qed/qed_debug.c | 7 drivers/net/vmxnet3/vmxnet3_drv.c | 10 drivers/net/wireless/microchip/wilc1000/wlan_cfg.c | 37 +- drivers/net/wireless/microchip/wilc1000/wlan_cfg.h | 5 drivers/nvme/host/core.c | 18 - drivers/pcmcia/omap_cf.c | 8 drivers/platform/x86/asus-nb-wmi.c | 25 + drivers/platform/x86/asus-wmi.h | 3 drivers/power/supply/bq27xxx_battery.c | 4 drivers/rtc/rtc-pcf2127.c | 10 drivers/usb/host/xhci-dbgcap.c | 94 ++++-- drivers/usb/host/xhci-debugfs.c | 5 drivers/usb/host/xhci-mem.c | 74 ++--- drivers/usb/host/xhci.c | 24 - drivers/usb/host/xhci.h | 9 fs/btrfs/tree-checker.c | 4 fs/btrfs/tree-log.c | 2 fs/nilfs2/sysfs.c | 4 fs/nilfs2/sysfs.h | 8 fs/smb/client/cifsproto.h | 4 fs/smb/client/inode.c | 6 fs/smb/client/misc.c | 38 +- fs/smb/client/smbdirect.c | 7 fs/smb/server/transport_rdma.c | 26 + include/crypto/if_alg.h | 10 include/linux/io_uring_types.h | 4 include/linux/minmax.h | 205 ++++++--------- include/linux/mlx5/driver.h | 1 include/linux/mm.h | 55 ++++ include/uapi/linux/mptcp.h | 2 include/uapi/linux/mptcp_pm.h | 4 io_uring/io_uring.c | 12 io_uring/io_uring.h | 13 io_uring/kbuf.h | 2 io_uring/msg_ring.c | 24 - io_uring/notif.c | 2 io_uring/poll.c | 3 io_uring/timeout.c | 2 io_uring/uring_cmd.c | 6 kernel/cgroup/cgroup.c | 43 ++- mm/gup.c | 41 ++- mm/migrate.c | 22 - mm/vmscan.c | 2 net/ipv4/tcp.c | 5 net/ipv4/tcp_ao.c | 4 net/mac80211/driver-ops.h | 2 net/mac80211/main.c | 7 net/mptcp/options.c | 6 net/mptcp/pm_netlink.c | 7 net/mptcp/protocol.c | 16 + net/mptcp/subflow.c | 4 net/rds/ib_frmr.c | 20 - net/rfkill/rfkill-gpio.c | 4 net/tls/tls.h | 1 net/tls/tls_strp.c | 14 - net/tls/tls_sw.c | 3 sound/firewire/motu/motu-hwdep.c | 2 sound/pci/hda/patch_realtek.c | 1 sound/soc/codecs/wm8940.c | 9 sound/soc/codecs/wm8974.c | 8 sound/soc/intel/catpt/pcm.c | 23 + sound/soc/qcom/qdsp6/audioreach.c | 1 sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 7 sound/soc/sof/intel/hda-stream.c | 2 tools/arch/loongarch/include/asm/inst.h | 12 tools/objtool/arch/loongarch/decode.c | 33 ++ tools/testing/selftests/net/mptcp/mptcp_connect.c | 11 tools/testing/selftests/net/mptcp/mptcp_sockopt.c | 16 - tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 7 tools/testing/selftests/net/mptcp/userspace_pm.sh | 14 - 118 files changed, 1062 insertions(+), 564 deletions(-) Ajay.Kathat(a)microchip.com (1): wifi: wilc1000: avoid buffer overflow in WID string configuration Alexey Nepomnyashih (1): net: liquidio: fix overflow in octeon_init_instr_queue() Amadeusz Sławiński (1): ASoC: Intel: catpt: Expose correct bit depth to userspace Anderson Nascimento (1): net/tcp: Fix a NULL pointer dereference when using TCP-AO with TCP_REPAIR Antheas Kapenekakis (2): platform/x86: asus-wmi: Fix ROG button mapping, tablet mode on ASUS ROG Z13 platform/x86: asus-wmi: Re-add extra keys to ignore_key_wlan quirk Borislav Petkov (1): x86/bugs: KVM: Add support for SRSO_MSR_FIX Borislav Petkov (AMD) (1): x86/bugs: Add SRSO_USER_KERNEL_NO support Bruno Thomsen (1): rtc: pcf2127: fix SPI command byte for PCF2131 backport Charles Keepax (3): ASoC: wm8940: Correct PLL rate rounding ASoC: wm8940: Correct typo in control name ASoC: wm8974: Correct PLL rate rounding Chen Ridong (1): cgroup: split cgroup_destroy_wq into 3 workqueues Christoph Hellwig (1): nvme: fix PI insert on write Colin Ian King (1): ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message Dan Carpenter (1): drm/xe: Fix a NULL vs IS_ERR() in xe_vm_add_compute_exec_queue() David Laight (7): minmax.h: add whitespace around operators and after commas minmax.h: update some comments minmax.h: reduce the #define expansion of min(), max() and clamp() minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp() minmax.h: move all the clamp() definitions after the min/max() ones minmax.h: simplify the variants of clamp() minmax.h: remove some #defines that are only expanded once Duoming Zhou (2): cnic: Fix use-after-free bugs in cnic_delete_task octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp() Eugene Koira (1): iommu/vt-d: Fix __domain_mapping()'s usage of switch_to_super_page() Filipe Manana (1): btrfs: fix invalid extref key setup when replaying dentry Geert Uytterhoeven (1): pcmcia: omap_cf: Mark driver struct with __refdata to prevent section mismatch Geliang Tang (1): selftests: mptcp: sockopt: fix error messages Greg Kroah-Hartman (1): Linux 6.12.49 Guangshuo Li (1): LoongArch: vDSO: Check kcalloc() result in init_vdso() H. Nikolaus Schaller (2): power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery power: supply: bq27xxx: restrict no-battery detection to bq27000 Hangbin Liu (2): bonding: set random address only when slaves already exist bonding: don't set oif to bond dev when getting NS target destination Hans de Goede (1): net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Herbert Xu (2): crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg crypto: af_alg - Set merge to zero early in af_alg_sendmsg Huacai Chen (1): LoongArch: Align ACPI structures if ARCH_STRICT_ALIGN enabled Hugh Dickins (2): mm: revert "mm: vmscan.c: fix OOM on swap stress test" mm/gup: check ref_count instead of lru before migration Håkon Bugge (1): rds: ib: Increment i_fastreg_wrs before bailing out Ioana Ciornei (1): dpaa2-switch: fix buffer pool seeding for control traffic Ivan Lipski (1): drm/amd/display: Allow RX6xxx & RX7700 to invoke amdgpu_irq_get/put Jacob Keller (2): ice: store max_frame and rx_buf_len only in ice_rx_ring ice: fix Rx page leak on multi-buffer frames Jakub Kicinski (1): tls: make sure to abort the stream if headers are bogus Jamie Bainbridge (1): qed: Don't collect too many protection override GRC elements Jens Axboe (4): io_uring: backport io_should_terminate_tw() io_uring: include dying ring in task_work "should cancel" state io_uring/msg_ring: kill alloc_cache for io_kiocb allocations io_uring/kbuf: drop WARN_ON_ONCE() from incremental length check Jianbo Liu (1): net/mlx5e: Harden uplink netdev access against device unbind Kan Liang (1): perf/x86/intel: Fix crash in icl_update_topdown_event() Kohei Enju (1): igc: don't fail igc_probe() on LED setup error Krzysztof Kozlowski (1): ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed Kuniyuki Iwashima (1): tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). Lachlan Hodges (1): wifi: mac80211: increase scan_ies_len for S1G Li Zhe (1): gup: optimize longterm pin_user_pages() for large folio Liao Yuanhong (1): wifi: mac80211: fix incorrect type for ret Loic Poulain (1): drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ Maciej Fijalkowski (1): i40e: remove redundant memory barrier when cleaning Tx descs Maciej S. Szmigiero (1): KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active Mathias Nyman (2): xhci: dbc: decouple endpoint allocation from initialization xhci: dbc: Fix full DbC transfer ring after several reconnects Matthieu Baerts (NGI0) (7): mptcp: set remote_deny_join_id0 on SYN recv selftests: mptcp: userspace pm: validate deny-join-id0 flag mptcp: tfo: record 'deny join id0' info mptcp: propagate shutdown to subflows when possible selftests: mptcp: connect: catch IO errors on listen side selftests: mptcp: avoid spurious errors on TCP disconnect mptcp: pm: nl: announce deny-join-id0 flag Miaoqian Lin (1): um: virtio_uml: Fix use-after-free after put_device in probe Mikulas Patocka (2): dm-raid: don't set io_min and io_opt for raid1 dm-stripe: fix a possible integer overflow Mohammad Rafi Shaik (2): ASoC: qcom: audioreach: Fix lpaif_type configuration for the I2S interface ASoC: qcom: q6apm-lpass-dais: Fix missing set_fmt DAI op for I2S Namjae Jeon (1): ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer Nathan Chancellor (1): nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* Niklas Neronin (2): usb: xhci: introduce macro for ring segment list iteration usb: xhci: remove option to change a default ring's TRB cycle bit Paulo Alcantara (1): smb: client: fix filename matching of deferred files Pavel Begunkov (1): io_uring/cmd: let cmds to know about dying task Praful Adiga (1): ALSA: hda/realtek: Fix mute led for HP Laptop 15-dw4xx Qi Xi (1): drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path Qu Wenruo (1): btrfs: tree-checker: fix the incorrect inode ref size check Sankararaman Jayaraman (1): vmxnet3: unregister xdp rxq info in the reset path Sathesh B Edara (1): octeon_ep: fix VF MAC address lifecycle handling Sean Christopherson (1): KVM: SVM: Set/clear SRSO's BP_SPEC_REDUCE on 0 <=> 1 VM count transitions Shivank Garg (1): mm: add folio_expected_ref_count() for reference count calculation Shuicheng Lin (1): drm/xe/tile: Release kobject for the failure path Stefan Metzmacher (3): ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work) smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path Takashi Sakamoto (1): ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported Tao Cui (1): LoongArch: Check the return value when creating kobj Tariq Toukan (1): Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" Thomas Fourier (1): mmc: mvsdio: Fix dma_unmap_sg() nents value Tiezhu Yang (4): LoongArch: Update help info of ARCH_STRICT_ALIGN objtool/LoongArch: Mark types based on break immediate code objtool/LoongArch: Mark special atomic instruction as INSN_BUG type LoongArch: Fix unreliable stack for live patching Tiwei Bie (1): um: Fix FD copy size in os_rcv_fd_msg() Vasant Hegde (1): iommu/amd/pgtbl: Fix possible race while increase page table level Yang Xiuwei (1): io_uring: fix incorrect io_kiocb reference in io_link_skb Yeounsu Moon (1): net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure

1 week

1
1
0 0

Linux 6.6.108

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.108 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/loongarch/Kconfig | 8 + arch/loongarch/include/asm/acenv.h | 7 - arch/loongarch/kernel/env.c | 2 arch/um/drivers/virtio_uml.c | 6 - arch/x86/kvm/svm/svm.c | 3 arch/x86/mm/pgtable.c | 2 crypto/af_alg.c | 10 + drivers/block/loop.c | 38 +----- drivers/edac/sb_edac.c | 4 drivers/gpu/drm/bridge/analogix/anx7625.c | 6 - drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 6 - drivers/gpu/drm/drm_color_mgmt.c | 2 drivers/iommu/amd/amd_iommu_types.h | 1 drivers/iommu/amd/io_pgtable.c | 26 +++- drivers/iommu/intel/iommu.c | 7 + drivers/md/dm-integrity.c | 6 - drivers/mmc/host/mvsdio.c | 2 drivers/net/bonding/bond_main.c | 2 drivers/net/ethernet/broadcom/cnic.c | 3 drivers/net/ethernet/cavium/liquidio/request_manager.c | 2 drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 2 drivers/net/ethernet/intel/i40e/i40e_txrx.c | 3 drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 27 +++- drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 85 +++++++++++++-- drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h | 15 ++ drivers/net/ethernet/natsemi/ns83820.c | 13 +- drivers/net/ethernet/qlogic/qed/qed_debug.c | 7 - drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 drivers/net/vmxnet3/vmxnet3_drv.c | 10 - drivers/net/wireless/microchip/wilc1000/wlan_cfg.c | 37 ++++-- drivers/net/wireless/microchip/wilc1000/wlan_cfg.h | 5 drivers/pcmcia/omap_cf.c | 8 + drivers/phy/broadcom/phy-bcm-ns-usb3.c | 9 - drivers/phy/marvell/phy-berlin-usb.c | 7 - drivers/phy/ralink/phy-ralink-usb.c | 10 - drivers/phy/rockchip/phy-rockchip-pcie.c | 11 - drivers/phy/rockchip/phy-rockchip-usb.c | 10 - drivers/phy/ti/phy-omap-control.c | 9 - drivers/phy/ti/phy-omap-usb2.c | 24 +++- drivers/phy/ti/phy-ti-pipe3.c | 14 -- drivers/power/supply/bq27xxx_battery.c | 4 drivers/rtc/rtc-pcf2127.c | 10 - drivers/usb/host/xhci-dbgcap.c | 94 ++++++++++++----- fs/btrfs/tree-checker.c | 4 fs/btrfs/tree-log.c | 2 fs/nilfs2/sysfs.c | 4 fs/nilfs2/sysfs.h | 8 - fs/smb/client/smbdirect.c | 4 fs/smb/server/transport_rdma.c | 26 +++- include/crypto/if_alg.h | 10 + include/linux/minmax.h | 26 +++- include/linux/mlx5/driver.h | 1 include/linux/pageblock-flags.h | 2 include/uapi/linux/mptcp.h | 6 - io_uring/io_uring.c | 7 - io_uring/io_uring.h | 13 ++ io_uring/poll.c | 3 io_uring/timeout.c | 2 kernel/cgroup/cgroup.c | 43 ++++++- net/ipv4/proc.c | 2 net/ipv4/tcp.c | 5 net/ipv6/proc.c | 2 net/mac80211/driver-ops.h | 2 net/mac80211/main.c | 7 + net/mptcp/options.c | 6 - net/mptcp/pm_netlink.c | 7 + net/mptcp/protocol.c | 16 ++ net/mptcp/subflow.c | 4 net/rds/ib_frmr.c | 20 ++- net/rfkill/rfkill-gpio.c | 4 net/tls/tls.h | 1 net/tls/tls_strp.c | 14 +- net/tls/tls_sw.c | 3 sound/firewire/motu/motu-hwdep.c | 2 sound/pci/hda/patch_realtek.c | 1 sound/soc/codecs/wm8940.c | 9 + sound/soc/codecs/wm8974.c | 8 + sound/soc/qcom/qdsp6/audioreach.c | 1 sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 7 - sound/soc/sof/intel/hda-stream.c | 2 tools/testing/selftests/net/mptcp/mptcp_connect.c | 11 + tools/testing/selftests/net/mptcp/mptcp_sockopt.c | 16 +- tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 7 + tools/testing/selftests/net/mptcp/userspace_pm.sh | 14 +- 87 files changed, 599 insertions(+), 298 deletions(-) Ajay.Kathat(a)microchip.com (1): wifi: wilc1000: avoid buffer overflow in WID string configuration Alexey Nepomnyashih (1): net: liquidio: fix overflow in octeon_init_instr_queue() Bruno Thomsen (1): rtc: pcf2127: fix SPI command byte for PCF2131 backport Charles Keepax (3): ASoC: wm8940: Correct PLL rate rounding ASoC: wm8940: Correct typo in control name ASoC: wm8974: Correct PLL rate rounding Chen Ridong (1): cgroup: split cgroup_destroy_wq into 3 workqueues Colin Ian King (1): ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message Duoming Zhou (2): cnic: Fix use-after-free bugs in cnic_delete_task octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp() Eric Hagberg (1): Revert "loop: Avoid updating block size under exclusive owner" Eugene Koira (1): iommu/vt-d: Fix __domain_mapping()'s usage of switch_to_super_page() Filipe Manana (1): btrfs: fix invalid extref key setup when replaying dentry Geert Uytterhoeven (1): pcmcia: omap_cf: Mark driver struct with __refdata to prevent section mismatch Geliang Tang (1): selftests: mptcp: sockopt: fix error messages Greg Kroah-Hartman (1): Linux 6.6.108 H. Nikolaus Schaller (2): power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery power: supply: bq27xxx: restrict no-battery detection to bq27000 Hangbin Liu (2): bonding: set random address only when slaves already exist bonding: don't set oif to bond dev when getting NS target destination Hans de Goede (1): net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Herbert Xu (2): crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg crypto: af_alg - Set merge to zero early in af_alg_sendmsg Huacai Chen (1): LoongArch: Align ACPI structures if ARCH_STRICT_ALIGN enabled Håkon Bugge (1): rds: ib: Increment i_fastreg_wrs before bailing out Ioana Ciornei (1): dpaa2-switch: fix buffer pool seeding for control traffic Jakub Kicinski (1): tls: make sure to abort the stream if headers are bogus Jamie Bainbridge (1): qed: Don't collect too many protection override GRC elements Jens Axboe (2): io_uring: backport io_should_terminate_tw() io_uring: include dying ring in task_work "should cancel" state Jianbo Liu (2): net/mlx5e: Consider aggregated port speed during rate configuration net/mlx5e: Harden uplink netdev access against device unbind Johan Hovold (1): phy: ti: omap-usb2: fix device leak at unbind Krzysztof Kozlowski (1): ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed Kuniyuki Iwashima (1): tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). Lachlan Hodges (1): wifi: mac80211: increase scan_ies_len for S1G Liao Yuanhong (1): wifi: mac80211: fix incorrect type for ret Linus Torvalds (3): minmax: avoid overly complicated constant expressions in VM code minmax: simplify and clarify min_t()/max_t() implementation minmax: add a few more MIN_T/MAX_T users Loic Poulain (1): drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ Maciej Fijalkowski (1): i40e: remove redundant memory barrier when cleaning Tx descs Maciej S. Szmigiero (1): KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active Mathias Nyman (2): xhci: dbc: decouple endpoint allocation from initialization xhci: dbc: Fix full DbC transfer ring after several reconnects Matthieu Baerts (NGI0) (7): mptcp: set remote_deny_join_id0 on SYN recv mptcp: tfo: record 'deny join id0' info selftests: mptcp: connect: catch IO errors on listen side selftests: mptcp: avoid spurious errors on TCP disconnect mptcp: pm: nl: announce deny-join-id0 flag selftests: mptcp: userspace pm: validate deny-join-id0 flag mptcp: propagate shutdown to subflows when possible Miaoqian Lin (1): um: virtio_uml: Fix use-after-free after put_device in probe Mohammad Rafi Shaik (2): ASoC: qcom: audioreach: Fix lpaif_type configuration for the I2S interface ASoC: qcom: q6apm-lpass-dais: Fix missing set_fmt DAI op for I2S Namjae Jeon (1): ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer Nathan Chancellor (1): nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* Praful Adiga (1): ALSA: hda/realtek: Fix mute led for HP Laptop 15-dw4xx Qi Xi (1): drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path Qu Wenruo (1): btrfs: tree-checker: fix the incorrect inode ref size check Rob Herring (1): phy: Use device_get_match_data() Sankararaman Jayaraman (1): vmxnet3: unregister xdp rxq info in the reset path Stefan Metzmacher (2): ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path Takashi Sakamoto (1): ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported Tao Cui (1): LoongArch: Check the return value when creating kobj Tariq Toukan (1): Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" Thomas Fourier (1): mmc: mvsdio: Fix dma_unmap_sg() nents value Tiezhu Yang (1): LoongArch: Update help info of ARCH_STRICT_ALIGN Vasant Hegde (1): iommu/amd/pgtbl: Fix possible race while increase page table level Yeounsu Moon (1): net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure

1 week

1
1
0 0

Linux 6.1.154

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.154 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/loongarch/include/asm/acenv.h | 7 - arch/loongarch/kernel/env.c | 2 arch/um/drivers/virtio_uml.c | 6 arch/x86/kvm/svm/svm.c | 3 crypto/af_alg.c | 112 ++++++----------- drivers/gpu/drm/bridge/analogix/anx7625.c | 6 drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 6 drivers/iommu/intel/iommu.c | 7 - drivers/mmc/host/mvsdio.c | 2 drivers/net/bonding/bond_main.c | 1 drivers/net/ethernet/broadcom/cnic.c | 3 drivers/net/ethernet/cavium/liquidio/request_manager.c | 2 drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 2 drivers/net/ethernet/intel/i40e/i40e_txrx.c | 3 drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 drivers/net/ethernet/natsemi/ns83820.c | 13 - drivers/net/ethernet/qlogic/qed/qed_debug.c | 7 - drivers/pcmcia/omap_cf.c | 8 + drivers/phy/broadcom/phy-bcm-ns-usb3.c | 9 - drivers/phy/marvell/phy-berlin-usb.c | 7 - drivers/phy/ralink/phy-ralink-usb.c | 10 - drivers/phy/rockchip/phy-rockchip-pcie.c | 11 - drivers/phy/rockchip/phy-rockchip-usb.c | 10 - drivers/phy/ti/phy-omap-control.c | 9 - drivers/phy/ti/phy-omap-usb2.c | 24 ++- drivers/phy/ti/phy-ti-pipe3.c | 14 -- drivers/power/supply/bq27xxx_battery.c | 4 drivers/usb/host/xhci-dbgcap.c | 94 ++++++++++---- fs/btrfs/tree-checker.c | 4 fs/btrfs/tree-log.c | 2 fs/nilfs2/sysfs.c | 4 fs/nilfs2/sysfs.h | 8 - fs/smb/client/smbdirect.c | 4 fs/smb/server/transport_rdma.c | 26 ++- include/crypto/if_alg.h | 10 - include/uapi/linux/mptcp.h | 6 io_uring/io_uring.c | 13 + io_uring/io_uring.h | 13 + io_uring/poll.c | 3 io_uring/timeout.c | 2 kernel/cgroup/cgroup.c | 43 +++++- net/ipv4/tcp.c | 5 net/mac80211/driver-ops.h | 2 net/mac80211/main.c | 7 - net/mptcp/pm_netlink.c | 7 + net/mptcp/protocol.c | 15 ++ net/mptcp/subflow.c | 4 net/rds/ib_frmr.c | 20 +-- net/rfkill/rfkill-gpio.c | 22 ++- net/tls/tls.h | 1 net/tls/tls_strp.c | 14 +- net/tls/tls_sw.c | 3 sound/firewire/motu/motu-hwdep.c | 2 sound/pci/hda/patch_realtek.c | 1 sound/soc/codecs/wm8940.c | 2 sound/soc/codecs/wm8974.c | 8 - sound/soc/qcom/qdsp6/audioreach.c | 1 sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 38 +++-- sound/soc/sof/intel/hda-stream.c | 2 tools/testing/selftests/net/mptcp/mptcp_connect.c | 11 - tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 7 + tools/testing/selftests/net/mptcp/userspace_pm.sh | 14 +- 64 files changed, 440 insertions(+), 272 deletions(-) Alexey Nepomnyashih (1): net: liquidio: fix overflow in octeon_init_instr_queue() Charles Keepax (2): ASoC: wm8940: Correct typo in control name ASoC: wm8974: Correct PLL rate rounding Chen Ridong (1): cgroup: split cgroup_destroy_wq into 3 workqueues Colin Ian King (1): ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message David Howells (2): crypto: af_alg: Indent the loop in af_alg_sendmsg() crypto: af_alg: Convert af_alg_sendpage() to use MSG_SPLICE_PAGES Duoming Zhou (2): cnic: Fix use-after-free bugs in cnic_delete_task octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp() Eugene Koira (1): iommu/vt-d: Fix __domain_mapping()'s usage of switch_to_super_page() Filipe Manana (1): btrfs: fix invalid extref key setup when replaying dentry Geert Uytterhoeven (1): pcmcia: omap_cf: Mark driver struct with __refdata to prevent section mismatch Greg Kroah-Hartman (1): Linux 6.1.154 H. Nikolaus Schaller (2): power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery power: supply: bq27xxx: restrict no-battery detection to bq27000 Hangbin Liu (1): bonding: don't set oif to bond dev when getting NS target destination Hans de Goede (1): net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Herbert Xu (2): crypto: af_alg - Set merge to zero early in af_alg_sendmsg crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Huacai Chen (1): LoongArch: Align ACPI structures if ARCH_STRICT_ALIGN enabled Håkon Bugge (1): rds: ib: Increment i_fastreg_wrs before bailing out Ioana Ciornei (1): dpaa2-switch: fix buffer pool seeding for control traffic Jakub Kicinski (1): tls: make sure to abort the stream if headers are bogus Jamie Bainbridge (1): qed: Don't collect too many protection override GRC elements Jens Axboe (2): io_uring: backport io_should_terminate_tw() io_uring: include dying ring in task_work "should cancel" state Johan Hovold (1): phy: ti: omap-usb2: fix device leak at unbind Krzysztof Kozlowski (2): phy: broadcom: ns-usb3: fix Wvoid-pointer-to-enum-cast warning ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed Kuniyuki Iwashima (1): tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). Lachlan Hodges (1): wifi: mac80211: increase scan_ies_len for S1G Liao Yuanhong (1): wifi: mac80211: fix incorrect type for ret Loic Poulain (1): drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ Maciej Fijalkowski (1): i40e: remove redundant memory barrier when cleaning Tx descs Maciej S. Szmigiero (1): KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active Mathias Nyman (2): xhci: dbc: decouple endpoint allocation from initialization xhci: dbc: Fix full DbC transfer ring after several reconnects Matthieu Baerts (NGI0) (6): mptcp: set remote_deny_join_id0 on SYN recv selftests: mptcp: avoid spurious errors on TCP disconnect mptcp: pm: nl: announce deny-join-id0 flag selftests: mptcp: userspace pm: validate deny-join-id0 flag mptcp: propagate shutdown to subflows when possible selftests: mptcp: connect: catch IO errors on listen side Miaoqian Lin (1): um: virtio_uml: Fix use-after-free after put_device in probe Mohammad Rafi Shaik (2): ASoC: qcom: audioreach: Fix lpaif_type configuration for the I2S interface ASoC: qcom: q6apm-lpass-dais: Fix missing set_fmt DAI op for I2S Namjae Jeon (1): ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer Nathan Chancellor (1): nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* Philipp Zabel (1): net: rfkill: gpio: add DT support Praful Adiga (1): ALSA: hda/realtek: Fix mute led for HP Laptop 15-dw4xx Qi Xi (1): drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path Qu Wenruo (1): btrfs: tree-checker: fix the incorrect inode ref size check Rob Herring (1): phy: Use device_get_match_data() Srinivas Kandagatla (2): ASoC: qcom: q6apm-lpass-dai: close graphs before opening a new one ASoC: q6apm-lpass-dai: close graph on prepare errors Stefan Metzmacher (2): ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path Takashi Sakamoto (1): ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported Tao Cui (1): LoongArch: Check the return value when creating kobj Tariq Toukan (1): Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" Thomas Fourier (1): mmc: mvsdio: Fix dma_unmap_sg() nents value Yeounsu Moon (1): net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure

1 week

1
1
0 0

[PATCH v2] fs/netfs: fix reference leak

by Max Kellermann

Commit 20d72b00ca81 ("netfs: Fix the request's work item to not require a ref") modified netfs_alloc_request() to initialize the reference counter to 2 instead of 1. The rationale was that the requet's "work" would release the second reference after completion (via netfs_{read,write}_collection_worker()). That works most of the time if all goes well. However, it leaks this additional reference if the request is released before the I/O operation has been submitted: the error code path only decrements the reference counter once and the work item will never be queued because there will never be a completion. This has caused outages of our whole server cluster today because tasks were blocked in netfs_wait_for_outstanding_io(), leading to deadlocks in Ceph (another bug that I will address soon in another patch). This was caused by a netfs_pgpriv2_begin_copy_to_cache() call which failed in fscache_begin_write_operation(). The leaked netfs_io_request was never completed, leaving `netfs_inode.io_count` with a positive value forever. All of this is super-fragile code. Finding out which code paths will lead to an eventual completion and which do not is hard to see: - Some functions like netfs_create_write_req() allocate a request, but will never submit any I/O. - netfs_unbuffered_read_iter_locked() calls netfs_unbuffered_read() and then netfs_put_request(); however, netfs_unbuffered_read() can also fail early before submitting the I/O request, therefore another netfs_put_request() call must be added there. A rule of thumb is that functions that return a `netfs_io_request` do not submit I/O, and all of their callers must be checked. For my taste, the whole netfs code needs an overhaul to make reference counting easier to understand and less fragile & obscure. But to fix this bug here and now and produce a patch that is adequate for a stable backport, I tried a minimal approach that quickly frees the request object upon early failure. I decided against adding a second netfs_put_request() each time because that would cause code duplication which obscures the code further. Instead, I added the function netfs_put_failed_request() which frees such a failed request synchronously under the assumption that the reference count is exactly 2 (as initially set by netfs_alloc_request() and never touched), verified by a WARN_ON_ONCE(). It then deinitializes the request object (without going through the "cleanup_work" indirection) and frees the allocation (with RCU protection to protect against concurrent access by netfs_requests_seq_start()). All code paths that fail early have been changed to call netfs_put_failed_request() instead of netfs_put_request(). Additionally, I have added a netfs_put_request() call to netfs_unbuffered_read() as explained above because the netfs_put_failed_request() approach does not work there. Fixes: 20d72b00ca81 ("netfs: Fix the request's work item to not require a ref") Cc: stable(a)vger.kernel.org Signed-off-by: Max Kellermann <max.kellermann(a)ionos.com> --- v1->v2: free the request with call_rcu() because a proc reader might be accessing it (suggested by David Howells) --- fs/netfs/buffered_read.c | 10 +++++----- fs/netfs/direct_read.c | 7 ++++++- fs/netfs/direct_write.c | 6 +++++- fs/netfs/internal.h | 1 + fs/netfs/objects.c | 28 +++++++++++++++++++++++++--- fs/netfs/read_pgpriv2.c | 2 +- fs/netfs/read_single.c | 2 +- fs/netfs/write_issue.c | 3 +-- 8 files changed, 45 insertions(+), 14 deletions(-) diff --git a/fs/netfs/buffered_read.c b/fs/netfs/buffered_read.c index 18b3dc74c70e..37ab6f28b5ad 100644 --- a/fs/netfs/buffered_read.c +++ b/fs/netfs/buffered_read.c @@ -369,7 +369,7 @@ void netfs_readahead(struct readahead_control *ractl) return netfs_put_request(rreq, netfs_rreq_trace_put_return); cleanup_free: - return netfs_put_request(rreq, netfs_rreq_trace_put_failed); + return netfs_put_failed_request(rreq); } EXPORT_SYMBOL(netfs_readahead); @@ -472,7 +472,7 @@ static int netfs_read_gaps(struct file *file, struct folio *folio) return ret < 0 ? ret : 0; discard: - netfs_put_request(rreq, netfs_rreq_trace_put_discard); + netfs_put_failed_request(rreq); alloc_error: folio_unlock(folio); return ret; @@ -532,7 +532,7 @@ int netfs_read_folio(struct file *file, struct folio *folio) return ret < 0 ? ret : 0; discard: - netfs_put_request(rreq, netfs_rreq_trace_put_discard); + netfs_put_failed_request(rreq); alloc_error: folio_unlock(folio); return ret; @@ -699,7 +699,7 @@ int netfs_write_begin(struct netfs_inode *ctx, return 0; error_put: - netfs_put_request(rreq, netfs_rreq_trace_put_failed); + netfs_put_failed_request(rreq); error: if (folio) { folio_unlock(folio); @@ -754,7 +754,7 @@ int netfs_prefetch_for_write(struct file *file, struct folio *folio, return ret < 0 ? ret : 0; error_put: - netfs_put_request(rreq, netfs_rreq_trace_put_discard); + netfs_put_failed_request(rreq); error: _leave(" = %d", ret); return ret; diff --git a/fs/netfs/direct_read.c b/fs/netfs/direct_read.c index a05e13472baf..a498ee8d6674 100644 --- a/fs/netfs/direct_read.c +++ b/fs/netfs/direct_read.c @@ -131,6 +131,7 @@ static ssize_t netfs_unbuffered_read(struct netfs_io_request *rreq, bool sync) if (rreq->len == 0) { pr_err("Zero-sized read [R=%x]\n", rreq->debug_id); + netfs_put_request(rreq, netfs_rreq_trace_put_discard); return -EIO; } @@ -205,7 +206,7 @@ ssize_t netfs_unbuffered_read_iter_locked(struct kiocb *iocb, struct iov_iter *i if (user_backed_iter(iter)) { ret = netfs_extract_user_iter(iter, rreq->len, &rreq->buffer.iter, 0); if (ret < 0) - goto out; + goto error_put; rreq->direct_bv = (struct bio_vec *)rreq->buffer.iter.bvec; rreq->direct_bv_count = ret; rreq->direct_bv_unpin = iov_iter_extract_will_pin(iter); @@ -238,6 +239,10 @@ ssize_t netfs_unbuffered_read_iter_locked(struct kiocb *iocb, struct iov_iter *i if (ret > 0) orig_count -= ret; return ret; + +error_put: + netfs_put_failed_request(rreq); + return ret; } EXPORT_SYMBOL(netfs_unbuffered_read_iter_locked); diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c index a16660ab7f83..a9d1c3b2c084 100644 --- a/fs/netfs/direct_write.c +++ b/fs/netfs/direct_write.c @@ -57,7 +57,7 @@ ssize_t netfs_unbuffered_write_iter_locked(struct kiocb *iocb, struct iov_iter * n = netfs_extract_user_iter(iter, len, &wreq->buffer.iter, 0); if (n < 0) { ret = n; - goto out; + goto error_put; } wreq->direct_bv = (struct bio_vec *)wreq->buffer.iter.bvec; wreq->direct_bv_count = n; @@ -101,6 +101,10 @@ ssize_t netfs_unbuffered_write_iter_locked(struct kiocb *iocb, struct iov_iter * out: netfs_put_request(wreq, netfs_rreq_trace_put_return); return ret; + +error_put: + netfs_put_failed_request(wreq); + return ret; } EXPORT_SYMBOL(netfs_unbuffered_write_iter_locked); diff --git a/fs/netfs/internal.h b/fs/netfs/internal.h index d4f16fefd965..4319611f5354 100644 --- a/fs/netfs/internal.h +++ b/fs/netfs/internal.h @@ -87,6 +87,7 @@ struct netfs_io_request *netfs_alloc_request(struct address_space *mapping, void netfs_get_request(struct netfs_io_request *rreq, enum netfs_rreq_ref_trace what); void netfs_clear_subrequests(struct netfs_io_request *rreq); void netfs_put_request(struct netfs_io_request *rreq, enum netfs_rreq_ref_trace what); +void netfs_put_failed_request(struct netfs_io_request *rreq); struct netfs_io_subrequest *netfs_alloc_subrequest(struct netfs_io_request *rreq); static inline void netfs_see_request(struct netfs_io_request *rreq, diff --git a/fs/netfs/objects.c b/fs/netfs/objects.c index e8c99738b5bb..39d5e13f7248 100644 --- a/fs/netfs/objects.c +++ b/fs/netfs/objects.c @@ -116,10 +116,8 @@ static void netfs_free_request_rcu(struct rcu_head *rcu) netfs_stat_d(&netfs_n_rh_rreq); } -static void netfs_free_request(struct work_struct *work) +static void netfs_deinit_request(struct netfs_io_request *rreq) { - struct netfs_io_request *rreq = - container_of(work, struct netfs_io_request, cleanup_work); struct netfs_inode *ictx = netfs_inode(rreq->inode); unsigned int i; @@ -149,6 +147,14 @@ static void netfs_free_request(struct work_struct *work) if (atomic_dec_and_test(&ictx->io_count)) wake_up_var(&ictx->io_count); +} + +static void netfs_free_request(struct work_struct *work) +{ + struct netfs_io_request *rreq = + container_of(work, struct netfs_io_request, cleanup_work); + + netfs_deinit_request(rreq); call_rcu(&rreq->rcu, netfs_free_request_rcu); } @@ -167,6 +173,22 @@ void netfs_put_request(struct netfs_io_request *rreq, enum netfs_rreq_ref_trace } } +/* + * Free a request (synchronously) that was just allocated but has + * failed before it could be submitted. + */ +void netfs_put_failed_request(struct netfs_io_request *rreq) +{ + /* new requests have two references (see + * netfs_alloc_request(), and this function is only allowed on + * new request objects + */ + WARN_ON_ONCE(refcount_read(&rreq->ref) != 2); + + trace_netfs_rreq_ref(rreq->debug_id, 0, netfs_rreq_trace_put_failed); + netfs_free_request(&rreq->cleanup_work); +} + /* * Allocate and partially initialise an I/O request structure. */ diff --git a/fs/netfs/read_pgpriv2.c b/fs/netfs/read_pgpriv2.c index 8097bc069c1d..a1489aa29f78 100644 --- a/fs/netfs/read_pgpriv2.c +++ b/fs/netfs/read_pgpriv2.c @@ -118,7 +118,7 @@ static struct netfs_io_request *netfs_pgpriv2_begin_copy_to_cache( return creq; cancel_put: - netfs_put_request(creq, netfs_rreq_trace_put_return); + netfs_put_failed_request(creq); cancel: rreq->copy_to_cache = ERR_PTR(-ENOBUFS); clear_bit(NETFS_RREQ_FOLIO_COPY_TO_CACHE, &rreq->flags); diff --git a/fs/netfs/read_single.c b/fs/netfs/read_single.c index fa622a6cd56d..5c0dc4efc792 100644 --- a/fs/netfs/read_single.c +++ b/fs/netfs/read_single.c @@ -189,7 +189,7 @@ ssize_t netfs_read_single(struct inode *inode, struct file *file, struct iov_ite return ret; cleanup_free: - netfs_put_request(rreq, netfs_rreq_trace_put_failed); + netfs_put_failed_request(rreq); return ret; } EXPORT_SYMBOL(netfs_read_single); diff --git a/fs/netfs/write_issue.c b/fs/netfs/write_issue.c index 0584cba1a043..dd8743bc8d7f 100644 --- a/fs/netfs/write_issue.c +++ b/fs/netfs/write_issue.c @@ -133,8 +133,7 @@ struct netfs_io_request *netfs_create_write_req(struct address_space *mapping, return wreq; nomem: - wreq->error = -ENOMEM; - netfs_put_request(wreq, netfs_rreq_trace_put_failed); + netfs_put_failed_request(wreq); return ERR_PTR(-ENOMEM); } -- 2.47.3

1 week

2
2
0 0

Re: it's Seven again for PCBA One-stop Service

by Seven

Hi , What would it mean to you if your business was able to reduce Expenses by 20% (Clients: Littelfuse, Corsair, BMB, Mercedes-Benz, Fantac) We are a PCBA factory with an area of 6,000 square meters. We have been in this industry for 18 years and have an experienced team of engineers. Help you reduce BOM Expenses Fast delivery (15 days for Demo) Competitive prices (10% lower than peers) Real factory processing fees are Fees Complete quality management system (ISO9001,ISO14001,ISO13485,IATF16949,UL)Given how well our pcba service suits your needs, I think we could do some Excellent work together. Seven LeeChief Technology Officer Business Department | Shenzhen STHL Technology Co,Ltd +8618569002840 Seven(a)pcba-china.com 在2025-06-04，Seven <seven(a)ems-sthi.com> 写道:-----原始邮件----- 发件人： Seven <seven(a)ems-sthi.com> 发件时间: 2025年06月04日周三收件人： [Linux-stable-mirror <linux-stable-mirror(a)lists.linaro.org>] 主题： Re:Jordan recommend me get in touch Hi, Glad to know you and your company from Jordan. I‘m Seven CTO of STHL We are a one-stop service provider for PCBA. We can help you with production from PCB to finished product assembly. Why Partner With Us? ✅ One-Stop Expertise: From PCB fabrication, PCBA (SMT & Through-Hole), custom cable harnesses, , to final product assembly – we eliminate multi-vendor coordination risks. ✅ Cost Efficiency: 40%+ clients reduce logistics/QC costs through our integrated service model (ISO 9001:2015 certified). ✅ Speed-to-Market: Average 15% faster lead times achieved via in-house vertical integration. Recent Success Case: Helped a German IoT startup scale from prototype to 50K-unit/month production within 6 months through our: PCB Design-for-Manufacturing (DFM) optimization Automated PCBA with 99.98% first-pass yield Mechanical housing CNC machining & IP67-rated assembly Seven Marcus CTO Shenzhen STHL Technology Co,Ltd +8618569002840 Seven(a)pcba-china.com

1 week

1
0
0 0

FAILED: patch "[PATCH] mm/migrate_device: don't add folio to be freed to LRU in" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 41cddf83d8b00f29fd105e7a0777366edc69a5cf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025022407-amplifier-catnip-6e14@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 41cddf83d8b00f29fd105e7a0777366edc69a5cf Mon Sep 17 00:00:00 2001 From: David Hildenbrand <david(a)redhat.com> Date: Mon, 10 Feb 2025 17:13:17 +0100 Subject: [PATCH] mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If migration succeeded, we called folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the old to the new folio. This will set memcg_data of the old folio to 0. Similarly, if migration failed, memcg_data of the dst folio is left unset. If we call folio_putback_lru() on such folios (memcg_data == 0), we will add the folio to be freed to the LRU, making memcg code unhappy. Running the hmm selftests: # ./hmm-tests ... # RUN hmm.hmm_device_private.migrate ... [ 102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00 [ 102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff) [ 102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9 [ 102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000 [ 102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled()) [ 102.087230][T14893] ------------[ cut here ]------------ [ 102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.090478][T14893] Modules linked in: [ 102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151 [ 102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 [ 102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.096104][T14893] Code: ... [ 102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293 [ 102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426 [ 102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880 [ 102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 [ 102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8 [ 102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000 [ 102.108830][T14893] FS: 00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000 [ 102.110643][T14893] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0 [ 102.113478][T14893] PKRU: 55555554 [ 102.114172][T14893] Call Trace: [ 102.114805][T14893] <TASK> [ 102.115397][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.116547][T14893] ? __warn.cold+0x110/0x210 [ 102.117461][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.118667][T14893] ? report_bug+0x1b9/0x320 [ 102.119571][T14893] ? handle_bug+0x54/0x90 [ 102.120494][T14893] ? exc_invalid_op+0x17/0x50 [ 102.121433][T14893] ? asm_exc_invalid_op+0x1a/0x20 [ 102.122435][T14893] ? __wake_up_klogd.part.0+0x76/0xd0 [ 102.123506][T14893] ? dump_page+0x4f/0x60 [ 102.124352][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.125500][T14893] folio_batch_move_lru+0xd4/0x200 [ 102.126577][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.127505][T14893] __folio_batch_add_and_move+0x391/0x720 [ 102.128633][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.129550][T14893] folio_putback_lru+0x16/0x80 [ 102.130564][T14893] migrate_device_finalize+0x9b/0x530 [ 102.131640][T14893] dmirror_migrate_to_device.constprop.0+0x7c5/0xad0 [ 102.133047][T14893] dmirror_fops_unlocked_ioctl+0x89b/0xc80 Likely, nothing else goes wrong: putting the last folio reference will remove the folio from the LRU again. So besides memcg complaining, adding the folio to be freed to the LRU is just an unnecessary step. The new flow resembles what we have in migrate_folio_move(): add the dst to the lru, remove migration ptes, unlock and unref dst. Link: https://lkml.kernel.org/r/20250210161317.717936-1-david@redhat.com Fixes: 8763cb45ab96 ("mm/migrate: new memory migration helper for use with device memory") Signed-off-by: David Hildenbrand <david(a)redhat.com> Cc: Jérôme Glisse <jglisse(a)redhat.com> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/migrate_device.c b/mm/migrate_device.c index 9cf26592ac93..5bd888223cc8 100644 --- a/mm/migrate_device.c +++ b/mm/migrate_device.c @@ -840,20 +840,15 @@ void migrate_device_finalize(unsigned long *src_pfns, dst = src; } + if (!folio_is_zone_device(dst)) + folio_add_lru(dst); remove_migration_ptes(src, dst, 0); folio_unlock(src); - - if (folio_is_zone_device(src)) - folio_put(src); - else - folio_putback_lru(src); + folio_put(src); if (dst != src) { folio_unlock(dst); - if (folio_is_zone_device(dst)) - folio_put(dst); - else - folio_putback_lru(dst); + folio_put(dst); } } }

1 week

2
1
0 0

FAILED: patch "[PATCH] mm/migrate_device: don't add folio to be freed to LRU in" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 41cddf83d8b00f29fd105e7a0777366edc69a5cf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025022405-surpass-stipend-ca02@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 41cddf83d8b00f29fd105e7a0777366edc69a5cf Mon Sep 17 00:00:00 2001 From: David Hildenbrand <david(a)redhat.com> Date: Mon, 10 Feb 2025 17:13:17 +0100 Subject: [PATCH] mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If migration succeeded, we called folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the old to the new folio. This will set memcg_data of the old folio to 0. Similarly, if migration failed, memcg_data of the dst folio is left unset. If we call folio_putback_lru() on such folios (memcg_data == 0), we will add the folio to be freed to the LRU, making memcg code unhappy. Running the hmm selftests: # ./hmm-tests ... # RUN hmm.hmm_device_private.migrate ... [ 102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00 [ 102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff) [ 102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9 [ 102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000 [ 102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled()) [ 102.087230][T14893] ------------[ cut here ]------------ [ 102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.090478][T14893] Modules linked in: [ 102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151 [ 102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 [ 102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.096104][T14893] Code: ... [ 102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293 [ 102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426 [ 102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880 [ 102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 [ 102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8 [ 102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000 [ 102.108830][T14893] FS: 00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000 [ 102.110643][T14893] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0 [ 102.113478][T14893] PKRU: 55555554 [ 102.114172][T14893] Call Trace: [ 102.114805][T14893] <TASK> [ 102.115397][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.116547][T14893] ? __warn.cold+0x110/0x210 [ 102.117461][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.118667][T14893] ? report_bug+0x1b9/0x320 [ 102.119571][T14893] ? handle_bug+0x54/0x90 [ 102.120494][T14893] ? exc_invalid_op+0x17/0x50 [ 102.121433][T14893] ? asm_exc_invalid_op+0x1a/0x20 [ 102.122435][T14893] ? __wake_up_klogd.part.0+0x76/0xd0 [ 102.123506][T14893] ? dump_page+0x4f/0x60 [ 102.124352][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.125500][T14893] folio_batch_move_lru+0xd4/0x200 [ 102.126577][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.127505][T14893] __folio_batch_add_and_move+0x391/0x720 [ 102.128633][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.129550][T14893] folio_putback_lru+0x16/0x80 [ 102.130564][T14893] migrate_device_finalize+0x9b/0x530 [ 102.131640][T14893] dmirror_migrate_to_device.constprop.0+0x7c5/0xad0 [ 102.133047][T14893] dmirror_fops_unlocked_ioctl+0x89b/0xc80 Likely, nothing else goes wrong: putting the last folio reference will remove the folio from the LRU again. So besides memcg complaining, adding the folio to be freed to the LRU is just an unnecessary step. The new flow resembles what we have in migrate_folio_move(): add the dst to the lru, remove migration ptes, unlock and unref dst. Link: https://lkml.kernel.org/r/20250210161317.717936-1-david@redhat.com Fixes: 8763cb45ab96 ("mm/migrate: new memory migration helper for use with device memory") Signed-off-by: David Hildenbrand <david(a)redhat.com> Cc: Jérôme Glisse <jglisse(a)redhat.com> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/migrate_device.c b/mm/migrate_device.c index 9cf26592ac93..5bd888223cc8 100644 --- a/mm/migrate_device.c +++ b/mm/migrate_device.c @@ -840,20 +840,15 @@ void migrate_device_finalize(unsigned long *src_pfns, dst = src; } + if (!folio_is_zone_device(dst)) + folio_add_lru(dst); remove_migration_ptes(src, dst, 0); folio_unlock(src); - - if (folio_is_zone_device(src)) - folio_put(src); - else - folio_putback_lru(src); + folio_put(src); if (dst != src) { folio_unlock(dst); - if (folio_is_zone_device(dst)) - folio_put(dst); - else - folio_putback_lru(dst); + folio_put(dst); } } }

1 week

2
1
0 0

FAILED: patch "[PATCH] mm/migrate_device: don't add folio to be freed to LRU in" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 41cddf83d8b00f29fd105e7a0777366edc69a5cf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025022404-rebuttal-laundry-1cf8@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 41cddf83d8b00f29fd105e7a0777366edc69a5cf Mon Sep 17 00:00:00 2001 From: David Hildenbrand <david(a)redhat.com> Date: Mon, 10 Feb 2025 17:13:17 +0100 Subject: [PATCH] mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If migration succeeded, we called folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the old to the new folio. This will set memcg_data of the old folio to 0. Similarly, if migration failed, memcg_data of the dst folio is left unset. If we call folio_putback_lru() on such folios (memcg_data == 0), we will add the folio to be freed to the LRU, making memcg code unhappy. Running the hmm selftests: # ./hmm-tests ... # RUN hmm.hmm_device_private.migrate ... [ 102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00 [ 102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff) [ 102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9 [ 102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000 [ 102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled()) [ 102.087230][T14893] ------------[ cut here ]------------ [ 102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.090478][T14893] Modules linked in: [ 102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151 [ 102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 [ 102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.096104][T14893] Code: ... [ 102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293 [ 102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426 [ 102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880 [ 102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 [ 102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8 [ 102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000 [ 102.108830][T14893] FS: 00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000 [ 102.110643][T14893] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0 [ 102.113478][T14893] PKRU: 55555554 [ 102.114172][T14893] Call Trace: [ 102.114805][T14893] <TASK> [ 102.115397][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.116547][T14893] ? __warn.cold+0x110/0x210 [ 102.117461][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.118667][T14893] ? report_bug+0x1b9/0x320 [ 102.119571][T14893] ? handle_bug+0x54/0x90 [ 102.120494][T14893] ? exc_invalid_op+0x17/0x50 [ 102.121433][T14893] ? asm_exc_invalid_op+0x1a/0x20 [ 102.122435][T14893] ? __wake_up_klogd.part.0+0x76/0xd0 [ 102.123506][T14893] ? dump_page+0x4f/0x60 [ 102.124352][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.125500][T14893] folio_batch_move_lru+0xd4/0x200 [ 102.126577][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.127505][T14893] __folio_batch_add_and_move+0x391/0x720 [ 102.128633][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.129550][T14893] folio_putback_lru+0x16/0x80 [ 102.130564][T14893] migrate_device_finalize+0x9b/0x530 [ 102.131640][T14893] dmirror_migrate_to_device.constprop.0+0x7c5/0xad0 [ 102.133047][T14893] dmirror_fops_unlocked_ioctl+0x89b/0xc80 Likely, nothing else goes wrong: putting the last folio reference will remove the folio from the LRU again. So besides memcg complaining, adding the folio to be freed to the LRU is just an unnecessary step. The new flow resembles what we have in migrate_folio_move(): add the dst to the lru, remove migration ptes, unlock and unref dst. Link: https://lkml.kernel.org/r/20250210161317.717936-1-david@redhat.com Fixes: 8763cb45ab96 ("mm/migrate: new memory migration helper for use with device memory") Signed-off-by: David Hildenbrand <david(a)redhat.com> Cc: Jérôme Glisse <jglisse(a)redhat.com> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/migrate_device.c b/mm/migrate_device.c index 9cf26592ac93..5bd888223cc8 100644 --- a/mm/migrate_device.c +++ b/mm/migrate_device.c @@ -840,20 +840,15 @@ void migrate_device_finalize(unsigned long *src_pfns, dst = src; } + if (!folio_is_zone_device(dst)) + folio_add_lru(dst); remove_migration_ptes(src, dst, 0); folio_unlock(src); - - if (folio_is_zone_device(src)) - folio_put(src); - else - folio_putback_lru(src); + folio_put(src); if (dst != src) { folio_unlock(dst); - if (folio_is_zone_device(dst)) - folio_put(dst); - else - folio_putback_lru(dst); + folio_put(dst); } } }

1 week

2
1
0 0

[PATCH RESEND net v3] net: nfc: nci: Add parameter validation for packet data

by Deepak Sharma

Syzbot reported an uninitialized value bug in nci_init_req, which was introduced by commit 5aca7966d2a7 ("Merge tag 'perf-tools-fixes-for-v6.17-2025-09-16' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools"). This bug arises due to very limited and poor input validation that was done at nic_valid_size(). This validation only validates the skb->len (directly reflects size provided at the userspace interface) with the length provided in the buffer itself (interpreted as NCI_HEADER). This leads to the processing of memory content at the address assuming the correct layout per what opcode requires there. This leads to the accesses to buffer of `skb_buff->data` which is not assigned anything yet. Following the same silent drop of packets of invalid sizes at `nic_valid_size()`, add validation of the data in the respective handlers and return error values in case of failure. Release the skb if error values are returned from handlers in `nci_nft_packet` and effectively do a silent drop Possible TODO: because we silently drop the packets, the call to `nci_request` will be waiting for completion of request and will face timeouts. These timeouts can get excessively logged in the dmesg. A proper handling of them may require to export `nci_request_cancel` (or propagate error handling from the nft packets handlers). Reported-by: syzbot+740e04c2a93467a0f8c8(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=740e04c2a93467a0f8c8 Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation") Tested-by: syzbot+740e04c2a93467a0f8c8(a)syzkaller.appspotmail.com Cc: stable(a)vger.kernel.org Signed-off-by: Deepak Sharma <deepak.sharma.472935(a)gmail.com> Reviewed-by: Vadim Fedorenko <vadim.fedorenko(a)linux.dev> --- v3: - Move the checks inside the packet data handlers - Improvements to the commit message v2: - Fix the release of skb in case of the early return v1: - Add checks in `nci_ntf_packet` on the skb->len and do early return on failure net/nfc/nci/ntf.c | 139 +++++++++++++++++++++++++++++++++------------- 1 file changed, 101 insertions(+), 38 deletions(-) diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c index a818eff27e6b..c0edf8242e22 100644 --- a/net/nfc/nci/ntf.c +++ b/net/nfc/nci/ntf.c @@ -27,11 +27,16 @@ /* Handle NCI Notification packets */ -static void nci_core_reset_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_core_reset_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { /* Handle NCI 2.x core reset notification */ - const struct nci_core_reset_ntf *ntf = (void *)skb->data; + const struct nci_core_reset_ntf *ntf; + + if (skb->len < sizeof(struct nci_core_reset_ntf)) + return -EINVAL; + + ntf = (struct nci_core_reset_ntf *)skb->data; ndev->nci_ver = ntf->nci_ver; pr_debug("nci_ver 0x%x, config_status 0x%x\n", @@ -42,15 +47,22 @@ static void nci_core_reset_ntf_packet(struct nci_dev *ndev, __le32_to_cpu(ntf->manufact_specific_info); nci_req_complete(ndev, NCI_STATUS_OK); + + return 0; } -static void nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, - struct sk_buff *skb) +static int nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, + struct sk_buff *skb) { - struct nci_core_conn_credit_ntf *ntf = (void *) skb->data; + struct nci_core_conn_credit_ntf *ntf; struct nci_conn_info *conn_info; int i; + if (skb->len < sizeof(struct nci_core_conn_credit_ntf)) + return -EINVAL; + + ntf = (struct nci_core_conn_credit_ntf *)skb->data; + pr_debug("num_entries %d\n", ntf->num_entries); if (ntf->num_entries > NCI_MAX_NUM_CONN) @@ -68,7 +80,7 @@ static void nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, conn_info = nci_get_conn_info_by_conn_id(ndev, ntf->conn_entries[i].conn_id); if (!conn_info) - return; + return 0; atomic_add(ntf->conn_entries[i].credits, &conn_info->credits_cnt); @@ -77,12 +89,19 @@ static void nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, /* trigger the next tx */ if (!skb_queue_empty(&ndev->tx_q)) queue_work(ndev->tx_wq, &ndev->tx_work); + + return 0; } -static void nci_core_generic_error_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_core_generic_error_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { - __u8 status = skb->data[0]; + __u8 status; + + if (skb->len < 1) + return -EINVAL; + + status = skb->data[0]; pr_debug("status 0x%x\n", status); @@ -91,12 +110,19 @@ static void nci_core_generic_error_ntf_packet(struct nci_dev *ndev, (the state remains the same) */ nci_req_complete(ndev, status); } + + return 0; } -static void nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev, - struct sk_buff *skb) +static int nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev, + struct sk_buff *skb) { - struct nci_core_intf_error_ntf *ntf = (void *) skb->data; + struct nci_core_intf_error_ntf *ntf; + + if (skb->len < sizeof(struct nci_core_intf_error_ntf)) + return -EINVAL; + + ntf = (struct nci_core_intf_error_ntf *)skb->data; ntf->conn_id = nci_conn_id(&ntf->conn_id); @@ -105,6 +131,8 @@ static void nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev, /* complete the data exchange transaction, if exists */ if (test_bit(NCI_DATA_EXCHANGE, &ndev->flags)) nci_data_exchange_complete(ndev, NULL, ntf->conn_id, -EIO); + + return 0; } static const __u8 * @@ -329,13 +357,18 @@ void nci_clear_target_list(struct nci_dev *ndev) ndev->n_targets = 0; } -static void nci_rf_discover_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_rf_discover_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { struct nci_rf_discover_ntf ntf; - const __u8 *data = skb->data; + const __u8 *data; bool add_target = true; + if (skb->len < sizeof(struct nci_rf_discover_ntf)) + return -EINVAL; + + data = skb->data; + ntf.rf_discovery_id = *data++; ntf.rf_protocol = *data++; ntf.rf_tech_and_mode = *data++; @@ -390,6 +423,8 @@ static void nci_rf_discover_ntf_packet(struct nci_dev *ndev, nfc_targets_found(ndev->nfc_dev, ndev->targets, ndev->n_targets); } + + return 0; } static int nci_extract_activation_params_iso_dep(struct nci_dev *ndev, @@ -501,7 +536,7 @@ static int nci_store_general_bytes_nfc_dep(struct nci_dev *ndev, case NCI_NFC_A_PASSIVE_POLL_MODE: case NCI_NFC_F_PASSIVE_POLL_MODE: ndev->remote_gb_len = min_t(__u8, - (ntf->activation_params.poll_nfc_dep.atr_res_len + (ntf->activation_params.poll_nfc_dep.atr_res_len - NFC_ATR_RES_GT_OFFSET), NFC_ATR_RES_GB_MAXSIZE); memcpy(ndev->remote_gb, @@ -513,7 +548,7 @@ static int nci_store_general_bytes_nfc_dep(struct nci_dev *ndev, case NCI_NFC_A_PASSIVE_LISTEN_MODE: case NCI_NFC_F_PASSIVE_LISTEN_MODE: ndev->remote_gb_len = min_t(__u8, - (ntf->activation_params.listen_nfc_dep.atr_req_len + (ntf->activation_params.listen_nfc_dep.atr_req_len - NFC_ATR_REQ_GT_OFFSET), NFC_ATR_REQ_GB_MAXSIZE); memcpy(ndev->remote_gb, @@ -553,14 +588,19 @@ static int nci_store_ats_nfc_iso_dep(struct nci_dev *ndev, return NCI_STATUS_OK; } -static void nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { struct nci_conn_info *conn_info; struct nci_rf_intf_activated_ntf ntf; - const __u8 *data = skb->data; + const __u8 *data; int err = NCI_STATUS_OK; + if (skb->len < sizeof(struct nci_rf_intf_activated_ntf)) + return -EINVAL; + + data = skb->data; + ntf.rf_discovery_id = *data++; ntf.rf_interface = *data++; ntf.rf_protocol = *data++; @@ -667,7 +707,7 @@ static void nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, if (err == NCI_STATUS_OK) { conn_info = ndev->rf_conn_info; if (!conn_info) - return; + return 0; conn_info->max_pkt_payload_len = ntf.max_data_pkt_payload_size; conn_info->initial_num_credits = ntf.initial_num_credits; @@ -721,19 +761,26 @@ static void nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, pr_err("error when signaling tm activation\n"); } } + + return 0; } -static void nci_rf_deactivate_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_rf_deactivate_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { const struct nci_conn_info *conn_info; - const struct nci_rf_deactivate_ntf *ntf = (void *)skb->data; + const struct nci_rf_deactivate_ntf *ntf; + + if (skb->len < sizeof(struct nci_rf_deactivate_ntf)) + return -EINVAL; + + ntf = (struct nci_rf_deactivate_ntf *)skb->data; pr_debug("entry, type 0x%x, reason 0x%x\n", ntf->type, ntf->reason); conn_info = ndev->rf_conn_info; if (!conn_info) - return; + return 0; /* drop tx data queue */ skb_queue_purge(&ndev->tx_q); @@ -765,14 +812,20 @@ static void nci_rf_deactivate_ntf_packet(struct nci_dev *ndev, } nci_req_complete(ndev, NCI_STATUS_OK); + + return 0; } -static void nci_nfcee_discover_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_nfcee_discover_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { u8 status = NCI_STATUS_OK; - const struct nci_nfcee_discover_ntf *nfcee_ntf = - (struct nci_nfcee_discover_ntf *)skb->data; + const struct nci_nfcee_discover_ntf *nfcee_ntf; + + if (skb->len < sizeof(struct nci_nfcee_discover_ntf)) + return -EINVAL; + + nfcee_ntf = (struct nci_nfcee_discover_ntf *)skb->data; /* NFCForum NCI 9.2.1 HCI Network Specific Handling * If the NFCC supports the HCI Network, it SHALL return one, @@ -783,6 +836,8 @@ static void nci_nfcee_discover_ntf_packet(struct nci_dev *ndev, ndev->cur_params.id = nfcee_ntf->nfcee_id; nci_req_complete(ndev, status); + + return 0; } void nci_ntf_packet(struct nci_dev *ndev, struct sk_buff *skb) @@ -809,35 +864,43 @@ void nci_ntf_packet(struct nci_dev *ndev, struct sk_buff *skb) switch (ntf_opcode) { case NCI_OP_CORE_RESET_NTF: - nci_core_reset_ntf_packet(ndev, skb); + if (nci_core_reset_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_CORE_CONN_CREDITS_NTF: - nci_core_conn_credits_ntf_packet(ndev, skb); + if (nci_core_conn_credits_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_CORE_GENERIC_ERROR_NTF: - nci_core_generic_error_ntf_packet(ndev, skb); + if (nci_core_generic_error_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_CORE_INTF_ERROR_NTF: - nci_core_conn_intf_error_ntf_packet(ndev, skb); + if (nci_core_conn_intf_error_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_RF_DISCOVER_NTF: - nci_rf_discover_ntf_packet(ndev, skb); + if (nci_rf_discover_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_RF_INTF_ACTIVATED_NTF: - nci_rf_intf_activated_ntf_packet(ndev, skb); + if (nci_rf_intf_activated_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_RF_DEACTIVATE_NTF: - nci_rf_deactivate_ntf_packet(ndev, skb); + if (nci_rf_deactivate_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_NFCEE_DISCOVER_NTF: - nci_nfcee_discover_ntf_packet(ndev, skb); + if (nci_nfcee_discover_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_RF_NFCEE_ACTION_NTF: -- 2.51.0

1 week

2
1
0 0

FAILED: patch "[PATCH] mm/migrate_device: don't add folio to be freed to LRU in" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 41cddf83d8b00f29fd105e7a0777366edc69a5cf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025022402-footprint-usher-aa6e@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 41cddf83d8b00f29fd105e7a0777366edc69a5cf Mon Sep 17 00:00:00 2001 From: David Hildenbrand <david(a)redhat.com> Date: Mon, 10 Feb 2025 17:13:17 +0100 Subject: [PATCH] mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If migration succeeded, we called folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the old to the new folio. This will set memcg_data of the old folio to 0. Similarly, if migration failed, memcg_data of the dst folio is left unset. If we call folio_putback_lru() on such folios (memcg_data == 0), we will add the folio to be freed to the LRU, making memcg code unhappy. Running the hmm selftests: # ./hmm-tests ... # RUN hmm.hmm_device_private.migrate ... [ 102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00 [ 102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff) [ 102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9 [ 102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000 [ 102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled()) [ 102.087230][T14893] ------------[ cut here ]------------ [ 102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.090478][T14893] Modules linked in: [ 102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151 [ 102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 [ 102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.096104][T14893] Code: ... [ 102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293 [ 102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426 [ 102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880 [ 102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 [ 102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8 [ 102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000 [ 102.108830][T14893] FS: 00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000 [ 102.110643][T14893] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0 [ 102.113478][T14893] PKRU: 55555554 [ 102.114172][T14893] Call Trace: [ 102.114805][T14893] <TASK> [ 102.115397][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.116547][T14893] ? __warn.cold+0x110/0x210 [ 102.117461][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.118667][T14893] ? report_bug+0x1b9/0x320 [ 102.119571][T14893] ? handle_bug+0x54/0x90 [ 102.120494][T14893] ? exc_invalid_op+0x17/0x50 [ 102.121433][T14893] ? asm_exc_invalid_op+0x1a/0x20 [ 102.122435][T14893] ? __wake_up_klogd.part.0+0x76/0xd0 [ 102.123506][T14893] ? dump_page+0x4f/0x60 [ 102.124352][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.125500][T14893] folio_batch_move_lru+0xd4/0x200 [ 102.126577][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.127505][T14893] __folio_batch_add_and_move+0x391/0x720 [ 102.128633][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.129550][T14893] folio_putback_lru+0x16/0x80 [ 102.130564][T14893] migrate_device_finalize+0x9b/0x530 [ 102.131640][T14893] dmirror_migrate_to_device.constprop.0+0x7c5/0xad0 [ 102.133047][T14893] dmirror_fops_unlocked_ioctl+0x89b/0xc80 Likely, nothing else goes wrong: putting the last folio reference will remove the folio from the LRU again. So besides memcg complaining, adding the folio to be freed to the LRU is just an unnecessary step. The new flow resembles what we have in migrate_folio_move(): add the dst to the lru, remove migration ptes, unlock and unref dst. Link: https://lkml.kernel.org/r/20250210161317.717936-1-david@redhat.com Fixes: 8763cb45ab96 ("mm/migrate: new memory migration helper for use with device memory") Signed-off-by: David Hildenbrand <david(a)redhat.com> Cc: Jérôme Glisse <jglisse(a)redhat.com> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/migrate_device.c b/mm/migrate_device.c index 9cf26592ac93..5bd888223cc8 100644 --- a/mm/migrate_device.c +++ b/mm/migrate_device.c @@ -840,20 +840,15 @@ void migrate_device_finalize(unsigned long *src_pfns, dst = src; } + if (!folio_is_zone_device(dst)) + folio_add_lru(dst); remove_migration_ptes(src, dst, 0); folio_unlock(src); - - if (folio_is_zone_device(src)) - folio_put(src); - else - folio_putback_lru(src); + folio_put(src); if (dst != src) { folio_unlock(dst); - if (folio_is_zone_device(dst)) - folio_put(dst); - else - folio_putback_lru(dst); + folio_put(dst); } } }

1 week

2
3
0 0

FAILED: patch "[PATCH] mm/migrate_device: don't add folio to be freed to LRU in" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 41cddf83d8b00f29fd105e7a0777366edc69a5cf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025022401-batting-december-cf51@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 41cddf83d8b00f29fd105e7a0777366edc69a5cf Mon Sep 17 00:00:00 2001 From: David Hildenbrand <david(a)redhat.com> Date: Mon, 10 Feb 2025 17:13:17 +0100 Subject: [PATCH] mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If migration succeeded, we called folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the old to the new folio. This will set memcg_data of the old folio to 0. Similarly, if migration failed, memcg_data of the dst folio is left unset. If we call folio_putback_lru() on such folios (memcg_data == 0), we will add the folio to be freed to the LRU, making memcg code unhappy. Running the hmm selftests: # ./hmm-tests ... # RUN hmm.hmm_device_private.migrate ... [ 102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00 [ 102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff) [ 102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9 [ 102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000 [ 102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled()) [ 102.087230][T14893] ------------[ cut here ]------------ [ 102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.090478][T14893] Modules linked in: [ 102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151 [ 102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 [ 102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.096104][T14893] Code: ... [ 102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293 [ 102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426 [ 102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880 [ 102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 [ 102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8 [ 102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000 [ 102.108830][T14893] FS: 00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000 [ 102.110643][T14893] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0 [ 102.113478][T14893] PKRU: 55555554 [ 102.114172][T14893] Call Trace: [ 102.114805][T14893] <TASK> [ 102.115397][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.116547][T14893] ? __warn.cold+0x110/0x210 [ 102.117461][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.118667][T14893] ? report_bug+0x1b9/0x320 [ 102.119571][T14893] ? handle_bug+0x54/0x90 [ 102.120494][T14893] ? exc_invalid_op+0x17/0x50 [ 102.121433][T14893] ? asm_exc_invalid_op+0x1a/0x20 [ 102.122435][T14893] ? __wake_up_klogd.part.0+0x76/0xd0 [ 102.123506][T14893] ? dump_page+0x4f/0x60 [ 102.124352][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.125500][T14893] folio_batch_move_lru+0xd4/0x200 [ 102.126577][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.127505][T14893] __folio_batch_add_and_move+0x391/0x720 [ 102.128633][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.129550][T14893] folio_putback_lru+0x16/0x80 [ 102.130564][T14893] migrate_device_finalize+0x9b/0x530 [ 102.131640][T14893] dmirror_migrate_to_device.constprop.0+0x7c5/0xad0 [ 102.133047][T14893] dmirror_fops_unlocked_ioctl+0x89b/0xc80 Likely, nothing else goes wrong: putting the last folio reference will remove the folio from the LRU again. So besides memcg complaining, adding the folio to be freed to the LRU is just an unnecessary step. The new flow resembles what we have in migrate_folio_move(): add the dst to the lru, remove migration ptes, unlock and unref dst. Link: https://lkml.kernel.org/r/20250210161317.717936-1-david@redhat.com Fixes: 8763cb45ab96 ("mm/migrate: new memory migration helper for use with device memory") Signed-off-by: David Hildenbrand <david(a)redhat.com> Cc: Jérôme Glisse <jglisse(a)redhat.com> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/migrate_device.c b/mm/migrate_device.c index 9cf26592ac93..5bd888223cc8 100644 --- a/mm/migrate_device.c +++ b/mm/migrate_device.c @@ -840,20 +840,15 @@ void migrate_device_finalize(unsigned long *src_pfns, dst = src; } + if (!folio_is_zone_device(dst)) + folio_add_lru(dst); remove_migration_ptes(src, dst, 0); folio_unlock(src); - - if (folio_is_zone_device(src)) - folio_put(src); - else - folio_putback_lru(src); + folio_put(src); if (dst != src) { folio_unlock(dst); - if (folio_is_zone_device(dst)) - folio_put(dst); - else - folio_putback_lru(dst); + folio_put(dst); } } }

1 week

2
3
0 0

[PATCH 6.16 1/2] wifi: iwlwifi: fix byte count table for old devices

by Johannes Berg

From: Johannes Berg <johannes.berg(a)intel.com> commit 586e3cb33ba6890054b95aa0ade0a165890efabd upstream. For devices handled by iwldvm, bc_table_dword was never set, but I missed that during the removal thereof. Change the logic to not treat the byte count table as dwords for devices older than 9000 series to fix that. Fixes: 6570ea227826 ("wifi: iwlwifi: remove bc_table_dword transport config") Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> Signed-off-by: Miri Korenblit <miriam.rachel.korenblit(a)intel.com> Link: https://patch.msgid.link/20250828095500.eccd7d3939f1.Ibaffa06d0b3aa5f35a945… --- drivers/net/wireless/intel/iwlwifi/pcie/tx.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c index eee55428749c..5ca9712dd7f0 100644 --- a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c +++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c @@ -2093,7 +2093,8 @@ static void iwl_txq_gen1_update_byte_cnt_tbl(struct iwl_trans *trans, break; } - if (trans->mac_cfg->device_family < IWL_DEVICE_FAMILY_AX210) + if (trans->mac_cfg->device_family >= IWL_DEVICE_FAMILY_9000 && + trans->mac_cfg->device_family < IWL_DEVICE_FAMILY_AX210) len = DIV_ROUND_UP(len, 4); if (WARN_ON(len > 0xFFF || write_ptr >= TFD_QUEUE_SIZE_MAX)) -- 2.51.0

1 week

1
1
0 0

[PATCH] afs: Fix potential null pointer dereference in afs_put_server

by Zhen Ni

afs_put_server() accessed server->debug_id before the NULL check, which could lead to a null pointer dereference. Move the debug_id assignment, ensuring we never dereference a NULL server pointer. Fixes: 2757a4dc1849 ("afs: Fix access after dec in put functions") Cc: stable(a)vger.kernel.org Signed-off-by: Zhen Ni <zhen.ni(a)easystack.cn> --- fs/afs/server.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/afs/server.c b/fs/afs/server.c index a97562f831eb..c4428ebddb1d 100644 --- a/fs/afs/server.c +++ b/fs/afs/server.c @@ -331,13 +331,14 @@ struct afs_server *afs_use_server(struct afs_server *server, bool activate, void afs_put_server(struct afs_net *net, struct afs_server *server, enum afs_server_trace reason) { - unsigned int a, debug_id = server->debug_id; + unsigned int a, debug_id; bool zero; int r; if (!server) return; + debug_id = server->debug_id; a = atomic_read(&server->active); zero = __refcount_dec_and_test(&server->ref, &r); trace_afs_server(debug_id, r - 1, a, reason); -- 2.20.1

1 week

4
3
0 0

Re: Confirmation on EOL for Linux 5.4 Stable Kernel

by Joseph Salisbury

On 9/24/25 13:41, Joseph Salisbury wrote: > Hi Greg/Sasha, > > I am reaching out to confirm the projected EOL for the Linux 5.4 > stable kernel. > > According to the information listed on kernel.org [0], the EOL is > currently slated for December 2025. We are using this projection for > planning, so we would be grateful if you could confirm it is still > accurate. > > Thank you very much for your time and for all the work you do in > maintaining the stable kernel releases! > > Thanks, > > Joe Salisbury > > > [0] https://www.kernel.org/category/releases.html Sorry, I forgot to CC stable for the wider audience. Doing that now.

1 week

2
1
0 0

[PATCH v2] crypto: af_alg - Fix incorrect boolean values in af_alg_ctx

by Eric Biggers

Commit 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg") changed some fields from bool to 1-bit bitfields of type u32. However, some assignments to these fields, specifically 'more' and 'merge', assign values greater than 1. These relied on C's implicit conversion to bool, such that zero becomes false and nonzero becomes true. With a 1-bit bitfields of type u32 instead, mod 2 of the value is taken instead, resulting in 0 being assigned in some cases when 1 was intended. Fix this by restoring the bool type. Fixes: 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- v2: keep the bitfields and just change the type, as suggested by Linus include/crypto/if_alg.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h index 0c70f3a555750..107b797c33ecf 100644 --- a/include/crypto/if_alg.h +++ b/include/crypto/if_alg.h @@ -150,11 +150,11 @@ struct af_alg_ctx { struct crypto_wait wait; size_t used; atomic_t rcvused; - u32 more:1, + bool more:1, merge:1, enc:1, write:1, init:1; base-commit: cec1e6e5d1ab33403b809f79cd20d6aff124ccfe -- 2.51.0

1 week

3
2
0 0

[PATCH RESEND] scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()

by Thorsten Blum

Replace kmalloc() followed by copy_from_user() with memdup_user() to fix a memory leak that occurs when copy_from_user(buff[sg_used],,) fails and the 'cleanup1:' path does not free the memory for 'buff[sg_used]'. Using memdup_user() avoids this by freeing the memory internally. Since memdup_user() already allocates memory, use kzalloc() in the else branch instead of manually zeroing 'buff[sg_used]' using memset(0). Cc: stable(a)vger.kernel.org Fixes: edd163687ea5 ("[SCSI] hpsa: add driver for HP Smart Array controllers.") Signed-off-by: Thorsten Blum <thorsten.blum(a)linux.dev> --- drivers/scsi/hpsa.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c index c73a71ac3c29..1c6161d0b85c 100644 --- a/drivers/scsi/hpsa.c +++ b/drivers/scsi/hpsa.c @@ -6522,18 +6522,21 @@ static int hpsa_big_passthru_ioctl(struct ctlr_info *h, while (left) { sz = (left > ioc->malloc_size) ? ioc->malloc_size : left; buff_size[sg_used] = sz; - buff[sg_used] = kmalloc(sz, GFP_KERNEL); - if (buff[sg_used] == NULL) { - status = -ENOMEM; - goto cleanup1; - } + if (ioc->Request.Type.Direction & XFER_WRITE) { - if (copy_from_user(buff[sg_used], data_ptr, sz)) { - status = -EFAULT; + buff[sg_used] = memdup_user(data_ptr, sz); + if (IS_ERR(buff[sg_used])) { + status = PTR_ERR(buff[sg_used]); goto cleanup1; } - } else - memset(buff[sg_used], 0, sz); + } else { + buff[sg_used] = kzalloc(sz, GFP_KERNEL); + if (!buff[sg_used]) { + status = -ENOMEM; + goto cleanup1; + } + } + left -= sz; data_ptr += sz; sg_used++; -- 2.51.0

1 week

3
2
0 0

WTF: patch "[PATCH] LoongArch: KVM: Remove unused returns and semicolons" was seriously submitted to be applied to the 6.16-stable tree?

by gregkh＠linuxfoundation.org

The patch below was submitted to be applied to the 6.16-stable tree. I fail to see how this patch meets the stable kernel rules as found at Documentation/process/stable-kernel-rules.rst. I could be totally wrong, and if so, please respond to <stable(a)vger.kernel.org> and let me know why this patch should be applied. Otherwise, it is now dropped from my patch queues, never to be seen again. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 091b29d53fe645781c5c1f405bc9fcd50ce5792b Mon Sep 17 00:00:00 2001 From: Tao Cui <cuitao(a)kylinos.cn> Date: Thu, 18 Sep 2025 19:44:22 +0800 Subject: [PATCH] LoongArch: KVM: Remove unused returns and semicolons The default branch has already handled all undefined cases, so the final return statement is redundant. Redundant semicolons are removed, too. Cc: stable(a)vger.kernel.org Reviewed-by: Bibo Mao <maobibo(a)loongson.cn> Signed-off-by: Tao Cui <cuitao(a)kylinos.cn> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> diff --git a/arch/loongarch/kvm/exit.c b/arch/loongarch/kvm/exit.c index 2ce41f93b2a4..6c9c7de7226b 100644 --- a/arch/loongarch/kvm/exit.c +++ b/arch/loongarch/kvm/exit.c @@ -778,10 +778,8 @@ static long kvm_save_notify(struct kvm_vcpu *vcpu) return 0; default: return KVM_HCALL_INVALID_CODE; - }; - - return KVM_HCALL_INVALID_CODE; -}; + } +} /* * kvm_handle_lsx_disabled() - Guest used LSX while disabled in root.

1 week

2
1
0 0

[PATCH AUTOSEL 6.16-6.1] btrfs: ref-verify: handle damaged extent root tree

by Sasha Levin

From: David Sterba <dsterba(a)suse.com> [ Upstream commit ed4e6b5d644c4dd2bc2872ffec036b7da0ec2e27 ] Syzbot hits a problem with enabled ref-verify, ignorebadroots and a fuzzed/damaged extent tree. There's no fallback option like in other places that can deal with it so disable the whole ref-verify as it is just a debugging feature. Reported-by: syzbot+9c3e0cdfbfe351b0bc0e(a)syzkaller.appspotmail.com Link: https://lore.kernel.org/all/0000000000001b6052062139be1c@google.com/ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: Based on my exhaustive analysis of the commit, code changes, and extensive research through multiple specialized agents, here is my determination: ## **Backport Status: YES** This commit should be backported to stable kernel trees v5.11 and later. ## Detailed Explanation ### Nature of the Fix The commit fixes a **NULL pointer dereference** that occurs when mounting a corrupted BTRFS filesystem with both `rescue=ignorebadroots` and `ref_verify` options enabled. The code change adds a critical IS_ERR() check: ```c + extent_root = btrfs_extent_root(fs_info, 0); + /* If the extent tree is damaged we cannot ignore it (IGNOREBADROOTS). */ + if (IS_ERR(extent_root)) { + btrfs_warn(fs_info, "ref-verify: extent tree not available, disabling"); + btrfs_clear_opt(fs_info->mount_opt, REF_VERIFY); + return 0; + } ``` Previously, the code immediately used `extent_root` without checking if it was valid, causing a crash at line `eb = btrfs_read_lock_root_node(extent_root)`. ### Why It Qualifies for Stable Backport 1. **Fixes a Real Bug**: Prevents kernel panic during filesystem mount operations 2. **Small and Contained**: Only 7 lines of defensive code added 3. **No Side Effects**: Simply disables the debug feature gracefully instead of crashing 4. **Follows Stable Rules**: - Important bugfix (prevents crashes) - Minimal risk (simple NULL check) - Confined to subsystem (BTRFS ref-verify) ### Specific Code Analysis The fix properly handles the interaction between two features introduced at different times: - **ref-verify**: Debug feature from v4.15 (2017) - **IGNOREBADROOTS**: Recovery option from v5.11 (2020) The incompatibility wasn't caught until syzbot fuzzing discovered it. The fix: - Checks if `btrfs_extent_root()` returns an error (damaged extent tree) - Gracefully disables ref-verify with a warning message - Allows mount to proceed for recovery purposes - Returns success (0) to continue mounting ### Risk Assessment **Extremely Low Risk**: - Pattern already exists in 7+ other places in BTRFS for IGNOREBADROOTS handling - ref-verify is a debug feature (`CONFIG_BTRFS_FS_REF_VERIFY=n` by default) - Not enabled in production kernels (Ubuntu, RHEL, SUSE) - Clean cherry-pick expected to v5.11+ - Syzbot tested and verified the fix ### Comparison with Similar Commits My research found similar BTRFS NULL-check fixes routinely backported: - Commit 6aecd91a5c5b: Similar fix for scrub with IGNOREBADROOTS - Multiple IS_ERR() checks added throughout disk-io.c for root tree handling - Pattern of "disable debug feature on error" is established in ref- verify.c ### Conclusion While this primarily affects debug configurations, it meets all criteria for stable backporting: - Prevents kernel crashes (primary stable criterion) - Simple, obviously correct fix - Helps filesystem recovery operations - Zero regression risk - Follows established BTRFS error handling patterns The commit should be backported to **stable kernels v5.11 through v6.5** (kernels where both IGNOREBADROOTS and ref-verify coexist). fs/btrfs/ref-verify.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/fs/btrfs/ref-verify.c b/fs/btrfs/ref-verify.c index 2928abf7eb827..fc46190d26c8e 100644 --- a/fs/btrfs/ref-verify.c +++ b/fs/btrfs/ref-verify.c @@ -998,11 +998,18 @@ int btrfs_build_ref_tree(struct btrfs_fs_info *fs_info) if (!btrfs_test_opt(fs_info, REF_VERIFY)) return 0; + extent_root = btrfs_extent_root(fs_info, 0); + /* If the extent tree is damaged we cannot ignore it (IGNOREBADROOTS). */ + if (IS_ERR(extent_root)) { + btrfs_warn(fs_info, "ref-verify: extent tree not available, disabling"); + btrfs_clear_opt(fs_info->mount_opt, REF_VERIFY); + return 0; + } + path = btrfs_alloc_path(); if (!path) return -ENOMEM; - extent_root = btrfs_extent_root(fs_info, 0); eb = btrfs_read_lock_root_node(extent_root); level = btrfs_header_level(eb); path->nodes[level] = eb; -- 2.51.0

1 week

2
13
0 0

+ lib-genalloc-fix-device-leak-in-of_gen_pool_get.patch added to mm-nonmm-unstable branch

by Andrew Morton

The patch titled Subject: lib/genalloc: fix device leak in of_gen_pool_get() has been added to the -mm mm-nonmm-unstable branch. Its filename is lib-genalloc-fix-device-leak-in-of_gen_pool_get.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-nonmm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Johan Hovold <johan(a)kernel.org> Subject: lib/genalloc: fix device leak in of_gen_pool_get() Date: Wed, 24 Sep 2025 10:02:07 +0200 Make sure to drop the reference taken when looking up the genpool platform device in of_gen_pool_get() before returning the pool. Note that holding a reference to a device does typically not prevent its devres managed resources from being released so there is no point in keeping the reference. Link: https://lkml.kernel.org/r/20250924080207.18006-1-johan@kernel.org Fixes: 9375db07adea ("genalloc: add devres support, allow to find a managed pool by device") Signed-off-by: Johan Hovold <johan(a)kernel.org> Cc: Philipp Zabel <p.zabel(a)pengutronix.de> Cc: Vladimir Zapolskiy <vz(a)mleia.com> Cc: <stable(a)vger.kernel.org> [3.10+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- lib/genalloc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/lib/genalloc.c~lib-genalloc-fix-device-leak-in-of_gen_pool_get +++ a/lib/genalloc.c @@ -899,8 +899,11 @@ struct gen_pool *of_gen_pool_get(struct if (!name) name = of_node_full_name(np_pool); } - if (pdev) + if (pdev) { pool = gen_pool_get(&pdev->dev, name); + put_device(&pdev->dev); + } + of_node_put(np_pool); return pool; _ Patches currently in -mm which might be from johan(a)kernel.org are lib-genalloc-fix-device-leak-in-of_gen_pool_get.patch

1 week

1
0
0 0

+ mm-memblock-correct-totalram_pages-accounting-with-kmsan.patch added to mm-new branch

by Andrew Morton

The patch titled Subject: mm/memblock: correct totalram_pages accounting with KMSAN has been added to the -mm mm-new branch. Its filename is mm-memblock-correct-totalram_pages-accounting-with-kmsan.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-new branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Note, mm-new is a provisional staging ground for work-in-progress patches, and acceptance into mm-new is a notification for others take notice and to finish up reviews. Please do not hesitate to respond to review feedback and post updated versions to replace or incrementally fixup patches in mm-new. Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Alexander Potapenko <glider(a)google.com> Subject: mm/memblock: correct totalram_pages accounting with KMSAN Date: Wed, 24 Sep 2025 12:03:01 +0200 When KMSAN is enabled, `kmsan_memblock_free_pages()` can hold back pages for metadata instead of returning them to the early allocator. The callers, however, would unconditionally increment `totalram_pages`, assuming the pages were always freed. This resulted in an incorrect calculation of the total available RAM, causing the kernel to believe it had more memory than it actually did. This patch refactors `memblock_free_pages()` to return the number of pages it successfully frees. If KMSAN stashes the pages, the function now returns 0; otherwise, it returns the number of pages in the block. The callers in `memblock.c` have been updated to use this return value, ensuring that `totalram_pages` is incremented only by the number of pages actually returned to the allocator. This corrects the total RAM accounting when KMSAN is active. Link: https://lkml.kernel.org/r/20250924100301.1558645-1-glider@google.com Fixes: 3c2065098260 ("init: kmsan: call KMSAN initialization routines") Signed-off-by: Alexander Potapenko <glider(a)google.com> Reviewed-by: David Hildenbrand <david(a)redhat.com> Cc: Aleksandr Nogikh <nogikh(a)google.com> Cc: Dmitriy Vyukov <dvyukov(a)google.com> Cc: Marco Elver <elver(a)google.com> Cc: Markus Elfring <Markus.Elfring(a)web.de> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/internal.h | 4 ++-- mm/memblock.c | 21 +++++++++++---------- mm/mm_init.c | 9 +++++---- 3 files changed, 18 insertions(+), 16 deletions(-) --- a/mm/internal.h~mm-memblock-correct-totalram_pages-accounting-with-kmsan +++ a/mm/internal.h @@ -742,8 +742,8 @@ static inline void clear_zone_contiguous extern int __isolate_free_page(struct page *page, unsigned int order); extern void __putback_isolated_page(struct page *page, unsigned int order, int mt); -extern void memblock_free_pages(struct page *page, unsigned long pfn, - unsigned int order); +unsigned long memblock_free_pages(struct page *page, unsigned long pfn, + unsigned int order); extern void __free_pages_core(struct page *page, unsigned int order, enum meminit_context context); --- a/mm/memblock.c~mm-memblock-correct-totalram_pages-accounting-with-kmsan +++ a/mm/memblock.c @@ -1826,6 +1826,7 @@ void *__init __memblock_alloc_or_panic(p void __init memblock_free_late(phys_addr_t base, phys_addr_t size) { phys_addr_t cursor, end; + unsigned long freed_pages = 0; end = base + size - 1; memblock_dbg("%s: [%pa-%pa] %pS\n", @@ -1834,10 +1835,9 @@ void __init memblock_free_late(phys_addr cursor = PFN_UP(base); end = PFN_DOWN(base + size); - for (; cursor < end; cursor++) { - memblock_free_pages(pfn_to_page(cursor), cursor, 0); - totalram_pages_inc(); - } + for (; cursor < end; cursor++) + freed_pages += memblock_free_pages(pfn_to_page(cursor), cursor, 0); + totalram_pages_add(freed_pages); } /* @@ -2259,9 +2259,11 @@ static void __init free_unused_memmap(vo #endif } -static void __init __free_pages_memory(unsigned long start, unsigned long end) +static unsigned long __init __free_pages_memory(unsigned long start, + unsigned long end) { int order; + unsigned long freed = 0; while (start < end) { /* @@ -2279,14 +2281,15 @@ static void __init __free_pages_memory(u while (start + (1UL << order) > end) order--; - memblock_free_pages(pfn_to_page(start), start, order); + freed += memblock_free_pages(pfn_to_page(start), start, order); start += (1UL << order); } + return freed; } static unsigned long __init __free_memory_core(phys_addr_t start, - phys_addr_t end) + phys_addr_t end) { unsigned long start_pfn = PFN_UP(start); unsigned long end_pfn = PFN_DOWN(end); @@ -2297,9 +2300,7 @@ static unsigned long __init __free_memor if (start_pfn >= end_pfn) return 0; - __free_pages_memory(start_pfn, end_pfn); - - return end_pfn - start_pfn; + return __free_pages_memory(start_pfn, end_pfn); } static void __init memmap_init_reserved_pages(void) --- a/mm/mm_init.c~mm-memblock-correct-totalram_pages-accounting-with-kmsan +++ a/mm/mm_init.c @@ -2547,24 +2547,25 @@ void *__init alloc_large_system_hash(con return table; } -void __init memblock_free_pages(struct page *page, unsigned long pfn, - unsigned int order) +unsigned long __init memblock_free_pages(struct page *page, unsigned long pfn, + unsigned int order) { if (IS_ENABLED(CONFIG_DEFERRED_STRUCT_PAGE_INIT)) { int nid = early_pfn_to_nid(pfn); if (!early_page_initialised(pfn, nid)) - return; + return 0; } if (!kmsan_memblock_free_pages(page, order)) { /* KMSAN will take care of these pages. */ - return; + return 0; } /* pages were reserved and not allocated */ clear_page_tag_ref(page); __free_pages_core(page, order, MEMINIT_EARLY); + return 1UL << order; } DEFINE_STATIC_KEY_MAYBE(CONFIG_INIT_ON_ALLOC_DEFAULT_ON, init_on_alloc); _ Patches currently in -mm which might be from glider(a)google.com are mm-memblock-correct-totalram_pages-accounting-with-kmsan.patch

1 week

1
0
0 0

+ mm-swap-check-for-stable-address-space-before-operating-on-the-vma.patch added to mm-new branch

by Andrew Morton

The patch titled Subject: mm: swap: check for stable address space before operating on the VMA has been added to the -mm mm-new branch. Its filename is mm-swap-check-for-stable-address-space-before-operating-on-the-vma.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-new branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Note, mm-new is a provisional staging ground for work-in-progress patches, and acceptance into mm-new is a notification for others take notice and to finish up reviews. Please do not hesitate to respond to review feedback and post updated versions to replace or incrementally fixup patches in mm-new. Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Charan Teja Kalla <charan.kalla(a)oss.qualcomm.com> Subject: mm: swap: check for stable address space before operating on the VMA Date: Wed, 24 Sep 2025 23:41:38 +0530 It is possible to hit a zero entry while traversing the vmas in unuse_mm() called from swapoff path and accessing it causes the OOPS: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000446--> Loading the memory from offset 0x40 on the XA_ZERO_ENTRY as address. Mem abort info: ESR = 0x0000000096000005 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x05: level 1 translation fault The issue is manifested from the below race between the fork() on a process and swapoff: fork(dup_mmap()) swapoff(unuse_mm) --------------- ----------------- 1) Identical mtree is built using __mt_dup(). 2) copy_pte_range()--> copy_nonpresent_pte(): The dst mm is added into the mmlist to be visible to the swapoff operation. 3) Fatal signal is sent to the parent process(which is the current during the fork) thus skip the duplication of the vmas and mark the vma range with XA_ZERO_ENTRY as a marker for this process that helps during exit_mmap(). 4) swapoff is tried on the 'mm' added to the 'mmlist' as part of the 2. 5) unuse_mm(), that iterates through the vma's of this 'mm' will hit the non-NULL zero entry and operating on this zero entry as a vma is resulting into the oops. The proper fix would be around not exposing this partially-valid tree to others when droping the mmap lock, which is being solved with [1]. A simpler solution would be checking for MMF_UNSTABLE, as it is set if mm_struct is not fully initialized in dup_mmap(). Thanks to Liam/Lorenzo/David for all the suggestions in fixing this issue. Link: https://lkml.kernel.org/r/20250924181138.1762750-1-charan.kalla@oss.qualcom… Link: https://lore.kernel.org/all/20250815191031.3769540-1-Liam.Howlett@oracle.co… [1] Fixes: d24062914837 ("fork: use __mt_dup() to duplicate maple tree in dup_mmap()") Signed-off-by: Charan Teja Kalla <charan.kalla(a)oss.qualcomm.com> Suggested-by: David Hildenbrand <david(a)redhat.com> Cc: Baoquan He <bhe(a)redhat.com> Cc: Barry Song <baohua(a)kernel.org> Cc: Chris Li <chrisl(a)kernel.org> Cc: Kairui Song <kasong(a)tencent.com> Cc: Kemeng Shi <shikemeng(a)huaweicloud.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Nhat Pham <nphamcs(a)gmail.com> Cc: Peng Zhang <zhangpeng.00(a)bytedance.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/swapfile.c | 3 +++ 1 file changed, 3 insertions(+) --- a/mm/swapfile.c~mm-swap-check-for-stable-address-space-before-operating-on-the-vma +++ a/mm/swapfile.c @@ -2389,6 +2389,8 @@ static int unuse_mm(struct mm_struct *mm VMA_ITERATOR(vmi, mm, 0); mmap_read_lock(mm); + if (check_stable_address_space(mm)) + goto unlock; for_each_vma(vmi, vma) { if (vma->anon_vma && !is_vm_hugetlb_page(vma)) { ret = unuse_vma(vma, type); @@ -2398,6 +2400,7 @@ static int unuse_mm(struct mm_struct *mm cond_resched(); } +unlock: mmap_read_unlock(mm); return ret; } _ Patches currently in -mm which might be from charan.kalla(a)oss.qualcomm.com are mm-swap-check-for-stable-address-space-before-operating-on-the-vma.patch

1 week, 1 day

1
0
0 0

[PATCH] crypto: af_alg - Fix incorrect boolean values in af_alg_ctx

by Eric Biggers

Commit 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg") changed some fields from bool to 1-bit bitfields. However, some assignments to these fields, specifically 'more' and 'merge', assign values greater than 1. These relied on C's implicit conversion to bool, such that zero becomes false and nonzero becomes true. With a 1-bit bitfield instead, mod 2 of the value is taken instead, resulting in 0 being assigned in some cases when 1 was intended. Fix this by restoring the bool type. Fixes: 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- include/crypto/if_alg.h | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h index 0c70f3a55575..02fb7c1d9ef7 100644 --- a/include/crypto/if_alg.h +++ b/include/crypto/if_alg.h @@ -150,15 +150,15 @@ struct af_alg_ctx { struct crypto_wait wait; size_t used; atomic_t rcvused; - u32 more:1, - merge:1, - enc:1, - write:1, - init:1; + bool more; + bool merge; + bool enc; + bool write; + bool init; unsigned int len; unsigned int inflight; }; base-commit: cec1e6e5d1ab33403b809f79cd20d6aff124ccfe -- 2.51.0.536.g15c5d4f767-goog

1 week, 1 day

2
3
0 0

[PATCH 0/2] PCI: Fix ACS enablement for Root Ports in DT platforms

by Manivannan Sadhasivam via B4 Relay

Hi, This series fixes the long standing issue with ACS in DT platforms. There are two fixes in this series, both fixing independent issues on their own, but both are needed to properly enable ACS on DT platforms (well, patch 1 is only needed for Juno board, but that was a blocker for patch 2, more below...). Issue(s) background =================== Back in 2024, Xingang Wang first noted a failure in attaching the HiSilicon SEC device to QEMU ARM64 pci-root-port device [1]. He then tracked down the issue to ACS not being enabled for the QEMU Root Port device and he proposed a patch to fix it [2]. Once the patch got applied, people reported PCIe issues with linux-next on the ARM Juno Development boards, where they saw failure in enumerating the endpoint devices [3][4]. So soon, the patch got dropped, but the actual issue with the ARM Juno boards was left behind. Fast forward to 2024, Pavan resubmitted the same fix [5] for his own usecase, hoping that someone in the community would fix the issue with ARM Juno boards. But the patch was rightly rejected, as a patch that was known to cause issues should not be merged to the kernel. But again, no one investigated the Juno issue and it was left behind again. Now it ended up in my plate and I managed to track down the issue with the help of Naresh who got access to the Juno boards in LKFT. The Juno issue is with the PCIe switch from Microsemi/IDT, which triggers ACS Source Validation error on Completions received for the Configuration Read Request from a device connected to the downstream port that has not yet captured the PCIe bus number. As per the PCIe spec r6.0 sec 2.2.6.2, "Functions must capture the Bus and Device Numbers supplied with all Type 0 Configuration Write Requests completed by the Function and supply these numbers in the Bus and Device Number fields of the Requester ID for all Requests". So during the first Configuration Read Request issued by the switch downstream port during enumeration (for reading Vendor ID), Bus and Device numbers will be unknown to the device. So it responds to the Read Request with Completion having Bus and Device number as 0. The switch interprets the Completion as an ACS Source Validation error and drops the completion, leading to the failure in detecting the endpoint device. Though the PCIe spec r6.0, sec 6.12.1.1, states that "Completions are never affected by ACS Source Validation". This behavior is in violation of the spec. This issue was already found and addressed with a quirk for a different device from Microsemi with 'commit, aa667c6408d2 ("PCI: Workaround IDT switch ACS Source Validation erratum")'. Apparently, this issue seems to be documented in the erratum #36 of IDT 89H32H8G3-YC, which is not publicly available. Solution for Juno issue ======================= To fix this issue, I've extended the quirk to the Device ID of the switch found in Juno R2 boards. I believe the same switch is also present in Juno R1 board as well. With Patch 1, the Juno R2 boards can now detect the endpoints even with ACS enabled for the Switch downstream ports. Finally, I added patch 2 that properly enables ACS for all the PCI devices on DT platforms. It should be noted that even without patch 2 which enables ACS for the Root Port, the Juno boards were failing since 'commit, bcb81ac6ae3c ("iommu: Get DT/ACPI parsing into the proper probe path")' as reported in LKFT [6]. I believe, this commit made sure pci_request_acs() gets called before the enumeration of the switch downstream ports. The LKFT team ended up disabling ACS using cmdline param 'pci=config_acs=000000@pci:0:0'. So I added the above mentioned commit as a Fixes tag for patch 1. Also, to mitigate this issue, one could enumerate all the PCIe devices in bootloader without enabling ACS (as also noted by Robin in the LKFT thread). This will make sure that the endpoint device has a valid bus number when it responds to the first Configuration Read Request from the switch downstream port. So the ACS Source Validation error doesn't get triggered. Solution for ACS issue ====================== To fix this issue, I've kept the patch from Xingang as is (with rewording of the patch subject/description). This patch moves the pci_request_acs() call to devm_of_pci_bridge_init(), which gets called during the host bridge registration. This makes sure that the 'pci_acs_enable' flag set by pci_request_acs() is getting set before the enumeration of the Root Port device. So now, ACS will be enabled for all ACS capable devices of DT platforms. [1] https://lore.kernel.org/all/038397a6-57e2-b6fc-6e1c-7c03b7be9d96@huawei.com [2] https://lore.kernel.org/all/1621566204-37456-1-git-send-email-wangxingang5@… [3] https://lore.kernel.org/all/01314d70-41e6-70f9-e496-84091948701a@samsung.com [4] https://lore.kernel.org/all/CADYN=9JWU3CMLzMEcD5MSQGnaLyDRSKc5SofBFHUax6YuT… [5] https://lore.kernel.org/linux-pci/20241107-pci_acs_fix-v1-1-185a2462a571@qu… [6] https://lists.linaro.org/archives/list/lkft-triage@lists.linaro.org/message… Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam(a)oss.qualcomm.com> --- Manivannan Sadhasivam (1): PCI: Extend pci_idt_bus_quirk() for IDT switch with Device ID 0x8090 Xingang Wang (1): iommu/of: Call pci_request_acs() before enumerating the Root Port device drivers/iommu/of_iommu.c | 1 - drivers/pci/of.c | 8 +++++++- drivers/pci/probe.c | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) --- base-commit: 8f5ae30d69d7543eee0d70083daf4de8fe15d585 change-id: 20250910-pci-acs-cb4fa3983a2c Best regards, -- Manivannan Sadhasivam <manivannan.sadhasivam(a)oss.qualcomm.com>

1 week, 1 day

7
12
0 0

[PATCH CANDIDATE 5.15, 6.1, 6.6] xfs: Increase XFS_QM_TRANS_MAXDQS to 5

by Amir Goldstein

From: Allison Henderson <allison.henderson(a)oracle.com> [ Upstream commit f103df763563ad6849307ed5985d1513acc586dd ] With parent pointers enabled, a rename operation can update up to 5 inodes: src_dp, target_dp, src_ip, target_ip and wip. This causes their dquots to a be attached to the transaction chain, so we need to increase XFS_QM_TRANS_MAXDQS. This patch also add a helper function xfs_dqlockn to lock an arbitrary number of dquots. Signed-off-by: Allison Henderson <allison.henderson(a)oracle.com> Reviewed-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Darrick J. Wong <djwong(a)kernel.org> Reviewed-by: Christoph Hellwig <hch(a)lst.de> [amir: backport to kernels prior to parent pointers to fix an old bug] A rename operation of a directory (i.e. mv A/C/ B/) may end up changing three different dquot accounts under the following conditions: 1. user (or group) quotas are enabled 2. A/ B/ and C/ have different owner uids (or gids) 3. A/ blocks shrinks after remove of entry C/ 4. B/ blocks grows before adding of entry C/ 5. A/ ino <= XFS_DIR2_MAX_SHORT_INUM 6. B/ ino > XFS_DIR2_MAX_SHORT_INUM 7. C/ is converted from sf to block format, because its parent entry needs to be stored as 8 bytes (see xfs_dir2_sf_replace_needblock) When all conditions are met (observed in the wild) we get this assertion: XFS: Assertion failed: qtrx, file: fs/xfs/xfs_trans_dquot.c, line: 207 The upstream commit fixed this bug as a side effect, so decided to apply it as is rather than changing XFS_QM_TRANS_MAXDQS to 3 in stable kernels. The Fixes commit below is NOT the commit that introduced the bug, but for some reason, which is not explained in the commit message, it fixes the comment to state that highest number of dquots of one type is 3 and not 2 (which leads to the assertion), without actually fixing it. The change of wording from "usr, grp OR prj" to "usr, grp and prj" suggests that there may have been a confusion between "the number of dquote of one type" and "the number of dquot types" (which is also 3), so the comment change was only accidentally correct. Fixes: 10f73d27c8e9 ("xfs: fix the comment explaining xfs_trans_dqlockedjoin") Cc: stable(a)vger.kernel.org Signed-off-by: Amir Goldstein <amir73il(a)gmail.com> --- Christoph, This is a cognitive challenge. can you say what you where thinking in 2013 when making the comment change in the Fixes commit? Is my speculation above correct? Catherine and Leah, I decided that cherry-pick this upstream commit as is with a commit message addendum was the best stable tree strategy. The commit applies cleanly to 5.15.y, so I assume it does for 6.6 and 6.1 as well. I ran my tests on 5.15.y and nothing fell out, but did not try to reproduce these complex assertion in a test. Could you take this candidate backport patch to a spin on your test branch? What do you all think about this? Thanks, Amir. fs/xfs/xfs_dquot.c | 41 ++++++++++++++++++++++++++++++++++++++++ fs/xfs/xfs_dquot.h | 1 + fs/xfs/xfs_qm.h | 2 +- fs/xfs/xfs_trans_dquot.c | 15 ++++++++++----- 4 files changed, 53 insertions(+), 6 deletions(-) diff --git a/fs/xfs/xfs_dquot.c b/fs/xfs/xfs_dquot.c index c15d61d47a06..6b05d47aa19b 100644 --- a/fs/xfs/xfs_dquot.c +++ b/fs/xfs/xfs_dquot.c @@ -1360,6 +1360,47 @@ xfs_dqlock2( } } +static int +xfs_dqtrx_cmp( + const void *a, + const void *b) +{ + const struct xfs_dqtrx *qa = a; + const struct xfs_dqtrx *qb = b; + + if (qa->qt_dquot->q_id > qb->qt_dquot->q_id) + return 1; + if (qa->qt_dquot->q_id < qb->qt_dquot->q_id) + return -1; + return 0; +} + +void +xfs_dqlockn( + struct xfs_dqtrx *q) +{ + unsigned int i; + + BUILD_BUG_ON(XFS_QM_TRANS_MAXDQS > MAX_LOCKDEP_SUBCLASSES); + + /* Sort in order of dquot id, do not allow duplicates */ + for (i = 0; i < XFS_QM_TRANS_MAXDQS && q[i].qt_dquot != NULL; i++) { + unsigned int j; + + for (j = 0; j < i; j++) + ASSERT(q[i].qt_dquot != q[j].qt_dquot); + } + if (i == 0) + return; + + sort(q, i, sizeof(struct xfs_dqtrx), xfs_dqtrx_cmp, NULL); + + mutex_lock(&q[0].qt_dquot->q_qlock); + for (i = 1; i < XFS_QM_TRANS_MAXDQS && q[i].qt_dquot != NULL; i++) + mutex_lock_nested(&q[i].qt_dquot->q_qlock, + XFS_QLOCK_NESTED + i - 1); +} + int __init xfs_qm_init(void) { diff --git a/fs/xfs/xfs_dquot.h b/fs/xfs/xfs_dquot.h index 6b5e3cf40c8b..0e954f88811f 100644 --- a/fs/xfs/xfs_dquot.h +++ b/fs/xfs/xfs_dquot.h @@ -231,6 +231,7 @@ int xfs_qm_dqget_uncached(struct xfs_mount *mp, void xfs_qm_dqput(struct xfs_dquot *dqp); void xfs_dqlock2(struct xfs_dquot *, struct xfs_dquot *); +void xfs_dqlockn(struct xfs_dqtrx *q); void xfs_dquot_set_prealloc_limits(struct xfs_dquot *); diff --git a/fs/xfs/xfs_qm.h b/fs/xfs/xfs_qm.h index 442a0f97a9d4..f75c12c4c6a0 100644 --- a/fs/xfs/xfs_qm.h +++ b/fs/xfs/xfs_qm.h @@ -121,7 +121,7 @@ enum { XFS_QM_TRANS_PRJ, XFS_QM_TRANS_DQTYPES }; -#define XFS_QM_TRANS_MAXDQS 2 +#define XFS_QM_TRANS_MAXDQS 5 struct xfs_dquot_acct { struct xfs_dqtrx dqs[XFS_QM_TRANS_DQTYPES][XFS_QM_TRANS_MAXDQS]; }; diff --git a/fs/xfs/xfs_trans_dquot.c b/fs/xfs/xfs_trans_dquot.c index 955c457e585a..99a03acd4488 100644 --- a/fs/xfs/xfs_trans_dquot.c +++ b/fs/xfs/xfs_trans_dquot.c @@ -268,24 +268,29 @@ xfs_trans_mod_dquot( /* * Given an array of dqtrx structures, lock all the dquots associated and join - * them to the transaction, provided they have been modified. We know that the - * highest number of dquots of one type - usr, grp and prj - involved in a - * transaction is 3 so we don't need to make this very generic. + * them to the transaction, provided they have been modified. */ STATIC void xfs_trans_dqlockedjoin( struct xfs_trans *tp, struct xfs_dqtrx *q) { + unsigned int i; ASSERT(q[0].qt_dquot != NULL); if (q[1].qt_dquot == NULL) { xfs_dqlock(q[0].qt_dquot); xfs_trans_dqjoin(tp, q[0].qt_dquot); - } else { - ASSERT(XFS_QM_TRANS_MAXDQS == 2); + } else if (q[2].qt_dquot == NULL) { xfs_dqlock2(q[0].qt_dquot, q[1].qt_dquot); xfs_trans_dqjoin(tp, q[0].qt_dquot); xfs_trans_dqjoin(tp, q[1].qt_dquot); + } else { + xfs_dqlockn(q); + for (i = 0; i < XFS_QM_TRANS_MAXDQS; i++) { + if (q[i].qt_dquot == NULL) + break; + xfs_trans_dqjoin(tp, q[i].qt_dquot); + } } } -- 2.47.1

1 week, 1 day

4
7
0 0

[PATCH v2] PCI/sysfs: Ensure devices are powered for config reads

by Brian Norris

From: Brian Norris <briannorris(a)google.com> max_link_width, current_link_speed, current_link_width, secondary_bus_number, and subordinate_bus_number all access config registers, but they don't check the runtime PM state. If the device is in D3cold or a parent bridge is suspended, we may see -EINVAL, bogus values, or worse, depending on implementation details. Wrap these access in pci_config_pm_runtime_{get,put}() like most of the rest of the similar sysfs attributes. Notably, max_link_speed does not access config registers; it returns a cached value [1]. So it needs no changes. [1] Caching was added to pcie_get_speed_cap() in v6.13 via commit d2bd39c0456b ("PCI: Store all PCIe Supported Link Speeds"). Fixes: 56c1af4606f0 ("PCI: Add sysfs max_link_speed/width, current_link_speed/width, etc") Cc: stable(a)vger.kernel.org Signed-off-by: Brian Norris <briannorris(a)google.com> Signed-off-by: Brian Norris <briannorris(a)chromium.org> --- Changes in v2: * Don't touch max_link_speed; it's cached, so we don't actually touch the hardware * Improve commit message drivers/pci/pci-sysfs.c | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c index f28fdf6dfa02..af74cf02bb90 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -209,8 +209,14 @@ static ssize_t max_link_width_show(struct device *dev, struct device_attribute *attr, char *buf) { struct pci_dev *pdev = to_pci_dev(dev); + ssize_t ret; - return sysfs_emit(buf, "%u\n", pcie_get_width_cap(pdev)); + /* We read PCI_EXP_LNKCAP, so we need the device to be accessible. */ + pci_config_pm_runtime_get(pdev); + ret = sysfs_emit(buf, "%u\n", pcie_get_width_cap(pdev)); + pci_config_pm_runtime_put(pdev); + + return ret; } static DEVICE_ATTR_RO(max_link_width); @@ -222,7 +228,10 @@ static ssize_t current_link_speed_show(struct device *dev, int err; enum pci_bus_speed speed; + pci_config_pm_runtime_get(pci_dev); err = pcie_capability_read_word(pci_dev, PCI_EXP_LNKSTA, &linkstat); + pci_config_pm_runtime_put(pci_dev); + if (err) return -EINVAL; @@ -239,7 +248,10 @@ static ssize_t current_link_width_show(struct device *dev, u16 linkstat; int err; + pci_config_pm_runtime_get(pci_dev); err = pcie_capability_read_word(pci_dev, PCI_EXP_LNKSTA, &linkstat); + pci_config_pm_runtime_put(pci_dev); + if (err) return -EINVAL; @@ -255,7 +267,10 @@ static ssize_t secondary_bus_number_show(struct device *dev, u8 sec_bus; int err; + pci_config_pm_runtime_get(pci_dev); err = pci_read_config_byte(pci_dev, PCI_SECONDARY_BUS, &sec_bus); + pci_config_pm_runtime_put(pci_dev); + if (err) return -EINVAL; @@ -271,7 +286,10 @@ static ssize_t subordinate_bus_number_show(struct device *dev, u8 sub_bus; int err; + pci_config_pm_runtime_get(pci_dev); err = pci_read_config_byte(pci_dev, PCI_SUBORDINATE_BUS, &sub_bus); + pci_config_pm_runtime_put(pci_dev); + if (err) return -EINVAL; -- 2.51.0.536.g15c5d4f767-goog

1 week, 1 day

2
1
0 0

ETIHAD PARTNERSHIP VENDOR REGISTRATION 2025/2026.

by Ahmad - Etihad Aviation Group

1 week, 1 day

1
0
0 0

[PATCH] xen: take system_transition_mutex on suspend

by Marek Marczykowski-Górecki

Xen's do_suspend() calls dpm_suspend_start() without taking required system_transition_mutex. Since 12ffc3b1513eb moved the pm_restrict_gfp_mask() call, not taking that mutex results in a WARN. Take the mutex in do_suspend(), and use mutex_trylock() to follow how enter_state() does this. Suggested-by: Jürgen Groß <jgross(a)suse.com> Fixes: 12ffc3b1513eb "PM: Restrict swap use to later in the suspend sequence" Link: https://lore.kernel.org/xen-devel/aKiBJeqsYx_4Top5@mail-itl/ Signed-off-by: Marek Marczykowski-Górecki <marmarek(a)invisiblethingslab.com> Cc: stable(a)vger.kernel.org # v6.16+ --- drivers/xen/manage.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/xen/manage.c b/drivers/xen/manage.c index b4b4ebed68daf..f78d970949c0a 100644 --- a/drivers/xen/manage.c +++ b/drivers/xen/manage.c @@ -11,6 +11,7 @@ #include <linux/reboot.h> #include <linux/sysrq.h> #include <linux/stop_machine.h> +#include <linux/suspend.h> #include <linux/freezer.h> #include <linux/syscore_ops.h> #include <linux/export.h> @@ -101,10 +102,16 @@ static void do_suspend(void) shutting_down = SHUTDOWN_SUSPEND; + if (!mutex_trylock(&system_transition_mutex)) + { + pr_err("%s: failed to take system_transition_mutex\n", __func__); + goto out; + } + err = freeze_processes(); if (err) { pr_err("%s: freeze processes failed %d\n", __func__, err); - goto out; + goto out_unlock; } err = freeze_kernel_threads(); @@ -160,6 +167,8 @@ static void do_suspend(void) out_thaw: thaw_processes(); +out_unlock: + mutex_unlock(&system_transition_mutex); out: shutting_down = SHUTDOWN_INVALID; } -- 2.51.0

1 week, 1 day

3
2
0 0

Re: [PATCH v2] nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()

by Ira Weiny

Guangshuo Li wrote: > Hi Alison, Dave, and all, > > Thanks for the feedback. I’ve adopted your suggestions. Below is what I > plan to take in v3. I would just post v3. The review tags given on that version will be picked up when the patch is merged if it is ok. Thanks, Ira [snip]

1 week, 1 day

1
0
0 0

[PATCH 01/15] serial: sc16is7xx: remove useless enable of enhanced features

by Hugo Villeneuve

From: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> Commit 43c51bb573aa ("sc16is7xx: make sure device is in suspend once probed") permanently enabled access to the enhanced features in sc16is7xx_probe(), and it is never disabled after that. Therefore, remove useless re-enable of enhanced features in sc16is7xx_set_baud(). Fixes: 43c51bb573aa ("sc16is7xx: make sure device is in suspend once probed") Cc: stable(a)vger.kernel.org Signed-off-by: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> --- drivers/tty/serial/sc16is7xx.c | 7 ------- 1 file changed, 7 deletions(-) diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c index 1a2c4c14f6aac..c7435595dce13 100644 --- a/drivers/tty/serial/sc16is7xx.c +++ b/drivers/tty/serial/sc16is7xx.c @@ -588,13 +588,6 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud) div /= prescaler; } - /* Enable enhanced features */ - sc16is7xx_efr_lock(port); - sc16is7xx_port_update(port, SC16IS7XX_EFR_REG, - SC16IS7XX_EFR_ENABLE_BIT, - SC16IS7XX_EFR_ENABLE_BIT); - sc16is7xx_efr_unlock(port); - /* If bit MCR_CLKSEL is set, the divide by 4 prescaler is activated. */ sc16is7xx_port_update(port, SC16IS7XX_MCR_REG, SC16IS7XX_MCR_CLKSEL_BIT, -- 2.39.5

1 week, 1 day

1
0
0 0

Re: [PATCH v2] nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()

by Dave Jiang

On 9/24/25 12:42 AM, Guangshuo Li wrote: > Hi Alison, Dave, and all, > > Thanks for the feedback. I’ve adopted your suggestions. Below is what I plan to take in v3. > > - p->dcr_dma = devm_kcalloc(&p->pdev.dev <http://pdev.dev>, NUM_DCR, > - sizeof(dma_addr_t), GFP_KERNEL); > - p->label_dma = devm_kcalloc(&p->pdev.dev <http://pdev.dev>, NUM_DCR, > - sizeof(dma_addr_t), GFP_KERNEL); > - p->dimm_dma = devm_kcalloc(&p->pdev.dev <http://pdev.dev>, NUM_DCR, > - sizeof(dma_addr_t), GFP_KERNEL); > > + p->dcr_dma = devm_kcalloc(&p->pdev.dev <http://pdev.dev>, NUM_DCR, > + sizeof(dma_addr_t), GFP_KERNEL); > + if (!p->dcr_dma) { > + rc = -ENOMEM; > + goto err; > + } > + > + p->label_dma = devm_kcalloc(&p->pdev.dev <http://pdev.dev>, NUM_DCR, > + sizeof(dma_addr_t), GFP_KERNEL); > + if (!p->label_dma) { > + rc = -ENOMEM; > + goto err; > + } > + > + p->dimm_dma = devm_kcalloc(&p->pdev.dev <http://pdev.dev>, NUM_DCR, > + sizeof(dma_addr_t), GFP_KERNEL); > + if (!p->dimm_dma) { > + rc = -ENOMEM; > + goto err; > + } You'll need to create new goto labels because you'll have to free previously allocated memory in the error path. Diff below is uncompiled and untested. diff --git a/tools/testing/nvdimm/test/ndtest.c b/tools/testing/nvdimm/test/ndtest.c index 68a064ce598c..49d326819ea9 100644 --- a/tools/testing/nvdimm/test/ndtest.c +++ b/tools/testing/nvdimm/test/ndtest.c @@ -841,6 +841,7 @@ static void ndtest_remove(struct platform_device *pdev) static int ndtest_probe(struct platform_device *pdev) { + struct device *dev = &pdev->dev; struct ndtest_priv *p; int rc; @@ -848,12 +849,23 @@ static int ndtest_probe(struct platform_device *pdev) if (ndtest_bus_register(p)) return -ENOMEM; - p->dcr_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR, - sizeof(dma_addr_t), GFP_KERNEL); - p->label_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR, - sizeof(dma_addr_t), GFP_KERNEL); - p->dimm_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR, - sizeof(dma_addr_t), GFP_KERNEL); + p->dcr_dma = devm_kcalloc(dev, NUM_DCR, sizeof(dma_addr_t), GFP_KERNEL); + if (!p->dcr_dma) + return -ENOMEM; + + p->label_dma = devm_kcalloc(dev, NUM_DCR, sizeof(dma_addr_t), + GFP_KERNEL); + if (!p->label_dma) { + rc = -ENOMEM; + goto err_label_dma; + } + + p->dimm_dma = devm_kcalloc(dev, NUM_DCR, sizeof(dma_addr_t), + GFP_KERNEL); + if (!p->dimm_dma) { + rc = -ENOMEM; + goto err_dimm_dma; + } rc = ndtest_nvdimm_init(p); if (rc) @@ -863,7 +875,7 @@ static int ndtest_probe(struct platform_device *pdev) if (rc) goto err; - rc = devm_add_action_or_reset(&pdev->dev, put_dimms, p); + rc = devm_add_action_or_reset(dev, put_dimms, p); if (rc) goto err; @@ -872,6 +884,11 @@ static int ndtest_probe(struct platform_device *pdev) return 0; err: + devm_kfree(dev, p->dimm_dma); +err_dimm_dma: + devm_kfree(dev, p->label_dma); +err_label_dma: + devm_kfree(dev, p->dcr_dma); pr_err("%s:%d Failed nvdimm init\n", __func__, __LINE__); return rc; } > > If this looks good, I’ll send v3 accordingly. Also, if you’re comfortable with the changes, may I add your Reviewed-by tags? Please don't add review tags until they are given. > > Best regards, > Guangshuo

1 week, 1 day

1
0
0 0

[PATCH v4 1/7] efi: Add missing static initializer for efi_mm::cpus_allowed_lock

by Ard Biesheuvel

From: Ard Biesheuvel <ardb(a)kernel.org> Initialize the cpus_allowed_lock struct member of efi_mm. Cc: <stable(a)vger.kernel.org> Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> --- drivers/firmware/efi/efi.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 1ce428e2ac8a..fc407d891348 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -74,6 +74,9 @@ struct mm_struct efi_mm = { .page_table_lock = __SPIN_LOCK_UNLOCKED(efi_mm.page_table_lock), .mmlist = LIST_HEAD_INIT(efi_mm.mmlist), .cpu_bitmap = { [BITS_TO_LONGS(NR_CPUS)] = 0}, +#ifdef CONFIG_SCHED_MM_CID + .cpus_allowed_lock = __RAW_SPIN_LOCK_UNLOCKED(efi_mm.cpus_allowed_lock), +#endif }; struct workqueue_struct *efi_rts_wq; -- 2.51.0.534.gc79095c0ca-goog

1 week, 1 day

1
0
0 0

[PATCH] asm-generic/io.h: Skip trace helpers if rwmmio events are disabled

by Varad Gautam

With `CONFIG_TRACE_MMIO_ACCESS=y`, the `{read,write}{b,w,l,q}{_relaxed}()` mmio accessors unconditionally call `log_{post_}{read,write}_mmio()` helpers, which in turn call the ftrace ops for `rwmmio` trace events This adds a performance penalty per mmio accessor call, even when `rwmmio` events are disabled at runtime (~80% overhead on local measurement). Guard these with `tracepoint_enabled()`. Signed-off-by: Varad Gautam <varadgautam(a)google.com> Fixes: 210031971cdd ("asm-generic/io: Add logging support for MMIO accessors") Cc: <stable(a)vger.kernel.org> --- include/asm-generic/io.h | 98 +++++++++++++++++++++++++++------------- 1 file changed, 66 insertions(+), 32 deletions(-) diff --git a/include/asm-generic/io.h b/include/asm-generic/io.h index 3c61c29ff6ab..a9b5da547523 100644 --- a/include/asm-generic/io.h +++ b/include/asm-generic/io.h @@ -75,6 +75,7 @@ #if IS_ENABLED(CONFIG_TRACE_MMIO_ACCESS) && !(defined(__DISABLE_TRACE_MMIO__)) #include <linux/tracepoint-defs.h> +#define rwmmio_tracepoint_enabled(tracepoint) tracepoint_enabled(tracepoint) DECLARE_TRACEPOINT(rwmmio_write); DECLARE_TRACEPOINT(rwmmio_post_write); DECLARE_TRACEPOINT(rwmmio_read); @@ -91,6 +92,7 @@ void log_post_read_mmio(u64 val, u8 width, const volatile void __iomem *addr, #else +#define rwmmio_tracepoint_enabled(tracepoint) false static inline void log_write_mmio(u64 val, u8 width, volatile void __iomem *addr, unsigned long caller_addr, unsigned long caller_addr0) {} static inline void log_post_write_mmio(u64 val, u8 width, volatile void __iomem *addr, @@ -189,11 +191,13 @@ static inline u8 readb(const volatile void __iomem *addr) { u8 val; - log_read_mmio(8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(8, addr, _THIS_IP_, _RET_IP_); __io_br(); val = __raw_readb(addr); __io_ar(val); - log_post_read_mmio(val, 8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 8, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -204,11 +208,13 @@ static inline u16 readw(const volatile void __iomem *addr) { u16 val; - log_read_mmio(16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(16, addr, _THIS_IP_, _RET_IP_); __io_br(); val = __le16_to_cpu((__le16 __force)__raw_readw(addr)); __io_ar(val); - log_post_read_mmio(val, 16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 16, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -219,11 +225,13 @@ static inline u32 readl(const volatile void __iomem *addr) { u32 val; - log_read_mmio(32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(32, addr, _THIS_IP_, _RET_IP_); __io_br(); val = __le32_to_cpu((__le32 __force)__raw_readl(addr)); __io_ar(val); - log_post_read_mmio(val, 32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 32, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -235,11 +243,13 @@ static inline u64 readq(const volatile void __iomem *addr) { u64 val; - log_read_mmio(64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(64, addr, _THIS_IP_, _RET_IP_); __io_br(); val = __le64_to_cpu((__le64 __force)__raw_readq(addr)); __io_ar(val); - log_post_read_mmio(val, 64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 64, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -249,11 +259,13 @@ static inline u64 readq(const volatile void __iomem *addr) #define writeb writeb static inline void writeb(u8 value, volatile void __iomem *addr) { - log_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); __io_bw(); __raw_writeb(value, addr); __io_aw(); - log_post_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); } #endif @@ -261,11 +273,13 @@ static inline void writeb(u8 value, volatile void __iomem *addr) #define writew writew static inline void writew(u16 value, volatile void __iomem *addr) { - log_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); __io_bw(); __raw_writew((u16 __force)cpu_to_le16(value), addr); __io_aw(); - log_post_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); } #endif @@ -273,11 +287,13 @@ static inline void writew(u16 value, volatile void __iomem *addr) #define writel writel static inline void writel(u32 value, volatile void __iomem *addr) { - log_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); __io_bw(); __raw_writel((u32 __force)__cpu_to_le32(value), addr); __io_aw(); - log_post_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); } #endif @@ -286,11 +302,13 @@ static inline void writel(u32 value, volatile void __iomem *addr) #define writeq writeq static inline void writeq(u64 value, volatile void __iomem *addr) { - log_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); __io_bw(); __raw_writeq((u64 __force)__cpu_to_le64(value), addr); __io_aw(); - log_post_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); } #endif #endif /* CONFIG_64BIT */ @@ -306,9 +324,11 @@ static inline u8 readb_relaxed(const volatile void __iomem *addr) { u8 val; - log_read_mmio(8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(8, addr, _THIS_IP_, _RET_IP_); val = __raw_readb(addr); - log_post_read_mmio(val, 8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 8, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -319,9 +339,11 @@ static inline u16 readw_relaxed(const volatile void __iomem *addr) { u16 val; - log_read_mmio(16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(16, addr, _THIS_IP_, _RET_IP_); val = __le16_to_cpu((__le16 __force)__raw_readw(addr)); - log_post_read_mmio(val, 16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 16, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -332,9 +354,11 @@ static inline u32 readl_relaxed(const volatile void __iomem *addr) { u32 val; - log_read_mmio(32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(32, addr, _THIS_IP_, _RET_IP_); val = __le32_to_cpu((__le32 __force)__raw_readl(addr)); - log_post_read_mmio(val, 32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 32, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -345,9 +369,11 @@ static inline u64 readq_relaxed(const volatile void __iomem *addr) { u64 val; - log_read_mmio(64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(64, addr, _THIS_IP_, _RET_IP_); val = __le64_to_cpu((__le64 __force)__raw_readq(addr)); - log_post_read_mmio(val, 64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 64, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -356,9 +382,11 @@ static inline u64 readq_relaxed(const volatile void __iomem *addr) #define writeb_relaxed writeb_relaxed static inline void writeb_relaxed(u8 value, volatile void __iomem *addr) { - log_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); __raw_writeb(value, addr); - log_post_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); } #endif @@ -366,9 +394,11 @@ static inline void writeb_relaxed(u8 value, volatile void __iomem *addr) #define writew_relaxed writew_relaxed static inline void writew_relaxed(u16 value, volatile void __iomem *addr) { - log_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); __raw_writew((u16 __force)cpu_to_le16(value), addr); - log_post_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); } #endif @@ -376,9 +406,11 @@ static inline void writew_relaxed(u16 value, volatile void __iomem *addr) #define writel_relaxed writel_relaxed static inline void writel_relaxed(u32 value, volatile void __iomem *addr) { - log_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); __raw_writel((u32 __force)__cpu_to_le32(value), addr); - log_post_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); } #endif @@ -386,9 +418,11 @@ static inline void writel_relaxed(u32 value, volatile void __iomem *addr) #define writeq_relaxed writeq_relaxed static inline void writeq_relaxed(u64 value, volatile void __iomem *addr) { - log_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); __raw_writeq((u64 __force)__cpu_to_le64(value), addr); - log_post_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); } #endif -- 2.49.0.472.ge94155a9ec-goog

1 week, 1 day

2
7
0 0

[PATCH 6.16 000/149] 6.16.9-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.16.9 release. There are 149 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 24 Sep 2025 19:23:52 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.16.9-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.16.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.16.9-rc1 SeongJae Park <sj(a)kernel.org> samples/damon/prcl: avoid starting DAMON before initialization Chen-Yu Tsai <wens(a)csie.org> clk: sunxi-ng: mp: Fix dual-divider clock rate readback SeongJae Park <sj(a)kernel.org> samples/damon/mtier: avoid starting DAMON before initialization Honggyu Kim <honggyu.kim(a)sk.com> samples/damon: change enable parameters to enabled SeongJae Park <sj(a)kernel.org> samples/damon/prcl: fix boot time enable crash Alex Elder <elder(a)riscstar.com> dt-bindings: serial: 8250: move a constraint Yixun Lan <dlan(a)gentoo.org> dt-bindings: serial: 8250: spacemit: set clocks property as required Frank Li <Frank.Li(a)nxp.com> dt-bindings: serial: 8250: allow clock 'uartclk' and 'reg' for nxp,lpc1850-uart Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: nl: announce deny-join-id0 flag Antheas Kapenekakis <lkml(a)antheas.dev> platform/x86: asus-wmi: Re-add extra keys to ignore_key_wlan quirk Antheas Kapenekakis <lkml(a)antheas.dev> platform/x86: asus-wmi: Fix ROG button mapping, tablet mode on ASUS ROG Z13 Yang Xiuwei <yangxiuwei(a)kylinos.cn> io_uring: fix incorrect io_kiocb reference in io_link_skb Stefan Metzmacher <metze(a)samba.org> smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path Paulo Alcantara <pc(a)manguebit.org> smb: client: fix file open check in __cifs_unlink() Jens Axboe <axboe(a)kernel.dk> io_uring/msg_ring: kill alloc_cache for io_kiocb allocations Herbert Xu <herbert(a)gondor.apana.org.au> crypto: af_alg - Set merge to zero early in af_alg_sendmsg Stefan Metzmacher <metze(a)samba.org> smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work) Stefan Metzmacher <metze(a)samba.org> smb: client: use disable[_delayed]_work_sync in smbdirect.c Paulo Alcantara <pc(a)manguebit.org> smb: client: fix filename matching of deferred files Stefan Metzmacher <metze(a)samba.org> smb: client: let recv_done verify data_offset, data_length and remaining_data_length Stefan Metzmacher <metze(a)samba.org> smb: client: make use of struct smbdirect_recv_io Stefan Metzmacher <metze(a)samba.org> smb: smbdirect: introduce struct smbdirect_recv_io Stefan Metzmacher <metze(a)samba.org> smb: client: make use of smbdirect_socket->recv_io.expected Stefan Metzmacher <metze(a)samba.org> smb: smbdirect: introduce smbdirect_socket.recv_io.expected Daniele Ceraolo Spurio <daniele.ceraolospurio(a)intel.com> drm/xe/guc: Set RCS/CCS yield policy Daniele Ceraolo Spurio <daniele.ceraolospurio(a)intel.com> drm/xe/guc: Enable extended CAT error reporting Daniele Ceraolo Spurio <daniele.ceraolospurio(a)intel.com> drm/xe: Fix error handling if PXP fails to start Takashi Iwai <tiwai(a)suse.de> ALSA: usb: qcom: Fix false-positive address space check Dan Carpenter <dan.carpenter(a)linaro.org> drm/xe: Fix a NULL vs IS_ERR() in xe_vm_add_compute_exec_queue() Qi Xi <xiqi2(a)huawei.com> drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path Loic Poulain <loic.poulain(a)oss.qualcomm.com> drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/pf: Drop rounddown_pow_of_two fair LMEM limitation Shuicheng Lin <shuicheng.lin(a)intel.com> drm/xe/tile: Release kobject for the failure path Venkata Prasad Potturu <venkataprasad.potturu(a)amd.com> ASoC: amd: acp: Fix incorrect retrival of acp_chip_info Vasant Hegde <vasant.hegde(a)amd.com> iommu/amd: Fix alias device DTE setting Amadeusz Sławiński <amadeuszx.slawinski(a)linux.intel.com> ASoC: Intel: catpt: Expose correct bit depth to userspace Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: SDCA: Fix return value in sdca_regmap_mbq_size() Colin Ian King <colin.i.king(a)gmail.com> ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message Dan Carpenter <dan.carpenter(a)linaro.org> ASoC: codec: sma1307: Fix memory corruption in sma1307_setting_loaded() Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8974: Correct PLL rate rounding Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8940: Correct typo in control name Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8940: Correct PLL rate rounding Praful Adiga <praful.adiga(a)gmail.com> ALSA: hda/realtek: Fix mute led for HP Laptop 15-dw4xx Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: avoid spurious errors on TCP disconnect Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: connect: catch IO errors on listen side Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: propagate shutdown to subflows when possible Håkon Bugge <haakon.bugge(a)oracle.com> rds: ib: Increment i_fastreg_wrs before bailing out Borislav Petkov (AMD) <bp(a)alien8.de> crypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked() Sébastien Szymanski <sebastien.szymanski(a)armadeus.com> gpiolib: acpi: initialize acpi_gpio_info struct Hans de Goede <hansg(a)kernel.org> net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Jens Axboe <axboe(a)kernel.dk> io_uring: include dying ring in task_work "should cancel" state Max Kellermann <max.kellermann(a)ionos.com> io_uring/io-wq: fix `max_workers` breakage and `nr_workers` underflow Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Only restore cached manual clock settings in restore if OD enabled Ivan Lipski <ivan.lipski(a)amd.com> drm/amd/display: Allow RX6xxx & RX7700 to invoke amdgpu_irq_get/put Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: suspend KFD and KGD user queues for S0ix Alex Deucher <alexander.deucher(a)amd.com> drm/amdkfd: add proper handling for S0ix Maciej S. Szmigiero <maciej.szmigiero(a)oracle.com> KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active Tom Lendacky <thomas.lendacky(a)amd.com> x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT Ben Chuang <ben.chuang(a)genesyslogic.com.tw> mmc: sdhci-uhs2: Fix calling incorrect sdhci_set_clock() function Ben Chuang <ben.chuang(a)genesyslogic.com.tw> mmc: sdhci-pci-gli: GL9767: Fix initializing the UHS-II interface during a power-on Ben Chuang <ben.chuang(a)genesyslogic.com.tw> mmc: sdhci: Move the code related to setting the clock from sdhci_set_ios_common() into sdhci_set_ios() Thomas Fourier <fourier.thomas(a)gmail.com> mmc: mvsdio: Fix dma_unmap_sg() nents value Mohammad Rafi Shaik <mohammad.rafi.shaik(a)oss.qualcomm.com> ASoC: qcom: q6apm-lpass-dais: Fix missing set_fmt DAI op for I2S Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed Mohammad Rafi Shaik <mohammad.rafi.shaik(a)oss.qualcomm.com> ASoC: qcom: audioreach: Fix lpaif_type configuration for the I2S interface Maciej Strozek <mstrozek(a)opensource.cirrus.com> ASoC: SDCA: Add quirk for incorrect function types for 3 systems Qu Wenruo <wqu(a)suse.com> btrfs: tree-checker: fix the incorrect inode ref size check Niklas Schnelle <schnelle(a)linux.ibm.com> iommu/s390: Make attach succeed when the device was surprise removed Matthew Rosato <mjrosato(a)linux.ibm.com> iommu/s390: Fix memory corruption when using identity domain Vasant Hegde <vasant.hegde(a)amd.com> iommu/amd/pgtbl: Fix possible race while increase page table level Zhen Ni <zhen.ni(a)easystack.cn> iommu/amd: Fix ivrs_base memleak in early_amd_iommu_init() Eugene Koira <eugkoira(a)amazon.com> iommu/vt-d: Fix __domain_mapping()'s usage of switch_to_super_page() Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Fix VM migration failure with PTW enabled Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Avoid copy_*_user() with lock hold in kvm_pch_pic_regs_access() Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Avoid copy_*_user() with lock hold in kvm_eiointc_sw_status_access() Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Avoid copy_*_user() with lock hold in kvm_eiointc_regs_access() Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Avoid copy_*_user() with lock hold in kvm_eiointc_ctrl_access() Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Handle jump tables options for RUST Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Make LTO case independent in Makefile Tao Cui <cuitao(a)kylinos.cn> LoongArch: Check the return value when creating kobj Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Align ACPI structures if ARCH_STRICT_ALIGN enabled Guangshuo Li <202321181(a)mail.sdu.edu.cn> LoongArch: vDSO: Check kcalloc() result in init_vdso() Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Fix unreliable stack for live patching Tiezhu Yang <yangtiezhu(a)loongson.cn> objtool/LoongArch: Mark special atomic instruction as INSN_BUG type Tiezhu Yang <yangtiezhu(a)loongson.cn> objtool/LoongArch: Mark types based on break immediate code Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Update help info of ARCH_STRICT_ALIGN Hugh Dickins <hughd(a)google.com> mm: folio_may_be_lru_cached() unless folio_test_large() Hugh Dickins <hughd(a)google.com> mm: revert "mm: vmscan.c: fix OOM on swap stress test" Hugh Dickins <hughd(a)google.com> mm/gup: local lru_add_drain() to avoid lru_add_drain_all() Li Zhe <lizhe.67(a)bytedance.com> gup: optimize longterm pin_user_pages() for large folio Hugh Dickins <hughd(a)google.com> mm: revert "mm/gup: clear the LRU flag of a page before adding to LRU batch" Hugh Dickins <hughd(a)google.com> mm/gup: check ref_count instead of lru before migration Mikulas Patocka <mpatocka(a)redhat.com> dm-stripe: fix a possible integer overflow Mikulas Patocka <mpatocka(a)redhat.com> dm-raid: don't set io_min and io_opt for raid1 austinchang <austinchang(a)synology.com> btrfs: initialize inode::file_extent_tree after i_mode has been set Andrea Righi <arighi(a)nvidia.com> Revert "sched_ext: Skip per-CPU tasks in scx_bpf_reenqueue_local()" H. Nikolaus Schaller <hns(a)goldelico.com> power: supply: bq27xxx: restrict no-battery detection to bq27000 H. Nikolaus Schaller <hns(a)goldelico.com> power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery Herbert Xu <herbert(a)gondor.apana.org.au> crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Nathan Chancellor <nathan(a)kernel.org> nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* Sergey Senozhatsky <senozhatsky(a)chromium.org> zram: fix slot write race condition Stefan Metzmacher <metze(a)samba.org> ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer Duoming Zhou <duoming(a)zju.edu.cn> octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp() Duoming Zhou <duoming(a)zju.edu.cn> cnic: Fix use-after-free bugs in cnic_delete_task Alexey Nepomnyashih <sdl(a)nppct.ru> net: liquidio: fix overflow in octeon_init_instr_queue() Eric Dumazet <edumazet(a)google.com> net: clear sk->sk_ino in sk_set_socket(sk, NULL) Tariq Toukan <tariqt(a)nvidia.com> Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" Jakub Kicinski <kuba(a)kernel.org> tls: make sure to abort the stream if headers are bogus Kuniyuki Iwashima <kuniyu(a)google.com> tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). Sathesh B Edara <sedara(a)marvell.com> octeon_ep: fix VF MAC address lifecycle handling Hangbin Liu <liuhangbin(a)gmail.com> bonding: don't set oif to bond dev when getting NS target destination Lama Kayal <lkayal(a)nvidia.com> net/mlx5e: Add a miss level for ipsec crypto offload Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Harden uplink netdev access against device unbind Remy D. Farley <one-d-wide(a)protonmail.com> doc/netlink: Fix typos in operation attributes Kohei Enju <enjuk(a)amazon.com> igc: don't fail igc_probe() on LED setup error Jedrzej Jagielski <jedrzej.jagielski(a)intel.com> ixgbe: destroy aci.lock later within ixgbe_remove path Jedrzej Jagielski <jedrzej.jagielski(a)intel.com> ixgbe: initialize aci.lock before it's used Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> i40e: remove redundant memory barrier when cleaning Tx descs Jacob Keller <jacob.e.keller(a)intel.com> ice: fix Rx page leak on multi-buffer frames Yeounsu Moon <yyyynoom(a)gmail.com> net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure Geliang Tang <geliang(a)kernel.org> selftests: mptcp: sockopt: fix error messages Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: tfo: record 'deny join id0' info Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: userspace pm: validate deny-join-id0 flag Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: set remote_deny_join_id0 on SYN recv Hangbin Liu <liuhangbin(a)gmail.com> bonding: set random address only when slaves already exist Ilya Maximets <i.maximets(a)ovn.org> net: dst_metadata: fix IP_DF bit not extracted from tunnel headers Jamie Bainbridge <jamie.bainbridge(a)gmail.com> qed: Don't collect too many protection override GRC elements Kamal Heib <kheib(a)redhat.com> octeon_ep: Validate the VF ID David Howells <dhowells(a)redhat.com> rxrpc: Fix untrusted unsigned subtract David Howells <dhowells(a)redhat.com> rxrpc: Fix unhandled errors in rxgk_verify_packet_integrity() Ivan Vecera <ivecera(a)redhat.com> dpll: fix clock quality level reporting Anderson Nascimento <anderson(a)allelesecurity.com> net/tcp: Fix a NULL pointer dereference when using TCP-AO with TCP_REPAIR Ioana Ciornei <ioana.ciornei(a)nxp.com> dpaa2-switch: fix buffer pool seeding for control traffic Li Tian <litian(a)redhat.com> net/mlx5: Not returning mlx5_link_info table when speed is unknown Tiwei Bie <tiwei.btw(a)antgroup.com> um: Fix FD copy size in os_rcv_fd_msg() Miaoqian Lin <linmq006(a)gmail.com> um: virtio_uml: Fix use-after-free after put_device in probe Stefan Metzmacher <metze(a)samba.org> smb: server: let smb_direct_writev() respect SMB_DIRECT_MAX_SEND_SGES Geert Uytterhoeven <geert+renesas(a)glider.be> pcmcia: omap_cf: Mark driver struct with __refdata to prevent section mismatch Liao Yuanhong <liaoyuanhong(a)vivo.com> wifi: mac80211: fix incorrect type for ret Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: increase scan_ies_len for S1G Felix Fietkau <nbd(a)nbd.name> wifi: mt76: do not add non-sta wcid entries to the poll list Takashi Sakamoto <o-takashi(a)sakamocchi.jp> ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported Christoph Hellwig <hch(a)lst.de> nvme: fix PI insert on write Ajay.Kathat(a)microchip.com <Ajay.Kathat(a)microchip.com> wifi: wilc1000: avoid buffer overflow in WID string configuration Ian Rogers <irogers(a)google.com> perf maps: Ensure kmap is set up for all inserts Johannes Thumshirn <johannes.thumshirn(a)wdc.com> btrfs: zoned: fix incorrect ASSERT in btrfs_zoned_reserve_data_reloc_bg() Filipe Manana <fdmanana(a)suse.com> btrfs: fix invalid extref key setup when replaying dentry Chen Ridong <chenridong(a)huawei.com> cgroup: split cgroup_destroy_wq into 3 workqueues ------------- Diffstat: Documentation/devicetree/bindings/serial/8250.yaml | 77 ++++++--- Documentation/netlink/specs/conntrack.yaml | 9 +- Documentation/netlink/specs/mptcp_pm.yaml | 4 +- Makefile | 4 +- arch/loongarch/Kconfig | 12 +- arch/loongarch/Makefile | 15 +- arch/loongarch/include/asm/acenv.h | 7 +- arch/loongarch/include/asm/kvm_mmu.h | 20 ++- arch/loongarch/kernel/env.c | 2 + arch/loongarch/kernel/stacktrace.c | 3 +- arch/loongarch/kernel/vdso.c | 3 + arch/loongarch/kvm/intc/eiointc.c | 87 ++++++---- arch/loongarch/kvm/intc/pch_pic.c | 21 ++- arch/loongarch/kvm/mmu.c | 8 +- arch/s390/include/asm/pci_insn.h | 10 +- arch/um/drivers/virtio_uml.c | 6 +- arch/um/os-Linux/file.c | 2 +- arch/x86/include/asm/sev.h | 38 ++--- arch/x86/kvm/svm/svm.c | 3 +- crypto/af_alg.c | 10 +- drivers/block/zram/zram_drv.c | 8 +- drivers/clk/sunxi-ng/ccu_mp.c | 2 +- drivers/crypto/ccp/sev-dev.c | 2 +- drivers/dpll/dpll_netlink.c | 4 +- drivers/gpio/gpiolib-acpi-core.c | 4 +- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 16 +- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 12 ++ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 24 ++- drivers/gpu/drm/amd/amdkfd/kfd_device.c | 36 ++++ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 39 ++++- drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 2 +- drivers/gpu/drm/bridge/analogix/anx7625.c | 6 +- .../gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 6 +- drivers/gpu/drm/xe/abi/guc_actions_abi.h | 5 + drivers/gpu/drm/xe/abi/guc_klvs_abi.h | 40 +++++ drivers/gpu/drm/xe/xe_exec_queue.c | 22 ++- drivers/gpu/drm/xe/xe_exec_queue_types.h | 8 +- drivers/gpu/drm/xe/xe_execlist.c | 25 ++- drivers/gpu/drm/xe/xe_execlist_types.h | 2 +- drivers/gpu/drm/xe/xe_gt.c | 3 +- drivers/gpu/drm/xe/xe_gt_sriov_pf_config.c | 1 - drivers/gpu/drm/xe/xe_guc.c | 62 ++++++- drivers/gpu/drm/xe/xe_guc.h | 1 + drivers/gpu/drm/xe/xe_guc_exec_queue_types.h | 4 +- drivers/gpu/drm/xe/xe_guc_submit.c | 141 +++++++++++++--- drivers/gpu/drm/xe/xe_guc_submit.h | 2 + drivers/gpu/drm/xe/xe_tile_sysfs.c | 12 +- drivers/gpu/drm/xe/xe_uc.c | 4 + drivers/gpu/drm/xe/xe_vm.c | 4 +- drivers/iommu/amd/amd_iommu_types.h | 1 + drivers/iommu/amd/init.c | 9 +- drivers/iommu/amd/io_pgtable.c | 25 ++- drivers/iommu/intel/iommu.c | 7 +- drivers/iommu/s390-iommu.c | 29 +++- drivers/md/dm-raid.c | 6 +- drivers/md/dm-stripe.c | 10 +- drivers/mmc/host/mvsdio.c | 2 +- drivers/mmc/host/sdhci-pci-gli.c | 68 +++++++- drivers/mmc/host/sdhci-uhs2.c | 3 +- drivers/mmc/host/sdhci.c | 34 ++-- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/broadcom/cnic.c | 3 +- .../net/ethernet/cavium/liquidio/request_manager.c | 2 +- .../net/ethernet/freescale/dpaa2/dpaa2-switch.c | 2 +- drivers/net/ethernet/intel/i40e/i40e_txrx.c | 3 - drivers/net/ethernet/intel/ice/ice_txrx.c | 80 ++++----- drivers/net/ethernet/intel/ice/ice_txrx.h | 1 - drivers/net/ethernet/intel/igc/igc.h | 1 + drivers/net/ethernet/intel/igc/igc_main.c | 12 +- drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 22 +-- .../net/ethernet/marvell/octeon_ep/octep_main.c | 16 ++ .../ethernet/marvell/octeon_ep/octep_pfvf_mbox.c | 3 + .../net/ethernet/marvell/octeontx2/nic/otx2_ptp.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/en/fs.h | 1 + .../ethernet/mellanox/mlx5/core/en_accel/ipsec.h | 1 + .../mellanox/mlx5/core/en_accel/ipsec_fs.c | 3 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 - drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 27 ++- drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h | 15 +- drivers/net/ethernet/mellanox/mlx5/core/port.c | 6 +- drivers/net/ethernet/natsemi/ns83820.c | 13 +- drivers/net/ethernet/qlogic/qed/qed_debug.c | 7 +- drivers/net/wireless/mediatek/mt76/mac80211.c | 2 +- drivers/net/wireless/microchip/wilc1000/wlan_cfg.c | 39 +++-- drivers/net/wireless/microchip/wilc1000/wlan_cfg.h | 5 +- drivers/nvme/host/core.c | 18 +- drivers/pcmcia/omap_cf.c | 8 +- drivers/platform/x86/asus-nb-wmi.c | 25 ++- drivers/platform/x86/asus-wmi.h | 3 +- drivers/power/supply/bq27xxx_battery.c | 4 +- fs/btrfs/delayed-inode.c | 3 - fs/btrfs/inode.c | 11 +- fs/btrfs/tree-checker.c | 4 +- fs/btrfs/tree-log.c | 2 +- fs/btrfs/zoned.c | 2 +- fs/nilfs2/sysfs.c | 4 +- fs/nilfs2/sysfs.h | 8 +- fs/smb/client/cifsproto.h | 4 +- fs/smb/client/inode.c | 23 ++- fs/smb/client/misc.c | 36 ++-- fs/smb/client/smbdirect.c | 132 +++++++++------ fs/smb/client/smbdirect.h | 23 --- fs/smb/common/smbdirect/smbdirect_socket.h | 29 ++++ fs/smb/server/transport_rdma.c | 185 ++++++++++++++------- include/crypto/if_alg.h | 10 +- include/linux/io_uring_types.h | 3 - include/linux/mlx5/driver.h | 1 + include/linux/swap.h | 10 ++ include/net/dst_metadata.h | 11 +- include/net/sock.h | 5 +- include/sound/sdca.h | 1 + include/uapi/linux/mptcp.h | 2 + include/uapi/linux/mptcp_pm.h | 4 +- io_uring/io-wq.c | 6 +- io_uring/io_uring.c | 10 +- io_uring/io_uring.h | 4 +- io_uring/msg_ring.c | 24 +-- io_uring/notif.c | 2 +- io_uring/poll.c | 2 +- io_uring/timeout.c | 2 +- io_uring/uring_cmd.c | 2 +- kernel/cgroup/cgroup.c | 43 ++++- kernel/sched/ext.c | 6 +- mm/gup.c | 52 ++++-- mm/mlock.c | 6 +- mm/swap.c | 50 +++--- mm/vmscan.c | 2 +- net/ipv4/tcp.c | 5 + net/ipv4/tcp_ao.c | 4 +- net/mac80211/driver-ops.h | 2 +- net/mac80211/main.c | 7 +- net/mptcp/options.c | 6 +- net/mptcp/pm_netlink.c | 7 + net/mptcp/protocol.c | 16 ++ net/mptcp/subflow.c | 4 + net/rds/ib_frmr.c | 20 ++- net/rfkill/rfkill-gpio.c | 4 +- net/rxrpc/rxgk.c | 18 +- net/rxrpc/rxgk_app.c | 29 +++- net/rxrpc/rxgk_common.h | 14 +- net/tls/tls.h | 1 + net/tls/tls_strp.c | 14 +- net/tls/tls_sw.c | 3 +- samples/damon/mtier.c | 25 +-- samples/damon/prcl.c | 31 +++- samples/damon/wsse.c | 22 +-- sound/firewire/motu/motu-hwdep.c | 2 +- sound/pci/hda/patch_realtek.c | 1 + sound/soc/amd/acp/acp-i2s.c | 11 +- sound/soc/codecs/sma1307.c | 7 +- sound/soc/codecs/wm8940.c | 9 +- sound/soc/codecs/wm8974.c | 8 +- sound/soc/intel/catpt/pcm.c | 23 ++- sound/soc/qcom/qdsp6/audioreach.c | 1 + sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 7 +- sound/soc/sdca/sdca_device.c | 20 +++ sound/soc/sdca/sdca_functions.c | 13 +- sound/soc/sdca/sdca_regmap.c | 2 +- sound/soc/sof/intel/hda-stream.c | 2 +- sound/usb/qcom/qc_audio_offload.c | 92 +++++----- tools/arch/loongarch/include/asm/inst.h | 12 ++ tools/objtool/arch/loongarch/decode.c | 33 +++- tools/perf/util/maps.c | 9 +- tools/testing/selftests/net/mptcp/mptcp_connect.c | 11 +- tools/testing/selftests/net/mptcp/mptcp_sockopt.c | 16 +- tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 7 + tools/testing/selftests/net/mptcp/userspace_pm.sh | 14 +- 169 files changed, 1797 insertions(+), 824 deletions(-)

1 week, 1 day

17
165
0 0

[PATCH 2/3] media: mediatek: mdp: fix device leak on probe

by Johan Hovold

Make sure to drop the reference taken when looking up the VPU firmware device during probe on probe failure (e.g. probe deferral) and on driver unbind. Fixes: c8eb2d7e8202 ("[media] media: Add Mediatek MDP Driver") Cc: stable(a)vger.kernel.org # 4.10 Cc: Minghsiu Tsai <minghsiu.tsai(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/media/platform/mediatek/mdp/mtk_mdp_core.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/media/platform/mediatek/mdp/mtk_mdp_core.c b/drivers/media/platform/mediatek/mdp/mtk_mdp_core.c index 80fdc6ff57e0..5c7dcf4090f4 100644 --- a/drivers/media/platform/mediatek/mdp/mtk_mdp_core.c +++ b/drivers/media/platform/mediatek/mdp/mtk_mdp_core.c @@ -198,7 +198,7 @@ static int mtk_mdp_probe(struct platform_device *pdev) VPU_RST_MDP); if (ret) { dev_err(&pdev->dev, "Failed to register reset handler\n"); - goto err_m2m_register; + goto err_put_vpu; } platform_set_drvdata(pdev, mdp); @@ -206,7 +206,7 @@ static int mtk_mdp_probe(struct platform_device *pdev) ret = vb2_dma_contig_set_max_seg_size(&pdev->dev, DMA_BIT_MASK(32)); if (ret) { dev_err(&pdev->dev, "Failed to set vb2 dma mag seg size\n"); - goto err_m2m_register; + goto err_put_vpu; } pm_runtime_enable(dev); @@ -214,6 +214,8 @@ static int mtk_mdp_probe(struct platform_device *pdev) return 0; +err_put_vpu: + put_device(&mdp->vpu_dev->dev); err_m2m_register: v4l2_device_unregister(&mdp->v4l2_dev); @@ -241,6 +243,7 @@ static void mtk_mdp_remove(struct platform_device *pdev) struct mtk_mdp_comp *comp, *comp_temp; pm_runtime_disable(&pdev->dev); + put_device(&mdp->vpu_dev->dev); vb2_dma_contig_clear_max_seg_size(&pdev->dev); mtk_mdp_unregister_m2m_device(mdp); v4l2_device_unregister(&mdp->v4l2_dev); -- 2.49.1

1 week, 1 day

1
0
0 0

[PATCH 1/3] media: mediatek: vcodec: fix device leak on codec init

by Johan Hovold

Make sure to drop the reference taken when looking up the VPU firmware device during codec init on probe failure (e.g. probe deferral) and on driver unbind. Fixes: 590577a4e525 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Decoder Driver") Fixes: 4e855a6efa54 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Encoder Driver") Cc: stable(a)vger.kernel.org # 4.8 Cc: Tiffany Lin <tiffany.lin(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- .../mediatek/vcodec/common/mtk_vcodec_fw_vpu.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c b/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c index d7027d600208..9237738d7632 100644 --- a/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c +++ b/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c @@ -83,12 +83,20 @@ static const struct mtk_vcodec_fw_ops mtk_vcodec_vpu_msg = { .release = mtk_vcodec_vpu_release, }; +static void mtk_vcodec_vpu_put_device(void *_dev) +{ + struct device *dev = _dev; + + put_device(dev); +} + struct mtk_vcodec_fw *mtk_vcodec_fw_vpu_init(void *priv, enum mtk_vcodec_fw_use fw_use) { struct platform_device *fw_pdev; struct platform_device *plat_dev; struct mtk_vcodec_fw *fw; enum rst_id rst_id; + int ret; if (fw_use == ENCODER) { struct mtk_vcodec_enc_dev *enc_dev = priv; @@ -111,6 +119,11 @@ struct mtk_vcodec_fw *mtk_vcodec_fw_vpu_init(void *priv, enum mtk_vcodec_fw_use return ERR_PTR(-EINVAL); } + ret = devm_add_action_or_reset(&plat_dev->dev, mtk_vcodec_vpu_put_device, + &fw_pdev->dev); + if (ret) + return ERR_PTR(ret); + if (fw_use == DECODER) vpu_wdt_reg_handler(fw_pdev, mtk_vcodec_vpu_reset_dec_handler, priv, rst_id); else -- 2.49.1

1 week, 1 day

1
0
0 0

[PATCH 6.12.y 1/3] drm/sched: Optimise drm_sched_entity_push_job

by Jules Maselbas

From: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> commit d42a254633c773921884a19e8a1a0f53a31150c3 upstream. In FIFO mode (which is the default), both drm_sched_entity_push_job() and drm_sched_rq_update_fifo(), where the latter calls the former, are currently taking and releasing the same entity->rq_lock. We can avoid that design inelegance, and also have a miniscule efficiency improvement on the submit from idle path, by introducing a new drm_sched_rq_update_fifo_locked() helper and pulling up the lock taking to its callers. v2: * Remove drm_sched_rq_update_fifo() altogether. (Christian) v3: * Improved commit message. (Philipp) Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Cc: Christian König <christian.koenig(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: Luben Tuikov <ltuikov89(a)gmail.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: Philipp Stanner <pstanner(a)redhat.com> Reviewed-by: Christian König <christian.koenig(a)amd.com> Signed-off-by: Philipp Stanner <pstanner(a)redhat.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241016122013.7857-2-tursuli… (cherry picked from commit d42a254633c773921884a19e8a1a0f53a31150c3) Signed-off-by: Jules Maselbas <jmaselbas(a)zdiv.net> --- drivers/gpu/drm/scheduler/sched_entity.c | 13 +++++++++---- drivers/gpu/drm/scheduler/sched_main.c | 6 +++--- include/drm/gpu_scheduler.h | 2 +- 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/drivers/gpu/drm/scheduler/sched_entity.c b/drivers/gpu/drm/scheduler/sched_entity.c index 3e75fc1f6607..9dbae7b08bc9 100644 --- a/drivers/gpu/drm/scheduler/sched_entity.c +++ b/drivers/gpu/drm/scheduler/sched_entity.c @@ -505,8 +505,12 @@ struct drm_sched_job *drm_sched_entity_pop_job(struct drm_sched_entity *entity) struct drm_sched_job *next; next = to_drm_sched_job(spsc_queue_peek(&entity->job_queue)); - if (next) - drm_sched_rq_update_fifo(entity, next->submit_ts); + if (next) { + spin_lock(&entity->rq_lock); + drm_sched_rq_update_fifo_locked(entity, + next->submit_ts); + spin_unlock(&entity->rq_lock); + } } /* Jobs and entities might have different lifecycles. Since we're @@ -606,10 +610,11 @@ void drm_sched_entity_push_job(struct drm_sched_job *sched_job) sched = rq->sched; drm_sched_rq_add_entity(rq, entity); - spin_unlock(&entity->rq_lock); if (drm_sched_policy == DRM_SCHED_POLICY_FIFO) - drm_sched_rq_update_fifo(entity, submit_ts); + drm_sched_rq_update_fifo_locked(entity, submit_ts); + + spin_unlock(&entity->rq_lock); drm_sched_wakeup(sched); } diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c index 416590ea0dc3..3609d5a8fecd 100644 --- a/drivers/gpu/drm/scheduler/sched_main.c +++ b/drivers/gpu/drm/scheduler/sched_main.c @@ -169,14 +169,15 @@ static inline void drm_sched_rq_remove_fifo_locked(struct drm_sched_entity *enti } } -void drm_sched_rq_update_fifo(struct drm_sched_entity *entity, ktime_t ts) +void drm_sched_rq_update_fifo_locked(struct drm_sched_entity *entity, ktime_t ts) { /* * Both locks need to be grabbed, one to protect from entity->rq change * for entity from within concurrent drm_sched_entity_select_rq and the * other to update the rb tree structure. */ - spin_lock(&entity->rq_lock); + lockdep_assert_held(&entity->rq_lock); + spin_lock(&entity->rq->lock); drm_sched_rq_remove_fifo_locked(entity); @@ -187,7 +188,6 @@ void drm_sched_rq_update_fifo(struct drm_sched_entity *entity, ktime_t ts) drm_sched_entity_compare_before); spin_unlock(&entity->rq->lock); - spin_unlock(&entity->rq_lock); } /** diff --git a/include/drm/gpu_scheduler.h b/include/drm/gpu_scheduler.h index 9c437a057e5d..346a3c261b43 100644 --- a/include/drm/gpu_scheduler.h +++ b/include/drm/gpu_scheduler.h @@ -593,7 +593,7 @@ void drm_sched_rq_add_entity(struct drm_sched_rq *rq, void drm_sched_rq_remove_entity(struct drm_sched_rq *rq, struct drm_sched_entity *entity); -void drm_sched_rq_update_fifo(struct drm_sched_entity *entity, ktime_t ts); +void drm_sched_rq_update_fifo_locked(struct drm_sched_entity *entity, ktime_t ts); int drm_sched_entity_init(struct drm_sched_entity *entity, enum drm_sched_priority priority, -- 2.51.0

1 week, 1 day

4
11
0 0

[PATCH v2] comedi: fix divide-by-zero in comedi_buf_munge()

by Deepanshu Kartikey

The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path. Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging. This prevents potential kernel panics from malformed user commands. Reported-by: syzbot+f6c3c066162d2c43a66c(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=f6c3c066162d2c43a66c Cc: stable(a)vger.kernel.org Signed-off-by: Deepanshu Kartikey <kartikey406(a)gmail.com> --- v2: Merged the chanlist_len check with existing early return check as suggested by Ian Abbott --- drivers/comedi/comedi_buf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/comedi/comedi_buf.c b/drivers/comedi/comedi_buf.c index 002c0e76baff..c7c262a2d8ca 100644 --- a/drivers/comedi/comedi_buf.c +++ b/drivers/comedi/comedi_buf.c @@ -317,7 +317,7 @@ static unsigned int comedi_buf_munge(struct comedi_subdevice *s, unsigned int count = 0; const unsigned int num_sample_bytes = comedi_bytes_per_sample(s); - if (!s->munge || (async->cmd.flags & CMDF_RAWDATA)) { + if (!s->munge || (async->cmd.flags & CMDF_RAWDATA) || async->cmd.chanlist_len == 0) { async->munge_count += num_bytes; return num_bytes; } -- 2.43.0

1 week, 1 day

2
1
0 0

دعوة لنشر الأبحاث والمقالات العلمية

by journal

###**🌟 فرصتك للنشر في مجلات علمية محكمة دوليًا – دعوة مفتوحة للباحثين والأكاديميين** **انضم إلى النخبة العلمية… وانشر أبحاثك معنا.** **انطلاقًا من إيماننا بأن البحث العلمي هو الركيزة الأساسية لنهضة المجتمعات وتقدمها،** يسر*فكر للدراسات والتطوير* أن تتشرف بدعوتكم للنشر في مجلاتها العلمية المحكمة، التي تمثل منبرًا أكاديميًا رصينًا لاحتضان الأفكار الأصيلة، والمشاريع البحثية الجادة، والرؤى التي تسهم في إنتاج معرفة تطبيقية تخدم قضايا الإنسان والمجتمع. إن دعوتنا هذه تأتي ضمن رؤيتنا في تمكين الباحثين والكتّاب في العالم العربي والإسلامي من إيصال أبحاثهم إلى أوسع نطاق، والمساهمة الفاعلة في الحراك العلمي محليًا ودوليًا، عبر منصات نشر معتمدة وموثوقة. ➡️ **قدّم مخطوطتك الآن:** [https://7m8ue.r.ag.d.sendibm3.com/mk/cl/f/sh/WCPzyXJTZ7nvI8YYc4qB1knr1PmTmi… ####عامل تأثير عربي=2.7 مجلة ريحان للنشر العلمي ----------------------- (Rihan Journal for Scientific Publishing) ###$50 *مجلة علمية دولية، محكّمة، شهرية، مفتوحة الوصول، تصدر عن مركز فكر للدراسات والتطوير.* رقم التسلسل المعياري الدولي: **ISSN-E: 2709-2097** تستقبل المجلة الأبحاث والمقالات العلمية بثلاث لغات: **العربية، الإنجليزية، والتركية**، في مختلف التخصصات، وتخضع جميع المواد المقدمة لعملية تحكيم علمي صارمة، تضمن جودة المحتوى وموثوقيته الأكاديمية. ####عامل تأثير عربي=1.7 مجلة ايبرس للنشر الطبي ---------------------- ###$50 *مجلة علمية دولية، محكّمة، فصلية، مفتوحة الوصول، تصدر عن مركز فكر للدراسات والتطوير.* رقم التسلسل المعياري الدولي: **ISSN-E: 2959-5371** تأسست مجلة إيبرس للنشر الطبي عام 2022، لتكون منصة علمية رصينة في مجال العلوم الطبية والصحية، ووجهة موثوقة للباحثين والطلبة وأعضاء الهيئات التدريسية والأكاديميين لنشر أبحاثهم الأصيلة، ومراجعاتهم العلمية، ومشاركتهم في تطوير المعرفة الطبية الحديثة. تستقبل المجلة الدراسات والأبحاث باللغة **العربية، الإنجليزية، والتركية**، وتخضع جميع المواد لعملية تحكيم علمي دقيقة، وفق أعلى المعايير الأكاديمية الدولية. مجلة طُوى للعلوم الاجتماعية --------------------------- ###$50 *مجلة علمية دولية، محكّمة، فصلية، مفتوحة الوصول، تصدر عن مركز فكر للدراسات والتطوير.* رقم التسلسل المعياري الدولي: **ISSN: 3104-7211** **مجلة طُوى** هي منصة أكاديمية تُعنى بنشر البحوث والدراسات الأصيلة في **مجالات العلوم الاجتماعية المتداخلة**، بما يسهم في إنتاج معرفة تحليلية معمقة حول قضايا الإنسان والمجتمع. تلتزم المجلة بمعايير **التحكيم العلمي الرصين**، وتُرحّب بالأعمال المقدّمة باللغات: **العربية، الإنجليزية، والتركية**. جاء اختيار اسم "طُوى" استلهامًا من **الوادي المقدّس طُوى**، تعبيرًا عن قدسية المعرفة، وإيمانًا بأن الفكر العلمي رسالة إنسانية لا تقل أثرًا وعمقًا عن أي رسالة تغيير أو بناء مجتمعي. مجلة زنوبيا لدراسات المرأة والطفل والاسرة ----------------------------------------- ###$50 *مجلة علمية دولية، محكّمة، فصلية، مفتوحة الوصول، تصدر عن مركز فكر للدراسات والتطوير* بالتعاون مع **المنتدى الثقافي النسائي السوري** رقم التسلسل المعياري الدولي: **ISSN: 3104-7874** تُعنى **مجلة زنوبيا** بنشر البحوث والدراسات الأكاديمية التي تتناول قضايا **المرأة، والطفل، والأسرة** من زوايا علمية، اجتماعية، وثقافية متعددة، مع التركيز على التحديات والتحولات المعاصرة التي تمس هذه الفئات داخل السياقات العربية والعالمية. وتوفّر المجلة منبرًا أكاديميًا موثوقًا يعزز التفكير النقدي والتحليل العلمي البنّاء، ويسعى لإبراز التجارب والرؤى التي تدعم التمكين المجتمعي. مجلة زكا للعلوم المالية والاقتصادية والإدارية --------------------------------------------- ###$50 *مجلة علمية دولية، محكّمة، فصلية، مفتوحة الوصول، تصدر عن مركز فكر للدراسات والتطوير.* رقم التسلسل المعياري الدولي **ISSN: 3104-7289** تُعنى **مجلة زكا** بنشر أبحاث علمية أصيلة وعالية الجودة في مجالات: **إدارة الأعمال، الاقتصاد، المحاسبة، العلوم المالية، التسويق، الاقتصاد الإسلامي، الإدارة العامة، والتمويل**. وتمثل المجلة منصة أكاديمية رصينة تستهدف الباحثين، الأكاديميين، وطلبة الدراسات العليا في التخصصات المالية والإدارية، وتسعى إلى الإسهام الفعّال في تطوير المعرفة الاقتصادية والإدارية، وفقًا لأحدث المعايير العلمية والمنهجيات البحثية الحديثة. مجلة روح للعلوم الإنسانية ------------------------- ###$50 **(RUH Journal of Humanities)** *مجلة علمية دولية، محكّمة، فصلية، مفتوحة الوصول، تصدر عن مركز فكر للدراسات والتطوير.* رقم التسلسل المعياري الدولي: **ISSN: 3105-2436** تهدف **مجلة روح للعلوم الإنسانية** إلى نشر الأبحاث العلمية المتميزة في مختلف مجالات العلوم الإنسانية، وتعزيز الفكر الأكاديمي والنقاش العلمي المتخصص في القضايا الإنسانية المعاصرة على المستويين العربي والعالمي. تُعد المجلة منصة أكاديمية رصينة تجمع الباحثين من تخصصات متعددة لتبادل المعرفة، وتحفيز الدراسات الرصينة ذات الأثر المجتمعي والثقافي، وتوسيع دائرة الحوار العلمي حول الإنسان والمجتمع. جاء اختيار اسم **"روح"** ليعكس جوهر العلوم الإنسانية، التي تنطلق من فهم الإنسان: مشاعره، ثقافته، سلوكه، وتاريخه. تشير الكلمة إلى **العنصر الحيوي** الذي يمنح الإنسان والمجتمع معناهما، مما يرسّخ رؤية المجلة في أن **العلوم الإنسانية هي الروح النابضة لفهم المجتمعات وتطورها**. دعوة للتبرع ------------ ###$10 ###🎓 ساهم في نهضة العلم في سوريا – كن جزءًا من التغيير الحقيقي! إذا كنت تؤمن بقوة المعرفة وأهمية دعم البحث العلمي في سوريا، فقد حان الوقت لتشارك في صناعة الأمل. **تبرعك اليوم لا يُقدَّر بثمن…** إنه استثمار في العقول، وفي جيل جديد من الباحثين والمفكرين الذين يسعون لإعادة بناء المجتمع على أسس علمية وإنسانية. 📢 **ساهم في صناعة الأمل… تبرعك اليوم يصنع فرقاً حقيقياً غداً!** المؤتمرات العلمية ----------------- ###$100 ###🏛️ **مركز فكر للمؤتمرات العلمية** **مركز فكر للمؤتمرات العلمية** هو أحد برامج مركز فكر للدراسات والتطوير، يُعنى بتنظيم المؤتمرات والملتقيات العلمية المتخصصة، بهدف دعم البحث الأكاديمي وتوسيع دائرة الحوار المعرفي حول القضايا المعاصرة التي تهم المجتمعات العربية والعالمية. ينطلق المركز من رؤية تؤمن بأن **المؤتمر العلمي ليس مجرد حدث أكاديمي، بل هو منصة استراتيجية لإنتاج المعرفة، وتبادل الخبرات، وصياغة حلول مستندة إلى البحث العلمي**. ###📚 **مجالات المؤتمرات:** العلوم الإنسانية والاجتماعية العلوم الطبية والصحية الدراسات الاقتصادية والمالية دراسات المرأة والطفل والأسرة البيئة والتنمية المستدامة التكنولوجيا والتحول الرقمي التعليم والتربية **مع خالص الشكر والتقدير،** ============================ **نثمّن وقتكم واهتمامكم، ونتطلع إلى تعاون مثمر يجمعنا في خدمة البحث العلمي والمجتمع.** ====================================================================================== **نؤمن أن العمل المشترك هو مفتاح التغيير الحقيقي، ونرحّب بكم دائمًا ضمن شبكتنا العلمية والمجتمعية.** ==================================================================================================== ➡️ **قدّم مخطوطتك الآن:** [https://forms.gle/g7McfPrkaYYDFC2N6](https://forms.gle/g7McfPrkaYYDFC2N6) Maria Abdel Rahim [pr@rjsp.org](mailto:ahmet@rjsp.org) rihanjournal(a)gmail.com [00905306359001](https://) gazimuhtarpas 29600,gazantap [Unsubscribe](https://7m8ue.r.ag.d.sendibm3.com/mk/un/v2/sh/7nVTPdbLJ2bPbEmD…

1 week, 1 day

1
0
0 0

[PATCH 1/1] mm/thp: fix MTE tag mismatch when replacing zero-filled subpages

by Lance Yang

From: Lance Yang <lance.yang(a)linux.dev> When both THP and MTE are enabled, splitting a THP and replacing its zero-filled subpages with the shared zeropage can cause MTE tag mismatch faults in userspace. Remapping zero-filled subpages to the shared zeropage is unsafe, as the zeropage has a fixed tag of zero, which may not match the tag expected by the userspace pointer. KSM already avoids this problem by using memcmp_pages(), which on arm64 intentionally reports MTE-tagged pages as non-identical to prevent unsafe merging. As suggested by David[1], this patch adopts the same pattern, replacing the memchr_inv() byte-level check with a call to pages_identical(). This leverages existing architecture-specific logic to determine if a page is truly identical to the shared zeropage. Having both the THP shrinker and KSM rely on pages_identical() makes the design more future-proof, IMO. Instead of handling quirks in generic code, we just let the architecture decide what makes two pages identical. [1] https://lore.kernel.org/all/ca2106a3-4bb2-4457-81af-301fd99fbef4@redhat.com Cc: <stable(a)vger.kernel.org> Reported-by: Qun-wei Lin <Qun-wei.Lin(a)mediatek.com> Closes: https://lore.kernel.org/all/a7944523fcc3634607691c35311a5d59d1a3f8d4.camel@… Fixes: b1f202060afe ("mm: remap unused subpages to shared zeropage when splitting isolated thp") Suggested-by: David Hildenbrand <david(a)redhat.com> Signed-off-by: Lance Yang <lance.yang(a)linux.dev> --- Tested on x86_64 and on QEMU for arm64 (with and without MTE support), and the fix works as expected. mm/huge_memory.c | 15 +++------------ mm/migrate.c | 8 +------- 2 files changed, 4 insertions(+), 19 deletions(-) diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 32e0ec2dde36..28d4b02a1aa5 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -4104,29 +4104,20 @@ static unsigned long deferred_split_count(struct shrinker *shrink, static bool thp_underused(struct folio *folio) { int num_zero_pages = 0, num_filled_pages = 0; - void *kaddr; int i; for (i = 0; i < folio_nr_pages(folio); i++) { - kaddr = kmap_local_folio(folio, i * PAGE_SIZE); - if (!memchr_inv(kaddr, 0, PAGE_SIZE)) { - num_zero_pages++; - if (num_zero_pages > khugepaged_max_ptes_none) { - kunmap_local(kaddr); + if (pages_identical(folio_page(folio, i), ZERO_PAGE(0))) { + if (++num_zero_pages > khugepaged_max_ptes_none) return true; - } } else { /* * Another path for early exit once the number * of non-zero filled pages exceeds threshold. */ - num_filled_pages++; - if (num_filled_pages >= HPAGE_PMD_NR - khugepaged_max_ptes_none) { - kunmap_local(kaddr); + if (++num_filled_pages >= HPAGE_PMD_NR - khugepaged_max_ptes_none) return false; - } } - kunmap_local(kaddr); } return false; } diff --git a/mm/migrate.c b/mm/migrate.c index aee61a980374..ce83c2c3c287 100644 --- a/mm/migrate.c +++ b/mm/migrate.c @@ -300,9 +300,7 @@ static bool try_to_map_unused_to_zeropage(struct page_vma_mapped_walk *pvmw, unsigned long idx) { struct page *page = folio_page(folio, idx); - bool contains_data; pte_t newpte; - void *addr; if (PageCompound(page)) return false; @@ -319,11 +317,7 @@ static bool try_to_map_unused_to_zeropage(struct page_vma_mapped_walk *pvmw, * this subpage has been non present. If the subpage is only zero-filled * then map it to the shared zeropage. */ - addr = kmap_local_page(page); - contains_data = memchr_inv(addr, 0, PAGE_SIZE); - kunmap_local(addr); - - if (contains_data) + if (!pages_identical(page, ZERO_PAGE(0))) return false; newpte = pte_mkspecial(pfn_pte(my_zero_pfn(pvmw->address), -- 2.49.0

1 week, 1 day

6
21
0 0

Check this out at Amazon

by Votre Expert

THE HOUSEMAID UNDER CONTRACT https://rb.gy/2xfnv3

1 week, 1 day

1
0
0 0

Undelivered Mail Returned to Sender

by MAILER-DAEMON＠zihnyunrui.com

This is the mail system at host zihnyunrui.com. I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below. For further assistance, please send mail to postmaster. If you do so, please include this problem report. You can delete your own text from the attached returned message. The mail system <linux-stable-mirror(a)lists.linaro.org>: host lists.linaro.org[3.208.193.21] said: 554 5.7.1 Spam message rejected (in reply to end of DATA command)

1 week, 1 day

1
0
0 0

[PATCH] comedi: fix divide-by-zero in comedi_buf_munge()

by Deepanshu Kartikey

The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path. Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging. This prevents potential kernel panics from malformed user commands. Reported-by: syzbot+f6c3c066162d2c43a66c(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=f6c3c066162d2c43a66c Cc: stable(a)vger.kernel.org Signed-off-by: Deepanshu Kartikey <kartikey406(a)gmail.com> --- drivers/comedi/comedi_buf.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/comedi/comedi_buf.c b/drivers/comedi/comedi_buf.c index 002c0e76baff..786f888299ce 100644 --- a/drivers/comedi/comedi_buf.c +++ b/drivers/comedi/comedi_buf.c @@ -321,6 +321,11 @@ static unsigned int comedi_buf_munge(struct comedi_subdevice *s, async->munge_count += num_bytes; return num_bytes; } + + if (async->cmd.chanlist_len == 0) { + async->munge_count += num_bytes; + return num_bytes; + } /* don't munge partial samples */ num_bytes -= num_bytes % num_sample_bytes; -- 2.43.0

1 week, 1 day

2
1
0 0

[PATCH v4] arch_topology: Fix incorrect error check in topology_parse_cpu_capacity()

by Kaushlendra Kumar

Fix incorrect use of PTR_ERR_OR_ZERO() in topology_parse_cpu_capacity() which causes the code to proceed with NULL clock pointers. The current logic uses !PTR_ERR_OR_ZERO(cpu_clk) which evaluates to true for both valid pointers and NULL, leading to potential NULL pointer dereference in clk_get_rate(). Per include/linux/err.h documentation, PTR_ERR_OR_ZERO(ptr) returns: "The error code within @ptr if it is an error pointer; 0 otherwise." This means PTR_ERR_OR_ZERO() returns 0 for both valid pointers AND NULL pointers. Therefore !PTR_ERR_OR_ZERO(cpu_clk) evaluates to true (proceed) when cpu_clk is either valid or NULL, causing clk_get_rate(NULL) to be called when of_clk_get() returns NULL. Replace with !IS_ERR_OR_NULL(cpu_clk) which only proceeds for valid pointers, preventing potential NULL pointer dereference in clk_get_rate(). Fixes: b8fe128dad8f ("arch_topology: Adjust initial CPU capacities with current freq") Cc: stable(a)vger.kernel.org Signed-off-by: Kaushlendra Kumar <kaushlendra.kumar(a)intel.com> --- Changes in v4: - recipient list adjustment as per kernel patch review process Changes in v3: - Used accurate "function call properties" terminology in commit description (suggested by Markus Elfring) - Added stable backport justification - Removed duplicate marker line per kernel documentation Changes in v2: - Refined description based on documented macro properties (suggested by Markus Elfring) - Added proper Fixes drivers/base/arch_topology.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/base/arch_topology.c b/drivers/base/arch_topology.c index 1037169abb45..e1eff05bea4a 100644 --- a/drivers/base/arch_topology.c +++ b/drivers/base/arch_topology.c @@ -292,7 +292,7 @@ bool __init topology_parse_cpu_capacity(struct device_node *cpu_node, int cpu) * frequency (by keeping the initial capacity_freq_ref value). */ cpu_clk = of_clk_get(cpu_node, 0); - if (!PTR_ERR_OR_ZERO(cpu_clk)) { + if (!IS_ERR_OR_NULL(cpu_clk)) { per_cpu(capacity_freq_ref, cpu) = clk_get_rate(cpu_clk) / HZ_PER_KHZ; clk_put(cpu_clk); -- 2.34.1

1 week, 1 day

2
1
0 0

[PATCH v3] arch_topology: Fix incorrect error check in topology_parse_cpu_capacity()

by Kaushlendra Kumar

Fix incorrect use of PTR_ERR_OR_ZERO() in topology_parse_cpu_capacity() which causes the code to proceed with NULL clock pointers. The current logic uses !PTR_ERR_OR_ZERO(cpu_clk) which evaluates to true for both valid pointers and NULL, leading to potential NULL pointer dereference in clk_get_rate(). Per include/linux/err.h documentation, PTR_ERR_OR_ZERO(ptr) returns: "The error code within @ptr if it is an error pointer; 0 otherwise." This means PTR_ERR_OR_ZERO() returns 0 for both valid pointers AND NULL pointers. Therefore !PTR_ERR_OR_ZERO(cpu_clk) evaluates to true (proceed) when cpu_clk is either valid or NULL, causing clk_get_rate(NULL) to be called when of_clk_get() returns NULL. Replace with !IS_ERR_OR_NULL(cpu_clk) which only proceeds for valid pointers, preventing potential NULL pointer dereference in clk_get_rate(). Fixes: b8fe128dad8f ("arch_topology: Adjust initial CPU capacities with current freq") Cc: stable(a)vger.kernel.org Signed-off-by: Kaushlendra Kumar <kaushlendra.kumar(a)intel.com> --- Changes in v3: - Used accurate "function call properties" terminology in commit description (suggested by Markus Elfring) - Added stable backport justification - Removed duplicate marker line per kernel documentation Changes in v2: - Refined description based on documented macro properties (suggested by Markus Elfring) - Added proper Fixes drivers/base/arch_topology.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/base/arch_topology.c b/drivers/base/arch_topology.c index 1037169abb45..e1eff05bea4a 100644 --- a/drivers/base/arch_topology.c +++ b/drivers/base/arch_topology.c @@ -292,7 +292,7 @@ bool __init topology_parse_cpu_capacity(struct device_node *cpu_node, int cpu) * frequency (by keeping the initial capacity_freq_ref value). */ cpu_clk = of_clk_get(cpu_node, 0); - if (!PTR_ERR_OR_ZERO(cpu_clk)) { + if (!IS_ERR_OR_NULL(cpu_clk)) { per_cpu(capacity_freq_ref, cpu) = clk_get_rate(cpu_clk) / HZ_PER_KHZ; clk_put(cpu_clk); -- 2.34.1

1 week, 1 day

3
3
0 0

[PATCH 6.6 00/70] 6.6.108-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.108 release. There are 70 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 24 Sep 2025 19:23:52 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.108-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.108-rc1 Eric Hagberg <ehagberg(a)janestreet.com> Revert "loop: Avoid updating block size under exclusive owner" Linus Torvalds <torvalds(a)linux-foundation.org> minmax: add a few more MIN_T/MAX_T users Linus Torvalds <torvalds(a)linux-foundation.org> minmax: simplify and clarify min_t()/max_t() implementation Linus Torvalds <torvalds(a)linux-foundation.org> minmax: avoid overly complicated constant expressions in VM code Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: propagate shutdown to subflows when possible Bruno Thomsen <bruno.thomsen(a)gmail.com> rtc: pcf2127: fix SPI command byte for PCF2131 backport Vasant Hegde <vasant.hegde(a)amd.com> iommu/amd/pgtbl: Fix possible race while increase page table level Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: Fix full DbC transfer ring after several reconnects Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: decouple endpoint allocation from initialization Johan Hovold <johan(a)kernel.org> phy: ti: omap-usb2: fix device leak at unbind Rob Herring <robh(a)kernel.org> phy: Use device_get_match_data() Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: userspace pm: validate deny-join-id0 flag Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: nl: announce deny-join-id0 flag Sankararaman Jayaraman <sankararaman.jayaraman(a)broadcom.com> vmxnet3: unregister xdp rxq info in the reset path Stefan Metzmacher <metze(a)samba.org> smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path Herbert Xu <herbert(a)gondor.apana.org.au> crypto: af_alg - Set merge to zero early in af_alg_sendmsg Qi Xi <xiqi2(a)huawei.com> drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path Loic Poulain <loic.poulain(a)oss.qualcomm.com> drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ Colin Ian King <colin.i.king(a)gmail.com> ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8974: Correct PLL rate rounding Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8940: Correct typo in control name Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8940: Correct PLL rate rounding Jens Axboe <axboe(a)kernel.dk> io_uring: include dying ring in task_work "should cancel" state Jens Axboe <axboe(a)kernel.dk> io_uring: backport io_should_terminate_tw() Praful Adiga <praful.adiga(a)gmail.com> ALSA: hda/realtek: Fix mute led for HP Laptop 15-dw4xx Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: avoid spurious errors on TCP disconnect Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: connect: catch IO errors on listen side Håkon Bugge <haakon.bugge(a)oracle.com> rds: ib: Increment i_fastreg_wrs before bailing out Hans de Goede <hansg(a)kernel.org> net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Maciej S. Szmigiero <maciej.szmigiero(a)oracle.com> KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active Thomas Fourier <fourier.thomas(a)gmail.com> mmc: mvsdio: Fix dma_unmap_sg() nents value Mohammad Rafi Shaik <mohammad.rafi.shaik(a)oss.qualcomm.com> ASoC: qcom: q6apm-lpass-dais: Fix missing set_fmt DAI op for I2S Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed Mohammad Rafi Shaik <mohammad.rafi.shaik(a)oss.qualcomm.com> ASoC: qcom: audioreach: Fix lpaif_type configuration for the I2S interface Qu Wenruo <wqu(a)suse.com> btrfs: tree-checker: fix the incorrect inode ref size check Eugene Koira <eugkoira(a)amazon.com> iommu/vt-d: Fix __domain_mapping()'s usage of switch_to_super_page() Tao Cui <cuitao(a)kylinos.cn> LoongArch: Check the return value when creating kobj Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Align ACPI structures if ARCH_STRICT_ALIGN enabled Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Update help info of ARCH_STRICT_ALIGN H. Nikolaus Schaller <hns(a)goldelico.com> power: supply: bq27xxx: restrict no-battery detection to bq27000 H. Nikolaus Schaller <hns(a)goldelico.com> power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery Herbert Xu <herbert(a)gondor.apana.org.au> crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Nathan Chancellor <nathan(a)kernel.org> nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* Stefan Metzmacher <metze(a)samba.org> ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer Duoming Zhou <duoming(a)zju.edu.cn> octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp() Duoming Zhou <duoming(a)zju.edu.cn> cnic: Fix use-after-free bugs in cnic_delete_task Alexey Nepomnyashih <sdl(a)nppct.ru> net: liquidio: fix overflow in octeon_init_instr_queue() Tariq Toukan <tariqt(a)nvidia.com> Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" Jakub Kicinski <kuba(a)kernel.org> tls: make sure to abort the stream if headers are bogus Kuniyuki Iwashima <kuniyu(a)google.com> tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). Hangbin Liu <liuhangbin(a)gmail.com> bonding: don't set oif to bond dev when getting NS target destination Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Harden uplink netdev access against device unbind Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Consider aggregated port speed during rate configuration Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> i40e: remove redundant memory barrier when cleaning Tx descs Yeounsu Moon <yyyynoom(a)gmail.com> net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure Geliang Tang <tanggeliang(a)kylinos.cn> selftests: mptcp: sockopt: fix error messages Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: tfo: record 'deny join id0' info Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: set remote_deny_join_id0 on SYN recv Hangbin Liu <liuhangbin(a)gmail.com> bonding: set random address only when slaves already exist Jamie Bainbridge <jamie.bainbridge(a)gmail.com> qed: Don't collect too many protection override GRC elements Ioana Ciornei <ioana.ciornei(a)nxp.com> dpaa2-switch: fix buffer pool seeding for control traffic Miaoqian Lin <linmq006(a)gmail.com> um: virtio_uml: Fix use-after-free after put_device in probe Filipe Manana <fdmanana(a)suse.com> btrfs: fix invalid extref key setup when replaying dentry Chen Ridong <chenridong(a)huawei.com> cgroup: split cgroup_destroy_wq into 3 workqueues Geert Uytterhoeven <geert+renesas(a)glider.be> pcmcia: omap_cf: Mark driver struct with __refdata to prevent section mismatch Liao Yuanhong <liaoyuanhong(a)vivo.com> wifi: mac80211: fix incorrect type for ret Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: increase scan_ies_len for S1G Takashi Sakamoto <o-takashi(a)sakamocchi.jp> ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported Ajay.Kathat(a)microchip.com <Ajay.Kathat(a)microchip.com> wifi: wilc1000: avoid buffer overflow in WID string configuration ------------- Diffstat: Makefile | 4 +- arch/loongarch/Kconfig | 8 +- arch/loongarch/include/asm/acenv.h | 7 +- arch/loongarch/kernel/env.c | 2 + arch/um/drivers/virtio_uml.c | 6 +- arch/x86/kvm/svm/svm.c | 3 +- arch/x86/mm/pgtable.c | 2 +- crypto/af_alg.c | 10 ++- drivers/block/loop.c | 38 ++------- drivers/edac/sb_edac.c | 4 +- drivers/gpu/drm/bridge/analogix/anx7625.c | 6 +- .../gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 6 +- drivers/gpu/drm/drm_color_mgmt.c | 2 +- drivers/iommu/amd/amd_iommu_types.h | 1 + drivers/iommu/amd/io_pgtable.c | 26 +++++- drivers/iommu/intel/iommu.c | 7 +- drivers/md/dm-integrity.c | 6 +- drivers/mmc/host/mvsdio.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/broadcom/cnic.c | 3 +- .../net/ethernet/cavium/liquidio/request_manager.c | 2 +- .../net/ethernet/freescale/dpaa2/dpaa2-switch.c | 2 +- drivers/net/ethernet/intel/i40e/i40e_txrx.c | 3 - .../net/ethernet/marvell/octeontx2/nic/otx2_ptp.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 - drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 27 +++++-- drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 85 ++++++++++++++++--- drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h | 15 +++- drivers/net/ethernet/natsemi/ns83820.c | 13 ++- drivers/net/ethernet/qlogic/qed/qed_debug.c | 7 +- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- drivers/net/vmxnet3/vmxnet3_drv.c | 10 +-- drivers/net/wireless/microchip/wilc1000/wlan_cfg.c | 39 ++++++--- drivers/net/wireless/microchip/wilc1000/wlan_cfg.h | 5 +- drivers/pcmcia/omap_cf.c | 8 +- drivers/phy/broadcom/phy-bcm-ns-usb3.c | 9 +-- drivers/phy/marvell/phy-berlin-usb.c | 7 +- drivers/phy/ralink/phy-ralink-usb.c | 10 +-- drivers/phy/rockchip/phy-rockchip-pcie.c | 11 +-- drivers/phy/rockchip/phy-rockchip-usb.c | 10 +-- drivers/phy/ti/phy-omap-control.c | 9 +-- drivers/phy/ti/phy-omap-usb2.c | 24 ++++-- drivers/phy/ti/phy-ti-pipe3.c | 14 +--- drivers/power/supply/bq27xxx_battery.c | 4 +- drivers/rtc/rtc-pcf2127.c | 10 +-- drivers/usb/host/xhci-dbgcap.c | 94 +++++++++++++++------- fs/btrfs/tree-checker.c | 4 +- fs/btrfs/tree-log.c | 2 +- fs/nilfs2/sysfs.c | 4 +- fs/nilfs2/sysfs.h | 8 +- fs/smb/client/smbdirect.c | 4 +- fs/smb/server/transport_rdma.c | 26 ++++-- include/crypto/if_alg.h | 10 ++- include/linux/minmax.h | 26 ++++-- include/linux/mlx5/driver.h | 1 + include/linux/pageblock-flags.h | 2 +- include/uapi/linux/mptcp.h | 6 +- io_uring/io_uring.c | 7 +- io_uring/io_uring.h | 13 +++ io_uring/poll.c | 3 +- io_uring/timeout.c | 2 +- kernel/cgroup/cgroup.c | 43 ++++++++-- net/ipv4/proc.c | 2 +- net/ipv4/tcp.c | 5 ++ net/ipv6/proc.c | 2 +- net/mac80211/driver-ops.h | 2 +- net/mac80211/main.c | 7 +- net/mptcp/options.c | 6 +- net/mptcp/pm_netlink.c | 7 ++ net/mptcp/protocol.c | 16 ++++ net/mptcp/subflow.c | 4 + net/rds/ib_frmr.c | 20 +++-- net/rfkill/rfkill-gpio.c | 4 +- net/tls/tls.h | 1 + net/tls/tls_strp.c | 14 ++-- net/tls/tls_sw.c | 3 +- sound/firewire/motu/motu-hwdep.c | 2 +- sound/pci/hda/patch_realtek.c | 1 + sound/soc/codecs/wm8940.c | 9 ++- sound/soc/codecs/wm8974.c | 8 +- sound/soc/qcom/qdsp6/audioreach.c | 1 + sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 7 +- sound/soc/sof/intel/hda-stream.c | 2 +- tools/testing/selftests/net/mptcp/mptcp_connect.c | 11 +-- tools/testing/selftests/net/mptcp/mptcp_sockopt.c | 16 ++-- tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 7 ++ tools/testing/selftests/net/mptcp/userspace_pm.sh | 14 +++- 87 files changed, 601 insertions(+), 300 deletions(-)

1 week, 1 day

10
79
0 0

[PATCH net RESEND] net/core : fix KMSAN: uninit value in tipc_rcv

by hariconscious＠gmail.com

From: HariKrishna Sagala <hariconscious(a)gmail.com> Syzbot reported an uninit-value bug on at kmalloc_reserve for commit 320475fbd590 ("Merge tag 'mtd/fixes-for-6.17-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux")' Syzbot KMSAN reported use of uninitialized memory originating from functions "kmalloc_reserve()", where memory allocated via "kmem_cache_alloc_node()" or "kmalloc_node_track_caller()" was not explicitly initialized. This can lead to undefined behavior when the allocated buffer is later accessed. Fix this by requesting the initialized memory using the gfp flag appended with the option "__GFP_ZERO". Reported-by: syzbot+9a4fbb77c9d4aacd3388(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=9a4fbb77c9d4aacd3388 Fixes: 915d975b2ffa ("net: deal with integer overflows in kmalloc_reserve()") Tested-by: syzbot+9a4fbb77c9d4aacd3388(a)syzkaller.appspotmail.com Cc: <stable(a)vger.kernel.org> # 6.16 Signed-off-by: HariKrishna Sagala <hariconscious(a)gmail.com> --- RESEND: - added Cc stable as suggested from kernel test robot net/core/skbuff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index ee0274417948..2308ebf99bbd 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -573,6 +573,7 @@ static void *kmalloc_reserve(unsigned int *size, gfp_t flags, int node, void *obj; obj_size = SKB_HEAD_ALIGN(*size); + flags |= __GFP_ZERO; if (obj_size <= SKB_SMALL_HEAD_CACHE_SIZE && !(flags & KMALLOC_NOT_NORMAL_BITS)) { obj = kmem_cache_alloc_node(net_hotdata.skb_small_head_cache, -- 2.43.0

1 week, 1 day

2
1
0 0

[PATCH v2] tee: fix register_shm_helper()

by Jens Wiklander

In register_shm_helper(), fix incorrect error handling for a call to iov_iter_extract_pages(). A case is missing for when iov_iter_extract_pages() only got some pages and return a number larger than 0, but not the requested amount. This fixes a possible NULL pointer dereference following a bad input from ioctl(TEE_IOC_SHM_REGISTER) where parts of the buffer isn't mapped. Cc: stable(a)vger.kernel.org Reported-by: Masami Ichikawa <masami256(a)gmail.com> Closes: https://lore.kernel.org/op-tee/CACOXgS-Bo2W72Nj1_44c7bntyNYOavnTjJAvUbEiQfq… Tested-by: Masami Ichikawa <masami256(a)gmail.com> Fixes: 7bdee4157591 ("tee: Use iov_iter to better support shared buffer registration") Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org> --- Changes from v1 - Refactor the if statement as requested by Sumit - Adding Tested-by: Masami Ichikawa <masami256(a)gmail.com - Link to v1: https://lore.kernel.org/op-tee/20250919124217.2934718-1-jens.wiklander@lina… --- drivers/tee/tee_shm.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index daf6e5cfd59a..76c54e1dc98c 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -319,6 +319,14 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags, if (unlikely(len <= 0)) { ret = len ? ERR_PTR(len) : ERR_PTR(-ENOMEM); goto err_free_shm_pages; + } else if (DIV_ROUND_UP(len + off, PAGE_SIZE) != num_pages) { + /* + * If we only got a few pages, update to release the + * correct amount below. + */ + shm->num_pages = len / PAGE_SIZE; + ret = ERR_PTR(-ENOMEM); + goto err_put_shm_pages; } /* -- 2.43.0

1 week, 1 day

2
2
0 0

[PATCH] lib/genalloc: fix device leak in of_gen_pool_get()

by Johan Hovold

Make sure to drop the reference taken when looking up the genpool platform device in of_gen_pool_get() before returning the pool. Note that holding a reference to a device does typically not prevent its devres managed resources from being released so there is no point in keeping the reference. Fixes: 9375db07adea ("genalloc: add devres support, allow to find a managed pool by device") Cc: stable(a)vger.kernel.org # 3.10 Cc: Philipp Zabel <p.zabel(a)pengutronix.de> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- lib/genalloc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lib/genalloc.c b/lib/genalloc.c index 4fa5635bf81b..841f29783833 100644 --- a/lib/genalloc.c +++ b/lib/genalloc.c @@ -899,8 +899,11 @@ struct gen_pool *of_gen_pool_get(struct device_node *np, if (!name) name = of_node_full_name(np_pool); } - if (pdev) + if (pdev) { pool = gen_pool_get(&pdev->dev, name); + put_device(&pdev->dev); + } + of_node_put(np_pool); return pool; -- 2.49.1

1 week, 1 day

1
0
0 0

FAILED: patch "[PATCH] mm/gup: check ref_count instead of lru before migration" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 98c6d259319ecf6e8d027abd3f14b81324b8c0ad # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092154-unnoticed-collide-5621@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 98c6d259319ecf6e8d027abd3f14b81324b8c0ad Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Mon, 8 Sep 2025 15:15:03 -0700 Subject: [PATCH] mm/gup: check ref_count instead of lru before migration Patch series "mm: better GUP pin lru_add_drain_all()", v2. Series of lru_add_drain_all()-related patches, arising from recent mm/gup migration report from Will Deacon. This patch (of 5): Will Deacon reports:- When taking a longterm GUP pin via pin_user_pages(), __gup_longterm_locked() tries to migrate target folios that should not be longterm pinned, for example because they reside in a CMA region or movable zone. This is done by first pinning all of the target folios anyway, collecting all of the longterm-unpinnable target folios into a list, dropping the pins that were just taken and finally handing the list off to migrate_pages() for the actual migration. It is critically important that no unexpected references are held on the folios being migrated, otherwise the migration will fail and pin_user_pages() will return -ENOMEM to its caller. Unfortunately, it is relatively easy to observe migration failures when running pKVM (which uses pin_user_pages() on crosvm's virtual address space to resolve stage-2 page faults from the guest) on a 6.15-based Pixel 6 device and this results in the VM terminating prematurely. In the failure case, 'crosvm' has called mlock(MLOCK_ONFAULT) on its mapping of guest memory prior to the pinning. Subsequently, when pin_user_pages() walks the page-table, the relevant 'pte' is not present and so the faulting logic allocates a new folio, mlocks it with mlock_folio() and maps it in the page-table. Since commit 2fbb0c10d1e8 ("mm/munlock: mlock_page() munlock_page() batch by pagevec"), mlock/munlock operations on a folio (formerly page), are deferred. For example, mlock_folio() takes an additional reference on the target folio before placing it into a per-cpu 'folio_batch' for later processing by mlock_folio_batch(), which drops the refcount once the operation is complete. Processing of the batches is coupled with the LRU batch logic and can be forcefully drained with lru_add_drain_all() but as long as a folio remains unprocessed on the batch, its refcount will be elevated. This deferred batching therefore interacts poorly with the pKVM pinning scenario as we can find ourselves in a situation where the migration code fails to migrate a folio due to the elevated refcount from the pending mlock operation. Hugh Dickins adds:- !folio_test_lru() has never been a very reliable way to tell if an lru_add_drain_all() is worth calling, to remove LRU cache references to make the folio migratable: the LRU flag may be set even while the folio is held with an extra reference in a per-CPU LRU cache. 5.18 commit 2fbb0c10d1e8 may have made it more unreliable. Then 6.11 commit 33dfe9204f29 ("mm/gup: clear the LRU flag of a page before adding to LRU batch") tried to make it reliable, by moving LRU flag clearing; but missed the mlock/munlock batches, so still unreliable as reported. And it turns out to be difficult to extend 33dfe9204f29's LRU flag clearing to the mlock/munlock batches: if they do benefit from batching, mlock/munlock cannot be so effective when easily suppressed while !LRU. Instead, switch to an expected ref_count check, which was more reliable all along: some more false positives (unhelpful drains) than before, and never a guarantee that the folio will prove migratable, but better. Note on PG_private_2: ceph and nfs are still using the deprecated PG_private_2 flag, with the aid of netfs and filemap support functions. Although it is consistently matched by an increment of folio ref_count, folio_expected_ref_count() intentionally does not recognize it, and ceph folio migration currently depends on that for PG_private_2 folios to be rejected. New references to the deprecated flag are discouraged, so do not add it into the collect_longterm_unpinnable_folios() calculation: but longterm pinning of transiently PG_private_2 ceph and nfs folios (an uncommon case) may invoke a redundant lru_add_drain_all(). And this makes easy the backport to earlier releases: up to and including 6.12, btrfs also used PG_private_2, but without a ref_count increment. Note for stable backports: requires 6.16 commit 86ebd50224c0 ("mm: add folio_expected_ref_count() for reference count calculation"). Link: https://lkml.kernel.org/r/41395944-b0e3-c3ac-d648-8ddd70451d28@google.com Link: https://lkml.kernel.org/r/bd1f314a-fca1-8f19-cac0-b936c9614557@google.com Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: Hugh Dickins <hughd(a)google.com> Reported-by: Will Deacon <will(a)kernel.org> Closes: https://lore.kernel.org/linux-mm/20250815101858.24352-1-will@kernel.org/ Acked-by: Kiryl Shutsemau <kas(a)kernel.org> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/gup.c b/mm/gup.c index adffe663594d..82aec6443c0a 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2307,7 +2307,8 @@ static unsigned long collect_longterm_unpinnable_folios( continue; } - if (!folio_test_lru(folio) && drain_allow) { + if (drain_allow && folio_ref_count(folio) != + folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); drain_allow = false; }

1 week, 1 day

2
1
0 0

FAILED: patch "[PATCH] mm/gup: check ref_count instead of lru before migration" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 98c6d259319ecf6e8d027abd3f14b81324b8c0ad # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092111-hedging-brunch-bdeb@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 98c6d259319ecf6e8d027abd3f14b81324b8c0ad Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Mon, 8 Sep 2025 15:15:03 -0700 Subject: [PATCH] mm/gup: check ref_count instead of lru before migration Patch series "mm: better GUP pin lru_add_drain_all()", v2. Series of lru_add_drain_all()-related patches, arising from recent mm/gup migration report from Will Deacon. This patch (of 5): Will Deacon reports:- When taking a longterm GUP pin via pin_user_pages(), __gup_longterm_locked() tries to migrate target folios that should not be longterm pinned, for example because they reside in a CMA region or movable zone. This is done by first pinning all of the target folios anyway, collecting all of the longterm-unpinnable target folios into a list, dropping the pins that were just taken and finally handing the list off to migrate_pages() for the actual migration. It is critically important that no unexpected references are held on the folios being migrated, otherwise the migration will fail and pin_user_pages() will return -ENOMEM to its caller. Unfortunately, it is relatively easy to observe migration failures when running pKVM (which uses pin_user_pages() on crosvm's virtual address space to resolve stage-2 page faults from the guest) on a 6.15-based Pixel 6 device and this results in the VM terminating prematurely. In the failure case, 'crosvm' has called mlock(MLOCK_ONFAULT) on its mapping of guest memory prior to the pinning. Subsequently, when pin_user_pages() walks the page-table, the relevant 'pte' is not present and so the faulting logic allocates a new folio, mlocks it with mlock_folio() and maps it in the page-table. Since commit 2fbb0c10d1e8 ("mm/munlock: mlock_page() munlock_page() batch by pagevec"), mlock/munlock operations on a folio (formerly page), are deferred. For example, mlock_folio() takes an additional reference on the target folio before placing it into a per-cpu 'folio_batch' for later processing by mlock_folio_batch(), which drops the refcount once the operation is complete. Processing of the batches is coupled with the LRU batch logic and can be forcefully drained with lru_add_drain_all() but as long as a folio remains unprocessed on the batch, its refcount will be elevated. This deferred batching therefore interacts poorly with the pKVM pinning scenario as we can find ourselves in a situation where the migration code fails to migrate a folio due to the elevated refcount from the pending mlock operation. Hugh Dickins adds:- !folio_test_lru() has never been a very reliable way to tell if an lru_add_drain_all() is worth calling, to remove LRU cache references to make the folio migratable: the LRU flag may be set even while the folio is held with an extra reference in a per-CPU LRU cache. 5.18 commit 2fbb0c10d1e8 may have made it more unreliable. Then 6.11 commit 33dfe9204f29 ("mm/gup: clear the LRU flag of a page before adding to LRU batch") tried to make it reliable, by moving LRU flag clearing; but missed the mlock/munlock batches, so still unreliable as reported. And it turns out to be difficult to extend 33dfe9204f29's LRU flag clearing to the mlock/munlock batches: if they do benefit from batching, mlock/munlock cannot be so effective when easily suppressed while !LRU. Instead, switch to an expected ref_count check, which was more reliable all along: some more false positives (unhelpful drains) than before, and never a guarantee that the folio will prove migratable, but better. Note on PG_private_2: ceph and nfs are still using the deprecated PG_private_2 flag, with the aid of netfs and filemap support functions. Although it is consistently matched by an increment of folio ref_count, folio_expected_ref_count() intentionally does not recognize it, and ceph folio migration currently depends on that for PG_private_2 folios to be rejected. New references to the deprecated flag are discouraged, so do not add it into the collect_longterm_unpinnable_folios() calculation: but longterm pinning of transiently PG_private_2 ceph and nfs folios (an uncommon case) may invoke a redundant lru_add_drain_all(). And this makes easy the backport to earlier releases: up to and including 6.12, btrfs also used PG_private_2, but without a ref_count increment. Note for stable backports: requires 6.16 commit 86ebd50224c0 ("mm: add folio_expected_ref_count() for reference count calculation"). Link: https://lkml.kernel.org/r/41395944-b0e3-c3ac-d648-8ddd70451d28@google.com Link: https://lkml.kernel.org/r/bd1f314a-fca1-8f19-cac0-b936c9614557@google.com Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: Hugh Dickins <hughd(a)google.com> Reported-by: Will Deacon <will(a)kernel.org> Closes: https://lore.kernel.org/linux-mm/20250815101858.24352-1-will@kernel.org/ Acked-by: Kiryl Shutsemau <kas(a)kernel.org> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/gup.c b/mm/gup.c index adffe663594d..82aec6443c0a 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2307,7 +2307,8 @@ static unsigned long collect_longterm_unpinnable_folios( continue; } - if (!folio_test_lru(folio) && drain_allow) { + if (drain_allow && folio_ref_count(folio) != + folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); drain_allow = false; }

1 week, 1 day

2
1
0 0

[PATCH v6 4/4] PCI: dwc: Don't return error when wait for link up in dw_pcie_resume_noirq()

by Richard Zhu

When waiting for the PCIe link to come up, both link up and link down are valid results depending on the device state. Since the link may come up later and to get rid of the following mis-reported PM errors. Do not return an -ETIMEDOUT error, as the outcome has already been reported in dw_pcie_wait_for_link(). PM error logs introduced by the -ETIMEDOUT error return. imx6q-pcie 33800000.pcie: Phy link never came up imx6q-pcie 33800000.pcie: PM: dpm_run_callback(): genpd_resume_noirq returns -110 imx6q-pcie 33800000.pcie: PM: failed to resume noirq: error -110 Cc: stable(a)vger.kernel.org Fixes: 4774faf854f5 ("PCI: dwc: Implement generic suspend/resume functionality") Signed-off-by: Richard Zhu <hongxing.zhu(a)nxp.com> Reviewed-by: Frank Li <Frank.Li(a)nxp.com> --- drivers/pci/controller/dwc/pcie-designware-host.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/pci/controller/dwc/pcie-designware-host.c b/drivers/pci/controller/dwc/pcie-designware-host.c index b303a74b0fd7..c4386be38a07 100644 --- a/drivers/pci/controller/dwc/pcie-designware-host.c +++ b/drivers/pci/controller/dwc/pcie-designware-host.c @@ -1084,10 +1084,9 @@ int dw_pcie_resume_noirq(struct dw_pcie *pci) if (ret) return ret; - ret = dw_pcie_wait_for_link(pci); - if (ret) - return ret; + /* Ignore errors, the link may come up later */ + dw_pcie_wait_for_link(pci); - return ret; + return 0; } EXPORT_SYMBOL_GPL(dw_pcie_resume_noirq); -- 2.37.1

1 week, 1 day

1
0
0 0

[PATCH v6 2/4] PCI: dwc: Don't poll L2 if QUIRK_NOL2POLL_IN_PM is existing in suspend

by Richard Zhu

Refer to PCIe r6.0, sec 5.2, fig 5-1 Link Power Management State Flow Diagram. Both L0 and L2/L3 Ready can be transferred to LDn directly. It's harmless to let dw_pcie_suspend_noirq() proceed suspend after the PME_Turn_Off is sent out, whatever the LTSSM state is in L2 or L3 after a recommended 10ms max wait refer to PCIe r6.0, sec 5.3.3.2.1 PME Synchronization. The LTSSM states are inaccessible on i.MX6QP and i.MX7D after the PME_Turn_Off is sent out. To support this case, don't poll L2 state and apply a simple delay of PCIE_PME_TO_L2_TIMEOUT_US(10ms) if the QUIRK_NOL2POLL_IN_PM flag is set in suspend. Cc: stable(a)vger.kernel.org Fixes: 4774faf854f5 ("PCI: dwc: Implement generic suspend/resume functionality") Fixes: a528d1a72597 ("PCI: imx6: Use DWC common suspend resume method") Signed-off-by: Richard Zhu <hongxing.zhu(a)nxp.com> Reviewed-by: Frank Li <Frank.Li(a)nxp.com> --- drivers/pci/controller/dwc/pci-imx6.c | 4 +++ .../pci/controller/dwc/pcie-designware-host.c | 34 +++++++++++++------ drivers/pci/controller/dwc/pcie-designware.h | 4 +++ 3 files changed, 32 insertions(+), 10 deletions(-) diff --git a/drivers/pci/controller/dwc/pci-imx6.c b/drivers/pci/controller/dwc/pci-imx6.c index 80e48746bbaf..a59b5282c3cc 100644 --- a/drivers/pci/controller/dwc/pci-imx6.c +++ b/drivers/pci/controller/dwc/pci-imx6.c @@ -125,6 +125,7 @@ struct imx_pcie_drvdata { enum imx_pcie_variants variant; enum dw_pcie_device_mode mode; u32 flags; + u32 quirk; int dbi_length; const char *gpr; const u32 ltssm_off; @@ -1765,6 +1766,7 @@ static int imx_pcie_probe(struct platform_device *pdev) if (ret) return ret; + pci->quirk_flag = imx_pcie->drvdata->quirk; pci->use_parent_dt_ranges = true; if (imx_pcie->drvdata->mode == DW_PCIE_EP_TYPE) { ret = imx_add_pcie_ep(imx_pcie, pdev); @@ -1849,6 +1851,7 @@ static const struct imx_pcie_drvdata drvdata[] = { .enable_ref_clk = imx6q_pcie_enable_ref_clk, .core_reset = imx6qp_pcie_core_reset, .ops = &imx_pcie_host_ops, + .quirk = QUIRK_NOL2POLL_IN_PM, }, [IMX7D] = { .variant = IMX7D, @@ -1860,6 +1863,7 @@ static const struct imx_pcie_drvdata drvdata[] = { .mode_mask[0] = IMX6Q_GPR12_DEVICE_TYPE, .enable_ref_clk = imx7d_pcie_enable_ref_clk, .core_reset = imx7d_pcie_core_reset, + .quirk = QUIRK_NOL2POLL_IN_PM, }, [IMX8MQ] = { .variant = IMX8MQ, diff --git a/drivers/pci/controller/dwc/pcie-designware-host.c b/drivers/pci/controller/dwc/pcie-designware-host.c index 9d46d1f0334b..57a1ba08c427 100644 --- a/drivers/pci/controller/dwc/pcie-designware-host.c +++ b/drivers/pci/controller/dwc/pcie-designware-host.c @@ -1016,15 +1016,29 @@ int dw_pcie_suspend_noirq(struct dw_pcie *pci) return ret; } - ret = read_poll_timeout(dw_pcie_get_ltssm, val, - val == DW_PCIE_LTSSM_L2_IDLE || - val <= DW_PCIE_LTSSM_DETECT_WAIT, - PCIE_PME_TO_L2_TIMEOUT_US/10, - PCIE_PME_TO_L2_TIMEOUT_US, false, pci); - if (ret) { - /* Only log message when LTSSM isn't in DETECT or POLL */ - dev_err(pci->dev, "Timeout waiting for L2 entry! LTSSM: 0x%x\n", val); - return ret; + if (dwc_quirk(pci, QUIRK_NOL2POLL_IN_PM)) { + /* + * Add the QUIRK_NOL2_POLL_IN_PM case to avoid the read hang, + * when LTSSM is not powered in L2/L3/LDn properly. + * + * Refer to PCIe r6.0, sec 5.2, fig 5-1 Link Power Management + * State Flow Diagram. Both L0 and L2/L3 Ready can be + * transferred to LDn directly. On the LTSSM states poll broken + * platforms, add a max 10ms delay refer to PCIe r6.0, + * sec 5.3.3.2.1 PME Synchronization. + */ + mdelay(PCIE_PME_TO_L2_TIMEOUT_US/1000); + } else { + ret = read_poll_timeout(dw_pcie_get_ltssm, val, + val == DW_PCIE_LTSSM_L2_IDLE || + val <= DW_PCIE_LTSSM_DETECT_WAIT, + PCIE_PME_TO_L2_TIMEOUT_US/10, + PCIE_PME_TO_L2_TIMEOUT_US, false, pci); + if (ret) { + /* Only log message when LTSSM isn't in DETECT or POLL */ + dev_err(pci->dev, "Timeout waiting for L2 entry! LTSSM: 0x%x\n", val); + return ret; + } } /* @@ -1040,7 +1054,7 @@ int dw_pcie_suspend_noirq(struct dw_pcie *pci) pci->suspended = true; - return ret; + return 0; } EXPORT_SYMBOL_GPL(dw_pcie_suspend_noirq); diff --git a/drivers/pci/controller/dwc/pcie-designware.h b/drivers/pci/controller/dwc/pcie-designware.h index 00f52d472dcd..4e5bf6cb6ce8 100644 --- a/drivers/pci/controller/dwc/pcie-designware.h +++ b/drivers/pci/controller/dwc/pcie-designware.h @@ -295,6 +295,9 @@ /* Default eDMA LLP memory size */ #define DMA_LLP_MEM_SIZE PAGE_SIZE +#define QUIRK_NOL2POLL_IN_PM BIT(0) +#define dwc_quirk(pci, val) (pci->quirk_flag & val) + struct dw_pcie; struct dw_pcie_rp; struct dw_pcie_ep; @@ -504,6 +507,7 @@ struct dw_pcie { const struct dw_pcie_ops *ops; u32 version; u32 type; + u32 quirk_flag; unsigned long caps; int num_lanes; int max_link_speed; -- 2.37.1

1 week, 1 day

1
0
0 0

[PATCH v4 0/2] dc395x: fix compiler warnings and improve formatting of the macros

by Xinhui Yang

This series of patches clears the compiler warnings for the dc395x driver. The first patch introduces a new macro that casts the value returned by a read operation to void, since some values returned by some specific read operations (which just simply clears the FIFO buffer or resets the interrupt status) can be ignored. Creating a new macro that casts the return value to void to fix the warning. During the fix, checkpatch.pl complained about missing white space between macro arguments and missing parentheses around complex expressions. To align with the changes in the first patch, the formatting of macros above and below the introduced macro are also fixed. Since in Patch v2 [2] Bart pointed out that such change can't be made to the stable tree, the patch is split to two parts. --- Changes since v3 [1]: - Undo some mistakes in the patch 2 of the patch v2 where extra parentheses are added around function calls. - Remove the unnecessary casts from the inb(), inw() and inl() calls, so that extra parentheses are no longer required. They are now returns the type it was being casted to, as James pointed out. Changes since v2 [2]: - Split the patch into two parts, the first one fixes the warning, and the second one improves the formatting of the surrounding macros. - Make the description of the formatting changes more clear. Changes since v1 [3]: - Add Cc: tag to include this patch to the stable tree. - Add additional description about the formatting changes. [1]: https://lore.kernel.org/linux-scsi/20250923125226.1883391-1-cyan@cyano.uk/ [2]: https://lore.kernel.org/linux-scsi/20250922152609.827311-1-cyan@cyano.uk/ [3]: https://lore.kernel.org/linux-scsi/20250922143619.824129-1-cyan@cyano.uk/ --- Xinhui Yang (2): scsi: dc395x: correctly discard the return value in certain reads scsi: dc395x: improve code formatting for the macros drivers/scsi/dc395x.c | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) --- Xinhui Yang (2): scsi: dc395x: correctly discard the return value in certain reads scsi: dc395x: improve code formatting for the macros drivers/scsi/dc395x.c | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) -- 2.51.0

1 week, 1 day

2
3
0 0

[PATCH v2] crypto: zero initialize memory allocated via sock_kmalloc

by Shivani Agarwal

Several crypto user API contexts and requests allocated with sock_kmalloc() were left uninitialized, relying on callers to set fields explicitly. This resulted in the use of uninitialized data in certain error paths or when new fields are added in the future. The ACVP patches also contain two user-space interface files: algif_kpp.c and algif_akcipher.c. These too rely on proper initialization of their context structures. A particular issue has been observed with the newly added 'inflight' variable introduced in af_alg_ctx by commit: 67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests") Because the context is not memset to zero after allocation, the inflight variable has contained garbage values. As a result, af_alg_alloc_areq() has incorrectly returned -EBUSY randomly when the garbage value was interpreted as true: https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209 The check directly tests ctx->inflight without explicitly comparing against true/false. Since inflight is only ever set to true or false later, an uninitialized value has triggered -EBUSY failures. Zero-initializing memory allocated with sock_kmalloc() ensures inflight and other fields start in a known state, removing random issues caused by uninitialized data. Fixes: fe869cdb89c9 ("crypto: algif_hash - User-space interface for hash operations") Fixes: 5afdfd22e6ba ("crypto: algif_rng - add random number generator support") Fixes: 2d97591ef43d ("crypto: af_alg - consolidation of duplicate code") Fixes: 67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests") Cc: stable(a)vger.kernel.org Signed-off-by: Shivani Agarwal <shivani.agarwal(a)broadcom.com> --- Changes in v2: - Dropped algif_skcipher_export changes, The ctx->state will immediately be overwritten by crypto_skcipher_export. - No other changes. --- crypto/af_alg.c | 5 ++--- crypto/algif_hash.c | 3 +-- crypto/algif_rng.c | 3 +-- 3 files changed, 4 insertions(+), 7 deletions(-) diff --git a/crypto/af_alg.c b/crypto/af_alg.c index ca6fdcc6c54a..6c271e55f44d 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -1212,15 +1212,14 @@ struct af_alg_async_req *af_alg_alloc_areq(struct sock *sk, if (unlikely(!areq)) return ERR_PTR(-ENOMEM); + memset(areq, 0, areqlen); + ctx->inflight = true; areq->areqlen = areqlen; areq->sk = sk; areq->first_rsgl.sgl.sgt.sgl = areq->first_rsgl.sgl.sgl; - areq->last_rsgl = NULL; INIT_LIST_HEAD(&areq->rsgl_list); - areq->tsgl = NULL; - areq->tsgl_entries = 0; return areq; } diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c index e3f1a4852737..4d3dfc60a16a 100644 --- a/crypto/algif_hash.c +++ b/crypto/algif_hash.c @@ -416,9 +416,8 @@ static int hash_accept_parent_nokey(void *private, struct sock *sk) if (!ctx) return -ENOMEM; - ctx->result = NULL; + memset(ctx, 0, len); ctx->len = len; - ctx->more = false; crypto_init_wait(&ctx->wait); ask->private = ctx; diff --git a/crypto/algif_rng.c b/crypto/algif_rng.c index 10c41adac3b1..1a86e40c8372 100644 --- a/crypto/algif_rng.c +++ b/crypto/algif_rng.c @@ -248,9 +248,8 @@ static int rng_accept_parent(void *private, struct sock *sk) if (!ctx) return -ENOMEM; + memset(ctx, 0, len); ctx->len = len; - ctx->addtl = NULL; - ctx->addtl_len = 0; /* * No seeding done at that point -- if multiple accepts are -- 2.40.4

1 week, 1 day

1
0
0 0

ASSET TRANSFER

by Eslam Mohamed

Good day, I hope this email finds you well. Mr. Kostyantyn a Ukrainian Businessman and a Philanthropist, has asked me to reach out to you because he is in difficult situation and seeking to relocate some asset sum of US$41.5M out of Ukraine to overseas for safe keeping due to the current ongoing crisis (WAR) in Ukraine. He is looking for someone to help him receive and manage this asset into any business project over a period of 5-10 years till the crisis is over. Please reply to this email with your contact number for further discussion on this urgent matter.

1 week, 1 day

1
0
0 0

[PATCH] comedi: fix divide-by-zero in comedi_buf_munge()

by Deepanshu Kartikey

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path. Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging. This prevents potential kernel panics from malformed user commands. Reported-by: syzbot+f6c3c066162d2c43a66c(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=f6c3c066162d2c43a66c Cc: stable(a)vger.kernel.org Signed-off-by: Deepanshu Kartikey <kartikey406(a)gmail.com> --- drivers/comedi/comedi_buf.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/comedi/comedi_buf.c b/drivers/comedi/comedi_buf.c index 002c0e76baff..786f888299ce 100644 --- a/drivers/comedi/comedi_buf.c +++ b/drivers/comedi/comedi_buf.c @@ -321,6 +321,11 @@ static unsigned int comedi_buf_munge(struct comedi_subdevice *s, async->munge_count += num_bytes; return num_bytes; } + + if (async->cmd.chanlist_len == 0) { + async->munge_count += num_bytes; + return num_bytes; + } /* don't munge partial samples */ num_bytes -= num_bytes % num_sample_bytes; -- 2.43.0

1 week, 1 day

2
1
0 0

[PATCH] comedi: fix divide-by-zero in comedi_buf_munge()

by Deepanshu Kartikey

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path. Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging. This prevents potential kernel panics from malformed user commands. Reported-by: syzbot+f6c3c066162d2c43a66c(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=f6c3c066162d2c43a66c Cc: stable(a)vger.kernel.org Signed-off-by: Deepanshu Kartikey <kartikey406(a)gmail.com> --- drivers/comedi/comedi_buf.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/comedi/comedi_buf.c b/drivers/comedi/comedi_buf.c index 002c0e76baff..786f888299ce 100644 --- a/drivers/comedi/comedi_buf.c +++ b/drivers/comedi/comedi_buf.c @@ -321,6 +321,11 @@ static unsigned int comedi_buf_munge(struct comedi_subdevice *s, async->munge_count += num_bytes; return num_bytes; } + + if (async->cmd.chanlist_len == 0) { + async->munge_count += num_bytes; + return num_bytes; + } /* don't munge partial samples */ num_bytes -= num_bytes % num_sample_bytes; -- 2.43.0

1 week, 1 day

2
1
0 0

[PATCH 1/1] nouveau: On nvc0 membar between semaphore write and interrupt

by Mel Henning

This takes the fix from 2cb66ae604 ("nouveau: Membar before between semaphore writes and the interrupt") and applies it to nvc0_fence.c. If I force my ampere system down the nvc0_fence path then I reproduce the same issues with transfer queues + The Talos Principle that were fixed by the above commit. This fixes that issue in exactly the same way for the old code path. Fixes: 60cdadace320 ("drm/nouveau/fence: use NVIDIA's headers for emit()") Signed-off-by: Mel Henning <mhenning(a)darkrefraction.com> Cc: stable(a)vger.kernel.org --- .../drm/nouveau/include/nvhw/class/cl906f.h | 23 +++++ .../drm/nouveau/include/nvhw/class/clb06f.h | 54 +++++++++++ .../drm/nouveau/include/nvhw/class/clc06f.h | 93 +++++++++++++++++++ .../gpu/drm/nouveau/include/nvif/push906f.h | 2 + drivers/gpu/drm/nouveau/nvc0_fence.c | 31 ++++++- 5 files changed, 200 insertions(+), 3 deletions(-) create mode 100644 drivers/gpu/drm/nouveau/include/nvhw/class/clb06f.h create mode 100644 drivers/gpu/drm/nouveau/include/nvhw/class/clc06f.h diff --git a/drivers/gpu/drm/nouveau/include/nvhw/class/cl906f.h b/drivers/gpu/drm/nouveau/include/nvhw/class/cl906f.h index 673d668885bb..529c785b4651 100644 --- a/drivers/gpu/drm/nouveau/include/nvhw/class/cl906f.h +++ b/drivers/gpu/drm/nouveau/include/nvhw/class/cl906f.h @@ -47,6 +47,29 @@ #define NV906F_SEMAPHORED_RELEASE_SIZE_4BYTE 0x00000001 #define NV906F_NON_STALL_INTERRUPT (0x00000020) #define NV906F_NON_STALL_INTERRUPT_HANDLE 31:0 +#define NV906F_MEM_OP_A (0x00000028) +#define NV906F_MEM_OP_A_OPERAND_LOW 31:2 +#define NV906F_MEM_OP_A_TLB_INVALIDATE_ADDR 29:2 +#define NV906F_MEM_OP_A_TLB_INVALIDATE_TARGET 31:30 +#define NV906F_MEM_OP_A_TLB_INVALIDATE_TARGET_VID_MEM 0x00000000 +#define NV906F_MEM_OP_A_TLB_INVALIDATE_TARGET_SYS_MEM_COHERENT 0x00000002 +#define NV906F_MEM_OP_A_TLB_INVALIDATE_TARGET_SYS_MEM_NONCOHERENT 0x00000003 +#define NV906F_MEM_OP_B (0x0000002c) +#define NV906F_MEM_OP_B_OPERAND_HIGH 7:0 +#define NV906F_MEM_OP_B_OPERATION 31:27 +#define NV906F_MEM_OP_B_OPERATION_SYSMEMBAR_FLUSH 0x00000005 +#define NV906F_MEM_OP_B_OPERATION_SOFT_FLUSH 0x00000006 +#define NV906F_MEM_OP_B_OPERATION_MMU_TLB_INVALIDATE 0x00000009 +#define NV906F_MEM_OP_B_OPERATION_L2_PEERMEM_INVALIDATE 0x0000000d +#define NV906F_MEM_OP_B_OPERATION_L2_SYSMEM_INVALIDATE 0x0000000e +#define NV906F_MEM_OP_B_OPERATION_L2_CLEAN_COMPTAGS 0x0000000f +#define NV906F_MEM_OP_B_OPERATION_L2_FLUSH_DIRTY 0x00000010 +#define NV906F_MEM_OP_B_MMU_TLB_INVALIDATE_PDB 0:0 +#define NV906F_MEM_OP_B_MMU_TLB_INVALIDATE_PDB_ONE 0x00000000 +#define NV906F_MEM_OP_B_MMU_TLB_INVALIDATE_PDB_ALL 0x00000001 +#define NV906F_MEM_OP_B_MMU_TLB_INVALIDATE_GPC 1:1 +#define NV906F_MEM_OP_B_MMU_TLB_INVALIDATE_GPC_ENABLE 0x00000000 +#define NV906F_MEM_OP_B_MMU_TLB_INVALIDATE_GPC_DISABLE 0x00000001 #define NV906F_SET_REFERENCE (0x00000050) #define NV906F_SET_REFERENCE_COUNT 31:0 diff --git a/drivers/gpu/drm/nouveau/include/nvhw/class/clb06f.h b/drivers/gpu/drm/nouveau/include/nvhw/class/clb06f.h new file mode 100644 index 000000000000..15edc9d8dcbe --- /dev/null +++ b/drivers/gpu/drm/nouveau/include/nvhw/class/clb06f.h @@ -0,0 +1,54 @@ +/******************************************************************************* + Copyright (c) 2020, NVIDIA CORPORATION. All rights reserved. + + Permission is hereby granted, free of charge, to any person obtaining a + copy of this software and associated documentation files (the "Software"), + to deal in the Software without restriction, including without limitation + the rights to use, copy, modify, merge, publish, distribute, sublicense, + and/or sell copies of the Software, and to permit persons to whom the + Software is furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + DEALINGS IN THE SOFTWARE. + +*******************************************************************************/ +#ifndef _clb06f_h_ +#define _clb06f_h_ + +/* fields and values */ +// NOTE - MEM_OP_A and MEM_OP_B have been removed for gm20x to make room for +// possible future MEM_OP features. MEM_OP_C/D have identical functionality +// to the previous MEM_OP_A/B methods. +#define NVB06F_MEM_OP_C (0x00000030) +#define NVB06F_MEM_OP_C_OPERAND_LOW 31:2 +#define NVB06F_MEM_OP_C_TLB_INVALIDATE_PDB 0:0 +#define NVB06F_MEM_OP_C_TLB_INVALIDATE_PDB_ONE 0x00000000 +#define NVB06F_MEM_OP_C_TLB_INVALIDATE_PDB_ALL 0x00000001 +#define NVB06F_MEM_OP_C_TLB_INVALIDATE_GPC 1:1 +#define NVB06F_MEM_OP_C_TLB_INVALIDATE_GPC_ENABLE 0x00000000 +#define NVB06F_MEM_OP_C_TLB_INVALIDATE_GPC_DISABLE 0x00000001 +#define NVB06F_MEM_OP_C_TLB_INVALIDATE_TARGET 11:10 +#define NVB06F_MEM_OP_C_TLB_INVALIDATE_TARGET_VID_MEM 0x00000000 +#define NVB06F_MEM_OP_C_TLB_INVALIDATE_TARGET_SYS_MEM_COHERENT 0x00000002 +#define NVB06F_MEM_OP_C_TLB_INVALIDATE_TARGET_SYS_MEM_NONCOHERENT 0x00000003 +#define NVB06F_MEM_OP_C_TLB_INVALIDATE_ADDR_LO 31:12 +#define NVB06F_MEM_OP_D (0x00000034) +#define NVB06F_MEM_OP_D_OPERAND_HIGH 7:0 +#define NVB06F_MEM_OP_D_OPERATION 31:27 +#define NVB06F_MEM_OP_D_OPERATION_MEMBAR 0x00000005 +#define NVB06F_MEM_OP_D_OPERATION_MMU_TLB_INVALIDATE 0x00000009 +#define NVB06F_MEM_OP_D_OPERATION_L2_PEERMEM_INVALIDATE 0x0000000d +#define NVB06F_MEM_OP_D_OPERATION_L2_SYSMEM_INVALIDATE 0x0000000e +#define NVB06F_MEM_OP_D_OPERATION_L2_CLEAN_COMPTAGS 0x0000000f +#define NVB06F_MEM_OP_D_OPERATION_L2_FLUSH_DIRTY 0x00000010 +#define NVB06F_MEM_OP_D_TLB_INVALIDATE_ADDR_HI 7:0 + +#endif /* _clb06f_h_ */ diff --git a/drivers/gpu/drm/nouveau/include/nvhw/class/clc06f.h b/drivers/gpu/drm/nouveau/include/nvhw/class/clc06f.h new file mode 100644 index 000000000000..4d0f13f79c17 --- /dev/null +++ b/drivers/gpu/drm/nouveau/include/nvhw/class/clc06f.h @@ -0,0 +1,93 @@ +/******************************************************************************* + Copyright (c) 2020, NVIDIA CORPORATION. All rights reserved. + + Permission is hereby granted, free of charge, to any person obtaining a + copy of this software and associated documentation files (the "Software"), + to deal in the Software without restriction, including without limitation + the rights to use, copy, modify, merge, publish, distribute, sublicense, + and/or sell copies of the Software, and to permit persons to whom the + Software is furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + DEALINGS IN THE SOFTWARE. + +*******************************************************************************/ +#ifndef _clc06f_h_ +#define _clc06f_h_ + +/* fields and values */ +// NOTE - MEM_OP_A and MEM_OP_B have been replaced in gp100 with methods for +// specifying the page address for a targeted TLB invalidate and the uTLB for +// a targeted REPLAY_CANCEL for UVM. +// The previous MEM_OP_A/B functionality is in MEM_OP_C/D, with slightly +// rearranged fields. +#define NVC06F_MEM_OP_A (0x00000028) +#define NVC06F_MEM_OP_A_TLB_INVALIDATE_CANCEL_TARGET_CLIENT_UNIT_ID 5:0 // only relevant for REPLAY_CANCEL_TARGETED +#define NVC06F_MEM_OP_A_TLB_INVALIDATE_CANCEL_TARGET_GPC_ID 10:6 // only relevant for REPLAY_CANCEL_TARGETED +#define NVC06F_MEM_OP_A_TLB_INVALIDATE_SYSMEMBAR 11:11 +#define NVC06F_MEM_OP_A_TLB_INVALIDATE_SYSMEMBAR_EN 0x00000001 +#define NVC06F_MEM_OP_A_TLB_INVALIDATE_SYSMEMBAR_DIS 0x00000000 +#define NVC06F_MEM_OP_A_TLB_INVALIDATE_TARGET_ADDR_LO 31:12 +#define NVC06F_MEM_OP_B (0x0000002c) +#define NVC06F_MEM_OP_B_TLB_INVALIDATE_TARGET_ADDR_HI 31:0 +#define NVC06F_MEM_OP_C (0x00000030) +#define NVC06F_MEM_OP_C_MEMBAR_TYPE 2:0 +#define NVC06F_MEM_OP_C_MEMBAR_TYPE_SYS_MEMBAR 0x00000000 +#define NVC06F_MEM_OP_C_MEMBAR_TYPE_MEMBAR 0x00000001 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PDB 0:0 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PDB_ONE 0x00000000 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PDB_ALL 0x00000001 // Probably nonsensical for MMU_TLB_INVALIDATE_TARGETED +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_GPC 1:1 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_GPC_ENABLE 0x00000000 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_GPC_DISABLE 0x00000001 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_REPLAY 4:2 // only relevant if GPC ENABLE +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_REPLAY_NONE 0x00000000 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_REPLAY_START 0x00000001 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_REPLAY_START_ACK_ALL 0x00000002 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_REPLAY_CANCEL_TARGETED 0x00000003 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_REPLAY_CANCEL_GLOBAL 0x00000004 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_ACK_TYPE 6:5 // only relevant if GPC ENABLE +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_ACK_TYPE_NONE 0x00000000 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_ACK_TYPE_GLOBALLY 0x00000001 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_ACK_TYPE_INTRANODE 0x00000002 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL 9:7 // Invalidate affects this level and all below +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL_ALL 0x00000000 // Invalidate tlb caches at all levels of the page table +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL_PTE_ONLY 0x00000001 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL_UP_TO_PDE0 0x00000002 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL_UP_TO_PDE1 0x00000003 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL_UP_TO_PDE2 0x00000004 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL_UP_TO_PDE3 0x00000005 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL_UP_TO_PDE4 0x00000006 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL_UP_TO_PDE5 0x00000007 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PDB_APERTURE 11:10 // only relevant if PDB_ONE +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PDB_APERTURE_VID_MEM 0x00000000 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PDB_APERTURE_SYS_MEM_COHERENT 0x00000002 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PDB_APERTURE_SYS_MEM_NONCOHERENT 0x00000003 +#define NVC06F_MEM_OP_C_TLB_INVALIDATE_PDB_ADDR_LO 31:12 // only relevant if PDB_ONE +// MEM_OP_D MUST be preceded by MEM_OPs A-C. +#define NVC06F_MEM_OP_D (0x00000034) +#define NVC06F_MEM_OP_D_TLB_INVALIDATE_PDB_ADDR_HI 26:0 // only relevant if PDB_ONE +#define NVC06F_MEM_OP_D_OPERATION 31:27 +#define NVC06F_MEM_OP_D_OPERATION_MEMBAR 0x00000005 +#define NVC06F_MEM_OP_D_OPERATION_MMU_TLB_INVALIDATE 0x00000009 +#define NVC06F_MEM_OP_D_OPERATION_MMU_TLB_INVALIDATE_TARGETED 0x0000000a +#define NVC06F_MEM_OP_D_OPERATION_L2_PEERMEM_INVALIDATE 0x0000000d +#define NVC06F_MEM_OP_D_OPERATION_L2_SYSMEM_INVALIDATE 0x0000000e +// CLEAN_LINES is an alias for Tegra/GPU IP usage +#define NVC06F_MEM_OP_D_OPERATION_L2_INVALIDATE_CLEAN_LINES 0x0000000e +// This B alias is confusing but it was missed as part of the update. Left here +// for compatibility. +#define NVC06F_MEM_OP_B_OPERATION_L2_INVALIDATE_CLEAN_LINES 0x0000000e +#define NVC06F_MEM_OP_D_OPERATION_L2_CLEAN_COMPTAGS 0x0000000f +#define NVC06F_MEM_OP_D_OPERATION_L2_FLUSH_DIRTY 0x00000010 +#define NVC06F_MEM_OP_D_OPERATION_L2_WAIT_FOR_SYS_PENDING_READS 0x00000015 + +#endif /* _clc06f_h_ */ diff --git a/drivers/gpu/drm/nouveau/include/nvif/push906f.h b/drivers/gpu/drm/nouveau/include/nvif/push906f.h index 79df71de98d2..3d506f4dc2c9 100644 --- a/drivers/gpu/drm/nouveau/include/nvif/push906f.h +++ b/drivers/gpu/drm/nouveau/include/nvif/push906f.h @@ -7,6 +7,8 @@ #ifndef PUSH906F_SUBC // Host methods #define PUSH906F_SUBC_NV906F 0 +#define PUSH906F_SUBC_NVB06F 0 +#define PUSH906F_SUBC_NVC06F 0 #define PUSH906F_SUBC_NVC36F 0 // Twod diff --git a/drivers/gpu/drm/nouveau/nvc0_fence.c b/drivers/gpu/drm/nouveau/nvc0_fence.c index a5e98d0d4217..8b36deaaf8cf 100644 --- a/drivers/gpu/drm/nouveau/nvc0_fence.c +++ b/drivers/gpu/drm/nouveau/nvc0_fence.c @@ -27,15 +27,18 @@ #include "nv50_display.h" +#include <nvif/class.h> #include <nvif/push906f.h> #include <nvhw/class/cl906f.h> +#include <nvhw/class/clb06f.h> +#include <nvhw/class/clc06f.h> static int nvc0_fence_emit32(struct nouveau_channel *chan, u64 virtual, u32 sequence) { struct nvif_push *push = &chan->chan.push; - int ret = PUSH_WAIT(push, 6); + int ret = PUSH_WAIT(push, 12); if (ret == 0) { PUSH_MTHD(push, NV906F, SEMAPHOREA, NVVAL(NV906F, SEMAPHOREA, OFFSET_UPPER, upper_32_bits(virtual)), @@ -46,9 +49,31 @@ nvc0_fence_emit32(struct nouveau_channel *chan, u64 virtual, u32 sequence) SEMAPHORED, NVDEF(NV906F, SEMAPHORED, OPERATION, RELEASE) | NVDEF(NV906F, SEMAPHORED, RELEASE_WFI, EN) | - NVDEF(NV906F, SEMAPHORED, RELEASE_SIZE, 16BYTE), + NVDEF(NV906F, SEMAPHORED, RELEASE_SIZE, 16BYTE)); + + if (chan->user.oclass >= PASCAL_CHANNEL_GPFIFO_A) { + PUSH_MTHD(push, NVC06F, MEM_OP_A, 0, + MEM_OP_B, 0, + + MEM_OP_C, + NVDEF(NVC06F, MEM_OP_C, MEMBAR_TYPE, SYS_MEMBAR), + + MEM_OP_D, + NVDEF(NVC06F, MEM_OP_D, OPERATION, MEMBAR)); + } else if (chan->user.oclass >= MAXWELL_CHANNEL_GPFIFO_A) { + PUSH_MTHD(push, NVB06F, MEM_OP_C, 0, + + MEM_OP_D, + NVDEF(NVC06F, MEM_OP_D, OPERATION, MEMBAR)); + } else { + PUSH_MTHD(push, NV906F, MEM_OP_A, 0, + + MEM_OP_B, + NVDEF(NV906F, MEM_OP_B, OPERATION, SYSMEMBAR_FLUSH)); + } + + PUSH_MTHD(push, NV906F, NON_STALL_INTERRUPT, 0); - NON_STALL_INTERRUPT, 0); PUSH_KICK(push); } return ret; -- 2.51.0

1 week, 1 day

1
0
0 0

[PATCH] PCI/sysfs: Ensure devices are powered for config reads

by Brian Norris

From: Brian Norris <briannorris(a)google.com> max_link_speed, max_link_width, current_link_speed, current_link_width, secondary_bus_number, and subordinate_bus_number all access config registers, but they don't check the runtime PM state. If the device is in D3cold, we may see -EINVAL or even bogus values. Wrap these access in pci_config_pm_runtime_{get,put}() like most of the rest of the similar sysfs attributes. Fixes: 56c1af4606f0 ("PCI: Add sysfs max_link_speed/width, current_link_speed/width, etc") Cc: stable(a)vger.kernel.org Signed-off-by: Brian Norris <briannorris(a)google.com> Signed-off-by: Brian Norris <briannorris(a)chromium.org> --- drivers/pci/pci-sysfs.c | 32 +++++++++++++++++++++++++++++--- 1 file changed, 29 insertions(+), 3 deletions(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c index 5eea14c1f7f5..160df897dc5e 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -191,9 +191,16 @@ static ssize_t max_link_speed_show(struct device *dev, struct device_attribute *attr, char *buf) { struct pci_dev *pdev = to_pci_dev(dev); + ssize_t ret; + + pci_config_pm_runtime_get(pdev); - return sysfs_emit(buf, "%s\n", - pci_speed_string(pcie_get_speed_cap(pdev))); + ret = sysfs_emit(buf, "%s\n", + pci_speed_string(pcie_get_speed_cap(pdev))); + + pci_config_pm_runtime_put(pdev); + + return ret; } static DEVICE_ATTR_RO(max_link_speed); @@ -201,8 +208,15 @@ static ssize_t max_link_width_show(struct device *dev, struct device_attribute *attr, char *buf) { struct pci_dev *pdev = to_pci_dev(dev); + ssize_t ret; + + pci_config_pm_runtime_get(pdev); + + ret = sysfs_emit(buf, "%u\n", pcie_get_width_cap(pdev)); - return sysfs_emit(buf, "%u\n", pcie_get_width_cap(pdev)); + pci_config_pm_runtime_put(pdev); + + return ret; } static DEVICE_ATTR_RO(max_link_width); @@ -214,7 +228,10 @@ static ssize_t current_link_speed_show(struct device *dev, int err; enum pci_bus_speed speed; + pci_config_pm_runtime_get(pci_dev); err = pcie_capability_read_word(pci_dev, PCI_EXP_LNKSTA, &linkstat); + pci_config_pm_runtime_put(pci_dev); + if (err) return -EINVAL; @@ -231,7 +248,10 @@ static ssize_t current_link_width_show(struct device *dev, u16 linkstat; int err; + pci_config_pm_runtime_get(pci_dev); err = pcie_capability_read_word(pci_dev, PCI_EXP_LNKSTA, &linkstat); + pci_config_pm_runtime_put(pci_dev); + if (err) return -EINVAL; @@ -247,7 +267,10 @@ static ssize_t secondary_bus_number_show(struct device *dev, u8 sec_bus; int err; + pci_config_pm_runtime_get(pci_dev); err = pci_read_config_byte(pci_dev, PCI_SECONDARY_BUS, &sec_bus); + pci_config_pm_runtime_put(pci_dev); + if (err) return -EINVAL; @@ -263,7 +286,10 @@ static ssize_t subordinate_bus_number_show(struct device *dev, u8 sub_bus; int err; + pci_config_pm_runtime_get(pci_dev); err = pci_read_config_byte(pci_dev, PCI_SUBORDINATE_BUS, &sub_bus); + pci_config_pm_runtime_put(pci_dev); + if (err) return -EINVAL; -- 2.51.0.rc1.193.gad69d77794-goog

1 week, 1 day

4
10
0 0

[PATCH 6.1] softirq: Add trace points for tasklet entry/exit

by Sumanth Gavini

commit f4bf3ca2e5cba655824b6e0893a98dfb33ed24e5 upstream. Tasklets are supposed to finish their work quickly and should not block the current running process, but it is not guaranteed that they do so. Currently softirq_entry/exit can be used to analyse the total tasklets execution time, but that's not helpful to track individual tasklets execution time. That makes it hard to identify tasklet functions, which take more time than expected. Add tasklet_entry/exit trace point support to track individual tasklet execution. Trivial usage example: # echo 1 > /sys/kernel/debug/tracing/events/irq/tasklet_entry/enable # echo 1 > /sys/kernel/debug/tracing/events/irq/tasklet_exit/enable # cat /sys/kernel/debug/tracing/trace # tracer: nop # # entries-in-buffer/entries-written: 4/4 #P:4 # # _-----=> irqs-off/BH-disabled # / _----=> need-resched # | / _---=> hardirq/softirq # || / _--=> preempt-depth # ||| / _-=> migrate-disable # |||| / delay # TASK-PID CPU# ||||| TIMESTAMP FUNCTION # | | | ||||| | | <idle>-0 [003] ..s1. 314.011428: tasklet_entry: tasklet=0xffffa01ef8db2740 function=tcp_tasklet_func <idle>-0 [003] ..s1. 314.011432: tasklet_exit: tasklet=0xffffa01ef8db2740 function=tcp_tasklet_func <idle>-0 [003] ..s1. 314.017369: tasklet_entry: tasklet=0xffffa01ef8db2740 function=tcp_tasklet_func <idle>-0 [003] ..s1. 314.017371: tasklet_exit: tasklet=0xffffa01ef8db2740 function=tcp_tasklet_func Signed-off-by: Lingutla Chandrasekhar <clingutla(a)codeaurora.org> Signed-off-by: J. Avila <elavila(a)google.com> Signed-off-by: John Stultz <jstultz(a)google.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Reviewed-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> Link: https://lore.kernel.org/r/20230407230526.1685443-1-jstultz@google.com [elavila: Port to android-mainline] [jstultz: Rebased to upstream, cut unused trace points, added comments for the tracepoints, reworded commit] Signed-off-by: Sumanth Gavini <sumanth.gavini(a)yahoo.com> --- include/trace/events/irq.h | 47 ++++++++++++++++++++++++++++++++++++++ kernel/softirq.c | 9 ++++++-- 2 files changed, 54 insertions(+), 2 deletions(-) diff --git a/include/trace/events/irq.h b/include/trace/events/irq.h index eeceafaaea4c..a07b4607b663 100644 --- a/include/trace/events/irq.h +++ b/include/trace/events/irq.h @@ -160,6 +160,53 @@ DEFINE_EVENT(softirq, softirq_raise, TP_ARGS(vec_nr) ); +DECLARE_EVENT_CLASS(tasklet, + + TP_PROTO(struct tasklet_struct *t, void *func), + + TP_ARGS(t, func), + + TP_STRUCT__entry( + __field( void *, tasklet) + __field( void *, func) + ), + + TP_fast_assign( + __entry->tasklet = t; + __entry->func = func; + ), + + TP_printk("tasklet=%ps function=%ps", __entry->tasklet, __entry->func) +); + +/** + * tasklet_entry - called immediately before the tasklet is run + * @t: tasklet pointer + * @func: tasklet callback or function being run + * + * Used to find individual tasklet execution time + */ +DEFINE_EVENT(tasklet, tasklet_entry, + + TP_PROTO(struct tasklet_struct *t, void *func), + + TP_ARGS(t, func) +); + +/** + * tasklet_exit - called immediately after the tasklet is run + * @t: tasklet pointer + * @func: tasklet callback or function being run + * + * Used to find individual tasklet execution time + */ +DEFINE_EVENT(tasklet, tasklet_exit, + + TP_PROTO(struct tasklet_struct *t, void *func), + + TP_ARGS(t, func) +); + #endif /* _TRACE_IRQ_H */ /* This part must be outside protection */ diff --git a/kernel/softirq.c b/kernel/softirq.c index 9ab5ca399a99..fadc6bbda27b 100644 --- a/kernel/softirq.c +++ b/kernel/softirq.c @@ -822,10 +822,15 @@ static void tasklet_action_common(struct softirq_action *a, if (tasklet_trylock(t)) { if (!atomic_read(&t->count)) { if (tasklet_clear_sched(t)) { - if (t->use_callback) + if (t->use_callback) { + trace_tasklet_entry(t, t->callback); t->callback(t); - else + trace_tasklet_exit(t, t->callback); + } else { + trace_tasklet_entry(t, t->func); t->func(t->data); + trace_tasklet_exit(t, t->func); + } } tasklet_unlock(t); continue; -- 2.43.0

1 week, 2 days

4
8
0 0

+ mm-ksm-fix-incorrect-ksm-counter-handling-in-mm_struct-during-fork.patch added to mm-unstable branch

by Andrew Morton

The patch titled Subject: mm/ksm: fix incorrect KSM counter handling in mm_struct during fork has been added to the -mm mm-unstable branch. Its filename is mm-ksm-fix-incorrect-ksm-counter-handling-in-mm_struct-during-fork.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Donet Tom <donettom(a)linux.ibm.com> Subject: mm/ksm: fix incorrect KSM counter handling in mm_struct during fork Date: Wed, 24 Sep 2025 00:16:59 +0530 Patch series "mm/ksm: Fix incorrect accounting of KSM counters during fork", v3. The first patch in this series fixes the incorrect accounting of KSM counters such as ksm_merging_pages, ksm_rmap_items, and the global ksm_zero_pages during fork. The following patch add a selftest to verify the ksm_merging_pages counter was updated correctly during fork. Test Results ============ Without the first patch ----------------------- # [RUN] test_fork_ksm_merging_page_count not ok 10 ksm_merging_page in child: 32 With the first patch -------------------- # [RUN] test_fork_ksm_merging_page_count ok 10 ksm_merging_pages is not inherited after fork This patch (of 2): Currently, the KSM-related counters in `mm_struct`, such as `ksm_merging_pages`, `ksm_rmap_items`, and `ksm_zero_pages`, are inherited by the child process during fork. This results in inconsistent accounting. When a process uses KSM, identical pages are merged and an rmap item is created for each merged page. The `ksm_merging_pages` and `ksm_rmap_items` counters are updated accordingly. However, after a fork, these counters are copied to the child while the corresponding rmap items are not. As a result, when the child later triggers an unmerge, there are no rmap items present in the child, so the counters remain stale, leading to incorrect accounting. A similar issue exists with `ksm_zero_pages`, which maintains both a global counter and a per-process counter. During fork, the per-process counter is inherited by the child, but the global counter is not incremented. Since the child also references zero pages, the global counter should be updated as well. Otherwise, during zero-page unmerge, both the global and per-process counters are decremented, causing the global counter to become inconsistent. To fix this, ksm_merging_pages and ksm_rmap_items are reset to 0 during fork, and the global ksm_zero_pages counter is updated with the per-process ksm_zero_pages value inherited by the child. This ensures that KSM statistics remain accurate and reflect the activity of each process correctly. Link: https://lkml.kernel.org/r/cover.1758648700.git.donettom@linux.ibm.com Link: https://lkml.kernel.org/r/7b9870eb67ccc0d79593940d9dbd4a0b39b5d396.17586487… Fixes: 7609385337a4 ("ksm: count ksm merging pages for each process") Fixes: cb4df4cae4f2 ("ksm: count allocated ksm rmap_items for each process") Fixes: e2942062e01d ("ksm: count all zero pages placed by KSM") Signed-off-by: Donet Tom <donettom(a)linux.ibm.com> Reviewed-by: Chengming Zhou <chengming.zhou(a)linux.dev> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Aboorva Devarajan <aboorvad(a)linux.ibm.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Donet Tom <donettom(a)linux.ibm.com> Cc: "Ritesh Harjani (IBM)" <ritesh.list(a)gmail.com> Cc: Wei Yang <richard.weiyang(a)gmail.com> Cc: xu xin <xu.xin16(a)zte.com.cn> Cc: <stable(a)vger.kernel.org> [6.6+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/ksm.h | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/include/linux/ksm.h~mm-ksm-fix-incorrect-ksm-counter-handling-in-mm_struct-during-fork +++ a/include/linux/ksm.h @@ -56,8 +56,14 @@ static inline long mm_ksm_zero_pages(str static inline void ksm_fork(struct mm_struct *mm, struct mm_struct *oldmm) { /* Adding mm to ksm is best effort on fork. */ - if (mm_flags_test(MMF_VM_MERGEABLE, oldmm)) + if (mm_flags_test(MMF_VM_MERGEABLE, oldmm)) { + long nr_ksm_zero_pages = atomic_long_read(&mm->ksm_zero_pages); + + mm->ksm_merging_pages = 0; + mm->ksm_rmap_items = 0; + atomic_long_add(nr_ksm_zero_pages, &ksm_zero_pages); __ksm_enter(mm); + } } static inline int ksm_execve(struct mm_struct *mm) _ Patches currently in -mm which might be from donettom(a)linux.ibm.com are drivers-base-node-fix-double-free-in-register_one_node.patch mm-ksm-fix-incorrect-ksm-counter-handling-in-mm_struct-during-fork.patch selftests-mm-added-fork-inheritance-test-for-ksm_merging_pages-counter.patch

1 week, 2 days

1
0
0 0

[PATCH] drm/imx/tve: fix probe device leak

by Johan Hovold

Make sure to drop the reference taken to the DDC device during probe on probe failure (e.g. probe deferral) and on driver unbind. Fixes: fcbc51e54d2a ("staging: drm/imx: Add support for Television Encoder (TVEv2)") Cc: stable(a)vger.kernel.org # 3.10 Cc: Philipp Zabel <p.zabel(a)pengutronix.de> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/gpu/drm/imx/ipuv3/imx-tve.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/gpu/drm/imx/ipuv3/imx-tve.c b/drivers/gpu/drm/imx/ipuv3/imx-tve.c index c5629e155d25..895413d26113 100644 --- a/drivers/gpu/drm/imx/ipuv3/imx-tve.c +++ b/drivers/gpu/drm/imx/ipuv3/imx-tve.c @@ -525,6 +525,13 @@ static const struct component_ops imx_tve_ops = { .bind = imx_tve_bind, }; +static void imx_tve_put_device(void *_dev) +{ + struct device *dev = _dev; + + put_device(dev); +} + static int imx_tve_probe(struct platform_device *pdev) { struct device *dev = &pdev->dev; @@ -546,6 +553,11 @@ static int imx_tve_probe(struct platform_device *pdev) if (ddc_node) { tve->ddc = of_find_i2c_adapter_by_node(ddc_node); of_node_put(ddc_node); + + ret = devm_add_action_or_reset(dev, imx_tve_put_device, + &tve->ddc->dev); + if (ret) + return ret; } tve->mode = of_get_tve_mode(np); -- 2.49.1

1 week, 2 days

2
1
0 0

[PATCH v2] nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()

by Guangshuo Li

devm_kcalloc() may fail. ndtest_probe() allocates three DMA address arrays (dcr_dma, label_dma, dimm_dma) and later unconditionally uses them in ndtest_nvdimm_init(), which can lead to a NULL pointer dereference under low-memory conditions. Check all three allocations and return -ENOMEM if any allocation fails. Do not emit an extra error message since the allocator already warns on allocation failure. Fixes: 9399ab61ad82 ("ndtest: Add dimms to the two buses") Cc: stable(a)vger.kernel.org Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- Changes in v2: - Drop pr_err() on allocation failure; only NULL-check and return -ENOMEM. - No other changes. --- tools/testing/nvdimm/test/ndtest.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tools/testing/nvdimm/test/ndtest.c b/tools/testing/nvdimm/test/ndtest.c index 68a064ce598c..abdbe0c1cb63 100644 --- a/tools/testing/nvdimm/test/ndtest.c +++ b/tools/testing/nvdimm/test/ndtest.c @@ -855,6 +855,9 @@ static int ndtest_probe(struct platform_device *pdev) p->dimm_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR, sizeof(dma_addr_t), GFP_KERNEL); + if (!p->dcr_dma || !p->label_dma || !p->dimm_dma) + return -ENOMEM; + rc = ndtest_nvdimm_init(p); if (rc) goto err; -- 2.43.0

1 week, 2 days

3
2
0 0

[PATCH v3 1/2] mm/ksm: Fix incorrect KSM counter handling in mm_struct during fork

by Donet Tom

Currently, the KSM-related counters in `mm_struct`, such as `ksm_merging_pages`, `ksm_rmap_items`, and `ksm_zero_pages`, are inherited by the child process during fork. This results in inconsistent accounting. When a process uses KSM, identical pages are merged and an rmap item is created for each merged page. The `ksm_merging_pages` and `ksm_rmap_items` counters are updated accordingly. However, after a fork, these counters are copied to the child while the corresponding rmap items are not. As a result, when the child later triggers an unmerge, there are no rmap items present in the child, so the counters remain stale, leading to incorrect accounting. A similar issue exists with `ksm_zero_pages`, which maintains both a global counter and a per-process counter. During fork, the per-process counter is inherited by the child, but the global counter is not incremented. Since the child also references zero pages, the global counter should be updated as well. Otherwise, during zero-page unmerge, both the global and per-process counters are decremented, causing the global counter to become inconsistent. To fix this, ksm_merging_pages and ksm_rmap_items are reset to 0 during fork, and the global ksm_zero_pages counter is updated with the per-process ksm_zero_pages value inherited by the child. This ensures that KSM statistics remain accurate and reflect the activity of each process correctly. Fixes: 7609385337a4 ("ksm: count ksm merging pages for each process") Fixes: cb4df4cae4f2 ("ksm: count allocated ksm rmap_items for each process") Fixes: e2942062e01d ("ksm: count all zero pages placed by KSM") cc: stable(a)vger.kernel.org # v6.6 Reviewed-by: Chengming Zhou <chengming.zhou(a)linux.dev> Acked-by: David Hildenbrand <david(a)redhat.com> Signed-off-by: Donet Tom <donettom(a)linux.ibm.com> --- include/linux/ksm.h | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/include/linux/ksm.h b/include/linux/ksm.h index 22e67ca7cba3..067538fc4d58 100644 --- a/include/linux/ksm.h +++ b/include/linux/ksm.h @@ -56,8 +56,14 @@ static inline long mm_ksm_zero_pages(struct mm_struct *mm) static inline void ksm_fork(struct mm_struct *mm, struct mm_struct *oldmm) { /* Adding mm to ksm is best effort on fork. */ - if (mm_flags_test(MMF_VM_MERGEABLE, oldmm)) + if (mm_flags_test(MMF_VM_MERGEABLE, oldmm)) { + long nr_ksm_zero_pages = atomic_long_read(&mm->ksm_zero_pages); + + mm->ksm_merging_pages = 0; + mm->ksm_rmap_items = 0; + atomic_long_add(nr_ksm_zero_pages, &ksm_zero_pages); __ksm_enter(mm); + } } static inline int ksm_execve(struct mm_struct *mm) -- 2.51.0

1 week, 2 days

1
0
0 0

[PATCH] remoteproc: Fix potential null pointer dereference in pru_rproc_set_ctable()

by Zhen Ni

pru_rproc_set_ctable() accessed rproc->priv before the IS_ERR_OR_NULL check, which could lead to a null pointer dereference. Move the pru assignment, ensuring we never dereference a NULL rproc pointer. Fixes: 102853400321 ("remoteproc: pru: Add pru_rproc_set_ctable() function") Cc: stable(a)vger.kernel.org Signed-off-by: Zhen Ni <zhen.ni(a)easystack.cn> --- drivers/remoteproc/pru_rproc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/remoteproc/pru_rproc.c b/drivers/remoteproc/pru_rproc.c index 842e4b6cc5f9..5e3eb7b86a0e 100644 --- a/drivers/remoteproc/pru_rproc.c +++ b/drivers/remoteproc/pru_rproc.c @@ -340,7 +340,7 @@ EXPORT_SYMBOL_GPL(pru_rproc_put); */ int pru_rproc_set_ctable(struct rproc *rproc, enum pru_ctable_idx c, u32 addr) { - struct pru_rproc *pru = rproc->priv; + struct pru_rproc *pru; unsigned int reg; u32 mask, set; u16 idx; @@ -352,6 +352,7 @@ int pru_rproc_set_ctable(struct rproc *rproc, enum pru_ctable_idx c, u32 addr) if (!rproc->dev.parent || !is_pru_rproc(rproc->dev.parent)) return -ENODEV; + pru = rproc->priv; /* pointer is 16 bit and index is 8-bit so mask out the rest */ idx_mask = (c >= PRU_C28) ? 0xFFFF : 0xFF; -- 2.20.1

1 week, 2 days

3
5
0 0

[v2 PATCH] arm64: kprobes: call set_memory_rox() for kprobe page

by Yang Shi

The kprobe page is allocated by execmem allocator with ROX permission. It needs to call set_memory_rox() to set proper permission for the direct map too. It was missed. Fixes: 10d5e97c1bf8 ("arm64: use PAGE_KERNEL_ROX directly in alloc_insn_page") Cc: <stable(a)vger.kernel.org> Signed-off-by: Yang Shi <yang(a)os.amperecomputing.com> Reviewed-by: Catalin Marinas <catalin.marinas(a)arm.com> --- v2: Separated the patch from BBML2 series since it is an orthogonal bug fix per Ryan. Fixed the variable name nit per Catalin. Collected R-bs from Catalin. arch/arm64/kernel/probes/kprobes.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/arch/arm64/kernel/probes/kprobes.c b/arch/arm64/kernel/probes/kprobes.c index 0c5d408afd95..8ab6104a4883 100644 --- a/arch/arm64/kernel/probes/kprobes.c +++ b/arch/arm64/kernel/probes/kprobes.c @@ -10,6 +10,7 @@ #define pr_fmt(fmt) "kprobes: " fmt +#include <linux/execmem.h> #include <linux/extable.h> #include <linux/kasan.h> #include <linux/kernel.h> @@ -41,6 +42,17 @@ DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk); static void __kprobes post_kprobe_handler(struct kprobe *, struct kprobe_ctlblk *, struct pt_regs *); +void *alloc_insn_page(void) +{ + void *addr; + + addr = execmem_alloc(EXECMEM_KPROBES, PAGE_SIZE); + if (!addr) + return NULL; + set_memory_rox((unsigned long)addr, 1); + return addr; +} + static void __kprobes arch_prepare_ss_slot(struct kprobe *p) { kprobe_opcode_t *addr = p->ainsn.xol_insn; -- 2.47.0

1 week, 2 days

4
5
0 0

[PATCH v2] ACPI: battery: prevent sysfs_add_battery re-entry on rapid events

by GuangFei Luo

v2: - Fix missing mutex_unlock in acpi_battery_update() (Reported-by: kernel test robot) When removing and reinserting the laptop battery, ACPI can trigger two notifications in quick succession: - ACPI_BATTERY_NOTIFY_STATUS (0x80) - ACPI_BATTERY_NOTIFY_INFO (0x81) Both notifications call acpi_battery_update(). Because the events happen very close in time, sysfs_add_battery() can be re-entered before battery->bat is set, causing a duplicate sysfs entry error. This patch ensures that sysfs_add_battery() is not re-entered when battery->bat is already non-NULL, preventing the duplicate sysfs creation and stabilizing battery hotplug handling. [ 476.117945] sysfs: cannot create duplicate filename '/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0A:00/power_supply/BAT1' [ 476.118896] CPU: 1 UID: 0 PID: 185 Comm: kworker/1:4 Kdump: loaded Not tainted 6.12.38+deb13-amd64 #1 Debian 6.12.38-1 [ 476.118903] Hardware name: Gateway NV44 /SJV40-MV , BIOS V1.3121 04/08/2009 [ 476.118906] Workqueue: kacpi_notify acpi_os_execute_deferred [ 476.118917] Call Trace: [ 476.118922] <TASK> [ 476.118929] dump_stack_lvl+0x5d/0x80 [ 476.118938] sysfs_warn_dup.cold+0x17/0x23 [ 476.118943] sysfs_create_dir_ns+0xce/0xe0 [ 476.118952] kobject_add_internal+0xba/0x250 [ 476.118959] kobject_add+0x96/0xc0 [ 476.118964] ? get_device_parent+0xde/0x1e0 [ 476.118970] device_add+0xe2/0x870 [ 476.118975] __power_supply_register.part.0+0x20f/0x3f0 [ 476.118981] ? wake_up_q+0x4e/0x90 [ 476.118990] sysfs_add_battery+0xa4/0x1d0 [battery] [ 476.118998] acpi_battery_update+0x19e/0x290 [battery] [ 476.119002] acpi_battery_notify+0x50/0x120 [battery] [ 476.119006] acpi_ev_notify_dispatch+0x49/0x70 [ 476.119012] acpi_os_execute_deferred+0x1a/0x30 [ 476.119015] process_one_work+0x177/0x330 [ 476.119022] worker_thread+0x251/0x390 [ 476.119026] ? __pfx_worker_thread+0x10/0x10 [ 476.119030] kthread+0xd2/0x100 [ 476.119033] ? __pfx_kthread+0x10/0x10 [ 476.119035] ret_from_fork+0x34/0x50 [ 476.119040] ? __pfx_kthread+0x10/0x10 [ 476.119042] ret_from_fork_asm+0x1a/0x30 [ 476.119049] </TASK> [ 476.142552] kobject: kobject_add_internal failed for BAT1 with -EEXIST, don't try to register things with the same name in the same directory. [ 476.415022] ata1.00: unexpected _GTF length (8) [ 476.428076] sd 0:0:0:0: [sda] Starting disk [ 476.835035] ata1.00: unexpected _GTF length (8) [ 476.839720] ata1.00: configured for UDMA/133 [ 491.328831] sysfs: cannot create duplicate filename '/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0A:00/power_supply/BAT1' [ 491.329720] CPU: 1 UID: 0 PID: 185 Comm: kworker/1:4 Kdump: loaded Not tainted 6.12.38+deb13-amd64 #1 Debian 6.12.38-1 [ 491.329727] Hardware name: Gateway NV44 /SJV40-MV , BIOS V1.3121 04/08/2009 [ 491.329731] Workqueue: kacpi_notify acpi_os_execute_deferred [ 491.329741] Call Trace: [ 491.329745] <TASK> [ 491.329751] dump_stack_lvl+0x5d/0x80 [ 491.329758] sysfs_warn_dup.cold+0x17/0x23 [ 491.329762] sysfs_create_dir_ns+0xce/0xe0 [ 491.329770] kobject_add_internal+0xba/0x250 [ 491.329775] kobject_add+0x96/0xc0 [ 491.329779] ? get_device_parent+0xde/0x1e0 [ 491.329784] device_add+0xe2/0x870 [ 491.329790] __power_supply_register.part.0+0x20f/0x3f0 [ 491.329797] sysfs_add_battery+0xa4/0x1d0 [battery] [ 491.329805] acpi_battery_update+0x19e/0x290 [battery] [ 491.329809] acpi_battery_notify+0x50/0x120 [battery] [ 491.329812] acpi_ev_notify_dispatch+0x49/0x70 [ 491.329817] acpi_os_execute_deferred+0x1a/0x30 [ 491.329820] process_one_work+0x177/0x330 [ 491.329826] worker_thread+0x251/0x390 [ 491.329830] ? __pfx_worker_thread+0x10/0x10 [ 491.329833] kthread+0xd2/0x100 [ 491.329836] ? __pfx_kthread+0x10/0x10 [ 491.329838] ret_from_fork+0x34/0x50 [ 491.329842] ? __pfx_kthread+0x10/0x10 [ 491.329844] ret_from_fork_asm+0x1a/0x30 [ 491.329850] </TASK> [ 491.329855] kobject: kobject_add_internal failed for BAT1 with -EEXIST, don't try to register things with the same name in the same directory. Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/r/202509101620.yI0HZ5gT-lkp@intel.com/ Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Closes: https://lore.kernel.org/r/202509101620.yI0HZ5gT-lkp@intel.com/ Fixes: 508df92d1f8d ("ACPI: battery: register power_supply subdevice only when battery is present") Signed-off-by: GuangFei Luo <luogf2025(a)163.com> Cc: stable(a)vger.kernel.org --- drivers/acpi/battery.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c index 6905b56bf3e4..649185f7a3b1 100644 --- a/drivers/acpi/battery.c +++ b/drivers/acpi/battery.c @@ -1026,11 +1026,15 @@ static int acpi_battery_update(struct acpi_battery *battery, bool resume) return result; acpi_battery_quirks(battery); + mutex_lock(&battery->sysfs_lock); if (!battery->bat) { result = sysfs_add_battery(battery); - if (result) + if (result) { + mutex_unlock(&battery->sysfs_lock); return result; + } } + mutex_unlock(&battery->sysfs_lock); /* * Wakeup the system if battery is critical low -- 2.43.0

1 week, 2 days

3
14
0 0

[PATCH] tty: serial: sh-sci: fix RSCI FIFO overrun handling

by Cosmin Tanislav

The receive error handling code is shared between RSCI and all other SCIF port types, but the RSCI overrun_reg is specified as a memory offset, while for other SCIF types it is an enum value used to index into the sci_port_params->regs array, as mentioned above the sci_serial_in() function. For RSCI, the overrun_reg is CSR (0x48), causing the sci_getreg() call inside the sci_handle_fifo_overrun() function to index outside the bounds of the regs array, which currently has a size of 20, as specified by SCI_NR_REGS. Because of this, we end up accessing memory outside of RSCI's rsci_port_params structure, which, when interpreted as a plat_sci_reg, happens to have a non-zero size, causing the following WARN when sci_serial_in() is called, as the accidental size does not match the supported register sizes. The existence of the overrun_reg needs to be checked because SCIx_SH3_SCIF_REGTYPE has overrun_reg set to SCLSR, but SCLSR is not present in the regs array. Avoid calling sci_getreg() for port types which don't use standard register handling. Use the ops->read_reg() and ops->write_reg() functions to properly read and write registers for RSCI, and change the type of the status variable to accommodate the 32-bit CSR register. sci_getreg() and sci_serial_in() are also called with overrun_reg in the sci_mpxed_interrupt() interrupt handler, but that code path is not used for RSCI, as it does not have a muxed interrupt. ------------[ cut here ]------------ Invalid register access WARNING: CPU: 0 PID: 0 at drivers/tty/serial/sh-sci.c:522 sci_serial_in+0x38/0xac Modules linked in: renesas_usbhs at24 rzt2h_adc industrialio_adc sha256 cfg80211 bluetooth ecdh_generic ecc rfkill fuse drm backlight ipv6 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.17.0-rc1+ #30 PREEMPT Hardware name: Renesas RZ/T2H EVK Board based on r9a09g077m44 (DT) pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : sci_serial_in+0x38/0xac lr : sci_serial_in+0x38/0xac sp : ffff800080003e80 x29: ffff800080003e80 x28: ffff800082195b80 x27: 000000000000000d x26: ffff8000821956d0 x25: 0000000000000000 x24: ffff800082195b80 x23: ffff000180e0d800 x22: 0000000000000010 x21: 0000000000000000 x20: 0000000000000010 x19: ffff000180e72000 x18: 000000000000000a x17: ffff8002bcee7000 x16: ffff800080000000 x15: 0720072007200720 x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720 x11: 0000000000000058 x10: 0000000000000018 x9 : ffff8000821a6a48 x8 : 0000000000057fa8 x7 : 0000000000000406 x6 : ffff8000821fea48 x5 : ffff00033ef88408 x4 : ffff8002bcee7000 x3 : ffff800082195b80 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff800082195b80 Call trace: sci_serial_in+0x38/0xac (P) sci_handle_fifo_overrun.isra.0+0x70/0x134 sci_er_interrupt+0x50/0x39c __handle_irq_event_percpu+0x48/0x140 handle_irq_event+0x44/0xb0 handle_fasteoi_irq+0xf4/0x1a0 handle_irq_desc+0x34/0x58 generic_handle_domain_irq+0x1c/0x28 gic_handle_irq+0x4c/0x140 call_on_irq_stack+0x30/0x48 do_interrupt_handler+0x80/0x84 el1_interrupt+0x34/0x68 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x6c/0x70 default_idle_call+0x28/0x58 (P) do_idle+0x1f8/0x250 cpu_startup_entry+0x34/0x3c rest_init+0xd8/0xe0 console_on_rootfs+0x0/0x6c __primary_switched+0x88/0x90 ---[ end trace 0000000000000000 ]--- Cc: stable(a)vger.kernel.org Fixes: 0666e3fe95ab ("serial: sh-sci: Add support for RZ/T2H SCI") Signed-off-by: Cosmin Tanislav <cosmin-gabriel.tanislav.xa(a)renesas.com> --- drivers/tty/serial/sh-sci.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c index 538b2f991609..62bb62b82cbe 100644 --- a/drivers/tty/serial/sh-sci.c +++ b/drivers/tty/serial/sh-sci.c @@ -1014,16 +1014,18 @@ static int sci_handle_fifo_overrun(struct uart_port *port) struct sci_port *s = to_sci_port(port); const struct plat_sci_reg *reg; int copied = 0; - u16 status; + u32 status; - reg = sci_getreg(port, s->params->overrun_reg); - if (!reg->size) - return 0; + if (s->type != SCI_PORT_RSCI) { + reg = sci_getreg(port, s->params->overrun_reg); + if (!reg->size) + return 0; + } - status = sci_serial_in(port, s->params->overrun_reg); + status = s->ops->read_reg(port, s->params->overrun_reg); if (status & s->params->overrun_mask) { status &= ~s->params->overrun_mask; - sci_serial_out(port, s->params->overrun_reg, status); + s->ops->write_reg(port, s->params->overrun_reg, status); port->icount.overrun++; -- 2.51.0

1 week, 2 days

1
0
0 0

[PATCH 5/5] drm/mediatek: ovl_adaptor: fix probe device leaks

by Johan Hovold

Make sure to drop the references taken to the component devices by of_find_device_by_node() during probe on probe failure (e.g. probe deferral) and on driver unbind. Fixes: 453c3364632a ("drm/mediatek: Add ovl_adaptor support for MT8195") Cc: stable(a)vger.kernel.org # 6.4 Cc: Nancy.Lin <nancy.lin(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/gpu/drm/mediatek/mtk_disp_ovl_adaptor.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/gpu/drm/mediatek/mtk_disp_ovl_adaptor.c b/drivers/gpu/drm/mediatek/mtk_disp_ovl_adaptor.c index fe97bb97e004..c0af3e3b51d5 100644 --- a/drivers/gpu/drm/mediatek/mtk_disp_ovl_adaptor.c +++ b/drivers/gpu/drm/mediatek/mtk_disp_ovl_adaptor.c @@ -527,6 +527,13 @@ bool mtk_ovl_adaptor_is_comp_present(struct device_node *node) type == OVL_ADAPTOR_TYPE_PADDING; } +static void ovl_adaptor_put_device(void *_dev) +{ + struct device *dev = _dev; + + put_device(dev); +} + static int ovl_adaptor_comp_init(struct device *dev, struct component_match **match) { struct mtk_disp_ovl_adaptor *priv = dev_get_drvdata(dev); @@ -560,6 +567,11 @@ static int ovl_adaptor_comp_init(struct device *dev, struct component_match **ma if (!comp_pdev) return -EPROBE_DEFER; + ret = devm_add_action_or_reset(dev, ovl_adaptor_put_device, + &comp_pdev->dev); + if (ret) + return ret; + priv->ovl_adaptor_comp[id] = &comp_pdev->dev; drm_of_component_match_add(dev, match, component_compare_of, node); -- 2.49.1

1 week, 2 days

1
0
0 0

[PATCH 4/5] drm/mediatek: mtk_hdmi: fix probe device leaks

by Johan Hovold

Make sure to drop the references to the DDC adapter and CEC device taken during probe on probe failure (e.g. probe deferral) and on driver unbind. Fixes: 8f83f26891e1 ("drm/mediatek: Add HDMI support") Cc: stable(a)vger.kernel.org # 4.8 Cc: Jie Qiu <jie.qiu(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/gpu/drm/mediatek/mtk_hdmi.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/drivers/gpu/drm/mediatek/mtk_hdmi.c b/drivers/gpu/drm/mediatek/mtk_hdmi.c index b766dd5e6c8d..306e2c907311 100644 --- a/drivers/gpu/drm/mediatek/mtk_hdmi.c +++ b/drivers/gpu/drm/mediatek/mtk_hdmi.c @@ -1345,6 +1345,13 @@ static const struct drm_bridge_funcs mtk_hdmi_bridge_funcs = { .edid_read = mtk_hdmi_bridge_edid_read, }; +static void mtk_hdmi_put_device(void *_dev) +{ + struct device *dev = _dev; + + put_device(dev); +} + static int mtk_hdmi_get_cec_dev(struct mtk_hdmi *hdmi, struct device *dev, struct device_node *np) { struct platform_device *cec_pdev; @@ -1369,6 +1376,10 @@ static int mtk_hdmi_get_cec_dev(struct mtk_hdmi *hdmi, struct device *dev, struc } of_node_put(cec_np); + ret = devm_add_action_or_reset(dev, mtk_hdmi_put_device, &cec_pdev->dev); + if (ret) + return ret; + /* * The mediatek,syscon-hdmi property contains a phandle link to the * MMSYS_CONFIG device and the register offset of the HDMI_SYS_CFG @@ -1423,6 +1434,10 @@ static int mtk_hdmi_dt_parse_pdata(struct mtk_hdmi *hdmi, if (!hdmi->ddc_adpt) return dev_err_probe(dev, -EINVAL, "Failed to get ddc i2c adapter by node\n"); + ret = devm_add_action_or_reset(dev, mtk_hdmi_put_device, &hdmi->ddc_adpt->dev); + if (ret) + return ret; + ret = mtk_hdmi_get_cec_dev(hdmi, dev, np); if (ret) return ret; -- 2.49.1

1 week, 2 days

1
0
0 0

[PATCH 3/5] drm/mediatek: fix probe device leaks

by Johan Hovold

Make sure to drop the reference taken to each component device during probe on probe failure (e.g. probe deferral) and on driver unbind. Fixes: 6ea6f8276725 ("drm/mediatek: Use correct device pointer to get CMDQ client register") Cc: stable(a)vger.kernel.org # 5.12 Cc: Chun-Kuang Hu <chunkuang.hu(a)kernel.org> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/gpu/drm/mediatek/mtk_ddp_comp.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/drivers/gpu/drm/mediatek/mtk_ddp_comp.c b/drivers/gpu/drm/mediatek/mtk_ddp_comp.c index 31d67a131c50..9672ea1f91a2 100644 --- a/drivers/gpu/drm/mediatek/mtk_ddp_comp.c +++ b/drivers/gpu/drm/mediatek/mtk_ddp_comp.c @@ -621,6 +621,13 @@ int mtk_find_possible_crtcs(struct drm_device *drm, struct device *dev) return ret; } +static void mtk_ddp_comp_put_device(void *_dev) +{ + struct device *dev = _dev; + + put_device(dev); +} + static void mtk_ddp_comp_clk_put(void *_clk) { struct clk *clk = _clk; @@ -656,6 +663,10 @@ int mtk_ddp_comp_init(struct device *dev, struct device_node *node, struct mtk_d } comp->dev = &comp_pdev->dev; + ret = devm_add_action_or_reset(dev, mtk_ddp_comp_put_device, comp->dev); + if (ret) + return ret; + if (type == MTK_DISP_AAL || type == MTK_DISP_BLS || type == MTK_DISP_CCORR || -- 2.49.1

1 week, 2 days

1
0
0 0

[PATCH 2/5] drm/mediatek: fix probe memory leak

by Johan Hovold

The Mediatek DRM driver allocates private data for components without a platform driver but as the lifetime is tied to each component device, the memory is never freed. Tie the allocation lifetime to the DRM platform device so that the memory is released on probe failure (e.g. probe deferral) and when the driver is unbound. Fixes: c0d36de868a6 ("drm/mediatek: Move clk info from struct mtk_ddp_comp to sub driver private data") Cc: stable(a)vger.kernel.org # 5.12 Cc: CK Hu <ck.hu(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/gpu/drm/mediatek/mtk_ddp_comp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/mediatek/mtk_ddp_comp.c b/drivers/gpu/drm/mediatek/mtk_ddp_comp.c index 0264017806ad..31d67a131c50 100644 --- a/drivers/gpu/drm/mediatek/mtk_ddp_comp.c +++ b/drivers/gpu/drm/mediatek/mtk_ddp_comp.c @@ -671,7 +671,7 @@ int mtk_ddp_comp_init(struct device *dev, struct device_node *node, struct mtk_d type == MTK_DSI) return 0; - priv = devm_kzalloc(comp->dev, sizeof(*priv), GFP_KERNEL); + priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL); if (!priv) return -ENOMEM; -- 2.49.1

1 week, 2 days

1
0
0 0

[PATCH 1/5] drm/mediatek: fix probe resource leaks

by Johan Hovold

Make sure to unmap and release the component iomap and clock on probe failure (e.g. probe deferral) and on driver unbind. Note that unlike of_iomap(), devm_of_iomap() also checks whether the region is already mapped. Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.") Cc: stable(a)vger.kernel.org # 4.7 Cc: CK Hu <ck.hu(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/gpu/drm/mediatek/mtk_ddp_comp.c | 20 ++++++++++++++++---- drivers/gpu/drm/mediatek/mtk_ddp_comp.h | 2 +- drivers/gpu/drm/mediatek/mtk_drm_drv.c | 4 ++-- 3 files changed, 19 insertions(+), 7 deletions(-) diff --git a/drivers/gpu/drm/mediatek/mtk_ddp_comp.c b/drivers/gpu/drm/mediatek/mtk_ddp_comp.c index ac6620e10262..0264017806ad 100644 --- a/drivers/gpu/drm/mediatek/mtk_ddp_comp.c +++ b/drivers/gpu/drm/mediatek/mtk_ddp_comp.c @@ -621,15 +621,20 @@ int mtk_find_possible_crtcs(struct drm_device *drm, struct device *dev) return ret; } -int mtk_ddp_comp_init(struct device_node *node, struct mtk_ddp_comp *comp, +static void mtk_ddp_comp_clk_put(void *_clk) +{ + struct clk *clk = _clk; + + clk_put(clk); +} + +int mtk_ddp_comp_init(struct device *dev, struct device_node *node, struct mtk_ddp_comp *comp, unsigned int comp_id) { struct platform_device *comp_pdev; enum mtk_ddp_comp_type type; struct mtk_ddp_comp_dev *priv; -#if IS_REACHABLE(CONFIG_MTK_CMDQ) int ret; -#endif if (comp_id >= DDP_COMPONENT_DRM_ID_MAX) return -EINVAL; @@ -670,11 +675,18 @@ int mtk_ddp_comp_init(struct device_node *node, struct mtk_ddp_comp *comp, if (!priv) return -ENOMEM; - priv->regs = of_iomap(node, 0); + priv->regs = devm_of_iomap(dev, node, 0, NULL); + if (IS_ERR(priv->regs)) + return PTR_ERR(priv->regs); + priv->clk = of_clk_get(node, 0); if (IS_ERR(priv->clk)) return PTR_ERR(priv->clk); + ret = devm_add_action_or_reset(dev, mtk_ddp_comp_clk_put, priv->clk); + if (ret) + return ret; + #if IS_REACHABLE(CONFIG_MTK_CMDQ) ret = cmdq_dev_get_client_reg(comp->dev, &priv->cmdq_reg, 0); if (ret) diff --git a/drivers/gpu/drm/mediatek/mtk_ddp_comp.h b/drivers/gpu/drm/mediatek/mtk_ddp_comp.h index 7289b3dcf22f..3f3d43f4330d 100644 --- a/drivers/gpu/drm/mediatek/mtk_ddp_comp.h +++ b/drivers/gpu/drm/mediatek/mtk_ddp_comp.h @@ -350,7 +350,7 @@ static inline void mtk_ddp_comp_encoder_index_set(struct mtk_ddp_comp *comp) int mtk_ddp_comp_get_id(struct device_node *node, enum mtk_ddp_comp_type comp_type); int mtk_find_possible_crtcs(struct drm_device *drm, struct device *dev); -int mtk_ddp_comp_init(struct device_node *comp_node, struct mtk_ddp_comp *comp, +int mtk_ddp_comp_init(struct device *dev, struct device_node *comp_node, struct mtk_ddp_comp *comp, unsigned int comp_id); enum mtk_ddp_comp_type mtk_ddp_comp_get_type(unsigned int comp_id); void mtk_ddp_write(struct cmdq_pkt *cmdq_pkt, unsigned int value, diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c index eb5537f0ac90..384b0510272c 100644 --- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c +++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c @@ -1133,7 +1133,7 @@ static int mtk_drm_probe(struct platform_device *pdev) (void *)private->mmsys_dev, sizeof(*private->mmsys_dev)); private->ddp_comp[DDP_COMPONENT_DRM_OVL_ADAPTOR].dev = &ovl_adaptor->dev; - mtk_ddp_comp_init(NULL, &private->ddp_comp[DDP_COMPONENT_DRM_OVL_ADAPTOR], + mtk_ddp_comp_init(dev, NULL, &private->ddp_comp[DDP_COMPONENT_DRM_OVL_ADAPTOR], DDP_COMPONENT_DRM_OVL_ADAPTOR); component_match_add(dev, &match, compare_dev, &ovl_adaptor->dev); } @@ -1199,7 +1199,7 @@ static int mtk_drm_probe(struct platform_device *pdev) node); } - ret = mtk_ddp_comp_init(node, &private->ddp_comp[comp_id], comp_id); + ret = mtk_ddp_comp_init(dev, node, &private->ddp_comp[comp_id], comp_id); if (ret) { of_node_put(node); goto err_node; -- 2.49.1

1 week, 2 days

1
0
0 0

[PATCH] fbcon: fix buffer overflow in fbcon_set_font

by Simon Richter

Commit 1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe introduced overflow checking for the font allocation size calculation, but in doing so moved the addition of the size for font housekeeping data out of the kmalloc call. As a result, the calculated size now includes those extra bytes, which marks the same number of bytes beyond the allocation as valid font data. The crc32() call and the later memcmp() in fbcon_set_font() already perform an out-of-bounds read, the latter is flagged on ppc64el: memcmp: detected buffer overflow: 4112 byte read of buffer size 4096 when loading Lat15-Fixed16.psf.gz. Since the addition of the extra size should only go into the kmalloc() call, calculate this size in a separate variable. Signed-off-by: Simon Richter <Simon.Richter(a)hogyros.de> Fixes: 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font") Cc: stable <stable(a)vger.kernel.org> #v5.9+ --- drivers/video/fbdev/core/fbcon.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index 5fade44931b8..a3fbf42c57d9 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -2518,7 +2518,7 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font, unsigned charcount = font->charcount; int w = font->width; int h = font->height; - int size; + int size, allocsize; int i, csum; u8 *new_data, *data = font->data; int pitch = PITCH(font->width); @@ -2551,10 +2551,10 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font, return -EINVAL; /* Check for overflow in allocation size calculation */ - if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size)) + if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &allocsize)) return -EINVAL; - new_data = kmalloc(size, GFP_USER); + new_data = kmalloc(allocsize, GFP_USER); if (!new_data) return -ENOMEM; -- 2.47.3

1 week, 2 days

2
1
0 0

[PATCH] media: c8sectpfe: fix probe device leaks

by Johan Hovold

Make sure to drop the references taken to the I2C adapters during probe on probe failure (e.g. probe deferral) and on driver unbind. Fixes: c5f5d0f99794 ("[media] c8sectpfe: STiH407/10 Linux DVB demux support") Cc: stable(a)vger.kernel.org # 4.3 Cc: Peter Griffin <peter.griffin(a)linaro.org> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- .../media/platform/st/sti/c8sectpfe/c8sectpfe-core.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/media/platform/st/sti/c8sectpfe/c8sectpfe-core.c b/drivers/media/platform/st/sti/c8sectpfe/c8sectpfe-core.c index 89bd15a4d26a..3f94d9b4ef1e 100644 --- a/drivers/media/platform/st/sti/c8sectpfe/c8sectpfe-core.c +++ b/drivers/media/platform/st/sti/c8sectpfe/c8sectpfe-core.c @@ -655,6 +655,13 @@ static irqreturn_t c8sectpfe_error_irq_handler(int irq, void *priv) return IRQ_HANDLED; } +static void c8sectpfe_put_device(void *_dev) +{ + struct device *dev = _dev; + + put_device(dev); +} + static int c8sectpfe_probe(struct platform_device *pdev) { struct device *dev = &pdev->dev; @@ -799,6 +806,11 @@ static int c8sectpfe_probe(struct platform_device *pdev) return -ENODEV; } + ret = devm_add_action_or_reset(dev, c8sectpfe_put_device, + &tsin->i2c_adapter->dev); + if (ret) + return ret; + /* Acquire reset GPIO and activate it */ tsin->rst_gpio = devm_fwnode_gpiod_get(dev, of_fwnode_handle(child), -- 2.49.1

1 week, 2 days

1
0
0 0

[PATCH v2] irqchip/sifive-plic: avoid interrupt ID 0 handling during suspend/resume

by Lucas Zampieri

According to the PLIC specification[1], global interrupt sources are assigned small unsigned integer identifiers beginning at the value 1. An interrupt ID of 0 is reserved to mean "no interrupt". The current plic_irq_resume() and plic_irq_suspend() functions incorrectly start the loop from index 0, which accesses the register space for the reserved interrupt ID 0. Change the loop to start from index 1, skipping the reserved interrupt ID 0 as per the PLIC specification. This prevents potential undefined behavior when accessing the reserved register space during suspend/resume cycles. Link: https://github.com/riscv/riscv-plic-spec/releases/tag/1.0.0 Fixes: e80f0b6a2cf3 ("irqchip/irq-sifive-plic: Add syscore callbacks for hibernation") Co-developed-by: Jia Wang <wangjia(a)ultrarisc.com> Signed-off-by: Jia Wang <wangjia(a)ultrarisc.com> Co-developed-by: Charles Mirabile <cmirabil(a)redhat.com> Signed-off-by: Charles Mirabile <cmirabil(a)redhat.com> Signed-off-by: Lucas Zampieri <lzampier(a)redhat.com> --- drivers/irqchip/irq-sifive-plic.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/irqchip/irq-sifive-plic.c b/drivers/irqchip/irq-sifive-plic.c index bf69a4802b71e..9c4af7d588463 100644 --- a/drivers/irqchip/irq-sifive-plic.c +++ b/drivers/irqchip/irq-sifive-plic.c @@ -252,7 +252,8 @@ static int plic_irq_suspend(void) priv = per_cpu_ptr(&plic_handlers, smp_processor_id())->priv; - for (i = 0; i < priv->nr_irqs; i++) { + /* irq ID 0 is reserved */ + for (i = 1; i < priv->nr_irqs; i++) { __assign_bit(i, priv->prio_save, readl(priv->regs + PRIORITY_BASE + i * PRIORITY_PER_ID)); } @@ -283,7 +284,8 @@ static void plic_irq_resume(void) priv = per_cpu_ptr(&plic_handlers, smp_processor_id())->priv; - for (i = 0; i < priv->nr_irqs; i++) { + /* irq ID 0 is reserved */ + for (i = 1; i < priv->nr_irqs; i++) { index = BIT_WORD(i); writel((priv->prio_save[index] & BIT_MASK(i)) ? 1 : 0, priv->regs + PRIORITY_BASE + i * PRIORITY_PER_ID); -- 2.51.0

1 week, 2 days

2
1
0 0

[PATCH] tpm: Use -EPERM as fallback error code in tpm_ret_to_err

by Jarkko Sakkinen

From: Jarkko Sakkinen <jarkko.sakkinen(a)opinsys.com> Using -EFAULT here was not the best idea for tpm_ret_to_err as the fallback error code as it is no concise with trusted keys. Change the fallback as -EPERM, process TPM_RC_HASH also in tpm_ret_to_err, and by these changes make the helper applicable for trusted keys. Cc: stable(a)vger.kernel.org # v6.15+ Fixes: 539fbab37881 ("tpm: Mask TPM RC in tpm2_start_auth_session()") Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen(a)opinsys.com> --- include/linux/tpm.h | 9 +++++--- security/keys/trusted-keys/trusted_tpm2.c | 26 ++++++----------------- 2 files changed, 13 insertions(+), 22 deletions(-) diff --git a/include/linux/tpm.h b/include/linux/tpm.h index dc0338a783f3..667d290789ca 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -449,13 +449,16 @@ static inline ssize_t tpm_ret_to_err(ssize_t ret) if (ret < 0) return ret; - switch (tpm2_rc_value(ret)) { - case TPM2_RC_SUCCESS: + if (!ret) return 0; + + switch (tpm2_rc_value(ret)) { case TPM2_RC_SESSION_MEMORY: return -ENOMEM; + case TPM2_RC_HASH: + return -EINVAL; default: - return -EFAULT; + return -EPERM; } } diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c index 024be262702f..e165b117bbca 100644 --- a/security/keys/trusted-keys/trusted_tpm2.c +++ b/security/keys/trusted-keys/trusted_tpm2.c @@ -348,25 +348,19 @@ int tpm2_seal_trusted(struct tpm_chip *chip, } blob_len = tpm2_key_encode(payload, options, &buf.data[offset], blob_len); + if (blob_len < 0) + rc = blob_len; out: tpm_buf_destroy(&sized); tpm_buf_destroy(&buf); - if (rc > 0) { - if (tpm2_rc_value(rc) == TPM2_RC_HASH) - rc = -EINVAL; - else - rc = -EPERM; - } - if (blob_len < 0) - rc = blob_len; - else + if (!rc) payload->blob_len = blob_len; out_put: tpm_put_ops(chip); - return rc; + return tpm_ret_to_err(rc); } /** @@ -468,10 +462,7 @@ static int tpm2_load_cmd(struct tpm_chip *chip, kfree(blob); tpm_buf_destroy(&buf); - if (rc > 0) - rc = -EPERM; - - return rc; + return tpm_ret_to_err(rc); } /** @@ -534,8 +525,6 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip, tpm_buf_fill_hmac_session(chip, &buf); rc = tpm_transmit_cmd(chip, &buf, 6, "unsealing"); rc = tpm_buf_check_hmac_response(chip, &buf, rc); - if (rc > 0) - rc = -EPERM; if (!rc) { data_len = be16_to_cpup( @@ -568,7 +557,7 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip, out: tpm_buf_destroy(&buf); - return rc; + return tpm_ret_to_err(rc); } /** @@ -600,6 +589,5 @@ int tpm2_unseal_trusted(struct tpm_chip *chip, out: tpm_put_ops(chip); - - return rc; + return tpm_ret_to_err(rc); } -- 2.39.5

1 week, 2 days

2
2
0 0

[PATCH v3] powerpc/smp: Add check for kcalloc() failure in parse_thread_groups()

by Guangshuo Li

As kcalloc() may fail, check its return value to avoid a NULL pointer dereference when passing it to of_property_read_u32_array(). Fixes: 790a1662d3a26 ("powerpc/smp: Parse ibm,thread-groups with multiple properties") Cc: stable(a)vger.kernel.org Reviewed-by: Christophe Leroy <christophe.leroy(a)csgroup.eu> Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- changelog: v3: - Move Signed-off-by above the '---' separator. - No code changes. changelog: v2: - Return -ENOMEM directly on allocation failure. --- arch/powerpc/kernel/smp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c index 5ac7084eebc0..cfccb9389760 100644 --- a/arch/powerpc/kernel/smp.c +++ b/arch/powerpc/kernel/smp.c @@ -822,6 +822,8 @@ static int parse_thread_groups(struct device_node *dn, count = of_property_count_u32_elems(dn, "ibm,thread-groups"); thread_group_array = kcalloc(count, sizeof(u32), GFP_KERNEL); + if (!thread_group_array) + return -ENOMEM; ret = of_property_read_u32_array(dn, "ibm,thread-groups", thread_group_array, count); if (ret) -- 2.43.0

1 week, 2 days

1
0
0 0

[PATCH v3 0/2] dc395x: fix compiler warnings and improve formatting of the macros

by Xinhui Yang

This series of patches clears the compiler warnings for the dc395x driver. The first patch introduces a new macro that casts the value returned by a read operation to void, since some values returned by some specific read operations (which just simply clears the FIFO buffer or resets the interrupt status) can be ignored. Creating a new macro that casts the return value to void to fix the warning. During the fix, checkpatch.pl complained about missing whitespace between macro arguments and missing parentheses around complex expressions. To align with the changes in the first patch, the formatting of macros above and below the introduced macro are also fixed. Since in Patch v2 [1] Bart pointed out that such change can't be made to the stable tree, the patch is splitted to two parts. --- Changes since v2 [1]: - Split the patch into two parts, the first one fixes the warning, and the second one improves the formatting of the surrounding macros. - Make the description of the formatting changes more clear. Changes since v1 [2]: - Add Cc: tag to include this patch to the stable tree. - Add additional description about the formatting changes. [1]: https://lore.kernel.org/linux-scsi/20250922152609.827311-1-cyan@cyano.uk/ [2]: https://lore.kernel.org/linux-scsi/20250922143619.824129-1-cyan@cyano.uk/ --- Xinhui Yang (2): scsi: dc395x: correctly discard the return value in certain reads scsi: dc395x: improve code formatting for the macros drivers/scsi/dc395x.c | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) -- 2.51.0

1 week, 2 days

3
5
0 0

[PATCH v4] ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()

by Ma Ke

wcd934x_codec_parse_data() contains a device reference count leak in of_slim_get_device() where device_find_child() increases the reference count of the device but this reference is not properly decreased in the success path. Add put_device() in wcd934x_codec_parse_data() and add devm_add_action_or_reset() in the probe function, which ensures that the reference count of the device is correctly managed. Memory leak in regmap_init_slimbus() as the allocated regmap is not released when the device is removed. Using devm_regmap_init_slimbus() instead of regmap_init_slimbus() to ensure automatic regmap cleanup on device removal. Calling path: of_slim_get_device() -> of_find_slim_device() -> device_find_child(). As comment of device_find_child() says, 'NOTE: you will need to drop the reference with put_device() after use.'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: a61f3b4f476e ("ASoC: wcd934x: add support to wcd9340/wcd9341 codec") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v4: - removed the redundant NULL check as put_device() can handle the NULL dev; Changes in v3: - added a wrapper function due to the warning report from kernel test robot; Changes in v2: - modified the handling in the success path and fixed the memory leak for regmap as suggestions. --- sound/soc/codecs/wcd934x.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/sound/soc/codecs/wcd934x.c b/sound/soc/codecs/wcd934x.c index 1bb7e1dc7e6b..e92939068bf7 100644 --- a/sound/soc/codecs/wcd934x.c +++ b/sound/soc/codecs/wcd934x.c @@ -5831,6 +5831,13 @@ static const struct snd_soc_component_driver wcd934x_component_drv = { .endianness = 1, }; +static void wcd934x_put_device_action(void *data) +{ + struct device *dev = data; + + put_device(dev); +} + static int wcd934x_codec_parse_data(struct wcd934x_codec *wcd) { struct device *dev = &wcd->sdev->dev; @@ -5847,11 +5854,13 @@ static int wcd934x_codec_parse_data(struct wcd934x_codec *wcd) return dev_err_probe(dev, -EINVAL, "Unable to get SLIM Interface device\n"); slim_get_logical_addr(wcd->sidev); - wcd->if_regmap = regmap_init_slimbus(wcd->sidev, + wcd->if_regmap = devm_regmap_init_slimbus(wcd->sidev, &wcd934x_ifc_regmap_config); - if (IS_ERR(wcd->if_regmap)) + if (IS_ERR(wcd->if_regmap)) { + put_device(&wcd->sidev->dev); return dev_err_probe(dev, PTR_ERR(wcd->if_regmap), "Failed to allocate ifc register map\n"); + } of_property_read_u32(dev->parent->of_node, "qcom,dmic-sample-rate", &wcd->dmic_sample_rate); @@ -5893,6 +5902,10 @@ static int wcd934x_codec_probe(struct platform_device *pdev) if (ret) return ret; + ret = devm_add_action_or_reset(dev, wcd934x_put_device_action, &wcd->sidev->dev); + if (ret) + return ret; + /* set default rate 9P6MHz */ regmap_update_bits(wcd->regmap, WCD934X_CODEC_RPM_CLK_MCLK_CFG, WCD934X_CODEC_RPM_CLK_MCLK_CFG_MCLK_MASK, -- 2.17.1

1 week, 2 days

3
2
0 0

[PATCH 0/2] media: verisilicon: Fix Hantro G2 handling of invalid DPB index

by Nicolas Dufresne

First patch hardens the IRQ handler so the driver can resume after hitting bus errors (presumably AXI errors). This will reduce the risk of having to reboot the system in order to recover. The second patch actually fix the issue, ensuring the decoder won't be instructed to use address 0x0 as a reference anymore. The issues was discovered using GStreamer. A bug in the userspace lead to skippable (RASL) frames not being skipped if its past reference are missing. This will happen when seeking inside a video that makes use of this GOP configuration. The probably could also have been hit in lossy streaming use cases, such as WebRTC. The JCT-VC-HEVC_V1 ITU tests still results in 141/147 with two concurrent decoders. Signed-off-by: Nicolas Dufresne <nicolas.dufresne(a)collabora.com> --- Nicolas Dufresne (2): media: verisilicon: Fix CPU stalls on G2 bus error media: verisilicon: Protect G2 HEVC decoder against invalid DPB index drivers/media/platform/verisilicon/hantro_g2.c | 88 +++++++++++++++++----- .../platform/verisilicon/hantro_g2_hevc_dec.c | 17 ++++- .../media/platform/verisilicon/hantro_g2_regs.h | 13 ++++ .../media/platform/verisilicon/hantro_g2_vp9_dec.c | 2 - drivers/media/platform/verisilicon/hantro_hw.h | 1 + drivers/media/platform/verisilicon/imx8m_vpu_hw.c | 2 + 6 files changed, 98 insertions(+), 25 deletions(-) --- base-commit: 40b7a19f321e65789612ebaca966472055dab48c change-id: 20250919-imx8mq-hantro-g2-hang-cb04dcd07a84 Best regards, -- Nicolas Dufresne <nicolas.dufresne(a)collabora.com>

1 week, 2 days

2
4
0 0

[PATCH v3] crypto: caam: Add check for kcalloc() in test_len()

by Guangshuo Li

As kcalloc() may fail, check its return value to avoid a NULL pointer dereference when passing the buffer to rng->read(). On allocation failure, log the error and return since test_len() returns void. Fixes: 2be0d806e25e ("crypto: caam - add a test for the RNG") Cc: stable(a)vger.kernel.org Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- changelog: v3: - Fix build error: test_len() returns void; return without a value. - No functional changes beyond the allocation failure path. v2: - Return on allocation failure to avoid possible NULL dereference. --- drivers/crypto/caam/caamrng.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/crypto/caam/caamrng.c b/drivers/crypto/caam/caamrng.c index b3d14a7f4dd1..0eb43c862516 100644 --- a/drivers/crypto/caam/caamrng.c +++ b/drivers/crypto/caam/caamrng.c @@ -181,7 +181,9 @@ static inline void test_len(struct hwrng *rng, size_t len, bool wait) struct device *dev = ctx->ctrldev; buf = kcalloc(CAAM_RNG_MAX_FIFO_STORE_SIZE, sizeof(u8), GFP_KERNEL); - + if (!buf) { + return; + } while (len > 0) { read_len = rng->read(rng, buf, len, wait); -- 2.43.0

1 week, 2 days

1
0
0 0

[PATCH v3] ASoC: mediatek: mt8365: Add check for devm_kcalloc() in mt8365_afe_suspend()

by Guangshuo Li

devm_kcalloc() may fail. mt8365_afe_suspend() uses afe->reg_back_up unconditionally after allocation and writes afe->reg_back_up[i], which can lead to a NULL pointer dereference under low-memory conditions. Add a NULL check and bail out with -ENOMEM, making sure to disable the main clock before returning to keep clock state balanced. Fixes: e1991d102bc2 ("ASoC: mediatek: mt8365: Add the AFE driver support") Cc: stable(a)vger.kernel.org Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- changelog: v3: - Move the Signed-off-by line above the '---' separator. - Restore the original spacing/indentation in the devm_kcalloc() continuation line. - No functional changes. v2: - Return -ENOMEM directly on allocation failure without goto/label. - Disable the main clock before returning to keep clock state balanced. --- sound/soc/mediatek/mt8365/mt8365-afe-pcm.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c b/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c index 10793bbe9275..570fb10c306d 100644 --- a/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c +++ b/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c @@ -1975,11 +1975,15 @@ static int mt8365_afe_suspend(struct device *dev) mt8365_afe_enable_main_clk(afe); - if (!afe->reg_back_up) + if (!afe->reg_back_up) { afe->reg_back_up = devm_kcalloc(dev, afe->reg_back_up_list_num, sizeof(unsigned int), GFP_KERNEL); - + if (!afe->reg_back_up) { + mt8365_afe_disable_main_clk(afe); + return -ENOMEM; + } + } for (i = 0; i < afe->reg_back_up_list_num; i++) regmap_read(regmap, afe->reg_back_up_list[i], &afe->reg_back_up[i]); -- 2.43.0

1 week, 2 days

1
0
0 0

patch "iio: imu: inv_icm42600: Avoid configuring if already pm_runtime" added to char-misc-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: imu: inv_icm42600: Avoid configuring if already pm_runtime to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. From 466f7a2fef2a4e426f809f79845a1ec1aeb558f4 Mon Sep 17 00:00:00 2001 From: Sean Nyekjaer <sean(a)geanix.com> Date: Mon, 1 Sep 2025 09:49:15 +0200 Subject: iio: imu: inv_icm42600: Avoid configuring if already pm_runtime suspended Do as in suspend, skip resume configuration steps if the device is already pm_runtime suspended. This avoids reconfiguring a device that is already in the correct low-power state and ensures that pm_runtime handles the power state transitions properly. Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver") Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> Link: https://patch.msgid.link/20250901-icm42pmreg-v3-3-ef1336246960@geanix.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c index 41b275ecc7e2..ee780f530dc8 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c @@ -837,17 +837,15 @@ static int inv_icm42600_suspend(struct device *dev) struct device *accel_dev; bool wakeup; int accel_conf; - int ret; + int ret = 0; mutex_lock(&st->lock); st->suspended.gyro = st->conf.gyro.mode; st->suspended.accel = st->conf.accel.mode; st->suspended.temp = st->conf.temp_en; - if (pm_runtime_suspended(dev)) { - ret = 0; + if (pm_runtime_suspended(dev)) goto out_unlock; - } /* disable FIFO data streaming */ if (st->fifo.on) { @@ -900,10 +898,13 @@ static int inv_icm42600_resume(struct device *dev) struct inv_icm42600_sensor_state *accel_st = iio_priv(st->indio_accel); struct device *accel_dev; bool wakeup; - int ret; + int ret = 0; mutex_lock(&st->lock); + if (pm_runtime_suspended(dev)) + goto out_unlock; + /* check wakeup capability */ accel_dev = &st->indio_accel->dev; wakeup = st->apex.on && device_may_wakeup(accel_dev); -- 2.51.0

1 week, 2 days

1
0
0 0

patch "iio: imu: inv_icm42600: Simplify pm_runtime setup" added to char-misc-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: imu: inv_icm42600: Simplify pm_runtime setup to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. From 0792c1984a45ccd7a296d6b8cb78088bc99a212e Mon Sep 17 00:00:00 2001 From: Sean Nyekjaer <sean(a)geanix.com> Date: Mon, 1 Sep 2025 09:49:13 +0200 Subject: iio: imu: inv_icm42600: Simplify pm_runtime setup Rework the power management in inv_icm42600_core_probe() to use devm_pm_runtime_set_active_enabled(), which simplifies the runtime PM setup by handling activation and enabling in one step. Remove the separate inv_icm42600_disable_pm callback, as it's no longer needed with the devm-managed approach. Using devm_pm_runtime_enable() also fixes the missing disable of autosuspend. Update inv_icm42600_disable_vddio_reg() to only disable the regulator if the device is not suspended i.e. powered-down, preventing unbalanced disables. Also remove redundant error msg on regulator_disable(), the regulator framework already emits an error message when regulator_disable() fails. This simplifies the PM setup and avoids manipulating the usage counter unnecessarily. Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver") Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> Link: https://patch.msgid.link/20250901-icm42pmreg-v3-1-ef1336246960@geanix.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- .../iio/imu/inv_icm42600/inv_icm42600_core.c | 24 ++++++------------- 1 file changed, 7 insertions(+), 17 deletions(-) diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c index a4d42e7e2180..76d8e4f14d87 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c @@ -711,20 +711,12 @@ static void inv_icm42600_disable_vdd_reg(void *_data) static void inv_icm42600_disable_vddio_reg(void *_data) { struct inv_icm42600_state *st = _data; - const struct device *dev = regmap_get_device(st->map); - int ret; + struct device *dev = regmap_get_device(st->map); - ret = regulator_disable(st->vddio_supply); - if (ret) - dev_err(dev, "failed to disable vddio error %d\n", ret); -} + if (pm_runtime_status_suspended(dev)) + return; -static void inv_icm42600_disable_pm(void *_data) -{ - struct device *dev = _data; - - pm_runtime_put_sync(dev); - pm_runtime_disable(dev); + regulator_disable(st->vddio_supply); } int inv_icm42600_core_probe(struct regmap *regmap, int chip, @@ -824,16 +816,14 @@ int inv_icm42600_core_probe(struct regmap *regmap, int chip, return ret; /* setup runtime power management */ - ret = pm_runtime_set_active(dev); + ret = devm_pm_runtime_set_active_enabled(dev); if (ret) return ret; - pm_runtime_get_noresume(dev); - pm_runtime_enable(dev); + pm_runtime_set_autosuspend_delay(dev, INV_ICM42600_SUSPEND_DELAY_MS); pm_runtime_use_autosuspend(dev); - pm_runtime_put(dev); - return devm_add_action_or_reset(dev, inv_icm42600_disable_pm, dev); + return ret; } EXPORT_SYMBOL_NS_GPL(inv_icm42600_core_probe, "IIO_ICM42600"); -- 2.51.0

1 week, 2 days

1
0
0 0

patch "iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in" added to char-misc-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. From a95a0b4e471a6d8860f40c6ac8f1cad9dde3189a Mon Sep 17 00:00:00 2001 From: Sean Nyekjaer <sean(a)geanix.com> Date: Mon, 1 Sep 2025 09:49:14 +0200 Subject: iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in resume Remove unnecessary calls to pm_runtime_disable(), pm_runtime_set_active(), and pm_runtime_enable() from the resume path. These operations are not required here and can interfere with proper pm_runtime state handling, especially when resuming from a pm_runtime suspended state. Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver") Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> Link: https://patch.msgid.link/20250901-icm42pmreg-v3-2-ef1336246960@geanix.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c index 76d8e4f14d87..41b275ecc7e2 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c @@ -917,10 +917,6 @@ static int inv_icm42600_resume(struct device *dev) goto out_unlock; } - pm_runtime_disable(dev); - pm_runtime_set_active(dev); - pm_runtime_enable(dev); - /* restore sensors state */ ret = inv_icm42600_set_pwr_mgmt0(st, st->suspended.gyro, st->suspended.accel, -- 2.51.0

1 week, 2 days

1
0
0 0

patch "iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in" added to char-misc-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the char-misc-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. From a95a0b4e471a6d8860f40c6ac8f1cad9dde3189a Mon Sep 17 00:00:00 2001 From: Sean Nyekjaer <sean(a)geanix.com> Date: Mon, 1 Sep 2025 09:49:14 +0200 Subject: iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in resume Remove unnecessary calls to pm_runtime_disable(), pm_runtime_set_active(), and pm_runtime_enable() from the resume path. These operations are not required here and can interfere with proper pm_runtime state handling, especially when resuming from a pm_runtime suspended state. Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver") Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> Link: https://patch.msgid.link/20250901-icm42pmreg-v3-2-ef1336246960@geanix.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c index 76d8e4f14d87..41b275ecc7e2 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c @@ -917,10 +917,6 @@ static int inv_icm42600_resume(struct device *dev) goto out_unlock; } - pm_runtime_disable(dev); - pm_runtime_set_active(dev); - pm_runtime_enable(dev); - /* restore sensors state */ ret = inv_icm42600_set_pwr_mgmt0(st, st->suspended.gyro, st->suspended.accel, -- 2.51.0

1 week, 2 days

1
0
0 0

patch "iio: imu: inv_icm42600: Avoid configuring if already pm_runtime" added to char-misc-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: imu: inv_icm42600: Avoid configuring if already pm_runtime to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the char-misc-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. From 466f7a2fef2a4e426f809f79845a1ec1aeb558f4 Mon Sep 17 00:00:00 2001 From: Sean Nyekjaer <sean(a)geanix.com> Date: Mon, 1 Sep 2025 09:49:15 +0200 Subject: iio: imu: inv_icm42600: Avoid configuring if already pm_runtime suspended Do as in suspend, skip resume configuration steps if the device is already pm_runtime suspended. This avoids reconfiguring a device that is already in the correct low-power state and ensures that pm_runtime handles the power state transitions properly. Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver") Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> Link: https://patch.msgid.link/20250901-icm42pmreg-v3-3-ef1336246960@geanix.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c index 41b275ecc7e2..ee780f530dc8 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c @@ -837,17 +837,15 @@ static int inv_icm42600_suspend(struct device *dev) struct device *accel_dev; bool wakeup; int accel_conf; - int ret; + int ret = 0; mutex_lock(&st->lock); st->suspended.gyro = st->conf.gyro.mode; st->suspended.accel = st->conf.accel.mode; st->suspended.temp = st->conf.temp_en; - if (pm_runtime_suspended(dev)) { - ret = 0; + if (pm_runtime_suspended(dev)) goto out_unlock; - } /* disable FIFO data streaming */ if (st->fifo.on) { @@ -900,10 +898,13 @@ static int inv_icm42600_resume(struct device *dev) struct inv_icm42600_sensor_state *accel_st = iio_priv(st->indio_accel); struct device *accel_dev; bool wakeup; - int ret; + int ret = 0; mutex_lock(&st->lock); + if (pm_runtime_suspended(dev)) + goto out_unlock; + /* check wakeup capability */ accel_dev = &st->indio_accel->dev; wakeup = st->apex.on && device_may_wakeup(accel_dev); -- 2.51.0

1 week, 2 days

1
0
0 0

patch "iio: imu: inv_icm42600: Simplify pm_runtime setup" added to char-misc-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: imu: inv_icm42600: Simplify pm_runtime setup to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the char-misc-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. From 0792c1984a45ccd7a296d6b8cb78088bc99a212e Mon Sep 17 00:00:00 2001 From: Sean Nyekjaer <sean(a)geanix.com> Date: Mon, 1 Sep 2025 09:49:13 +0200 Subject: iio: imu: inv_icm42600: Simplify pm_runtime setup Rework the power management in inv_icm42600_core_probe() to use devm_pm_runtime_set_active_enabled(), which simplifies the runtime PM setup by handling activation and enabling in one step. Remove the separate inv_icm42600_disable_pm callback, as it's no longer needed with the devm-managed approach. Using devm_pm_runtime_enable() also fixes the missing disable of autosuspend. Update inv_icm42600_disable_vddio_reg() to only disable the regulator if the device is not suspended i.e. powered-down, preventing unbalanced disables. Also remove redundant error msg on regulator_disable(), the regulator framework already emits an error message when regulator_disable() fails. This simplifies the PM setup and avoids manipulating the usage counter unnecessarily. Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver") Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> Link: https://patch.msgid.link/20250901-icm42pmreg-v3-1-ef1336246960@geanix.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- .../iio/imu/inv_icm42600/inv_icm42600_core.c | 24 ++++++------------- 1 file changed, 7 insertions(+), 17 deletions(-) diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c index a4d42e7e2180..76d8e4f14d87 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c @@ -711,20 +711,12 @@ static void inv_icm42600_disable_vdd_reg(void *_data) static void inv_icm42600_disable_vddio_reg(void *_data) { struct inv_icm42600_state *st = _data; - const struct device *dev = regmap_get_device(st->map); - int ret; + struct device *dev = regmap_get_device(st->map); - ret = regulator_disable(st->vddio_supply); - if (ret) - dev_err(dev, "failed to disable vddio error %d\n", ret); -} + if (pm_runtime_status_suspended(dev)) + return; -static void inv_icm42600_disable_pm(void *_data) -{ - struct device *dev = _data; - - pm_runtime_put_sync(dev); - pm_runtime_disable(dev); + regulator_disable(st->vddio_supply); } int inv_icm42600_core_probe(struct regmap *regmap, int chip, @@ -824,16 +816,14 @@ int inv_icm42600_core_probe(struct regmap *regmap, int chip, return ret; /* setup runtime power management */ - ret = pm_runtime_set_active(dev); + ret = devm_pm_runtime_set_active_enabled(dev); if (ret) return ret; - pm_runtime_get_noresume(dev); - pm_runtime_enable(dev); + pm_runtime_set_autosuspend_delay(dev, INV_ICM42600_SUSPEND_DELAY_MS); pm_runtime_use_autosuspend(dev); - pm_runtime_put(dev); - return devm_add_action_or_reset(dev, inv_icm42600_disable_pm, dev); + return ret; } EXPORT_SYMBOL_NS_GPL(inv_icm42600_core_probe, "IIO_ICM42600"); -- 2.51.0

1 week, 2 days

1
0
0 0

[PATCHSET RFC v5 1/8] fuse: general bug fixes

by Darrick J. Wong

Hi all, Here's a collection of fixes that I *think* are bugs in fuse, along with some scattered improvements. If you're going to start using this code, I strongly recommend pulling from my git trees, which are linked below. This has been running on the djcloud for months with no problems. Enjoy! Comments and questions are, as always, welcome. --D kernel git tree: https://git.kernel.org/cgit/linux/kernel/git/djwong/xfs-linux.git/log/?h=fu… --- Commits in this patchset: * fuse: fix livelock in synchronous file put from fuseblk workers * fuse: flush pending fuse events before aborting the connection * fuse: capture the unique id of fuse commands being sent * fuse: signal that a fuse filesystem should exhibit local fs behaviors * fuse: implement file attributes mask for statx * fuse: update file mode when updating acls * fuse: propagate default and file acls on creation * fuse: enable FUSE_SYNCFS for all fuseblk servers --- fs/fuse/fuse_i.h | 55 +++++++++++++++++++++++++++ fs/fuse/acl.c | 105 +++++++++++++++++++++++++++++++++++++++++++++++++++ fs/fuse/dev.c | 60 +++++++++++++++++++++++++++-- fs/fuse/dev_uring.c | 4 +- fs/fuse/dir.c | 96 +++++++++++++++++++++++++++++++++++------------ fs/fuse/file.c | 8 +++- fs/fuse/inode.c | 17 ++++++++ fs/fuse/virtio_fs.c | 3 - 8 files changed, 314 insertions(+), 34 deletions(-)

1 week, 2 days

2
2
0 0

[PATCH v2] crypto: caam: Add check for kcalloc() in test_len()

by Guangshuo Li

As kcalloc() may fail, check its return value to avoid a NULL pointer dereference when passing the buffer to rng->read(). Fixes: 2be0d806e25e ("crypto: caam - add a test for the RNG") Cc: stable(a)vger.kernel.org --- changelog: v2: - Return -ENOMEM directly on allocation failure. Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- drivers/crypto/caam/caamrng.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/crypto/caam/caamrng.c b/drivers/crypto/caam/caamrng.c index b3d14a7f4dd1..357860ee532c 100644 --- a/drivers/crypto/caam/caamrng.c +++ b/drivers/crypto/caam/caamrng.c @@ -182,6 +182,9 @@ static inline void test_len(struct hwrng *rng, size_t len, bool wait) buf = kcalloc(CAAM_RNG_MAX_FIFO_STORE_SIZE, sizeof(u8), GFP_KERNEL); + if (!buf) { + return -ENOMEM; + } while (len > 0) { read_len = rng->read(rng, buf, len, wait); -- 2.43.0

1 week, 2 days

2
2
0 0

[PATCH] crypto: zero initialize memory allocated via sock_kmalloc

by Shivani Agarwal

Several crypto user API contexts and requests allocated with sock_kmalloc() were left uninitialized, relying on callers to set fields explicitly. This resulted in the use of uninitialized data in certain error paths or when new fields are added in the future. The ACVP patches also contain two user-space interface files: algif_kpp.c and algif_akcipher.c. These too rely on proper initialization of their context structures. A particular issue has been observed with the newly added 'inflight' variable introduced in af_alg_ctx by commit: 67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests") Because the context is not memset to zero after allocation, the inflight variable has contained garbage values. As a result, af_alg_alloc_areq() has incorrectly returned -EBUSY randomly when the garbage value was interpreted as true: https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209 The check directly tests ctx->inflight without explicitly comparing against true/false. Since inflight is only ever set to true or false later, an uninitialized value has triggered -EBUSY failures. Zero-initializing memory allocated with sock_kmalloc() ensures inflight and other fields start in a known state, removing random issues caused by uninitialized data. Fixes: fe869cdb89c9 ("crypto: algif_hash - User-space interface for hash operations") Fixes: 5afdfd22e6ba ("crypto: algif_rng - add random number generator support") Fixes: 2d97591ef43d ("crypto: af_alg - consolidation of duplicate code") Fixes: 99bd99d3e3a7 ("crypto: algif_skcipher - Fix stream cipher chaining") Fixes: 67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests") Cc: stable(a)vger.kernel.org Signed-off-by: Shivani Agarwal <shivani.agarwal(a)broadcom.com> --- crypto/af_alg.c | 5 ++--- crypto/algif_hash.c | 3 +-- crypto/algif_rng.c | 3 +-- crypto/algif_skcipher.c | 1 + 4 files changed, 5 insertions(+), 7 deletions(-) diff --git a/crypto/af_alg.c b/crypto/af_alg.c index ca6fdcc6c54a..6c271e55f44d 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -1212,15 +1212,14 @@ struct af_alg_async_req *af_alg_alloc_areq(struct sock *sk, if (unlikely(!areq)) return ERR_PTR(-ENOMEM); + memset(areq, 0, areqlen); + ctx->inflight = true; areq->areqlen = areqlen; areq->sk = sk; areq->first_rsgl.sgl.sgt.sgl = areq->first_rsgl.sgl.sgl; - areq->last_rsgl = NULL; INIT_LIST_HEAD(&areq->rsgl_list); - areq->tsgl = NULL; - areq->tsgl_entries = 0; return areq; } diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c index e3f1a4852737..4d3dfc60a16a 100644 --- a/crypto/algif_hash.c +++ b/crypto/algif_hash.c @@ -416,9 +416,8 @@ static int hash_accept_parent_nokey(void *private, struct sock *sk) if (!ctx) return -ENOMEM; - ctx->result = NULL; + memset(ctx, 0, len); ctx->len = len; - ctx->more = false; crypto_init_wait(&ctx->wait); ask->private = ctx; diff --git a/crypto/algif_rng.c b/crypto/algif_rng.c index 10c41adac3b1..1a86e40c8372 100644 --- a/crypto/algif_rng.c +++ b/crypto/algif_rng.c @@ -248,9 +248,8 @@ static int rng_accept_parent(void *private, struct sock *sk) if (!ctx) return -ENOMEM; + memset(ctx, 0, len); ctx->len = len; - ctx->addtl = NULL; - ctx->addtl_len = 0; /* * No seeding done at that point -- if multiple accepts are diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c index 125d395c5e00..f4ce5473324f 100644 --- a/crypto/algif_skcipher.c +++ b/crypto/algif_skcipher.c @@ -70,6 +70,7 @@ static int algif_skcipher_export(struct sock *sk, struct skcipher_request *req) if (!ctx->state) return -ENOMEM; + memset(ctx->state, 0, statesize); err = crypto_skcipher_export(req, ctx->state); if (err) { sock_kzfree_s(sk, ctx->state, statesize); -- 2.40.4

1 week, 2 days

2
1
0 0

FAILED: patch "[PATCH] mm: folio_may_be_lru_cached() unless folio_test_large()" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 2da6de30e60dd9bb14600eff1cc99df2fa2ddae3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092142-easiness-blatancy-23af@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2da6de30e60dd9bb14600eff1cc99df2fa2ddae3 Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Mon, 8 Sep 2025 15:23:15 -0700 Subject: [PATCH] mm: folio_may_be_lru_cached() unless folio_test_large() mm/swap.c and mm/mlock.c agree to drain any per-CPU batch as soon as a large folio is added: so collect_longterm_unpinnable_folios() just wastes effort when calling lru_add_drain[_all]() on a large folio. But although there is good reason not to batch up PMD-sized folios, we might well benefit from batching a small number of low-order mTHPs (though unclear how that "small number" limitation will be implemented). So ask if folio_may_be_lru_cached() rather than !folio_test_large(), to insulate those particular checks from future change. Name preferred to "folio_is_batchable" because large folios can well be put on a batch: it's just the per-CPU LRU caches, drained much later, which need care. Marked for stable, to counter the increase in lru_add_drain_all()s from "mm/gup: check ref_count instead of lru before migration". Link: https://lkml.kernel.org/r/57d2eaf8-3607-f318-e0c5-be02dce61ad0@google.com Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: Hugh Dickins <hughd(a)google.com> Suggested-by: David Hildenbrand <david(a)redhat.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: Will Deacon <will(a)kernel.org> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/swap.h b/include/linux/swap.h index 2fe6ed2cc3fd..7012a0f758d8 100644 --- a/include/linux/swap.h +++ b/include/linux/swap.h @@ -385,6 +385,16 @@ void folio_add_lru_vma(struct folio *, struct vm_area_struct *); void mark_page_accessed(struct page *); void folio_mark_accessed(struct folio *); +static inline bool folio_may_be_lru_cached(struct folio *folio) +{ + /* + * Holding PMD-sized folios in per-CPU LRU cache unbalances accounting. + * Holding small numbers of low-order mTHP folios in per-CPU LRU cache + * will be sensible, but nobody has implemented and tested that yet. + */ + return !folio_test_large(folio); +} + extern atomic_t lru_disable_count; static inline bool lru_cache_disabled(void) diff --git a/mm/gup.c b/mm/gup.c index b47066a54f52..0bc4d140fc07 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2307,13 +2307,13 @@ static unsigned long collect_longterm_unpinnable_folios( continue; } - if (drained == 0 && + if (drained == 0 && folio_may_be_lru_cached(folio) && folio_ref_count(folio) != folio_expected_ref_count(folio) + 1) { lru_add_drain(); drained = 1; } - if (drained == 1 && + if (drained == 1 && folio_may_be_lru_cached(folio) && folio_ref_count(folio) != folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); diff --git a/mm/mlock.c b/mm/mlock.c index a1d93ad33c6d..bb0776f5ef7c 100644 --- a/mm/mlock.c +++ b/mm/mlock.c @@ -255,7 +255,7 @@ void mlock_folio(struct folio *folio) folio_get(folio); if (!folio_batch_add(fbatch, mlock_lru(folio)) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } @@ -278,7 +278,7 @@ void mlock_new_folio(struct folio *folio) folio_get(folio); if (!folio_batch_add(fbatch, mlock_new(folio)) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } @@ -299,7 +299,7 @@ void munlock_folio(struct folio *folio) */ folio_get(folio); if (!folio_batch_add(fbatch, folio) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } diff --git a/mm/swap.c b/mm/swap.c index 6ae2d5680574..b74ebe865dd9 100644 --- a/mm/swap.c +++ b/mm/swap.c @@ -192,7 +192,7 @@ static void __folio_batch_add_and_move(struct folio_batch __percpu *fbatch, local_lock(&cpu_fbatches.lock); if (!folio_batch_add(this_cpu_ptr(fbatch), folio) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) folio_batch_move_lru(this_cpu_ptr(fbatch), move_fn); if (disable_irq)

1 week, 2 days

5
6
0 0

[PATCH v5 1/3] drm/buddy: Optimize free block management with RB tree

by Arunpravin Paneer Selvam

Replace the freelist (O(n)) used for free block management with a red-black tree, providing more efficient O(log n) search, insert, and delete operations. This improves scalability and performance when managing large numbers of free blocks per order (e.g., hundreds or thousands). In the VK-CTS memory stress subtest, the buddy manager merges fragmented memory and inserts freed blocks into the freelist. Since freelist insertion is O(n), this becomes a bottleneck as fragmentation increases. Benchmarking shows list_insert_sorted() consumes ~52.69% CPU with the freelist, compared to just 0.03% with the RB tree (rbtree_insert.isra.0), despite performing the same sorted insert. This also improves performance in heavily fragmented workloads, such as games or graphics tests that stress memory. As the buddy allocator evolves with new features such as clear-page tracking, the resulting fragmentation and complexity have grown. These RB-tree based design changes are introduced to address that growth and ensure the allocator continues to perform efficiently under fragmented conditions. The RB tree implementation with separate clear/dirty trees provides: - O(n log n) aggregate complexity for all operations instead of O(n^2) - Elimination of soft lockups and system instability - Improved code maintainability and clarity - Better scalability for large memory systems - Predictable performance under fragmentation v3(Matthew): - Remove RB_EMPTY_NODE check in force_merge function. - Rename rb for loop macros to have less generic names and move to .c file. - Make the rb node rb and link field as union. v4(Jani Nikula): - The kernel-doc comment should be "/**" - Move all the rbtree macros to rbtree.h and add parens to ensure correct precedence. v5: - Remove the inline in a .c file (Jani Nikula). Cc: stable(a)vger.kernel.org Signed-off-by: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam(a)amd.com> --- drivers/gpu/drm/drm_buddy.c | 142 ++++++++++++++++++++++-------------- include/drm/drm_buddy.h | 9 ++- include/linux/rbtree.h | 56 ++++++++++++++ 3 files changed, 152 insertions(+), 55 deletions(-) diff --git a/drivers/gpu/drm/drm_buddy.c b/drivers/gpu/drm/drm_buddy.c index a94061f373de..8b340f47f73d 100644 --- a/drivers/gpu/drm/drm_buddy.c +++ b/drivers/gpu/drm/drm_buddy.c @@ -31,6 +31,8 @@ static struct drm_buddy_block *drm_block_alloc(struct drm_buddy *mm, block->header |= order; block->parent = parent; + RB_CLEAR_NODE(&block->rb); + BUG_ON(block->header & DRM_BUDDY_HEADER_UNUSED); return block; } @@ -41,23 +43,53 @@ static void drm_block_free(struct drm_buddy *mm, kmem_cache_free(slab_blocks, block); } -static void list_insert_sorted(struct drm_buddy *mm, - struct drm_buddy_block *block) +static void rbtree_insert(struct drm_buddy *mm, + struct drm_buddy_block *block) { + struct rb_root *root = &mm->free_tree[drm_buddy_block_order(block)]; + struct rb_node **link = &root->rb_node; + struct rb_node *parent = NULL; struct drm_buddy_block *node; - struct list_head *head; + u64 offset; + + offset = drm_buddy_block_offset(block); - head = &mm->free_list[drm_buddy_block_order(block)]; - if (list_empty(head)) { - list_add(&block->link, head); - return; + while (*link) { + parent = *link; + node = rb_entry(parent, struct drm_buddy_block, rb); + + if (offset < drm_buddy_block_offset(node)) + link = &parent->rb_left; + else + link = &parent->rb_right; } - list_for_each_entry(node, head, link) - if (drm_buddy_block_offset(block) < drm_buddy_block_offset(node)) - break; + rb_link_node(&block->rb, parent, link); + rb_insert_color(&block->rb, root); +} + +static void rbtree_remove(struct drm_buddy *mm, + struct drm_buddy_block *block) +{ + struct rb_root *root; + + root = &mm->free_tree[drm_buddy_block_order(block)]; + rb_erase(&block->rb, root); + + RB_CLEAR_NODE(&block->rb); +} + +static struct drm_buddy_block * +rbtree_last_entry(struct drm_buddy *mm, unsigned int order) +{ + struct rb_node *node = rb_last(&mm->free_tree[order]); - __list_add(&block->link, node->link.prev, &node->link); + return node ? rb_entry(node, struct drm_buddy_block, rb) : NULL; +} + +static bool rbtree_is_empty(struct drm_buddy *mm, unsigned int order) +{ + return RB_EMPTY_ROOT(&mm->free_tree[order]); } static void clear_reset(struct drm_buddy_block *block) @@ -70,12 +102,13 @@ static void mark_cleared(struct drm_buddy_block *block) block->header |= DRM_BUDDY_HEADER_CLEAR; } -static void mark_allocated(struct drm_buddy_block *block) +static void mark_allocated(struct drm_buddy *mm, + struct drm_buddy_block *block) { block->header &= ~DRM_BUDDY_HEADER_STATE; block->header |= DRM_BUDDY_ALLOCATED; - list_del(&block->link); + rbtree_remove(mm, block); } static void mark_free(struct drm_buddy *mm, @@ -84,15 +117,16 @@ static void mark_free(struct drm_buddy *mm, block->header &= ~DRM_BUDDY_HEADER_STATE; block->header |= DRM_BUDDY_FREE; - list_insert_sorted(mm, block); + rbtree_insert(mm, block); } -static void mark_split(struct drm_buddy_block *block) +static void mark_split(struct drm_buddy *mm, + struct drm_buddy_block *block) { block->header &= ~DRM_BUDDY_HEADER_STATE; block->header |= DRM_BUDDY_SPLIT; - list_del(&block->link); + rbtree_remove(mm, block); } static inline bool overlaps(u64 s1, u64 e1, u64 s2, u64 e2) @@ -148,7 +182,7 @@ static unsigned int __drm_buddy_free(struct drm_buddy *mm, mark_cleared(parent); } - list_del(&buddy->link); + rbtree_remove(mm, buddy); if (force_merge && drm_buddy_block_is_clear(buddy)) mm->clear_avail -= drm_buddy_block_size(mm, buddy); @@ -179,9 +213,11 @@ static int __force_merge(struct drm_buddy *mm, return -EINVAL; for (i = min_order - 1; i >= 0; i--) { - struct drm_buddy_block *block, *prev; + struct drm_buddy_block *block, *prev_block, *first_block; + + first_block = rb_entry(rb_first(&mm->free_tree[i]), struct drm_buddy_block, rb); - list_for_each_entry_safe_reverse(block, prev, &mm->free_list[i], link) { + rbtree_reverse_for_each_entry_safe(block, prev_block, &mm->free_tree[i], rb) { struct drm_buddy_block *buddy; u64 block_start, block_end; @@ -206,10 +242,14 @@ static int __force_merge(struct drm_buddy *mm, * block in the next iteration as we would free the * buddy block as part of the free function. */ - if (prev == buddy) - prev = list_prev_entry(prev, link); + if (prev_block && prev_block == buddy) { + if (prev_block != first_block) + prev_block = rb_entry(rb_prev(&prev_block->rb), + struct drm_buddy_block, + rb); + } - list_del(&block->link); + rbtree_remove(mm, block); if (drm_buddy_block_is_clear(block)) mm->clear_avail -= drm_buddy_block_size(mm, block); @@ -258,14 +298,14 @@ int drm_buddy_init(struct drm_buddy *mm, u64 size, u64 chunk_size) BUG_ON(mm->max_order > DRM_BUDDY_MAX_ORDER); - mm->free_list = kmalloc_array(mm->max_order + 1, - sizeof(struct list_head), + mm->free_tree = kmalloc_array(mm->max_order + 1, + sizeof(struct rb_root), GFP_KERNEL); - if (!mm->free_list) + if (!mm->free_tree) return -ENOMEM; for (i = 0; i <= mm->max_order; ++i) - INIT_LIST_HEAD(&mm->free_list[i]); + mm->free_tree[i] = RB_ROOT; mm->n_roots = hweight64(size); @@ -273,7 +313,7 @@ int drm_buddy_init(struct drm_buddy *mm, u64 size, u64 chunk_size) sizeof(struct drm_buddy_block *), GFP_KERNEL); if (!mm->roots) - goto out_free_list; + goto out_free_tree; offset = 0; i = 0; @@ -312,8 +352,8 @@ int drm_buddy_init(struct drm_buddy *mm, u64 size, u64 chunk_size) while (i--) drm_block_free(mm, mm->roots[i]); kfree(mm->roots); -out_free_list: - kfree(mm->free_list); +out_free_tree: + kfree(mm->free_tree); return -ENOMEM; } EXPORT_SYMBOL(drm_buddy_init); @@ -323,7 +363,7 @@ EXPORT_SYMBOL(drm_buddy_init); * * @mm: DRM buddy manager to free * - * Cleanup memory manager resources and the freelist + * Cleanup memory manager resources and the freetree */ void drm_buddy_fini(struct drm_buddy *mm) { @@ -350,7 +390,7 @@ void drm_buddy_fini(struct drm_buddy *mm) WARN_ON(mm->avail != mm->size); kfree(mm->roots); - kfree(mm->free_list); + kfree(mm->free_tree); } EXPORT_SYMBOL(drm_buddy_fini); @@ -383,7 +423,7 @@ static int split_block(struct drm_buddy *mm, clear_reset(block); } - mark_split(block); + mark_split(mm, block); return 0; } @@ -412,7 +452,7 @@ EXPORT_SYMBOL(drm_get_buddy); * @is_clear: blocks clear state * * Reset the clear state based on @is_clear value for each block - * in the freelist. + * in the freetree. */ void drm_buddy_reset_clear(struct drm_buddy *mm, bool is_clear) { @@ -433,7 +473,7 @@ void drm_buddy_reset_clear(struct drm_buddy *mm, bool is_clear) for (i = 0; i <= mm->max_order; ++i) { struct drm_buddy_block *block; - list_for_each_entry_reverse(block, &mm->free_list[i], link) { + rbtree_reverse_for_each_entry(block, &mm->free_tree[i], rb) { if (is_clear != drm_buddy_block_is_clear(block)) { if (is_clear) { mark_cleared(block); @@ -641,7 +681,7 @@ get_maxblock(struct drm_buddy *mm, unsigned int order, for (i = order; i <= mm->max_order; ++i) { struct drm_buddy_block *tmp_block; - list_for_each_entry_reverse(tmp_block, &mm->free_list[i], link) { + rbtree_reverse_for_each_entry(tmp_block, &mm->free_tree[i], rb) { if (block_incompatible(tmp_block, flags)) continue; @@ -667,7 +707,7 @@ get_maxblock(struct drm_buddy *mm, unsigned int order, } static struct drm_buddy_block * -alloc_from_freelist(struct drm_buddy *mm, +alloc_from_freetree(struct drm_buddy *mm, unsigned int order, unsigned long flags) { @@ -684,7 +724,7 @@ alloc_from_freelist(struct drm_buddy *mm, for (tmp = order; tmp <= mm->max_order; ++tmp) { struct drm_buddy_block *tmp_block; - list_for_each_entry_reverse(tmp_block, &mm->free_list[tmp], link) { + rbtree_reverse_for_each_entry(tmp_block, &mm->free_tree[tmp], rb) { if (block_incompatible(tmp_block, flags)) continue; @@ -700,10 +740,8 @@ alloc_from_freelist(struct drm_buddy *mm, if (!block) { /* Fallback method */ for (tmp = order; tmp <= mm->max_order; ++tmp) { - if (!list_empty(&mm->free_list[tmp])) { - block = list_last_entry(&mm->free_list[tmp], - struct drm_buddy_block, - link); + if (!rbtree_is_empty(mm, tmp)) { + block = rbtree_last_entry(mm, tmp); if (block) break; } @@ -771,7 +809,7 @@ static int __alloc_range(struct drm_buddy *mm, if (contains(start, end, block_start, block_end)) { if (drm_buddy_block_is_free(block)) { - mark_allocated(block); + mark_allocated(mm, block); total_allocated += drm_buddy_block_size(mm, block); mm->avail -= drm_buddy_block_size(mm, block); if (drm_buddy_block_is_clear(block)) @@ -849,7 +887,6 @@ static int __alloc_contig_try_harder(struct drm_buddy *mm, { u64 rhs_offset, lhs_offset, lhs_size, filled; struct drm_buddy_block *block; - struct list_head *list; LIST_HEAD(blocks_lhs); unsigned long pages; unsigned int order; @@ -862,11 +899,10 @@ static int __alloc_contig_try_harder(struct drm_buddy *mm, if (order == 0) return -ENOSPC; - list = &mm->free_list[order]; - if (list_empty(list)) + if (rbtree_is_empty(mm, order)) return -ENOSPC; - list_for_each_entry_reverse(block, list, link) { + rbtree_reverse_for_each_entry(block, &mm->free_tree[order], rb) { /* Allocate blocks traversing RHS */ rhs_offset = drm_buddy_block_offset(block); err = __drm_buddy_alloc_range(mm, rhs_offset, size, @@ -976,7 +1012,7 @@ int drm_buddy_block_trim(struct drm_buddy *mm, list_add(&block->tmp_link, &dfs); err = __alloc_range(mm, &dfs, new_start, new_size, blocks, NULL); if (err) { - mark_allocated(block); + mark_allocated(mm, block); mm->avail -= drm_buddy_block_size(mm, block); if (drm_buddy_block_is_clear(block)) mm->clear_avail -= drm_buddy_block_size(mm, block); @@ -999,8 +1035,8 @@ __drm_buddy_alloc_blocks(struct drm_buddy *mm, return __drm_buddy_alloc_range_bias(mm, start, end, order, flags); else - /* Allocate from freelist */ - return alloc_from_freelist(mm, order, flags); + /* Allocate from freetree */ + return alloc_from_freetree(mm, order, flags); } /** @@ -1017,8 +1053,8 @@ __drm_buddy_alloc_blocks(struct drm_buddy *mm, * alloc_range_bias() called on range limitations, which traverses * the tree and returns the desired block. * - * alloc_from_freelist() called when *no* range restrictions - * are enforced, which picks the block from the freelist. + * alloc_from_freetree() called when *no* range restrictions + * are enforced, which picks the block from the freetree. * * Returns: * 0 on success, error code on failure. @@ -1120,7 +1156,7 @@ int drm_buddy_alloc_blocks(struct drm_buddy *mm, } } while (1); - mark_allocated(block); + mark_allocated(mm, block); mm->avail -= drm_buddy_block_size(mm, block); if (drm_buddy_block_is_clear(block)) mm->clear_avail -= drm_buddy_block_size(mm, block); @@ -1204,7 +1240,7 @@ void drm_buddy_print(struct drm_buddy *mm, struct drm_printer *p) struct drm_buddy_block *block; u64 count = 0, free; - list_for_each_entry(block, &mm->free_list[order], link) { + rbtree_for_each_entry(block, &mm->free_tree[order], rb) { BUG_ON(!drm_buddy_block_is_free(block)); count++; } diff --git a/include/drm/drm_buddy.h b/include/drm/drm_buddy.h index 513837632b7d..091823592034 100644 --- a/include/drm/drm_buddy.h +++ b/include/drm/drm_buddy.h @@ -10,6 +10,7 @@ #include <linux/list.h> #include <linux/slab.h> #include <linux/sched.h> +#include <linux/rbtree.h> #include <drm/drm_print.h> @@ -53,7 +54,11 @@ struct drm_buddy_block { * a list, if so desired. As soon as the block is freed with * drm_buddy_free* ownership is given back to the mm. */ - struct list_head link; + union { + struct rb_node rb; + struct list_head link; + }; + struct list_head tmp_link; }; @@ -68,7 +73,7 @@ struct drm_buddy_block { */ struct drm_buddy { /* Maintain a free list for each order. */ - struct list_head *free_list; + struct rb_root *free_tree; /* * Maintain explicit binary tree(s) to track the allocation of the diff --git a/include/linux/rbtree.h b/include/linux/rbtree.h index 8d2ba3749866..17190bb4837c 100644 --- a/include/linux/rbtree.h +++ b/include/linux/rbtree.h @@ -79,6 +79,62 @@ static inline void rb_link_node_rcu(struct rb_node *node, struct rb_node *parent ____ptr ? rb_entry(____ptr, type, member) : NULL; \ }) +/** + * rbtree_for_each_entry - iterate in-order over rb_root of given type + * + * @pos: the 'type *' to use as a loop cursor. + * @root: 'rb_root *' of the rbtree. + * @member: the name of the rb_node field within 'type'. + */ +#define rbtree_for_each_entry(pos, root, member) \ + for ((pos) = rb_entry_safe(rb_first(root), typeof(*(pos)), member); \ + (pos); \ + (pos) = rb_entry_safe(rb_next(&(pos)->member), typeof(*(pos)), member)) + +/** + * rbtree_reverse_for_each_entry - iterate in reverse in-order over rb_root + * of given type + * + * @pos: the 'type *' to use as a loop cursor. + * @root: 'rb_root *' of the rbtree. + * @member: the name of the rb_node field within 'type'. + */ +#define rbtree_reverse_for_each_entry(pos, root, member) \ + for ((pos) = rb_entry_safe(rb_last(root), typeof(*(pos)), member); \ + (pos); \ + (pos) = rb_entry_safe(rb_prev(&(pos)->member), typeof(*(pos)), member)) + +/** + * rbtree_for_each_entry_safe - iterate in-order over rb_root safe against removal + * + * @pos: the 'type *' to use as a loop cursor + * @n: another 'type *' to use as temporary storage + * @root: 'rb_root *' of the rbtree + * @member: the name of the rb_node field within 'type' + */ +#define rbtree_for_each_entry_safe(pos, n, root, member) \ + for ((pos) = rb_entry_safe(rb_first(root), typeof(*(pos)), member), \ + (n) = (pos) ? rb_entry_safe(rb_next(&(pos)->member), typeof(*(pos)), member) : NULL; \ + (pos); \ + (pos) = (n), \ + (n) = (pos) ? rb_entry_safe(rb_next(&(pos)->member), typeof(*(pos)), member) : NULL) + +/** + * rbtree_reverse_for_each_entry_safe - iterate in reverse in-order over rb_root + * safe against removal + * + * @pos: the struct type * to use as a loop cursor. + * @n: another struct type * to use as temporary storage. + * @root: pointer to struct rb_root to iterate. + * @member: name of the rb_node field within the struct. + */ +#define rbtree_reverse_for_each_entry_safe(pos, n, root, member) \ + for ((pos) = rb_entry_safe(rb_last(root), typeof(*(pos)), member), \ + (n) = (pos) ? rb_entry_safe(rb_prev(&(pos)->member), typeof(*(pos)), member) : NULL; \ + (pos); \ + (pos) = (n), \ + (n) = (pos) ? rb_entry_safe(rb_prev(&(pos)->member), typeof(*(pos)), member) : NULL) + /** * rbtree_postorder_for_each_entry_safe - iterate in post-order over rb_root of * given type allowing the backing memory of @pos to be invalidated base-commit: 7156602d56e5ad689ae11e03680ab6326238b5e3 -- 2.34.1

1 week, 2 days

4
7
0 0

[PATCH] ASoC: mediatek: mt8365: Add check for devm_kcalloc() in mt8365_afe_suspend()

by Guangshuo Li

devm_kcalloc() may fail. mt8365_afe_suspend() uses afe->reg_back_up unconditionally after allocation and writes afe->reg_back_up[i], which can lead to a NULL pointer dereference under low-memory conditions. Add a NULL check and bail out with -ENOMEM, making sure to disable the main clock via the existing error path to keep clock state balanced. Fixes: e1991d102bc2 ("ASoC: mediatek: mt8365: Add the AFE driver support") Cc: stable(a)vger.kernel.org Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- sound/soc/mediatek/mt8365/mt8365-afe-pcm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c b/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c index 10793bbe9275..eaeb14e1fce9 100644 --- a/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c +++ b/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c @@ -1979,6 +1979,10 @@ static int mt8365_afe_suspend(struct device *dev) afe->reg_back_up = devm_kcalloc(dev, afe->reg_back_up_list_num, sizeof(unsigned int), GFP_KERNEL); + if (!afe->reg_back_up) { + mt8365_afe_disable_main_clk(afe); + return -ENOMEM; + } for (i = 0; i < afe->reg_back_up_list_num; i++) regmap_read(regmap, afe->reg_back_up_list[i], -- 2.43.0

1 week, 2 days

3
3
0 0

[PATCH v3] staging: gpib: Fix device reference leak in fmh_gpib driver

by Ma Ke

The fmh_gpib driver contains a device reference count leak in fmh_gpib_attach_impl() where driver_find_device() increases the reference count of the device by get_device() when matching but this reference is not properly decreased. Add put_device() in fmh_gpib_detach(), which ensures that the reference count of the device is correctly managed. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 8e4841a0888c ("staging: gpib: Add Frank Mori Hess FPGA PCI GPIB driver") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v3: - deleted the redundant put_device() to avoid double free as suggestions; Changes in v2: - modified the free operations as suggestions. Thanks for dan carpenter's instructions. --- drivers/staging/gpib/fmh_gpib/fmh_gpib.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/staging/gpib/fmh_gpib/fmh_gpib.c b/drivers/staging/gpib/fmh_gpib/fmh_gpib.c index 4138f3d2bae7..efce01b39b9b 100644 --- a/drivers/staging/gpib/fmh_gpib/fmh_gpib.c +++ b/drivers/staging/gpib/fmh_gpib/fmh_gpib.c @@ -1517,6 +1517,11 @@ void fmh_gpib_detach(struct gpib_board *board) resource_size(e_priv->gpib_iomem_res)); } fmh_gpib_generic_detach(board); + + if (board->dev) { + put_device(board->dev); + board->dev = NULL; + } } static int fmh_gpib_pci_attach_impl(struct gpib_board *board, -- 2.17.1

1 week, 2 days

2
1
0 0

[PATCH v3] ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()

by Ma Ke

wcd934x_codec_parse_data() contains a device reference count leak in of_slim_get_device() where device_find_child() increases the reference count of the device but this reference is not properly decreased in the success path. Add put_device() in wcd934x_codec_parse_data() and add devm_add_action_or_reset() in the probe function, which ensures that the reference count of the device is correctly managed. Memory leak in regmap_init_slimbus() as the allocated regmap is not released when the device is removed. Using devm_regmap_init_slimbus() instead of regmap_init_slimbus() to ensure automatic regmap cleanup on device removal. Calling path: of_slim_get_device() -> of_find_slim_device() -> device_find_child(). As comment of device_find_child() says, 'NOTE: you will need to drop the reference with put_device() after use.'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: a61f3b4f476e ("ASoC: wcd934x: add support to wcd9340/wcd9341 codec") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v3: - added a wrapper function due to the warning report from kernel test robot; Changes in v2: - modified the handling in the success path and fixed the memory leak for regmap as suggestions. --- sound/soc/codecs/wcd934x.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/sound/soc/codecs/wcd934x.c b/sound/soc/codecs/wcd934x.c index 1bb7e1dc7e6b..d9d8cf64977a 100644 --- a/sound/soc/codecs/wcd934x.c +++ b/sound/soc/codecs/wcd934x.c @@ -5831,6 +5831,15 @@ static const struct snd_soc_component_driver wcd934x_component_drv = { .endianness = 1, }; +static void wcd934x_put_device_action(void *data) +{ + struct device *dev = data; + + if (dev) { + put_device(dev); + } +} + static int wcd934x_codec_parse_data(struct wcd934x_codec *wcd) { struct device *dev = &wcd->sdev->dev; @@ -5847,11 +5856,13 @@ static int wcd934x_codec_parse_data(struct wcd934x_codec *wcd) return dev_err_probe(dev, -EINVAL, "Unable to get SLIM Interface device\n"); slim_get_logical_addr(wcd->sidev); - wcd->if_regmap = regmap_init_slimbus(wcd->sidev, + wcd->if_regmap = devm_regmap_init_slimbus(wcd->sidev, &wcd934x_ifc_regmap_config); - if (IS_ERR(wcd->if_regmap)) + if (IS_ERR(wcd->if_regmap)) { + put_device(&wcd->sidev->dev); return dev_err_probe(dev, PTR_ERR(wcd->if_regmap), "Failed to allocate ifc register map\n"); + } of_property_read_u32(dev->parent->of_node, "qcom,dmic-sample-rate", &wcd->dmic_sample_rate); @@ -5893,6 +5904,10 @@ static int wcd934x_codec_probe(struct platform_device *pdev) if (ret) return ret; + ret = devm_add_action_or_reset(dev, wcd934x_put_device_action, &wcd->sidev->dev); + if (ret) + return ret; + /* set default rate 9P6MHz */ regmap_update_bits(wcd->regmap, WCD934X_CODEC_RPM_CLK_MCLK_CFG, WCD934X_CODEC_RPM_CLK_MCLK_CFG_MCLK_MASK, -- 2.17.1

1 week, 2 days

2
1
0 0

[merged mm-stable] selftests-mm-skip-soft-dirty-tests-when-config_mem_soft_dirty-is-disabled.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: selftests/mm: skip soft-dirty tests when CONFIG_MEM_SOFT_DIRTY is disabled has been removed from the -mm tree. Its filename was selftests-mm-skip-soft-dirty-tests-when-config_mem_soft_dirty-is-disabled.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Lance Yang <lance.yang(a)linux.dev> Subject: selftests/mm: skip soft-dirty tests when CONFIG_MEM_SOFT_DIRTY is disabled Date: Wed, 17 Sep 2025 21:31:37 +0800 The madv_populate and soft-dirty kselftests currently fail on systems where CONFIG_MEM_SOFT_DIRTY is disabled. Introduce a new helper softdirty_supported() into vm_util.c/h to ensure tests are properly skipped when the feature is not enabled. Link: https://lkml.kernel.org/r/20250917133137.62802-1-lance.yang@linux.dev Fixes: 9f3265db6ae8 ("selftests: vm: add test for Soft-Dirty PTE bit") Signed-off-by: Lance Yang <lance.yang(a)linux.dev> Acked-by: David Hildenbrand <david(a)redhat.com> Suggested-by: David Hildenbrand <david(a)redhat.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Shuah Khan <shuah(a)kernel.org> Cc: Gabriel Krisman Bertazi <krisman(a)collabora.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/testing/selftests/mm/madv_populate.c | 21 +------------------ tools/testing/selftests/mm/soft-dirty.c | 5 +++- tools/testing/selftests/mm/vm_util.c | 17 +++++++++++++++ tools/testing/selftests/mm/vm_util.h | 1 4 files changed, 24 insertions(+), 20 deletions(-) --- a/tools/testing/selftests/mm/madv_populate.c~selftests-mm-skip-soft-dirty-tests-when-config_mem_soft_dirty-is-disabled +++ a/tools/testing/selftests/mm/madv_populate.c @@ -264,23 +264,6 @@ static void test_softdirty(void) munmap(addr, SIZE); } -static int system_has_softdirty(void) -{ - /* - * There is no way to check if the kernel supports soft-dirty, other - * than by writing to a page and seeing if the bit was set. But the - * tests are intended to check that the bit gets set when it should, so - * doing that check would turn a potentially legitimate fail into a - * skip. Fortunately, we know for sure that arm64 does not support - * soft-dirty. So for now, let's just use the arch as a corse guide. - */ -#if defined(__aarch64__) - return 0; -#else - return 1; -#endif -} - int main(int argc, char **argv) { int nr_tests = 16; @@ -288,7 +271,7 @@ int main(int argc, char **argv) pagesize = getpagesize(); - if (system_has_softdirty()) + if (softdirty_supported()) nr_tests += 5; ksft_print_header(); @@ -300,7 +283,7 @@ int main(int argc, char **argv) test_holes(); test_populate_read(); test_populate_write(); - if (system_has_softdirty()) + if (softdirty_supported()) test_softdirty(); err = ksft_get_fail_cnt(); --- a/tools/testing/selftests/mm/soft-dirty.c~selftests-mm-skip-soft-dirty-tests-when-config_mem_soft_dirty-is-disabled +++ a/tools/testing/selftests/mm/soft-dirty.c @@ -200,8 +200,11 @@ int main(int argc, char **argv) int pagesize; ksft_print_header(); - ksft_set_plan(15); + if (!softdirty_supported()) + ksft_exit_skip("soft-dirty is not support\n"); + + ksft_set_plan(15); pagemap_fd = open(PAGEMAP_FILE_PATH, O_RDONLY); if (pagemap_fd < 0) ksft_exit_fail_msg("Failed to open %s\n", PAGEMAP_FILE_PATH); --- a/tools/testing/selftests/mm/vm_util.c~selftests-mm-skip-soft-dirty-tests-when-config_mem_soft_dirty-is-disabled +++ a/tools/testing/selftests/mm/vm_util.c @@ -449,6 +449,23 @@ bool check_vmflag_pfnmap(void *addr) return check_vmflag(addr, "pf"); } +bool softdirty_supported(void) +{ + char *addr; + bool supported = false; + const size_t pagesize = getpagesize(); + + /* New mappings are expected to be marked with VM_SOFTDIRTY (sd). */ + addr = mmap(0, pagesize, PROT_READ | PROT_WRITE, + MAP_ANONYMOUS | MAP_PRIVATE, 0, 0); + if (!addr) + ksft_exit_fail_msg("mmap failed\n"); + + supported = check_vmflag(addr, "sd"); + munmap(addr, pagesize); + return supported; +} + /* * Open an fd at /proc/$pid/maps and configure procmap_out ready for * PROCMAP_QUERY query. Returns 0 on success, or an error code otherwise. --- a/tools/testing/selftests/mm/vm_util.h~selftests-mm-skip-soft-dirty-tests-when-config_mem_soft_dirty-is-disabled +++ a/tools/testing/selftests/mm/vm_util.h @@ -104,6 +104,7 @@ bool find_vma_procmap(struct procmap_fd int close_procmap(struct procmap_fd *procmap); int write_sysfs(const char *file_path, unsigned long val); int read_sysfs(const char *file_path, unsigned long *val); +bool softdirty_supported(void); static inline int open_self_procmap(struct procmap_fd *procmap_out) { _ Patches currently in -mm which might be from lance.yang(a)linux.dev are hung_task-fix-warnings-caused-by-unaligned-lock-pointers.patch mm-thp-fix-mte-tag-mismatch-when-replacing-zero-filled-subpages.patch

1 week, 2 days

1
0
0 0

[merged mm-nonmm-stable] fix-the-racy-usage-of-task_locktsk-group_leader-in-sys_prlimit64-paths.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths has been removed from the -mm tree. Its filename was fix-the-racy-usage-of-task_locktsk-group_leader-in-sys_prlimit64-paths.patch This patch was dropped because it was merged into the mm-nonmm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Oleg Nesterov <oleg(a)redhat.com> Subject: kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths Date: Mon, 15 Sep 2025 14:09:17 +0200 The usage of task_lock(tsk->group_leader) in sys_prlimit64()->do_prlimit() path is very broken. sys_prlimit64() does get_task_struct(tsk) but this only protects task_struct itself. If tsk != current and tsk is not a leader, this process can exit/exec and task_lock(tsk->group_leader) may use the already freed task_struct. Another problem is that sys_prlimit64() can race with mt-exec which changes ->group_leader. In this case do_prlimit() may take the wrong lock, or (worse) ->group_leader may change between task_lock() and task_unlock(). Change sys_prlimit64() to take tasklist_lock when necessary. This is not nice, but I don't see a better fix for -stable. Link: https://lkml.kernel.org/r/20250915120917.GA27702@redhat.com Fixes: 18c91bb2d872 ("prlimit: do not grab the tasklist_lock") Signed-off-by: Oleg Nesterov <oleg(a)redhat.com> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Jiri Slaby <jirislaby(a)kernel.org> Cc: Mateusz Guzik <mjguzik(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/sys.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) --- a/kernel/sys.c~fix-the-racy-usage-of-task_locktsk-group_leader-in-sys_prlimit64-paths +++ a/kernel/sys.c @@ -1734,6 +1734,7 @@ SYSCALL_DEFINE4(prlimit64, pid_t, pid, u struct rlimit old, new; struct task_struct *tsk; unsigned int checkflags = 0; + bool need_tasklist; int ret; if (old_rlim) @@ -1760,8 +1761,25 @@ SYSCALL_DEFINE4(prlimit64, pid_t, pid, u get_task_struct(tsk); rcu_read_unlock(); - ret = do_prlimit(tsk, resource, new_rlim ? &new : NULL, - old_rlim ? &old : NULL); + need_tasklist = !same_thread_group(tsk, current); + if (need_tasklist) { + /* + * Ensure we can't race with group exit or de_thread(), + * so tsk->group_leader can't be freed or changed until + * read_unlock(tasklist_lock) below. + */ + read_lock(&tasklist_lock); + if (!pid_alive(tsk)) + ret = -ESRCH; + } + + if (!ret) { + ret = do_prlimit(tsk, resource, new_rlim ? &new : NULL, + old_rlim ? &old : NULL); + } + + if (need_tasklist) + read_unlock(&tasklist_lock); if (!ret && old_rlim) { rlim_to_rlim64(&old, &old64); _ Patches currently in -mm which might be from oleg(a)redhat.com are

1 week, 2 days

1
0
0 0

[PATCH] fbcon: Fix OOB access in font allocation

by Thomas Zimmermann

Commit 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font") introduced an out-of-bounds access by storing data and allocation sizes in the same variable. Restore the old size calculation and use the new variable 'alloc_size' for the allocation. Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Fixes: 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font") Reported-by: Jani Nikula <jani.nikula(a)linux.intel.com> Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15020 Cc: Samasth Norway Ananda <samasth.norway.ananda(a)oracle.com> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: George Kennedy <george.kennedy(a)oracle.com> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: Simona Vetter <simona(a)ffwll.ch> Cc: Helge Deller <deller(a)gmx.de> Cc: "Ville Syrjälä" <ville.syrjala(a)linux.intel.com> Cc: Sam Ravnborg <sam(a)ravnborg.org> Cc: Qianqiang Liu <qianqiang.liu(a)163.com> Cc: Shixiong Ou <oushixiong(a)kylinos.cn> Cc: Kees Cook <kees(a)kernel.org> Cc: <stable(a)vger.kernel.org> # v5.9+ Cc: Zsolt Kajtar <soci(a)c64.rulez.org> --- drivers/video/fbdev/core/fbcon.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index 5fade44931b8..c1c0cdd7597c 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -2518,7 +2518,7 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font, unsigned charcount = font->charcount; int w = font->width; int h = font->height; - int size; + int size, alloc_size; int i, csum; u8 *new_data, *data = font->data; int pitch = PITCH(font->width); @@ -2551,10 +2551,10 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font, return -EINVAL; /* Check for overflow in allocation size calculation */ - if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size)) + if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &alloc_size)) return -EINVAL; - new_data = kmalloc(size, GFP_USER); + new_data = kmalloc(alloc_size, GFP_USER); if (!new_data) return -ENOMEM; -- 2.51.0

1 week, 2 days

3
2
0 0

[PATCH v3] wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again

by Muhammad Usama Anjum

Don't deinitialize and reinitialize the HAL helpers. The dma memory is deallocated and there is high possibility that we'll not be able to get the same memory allocated from dma when there is high memory pressure. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03926.13-QCAHSPSWPL_V2_SILICONZ_CE-2.52297.6 Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") Cc: stable(a)vger.kernel.org Cc: Baochen Qiang <baochen.qiang(a)oss.qualcomm.com> Reviewed-by: Baochen Qiang <baochen.qiang(a)oss.qualcomm.com> Signed-off-by: Muhammad Usama Anjum <usama.anjum(a)collabora.com> --- Changes since v1: - Cc stable and fix tested on tag - Clear essential fields as they may have stale data Changes since v2: - Add comment and reviewed by tag --- drivers/net/wireless/ath/ath11k/core.c | 6 +----- drivers/net/wireless/ath/ath11k/hal.c | 16 ++++++++++++++++ drivers/net/wireless/ath/ath11k/hal.h | 1 + 3 files changed, 18 insertions(+), 5 deletions(-) diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c index 4488e4cdc5e9e..34b27711ed00f 100644 --- a/drivers/net/wireless/ath/ath11k/core.c +++ b/drivers/net/wireless/ath/ath11k/core.c @@ -2213,14 +2213,10 @@ static int ath11k_core_reconfigure_on_crash(struct ath11k_base *ab) mutex_unlock(&ab->core_lock); ath11k_dp_free(ab); - ath11k_hal_srng_deinit(ab); + ath11k_hal_srng_clear(ab); ab->free_vdev_map = (1LL << (ab->num_radios * TARGET_NUM_VDEVS(ab))) - 1; - ret = ath11k_hal_srng_init(ab); - if (ret) - return ret; - clear_bit(ATH11K_FLAG_CRASH_FLUSH, &ab->dev_flags); ret = ath11k_core_qmi_firmware_ready(ab); diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c index b32de563d453a..e8ebf963f195c 100644 --- a/drivers/net/wireless/ath/ath11k/hal.c +++ b/drivers/net/wireless/ath/ath11k/hal.c @@ -1359,6 +1359,22 @@ void ath11k_hal_srng_deinit(struct ath11k_base *ab) } EXPORT_SYMBOL(ath11k_hal_srng_deinit); +void ath11k_hal_srng_clear(struct ath11k_base *ab) +{ + /* No need to memset rdp and wrp memory since each individual + * segment would get cleared ath11k_hal_srng_src_hw_init() and + * ath11k_hal_srng_dst_hw_init(). + */ + memset(ab->hal.srng_list, 0, + sizeof(ab->hal.srng_list)); + memset(ab->hal.shadow_reg_addr, 0, + sizeof(ab->hal.shadow_reg_addr)); + ab->hal.avail_blk_resource = 0; + ab->hal.current_blk_index = 0; + ab->hal.num_shadow_reg_configured = 0; +} +EXPORT_SYMBOL(ath11k_hal_srng_clear); + void ath11k_hal_dump_srng_stats(struct ath11k_base *ab) { struct hal_srng *srng; diff --git a/drivers/net/wireless/ath/ath11k/hal.h b/drivers/net/wireless/ath/ath11k/hal.h index 601542410c752..839095af9267e 100644 --- a/drivers/net/wireless/ath/ath11k/hal.h +++ b/drivers/net/wireless/ath/ath11k/hal.h @@ -965,6 +965,7 @@ int ath11k_hal_srng_setup(struct ath11k_base *ab, enum hal_ring_type type, struct hal_srng_params *params); int ath11k_hal_srng_init(struct ath11k_base *ath11k); void ath11k_hal_srng_deinit(struct ath11k_base *ath11k); +void ath11k_hal_srng_clear(struct ath11k_base *ab); void ath11k_hal_dump_srng_stats(struct ath11k_base *ab); void ath11k_hal_srng_get_shadow_config(struct ath11k_base *ab, u32 **cfg, u32 *len); -- 2.39.5

1 week, 2 days

3
6
0 0

[PATCH net 0/8][pull request] i40e: virtchnl improvements

by Tony Nguyen

Przemek Kitszel says: Improvements hardening PF-VF communication for i40e driver. This patchset targets several issues that can cause undefined behavior or be exploited in some other way. --- IWL: https://lore.kernel.org/intel-wired-lan/20250813104552.61027-1-przemyslaw.k… The following are changes since commit cbf658dd09419f1ef9de11b9604e950bdd5c170b: Merge tag 'net-6.17-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net and are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue 40GbE Lukasz Czapnik (8): i40e: add validation for ring_len param i40e: fix idx validation in i40e_validate_queue_map i40e: fix idx validation in config queues msg i40e: fix input validation logic for action_meta i40e: fix validation of VF state in get resources i40e: add max boundary check for VF filters i40e: add mask to apply valid bits for itr_idx i40e: improve VF MAC filters accounting drivers/net/ethernet/intel/i40e/i40e.h | 3 +- drivers/net/ethernet/intel/i40e/i40e_main.c | 26 ++++- .../ethernet/intel/i40e/i40e_virtchnl_pf.c | 110 ++++++++++-------- .../ethernet/intel/i40e/i40e_virtchnl_pf.h | 3 +- 4 files changed, 90 insertions(+), 52 deletions(-) -- 2.47.1

1 week, 2 days

2
9
0 0

[PATCH stable 6.6] ARM: bcm: Select ARM_GIC_V3 for ARCH_BRCMSTB

by Florian Fainelli

commit 2b28fe75c7dbe7ec322e706eed4622964409e21d upstream A number of recent Broadcom STB SoCs utilize a GIC-600 interrupt controller thus requiring the use of the GICv3 driver. Link: https://lore.kernel.org/r/20240726233414.2305526-1-florian.fainelli@broadco… Signed-off-by: Florian Fainelli <florian.fainelli(a)broadcom.com> --- While technically not a bug fix, this allows me to properly build test 6.6 on additional platforms within our test rack. Thanks! arch/arm/mach-bcm/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm/mach-bcm/Kconfig b/arch/arm/mach-bcm/Kconfig index 8789d93a7c04..c705bec1410c 100644 --- a/arch/arm/mach-bcm/Kconfig +++ b/arch/arm/mach-bcm/Kconfig @@ -186,6 +186,7 @@ config ARCH_BRCMSTB select ARCH_HAS_RESET_CONTROLLER select ARM_AMBA select ARM_GIC + select ARM_GIC_V3 select ARM_ERRATA_798181 if SMP select HAVE_ARM_ARCH_TIMER select ZONE_DMA if ARM_LPAE -- 2.34.1

1 week, 2 days

1
0
0 0

+ mm-damon-sysfs-do-not-ignore-callbacks-return-value-in-damon_sysfs_damon_call.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/damon/sysfs: do not ignore callback's return value in damon_sysfs_damon_call() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-damon-sysfs-do-not-ignore-callbacks-return-value-in-damon_sysfs_damon_call.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Akinobu Mita <akinobu.mita(a)gmail.com> Subject: mm/damon/sysfs: do not ignore callback's return value in damon_sysfs_damon_call() Date: Sat, 20 Sep 2025 22:25:46 +0900 The callback return value is ignored in damon_sysfs_damon_call(), which means that it is not possible to detect invalid user input when writing commands such as 'commit' to /sys/kernel/mm/damon/admin/kdamonds/<K>/state. Fix it. Link: https://lkml.kernel.org/r/20250920132546.5822-1-akinobu.mita@gmail.com Fixes: f64539dcdb87 ("mm/damon/sysfs: use damon_call() for update_schemes_stats") Signed-off-by: Akinobu Mita <akinobu.mita(a)gmail.com> Reviewed-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> [6.14+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/sysfs.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/mm/damon/sysfs.c~mm-damon-sysfs-do-not-ignore-callbacks-return-value-in-damon_sysfs_damon_call +++ a/mm/damon/sysfs.c @@ -1592,12 +1592,14 @@ static int damon_sysfs_damon_call(int (* struct damon_sysfs_kdamond *kdamond) { struct damon_call_control call_control = {}; + int err; if (!kdamond->damon_ctx) return -EINVAL; call_control.fn = fn; call_control.data = kdamond; - return damon_call(kdamond->damon_ctx, &call_control); + err = damon_call(kdamond->damon_ctx, &call_control); + return err ? err : call_control.return_code; } struct damon_sysfs_schemes_walk_data { _ Patches currently in -mm which might be from akinobu.mita(a)gmail.com are mm-damon-sysfs-do-not-ignore-callbacks-return-value-in-damon_sysfs_damon_call.patch

1 week, 2 days

1
0
0 0

+ mm-thp-fix-mte-tag-mismatch-when-replacing-zero-filled-subpages.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/thp: fix MTE tag mismatch when replacing zero-filled subpages has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-thp-fix-mte-tag-mismatch-when-replacing-zero-filled-subpages.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Lance Yang <lance.yang(a)linux.dev> Subject: mm/thp: fix MTE tag mismatch when replacing zero-filled subpages Date: Mon, 22 Sep 2025 10:14:58 +0800 When both THP and MTE are enabled, splitting a THP and replacing its zero-filled subpages with the shared zeropage can cause MTE tag mismatch faults in userspace. Remapping zero-filled subpages to the shared zeropage is unsafe, as the zeropage has a fixed tag of zero, which may not match the tag expected by the userspace pointer. KSM already avoids this problem by using memcmp_pages(), which on arm64 intentionally reports MTE-tagged pages as non-identical to prevent unsafe merging. As suggested by David[1], this patch adopts the same pattern, replacing the memchr_inv() byte-level check with a call to pages_identical(). This leverages existing architecture-specific logic to determine if a page is truly identical to the shared zeropage. Having both the THP shrinker and KSM rely on pages_identical() makes the design more future-proof, IMO. Instead of handling quirks in generic code, we just let the architecture decide what makes two pages identical. [1] https://lore.kernel.org/all/ca2106a3-4bb2-4457-81af-301fd99fbef4@redhat.com Link: https://lkml.kernel.org/r/20250922021458.68123-1-lance.yang@linux.dev Fixes: b1f202060afe ("mm: remap unused subpages to shared zeropage when splitting isolated thp") Signed-off-by: Lance Yang <lance.yang(a)linux.dev> Reported-by: Qun-wei Lin <Qun-wei.Lin(a)mediatek.com> Closes: https://lore.kernel.org/all/a7944523fcc3634607691c35311a5d59d1a3f8d4.camel@… Suggested-by: David Hildenbrand <david(a)redhat.com> Acked-by: Zi Yan <ziy(a)nvidia.com> Acked-by: David Hildenbrand <david(a)redhat.com> Acked-by: Usama Arif <usamaarif642(a)gmail.com> Reviewed-by: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: andrew.yang <andrew.yang(a)mediatek.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Barry Song <baohua(a)kernel.org> Cc: Byungchul Park <byungchul(a)sk.com> Cc: Charlie Jenkins <charlie(a)rivosinc.com> Cc: Chinwen Chang <chinwen.chang(a)mediatek.com> Cc: Dev Jain <dev.jain(a)arm.com> Cc: Domenico Cerasuolo <cerasuolodomenico(a)gmail.com> Cc: Gregory Price <gourry(a)gourry.net> Cc: "Huang, Ying" <ying.huang(a)linux.alibaba.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Joshua Hahn <joshua.hahnjy(a)gmail.com> Cc: Kairui Song <ryncsn(a)gmail.com> Cc: Kalesh Singh <kaleshsingh(a)google.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Mariano Pache <npache(a)redhat.com> Cc: Mathew Brost <matthew.brost(a)intel.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Palmer Dabbelt <palmer(a)rivosinc.com> Cc: Rakie Kim <rakie.kim(a)sk.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Roman Gushchin <roman.gushchin(a)linux.dev> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Samuel Holland <samuel.holland(a)sifive.com> Cc: Shakeel Butt <shakeel.butt(a)linux.dev> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/huge_memory.c | 15 +++------------ mm/migrate.c | 8 +------- 2 files changed, 4 insertions(+), 19 deletions(-) --- a/mm/huge_memory.c~mm-thp-fix-mte-tag-mismatch-when-replacing-zero-filled-subpages +++ a/mm/huge_memory.c @@ -4115,32 +4115,23 @@ static unsigned long deferred_split_coun static bool thp_underused(struct folio *folio) { int num_zero_pages = 0, num_filled_pages = 0; - void *kaddr; int i; if (khugepaged_max_ptes_none == HPAGE_PMD_NR - 1) return false; for (i = 0; i < folio_nr_pages(folio); i++) { - kaddr = kmap_local_folio(folio, i * PAGE_SIZE); - if (!memchr_inv(kaddr, 0, PAGE_SIZE)) { - num_zero_pages++; - if (num_zero_pages > khugepaged_max_ptes_none) { - kunmap_local(kaddr); + if (pages_identical(folio_page(folio, i), ZERO_PAGE(0))) { + if (++num_zero_pages > khugepaged_max_ptes_none) return true; - } } else { /* * Another path for early exit once the number * of non-zero filled pages exceeds threshold. */ - num_filled_pages++; - if (num_filled_pages >= HPAGE_PMD_NR - khugepaged_max_ptes_none) { - kunmap_local(kaddr); + if (++num_filled_pages >= HPAGE_PMD_NR - khugepaged_max_ptes_none) return false; - } } - kunmap_local(kaddr); } return false; } --- a/mm/migrate.c~mm-thp-fix-mte-tag-mismatch-when-replacing-zero-filled-subpages +++ a/mm/migrate.c @@ -301,9 +301,7 @@ static bool try_to_map_unused_to_zeropag unsigned long idx) { struct page *page = folio_page(folio, idx); - bool contains_data; pte_t newpte; - void *addr; if (PageCompound(page)) return false; @@ -320,11 +318,7 @@ static bool try_to_map_unused_to_zeropag * this subpage has been non present. If the subpage is only zero-filled * then map it to the shared zeropage. */ - addr = kmap_local_page(page); - contains_data = memchr_inv(addr, 0, PAGE_SIZE); - kunmap_local(addr); - - if (contains_data) + if (!pages_identical(page, ZERO_PAGE(0))) return false; newpte = pte_mkspecial(pfn_pte(my_zero_pfn(pvmw->address), _ Patches currently in -mm which might be from lance.yang(a)linux.dev are hung_task-fix-warnings-caused-by-unaligned-lock-pointers.patch mm-thp-fix-mte-tag-mismatch-when-replacing-zero-filled-subpages.patch selftests-mm-skip-soft-dirty-tests-when-config_mem_soft_dirty-is-disabled.patch

1 week, 2 days

1
0
0 0

+ fs-proc-task_mmu-check-p-vec_buf-for-null.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: fs/proc/task_mmu: check p->vec_buf for NULL has been added to the -mm mm-hotfixes-unstable branch. Its filename is fs-proc-task_mmu-check-p-vec_buf-for-null.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Jakub Acs <acsjakub(a)amazon.de> Subject: fs/proc/task_mmu: check p->vec_buf for NULL Date: Mon, 22 Sep 2025 08:22:05 +0000 When the PAGEMAP_SCAN ioctl is invoked with vec_len = 0 reaches pagemap_scan_backout_range(), kernel panics with null-ptr-deref: [ 44.936808] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 44.937797] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 44.938391] CPU: 1 UID: 0 PID: 2480 Comm: reproducer Not tainted 6.17.0-rc6 #22 PREEMPT(none) [ 44.939062] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 44.939935] RIP: 0010:pagemap_scan_thp_entry.isra.0+0x741/0xa80 <snip registers, unreliable trace> [ 44.946828] Call Trace: [ 44.947030] <TASK> [ 44.949219] pagemap_scan_pmd_entry+0xec/0xfa0 [ 44.952593] walk_pmd_range.isra.0+0x302/0x910 [ 44.954069] walk_pud_range.isra.0+0x419/0x790 [ 44.954427] walk_p4d_range+0x41e/0x620 [ 44.954743] walk_pgd_range+0x31e/0x630 [ 44.955057] __walk_page_range+0x160/0x670 [ 44.956883] walk_page_range_mm+0x408/0x980 [ 44.958677] walk_page_range+0x66/0x90 [ 44.958984] do_pagemap_scan+0x28d/0x9c0 [ 44.961833] do_pagemap_cmd+0x59/0x80 [ 44.962484] __x64_sys_ioctl+0x18d/0x210 [ 44.962804] do_syscall_64+0x5b/0x290 [ 44.963111] entry_SYSCALL_64_after_hwframe+0x76/0x7e vec_len = 0 in pagemap_scan_init_bounce_buffer() means no buffers are allocated and p->vec_buf remains set to NULL. This breaks an assumption made later in pagemap_scan_backout_range(), that page_region is always allocated for p->vec_buf_index. Fix it by explicitly checking p->vec_buf for NULL before dereferencing. Other sites that might run into same deref-issue are already (directly or transitively) protected by checking p->vec_buf. Note: From PAGEMAP_SCAN man page, it seems vec_len = 0 is valid when no output is requested and it's only the side effects caller is interested in, hence it passes check in pagemap_scan_get_args(). This issue was found by syzkaller. Link: https://lkml.kernel.org/r/20250922082206.6889-1-acsjakub@amazon.de Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs") Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> Reviewed-by: Muhammad Usama Anjum <usama.anjum(a)collabora.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Jinjiang Tu <tujinjiang(a)huawei.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Penglei Jiang <superman.xpt(a)gmail.com> Cc: Mark Brown <broonie(a)kernel.org> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Andrei Vagin <avagin(a)gmail.com> Cc: "Micha�� Miros��aw" <mirq-linux(a)rere.qmqm.pl> Cc: Stephen Rothwell <sfr(a)canb.auug.org.au> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/task_mmu.c | 3 +++ 1 file changed, 3 insertions(+) --- a/fs/proc/task_mmu.c~fs-proc-task_mmu-check-p-vec_buf-for-null +++ a/fs/proc/task_mmu.c @@ -2417,6 +2417,9 @@ static void pagemap_scan_backout_range(s { struct page_region *cur_buf = &p->vec_buf[p->vec_buf_index]; + if (!p->vec_buf) + return; + if (cur_buf->start != addr) cur_buf->end = addr; else _ Patches currently in -mm which might be from acsjakub(a)amazon.de are fs-proc-task_mmu-check-p-vec_buf-for-null.patch

1 week, 2 days

1
0
0 0

[PATCH 6.6 ONLY] s390/cpum_cf: Fix uninitialized warning after backport of ce971233242b

by Nathan Chancellor

Upstream commit ce971233242b ("s390/cpum_cf: Deny all sampling events by counter PMU"), backported to 6.6 as commit d660c8d8142e ("s390/cpum_cf: Deny all sampling events by counter PMU"), implicitly depends on the unconditional initialization of err to -ENOENT added by upstream commit aa1ac98268cd ("s390/cpumf: Fix double free on error in cpumf_pmu_event_init()"). The latter change is missing from 6.6, resulting in an instance of -Wuninitialized, which is fairly obvious from looking at the actual diff. arch/s390/kernel/perf_cpum_cf.c:858:10: warning: variable 'err' is uninitialized when used here [-Wuninitialized] 858 | return err; | ^~~ Commit aa1ac98268cd ("s390/cpumf: Fix double free on error in cpumf_pmu_event_init()") depends on commit c70ca298036c ("perf/core: Simplify the perf_event_alloc() error path"), which is a part of a much larger series unsuitable for stable. Extract the unconditional initialization of err to -ENOENT from commit aa1ac98268cd ("s390/cpumf: Fix double free on error in cpumf_pmu_event_init()") and apply it to 6.6 as a standalone change to resolve the warning. Fixes: d660c8d8142e ("s390/cpum_cf: Deny all sampling events by counter PMU") Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- This was reported on 6.1 and the offending commit was dropped but 6.6 suffered from the same issue (I am surprised LKFT's testing caught it in the 6.1 case but not 6.6...): https://lore.kernel.org/CADYN=9Li3gHMJ+weE0khMBmpS1Wcj-XaUeaUZg2Nxdz0qY9sdg… As it is already released, I figured I would just submit a fixup patch, which could also be used to fix the issue in 6.1. --- arch/s390/kernel/perf_cpum_cf.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/arch/s390/kernel/perf_cpum_cf.c b/arch/s390/kernel/perf_cpum_cf.c index 771e1cb17540..e590b4c09625 100644 --- a/arch/s390/kernel/perf_cpum_cf.c +++ b/arch/s390/kernel/perf_cpum_cf.c @@ -852,7 +852,7 @@ static int cpumf_pmu_event_type(struct perf_event *event) static int cpumf_pmu_event_init(struct perf_event *event) { unsigned int type = event->attr.type; - int err; + int err = -ENOENT; if (is_sampling_event(event)) /* No sampling support */ return err; @@ -861,8 +861,6 @@ static int cpumf_pmu_event_init(struct perf_event *event) else if (event->pmu->type == type) /* Registered as unknown PMU */ err = __hw_perf_event_init(event, cpumf_pmu_event_type(event)); - else - return -ENOENT; if (unlikely(err) && event->destroy) event->destroy(event); --- base-commit: af1544b5d072514b219695b0a9fba0b1e0d5e289 change-id: 20250922-6-6-s390-cpum_cf-fix-uninit-err-010876c3d58c Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

1 week, 2 days

1
0
0 0

[tip: x86/urgent] x86/topology: Implement topology_is_core_online() to address SMT regression

by tip-bot2 for Thomas Gleixner

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: 2066f00e5b2dc061fb6d8c88fadaebc97f11feaa Gitweb: https://git.kernel.org/tip/2066f00e5b2dc061fb6d8c88fadaebc97f11feaa Author: Thomas Gleixner <tglx(a)linutronix.de> AuthorDate: Sun, 21 Sep 2025 10:56:40 +02:00 Committer: Borislav Petkov (AMD) <bp(a)alien8.de> CommitterDate: Mon, 22 Sep 2025 21:25:36 +02:00 x86/topology: Implement topology_is_core_online() to address SMT regression Christian reported that commit a430c11f4015 ("intel_idle: Rescan "dead" SMT siblings during initialization") broke the use case in which both 'nosmt' and 'maxcpus' are on the kernel command line because it onlines primary threads, which were offline due to the maxcpus limit. The initially proposed fix to skip primary threads in the loop is inconsistent. While it prevents the primary thread to be onlined, it then onlines the corresponding hyperthread(s), which does not really make sense. The CPU iterator in cpuhp_smt_enable() contains a check which excludes all threads of a core, when the primary thread is offline. The default implementation is a NOOP and therefore not effective on x86. Implement topology_is_core_online() on x86 to address this issue. This makes the behaviour consistent between x86 and PowerPC. Fixes: a430c11f4015 ("intel_idle: Rescan "dead" SMT siblings during initialization") Fixes: f694481b1d31 ("ACPI: processor: Rescan "dead" SMT siblings during initialization") Closes: https://lore.kernel.org/linux-pm/724616a2-6374-4ba3-8ce3-ea9c45e2ae3b@arm.c… Reported-by: Christian Loehle <christian.loehle(a)arm.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Reviewed-by: Rafael J. Wysocki (Intel) <rafael(a)kernel.org> Tested-by: Christian Loehle <christian.loehle(a)arm.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/12740505.O9o76ZdvQC@rafael.j.wysocki --- arch/x86/include/asm/topology.h | 10 ++++++++++ arch/x86/kernel/cpu/topology.c | 13 +++++++++++++ 2 files changed, 23 insertions(+) diff --git a/arch/x86/include/asm/topology.h b/arch/x86/include/asm/topology.h index 6c79ee7..2104189 100644 --- a/arch/x86/include/asm/topology.h +++ b/arch/x86/include/asm/topology.h @@ -231,6 +231,16 @@ static inline bool topology_is_primary_thread(unsigned int cpu) } #define topology_is_primary_thread topology_is_primary_thread +int topology_get_primary_thread(unsigned int cpu); + +static inline bool topology_is_core_online(unsigned int cpu) +{ + int pcpu = topology_get_primary_thread(cpu); + + return pcpu >= 0 ? cpu_online(pcpu) : false; +} +#define topology_is_core_online topology_is_core_online + #else /* CONFIG_SMP */ static inline int topology_phys_to_logical_pkg(unsigned int pkg) { return 0; } static inline int topology_max_smt_threads(void) { return 1; } diff --git a/arch/x86/kernel/cpu/topology.c b/arch/x86/kernel/cpu/topology.c index e35ccdc..6073a16 100644 --- a/arch/x86/kernel/cpu/topology.c +++ b/arch/x86/kernel/cpu/topology.c @@ -372,6 +372,19 @@ unsigned int topology_unit_count(u32 apicid, enum x86_topology_domains which_uni return topo_unit_count(lvlid, at_level, apic_maps[which_units].map); } +#ifdef CONFIG_SMP +int topology_get_primary_thread(unsigned int cpu) +{ + u32 apic_id = cpuid_to_apicid[cpu]; + + /* + * Get the core domain level APIC id, which is the primary thread + * and return the CPU number assigned to it. + */ + return topo_lookup_cpuid(topo_apicid(apic_id, TOPO_CORE_DOMAIN)); +} +#endif + #ifdef CONFIG_ACPI_HOTPLUG_CPU /** * topology_hotplug_apic - Handle a physical hotplugged APIC after boot

1 week, 3 days

1
0
0 0

[PATCH] of: unittest: Fix device reference count leak in of_unittest_pci_node_verify

by Ma Ke

In of_unittest_pci_node_verify(), when the add parameter is false, device_find_any_child() obtains a reference to a child device. This function implicitly calls get_device() to increment the device's reference count before returning the pointer. However, the caller fails to properly release this reference by calling put_device(), leading to a device reference count leak. As the comment of device_find_any_child states: "NOTE: you will need to drop the reference with put_device() after use". Cc: stable(a)vger.kernel.org Fixes: 26409dd04589 ("of: unittest: Add pci_dt_testdrv pci driver") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/of/unittest.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c index e3503ec20f6c..d225e73781fe 100644 --- a/drivers/of/unittest.c +++ b/drivers/of/unittest.c @@ -4271,7 +4271,7 @@ static struct platform_driver unittest_pci_driver = { static int of_unittest_pci_node_verify(struct pci_dev *pdev, bool add) { struct device_node *pnp, *np = NULL; - struct device *child_dev; + struct device *child_dev = NULL; char *path = NULL; const __be32 *reg; int rc = 0; @@ -4306,6 +4306,8 @@ static int of_unittest_pci_node_verify(struct pci_dev *pdev, bool add) kfree(path); if (np) of_node_put(np); + if (child_dev) + put_device(child_dev); return rc; } -- 2.17.1

1 week, 3 days

2
1
0 0

FAILED: patch "[PATCH] crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092107-making-cough-9671@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 Mon Sep 17 00:00:00 2001 From: Herbert Xu <herbert(a)gondor.apana.org.au> Date: Tue, 16 Sep 2025 17:20:59 +0800 Subject: [PATCH] crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing. Fixes: 8ff590903d5 ("crypto: algif_skcipher - User-space interface for skcipher operations") Reported-by: Muhammad Alifa Ramdhan <ramdhan(a)starlabs.sg> Reported-by: Bing-Jhong Billy Jheng <billy(a)starlabs.sg> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/crypto/af_alg.c b/crypto/af_alg.c index 407f2c238f2c..ca6fdcc6c54a 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -970,6 +970,12 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, } lock_sock(sk); + if (ctx->write) { + release_sock(sk); + return -EBUSY; + } + ctx->write = true; + if (ctx->init && !ctx->more) { if (ctx->used) { err = -EINVAL; @@ -1105,6 +1111,7 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, unlock: af_alg_data_wakeup(sk); + ctx->write = false; release_sock(sk); return copied ?: err; diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h index f7b3b93f3a49..0c70f3a55575 100644 --- a/include/crypto/if_alg.h +++ b/include/crypto/if_alg.h @@ -135,6 +135,7 @@ struct af_alg_async_req { * SG? * @enc: Cryptographic operation to be performed when * recvmsg is invoked. + * @write: True if we are in the middle of a write. * @init: True if metadata has been sent. * @len: Length of memory allocated for this data structure. * @inflight: Non-zero when AIO requests are in flight. @@ -151,10 +152,11 @@ struct af_alg_ctx { size_t used; atomic_t rcvused; - bool more; - bool merge; - bool enc; - bool init; + u32 more:1, + merge:1, + enc:1, + write:1, + init:1; unsigned int len;

1 week, 3 days

2
2
0 0

[PATCH v6] ACPI: battery: prevent sysfs_add_battery re-entry on rapid events

by GuangFei Luo

When removing and reinserting the laptop battery, ACPI can trigger two notifications in quick succession: - ACPI_BATTERY_NOTIFY_STATUS (0x80) - ACPI_BATTERY_NOTIFY_INFO (0x81) Both notifications call acpi_battery_update(). Because the events happen very close in time, sysfs_add_battery() can be re-entered before battery->bat is set, causing a duplicate sysfs entry error. When the ACPI battery driver uses acpi_dev_install_notify_handler() to register acpi_battery_notify, the callback may be triggered twice in a very short period of time. This patch ensures that sysfs_add_battery() is not re-entered when battery->bat is already non-NULL, preventing the duplicate sysfs creation and stabilizing battery hotplug handling. [ 476.117945] sysfs: cannot create duplicate filename '/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0A:00/power_supply/BAT1' [ 476.118896] CPU: 1 UID: 0 PID: 185 Comm: kworker/1:4 Kdump: loaded Not tainted 6.12.38+deb13-amd64 #1 Debian 6.12.38-1 [ 476.118903] Hardware name: Gateway NV44 /SJV40-MV , BIOS V1.3121 04/08/2009 [ 476.118906] Workqueue: kacpi_notify acpi_os_execute_deferred [ 476.118917] Call Trace: [ 476.118922] <TASK> [ 476.118929] dump_stack_lvl+0x5d/0x80 [ 476.118938] sysfs_warn_dup.cold+0x17/0x23 [ 476.118943] sysfs_create_dir_ns+0xce/0xe0 [ 476.118952] kobject_add_internal+0xba/0x250 [ 476.118959] kobject_add+0x96/0xc0 [ 476.118964] ? get_device_parent+0xde/0x1e0 [ 476.118970] device_add+0xe2/0x870 [ 476.118975] __power_supply_register.part.0+0x20f/0x3f0 [ 476.118981] ? wake_up_q+0x4e/0x90 [ 476.118990] sysfs_add_battery+0xa4/0x1d0 [battery] [ 476.118998] acpi_battery_update+0x19e/0x290 [battery] [ 476.119002] acpi_battery_notify+0x50/0x120 [battery] [ 476.119006] acpi_ev_notify_dispatch+0x49/0x70 [ 476.119012] acpi_os_execute_deferred+0x1a/0x30 [ 476.119015] process_one_work+0x177/0x330 [ 476.119022] worker_thread+0x251/0x390 [ 476.119026] ? __pfx_worker_thread+0x10/0x10 [ 476.119030] kthread+0xd2/0x100 [ 476.119033] ? __pfx_kthread+0x10/0x10 [ 476.119035] ret_from_fork+0x34/0x50 [ 476.119040] ? __pfx_kthread+0x10/0x10 [ 476.119042] ret_from_fork_asm+0x1a/0x30 [ 476.119049] </TASK> [ 476.142552] kobject: kobject_add_internal failed for BAT1 with -EEXIST, don't try to register things with the same name in the same directory. [ 476.415022] ata1.00: unexpected _GTF length (8) [ 476.428076] sd 0:0:0:0: [sda] Starting disk [ 476.835035] ata1.00: unexpected _GTF length (8) [ 476.839720] ata1.00: configured for UDMA/133 [ 491.328831] sysfs: cannot create duplicate filename '/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0A:00/power_supply/BAT1' [ 491.329720] CPU: 1 UID: 0 PID: 185 Comm: kworker/1:4 Kdump: loaded Not tainted 6.12.38+deb13-amd64 #1 Debian 6.12.38-1 [ 491.329727] Hardware name: Gateway NV44 /SJV40-MV , BIOS V1.3121 04/08/2009 [ 491.329731] Workqueue: kacpi_notify acpi_os_execute_deferred [ 491.329741] Call Trace: [ 491.329745] <TASK> [ 491.329751] dump_stack_lvl+0x5d/0x80 [ 491.329758] sysfs_warn_dup.cold+0x17/0x23 [ 491.329762] sysfs_create_dir_ns+0xce/0xe0 [ 491.329770] kobject_add_internal+0xba/0x250 [ 491.329775] kobject_add+0x96/0xc0 [ 491.329779] ? get_device_parent+0xde/0x1e0 [ 491.329784] device_add+0xe2/0x870 [ 491.329790] __power_supply_register.part.0+0x20f/0x3f0 [ 491.329797] sysfs_add_battery+0xa4/0x1d0 [battery] [ 491.329805] acpi_battery_update+0x19e/0x290 [battery] [ 491.329809] acpi_battery_notify+0x50/0x120 [battery] [ 491.329812] acpi_ev_notify_dispatch+0x49/0x70 [ 491.329817] acpi_os_execute_deferred+0x1a/0x30 [ 491.329820] process_one_work+0x177/0x330 [ 491.329826] worker_thread+0x251/0x390 [ 491.329830] ? __pfx_worker_thread+0x10/0x10 [ 491.329833] kthread+0xd2/0x100 [ 491.329836] ? __pfx_kthread+0x10/0x10 [ 491.329838] ret_from_fork+0x34/0x50 [ 491.329842] ? __pfx_kthread+0x10/0x10 [ 491.329844] ret_from_fork_asm+0x1a/0x30 [ 491.329850] </TASK> [ 491.329855] kobject: kobject_add_internal failed for BAT1 with -EEXIST, don't try to register things with the same name in the same directory. Fixes: 10666251554c ("ACPI: battery: Install Notify() handler directly") Signed-off-by: GuangFei Luo <luogf2025(a)163.com> Cc: stable(a)vger.kernel.org --- v6: - Update Fixes tag: point to commit 10666251554c ("ACPI: battery: Install Notify() handler directly"), which introduced the sysfs_add_battery() re-entry issue when acpi_battery_notify is registered via acpi_dev_install_notify_handler(). The problem does not occur with acpi_bus_register_driver(). v5: - Move changelog above the '---' line as per submission guidelines. v4: - Uses guard(mutex) for battery->sysfs_lock in sysfs_add_battery(). - Since sysfs_add_battery() now handles the battery->bat check with proper locking,the extra if (!battery->bat) check at the call site has become redundant. v3: - Modified the earlier approach: since sysfs_add_battery() is invoked from multiple places, the most reliable way is to add the lock inside the function itself. - sysfs_remove_battery() had a similar race issue in the past, which was fixed by adding a lock as well. Reference: https://lore.kernel.org/all/9c921c22a7f33397a6774d7fa076db9b6a0fd669 .1312318300.git.len.brown(a)intel.com/ v2: - Fix missing mutex_unlock in acpi_battery_update() (Reported-by: kernel test robot) v1: - Initial patch to handle race when hotplugging battery, preventing duplicate sysfs entries. --- drivers/acpi/battery.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c index 6905b56bf3e4..20d68f3e881f 100644 --- a/drivers/acpi/battery.c +++ b/drivers/acpi/battery.c @@ -850,6 +850,10 @@ static void __exit battery_hook_exit(void) static int sysfs_add_battery(struct acpi_battery *battery) { + guard(mutex)(&battery->sysfs_lock); + if (battery->bat) + return 0; + struct power_supply_config psy_cfg = { .drv_data = battery, .attr_grp = acpi_battery_groups, @@ -1026,11 +1030,9 @@ static int acpi_battery_update(struct acpi_battery *battery, bool resume) return result; acpi_battery_quirks(battery); - if (!battery->bat) { - result = sysfs_add_battery(battery); - if (result) - return result; - } + result = sysfs_add_battery(battery); + if (result) + return result; /* * Wakeup the system if battery is critical low @@ -1112,12 +1114,12 @@ static int battery_notify(struct notifier_block *nb, result = acpi_battery_get_info(battery); if (result) return result; - - result = sysfs_add_battery(battery); - if (result) - return result; } + result = sysfs_add_battery(battery); + if (result) + return result; + acpi_battery_init_alarm(battery); acpi_battery_get_state(battery); break; -- 2.43.0

1 week, 3 days

2
1
0 0

[PATCH] Revert "loop: Avoid updating block size under exclusive owner"

by Eric Hagberg

This reverts commit ce8da5d13d8c ("loop: Avoid updating block size under exclusive owner") for the 6.6 kernel, because if the LTP ioctl_loop06 test is run with this patch in place, the test will fail, it leaves the host unable to kexec into the kernel again (hangs forever) and "losetup -a" will hang on attempting to access the /dev/loopN device that the test has set up. The patch doesn't need to be reverted from 6.12, as it works fine there. Cc: stable(a)vger.kernel.org # 6.6.x Signed-off-by: Eric Hagberg <ehagberg(a)janestreet.com> --- --- b/drivers/block/loop.c +++ a/drivers/block/loop.c @@ -1472,36 +1472,19 @@ return error; } +static int loop_set_block_size(struct loop_device *lo, unsigned long arg) -static int loop_set_block_size(struct loop_device *lo, blk_mode_t mode, - struct block_device *bdev, unsigned long arg) { int err = 0; + if (lo->lo_state != Lo_bound) + return -ENXIO; - /* - * If we don't hold exclusive handle for the device, upgrade to it - * here to avoid changing device under exclusive owner. - */ - if (!(mode & BLK_OPEN_EXCL)) { - err = bd_prepare_to_claim(bdev, loop_set_block_size, NULL); - if (err) - return err; - } - - err = mutex_lock_killable(&lo->lo_mutex); - if (err) - goto abort_claim; - - if (lo->lo_state != Lo_bound) { - err = -ENXIO; - goto unlock; - } err = blk_validate_block_size(arg); if (err) return err; if (lo->lo_queue->limits.logical_block_size == arg) + return 0; - goto unlock; sync_blockdev(lo->lo_device); invalidate_bdev(lo->lo_device); @@ -1513,11 +1496,6 @@ loop_update_dio(lo); blk_mq_unfreeze_queue(lo->lo_queue); -unlock: - mutex_unlock(&lo->lo_mutex); -abort_claim: - if (!(mode & BLK_OPEN_EXCL)) - bd_abort_claiming(bdev, loop_set_block_size); return err; } @@ -1536,6 +1514,9 @@ case LOOP_SET_DIRECT_IO: err = loop_set_dio(lo, arg); break; + case LOOP_SET_BLOCK_SIZE: + err = loop_set_block_size(lo, arg); + break; default: err = -EINVAL; } @@ -1590,12 +1571,9 @@ break; case LOOP_GET_STATUS64: return loop_get_status64(lo, argp); - case LOOP_SET_BLOCK_SIZE: - if (!(mode & BLK_OPEN_WRITE) && !capable(CAP_SYS_ADMIN)) - return -EPERM; - return loop_set_block_size(lo, mode, bdev, arg); case LOOP_SET_CAPACITY: case LOOP_SET_DIRECT_IO: + case LOOP_SET_BLOCK_SIZE: if (!(mode & BLK_OPEN_WRITE) && !capable(CAP_SYS_ADMIN)) return -EPERM; fallthrough;

1 week, 3 days

1
0
0 0

[PATCH v2] scsi: dc395x: correctly discard the return value in certain reads

by Xinhui Yang

There are certain read operations performed in this code which doesn't really don't need its return value. Those read operations either clears the FIFO buffer, or clears the interruption status. However, unused read triggers compiler warnings. With CONFIG_WERROR on, these warnings get converted into errors: drivers/scsi/dc395x.c: In function ‘__dc395x_eh_bus_reset’: drivers/scsi/dc395x.c:97:49: error: value computed is not used [-Werror=unused-value] 97 | #define DC395x_read8(acb,address) (u8)(inb(acb->io_port_base + (address))) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/dc395x.c:1003:9: note: in expansion of macro ‘DC395x_read8’ 1003 | DC395x_read8(acb, TRM_S1040_SCSI_INTSTATUS); | ^~~~~~~~~~~~ drivers/scsi/dc395x.c: In function ‘data_io_transfer’: drivers/scsi/dc395x.c:97:49: error: value computed is not used [-Werror=unused-value] 97 | #define DC395x_read8(acb,address) (u8)(inb(acb->io_port_base + (address))) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/dc395x.c:2032:33: note: in expansion of macro ‘DC395x_read8’ 2032 | DC395x_read8(acb, TRM_S1040_SCSI_FIFO); Create a new macro DC395x_peek8() to deliberately cast the return value to void, which tells the compiler we really don't need the return value of such read operations. Other changes: * Also slightly modify the formatting of the DC395x_* macros. Cc: stable(a)vger.kernel.org Signed-off-by: Xinhui Yang <cyan(a)cyano.uk> --- Changes since v1 [1]: - Add Cc: tag to include this patch to the stable tree. - Add additional description about the formatting changes. [1]: https://lore.kernel.org/linux-scsi/20250922143619.824129-1-cyan@cyano.uk --- drivers/scsi/dc395x.c | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c index 386c8359e1cc..013d0d5277d6 100644 --- a/drivers/scsi/dc395x.c +++ b/drivers/scsi/dc395x.c @@ -91,15 +91,21 @@ #endif -#define DC395x_LOCK_IO(dev,flags) spin_lock_irqsave(((struct Scsi_Host *)dev)->host_lock, flags) -#define DC395x_UNLOCK_IO(dev,flags) spin_unlock_irqrestore(((struct Scsi_Host *)dev)->host_lock, flags) +#define DC395x_LOCK_IO(dev, flags) spin_lock_irqsave(((struct Scsi_Host *)dev)->host_lock, flags) +#define DC395x_UNLOCK_IO(dev, flags) spin_unlock_irqrestore(((struct Scsi_Host *)dev)->host_lock, flags) -#define DC395x_read8(acb,address) (u8)(inb(acb->io_port_base + (address))) -#define DC395x_read16(acb,address) (u16)(inw(acb->io_port_base + (address))) -#define DC395x_read32(acb,address) (u32)(inl(acb->io_port_base + (address))) -#define DC395x_write8(acb,address,value) outb((value), acb->io_port_base + (address)) -#define DC395x_write16(acb,address,value) outw((value), acb->io_port_base + (address)) -#define DC395x_write32(acb,address,value) outl((value), acb->io_port_base + (address)) +/* + * read operations that may trigger side effects in the hardware, + * but the value can or should be discarded. + */ +#define DC395x_peek8(acb, address) ((void)(inb(acb->io_port_base + (address)))) +/* Normal read write operations goes here. */ +#define DC395x_read8(acb, address) ((u8) (inb(acb->io_port_base + (address)))) +#define DC395x_read16(acb, address) ((u16) (inw(acb->io_port_base + (address)))) +#define DC395x_read32(acb, address) ((u32) (inl(acb->io_port_base + (address)))) +#define DC395x_write8(acb, address, value) (outb((value), acb->io_port_base + (address))) +#define DC395x_write16(acb, address, value) (outw((value), acb->io_port_base + (address))) +#define DC395x_write32(acb, address, value) (outl((value), acb->io_port_base + (address))) #define TAG_NONE 255 @@ -1000,7 +1006,7 @@ static int __dc395x_eh_bus_reset(struct scsi_cmnd *cmd) DC395x_write8(acb, TRM_S1040_DMA_CONTROL, CLRXFIFO); clear_fifo(acb, "eh_bus_reset"); /* Delete pending IRQ */ - DC395x_read8(acb, TRM_S1040_SCSI_INTSTATUS); + DC395x_peek8(acb, TRM_S1040_SCSI_INTSTATUS); set_basic_config(acb); reset_dev_param(acb); @@ -2029,8 +2035,8 @@ static void data_io_transfer(struct AdapterCtlBlk *acb, DC395x_write8(acb, TRM_S1040_SCSI_CONFIG2, CFG2_WIDEFIFO); if (io_dir & DMACMD_DIR) { - DC395x_read8(acb, TRM_S1040_SCSI_FIFO); - DC395x_read8(acb, TRM_S1040_SCSI_FIFO); + DC395x_peek8(acb, TRM_S1040_SCSI_FIFO); + DC395x_peek8(acb, TRM_S1040_SCSI_FIFO); } else { /* Danger, Robinson: If you find KGs * scattered over the wide disk, the driver @@ -2044,7 +2050,7 @@ static void data_io_transfer(struct AdapterCtlBlk *acb, /* Danger, Robinson: If you find a collection of Ks on your disk * something broke :-( */ if (io_dir & DMACMD_DIR) - DC395x_read8(acb, TRM_S1040_SCSI_FIFO); + DC395x_peek8(acb, TRM_S1040_SCSI_FIFO); else DC395x_write8(acb, TRM_S1040_SCSI_FIFO, 'K'); } @@ -2892,7 +2898,7 @@ static void set_basic_config(struct AdapterCtlBlk *acb) DMA_FIFO_HALF_HALF | DMA_ENHANCE /*| DMA_MEM_MULTI_READ */ ; DC395x_write16(acb, TRM_S1040_DMA_CONFIG, wval); /* Clear pending interrupt status */ - DC395x_read8(acb, TRM_S1040_SCSI_INTSTATUS); + DC395x_peek8(acb, TRM_S1040_SCSI_INTSTATUS); /* Enable SCSI interrupt */ DC395x_write8(acb, TRM_S1040_SCSI_INTEN, 0x7F); DC395x_write8(acb, TRM_S1040_DMA_INTEN, EN_SCSIINTR | EN_DMAXFERERROR @@ -3799,7 +3805,7 @@ static void adapter_uninit_chip(struct AdapterCtlBlk *acb) reset_scsi_bus(acb); /* clear any pending interrupt state */ - DC395x_read8(acb, TRM_S1040_SCSI_INTSTATUS); + DC395x_peek8(acb, TRM_S1040_SCSI_INTSTATUS); } -- 2.51.0

1 week, 3 days

2
1
0 0

[PATCH v2] powerpc/smp: Add check for kcalloc() failure in parse_thread_groups()

by Guangshuo Li

As kcalloc() may fail, check its return value to avoid a NULL pointer dereference when passing it to of_property_read_u32_array(). Fixes: 790a1662d3a26 ("powerpc/smp: Parse ibm,thread-groups with multiple properties") Cc: stable(a)vger.kernel.org --- changelog: v2: - Return -ENOMEM directly on allocation failure. Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- arch/powerpc/kernel/smp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c index 5ac7084eebc0..cfccb9389760 100644 --- a/arch/powerpc/kernel/smp.c +++ b/arch/powerpc/kernel/smp.c @@ -822,6 +822,8 @@ static int parse_thread_groups(struct device_node *dn, count = of_property_count_u32_elems(dn, "ibm,thread-groups"); thread_group_array = kcalloc(count, sizeof(u32), GFP_KERNEL); + if (!thread_group_array) + return -ENOMEM; ret = of_property_read_u32_array(dn, "ibm,thread-groups", thread_group_array, count); if (ret) -- 2.43.0

1 week, 3 days

3
4
0 0

[PATCH 6.17 REGRESSION FIX] gpiolib: acpi: Make set debounce errors non fatal

by Hans de Goede

Commit 16c07342b542 ("gpiolib: acpi: Program debounce when finding GPIO") adds a gpio_set_debounce_timeout() call to acpi_find_gpio() and makes acpi_find_gpio() fail if this fails. But gpio_set_debounce_timeout() failing is a somewhat normal occurrence, since not all debounce values are supported on all GPIO/pinctrl chips. Making this an error for example break getting the card-detect GPIO for the micro-sd slot found on many Bay Trail tablets, breaking support for the micro-sd slot on these tablets. acpi_request_own_gpiod() already treats gpio_set_debounce_timeout() failures as non-fatal, just warning about them. Add a acpi_gpio_set_debounce_timeout() helper which wraps gpio_set_debounce_timeout() and warns on failures and replace both existing gpio_set_debounce_timeout() calls with the helper. Since the helper only warns on failures this fixes the card-detect issue. Fixes: 16c07342b542 ("gpiolib: acpi: Program debounce when finding GPIO") Cc: stable(a)vger.kernel.org Cc: Mario Limonciello <superm1(a)kernel.org> Signed-off-by: Hans de Goede <hansg(a)kernel.org> --- drivers/gpio/gpiolib-acpi-core.c | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/drivers/gpio/gpiolib-acpi-core.c b/drivers/gpio/gpiolib-acpi-core.c index 284e762d92c4..67c4c38afb86 100644 --- a/drivers/gpio/gpiolib-acpi-core.c +++ b/drivers/gpio/gpiolib-acpi-core.c @@ -291,6 +291,19 @@ acpi_gpio_to_gpiod_flags(const struct acpi_resource_gpio *agpio, int polarity) return GPIOD_ASIS; } +static void acpi_gpio_set_debounce_timeout(struct gpio_desc *desc, + unsigned int acpi_debounce) +{ + int ret; + + /* ACPI uses hundredths of milliseconds units */ + acpi_debounce *= 10; + ret = gpio_set_debounce_timeout(desc, acpi_debounce); + if (ret) + gpiod_warn(desc, "Failed to set debounce-timeout %u: %d\n", + acpi_debounce, ret); +} + static struct gpio_desc *acpi_request_own_gpiod(struct gpio_chip *chip, struct acpi_resource_gpio *agpio, unsigned int index, @@ -300,18 +313,12 @@ static struct gpio_desc *acpi_request_own_gpiod(struct gpio_chip *chip, enum gpiod_flags flags = acpi_gpio_to_gpiod_flags(agpio, polarity); unsigned int pin = agpio->pin_table[index]; struct gpio_desc *desc; - int ret; desc = gpiochip_request_own_desc(chip, pin, label, polarity, flags); if (IS_ERR(desc)) return desc; - /* ACPI uses hundredths of milliseconds units */ - ret = gpio_set_debounce_timeout(desc, agpio->debounce_timeout * 10); - if (ret) - dev_warn(chip->parent, - "Failed to set debounce-timeout for pin 0x%04X, err %d\n", - pin, ret); + acpi_gpio_set_debounce_timeout(desc, agpio->debounce_timeout); return desc; } @@ -944,7 +951,6 @@ struct gpio_desc *acpi_find_gpio(struct fwnode_handle *fwnode, bool can_fallback = acpi_can_fallback_to_crs(adev, con_id); struct acpi_gpio_info info = {}; struct gpio_desc *desc; - int ret; desc = __acpi_find_gpio(fwnode, con_id, idx, can_fallback, &info); if (IS_ERR(desc)) @@ -959,10 +965,7 @@ struct gpio_desc *acpi_find_gpio(struct fwnode_handle *fwnode, acpi_gpio_update_gpiod_flags(dflags, &info); acpi_gpio_update_gpiod_lookup_flags(lookupflags, &info); - /* ACPI uses hundredths of milliseconds units */ - ret = gpio_set_debounce_timeout(desc, info.debounce * 10); - if (ret) - return ERR_PTR(ret); + acpi_gpio_set_debounce_timeout(desc, info.debounce); return desc; } -- 2.51.0

1 week, 3 days

4
6
0 0

[PATCH] drm: sti: fix device leaks at component probe

by Johan Hovold

Make sure to drop the references taken to the vtg devices by of_find_device_by_node() when looking up their driver data during component probe. Note that holding a reference to a platform device does not prevent its driver data from going away so there is no point in keeping the reference after the lookup helper returns. Fixes: cc6b741c6f63 ("drm: sti: remove useless fields from vtg structure") Cc: stable(a)vger.kernel.org # 4.16 Cc: Benjamin Gaignard <benjamin.gaignard(a)collabora.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/gpu/drm/sti/sti_vtg.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/sti/sti_vtg.c b/drivers/gpu/drm/sti/sti_vtg.c index ee81691b3203..ce6bc7e7b135 100644 --- a/drivers/gpu/drm/sti/sti_vtg.c +++ b/drivers/gpu/drm/sti/sti_vtg.c @@ -143,12 +143,17 @@ struct sti_vtg { struct sti_vtg *of_vtg_find(struct device_node *np) { struct platform_device *pdev; + struct sti_vtg *vtg; pdev = of_find_device_by_node(np); if (!pdev) return NULL; - return (struct sti_vtg *)platform_get_drvdata(pdev); + vtg = platform_get_drvdata(pdev); + + put_device(&pdev->dev); + + return vtg; } static void vtg_reset(struct sti_vtg *vtg) -- 2.49.1

1 week, 3 days

2
1
0 0

[PATCH v2] ASoC: mediatek: mt8365: Add check for devm_kcalloc() in mt8365_afe_suspend()

by Guangshuo Li

devm_kcalloc() may fail. mt8365_afe_suspend() uses afe->reg_back_up unconditionally after allocation and writes afe->reg_back_up[i], which can lead to a NULL pointer dereference under low-memory conditions. Add a NULL check and bail out with -ENOMEM, making sure to disable the main clock via the existing error path to keep clock state balanced. Fixes: e1991d102bc2 ("ASoC: mediatek: mt8365: Add the AFE driver support") Cc: stable(a)vger.kernel.org --- changelog: v2: - Return -ENOMEM directly on allocation failure without goto/label. - Disable the main clock before returning to keep clock state balanced. Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- sound/soc/mediatek/mt8365/mt8365-afe-pcm.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c b/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c index 10793bbe9275..55d832e05072 100644 --- a/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c +++ b/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c @@ -1975,11 +1975,15 @@ static int mt8365_afe_suspend(struct device *dev) mt8365_afe_enable_main_clk(afe); - if (!afe->reg_back_up) + if (!afe->reg_back_up) { afe->reg_back_up = devm_kcalloc(dev, afe->reg_back_up_list_num, - sizeof(unsigned int), GFP_KERNEL); - + sizeof(unsigned int), GFP_KERNEL); + if (!afe->reg_back_up) { + mt8365_afe_disable_main_clk(afe); + return -ENOMEM; + } + } for (i = 0; i < afe->reg_back_up_list_num; i++) regmap_read(regmap, afe->reg_back_up_list[i], &afe->reg_back_up[i]); -- 2.43.0

1 week, 3 days

2
1
0 0

[tip: x86/urgent] x86/Kconfig: Reenable PTDUMP on i386

by tip-bot2 for Alexander Popov

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: 4f115596133fa168bac06bb34c6efd8f4d84c22e Gitweb: https://git.kernel.org/tip/4f115596133fa168bac06bb34c6efd8f4d84c22e Author: Alexander Popov <alex.popov(a)linux.com> AuthorDate: Sun, 21 Sep 2025 23:58:15 +03:00 Committer: Borislav Petkov (AMD) <bp(a)alien8.de> CommitterDate: Mon, 22 Sep 2025 14:40:17 +02:00 x86/Kconfig: Reenable PTDUMP on i386 The commit f9aad622006bd64c ("mm: rename GENERIC_PTDUMP and PTDUMP_CORE") has broken PTDUMP and the Kconfig options that use it on ARCH=i386, including CONFIG_DEBUG_WX. CONFIG_GENERIC_PTDUMP was renamed into CONFIG_ARCH_HAS_PTDUMP, but it was mistakenly moved from "config X86" to "config X86_64". That made PTDUMP unavailable for i386. Move CONFIG_ARCH_HAS_PTDUMP back to "config X86" to fix it. [ bp: Massage commit message. ] Fixes: f9aad622006bd64c ("mm: rename GENERIC_PTDUMP and PTDUMP_CORE") Signed-off-by: Alexander Popov <alex.popov(a)linux.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Cc: stable(a)vger.kernel.org --- arch/x86/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 52c8910..0588030 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -26,7 +26,6 @@ config X86_64 depends on 64BIT # Options that are inherently 64-bit kernel only: select ARCH_HAS_GIGANTIC_PAGE - select ARCH_HAS_PTDUMP select ARCH_SUPPORTS_MSEAL_SYSTEM_MAPPINGS select ARCH_SUPPORTS_INT128 if CC_HAS_INT128 select ARCH_SUPPORTS_PER_VMA_LOCK @@ -99,6 +98,7 @@ config X86 select ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE select ARCH_HAS_PMEM_API if X86_64 select ARCH_HAS_PREEMPT_LAZY + select ARCH_HAS_PTDUMP select ARCH_HAS_PTE_SPECIAL select ARCH_HAS_HW_PTE_YOUNG select ARCH_HAS_NONLEAF_PMD_YOUNG if PGTABLE_LEVELS > 2

1 week, 3 days

1
0
0 0

[PATCH] powerpc/smp: Add check for kcalloc() in parse_thread_groups()

by Guangshuo Li

As kcalloc() may fail, check its return value to avoid a NULL pointer dereference when passing it to of_property_read_u32_array(). Fixes: 790a1662d3a26 ("powerpc/smp: Parse ibm,thread-groups with multiple properties") Cc: stable(a)vger.kernel.org Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- arch/powerpc/kernel/smp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c index 5ac7084eebc0..2da064e00d0d 100644 --- a/arch/powerpc/kernel/smp.c +++ b/arch/powerpc/kernel/smp.c @@ -822,6 +822,9 @@ static int parse_thread_groups(struct device_node *dn, count = of_property_count_u32_elems(dn, "ibm,thread-groups"); thread_group_array = kcalloc(count, sizeof(u32), GFP_KERNEL); + if (!thread_group_array) + return -ENOMEM; + ret = of_property_read_u32_array(dn, "ibm,thread-groups", thread_group_array, count); if (ret) -- 2.43.0

1 week, 3 days

1
0
0 0

[PATCH] scsi: dc395x: correctly discard the return value in certain reads

by Xinhui Yang

There are certain read operations performed in this code which doesn't really don't need its return value. Those read operations either clears the FIFO buffer, or clears the interruption status. However, unused read triggers compiler warnings. With CONFIG_WERROR on, these warnings get converted into errors: drivers/scsi/dc395x.c: In function ‘__dc395x_eh_bus_reset’: drivers/scsi/dc395x.c:97:49: error: value computed is not used [-Werror=unused-value] 97 | #define DC395x_read8(acb,address) (u8)(inb(acb->io_port_base + (address))) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/dc395x.c:1003:9: note: in expansion of macro ‘DC395x_read8’ 1003 | DC395x_read8(acb, TRM_S1040_SCSI_INTSTATUS); | ^~~~~~~~~~~~ drivers/scsi/dc395x.c: In function ‘data_io_transfer’: drivers/scsi/dc395x.c:97:49: error: value computed is not used [-Werror=unused-value] 97 | #define DC395x_read8(acb,address) (u8)(inb(acb->io_port_base + (address))) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/dc395x.c:2032:33: note: in expansion of macro ‘DC395x_read8’ 2032 | DC395x_read8(acb, TRM_S1040_SCSI_FIFO); Create a new macro DC395x_peek8() to deliberately cast the return value to void, which tells the compiler we really don't need the return value of such read operations. Signed-off-by: Xinhui Yang <cyan(a)cyano.uk> --- drivers/scsi/dc395x.c | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c index 386c8359e1cc..013d0d5277d6 100644 --- a/drivers/scsi/dc395x.c +++ b/drivers/scsi/dc395x.c @@ -91,15 +91,21 @@ #endif -#define DC395x_LOCK_IO(dev,flags) spin_lock_irqsave(((struct Scsi_Host *)dev)->host_lock, flags) -#define DC395x_UNLOCK_IO(dev,flags) spin_unlock_irqrestore(((struct Scsi_Host *)dev)->host_lock, flags) +#define DC395x_LOCK_IO(dev, flags) spin_lock_irqsave(((struct Scsi_Host *)dev)->host_lock, flags) +#define DC395x_UNLOCK_IO(dev, flags) spin_unlock_irqrestore(((struct Scsi_Host *)dev)->host_lock, flags) -#define DC395x_read8(acb,address) (u8)(inb(acb->io_port_base + (address))) -#define DC395x_read16(acb,address) (u16)(inw(acb->io_port_base + (address))) -#define DC395x_read32(acb,address) (u32)(inl(acb->io_port_base + (address))) -#define DC395x_write8(acb,address,value) outb((value), acb->io_port_base + (address)) -#define DC395x_write16(acb,address,value) outw((value), acb->io_port_base + (address)) -#define DC395x_write32(acb,address,value) outl((value), acb->io_port_base + (address)) +/* + * read operations that may trigger side effects in the hardware, + * but the value can or should be discarded. + */ +#define DC395x_peek8(acb, address) ((void)(inb(acb->io_port_base + (address)))) +/* Normal read write operations goes here. */ +#define DC395x_read8(acb, address) ((u8) (inb(acb->io_port_base + (address)))) +#define DC395x_read16(acb, address) ((u16) (inw(acb->io_port_base + (address)))) +#define DC395x_read32(acb, address) ((u32) (inl(acb->io_port_base + (address)))) +#define DC395x_write8(acb, address, value) (outb((value), acb->io_port_base + (address))) +#define DC395x_write16(acb, address, value) (outw((value), acb->io_port_base + (address))) +#define DC395x_write32(acb, address, value) (outl((value), acb->io_port_base + (address))) #define TAG_NONE 255 @@ -1000,7 +1006,7 @@ static int __dc395x_eh_bus_reset(struct scsi_cmnd *cmd) DC395x_write8(acb, TRM_S1040_DMA_CONTROL, CLRXFIFO); clear_fifo(acb, "eh_bus_reset"); /* Delete pending IRQ */ - DC395x_read8(acb, TRM_S1040_SCSI_INTSTATUS); + DC395x_peek8(acb, TRM_S1040_SCSI_INTSTATUS); set_basic_config(acb); reset_dev_param(acb); @@ -2029,8 +2035,8 @@ static void data_io_transfer(struct AdapterCtlBlk *acb, DC395x_write8(acb, TRM_S1040_SCSI_CONFIG2, CFG2_WIDEFIFO); if (io_dir & DMACMD_DIR) { - DC395x_read8(acb, TRM_S1040_SCSI_FIFO); - DC395x_read8(acb, TRM_S1040_SCSI_FIFO); + DC395x_peek8(acb, TRM_S1040_SCSI_FIFO); + DC395x_peek8(acb, TRM_S1040_SCSI_FIFO); } else { /* Danger, Robinson: If you find KGs * scattered over the wide disk, the driver @@ -2044,7 +2050,7 @@ static void data_io_transfer(struct AdapterCtlBlk *acb, /* Danger, Robinson: If you find a collection of Ks on your disk * something broke :-( */ if (io_dir & DMACMD_DIR) - DC395x_read8(acb, TRM_S1040_SCSI_FIFO); + DC395x_peek8(acb, TRM_S1040_SCSI_FIFO); else DC395x_write8(acb, TRM_S1040_SCSI_FIFO, 'K'); } @@ -2892,7 +2898,7 @@ static void set_basic_config(struct AdapterCtlBlk *acb) DMA_FIFO_HALF_HALF | DMA_ENHANCE /*| DMA_MEM_MULTI_READ */ ; DC395x_write16(acb, TRM_S1040_DMA_CONFIG, wval); /* Clear pending interrupt status */ - DC395x_read8(acb, TRM_S1040_SCSI_INTSTATUS); + DC395x_peek8(acb, TRM_S1040_SCSI_INTSTATUS); /* Enable SCSI interrupt */ DC395x_write8(acb, TRM_S1040_SCSI_INTEN, 0x7F); DC395x_write8(acb, TRM_S1040_DMA_INTEN, EN_SCSIINTR | EN_DMAXFERERROR @@ -3799,7 +3805,7 @@ static void adapter_uninit_chip(struct AdapterCtlBlk *acb) reset_scsi_bus(acb); /* clear any pending interrupt state */ - DC395x_read8(acb, TRM_S1040_SCSI_INTSTATUS); + DC395x_peek8(acb, TRM_S1040_SCSI_INTSTATUS); } -- 2.51.0

1 week, 3 days

2
1
0 0

[PATCH v2] gpiolib: Extend software-node support to support secondary software-nodes

by Hans de Goede

When a software-node gets added to a device which already has another fwnode as primary node it will become the secondary fwnode for that device. Currently if a software-node with GPIO properties ends up as the secondary fwnode then gpiod_find_by_fwnode() will fail to find the GPIOs. Add a new gpiod_fwnode_lookup() helper which falls back to calling gpiod_find_by_fwnode() with the secondary fwnode if the GPIO was not found in the primary fwnode. Fixes: e7f9ff5dc90c ("gpiolib: add support for software nodes") Cc: stable(a)vger.kernel.org Cc: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Signed-off-by: Hans de Goede <hansg(a)kernel.org> --- Changes in v2: - Add a new gpiod_fwnode_lookup() helper instead of putting the secondary fwnode check inside gpiod_find_by_fwnode() --- drivers/gpio/gpiolib.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index 0d2b470a252e..74d54513730a 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -4604,6 +4604,23 @@ static struct gpio_desc *gpiod_find_by_fwnode(struct fwnode_handle *fwnode, return desc; } +static struct gpio_desc *gpiod_fwnode_lookup(struct fwnode_handle *fwnode, + struct device *consumer, + const char *con_id, + unsigned int idx, + enum gpiod_flags *flags, + unsigned long *lookupflags) +{ + struct gpio_desc *desc; + + desc = gpiod_find_by_fwnode(fwnode, consumer, con_id, idx, flags, lookupflags); + if (gpiod_not_found(desc) && !IS_ERR_OR_NULL(fwnode)) + desc = gpiod_find_by_fwnode(fwnode->secondary, consumer, con_id, + idx, flags, lookupflags); + + return desc; +} + struct gpio_desc *gpiod_find_and_request(struct device *consumer, struct fwnode_handle *fwnode, const char *con_id, @@ -4622,8 +4639,8 @@ struct gpio_desc *gpiod_find_and_request(struct device *consumer, int ret = 0; scoped_guard(srcu, &gpio_devices_srcu) { - desc = gpiod_find_by_fwnode(fwnode, consumer, con_id, idx, - &flags, &lookupflags); + desc = gpiod_fwnode_lookup(fwnode, consumer, con_id, idx, + &flags, &lookupflags); if (gpiod_not_found(desc) && platform_lookup_allowed) { /* * Either we are not using DT or ACPI, or their lookup -- 2.51.0

1 week, 3 days

4
4
0 0

Re: "loop: Avoid updating block size under exclusive owner" breaks on 6.6.103

by Jan Kara

On Wed 17-09-25 11:18:50, Eric Hagberg wrote: > I stumbled across a problem where the 6.6.103 kernel will fail when > running the ioctl_loop06 test from the LTP test suite... and worse > than failing the test, it leaves the system in a state where you can't > run "losetup -a" again because the /dev/loopN device that the test > created and failed the test on... hangs in a LOOP_GET_STATUS64 ioctl. > > It also leaves the system in a state where you can't re-kexec into a > copy of the kernel as it gets completely hung at the point where it > says "starting Reboot via kexec"... Thanks for the report! Please report issues with stable kernels to stable(a)vger.kernel.org (CCed now) because they can act on them. > If I revert just that patch from 6.6.103 (or newer) kernels, then the > test succeeds and doesn't leave the host in a bad state. The patch > applied to 6.12 doesn't cause this problem, but I also see that there > are quite a few other changes to the loop subsystem in 6.12 that never > made it to 6.6. > > For now, I'll probably just revert your patch in my 6.6 kernel builds, > but I wouldn't be surprised if others stumble across this issue as > well, so maybe it should be reverted or fixed some other way. Yes, I think revert from 6.6 stable kernel is warranted (unless somebody has time to figure out what else is missing to make the patch work with that stable branch). Honza -- Jan Kara <jack(a)suse.com> SUSE Labs, CR

1 week, 3 days

3
3
0 0

Check this out at Amazon

by Info Marketing

THE HOUSEMAID UNDER CONTRACT https://rb.gy/2xfnv3

1 week, 3 days

1
0
0 0

Re: Patch "x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT" has been added to the 6.12-stable tree

by Tom Lendacky

On 9/22/25 00:52, gregkh(a)linuxfoundation.org wrote: > > This is a note to let you know that I've just added the patch titled > > x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT > > to the 6.12-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > x86-sev-guard-sev_evict_cache-with-config_amd_mem_encrypt.patch > and it can be found in the queue-6.12 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Maybe I didn't use the tag correctly, but I put 6.16.x on the stable tag to indicate that the patch only applied to 6.16 and above. Before 6.16, there isn't a stub version of the function, so all off those releases are fine. So this patch doesn't need to be part of the 6.12 stable tree. Thanks, Tom > > > From stable+bounces-180849-greg=kroah.com(a)vger.kernel.org Mon Sep 22 01:18:07 2025 > From: Sasha Levin <sashal(a)kernel.org> > Date: Sun, 21 Sep 2025 19:17:59 -0400 > Subject: x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT > To: stable(a)vger.kernel.org > Cc: Tom Lendacky <thomas.lendacky(a)amd.com>, "Borislav Petkov (AMD)" <bp(a)alien8.de>, stable(a)kernel.org, Sasha Levin <sashal(a)kernel.org> > Message-ID: <20250921231759.3033314-1-sashal(a)kernel.org> > > From: Tom Lendacky <thomas.lendacky(a)amd.com> > > [ Upstream commit 7f830e126dc357fc086905ce9730140fd4528d66 ] > > The sev_evict_cache() is guest-related code and should be guarded by > CONFIG_AMD_MEM_ENCRYPT, not CONFIG_KVM_AMD_SEV. > > CONFIG_AMD_MEM_ENCRYPT=y is required for a guest to run properly as an SEV-SNP > guest, but a guest kernel built with CONFIG_KVM_AMD_SEV=n would get the stub > function of sev_evict_cache() instead of the version that performs the actual > eviction. Move the function declarations under the appropriate #ifdef. > > Fixes: 7b306dfa326f ("x86/sev: Evict cache lines during SNP memory validation") > Signed-off-by: Tom Lendacky <thomas.lendacky(a)amd.com> > Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> > Cc: stable(a)kernel.org # 6.16.x > Link: https://lore.kernel.org/r/70e38f2c4a549063de54052c9f64929705313526.17577089… > [ Move sev_evict_cache() out of shared.c ] > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> > --- > arch/x86/coco/sev/shared.c | 18 ------------------ > arch/x86/include/asm/sev.h | 19 +++++++++++++++++++ > 2 files changed, 19 insertions(+), 18 deletions(-) > > --- a/arch/x86/coco/sev/shared.c > +++ b/arch/x86/coco/sev/shared.c > @@ -1243,24 +1243,6 @@ static void svsm_pval_terminate(struct s > __pval_terminate(pfn, action, page_size, ret, svsm_ret); > } > > -static inline void sev_evict_cache(void *va, int npages) > -{ > - volatile u8 val __always_unused; > - u8 *bytes = va; > - int page_idx; > - > - /* > - * For SEV guests, a read from the first/last cache-lines of a 4K page > - * using the guest key is sufficient to cause a flush of all cache-lines > - * associated with that 4K page without incurring all the overhead of a > - * full CLFLUSH sequence. > - */ > - for (page_idx = 0; page_idx < npages; page_idx++) { > - val = bytes[page_idx * PAGE_SIZE]; > - val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1]; > - } > -} > - > static void svsm_pval_4k_page(unsigned long paddr, bool validate) > { > struct svsm_pvalidate_call *pc; > --- a/arch/x86/include/asm/sev.h > +++ b/arch/x86/include/asm/sev.h > @@ -400,6 +400,24 @@ u64 sev_get_status(void); > void sev_show_status(void); > void snp_update_svsm_ca(void); > > +static inline void sev_evict_cache(void *va, int npages) > +{ > + volatile u8 val __always_unused; > + u8 *bytes = va; > + int page_idx; > + > + /* > + * For SEV guests, a read from the first/last cache-lines of a 4K page > + * using the guest key is sufficient to cause a flush of all cache-lines > + * associated with that 4K page without incurring all the overhead of a > + * full CLFLUSH sequence. > + */ > + for (page_idx = 0; page_idx < npages; page_idx++) { > + val = bytes[page_idx * PAGE_SIZE]; > + val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1]; > + } > +} > + > #else /* !CONFIG_AMD_MEM_ENCRYPT */ > > #define snp_vmpl 0 > @@ -435,6 +453,7 @@ static inline u64 snp_get_unsupported_fe > static inline u64 sev_get_status(void) { return 0; } > static inline void sev_show_status(void) { } > static inline void snp_update_svsm_ca(void) { } > +static inline void sev_evict_cache(void *va, int npages) {} > > #endif /* CONFIG_AMD_MEM_ENCRYPT */ > > > > Patches currently in stable-queue which might be from sashal(a)kernel.org are > > queue-6.12/mptcp-tfo-record-deny-join-id0-info.patch > queue-6.12/crypto-af_alg-set-merge-to-zero-early-in-af_alg_send.patch > queue-6.12/asoc-wm8940-correct-pll-rate-rounding.patch > queue-6.12/um-virtio_uml-fix-use-after-free-after-put_device-in.patch > queue-6.12/x86-sev-guard-sev_evict_cache-with-config_amd_mem_encrypt.patch > queue-6.12/mptcp-pm-nl-announce-deny-join-id0-flag.patch > queue-6.12/drm-bridge-anx7625-fix-null-pointer-dereference-with.patch > queue-6.12/asoc-sof-intel-hda-stream-fix-incorrect-variable-use.patch > queue-6.12/qed-don-t-collect-too-many-protection-override-grc-e.patch > queue-6.12/dpaa2-switch-fix-buffer-pool-seeding-for-control-tra.patch > queue-6.12/nvme-fix-pi-insert-on-write.patch > queue-6.12/xhci-dbc-fix-full-dbc-transfer-ring-after-several-reconnects.patch > queue-6.12/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch > queue-6.12/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch > queue-6.12/wifi-mac80211-increase-scan_ies_len-for-s1g.patch > queue-6.12/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch > queue-6.12/usb-xhci-remove-option-to-change-a-default-ring-s-trb-cycle-bit.patch > queue-6.12/btrfs-fix-invalid-extref-key-setup-when-replaying-de.patch > queue-6.12/io_uring-fix-incorrect-io_kiocb-reference-in-io_link.patch > queue-6.12/ice-fix-rx-page-leak-on-multi-buffer-frames.patch > queue-6.12/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch > queue-6.12/drm-xe-tile-release-kobject-for-the-failure-path.patch > queue-6.12/wifi-mac80211-fix-incorrect-type-for-ret.patch > queue-6.12/smb-client-fix-smbdirect_recv_io-leak-in-smbd_negoti.patch > queue-6.12/net-mlx5e-harden-uplink-netdev-access-against-device.patch > queue-6.12/usb-xhci-introduce-macro-for-ring-segment-list-iteration.patch > queue-6.12/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch > queue-6.12/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch > queue-6.12/net-tcp-fix-a-null-pointer-dereference-when-using-tc.patch > queue-6.12/drm-bridge-cdns-mhdp8546-fix-missing-mutex-unlock-on.patch > queue-6.12/ice-store-max_frame-and-rx_buf_len-only-in-ice_rx_ri.patch > queue-6.12/selftests-mptcp-userspace-pm-validate-deny-join-id0-.patch > queue-6.12/bonding-set-random-address-only-when-slaves-already-.patch > queue-6.12/drm-xe-fix-a-null-vs-is_err-in-xe_vm_add_compute_exe.patch > queue-6.12/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch > queue-6.12/mm-gup-check-ref_count-instead-of-lru-before-migration.patch > queue-6.12/tls-make-sure-to-abort-the-stream-if-headers-are-bog.patch > queue-6.12/um-fix-fd-copy-size-in-os_rcv_fd_msg.patch > queue-6.12/smb-client-let-smbd_destroy-call-disable_work_sync-i.patch > queue-6.12/bonding-don-t-set-oif-to-bond-dev-when-getting-ns-ta.patch > queue-6.12/xhci-dbc-decouple-endpoint-allocation-from-initialization.patch > queue-6.12/mptcp-set-remote_deny_join_id0-on-syn-recv.patch > queue-6.12/octeontx2-pf-fix-use-after-free-bugs-in-otx2_sync_ts.patch > queue-6.12/smb-client-fix-filename-matching-of-deferred-files.patch > queue-6.12/igc-don-t-fail-igc_probe-on-led-setup-error.patch > queue-6.12/octeon_ep-fix-vf-mac-address-lifecycle-handling.patch > queue-6.12/selftests-mptcp-sockopt-fix-error-messages.patch > queue-6.12/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch > queue-6.12/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch > queue-6.12/asoc-wm8974-correct-pll-rate-rounding.patch > queue-6.12/mm-add-folio_expected_ref_count-for-reference-count-calculation.patch > queue-6.12/wifi-wilc1000-avoid-buffer-overflow-in-wid-string-co.patch > queue-6.12/asoc-intel-catpt-expose-correct-bit-depth-to-userspa.patch > queue-6.12/asoc-wm8940-correct-typo-in-control-name.patch > queue-6.12/perf-x86-intel-fix-crash-in-icl_update_topdown_event.patch

1 week, 3 days

2
1
0 0

[PATCH v2 3/3] PCI: tegra194: Handle errors in BPMP response

by Niklas Cassel

From: Vidya Sagar <vidyas(a)nvidia.com> The return value from tegra_bpmp_transfer() indicates the success or failure of the IPC transaction with BPMP. If the transaction succeeded, we also need to check the actual command's result code. If we don't have error handling for tegra_bpmp_transfer(), we will set the pcie->ep_state to EP_STATE_ENABLED (even though the tegra_bpmp_transfer() command failed). Thus, the pcie->ep_state will get out of sync with reality, and any further PERST# assert + deassert will be a no-op (will not trigger the hardware initialization sequence). This is because pex_ep_event_pex_rst_deassert() checks the current pcie->ep_state, and does nothing if the current state is already EP_STATE_ENABLED. Thus, it is important to have error handling for tegra_bpmp_transfer(), such that the pcie->ep_state can not get out of sync with reality, so that we will try to initialize the hardware not only during the first PERST# assert + deassert, but also during any succeeding PERST# assert + deassert. One example where this fix is needed is when using a rock5b as host. During the initial PERST# assert + deassert (triggered by the bootloader on the rock5b) pex_ep_event_pex_rst_deassert() will get called, but for some unknown reason, the tegra_bpmp_transfer() call to initialize the PHY fails. Once Linux has been loaded on the rock5b, the PCIe driver will once again assert + deassert PERST#. However, without tegra_bpmp_transfer() error handling, this second PERST# assert + deassert will not trigger the hardware initialization sequence. With tegra_bpmp_transfer() error handling, the second PERST# assert + deassert will once again trigger the hardware to be initialized and this time the tegra_bpmp_transfer() succeeds. Cc: stable(a)vger.kernel.org Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194") Signed-off-by: Vidya Sagar <vidyas(a)nvidia.com> [cassel: improve commit log] Reviewed-by: Jon Hunter <jonathanh(a)nvidia.com> Acked-by: Thierry Reding <treding(a)nvidia.com> Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- drivers/pci/controller/dwc/pcie-tegra194.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c index 7eb48cc13648e..c4265b3f72048 100644 --- a/drivers/pci/controller/dwc/pcie-tegra194.c +++ b/drivers/pci/controller/dwc/pcie-tegra194.c @@ -1223,6 +1223,7 @@ static int tegra_pcie_bpmp_set_ctrl_state(struct tegra_pcie_dw *pcie, struct mrq_uphy_response resp; struct tegra_bpmp_message msg; struct mrq_uphy_request req; + int err; /* * Controller-5 doesn't need to have its state set by BPMP-FW in @@ -1245,7 +1246,13 @@ static int tegra_pcie_bpmp_set_ctrl_state(struct tegra_pcie_dw *pcie, msg.rx.data = &resp; msg.rx.size = sizeof(resp); - return tegra_bpmp_transfer(pcie->bpmp, &msg); + err = tegra_bpmp_transfer(pcie->bpmp, &msg); + if (err) + return err; + if (msg.rx.ret) + return -EINVAL; + + return 0; } static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie, @@ -1254,6 +1261,7 @@ static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie, struct mrq_uphy_response resp; struct tegra_bpmp_message msg; struct mrq_uphy_request req; + int err; memset(&req, 0, sizeof(req)); memset(&resp, 0, sizeof(resp)); @@ -1273,7 +1281,13 @@ static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie, msg.rx.data = &resp; msg.rx.size = sizeof(resp); - return tegra_bpmp_transfer(pcie->bpmp, &msg); + err = tegra_bpmp_transfer(pcie->bpmp, &msg); + if (err) + return err; + if (msg.rx.ret) + return -EINVAL; + + return 0; } static void tegra_pcie_downstream_dev_to_D0(struct tegra_pcie_dw *pcie) -- 2.51.0

1 week, 3 days

1
0
0 0

[PATCH v2 2/3] PCI: tegra194: Reset BARs when running in PCIe endpoint mode

by Niklas Cassel

Tegra already defines all BARs expect for BAR0 as BAR_RESERVED. This is sufficient for pci-epf-test to not allocate backing memory and to not call set_bar() for those BARs. However, marking a BAR as BAR_RESERVED does not mean that the BAR get disabled. The host side driver, pci_endpoint_test, simply does an ioremap for all enabled BARs, and will run tests against all enabled BARs. (I.e. it will run tests also against the BARs marked as BAR_RESERVED.) After running the BARs tests (which will write to all enabled BARs), the inbound address translation is broken. This is because the tegra controller exposes the ATU Port Logic Structure in BAR4. So when BAR4 is written, the inbound address translation settings get overwritten. To avoid this, implement the dw_pcie_ep_ops .init() callback and start off by disabling all BARs (pci-epf-test will later enable/configure BARs that are not defined as BAR_RESERVED). This matches the behavior of other PCIe endpoint drivers: dra7xx, imx6, layerscape-ep, artpec6, dw-rockchip, qcom-ep, rcar-gen4, and uniphier-ep. With this, the PCI endpoint kselftest test case CONSECUTIVE_BAR_TEST (which was specifically made to detect address translation issues) passes. Cc: stable(a)vger.kernel.org Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194") Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- drivers/pci/controller/dwc/pcie-tegra194.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c index 63d310e5335f4..7eb48cc13648e 100644 --- a/drivers/pci/controller/dwc/pcie-tegra194.c +++ b/drivers/pci/controller/dwc/pcie-tegra194.c @@ -1955,6 +1955,15 @@ static irqreturn_t tegra_pcie_ep_pex_rst_irq(int irq, void *arg) return IRQ_HANDLED; } +static void tegra_pcie_ep_init(struct dw_pcie_ep *ep) +{ + struct dw_pcie *pci = to_dw_pcie_from_ep(ep); + enum pci_barno bar; + + for (bar = 0; bar < PCI_STD_NUM_BARS; bar++) + dw_pcie_ep_reset_bar(pci, bar); +}; + static int tegra_pcie_ep_raise_intx_irq(struct tegra_pcie_dw *pcie, u16 irq) { /* Tegra194 supports only INTA */ @@ -2030,6 +2039,7 @@ tegra_pcie_ep_get_features(struct dw_pcie_ep *ep) } static const struct dw_pcie_ep_ops pcie_ep_ops = { + .init = tegra_pcie_ep_init, .raise_irq = tegra_pcie_ep_raise_irq, .get_features = tegra_pcie_ep_get_features, }; -- 2.51.0

1 week, 3 days

1
0
0 0

[PATCH] powerpc/Makefile: use $(objtree) for crtsavres.o

by A. Sverdlin

From: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> ... otherwise it could be problematic to build external modules: make[2]: Entering directory '.../kernel-module-hello-world' | CC [M] hello-world.o | MODPOST Module.symvers | CC [M] hello-world.mod.o | CC [M] .module-common.o | LD [M] hello-world.ko | powerpc-poky-linux-ld.bfd: cannot find arch/powerpc/lib/crtsavres.o: No such file or directory Fixes: da3de6df33f5 ("[POWERPC] Fix -Os kernel builds with newer gcc versions") Cc: stable(a)vger.kernel.org Signed-off-by: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> --- arch/powerpc/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile index 9753fb87217c3..a58b1029592ce 100644 --- a/arch/powerpc/Makefile +++ b/arch/powerpc/Makefile @@ -58,7 +58,7 @@ ifeq ($(CONFIG_PPC64)$(CONFIG_LD_IS_BFD),yy) # There is a corresponding test in arch/powerpc/lib/Makefile KBUILD_LDFLAGS_MODULE += --save-restore-funcs else -KBUILD_LDFLAGS_MODULE += arch/powerpc/lib/crtsavres.o +KBUILD_LDFLAGS_MODULE += $(objtree)/arch/powerpc/lib/crtsavres.o endif ifdef CONFIG_CPU_LITTLE_ENDIAN -- 2.51.0

1 week, 3 days

3
2
0 0

[PATCH v2] staging: gpib: Fix device reference leak in fmh_gpib driver

by Ma Ke

The fmh_gpib driver contains a device reference count leak in fmh_gpib_attach_impl() where driver_find_device() increases the reference count of the device by get_device() when matching but this reference is not properly decreased. Add put_device() in fmh_gpib_attach_impl() and add put_device() in fmh_gpib_detach(), which ensures that the reference count of the device is correctly managed. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 8e4841a0888c ("staging: gpib: Add Frank Mori Hess FPGA PCI GPIB driver") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - modified the free operations as suggestions. Thanks for dan carpenter's instructions. --- drivers/staging/gpib/fmh_gpib/fmh_gpib.c | 66 +++++++++++++++++++----- 1 file changed, 54 insertions(+), 12 deletions(-) diff --git a/drivers/staging/gpib/fmh_gpib/fmh_gpib.c b/drivers/staging/gpib/fmh_gpib/fmh_gpib.c index 4138f3d2bae7..f5be24b44238 100644 --- a/drivers/staging/gpib/fmh_gpib/fmh_gpib.c +++ b/drivers/staging/gpib/fmh_gpib/fmh_gpib.c @@ -1396,7 +1396,7 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar retval = fmh_gpib_generic_attach(board); if (retval) - return retval; + goto err_put_device; e_priv = board->private_data; nec_priv = &e_priv->nec7210_priv; @@ -1404,14 +1404,16 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "gpib_control_status"); if (!res) { dev_err(board->dev, "Unable to locate mmio resource\n"); - return -ENODEV; + retval = -ENODEV; + goto err_generic_detach; } if (request_mem_region(res->start, resource_size(res), pdev->name) == NULL) { dev_err(board->dev, "cannot claim registers\n"); - return -ENXIO; + retval = -ENXIO; + goto err_generic_detach; } e_priv->gpib_iomem_res = res; @@ -1419,7 +1421,8 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar resource_size(e_priv->gpib_iomem_res)); if (!nec_priv->mmiobase) { dev_err(board->dev, "Could not map I/O memory\n"); - return -ENOMEM; + retval = -ENOMEM; + goto err_release_mmio_region; } dev_dbg(board->dev, "iobase %pr remapped to %p\n", e_priv->gpib_iomem_res, nec_priv->mmiobase); @@ -1427,34 +1430,41 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "dma_fifos"); if (!res) { dev_err(board->dev, "Unable to locate mmio resource for gpib dma port\n"); - return -ENODEV; + retval = -ENODEV; + goto err_iounmap_mmio; } if (request_mem_region(res->start, resource_size(res), pdev->name) == NULL) { dev_err(board->dev, "cannot claim registers\n"); - return -ENXIO; + retval = -ENXIO; + goto err_iounmap_mmio; } e_priv->dma_port_res = res; + e_priv->fifo_base = ioremap(e_priv->dma_port_res->start, resource_size(e_priv->dma_port_res)); if (!e_priv->fifo_base) { dev_err(board->dev, "Could not map I/O memory for fifos\n"); - return -ENOMEM; + retval = -ENOMEM; + goto err_release_dma_region; } dev_dbg(board->dev, "dma fifos 0x%lx remapped to %p, length=%ld\n", (unsigned long)e_priv->dma_port_res->start, e_priv->fifo_base, (unsigned long)resource_size(e_priv->dma_port_res)); irq = platform_get_irq(pdev, 0); - if (irq < 0) - return -EBUSY; + if (irq < 0) { + retval = -EBUSY; + goto err_iounmap_fifo; + } + retval = request_irq(irq, fmh_gpib_interrupt, IRQF_SHARED, pdev->name, board); if (retval) { dev_err(board->dev, "cannot register interrupt handler err=%d\n", retval); - return retval; + goto err_iounmap_fifo; } e_priv->irq = irq; @@ -1462,9 +1472,11 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar e_priv->dma_channel = dma_request_slave_channel(board->dev, "rxtx"); if (!e_priv->dma_channel) { dev_err(board->dev, "failed to acquire dma channel \"rxtx\".\n"); - return -EIO; + retval = -EIO; + goto err_free_irq; } } + /* * in the future we might want to know the half-fifo size * (dma_burst_length) even when not using dma, so go ahead an @@ -1473,7 +1485,32 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar e_priv->dma_burst_length = fifos_read(e_priv, FIFO_MAX_BURST_LENGTH_REG) & fifo_max_burst_length_mask; - return fmh_gpib_init(e_priv, board, handshake_mode); + retval = fmh_gpib_init(e_priv, board, handshake_mode); + if (retval) + goto err_release_dma; + + return 0; + +err_release_dma: + if (acquire_dma && e_priv->dma_channel) + dma_release_channel(e_priv->dma_channel); +err_free_irq: + free_irq(irq, board); +err_iounmap_fifo: + iounmap(e_priv->fifo_base); +err_release_dma_region: + release_mem_region(e_priv->dma_port_res->start, + resource_size(e_priv->dma_port_res)); +err_iounmap_mmio: + iounmap(nec_priv->mmiobase); +err_release_mmio_region: + release_mem_region(e_priv->gpib_iomem_res->start, + resource_size(e_priv->gpib_iomem_res)); +err_generic_detach: + fmh_gpib_generic_detach(board); +err_put_device: + put_device(board->dev); + return retval; } int fmh_gpib_attach_holdoff_all(struct gpib_board *board, const struct gpib_board_config *config) @@ -1517,6 +1554,11 @@ void fmh_gpib_detach(struct gpib_board *board) resource_size(e_priv->gpib_iomem_res)); } fmh_gpib_generic_detach(board); + + if (board->dev) { + put_device(board->dev); + board->dev = NULL; + } } static int fmh_gpib_pci_attach_impl(struct gpib_board *board, -- 2.17.1

1 week, 3 days

2
2
0 0

[PATCH] fs: udf: fix OOB read in lengthAllocDescs handling

by Larshin Sergey

When parsing Allocation Extent Descriptor, lengthAllocDescs comes from on-disk data and must be validated against the block size. Crafted or corrupted images may set lengthAllocDescs so that the total descriptor length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and trigger a KASAN use-after-free read. BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309 CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261 udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179 extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46 udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106 udf_release_file+0xc1/0x120 fs/udf/file.c:185 __fput+0x23f/0x880 fs/file_table.c:431 task_work_run+0x24f/0x310 kernel/task_work.c:239 exit_task_work include/linux/task_work.h:43 [inline] do_exit+0xa2f/0x28e0 kernel/exit.c:939 do_group_exit+0x207/0x2c0 kernel/exit.c:1088 __do_sys_exit_group kernel/exit.c:1099 [inline] __se_sys_exit_group kernel/exit.c:1097 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Validate the computed total length against epos->bh->b_size. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Reported-by: syzbot+8743fca924afed42f93e(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=8743fca924afed42f93e Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Larshin Sergey <Sergey.Larshin(a)kaspersky.com> --- fs/udf/inode.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/udf/inode.c b/fs/udf/inode.c index f24aa98e6869..a79d73f28aa7 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -2272,6 +2272,9 @@ int udf_current_aext(struct inode *inode, struct extent_position *epos, if (check_add_overflow(sizeof(struct allocExtDesc), le32_to_cpu(header->lengthAllocDescs), &alen)) return -1; + + if (alen > epos->bh->b_size) + return -1; } switch (iinfo->i_alloc_type) { -- 2.39.5

1 week, 3 days

2
1
0 0

[PATCH 00/27 5.10.y] Backport minmax.h updates from v6.17-rc6

by Eliav Farber

This series includes a total of 27 patches, to align minmax.h of v5.15.y with v6.17-rc6. The set consists of 24 commits that directly update minmax.h: 1) 92d23c6e9415 ("overflow, tracing: Define the is_signed_type() macro once") 2) 5efcecd9a3b1 ("minmax: sanity check constant bounds when clamping") 3) 2122e2a4efc2 ("minmax: clamp more efficiently by avoiding extra comparison") 4) f9bff0e31881 ("minmax: add in_range() macro") 5) c952c748c7a9 ("minmax: Introduce {min,max}_array()") 6) 5e57418a2031 ("minmax: deduplicate __unconst_integer_typeof()") 7) f6e9d38f8eb0 ("minmax: fix header inclusions") 8) d03eba99f5bf ("minmax: allow min()/max()/clamp() if the arguments have the same signedness.") 9) f4b84b2ff851 ("minmax: fix indentation of __cmp_once() and __clamp_once()") 10) 4ead534fba42 ("minmax: allow comparisons of 'int' against 'unsigned char/short'") 11) 867046cc7027 ("minmax: relax check to allow comparison between unsigned arguments and signed constants") 12) 3a7e02c040b1 ("minmax: avoid overly complicated constant expressions in VM code") 14) 017fa3e89187 ("minmax: simplify and clarify min_t()/max_t() implementation") 15) 1a251f52cfdc ("minmax: make generic MIN() and MAX() macros available everywhere") 18) dc1c8034e31b ("minmax: simplify min()/max()/clamp() implementation") 19) 22f546873149 ("minmax: improve macro expansion and type checking") 20) 21b136cc63d2 ("minmax: fix up min3() and max3() too") 21) 71ee9b16251e ("minmax.h: add whitespace around operators and after commas") 22) 10666e992048 ("minmax.h: update some comments") 23) b280bb27a9f7 ("minmax.h: reduce the #define expansion of min(), max() and clamp()") 24) a5743f32baec ("minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp()") 25) c3939872ee4a ("minmax.h: move all the clamp() definitions after the min/max() ones") 26) 495bba17cdf9 ("minmax.h: simplify the variants of clamp()") 27) 2b97aaf74ed5 ("minmax.h: remove some #defines that are only expanded once") 2 prerequisite commits that adjust users of MIN and MAX macros (to prevent compilation issues): 13) 4477b39c32fd ("minmax: add a few more MIN_T/MAX_T users") 17) cb04e8b1d2f2 ("minmax: don't use max() in situations that want a C constant expression") 1 additional commit introduced to resolve a build failures during the backport: 16) lib: zstd: drop local MIN/MAX macros in favor of generic ones The primary motivation is to bring in commit (8). In mainline, this change allows min()/max()/clamp() to accept mixed argument types when both share the same signedness. Backported patches to v5.10.y that use such forms trigger compiler warnings, which in turn cause build failures when -Werror is enabled. Originaly I aligned 5.10.y to 5.15.y, but David Laight commented that I need to pick up the later changes (from Linus) as well. Andy Shevchenko (2): minmax: deduplicate __unconst_integer_typeof() minmax: fix header inclusions Bart Van Assche (1): overflow, tracing: Define the is_signed_type() macro once David Laight (11): minmax: allow min()/max()/clamp() if the arguments have the same signedness. minmax: fix indentation of __cmp_once() and __clamp_once() minmax: allow comparisons of 'int' against 'unsigned char/short' minmax: relax check to allow comparison between unsigned arguments and signed constants minmax.h: add whitespace around operators and after commas minmax.h: update some comments minmax.h: reduce the #define expansion of min(), max() and clamp() minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp() minmax.h: move all the clamp() definitions after the min/max() ones minmax.h: simplify the variants of clamp() minmax.h: remove some #defines that are only expanded once Eliav Farber (1): lib: zstd: drop local MIN/MAX macros in favor of generic ones Herve Codina (1): minmax: Introduce {min,max}_array() Jason A. Donenfeld (2): minmax: sanity check constant bounds when clamping minmax: clamp more efficiently by avoiding extra comparison Linus Torvalds (8): minmax: avoid overly complicated constant expressions in VM code minmax: add a few more MIN_T/MAX_T users minmax: simplify and clarify min_t()/max_t() implementation minmax: make generic MIN() and MAX() macros available everywhere minmax: don't use max() in situations that want a C constant expression minmax: simplify min()/max()/clamp() implementation minmax: improve macro expansion and type checking minmax: fix up min3() and max3() too Matthew Wilcox (Oracle) (1): minmax: add in_range() macro arch/arm/mm/pageattr.c | 6 +- arch/um/drivers/mconsole_user.c | 2 + arch/x86/mm/pgtable.c | 2 +- drivers/edac/sb_edac.c | 4 +- drivers/edac/skx_common.h | 1 - .../drm/amd/display/modules/hdcp/hdcp_ddc.c | 2 + .../drm/amd/pm/powerplay/hwmgr/ppevvmath.h | 14 +- .../drm/arm/display/include/malidp_utils.h | 2 +- .../display/komeda/komeda_pipeline_state.c | 24 +- drivers/gpu/drm/drm_color_mgmt.c | 2 +- drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 6 - drivers/gpu/drm/radeon/evergreen_cs.c | 2 + drivers/hwmon/adt7475.c | 24 +- drivers/input/touchscreen/cyttsp4_core.c | 2 +- drivers/md/dm-integrity.c | 2 +- drivers/media/dvb-frontends/stv0367_priv.h | 3 + .../net/ethernet/chelsio/cxgb3/cxgb3_main.c | 18 +- .../net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- drivers/net/fjes/fjes_main.c | 4 +- drivers/nfc/pn544/i2c.c | 2 - drivers/platform/x86/sony-laptop.c | 1 - drivers/scsi/isci/init.c | 6 +- .../pci/hive_isp_css_include/math_support.h | 5 - fs/btrfs/misc.h | 2 - fs/btrfs/tree-checker.c | 2 +- fs/ext2/balloc.c | 2 - fs/ext4/ext4.h | 2 - fs/ufs/util.h | 6 - include/linux/compiler.h | 15 + include/linux/minmax.h | 267 ++++++++++++++---- include/linux/overflow.h | 1 - include/linux/trace_events.h | 2 - kernel/trace/preemptirq_delay_test.c | 2 - lib/btree.c | 1 - lib/decompress_unlzma.c | 2 + lib/logic_pio.c | 3 - lib/vsprintf.c | 2 +- lib/zstd/zstd_internal.h | 2 - mm/zsmalloc.c | 1 - net/ipv4/proc.c | 2 +- net/ipv6/proc.c | 2 +- net/netfilter/nf_nat_core.c | 6 +- net/tipc/core.h | 2 +- net/tipc/link.c | 10 +- 44 files changed, 306 insertions(+), 164 deletions(-) -- 2.47.3

1 week, 3 days

6
35
0 0

[PATCH] iommu/amd/pgtbl: Fix possible race while increase page table level

by Vasant Hegde

The AMD IOMMU host page table implementation supports dynamic page table levels (up to 6 levels), starting with a 3-level configuration that expands based on IOVA address. The kernel maintains a root pointer and current page table level to enable proper page table walks in alloc_pte()/fetch_pte() operations. The IOMMU IOVA allocator initially starts with 32-bit address and onces its exhuasted it switches to 64-bit address (max address is determined based on IOMMU and device DMA capability). To support larger IOVA, AMD IOMMU driver increases page table level. But in unmap path (iommu_v1_unmap_pages()), fetch_pte() reads pgtable->[root/mode] without lock. So its possible that in exteme corner case, when increase_address_space() is updating pgtable->[root/mode], fetch_pte() reads wrong page table level (pgtable->mode). It does compare the value with level encoded in page table and returns NULL. This will result is iommu_unmap ops to fail and upper layer may retry/log WARN_ON. CPU 0 CPU 1 ------ ------ map pages unmap pages alloc_pte() -> increase_address_space() iommu_v1_unmap_pages() -> fetch_pte() pgtable->root = pte (new root value) READ pgtable->[mode/root] Reads new root, old mode Updates mode (pgtable->mode += 1) Since Page table level updates are infrequent and already synchronized with a spinlock, implement seqcount to enable lock-free read operations on the read path. Reported-by: Alejandro Jimenez <alejandro.j.jimenez(a)oracle.com> Cc: stable(a)vger.kernel.org Cc: Joao Martins <joao.m.martins(a)oracle.com> Cc: Suravee Suthikulpanit <suravee.suthikulpanit(a)amd.com> Signed-off-by: Vasant Hegde <vasant.hegde(a)amd.com> --- drivers/iommu/amd/amd_iommu_types.h | 1 + drivers/iommu/amd/io_pgtable.c | 25 +++++++++++++++++++++---- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/drivers/iommu/amd/amd_iommu_types.h b/drivers/iommu/amd/amd_iommu_types.h index 5219d7ddfdaa..95f63c5f6159 100644 --- a/drivers/iommu/amd/amd_iommu_types.h +++ b/drivers/iommu/amd/amd_iommu_types.h @@ -555,6 +555,7 @@ struct gcr3_tbl_info { }; struct amd_io_pgtable { + seqcount_t seqcount; /* Protects root/mode update */ struct io_pgtable pgtbl; int mode; u64 *root; diff --git a/drivers/iommu/amd/io_pgtable.c b/drivers/iommu/amd/io_pgtable.c index a91e71f981ef..70c2f5b1631b 100644 --- a/drivers/iommu/amd/io_pgtable.c +++ b/drivers/iommu/amd/io_pgtable.c @@ -17,6 +17,7 @@ #include <linux/slab.h> #include <linux/types.h> #include <linux/dma-mapping.h> +#include <linux/seqlock.h> #include <asm/barrier.h> @@ -130,8 +131,11 @@ static bool increase_address_space(struct amd_io_pgtable *pgtable, *pte = PM_LEVEL_PDE(pgtable->mode, iommu_virt_to_phys(pgtable->root)); + write_seqcount_begin(&pgtable->seqcount); pgtable->root = pte; pgtable->mode += 1; + write_seqcount_end(&pgtable->seqcount); + amd_iommu_update_and_flush_device_table(domain); pte = NULL; @@ -153,6 +157,7 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, { unsigned long last_addr = address + (page_size - 1); struct io_pgtable_cfg *cfg = &pgtable->pgtbl.cfg; + unsigned int seqcount; int level, end_lvl; u64 *pte, *page; @@ -170,8 +175,14 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, } - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + + address = PAGE_SIZE_ALIGN(address, page_size); end_lvl = PAGE_SIZE_LEVEL(page_size); @@ -249,6 +260,7 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, unsigned long *page_size) { int level; + unsigned int seqcount; u64 *pte; *page_size = 0; @@ -256,8 +268,12 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, if (address > PM_LEVEL_SIZE(pgtable->mode)) return NULL; - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + *page_size = PTE_LEVEL_PAGE_SIZE(level); while (level > 0) { @@ -541,6 +557,7 @@ static struct io_pgtable *v1_alloc_pgtable(struct io_pgtable_cfg *cfg, void *coo if (!pgtable->root) return NULL; pgtable->mode = PAGE_MODE_3_LEVEL; + seqcount_init(&pgtable->seqcount); cfg->pgsize_bitmap = amd_iommu_pgsize_bitmap; cfg->ias = IOMMU_IN_ADDR_BIT_SIZE; -- 2.31.1

1 week, 3 days

3
5
0 0

[PATCH 0/7 6.12.y] Backport minmax.h updates from v6.17-rc7

by Eliav Farber

This series backports 7 patches to update minmax.h in the 6.12.y branch, aligning it with v6.17-rc7. The ultimate goal is to synchronize all longterm branches so that they include the full set of minmax.h changes. The key motivation is to bring in commit d03eba99f5bf ("minmax: allow min()/max()/clamp() if the arguments have the same signedness"), which is missing in older kernels. In mainline, this change enables min()/max()/clamp() to accept mixed argument types, provided both have the same signedness. Without it, backported patches that use these forms may trigger compiler warnings, which escalate to build failures when -Werror is enabled. David Laight (7): minmax.h: add whitespace around operators and after commas minmax.h: update some comments minmax.h: reduce the #define expansion of min(), max() and clamp() minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp() minmax.h: move all the clamp() definitions after the min/max() ones minmax.h: simplify the variants of clamp() minmax.h: remove some #defines that are only expanded once include/linux/minmax.h | 205 +++++++++++++++++++---------------------- 1 file changed, 95 insertions(+), 110 deletions(-) -- 2.47.3

1 week, 3 days

2
9
0 0

FAILED: patch "[PATCH] x86/cpu/topology: Always try cpu_parse_topology_ext() on" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x cba4262a19afae21665ee242b3404bcede5a94d7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025091431-craftily-size-46c6@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From cba4262a19afae21665ee242b3404bcede5a94d7 Mon Sep 17 00:00:00 2001 From: K Prateek Nayak <kprateek.nayak(a)amd.com> Date: Mon, 1 Sep 2025 17:04:15 +0000 Subject: [PATCH] x86/cpu/topology: Always try cpu_parse_topology_ext() on AMD/Hygon Support for parsing the topology on AMD/Hygon processors using CPUID leaf 0xb was added in 3986a0a805e6 ("x86/CPU/AMD: Derive CPU topology from CPUID function 0xB when available"). In an effort to keep all the topology parsing bits in one place, this commit also introduced a pseudo dependency on the TOPOEXT feature to parse the CPUID leaf 0xb. The TOPOEXT feature (CPUID 0x80000001 ECX[22]) advertises the support for Cache Properties leaf 0x8000001d and the CPUID leaf 0x8000001e EAX for "Extended APIC ID" however support for 0xb was introduced alongside the x2APIC support not only on AMD [1], but also historically on x86 [2]. Similar to 0xb, the support for extended CPU topology leaf 0x80000026 too does not depend on the TOPOEXT feature. The support for these leaves is expected to be confirmed by ensuring leaf <= {extended_}cpuid_level and then parsing the level 0 of the respective leaf to confirm EBX[15:0] (LogProcAtThisLevel) is non-zero as stated in the definition of "CPUID_Fn0000000B_EAX_x00 [Extended Topology Enumeration] (Core::X86::Cpuid::ExtTopEnumEax0)" in Processor Programming Reference (PPR) for AMD Family 19h Model 01h Rev B1 Vol1 [3] Sec. 2.1.15.1 "CPUID Instruction Functions". This has not been a problem on baremetal platforms since support for TOPOEXT (Fam 0x15 and later) predates the support for CPUID leaf 0xb (Fam 0x17[Zen2] and later), however, for AMD guests on QEMU, the "x2apic" feature can be enabled independent of the "topoext" feature where QEMU expects topology and the initial APICID to be parsed using the CPUID leaf 0xb (especially when number of cores > 255) which is populated independent of the "topoext" feature flag. Unconditionally call cpu_parse_topology_ext() on AMD and Hygon processors to first parse the topology using the XTOPOLOGY leaves (0x80000026 / 0xb) before using the TOPOEXT leaf (0x8000001e). While at it, break down the single large comment in parse_topology_amd() to better highlight the purpose of each CPUID leaf. Fixes: 3986a0a805e6 ("x86/CPU/AMD: Derive CPU topology from CPUID function 0xB when available") Suggested-by: Naveen N Rao (AMD) <naveen(a)kernel.org> Signed-off-by: K Prateek Nayak <kprateek.nayak(a)amd.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Cc: stable(a)vger.kernel.org # Only v6.9 and above; depends on x86 topology rewrite Link: https://lore.kernel.org/lkml/1529686927-7665-1-git-send-email-suravee.suthi… [1] Link: https://lore.kernel.org/lkml/20080818181435.523309000@linux-os.sc.intel.com/ [2] Link: https://bugzilla.kernel.org/show_bug.cgi?id=206537 [3] diff --git a/arch/x86/kernel/cpu/topology_amd.c b/arch/x86/kernel/cpu/topology_amd.c index 827dd0dbb6e9..c79ebbb639cb 100644 --- a/arch/x86/kernel/cpu/topology_amd.c +++ b/arch/x86/kernel/cpu/topology_amd.c @@ -175,27 +175,30 @@ static void topoext_fixup(struct topo_scan *tscan) static void parse_topology_amd(struct topo_scan *tscan) { - bool has_topoext = false; - /* - * If the extended topology leaf 0x8000_001e is available - * try to get SMT, CORE, TILE, and DIE shifts from extended + * Try to get SMT, CORE, TILE, and DIE shifts from extended * CPUID leaf 0x8000_0026 on supported processors first. If * extended CPUID leaf 0x8000_0026 is not supported, try to - * get SMT and CORE shift from leaf 0xb first, then try to - * get the CORE shift from leaf 0x8000_0008. + * get SMT and CORE shift from leaf 0xb. If either leaf is + * available, cpu_parse_topology_ext() will return true. */ - if (cpu_feature_enabled(X86_FEATURE_TOPOEXT)) - has_topoext = cpu_parse_topology_ext(tscan); + bool has_xtopology = cpu_parse_topology_ext(tscan); if (cpu_feature_enabled(X86_FEATURE_AMD_HTR_CORES)) tscan->c->topo.cpu_type = cpuid_ebx(0x80000026); - if (!has_topoext && !parse_8000_0008(tscan)) + /* + * If XTOPOLOGY leaves (0x26/0xb) are not available, try to + * get the CORE shift from leaf 0x8000_0008 first. + */ + if (!has_xtopology && !parse_8000_0008(tscan)) return; - /* Prefer leaf 0x8000001e if available */ - if (parse_8000_001e(tscan, has_topoext)) + /* + * Prefer leaf 0x8000001e if available to get the SMT shift and + * the initial APIC ID if XTOPOLOGY leaves are not available. + */ + if (parse_8000_001e(tscan, has_xtopology)) return; /* Try the NODEID MSR */

1 week, 3 days

3
4
0 0

[PATCH v2] media: pci: intel: ivsc: fix error handling in mei_ace driver

by Ma Ke

The mei_ace driver contains a device reference count leak in mei_ace_setup_dev_link() where device_find_child_by_name() increases the reference count of the found device but this reference is not properly decreased in the success path. Add put_device() in mei_ace_setup_dev_link() and delete put_device() in mei_ace_remove(), which ensures that the reference count of the device is correctly managed regardless of whether the probe is successful or fails. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 78876f71b3e9 ("media: pci: intel: ivsc: Add ACE submodule") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - modified the put_device() operations and the patch title as suggestions. --- drivers/media/pci/intel/ivsc/mei_ace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/pci/intel/ivsc/mei_ace.c b/drivers/media/pci/intel/ivsc/mei_ace.c index 98310b8511b1..bb57656fc85a 100644 --- a/drivers/media/pci/intel/ivsc/mei_ace.c +++ b/drivers/media/pci/intel/ivsc/mei_ace.c @@ -420,6 +420,7 @@ static int mei_ace_setup_dev_link(struct mei_ace *ace) goto err_put; } + put_device(csi_dev); ace->csi_dev = csi_dev; return 0; @@ -522,7 +523,6 @@ static void mei_ace_remove(struct mei_cl_device *cldev) cancel_work_sync(&ace->work); device_link_del(ace->csi_link); - put_device(ace->csi_dev); pm_runtime_disable(&cldev->dev); pm_runtime_set_suspended(&cldev->dev); -- 2.17.1

1 week, 3 days

2
1
0 0

[PATCH 00/15 v6.6.y] Backport minmax.h updates from v6.17-rc7

by Eliav Farber

This series backports 15 patches to update minmax.h in the 6.6.y branch, aligning it with v6.17-rc7. The ultimate goal is to synchronize all longterm branches so that they include the full set of minmax.h changes. The key motivation is to bring in commit d03eba99f5bf ("minmax: allow min()/max()/clamp() if the arguments have the same signedness"), which is missing in older kernels. In mainline, this change enables min()/max()/clamp() to accept mixed argument types, provided both have the same signedness. Without it, backported patches that use these forms may trigger compiler warnings, which escalate to build failures when -Werror is enabled. David Laight (7): minmax.h: add whitespace around operators and after commas minmax.h: update some comments minmax.h: reduce the #define expansion of min(), max() and clamp() minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp() minmax.h: move all the clamp() definitions after the min/max() ones minmax.h: simplify the variants of clamp() minmax.h: remove some #defines that are only expanded once Linus Torvalds (8): minmax: avoid overly complicated constant expressions in VM code minmax: simplify and clarify min_t()/max_t() implementation minmax: add a few more MIN_T/MAX_T users minmax: make generic MIN() and MAX() macros available everywhere minmax: simplify min()/max()/clamp() implementation minmax: don't use max() in situations that want a C constant expression minmax: improve macro expansion and type checking minmax: fix up min3() and max3() too arch/um/drivers/mconsole_user.c | 2 + arch/x86/mm/pgtable.c | 2 +- drivers/edac/sb_edac.c | 4 +- drivers/edac/skx_common.h | 1 - .../drm/amd/display/modules/hdcp/hdcp_ddc.c | 2 + .../drm/amd/pm/powerplay/hwmgr/ppevvmath.h | 14 +- drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 2 +- drivers/gpu/drm/drm_color_mgmt.c | 2 +- drivers/gpu/drm/radeon/evergreen_cs.c | 2 + drivers/hwmon/adt7475.c | 24 +- drivers/input/touchscreen/cyttsp4_core.c | 2 +- drivers/irqchip/irq-sun6i-r.c | 2 +- drivers/md/dm-integrity.c | 6 +- drivers/media/dvb-frontends/stv0367_priv.h | 3 + .../net/can/usb/etas_es58x/es58x_devlink.c | 2 +- .../net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- drivers/net/fjes/fjes_main.c | 4 +- drivers/nfc/pn544/i2c.c | 2 - drivers/platform/x86/sony-laptop.c | 1 - drivers/scsi/isci/init.c | 6 +- .../pci/hive_isp_css_include/math_support.h | 5 - fs/btrfs/tree-checker.c | 2 +- include/linux/compiler.h | 9 + include/linux/minmax.h | 228 +++++++++++------- include/linux/pageblock-flags.h | 2 +- kernel/trace/preemptirq_delay_test.c | 2 - lib/btree.c | 1 - lib/decompress_unlzma.c | 2 + lib/vsprintf.c | 2 +- mm/zsmalloc.c | 2 - net/ipv4/proc.c | 2 +- net/ipv6/proc.c | 2 +- tools/testing/selftests/mm/mremap_test.c | 2 + tools/testing/selftests/seccomp/seccomp_bpf.c | 2 + 34 files changed, 202 insertions(+), 146 deletions(-) -- 2.47.3

1 week, 3 days

1
15
0 0

[PATCH v3] fs/proc/task_mmu: check p->vec_buf for NULL

by Jakub Acs

When PAGEMAP_SCAN ioctl invoked with vec_len = 0 reaches pagemap_scan_backout_range(), kernel panics with null-ptr-deref: [ 44.936808] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 44.937797] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 44.938391] CPU: 1 UID: 0 PID: 2480 Comm: reproducer Not tainted 6.17.0-rc6 #22 PREEMPT(none) [ 44.939062] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 44.939935] RIP: 0010:pagemap_scan_thp_entry.isra.0+0x741/0xa80 <snip registers, unreliable trace> [ 44.946828] Call Trace: [ 44.947030] <TASK> [ 44.949219] pagemap_scan_pmd_entry+0xec/0xfa0 [ 44.952593] walk_pmd_range.isra.0+0x302/0x910 [ 44.954069] walk_pud_range.isra.0+0x419/0x790 [ 44.954427] walk_p4d_range+0x41e/0x620 [ 44.954743] walk_pgd_range+0x31e/0x630 [ 44.955057] __walk_page_range+0x160/0x670 [ 44.956883] walk_page_range_mm+0x408/0x980 [ 44.958677] walk_page_range+0x66/0x90 [ 44.958984] do_pagemap_scan+0x28d/0x9c0 [ 44.961833] do_pagemap_cmd+0x59/0x80 [ 44.962484] __x64_sys_ioctl+0x18d/0x210 [ 44.962804] do_syscall_64+0x5b/0x290 [ 44.963111] entry_SYSCALL_64_after_hwframe+0x76/0x7e vec_len = 0 in pagemap_scan_init_bounce_buffer() means no buffers are allocated and p->vec_buf remains set to NULL. This breaks an assumption made later in pagemap_scan_backout_range(), that page_region is always allocated for p->vec_buf_index. Fix it by explicitly checking p->vec_buf for NULL before dereferencing. Other sites that might run into same deref-issue are already (directly or transitively) protected by checking p->vec_buf. Note: From PAGEMAP_SCAN man page, it seems vec_len = 0 is valid when no output is requested and it's only the side effects caller is interested in, hence it passes check in pagemap_scan_get_args(). This issue was found by syzkaller. Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs") Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Jinjiang Tu <tujinjiang(a)huawei.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Penglei Jiang <superman.xpt(a)gmail.com> Cc: Mark Brown <broonie(a)kernel.org> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Andrei Vagin <avagin(a)gmail.com> Cc: "Michał Mirosław" <mirq-linux(a)rere.qmqm.pl> Cc: Stephen Rothwell <sfr(a)canb.auug.org.au> Cc: Muhammad Usama Anjum <usama.anjum(a)collabora.com> Cc: linux-kernel(a)vger.kernel.org Cc: linux-fsdevel(a)vger.kernel.org Cc: stable(a)vger.kernel.org --- v1 -> v2: check p->vec_buf instead of cur_buf v2 -> v3: fix commit title v1: https://lore.kernel.org/all/20250919142106.43527-1-acsjakub@amazon.de/ v2: https://lore.kernel.org/all/20250922081713.77303-1-acsjakub@amazon.de/ fs/proc/task_mmu.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c index 29cca0e6d0ff..b26ae556b446 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -2417,6 +2417,9 @@ static void pagemap_scan_backout_range(struct pagemap_scan_private *p, { struct page_region *cur_buf = &p->vec_buf[p->vec_buf_index]; + if (!p->vec_buf) + return; + if (cur_buf->start != addr) cur_buf->end = addr; else -- 2.47.3 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christian Schlaeger Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597

1 week, 3 days

3
2
0 0

[PATCH] fs/proc/task_mmu: check cur_buf for NULL

by Jakub Acs

When PAGEMAP_SCAN ioctl invoked with vec_len = 0 reaches pagemap_scan_backout_range(), kernel panics with null-ptr-deref: [ 44.936808] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 44.937797] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 44.938391] CPU: 1 UID: 0 PID: 2480 Comm: reproducer Not tainted 6.17.0-rc6 #22 PREEMPT(none) [ 44.939062] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 44.939935] RIP: 0010:pagemap_scan_thp_entry.isra.0+0x741/0xa80 <snip registers, unreliable trace> [ 44.946828] Call Trace: [ 44.947030] <TASK> [ 44.949219] pagemap_scan_pmd_entry+0xec/0xfa0 [ 44.952593] walk_pmd_range.isra.0+0x302/0x910 [ 44.954069] walk_pud_range.isra.0+0x419/0x790 [ 44.954427] walk_p4d_range+0x41e/0x620 [ 44.954743] walk_pgd_range+0x31e/0x630 [ 44.955057] __walk_page_range+0x160/0x670 [ 44.956883] walk_page_range_mm+0x408/0x980 [ 44.958677] walk_page_range+0x66/0x90 [ 44.958984] do_pagemap_scan+0x28d/0x9c0 [ 44.961833] do_pagemap_cmd+0x59/0x80 [ 44.962484] __x64_sys_ioctl+0x18d/0x210 [ 44.962804] do_syscall_64+0x5b/0x290 [ 44.963111] entry_SYSCALL_64_after_hwframe+0x76/0x7e vec_len = 0 in pagemap_scan_init_bounce_buffer() means no buffers are allocated and p->vec_buf remains set to NULL. This breaks an assumption made later in pagemap_scan_backout_range(), that page_region is always allocated for p->vec_buf_index. Fix it by explicitly checking cur_buf for NULL before dereferencing. Other sites that might run into same deref-issue are already (directly or transitively) protected by checking p->vec_buf. Note: From PAGEMAP_SCAN man page, it seems vec_len = 0 is valid when no output is requested and it's only the side effects caller is interested in, hence it passes check in pagemap_scan_get_args(). This issue was found by syzkaller. Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs") Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Jinjiang Tu <tujinjiang(a)huawei.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Penglei Jiang <superman.xpt(a)gmail.com> Cc: Mark Brown <broonie(a)kernel.org> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Andrei Vagin <avagin(a)gmail.com> Cc: "Michał Mirosław" <mirq-linux(a)rere.qmqm.pl> Cc: Stephen Rothwell <sfr(a)canb.auug.org.au> Cc: Muhammad Usama Anjum <usama.anjum(a)collabora.com> linux-kernel(a)vger.kernel.org linux-fsdevel(a)vger.kernel.org Cc: stable(a)vger.kernel.org Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> --- fs/proc/task_mmu.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c index 29cca0e6d0ff..8c10a8135e74 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -2417,6 +2417,9 @@ static void pagemap_scan_backout_range(struct pagemap_scan_private *p, { struct page_region *cur_buf = &p->vec_buf[p->vec_buf_index]; + if (!cur_buf) + return; + if (cur_buf->start != addr) cur_buf->end = addr; else -- 2.47.3 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christian Schlaeger Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597

1 week, 3 days

3
4
0 0

Fruit Attraction 2025 Contacts — Now 20% OFF

by Natalie Foster

Hi, We’re offering verified business contact data for the upcoming Fruit Attraction 2025 (FA), tailored for effective outreach before and after the event. Place:  Madrid, Spain Date:SEP 30 - OCT 02, 2025 Contact Overview: 1,01,351 Attendees 2,179 Exhibiting Companies 6,537 Verified Exhibitor Contacts Total: 107,885 Business Contacts Each entry includes: Name, Job Title, Company, Website, Address, Phone, Official Email, LinkedIn Profile, and more. 100% GDPR-compliant Data with 20% Off Now. If you'd like more details, just reply: “Send me pricing” Best regards, Natalie Foster Sr. Marketing Manager To opt out reply “Not Interested.”

1 week, 3 days

1
0
0 0

[PATCH v2] ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()

by Ma Ke

wcd934x_codec_parse_data() contains a device reference count leak in of_slim_get_device() where device_find_child() increases the reference count of the device but this reference is not properly decreased in the success path. Add put_device() in wcd934x_codec_parse_data() and add devm_add_action_or_reset() in the probe function, which ensures that the reference count of the device is correctly managed. Memory leak in regmap_init_slimbus() as the allocated regmap is not released when the device is removed. Using devm_regmap_init_slimbus() instead of regmap_init_slimbus() to ensure automatic regmap cleanup on device removal. Calling path: of_slim_get_device() -> of_find_slim_device() -> device_find_child(). As comment of device_find_child() says, 'NOTE: you will need to drop the reference with put_device() after use.'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: a61f3b4f476e ("ASoC: wcd934x: add support to wcd9340/wcd9341 codec") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - modified the handling in the success path and fixed the memory leak for regmap as suggestions. --- sound/soc/codecs/wcd934x.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/sound/soc/codecs/wcd934x.c b/sound/soc/codecs/wcd934x.c index 1bb7e1dc7e6b..b472320d1ca4 100644 --- a/sound/soc/codecs/wcd934x.c +++ b/sound/soc/codecs/wcd934x.c @@ -5847,11 +5847,13 @@ static int wcd934x_codec_parse_data(struct wcd934x_codec *wcd) return dev_err_probe(dev, -EINVAL, "Unable to get SLIM Interface device\n"); slim_get_logical_addr(wcd->sidev); - wcd->if_regmap = regmap_init_slimbus(wcd->sidev, + wcd->if_regmap = devm_regmap_init_slimbus(wcd->sidev, &wcd934x_ifc_regmap_config); - if (IS_ERR(wcd->if_regmap)) + if (IS_ERR(wcd->if_regmap)) { + put_device(&wcd->sidev->dev); return dev_err_probe(dev, PTR_ERR(wcd->if_regmap), "Failed to allocate ifc register map\n"); + } of_property_read_u32(dev->parent->of_node, "qcom,dmic-sample-rate", &wcd->dmic_sample_rate); @@ -5893,6 +5895,10 @@ static int wcd934x_codec_probe(struct platform_device *pdev) if (ret) return ret; + ret = devm_add_action_or_reset(dev, (void (*)(void *))put_device, &wcd->sidev->dev); + if (ret) + return ret; + /* set default rate 9P6MHz */ regmap_update_bits(wcd->regmap, WCD934X_CODEC_RPM_CLK_MCLK_CFG, WCD934X_CODEC_RPM_CLK_MCLK_CFG_MCLK_MASK, -- 2.17.1

1 week, 3 days

2
1
0 0

[PATCH net v1 1/1] net: usb: asix: forbid runtime PM to avoid PM/MDIO + RTNL deadlock

by Oleksij Rempel

Forbid USB runtime PM (autosuspend) for AX88772* in bind. usbnet enables runtime PM by default in probe, so disabling it via the usb_driver flag is ineffective. For AX88772B, autosuspend shows no measurable power saving in my tests (no link partner, admin up/down). The ~0.453 W -> ~0.248 W reduction on 6.1 comes from phylib powering the PHY off on admin-down, not from USB autosuspend. With autosuspend active, resume paths may require calling phylink/phylib (caller must hold RTNL) and doing MDIO I/O. Taking RTNL from a USB PM resume can deadlock (RTNL may already be held), and MDIO can attempt a runtime-wake while the USB PM lock is held. Given the lack of benefit and poor test coverage (autosuspend is usually disabled by default in distros), forbid runtime PM here to avoid these hazards. This affects only AX88772* devices (per-interface in bind). System sleep/resume is unchanged. Fixes: 4a2c7217cd5a ("net: usb: asix: ax88772: manage PHY PM from MAC") Reported-by: Hubert Wiśniewski <hubert.wisniewski.25632(a)gmail.com> Closes: https://lore.kernel.org/all/20220622141638.GE930160@montezuma.acc.umu.se Reported-by: Marek Szyprowski <m.szyprowski(a)samsung.com> Closes: https://lore.kernel.org/all/b5ea8296-f981-445d-a09a-2f389d7f6fdd@samsung.com Cc: stable(a)vger.kernel.org Signed-off-by: Oleksij Rempel <o.rempel(a)pengutronix.de> --- Link to the measurement results: https://lore.kernel.org/all/aMkPMa650kfKfmF4@pengutronix.de/ --- drivers/net/usb/asix_devices.c | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c index 792ddda1ad49..0d341d7e6154 100644 --- a/drivers/net/usb/asix_devices.c +++ b/drivers/net/usb/asix_devices.c @@ -625,6 +625,22 @@ static void ax88772_suspend(struct usbnet *dev) asix_read_medium_status(dev, 1)); } +/* + * Notes on PM callbacks and locking context: + * + * - asix_suspend()/asix_resume() are invoked for both runtime PM and + * system-wide suspend/resume. For struct usb_driver the ->resume() + * callback does not receive pm_message_t, so the resume type cannot + * be distinguished here. + * + * - The MAC driver must hold RTNL when calling phylink interfaces such as + * phylink_suspend()/resume(). Those calls will also perform MDIO I/O. + * + * - Taking RTNL and doing MDIO from a runtime-PM resume callback (while + * the USB PM lock is held) is fragile. Since autosuspend brings no + * measurable power saving for this device with current driver version, it is + * disabled below. + */ static int asix_suspend(struct usb_interface *intf, pm_message_t message) { struct usbnet *dev = usb_get_intfdata(intf); @@ -919,6 +935,16 @@ static int ax88772_bind(struct usbnet *dev, struct usb_interface *intf) if (ret) goto initphy_err; + /* Disable USB runtime PM (autosuspend) for this interface. + * Rationale: + * - No measurable power saving from autosuspend for this device. + * - phylink/phylib calls require caller-held RTNL and do MDIO I/O, + * which is unsafe from USB PM resume paths (possible RTNL already + * held, USB PM lock held). + * System suspend/resume is unaffected. + */ + pm_runtime_forbid(&intf->dev); + return 0; initphy_err: @@ -948,6 +974,10 @@ static void ax88772_unbind(struct usbnet *dev, struct usb_interface *intf) phylink_destroy(priv->phylink); ax88772_mdio_unregister(priv); asix_rx_fixup_common_free(dev->driver_priv); + /* Re-allow runtime PM on disconnect for tidiness. The interface + * goes away anyway, but this balances forbid for debug sanity. + */ + pm_runtime_allow(&intf->dev); } static void ax88178_unbind(struct usbnet *dev, struct usb_interface *intf) @@ -1600,6 +1630,10 @@ static struct usb_driver asix_driver = { .resume = asix_resume, .reset_resume = asix_resume, .disconnect = usbnet_disconnect, + /* usbnet will force supports_autosuspend=1; we explicitly forbid RPM + * per-interface in bind to keep autosuspend disabled for this driver + * by using pm_runtime_forbid(). + */ .supports_autosuspend = 1, .disable_hub_initiated_lpm = 1, }; -- 2.47.3

1 week, 3 days

5
9
0 0

[PATCH] tee: fix register_shm_helper()

by Jens Wiklander

In register_shm_helper(), fix incorrect error handling for a call to iov_iter_extract_pages(). A case is missing for when iov_iter_extract_pages() only got some pages and return a number larger than 0, but not the requested amount. This fixes a possible NULL pointer dereference following a bad input from ioctl(TEE_IOC_SHM_REGISTER) where parts of the buffer isn't mapped. Cc: stable(a)vger.kernel.org Reported-by: Masami Ichikawa <masami256(a)gmail.com> Closes: https://lore.kernel.org/op-tee/CACOXgS-Bo2W72Nj1_44c7bntyNYOavnTjJAvUbEiQfq… Fixes: 7bdee4157591 ("tee: Use iov_iter to better support shared buffer registration") Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org> --- drivers/tee/tee_shm.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index daf6e5cfd59a..6ed7d030f4ed 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -316,7 +316,16 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags, len = iov_iter_extract_pages(iter, &shm->pages, LONG_MAX, num_pages, 0, &off); - if (unlikely(len <= 0)) { + if (DIV_ROUND_UP(len + off, PAGE_SIZE) != num_pages) { + if (len > 0) { + /* + * If we only got a few pages, update to release + * the correct amount below. + */ + shm->num_pages = len / PAGE_SIZE; + ret = ERR_PTR(-ENOMEM); + goto err_put_shm_pages; + } ret = len ? ERR_PTR(len) : ERR_PTR(-ENOMEM); goto err_free_shm_pages; } -- 2.43.0

1 week, 3 days

3
3
0 0

[PATCH] staging: gpib: Fix device reference leak in fmh_gpib driver

by Ma Ke

The fmh_gpib driver contains a device reference count leak in fmh_gpib_attach_impl() where driver_find_device() increases the reference count of the device by get_device() when matching but this reference is not properly decreased. Add put_device() in fmh_gpib_attach_impl() and add put_device() in fmh_gpib_detach(), which ensures that the reference count of the device is correctly managed. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 8e4841a0888c ("staging: gpib: Add Frank Mori Hess FPGA PCI GPIB driver") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/staging/gpib/fmh_gpib/fmh_gpib.c | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/drivers/staging/gpib/fmh_gpib/fmh_gpib.c b/drivers/staging/gpib/fmh_gpib/fmh_gpib.c index 4138f3d2bae7..245c8fe87eaa 100644 --- a/drivers/staging/gpib/fmh_gpib/fmh_gpib.c +++ b/drivers/staging/gpib/fmh_gpib/fmh_gpib.c @@ -1395,14 +1395,17 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar pdev = to_platform_device(board->dev); retval = fmh_gpib_generic_attach(board); - if (retval) + if (retval) { + put_device(board->dev); return retval; + } e_priv = board->private_data; nec_priv = &e_priv->nec7210_priv; res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "gpib_control_status"); if (!res) { + put_device(board->dev); dev_err(board->dev, "Unable to locate mmio resource\n"); return -ENODEV; } @@ -1410,6 +1413,7 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar if (request_mem_region(res->start, resource_size(res), pdev->name) == NULL) { + put_device(board->dev); dev_err(board->dev, "cannot claim registers\n"); return -ENXIO; } @@ -1418,6 +1422,7 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar nec_priv->mmiobase = ioremap(e_priv->gpib_iomem_res->start, resource_size(e_priv->gpib_iomem_res)); if (!nec_priv->mmiobase) { + put_device(board->dev); dev_err(board->dev, "Could not map I/O memory\n"); return -ENOMEM; } @@ -1426,12 +1431,14 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "dma_fifos"); if (!res) { + put_device(board->dev); dev_err(board->dev, "Unable to locate mmio resource for gpib dma port\n"); return -ENODEV; } if (request_mem_region(res->start, resource_size(res), pdev->name) == NULL) { + put_device(board->dev); dev_err(board->dev, "cannot claim registers\n"); return -ENXIO; } @@ -1439,6 +1446,7 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar e_priv->fifo_base = ioremap(e_priv->dma_port_res->start, resource_size(e_priv->dma_port_res)); if (!e_priv->fifo_base) { + put_device(board->dev); dev_err(board->dev, "Could not map I/O memory for fifos\n"); return -ENOMEM; } @@ -1447,10 +1455,14 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar (unsigned long)resource_size(e_priv->dma_port_res)); irq = platform_get_irq(pdev, 0); - if (irq < 0) + if (irq < 0) { + put_device(board->dev); return -EBUSY; + } + retval = request_irq(irq, fmh_gpib_interrupt, IRQF_SHARED, pdev->name, board); if (retval) { + put_device(board->dev); dev_err(board->dev, "cannot register interrupt handler err=%d\n", retval); @@ -1461,6 +1473,7 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar if (acquire_dma) { e_priv->dma_channel = dma_request_slave_channel(board->dev, "rxtx"); if (!e_priv->dma_channel) { + put_device(board->dev); dev_err(board->dev, "failed to acquire dma channel \"rxtx\".\n"); return -EIO; } @@ -1517,6 +1530,12 @@ void fmh_gpib_detach(struct gpib_board *board) resource_size(e_priv->gpib_iomem_res)); } fmh_gpib_generic_detach(board); + + if (board->dev) { + dev_set_drvdata(board->dev, NULL); + put_device(board->dev); + board->dev = NULL; + } } static int fmh_gpib_pci_attach_impl(struct gpib_board *board, -- 2.17.1

1 week, 3 days

2
1
0 0

[PATCH 2/2] eventpoll: Fix epoll_wait() report false negative

by Nam Cao

ep_events_available() checks for available events by looking at ep->rdllist and ep->ovflist. However, this is done without a lock, therefore the returned value is not reliable. Because it is possible that both checks on ep->rdllist and ep->ovflist are false while ep_start_scan() or ep_done_scan() is being executed on other CPUs, despite events are available. This bug can be observed by: 1. Create an eventpoll with at least one ready level-triggered event 2. Create multiple threads who do epoll_wait() with zero timeout. The threads do not consume the events, therefore all epoll_wait() should return at least one event. If one thread is executing ep_events_available() while another thread is executing ep_start_scan() or ep_done_scan(), epoll_wait() may wrongly return no event for the former thread. This reproducer is implemented as TEST(epoll65) in tools/testing/selftests/filesystems/epoll/epoll_wakeup_test.c Fix it by skipping ep_events_available(), just call ep_try_send_events() directly. epoll_sendevents() (io_uring) suffers the same problem, fix that as well. There is still ep_busy_loop() who uses ep_events_available() without lock, but it is probably okay (?) for busy-polling. Fixes: c5a282e9635e ("fs/epoll: reduce the scope of wq lock in epoll_wait()") Fixes: e59d3c64cba6 ("epoll: eliminate unnecessary lock for zero timeout") Fixes: ae3a4f1fdc2c ("eventpoll: add epoll_sendevents() helper") Signed-off-by: Nam Cao <namcao(a)linutronix.de> Cc: stable(a)vger.kernel.org --- fs/eventpoll.c | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/fs/eventpoll.c b/fs/eventpoll.c index 0fbf5dfedb24..541481eafc20 100644 --- a/fs/eventpoll.c +++ b/fs/eventpoll.c @@ -2022,7 +2022,7 @@ static int ep_schedule_timeout(ktime_t *to) static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events, int maxevents, struct timespec64 *timeout) { - int res, eavail, timed_out = 0; + int res, eavail = 1, timed_out = 0; u64 slack = 0; wait_queue_entry_t wait; ktime_t expires, *to = NULL; @@ -2041,16 +2041,6 @@ static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events, timed_out = 1; } - /* - * This call is racy: We may or may not see events that are being added - * to the ready list under the lock (e.g., in IRQ callbacks). For cases - * with a non-zero timeout, this thread will check the ready list under - * lock and will add to the wait queue. For cases with a zero - * timeout, the user by definition should not care and will have to - * recheck again. - */ - eavail = ep_events_available(ep); - while (1) { if (eavail) { res = ep_try_send_events(ep, events, maxevents); @@ -2496,9 +2486,7 @@ int epoll_sendevents(struct file *file, struct epoll_event __user *events, * Racy call, but that's ok - it should get retried based on * poll readiness anyway. */ - if (ep_events_available(ep)) - return ep_try_send_events(ep, events, maxevents); - return 0; + return ep_try_send_events(ep, events, maxevents); } /* -- 2.39.5

1 week, 3 days

5
12
0 0

FAILED: patch "[PATCH] io_uring: include dying ring in task_work "should cancel"" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 3539b1467e94336d5854ebf976d9627bfb65d6c3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092127-synthetic-squash-4d57@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 3539b1467e94336d5854ebf976d9627bfb65d6c3 Mon Sep 17 00:00:00 2001 From: Jens Axboe <axboe(a)kernel.dk> Date: Thu, 18 Sep 2025 10:21:14 -0600 Subject: [PATCH] io_uring: include dying ring in task_work "should cancel" state When running task_work for an exiting task, rather than perform the issue retry attempt, the task_work is canceled. However, this isn't done for a ring that has been closed. This can lead to requests being successfully completed post the ring being closed, which is somewhat confusing and surprising to an application. Rather than just check the task exit state, also include the ring ref state in deciding whether or not to terminate a given request when run from task_work. Cc: stable(a)vger.kernel.org # 6.1+ Link: https://github.com/axboe/liburing/discussions/1459 Reported-by: Benedek Thaler <thaler(a)thaler.hu> Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 93633613a165..bcec12256f34 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -1406,8 +1406,10 @@ static void io_req_task_cancel(struct io_kiocb *req, io_tw_token_t tw) void io_req_task_submit(struct io_kiocb *req, io_tw_token_t tw) { - io_tw_lock(req->ctx, tw); - if (unlikely(io_should_terminate_tw())) + struct io_ring_ctx *ctx = req->ctx; + + io_tw_lock(ctx, tw); + if (unlikely(io_should_terminate_tw(ctx))) io_req_defer_failed(req, -EFAULT); else if (req->flags & REQ_F_FORCE_ASYNC) io_queue_iowq(req); diff --git a/io_uring/io_uring.h b/io_uring/io_uring.h index abc6de227f74..1880902be6fd 100644 --- a/io_uring/io_uring.h +++ b/io_uring/io_uring.h @@ -476,9 +476,9 @@ static inline bool io_allowed_run_tw(struct io_ring_ctx *ctx) * 2) PF_KTHREAD is set, in which case the invoker of the task_work is * our fallback task_work. */ -static inline bool io_should_terminate_tw(void) +static inline bool io_should_terminate_tw(struct io_ring_ctx *ctx) { - return current->flags & (PF_KTHREAD | PF_EXITING); + return (current->flags & (PF_KTHREAD | PF_EXITING)) || percpu_ref_is_dying(&ctx->refs); } static inline void io_req_queue_tw_complete(struct io_kiocb *req, s32 res) diff --git a/io_uring/poll.c b/io_uring/poll.c index c786e587563b..6090a26975d4 100644 --- a/io_uring/poll.c +++ b/io_uring/poll.c @@ -224,7 +224,7 @@ static int io_poll_check_events(struct io_kiocb *req, io_tw_token_t tw) { int v; - if (unlikely(io_should_terminate_tw())) + if (unlikely(io_should_terminate_tw(req->ctx))) return -ECANCELED; do { diff --git a/io_uring/timeout.c b/io_uring/timeout.c index 7f13bfa9f2b6..17e3aab0af36 100644 --- a/io_uring/timeout.c +++ b/io_uring/timeout.c @@ -324,7 +324,7 @@ static void io_req_task_link_timeout(struct io_kiocb *req, io_tw_token_t tw) int ret; if (prev) { - if (!io_should_terminate_tw()) { + if (!io_should_terminate_tw(req->ctx)) { struct io_cancel_data cd = { .ctx = req->ctx, .data = prev->cqe.user_data, diff --git a/io_uring/uring_cmd.c b/io_uring/uring_cmd.c index 053bac89b6c0..213716e10d70 100644 --- a/io_uring/uring_cmd.c +++ b/io_uring/uring_cmd.c @@ -118,7 +118,7 @@ static void io_uring_cmd_work(struct io_kiocb *req, io_tw_token_t tw) struct io_uring_cmd *ioucmd = io_kiocb_to_cmd(req, struct io_uring_cmd); unsigned int flags = IO_URING_F_COMPLETE_DEFER; - if (io_should_terminate_tw()) + if (io_should_terminate_tw(req->ctx)) flags |= IO_URING_F_TASK_DEAD; /* task_work executor checks the deffered list completion */

1 week, 3 days

3
4
0 0

[PATCH] media: pci: intel: ivsc: fix error handling in scan_one_device()

by Ma Ke

The mei_ace driver contains a device reference count leak in mei_ace_setup_dev_link() where device_find_child_by_name() increases the reference count of the found device but this reference is not properly decreased in the success path. Add put_device() in mei_ace_setup_dev_link() and delete put_device() in mei_ace_remove(), which ensures that the reference count of the device is correctly managed regardless of whether the probe is successful or fails. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 78876f71b3e9 ("media: pci: intel: ivsc: Add ACE submodule") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/media/pci/intel/ivsc/mei_ace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/pci/intel/ivsc/mei_ace.c b/drivers/media/pci/intel/ivsc/mei_ace.c index 98310b8511b1..261b30788118 100644 --- a/drivers/media/pci/intel/ivsc/mei_ace.c +++ b/drivers/media/pci/intel/ivsc/mei_ace.c @@ -421,6 +421,7 @@ static int mei_ace_setup_dev_link(struct mei_ace *ace) } ace->csi_dev = csi_dev; + put_device(csi_dev); return 0; @@ -522,7 +523,6 @@ static void mei_ace_remove(struct mei_cl_device *cldev) cancel_work_sync(&ace->work); device_link_del(ace->csi_link); - put_device(ace->csi_dev); pm_runtime_disable(&cldev->dev); pm_runtime_set_suspended(&cldev->dev); -- 2.17.1

1 week, 3 days

2
1
0 0

[PATCH] riscv: Use an atomic xchg in pudp_huge_get_and_clear()

by Alexandre Ghiti

Make sure we return the right pud value and not a value that could have been overwritten in between by a different core. Fixes: c3cc2a4a3a23 ("riscv: Add support for PUD THP") Cc: stable(a)vger.kernel.org Signed-off-by: Alexandre Ghiti <alexghiti(a)rivosinc.com> --- Note that this will conflict with https://lore.kernel.org/linux-riscv/20250625063753.77511-1-ajd@linux.ibm.co… if applied after 6.17. --- arch/riscv/include/asm/pgtable.h | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h index 91697fbf1f9013005800f713797e4b6b1fc8d312..e69346307e78608dd98d8b7a77b7063c333448ee 100644 --- a/arch/riscv/include/asm/pgtable.h +++ b/arch/riscv/include/asm/pgtable.h @@ -942,6 +942,17 @@ static inline int pudp_test_and_clear_young(struct vm_area_struct *vma, return ptep_test_and_clear_young(vma, address, (pte_t *)pudp); } +#define __HAVE_ARCH_PUDP_HUGE_GET_AND_CLEAR +static inline pud_t pudp_huge_get_and_clear(struct mm_struct *mm, + unsigned long address, pud_t *pudp) +{ + pud_t pud = __pud(atomic_long_xchg((atomic_long_t *)pudp, 0)); + + page_table_check_pud_clear(mm, pud); + + return pud; +} + static inline int pud_young(pud_t pud) { return pte_young(pud_pte(pud)); --- base-commit: 62950c35a515743739e3d863eac25c20a5bd1613 change-id: 20250814-dev-alex-thp_pud_xchg-8153c313d946 Best regards, -- Alexandre Ghiti <alexghiti(a)rivosinc.com>

1 week, 3 days

3
2
0 0

[PATCH rtw-next v5 1/4] wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait()

by Fedor Pchelkin

There is a bug observed when rtw89_core_tx_kick_off_and_wait() tries to access already freed skb_data: BUG: KFENCE: use-after-free write in rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110 CPU: 6 UID: 0 PID: 41377 Comm: kworker/u64:24 Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS edk2-20250523-14.fc42 05/23/2025 Workqueue: events_unbound cfg80211_wiphy_work [cfg80211] Use-after-free write at 0x0000000020309d9d (in kfence-#251): rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110 rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338 rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979 rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165 rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.h:141 rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012 rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059 rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758 process_one_work kernel/workqueue.c:3241 worker_thread kernel/workqueue.c:3400 kthread kernel/kthread.c:463 ret_from_fork arch/x86/kernel/process.c:154 ret_from_fork_asm arch/x86/entry/entry_64.S:258 kfence-#251: 0x0000000056e2393d-0x000000009943cb62, size=232, cache=skbuff_head_cache allocated by task 41377 on cpu 6 at 77869.159548s (0.009551s ago): __alloc_skb net/core/skbuff.c:659 __netdev_alloc_skb net/core/skbuff.c:734 ieee80211_nullfunc_get net/mac80211/tx.c:5844 rtw89_core_send_nullfunc drivers/net/wireless/realtek/rtw89/core.c:3431 rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338 rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979 rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165 rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.c:3194 rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012 rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059 rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758 process_one_work kernel/workqueue.c:3241 worker_thread kernel/workqueue.c:3400 kthread kernel/kthread.c:463 ret_from_fork arch/x86/kernel/process.c:154 ret_from_fork_asm arch/x86/entry/entry_64.S:258 freed by task 1045 on cpu 9 at 77869.168393s (0.001557s ago): ieee80211_tx_status_skb net/mac80211/status.c:1117 rtw89_pci_release_txwd_skb drivers/net/wireless/realtek/rtw89/pci.c:564 rtw89_pci_release_tx_skbs.isra.0 drivers/net/wireless/realtek/rtw89/pci.c:651 rtw89_pci_release_tx drivers/net/wireless/realtek/rtw89/pci.c:676 rtw89_pci_napi_poll drivers/net/wireless/realtek/rtw89/pci.c:4238 __napi_poll net/core/dev.c:7495 net_rx_action net/core/dev.c:7557 net/core/dev.c:7684 handle_softirqs kernel/softirq.c:580 do_softirq.part.0 kernel/softirq.c:480 __local_bh_enable_ip kernel/softirq.c:407 rtw89_pci_interrupt_threadfn drivers/net/wireless/realtek/rtw89/pci.c:927 irq_thread_fn kernel/irq/manage.c:1133 irq_thread kernel/irq/manage.c:1257 kthread kernel/kthread.c:463 ret_from_fork arch/x86/kernel/process.c:154 ret_from_fork_asm arch/x86/entry/entry_64.S:258 It is a consequence of a race between the waiting and the signaling side of the completion: Waiting thread Completing thread rtw89_core_tx_kick_off_and_wait() rcu_assign_pointer(skb_data->wait, wait) /* start waiting */ wait_for_completion_timeout() rtw89_pci_tx_status() rtw89_core_tx_wait_complete() rcu_read_lock() /* signals completion and * proceeds further */ complete(&wait->completion) rcu_read_unlock() ... /* frees skb_data */ ieee80211_tx_status_ni() /* returns (exit status doesn't matter) */ wait_for_completion_timeout() ... /* accesses the already freed skb_data */ rcu_assign_pointer(skb_data->wait, NULL) The completing side might proceed and free the underlying skb even before the waiting side is fully awoken and run to execution. Actually the race happens regardless of wait_for_completion_timeout() exit status, e.g. the waiting side may hit a timeout and the concurrent completing side is still able to free the skb. Skbs which are sent by rtw89_core_tx_kick_off_and_wait() are owned by the driver. They don't come from core ieee80211 stack so no need to pass them to ieee80211_tx_status_ni() on completing side. Introduce a work function which will act as a garbage collector for rtw89_tx_wait_info objects and the associated skbs. Thus no potentially heavy locks are required on the completing side. Found by Linux Verification Center (linuxtesting.org). Fixes: 1ae5ca615285 ("wifi: rtw89: add function to wait for completion of TX skbs") Cc: stable(a)vger.kernel.org Suggested-by: Zong-Zhe Yang <kevin_yang(a)realtek.com> Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- v5: - use completion_done() and delayed work (Ping-Ke) v4: - fill wait's fields before publishing (Zong-Zhe) - leave dev_kfree_skb_any + kfree_rcu for tx_wait release (Zong-Zhe) v3: - decrease waiting timeout in rtw89_tx_wait_work() (Zong-Zhe) - clear tx_waits list from rtw89_hci_reset(), too (Zong-Zhe) - keep RCU updating for skb_data->wait (Zong-Zhe) - keep the old order of calls in rtw89_pci_tx_status() (Zong-Zhe) - drop wait->finished as complete_all() would make the completion be done permanently v2: - use a work function to manage release of tx_waits and associated skbs (Zong-Zhe) drivers/net/wireless/realtek/rtw89/core.c | 30 +++++++++++++++---- drivers/net/wireless/realtek/rtw89/core.h | 35 +++++++++++++++++++++-- drivers/net/wireless/realtek/rtw89/pci.c | 3 +- drivers/net/wireless/realtek/rtw89/ser.c | 2 ++ 4 files changed, 61 insertions(+), 9 deletions(-) diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c index fe059c4a6b55..ec467ae0e9e6 100644 --- a/drivers/net/wireless/realtek/rtw89/core.c +++ b/drivers/net/wireless/realtek/rtw89/core.c @@ -1135,6 +1135,14 @@ rtw89_core_tx_update_desc_info(struct rtw89_dev *rtwdev, } } +static void rtw89_tx_wait_work(struct wiphy *wiphy, struct wiphy_work *work) +{ + struct rtw89_dev *rtwdev = container_of(work, struct rtw89_dev, + tx_wait_work.work); + + rtw89_tx_wait_list_clear(rtwdev); +} + void rtw89_core_tx_kick_off(struct rtw89_dev *rtwdev, u8 qsel) { u8 ch_dma; @@ -1152,6 +1160,8 @@ int rtw89_core_tx_kick_off_and_wait(struct rtw89_dev *rtwdev, struct sk_buff *sk unsigned long time_left; int ret = 0; + lockdep_assert_wiphy(rtwdev->hw->wiphy); + wait = kzalloc(sizeof(*wait), GFP_KERNEL); if (!wait) { rtw89_core_tx_kick_off(rtwdev, qsel); @@ -1159,18 +1169,23 @@ int rtw89_core_tx_kick_off_and_wait(struct rtw89_dev *rtwdev, struct sk_buff *sk } init_completion(&wait->completion); + wait->skb = skb; rcu_assign_pointer(skb_data->wait, wait); rtw89_core_tx_kick_off(rtwdev, qsel); time_left = wait_for_completion_timeout(&wait->completion, msecs_to_jiffies(timeout)); - if (time_left == 0) - ret = -ETIMEDOUT; - else if (!wait->tx_done) - ret = -EAGAIN; - rcu_assign_pointer(skb_data->wait, NULL); - kfree_rcu(wait, rcu_head); + if (time_left == 0) { + ret = -ETIMEDOUT; + list_add_tail(&wait->list, &rtwdev->tx_waits); + wiphy_delayed_work_queue(rtwdev->hw->wiphy, &rtwdev->tx_wait_work, + RTW89_TX_WAIT_WORK_TIMEOUT); + } else { + if (!wait->tx_done) + ret = -EAGAIN; + rtw89_tx_wait_release(wait); + } return ret; } @@ -5548,6 +5563,7 @@ void rtw89_core_stop(struct rtw89_dev *rtwdev) wiphy_work_cancel(wiphy, &btc->dhcp_notify_work); wiphy_work_cancel(wiphy, &btc->icmp_notify_work); cancel_delayed_work_sync(&rtwdev->txq_reinvoke_work); + wiphy_delayed_work_cancel(wiphy, &rtwdev->tx_wait_work); wiphy_delayed_work_cancel(wiphy, &rtwdev->track_work); wiphy_delayed_work_cancel(wiphy, &rtwdev->track_ps_work); wiphy_delayed_work_cancel(wiphy, &rtwdev->chanctx_work); @@ -5773,6 +5789,7 @@ int rtw89_core_init(struct rtw89_dev *rtwdev) INIT_LIST_HEAD(&rtwdev->scan_info.pkt_list[band]); } INIT_LIST_HEAD(&rtwdev->scan_info.chan_list); + INIT_LIST_HEAD(&rtwdev->tx_waits); INIT_WORK(&rtwdev->ba_work, rtw89_core_ba_work); INIT_WORK(&rtwdev->txq_work, rtw89_core_txq_work); INIT_DELAYED_WORK(&rtwdev->txq_reinvoke_work, rtw89_core_txq_reinvoke_work); @@ -5784,6 +5801,7 @@ int rtw89_core_init(struct rtw89_dev *rtwdev) wiphy_delayed_work_init(&rtwdev->coex_rfk_chk_work, rtw89_coex_rfk_chk_work); wiphy_delayed_work_init(&rtwdev->cfo_track_work, rtw89_phy_cfo_track_work); wiphy_delayed_work_init(&rtwdev->mcc_prepare_done_work, rtw89_mcc_prepare_done_work); + wiphy_delayed_work_init(&rtwdev->tx_wait_work, rtw89_tx_wait_work); INIT_DELAYED_WORK(&rtwdev->forbid_ba_work, rtw89_forbid_ba_work); wiphy_delayed_work_init(&rtwdev->antdiv_work, rtw89_phy_antdiv_work); rtwdev->txq_wq = alloc_workqueue("rtw89_tx_wq", WQ_UNBOUND | WQ_HIGHPRI, 0); diff --git a/drivers/net/wireless/realtek/rtw89/core.h b/drivers/net/wireless/realtek/rtw89/core.h index 3d4ad2ffb75c..d15fa70eb4dc 100644 --- a/drivers/net/wireless/realtek/rtw89/core.h +++ b/drivers/net/wireless/realtek/rtw89/core.h @@ -3507,9 +3507,12 @@ struct rtw89_phy_rate_pattern { bool enable; }; +#define RTW89_TX_WAIT_WORK_TIMEOUT msecs_to_jiffies(500) struct rtw89_tx_wait_info { struct rcu_head rcu_head; + struct list_head list; struct completion completion; + struct sk_buff *skb; bool tx_done; }; @@ -6000,6 +6003,9 @@ struct rtw89_dev { /* used to protect rpwm */ spinlock_t rpwm_lock; + struct list_head tx_waits; + struct wiphy_delayed_work tx_wait_work; + struct rtw89_cam_info cam_info; struct sk_buff_head c2h_queue; @@ -6256,6 +6262,26 @@ rtw89_assoc_link_rcu_dereference(struct rtw89_dev *rtwdev, u8 macid) list_first_entry_or_null(&p->dlink_pool, typeof(*p->links_inst), dlink_schd); \ }) +static inline void rtw89_tx_wait_release(struct rtw89_tx_wait_info *wait) +{ + dev_kfree_skb_any(wait->skb); + kfree_rcu(wait, rcu_head); +} + +static inline void rtw89_tx_wait_list_clear(struct rtw89_dev *rtwdev) +{ + struct rtw89_tx_wait_info *wait, *tmp; + + lockdep_assert_wiphy(rtwdev->hw->wiphy); + + list_for_each_entry_safe(wait, tmp, &rtwdev->tx_waits, list) { + if (!completion_done(&wait->completion)) + continue; + list_del(&wait->list); + rtw89_tx_wait_release(wait); + } +} + static inline int rtw89_hci_tx_write(struct rtw89_dev *rtwdev, struct rtw89_core_tx_request *tx_req) { @@ -6265,6 +6291,7 @@ static inline int rtw89_hci_tx_write(struct rtw89_dev *rtwdev, static inline void rtw89_hci_reset(struct rtw89_dev *rtwdev) { rtwdev->hci.ops->reset(rtwdev); + rtw89_tx_wait_list_clear(rtwdev); } static inline int rtw89_hci_start(struct rtw89_dev *rtwdev) @@ -7345,11 +7372,12 @@ static inline struct sk_buff *rtw89_alloc_skb_for_rx(struct rtw89_dev *rtwdev, return dev_alloc_skb(length); } -static inline void rtw89_core_tx_wait_complete(struct rtw89_dev *rtwdev, +static inline bool rtw89_core_tx_wait_complete(struct rtw89_dev *rtwdev, struct rtw89_tx_skb_data *skb_data, bool tx_done) { struct rtw89_tx_wait_info *wait; + bool ret = false; rcu_read_lock(); @@ -7357,11 +7385,14 @@ static inline void rtw89_core_tx_wait_complete(struct rtw89_dev *rtwdev, if (!wait) goto out; + ret = true; wait->tx_done = tx_done; - complete(&wait->completion); + /* Don't access skb anymore after completion */ + complete_all(&wait->completion); out: rcu_read_unlock(); + return ret; } static inline bool rtw89_is_mlo_1_1(struct rtw89_dev *rtwdev) diff --git a/drivers/net/wireless/realtek/rtw89/pci.c b/drivers/net/wireless/realtek/rtw89/pci.c index c8286eb84276..8dd91d867ea6 100644 --- a/drivers/net/wireless/realtek/rtw89/pci.c +++ b/drivers/net/wireless/realtek/rtw89/pci.c @@ -464,7 +464,8 @@ static void rtw89_pci_tx_status(struct rtw89_dev *rtwdev, struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); struct ieee80211_tx_info *info; - rtw89_core_tx_wait_complete(rtwdev, skb_data, tx_status == RTW89_TX_DONE); + if (rtw89_core_tx_wait_complete(rtwdev, skb_data, tx_status == RTW89_TX_DONE)) + return; info = IEEE80211_SKB_CB(skb); ieee80211_tx_info_clear_status(info); diff --git a/drivers/net/wireless/realtek/rtw89/ser.c b/drivers/net/wireless/realtek/rtw89/ser.c index bb39fdbcba0d..fe7beff8c424 100644 --- a/drivers/net/wireless/realtek/rtw89/ser.c +++ b/drivers/net/wireless/realtek/rtw89/ser.c @@ -502,7 +502,9 @@ static void ser_reset_trx_st_hdl(struct rtw89_ser *ser, u8 evt) } drv_stop_rx(ser); + wiphy_lock(wiphy); drv_trx_reset(ser); + wiphy_unlock(wiphy); /* wait m3 */ hal_send_m2_event(ser); -- 2.51.0

1 week, 3 days

2
2
0 0

[PATCH v3] sparc: fix error handling in scan_one_device()

by Ma Ke

Once of_device_register() failed, we should call put_device() to decrement reference count for cleanup. Or it could cause memory leak. So fix this by calling put_device(), then the name can be freed in kobject_cleanup(). Calling path: of_device_register() -> of_device_add() -> device_add(). As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: cf44bbc26cf1 ("[SPARC]: Beginnings of generic of_device framework.") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v3: - also fixed the same problem in arch/sparc/kernel/of_device_32.c as suggestions. Changes in v2: - retained kfree() manually due to the lack of a release callback function. --- arch/sparc/kernel/of_device_32.c | 1 + arch/sparc/kernel/of_device_64.c | 1 + 2 files changed, 2 insertions(+) diff --git a/arch/sparc/kernel/of_device_32.c b/arch/sparc/kernel/of_device_32.c index 06012e68bdca..284a4cafa432 100644 --- a/arch/sparc/kernel/of_device_32.c +++ b/arch/sparc/kernel/of_device_32.c @@ -387,6 +387,7 @@ static struct platform_device * __init scan_one_device(struct device_node *dp, if (of_device_register(op)) { printk("%pOF: Could not register of device.\n", dp); + put_device(&op->dev); kfree(op); op = NULL; } diff --git a/arch/sparc/kernel/of_device_64.c b/arch/sparc/kernel/of_device_64.c index f98c2901f335..f53092b07b9e 100644 --- a/arch/sparc/kernel/of_device_64.c +++ b/arch/sparc/kernel/of_device_64.c @@ -677,6 +677,7 @@ static struct platform_device * __init scan_one_device(struct device_node *dp, if (of_device_register(op)) { printk("%pOF: Could not register of device.\n", dp); + put_device(&op->dev); kfree(op); op = NULL; } -- 2.17.1

1 week, 3 days

2
1
0 0

FAILED: patch "[PATCH] ksmbd: smbdirect: verify remaining_data_length respects" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x e1868ba37fd27c6a68e31565402b154beaa65df0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092135-estate-gander-564d@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e1868ba37fd27c6a68e31565402b154beaa65df0 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher <metze(a)samba.org> Date: Thu, 11 Sep 2025 10:05:23 +0900 Subject: [PATCH] ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size This is inspired by the check for data_offset + data_length. Cc: Steve French <smfrench(a)gmail.com> Cc: Tom Talpey <tom(a)talpey.com> Cc: linux-cifs(a)vger.kernel.org Cc: samba-technical(a)lists.samba.org Cc: stable(a)vger.kernel.org Fixes: 2ea086e35c3d ("ksmbd: add buffer validation for smb direct") Acked-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Stefan Metzmacher <metze(a)samba.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/transport_rdma.c b/fs/smb/server/transport_rdma.c index d52f37578276..6550bd9f002c 100644 --- a/fs/smb/server/transport_rdma.c +++ b/fs/smb/server/transport_rdma.c @@ -554,7 +554,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) case SMB_DIRECT_MSG_DATA_TRANSFER: { struct smb_direct_data_transfer *data_transfer = (struct smb_direct_data_transfer *)recvmsg->packet; - unsigned int data_offset, data_length; + u32 remaining_data_length, data_offset, data_length; int avail_recvmsg_count, receive_credits; if (wc->byte_len < @@ -564,6 +564,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) return; } + remaining_data_length = le32_to_cpu(data_transfer->remaining_data_length); data_length = le32_to_cpu(data_transfer->data_length); data_offset = le32_to_cpu(data_transfer->data_offset); if (wc->byte_len < data_offset || @@ -572,6 +573,14 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) smb_direct_disconnect_rdma_connection(t); return; } + if (remaining_data_length > t->max_fragmented_recv_size || + data_length > t->max_fragmented_recv_size || + (u64)remaining_data_length + (u64)data_length > + (u64)t->max_fragmented_recv_size) { + put_recvmsg(t, recvmsg); + smb_direct_disconnect_rdma_connection(t); + return; + } if (data_length) { if (t->full_packet_received)

1 week, 3 days

2
1
0 0

FAILED: patch "[PATCH] mptcp: propagate shutdown to subflows when possible" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x f755be0b1ff429a2ecf709beeb1bcd7abc111c2b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092143-trench-expiring-9a2f@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f755be0b1ff429a2ecf709beeb1bcd7abc111c2b Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Fri, 12 Sep 2025 14:25:50 +0200 Subject: [PATCH] mptcp: propagate shutdown to subflows when possible When the MPTCP DATA FIN have been ACKed, there is no more MPTCP related metadata to exchange, and all subflows can be safely shutdown. Before this patch, the subflows were actually terminated at 'close()' time. That's certainly fine most of the time, but not when the userspace 'shutdown()' a connection, without close()ing it. When doing so, the subflows were staying in LAST_ACK state on one side -- and consequently in FIN_WAIT2 on the other side -- until the 'close()' of the MPTCP socket. Now, when the DATA FIN have been ACKed, all subflows are shutdown. A consequence of this is that the TCP 'FIN' flag can be set earlier now, but the end result is the same. This affects the packetdrill tests looking at the end of the MPTCP connections, but for a good reason. Note that tcp_shutdown() will check the subflow state, so no need to do that again before calling it. Fixes: 3721b9b64676 ("mptcp: Track received DATA_FIN sequence number and add related helpers") Cc: stable(a)vger.kernel.org Fixes: 16a9a9da1723 ("mptcp: Add helper to process acks of DATA_FIN") Reviewed-by: Mat Martineau <martineau(a)kernel.org> Reviewed-by: Geliang Tang <geliang(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20250912-net-mptcp-fix-sft-connect-v1-1-d40e77cbbf… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index e6fd97b21e9e..5e497a83e967 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -371,6 +371,20 @@ static void mptcp_close_wake_up(struct sock *sk) sk_wake_async(sk, SOCK_WAKE_WAITD, POLL_IN); } +static void mptcp_shutdown_subflows(struct mptcp_sock *msk) +{ + struct mptcp_subflow_context *subflow; + + mptcp_for_each_subflow(msk, subflow) { + struct sock *ssk = mptcp_subflow_tcp_sock(subflow); + bool slow; + + slow = lock_sock_fast(ssk); + tcp_shutdown(ssk, SEND_SHUTDOWN); + unlock_sock_fast(ssk, slow); + } +} + /* called under the msk socket lock */ static bool mptcp_pending_data_fin_ack(struct sock *sk) { @@ -395,6 +409,7 @@ static void mptcp_check_data_fin_ack(struct sock *sk) break; case TCP_CLOSING: case TCP_LAST_ACK: + mptcp_shutdown_subflows(msk); mptcp_set_state(sk, TCP_CLOSE); break; } @@ -563,6 +578,7 @@ static bool mptcp_check_data_fin(struct sock *sk) mptcp_set_state(sk, TCP_CLOSING); break; case TCP_FIN_WAIT2: + mptcp_shutdown_subflows(msk); mptcp_set_state(sk, TCP_CLOSE); break; default:

1 week, 3 days

2
1
0 0

[PATCH rtw-next v5 2/4] wifi: rtw89: avoid possible TX wait initialization race

by Fedor Pchelkin

The value of skb_data->wait indicates whether skb is passed on to the core mac80211 stack or released by the driver itself. Make sure that by the time skb is added to txwd queue and becomes visible to the completing side, it has already allocated and initialized TX wait related data (in case it's needed). This is found by code review and addresses a possible race scenario described below: Waiting thread Completing thread rtw89_core_send_nullfunc() rtw89_core_tx_write_link() ... rtw89_pci_txwd_submit() skb_data->wait = NULL /* add skb to the queue */ skb_queue_tail(&txwd->queue, skb) /* another thread (e.g. rtw89_ops_tx) performs TX kick off for the same queue */ rtw89_pci_napi_poll() ... rtw89_pci_release_txwd_skb() /* get skb from the queue */ skb_unlink(skb, &txwd->queue) rtw89_pci_tx_status() rtw89_core_tx_wait_complete() /* use incorrect skb_data->wait */ rtw89_core_tx_kick_off_and_wait() /* assign skb_data->wait but too late */ Found by Linux Verification Center (linuxtesting.org). Fixes: 1ae5ca615285 ("wifi: rtw89: add function to wait for completion of TX skbs") Cc: stable(a)vger.kernel.org Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- v5: - update the changelog to reflect that the potential race scenario was found by code review - pass wait as an argument to rtw89_core_tx_kick_off_and_wait() v4: - use wiphy_dereference (Zong-Zhe) - move wait->skb assignment place drivers/net/wireless/realtek/rtw89/core.c | 39 +++++++++++++---------- drivers/net/wireless/realtek/rtw89/core.h | 3 +- drivers/net/wireless/realtek/rtw89/pci.c | 2 -- 3 files changed, 24 insertions(+), 20 deletions(-) diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c index ec467ae0e9e6..1f44c7fc1c5e 100644 --- a/drivers/net/wireless/realtek/rtw89/core.c +++ b/drivers/net/wireless/realtek/rtw89/core.c @@ -1153,25 +1153,14 @@ void rtw89_core_tx_kick_off(struct rtw89_dev *rtwdev, u8 qsel) } int rtw89_core_tx_kick_off_and_wait(struct rtw89_dev *rtwdev, struct sk_buff *skb, - int qsel, unsigned int timeout) + struct rtw89_tx_wait_info *wait, int qsel, + unsigned int timeout) { - struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); - struct rtw89_tx_wait_info *wait; unsigned long time_left; int ret = 0; lockdep_assert_wiphy(rtwdev->hw->wiphy); - wait = kzalloc(sizeof(*wait), GFP_KERNEL); - if (!wait) { - rtw89_core_tx_kick_off(rtwdev, qsel); - return 0; - } - - init_completion(&wait->completion); - wait->skb = skb; - rcu_assign_pointer(skb_data->wait, wait); - rtw89_core_tx_kick_off(rtwdev, qsel); time_left = wait_for_completion_timeout(&wait->completion, msecs_to_jiffies(timeout)); @@ -1234,10 +1223,12 @@ int rtw89_h2c_tx(struct rtw89_dev *rtwdev, static int rtw89_core_tx_write_link(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rtwvif_link, struct rtw89_sta_link *rtwsta_link, - struct sk_buff *skb, int *qsel, bool sw_mld) + struct sk_buff *skb, int *qsel, bool sw_mld, + struct rtw89_tx_wait_info *wait) { struct ieee80211_sta *sta = rtwsta_link_to_sta_safe(rtwsta_link); struct ieee80211_vif *vif = rtwvif_link_to_vif(rtwvif_link); + struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); struct rtw89_vif *rtwvif = rtwvif_link->rtwvif; struct rtw89_core_tx_request tx_req = {}; int ret; @@ -1254,6 +1245,8 @@ static int rtw89_core_tx_write_link(struct rtw89_dev *rtwdev, rtw89_core_tx_update_desc_info(rtwdev, &tx_req); rtw89_core_tx_wake(rtwdev, &tx_req); + rcu_assign_pointer(skb_data->wait, wait); + ret = rtw89_hci_tx_write(rtwdev, &tx_req); if (ret) { rtw89_err(rtwdev, "failed to transmit skb to HCI\n"); @@ -1290,7 +1283,8 @@ int rtw89_core_tx_write(struct rtw89_dev *rtwdev, struct ieee80211_vif *vif, } } - return rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, qsel, false); + return rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, qsel, false, + NULL); } static __le32 rtw89_build_txwd_body0(struct rtw89_tx_desc_info *desc_info) @@ -3928,6 +3922,7 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt struct ieee80211_vif *vif = rtwvif_link_to_vif(rtwvif_link); int link_id = ieee80211_vif_is_mld(vif) ? rtwvif_link->link_id : -1; struct rtw89_sta_link *rtwsta_link; + struct rtw89_tx_wait_info *wait; struct ieee80211_sta *sta; struct ieee80211_hdr *hdr; struct rtw89_sta *rtwsta; @@ -3937,6 +3932,12 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt if (vif->type != NL80211_IFTYPE_STATION || !vif->cfg.assoc) return 0; + wait = kzalloc(sizeof(*wait), GFP_KERNEL); + if (!wait) + return -ENOMEM; + + init_completion(&wait->completion); + rcu_read_lock(); sta = ieee80211_find_sta(vif, vif->cfg.ap_addr); if (!sta) { @@ -3951,6 +3952,8 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt goto out; } + wait->skb = skb; + hdr = (struct ieee80211_hdr *)skb->data; if (ps) hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM); @@ -3961,7 +3964,8 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt goto out; } - ret = rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, &qsel, true); + ret = rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, &qsel, true, + wait); if (ret) { rtw89_warn(rtwdev, "nullfunc transmit failed: %d\n", ret); dev_kfree_skb_any(skb); @@ -3970,10 +3974,11 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt rcu_read_unlock(); - return rtw89_core_tx_kick_off_and_wait(rtwdev, skb, qsel, + return rtw89_core_tx_kick_off_and_wait(rtwdev, skb, wait, qsel, timeout); out: rcu_read_unlock(); + kfree(wait); return ret; } diff --git a/drivers/net/wireless/realtek/rtw89/core.h b/drivers/net/wireless/realtek/rtw89/core.h index d15fa70eb4dc..928c8c84c964 100644 --- a/drivers/net/wireless/realtek/rtw89/core.h +++ b/drivers/net/wireless/realtek/rtw89/core.h @@ -7476,7 +7476,8 @@ int rtw89_h2c_tx(struct rtw89_dev *rtwdev, struct sk_buff *skb, bool fwdl); void rtw89_core_tx_kick_off(struct rtw89_dev *rtwdev, u8 qsel); int rtw89_core_tx_kick_off_and_wait(struct rtw89_dev *rtwdev, struct sk_buff *skb, - int qsel, unsigned int timeout); + struct rtw89_tx_wait_info *wait, int qsel, + unsigned int timeout); void rtw89_core_fill_txdesc(struct rtw89_dev *rtwdev, struct rtw89_tx_desc_info *desc_info, void *txdesc); diff --git a/drivers/net/wireless/realtek/rtw89/pci.c b/drivers/net/wireless/realtek/rtw89/pci.c index 8dd91d867ea6..0ee5f8579447 100644 --- a/drivers/net/wireless/realtek/rtw89/pci.c +++ b/drivers/net/wireless/realtek/rtw89/pci.c @@ -1494,7 +1494,6 @@ static int rtw89_pci_txwd_submit(struct rtw89_dev *rtwdev, struct pci_dev *pdev = rtwpci->pdev; struct sk_buff *skb = tx_req->skb; struct rtw89_pci_tx_data *tx_data = RTW89_PCI_TX_SKB_CB(skb); - struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); bool en_wd_info = desc_info->en_wd_info; u32 txwd_len; u32 txwp_len; @@ -1510,7 +1509,6 @@ static int rtw89_pci_txwd_submit(struct rtw89_dev *rtwdev, } tx_data->dma = dma; - rcu_assign_pointer(skb_data->wait, NULL); txwp_len = sizeof(*txwp_info); txwd_len = chip->txwd_body_size; -- 2.51.0

1 week, 3 days

2
1
0 0

FAILED: patch "[PATCH] mptcp: propagate shutdown to subflows when possible" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x f755be0b1ff429a2ecf709beeb1bcd7abc111c2b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092143-detonator-snowcap-57d7@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f755be0b1ff429a2ecf709beeb1bcd7abc111c2b Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Fri, 12 Sep 2025 14:25:50 +0200 Subject: [PATCH] mptcp: propagate shutdown to subflows when possible When the MPTCP DATA FIN have been ACKed, there is no more MPTCP related metadata to exchange, and all subflows can be safely shutdown. Before this patch, the subflows were actually terminated at 'close()' time. That's certainly fine most of the time, but not when the userspace 'shutdown()' a connection, without close()ing it. When doing so, the subflows were staying in LAST_ACK state on one side -- and consequently in FIN_WAIT2 on the other side -- until the 'close()' of the MPTCP socket. Now, when the DATA FIN have been ACKed, all subflows are shutdown. A consequence of this is that the TCP 'FIN' flag can be set earlier now, but the end result is the same. This affects the packetdrill tests looking at the end of the MPTCP connections, but for a good reason. Note that tcp_shutdown() will check the subflow state, so no need to do that again before calling it. Fixes: 3721b9b64676 ("mptcp: Track received DATA_FIN sequence number and add related helpers") Cc: stable(a)vger.kernel.org Fixes: 16a9a9da1723 ("mptcp: Add helper to process acks of DATA_FIN") Reviewed-by: Mat Martineau <martineau(a)kernel.org> Reviewed-by: Geliang Tang <geliang(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20250912-net-mptcp-fix-sft-connect-v1-1-d40e77cbbf… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index e6fd97b21e9e..5e497a83e967 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -371,6 +371,20 @@ static void mptcp_close_wake_up(struct sock *sk) sk_wake_async(sk, SOCK_WAKE_WAITD, POLL_IN); } +static void mptcp_shutdown_subflows(struct mptcp_sock *msk) +{ + struct mptcp_subflow_context *subflow; + + mptcp_for_each_subflow(msk, subflow) { + struct sock *ssk = mptcp_subflow_tcp_sock(subflow); + bool slow; + + slow = lock_sock_fast(ssk); + tcp_shutdown(ssk, SEND_SHUTDOWN); + unlock_sock_fast(ssk, slow); + } +} + /* called under the msk socket lock */ static bool mptcp_pending_data_fin_ack(struct sock *sk) { @@ -395,6 +409,7 @@ static void mptcp_check_data_fin_ack(struct sock *sk) break; case TCP_CLOSING: case TCP_LAST_ACK: + mptcp_shutdown_subflows(msk); mptcp_set_state(sk, TCP_CLOSE); break; } @@ -563,6 +578,7 @@ static bool mptcp_check_data_fin(struct sock *sk) mptcp_set_state(sk, TCP_CLOSING); break; case TCP_FIN_WAIT2: + mptcp_shutdown_subflows(msk); mptcp_set_state(sk, TCP_CLOSE); break; default:

1 week, 3 days

2
1
0 0

WTF: patch "[PATCH] LoongArch: Replace sprintf() with sysfs_emit()" was seriously submitted to be applied to the 6.16-stable tree?

by gregkh＠linuxfoundation.org

The patch below was submitted to be applied to the 6.16-stable tree. I fail to see how this patch meets the stable kernel rules as found at Documentation/process/stable-kernel-rules.rst. I could be totally wrong, and if so, please respond to <stable(a)vger.kernel.org> and let me know why this patch should be applied. Otherwise, it is now dropped from my patch queues, never to be seen again. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d6d69f0edde63b553345d4efaceb7daed89fe04c Mon Sep 17 00:00:00 2001 From: Tao Cui <cuitao(a)kylinos.cn> Date: Thu, 18 Sep 2025 19:44:04 +0800 Subject: [PATCH] LoongArch: Replace sprintf() with sysfs_emit() As Documentation/filesystems/sysfs.rst suggested, show() should only use sysfs_emit() or sysfs_emit_at() when formatting the value to be returned to user space. No functional change intended. Cc: stable(a)vger.kernel.org Signed-off-by: Tao Cui <cuitao(a)kylinos.cn> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> diff --git a/arch/loongarch/kernel/env.c b/arch/loongarch/kernel/env.c index be309a71f204..23bd5ae2212c 100644 --- a/arch/loongarch/kernel/env.c +++ b/arch/loongarch/kernel/env.c @@ -86,7 +86,7 @@ late_initcall(fdt_cpu_clk_init); static ssize_t boardinfo_show(struct kobject *kobj, struct kobj_attribute *attr, char *buf) { - return sprintf(buf, + return sysfs_emit(buf, "BIOS Information\n" "Vendor\t\t\t: %s\n" "Version\t\t\t: %s\n"

1 week, 3 days

3
2
0 0