- Linux-stable-mirror - lists.linaro.org

FAILED: patch "[PATCH] usb: typec: ucsi: displayport: Fix deadlock" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 364618c89d4c57c85e5fc51a2446cd939bf57802 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051221-pacifist-liability-19cf@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 364618c89d4c57c85e5fc51a2446cd939bf57802 Mon Sep 17 00:00:00 2001 From: Andrei Kuchynski <akuchynski(a)chromium.org> Date: Thu, 24 Apr 2025 08:44:28 +0000 Subject: [PATCH] usb: typec: ucsi: displayport: Fix deadlock This patch introduces the ucsi_con_mutex_lock / ucsi_con_mutex_unlock functions to the UCSI driver. ucsi_con_mutex_lock ensures the connector mutex is only locked if a connection is established and the partner pointer is valid. This resolves a deadlock scenario where ucsi_displayport_remove_partner holds con->mutex waiting for dp_altmode_work to complete while dp_altmode_work attempts to acquire it. Cc: stable <stable(a)kernel.org> Fixes: af8622f6a585 ("usb: typec: ucsi: Support for DisplayPort alt mode") Signed-off-by: Andrei Kuchynski <akuchynski(a)chromium.org> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://lore.kernel.org/r/20250424084429.3220757-2-akuchynski@chromium.org Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/typec/ucsi/displayport.c b/drivers/usb/typec/ucsi/displayport.c index 420af5139c70..acd053d4e38c 100644 --- a/drivers/usb/typec/ucsi/displayport.c +++ b/drivers/usb/typec/ucsi/displayport.c @@ -54,7 +54,8 @@ static int ucsi_displayport_enter(struct typec_altmode *alt, u32 *vdo) u8 cur = 0; int ret; - mutex_lock(&dp->con->lock); + if (!ucsi_con_mutex_lock(dp->con)) + return -ENOTCONN; if (!dp->override && dp->initialized) { const struct typec_altmode *p = typec_altmode_get_partner(alt); @@ -100,7 +101,7 @@ static int ucsi_displayport_enter(struct typec_altmode *alt, u32 *vdo) schedule_work(&dp->work); ret = 0; err_unlock: - mutex_unlock(&dp->con->lock); + ucsi_con_mutex_unlock(dp->con); return ret; } @@ -112,7 +113,8 @@ static int ucsi_displayport_exit(struct typec_altmode *alt) u64 command; int ret = 0; - mutex_lock(&dp->con->lock); + if (!ucsi_con_mutex_lock(dp->con)) + return -ENOTCONN; if (!dp->override) { const struct typec_altmode *p = typec_altmode_get_partner(alt); @@ -144,7 +146,7 @@ static int ucsi_displayport_exit(struct typec_altmode *alt) schedule_work(&dp->work); out_unlock: - mutex_unlock(&dp->con->lock); + ucsi_con_mutex_unlock(dp->con); return ret; } @@ -202,20 +204,21 @@ static int ucsi_displayport_vdm(struct typec_altmode *alt, int cmd = PD_VDO_CMD(header); int svdm_version; - mutex_lock(&dp->con->lock); + if (!ucsi_con_mutex_lock(dp->con)) + return -ENOTCONN; if (!dp->override && dp->initialized) { const struct typec_altmode *p = typec_altmode_get_partner(alt); dev_warn(&p->dev, "firmware doesn't support alternate mode overriding\n"); - mutex_unlock(&dp->con->lock); + ucsi_con_mutex_unlock(dp->con); return -EOPNOTSUPP; } svdm_version = typec_altmode_get_svdm_version(alt); if (svdm_version < 0) { - mutex_unlock(&dp->con->lock); + ucsi_con_mutex_unlock(dp->con); return svdm_version; } @@ -259,7 +262,7 @@ static int ucsi_displayport_vdm(struct typec_altmode *alt, break; } - mutex_unlock(&dp->con->lock); + ucsi_con_mutex_unlock(dp->con); return 0; } diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c index e8c7e9dc4930..01ce858a1a2b 100644 --- a/drivers/usb/typec/ucsi/ucsi.c +++ b/drivers/usb/typec/ucsi/ucsi.c @@ -1922,6 +1922,40 @@ void ucsi_set_drvdata(struct ucsi *ucsi, void *data) } EXPORT_SYMBOL_GPL(ucsi_set_drvdata); +/** + * ucsi_con_mutex_lock - Acquire the connector mutex + * @con: The connector interface to lock + * + * Returns true on success, false if the connector is disconnected + */ +bool ucsi_con_mutex_lock(struct ucsi_connector *con) +{ + bool mutex_locked = false; + bool connected = true; + + while (connected && !mutex_locked) { + mutex_locked = mutex_trylock(&con->lock) != 0; + connected = UCSI_CONSTAT(con, CONNECTED); + if (connected && !mutex_locked) + msleep(20); + } + + connected = connected && con->partner; + if (!connected && mutex_locked) + mutex_unlock(&con->lock); + + return connected; +} + +/** + * ucsi_con_mutex_unlock - Release the connector mutex + * @con: The connector interface to unlock + */ +void ucsi_con_mutex_unlock(struct ucsi_connector *con) +{ + mutex_unlock(&con->lock); +} + /** * ucsi_create - Allocate UCSI instance * @dev: Device interface to the PPM (Platform Policy Manager) diff --git a/drivers/usb/typec/ucsi/ucsi.h b/drivers/usb/typec/ucsi/ucsi.h index 3a2c1762bec1..9c5278a0c5d4 100644 --- a/drivers/usb/typec/ucsi/ucsi.h +++ b/drivers/usb/typec/ucsi/ucsi.h @@ -94,6 +94,8 @@ int ucsi_register(struct ucsi *ucsi); void ucsi_unregister(struct ucsi *ucsi); void *ucsi_get_drvdata(struct ucsi *ucsi); void ucsi_set_drvdata(struct ucsi *ucsi, void *data); +bool ucsi_con_mutex_lock(struct ucsi_connector *con); +void ucsi_con_mutex_unlock(struct ucsi_connector *con); void ucsi_connector_change(struct ucsi *ucsi, u8 num);

3 months, 3 weeks

3
4
0 0

My name is Hendrick John Neverett an International Trade Compliance Expert and Loan Facilitator for individual and corporate Loan Services. It is my pleasure to inform you of my intention to start a business investment in your country and I want you to be my partner/fiduciary agent.Respond for further

by Hendrick John Neverett

3 months, 3 weeks

1
0
0 0

[PATCH v2] dummycon: Trigger redraw when switching consoles with deferred takeover

by Thomas Zimmermann

Signal vt subsystem to redraw console when switching to dummycon with deferred takeover enabled. Makes the console switch to fbcon and displays the available output. With deferred takeover enabled, dummycon acts as the placeholder until the first output to the console happens. At that point, fbcon takes over. If the output happens while dummycon is not active, it cannot inform fbcon. This is the case if the vt subsystem runs in graphics mode. A typical graphical boot starts plymouth, a display manager and a compositor; all while leaving out dummycon. Switching to a text-mode console leaves the console with dummycon even if a getty terminal has been started. Returning true from dummycon's con_switch helper signals the vt subsystem to redraw the screen. If there's output available dummycon's con_putc{s} helpers trigger deferred takeover of fbcon, which sets a display mode and displays the output. If no output is available, dummycon remains active. v2: - make the comment slightly more verbose (Javier) Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Reported-by: Andrei Borzenkov <arvidjaar(a)gmail.com> Closes: https://bugzilla.suse.com/show_bug.cgi?id=1242191 Tested-by: Andrei Borzenkov <arvidjaar(a)gmail.com> Acked-by: Javier Martinez Canillas <javierm(a)redhat.com> Fixes: 83d83bebf401 ("console/fbcon: Add support for deferred console takeover") Cc: Hans de Goede <hdegoede(a)redhat.com> Cc: linux-fbdev(a)vger.kernel.org Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v4.19+ --- drivers/video/console/dummycon.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/drivers/video/console/dummycon.c b/drivers/video/console/dummycon.c index 139049368fdc..7d02470f19b9 100644 --- a/drivers/video/console/dummycon.c +++ b/drivers/video/console/dummycon.c @@ -85,6 +85,15 @@ static bool dummycon_blank(struct vc_data *vc, enum vesa_blank_mode blank, /* Redraw, so that we get putc(s) for output done while blanked */ return true; } + +static bool dummycon_switch(struct vc_data *vc) +{ + /* + * Redraw, so that we get putc(s) for output done while switched + * away. Informs deferred consoles to take over the display. + */ + return true; +} #else static void dummycon_putc(struct vc_data *vc, u16 c, unsigned int y, unsigned int x) { } @@ -95,6 +104,10 @@ static bool dummycon_blank(struct vc_data *vc, enum vesa_blank_mode blank, { return false; } +static bool dummycon_switch(struct vc_data *vc) +{ + return false; +} #endif static const char *dummycon_startup(void) @@ -124,11 +137,6 @@ static bool dummycon_scroll(struct vc_data *vc, unsigned int top, return false; } -static bool dummycon_switch(struct vc_data *vc) -{ - return false; -} - /* * The console `switch' structure for the dummy console * -- 2.49.0

3 months, 3 weeks

1
0
0 0

[PATCH] sched/eevdf: avoid pick_eevdf() returns NULL

by limingming3

pick_eevdf() may return NULL, which would triggers NULL pointer dereference and crash when best and curr are both NULL. There are two cases when curr would be NULL: 1) curr is NULL when enter pick_eevdf 2) we set it to NUll when curr is not on_rq or eligible. And when we went to the best = curr flow, the se should never be NULL, So when best and curr are both NULL, we'd better set best = se to avoid return NULL. Below crash is what I encounter very low probability on our server and I have not reproduce it, and I also found other people feedback some similar crash on lore. So believe the issue is really exit. <1>[ 8.607396] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0 <1>[ 8.607399] Mem abort info: <1>[ 8.607400] ESR = 0x0000000096000004 <1>[ 8.607401] EC = 0x25: DABT (current EL), IL = 32 bits <1>[ 8.607402] SET = 0, FnV = 0 <1>[ 8.607403] EA = 0, S1PTW = 0 <1>[ 8.607403] FSC = 0x04: level 0 translation fault <1>[ 8.607404] Data abort info: <1>[ 8.607404] ISV = 0, ISS = 0x00000004 <1>[ 8.607404] CM = 0, WnR = 0 <1>[ 8.607405] user pgtable: 4k pages, 48-bit VAs, pgdp=000000011efef000 <1>[ 8.607406] [00000000000000a0] pgd=0000000000000000, p4d=0000000000000000 <0>[ 8.607409] Internal error: Oops: 0000000096000004 [#1] PREEMPT_RT SMP <4>[ 8.607412] Modules linked in: tegradisp(O) sch_ingress xt_tcpudp iptable_filter 8021q garp mrp um_heap(O) nvhost_isp5(O) spidev nvhost_vi5(O) bridge nvhost_nvcsi_t194(O) tegra_capture_isp(O) tegra210_adma stp llc nvhost_capture(O) tegra_aconnect watchdog_tegra_t18x(O) spi_tegra114 tegra_camera(O) v4l2_dv_timings v4l2_fwnode v4l2_async videobuf2_dma_contig tegra_drm(O) cpuidle_tegra_auto(O) nvhost_nvcsi(O) nvhost_nvdla(O) tegra_camera_platform(O) drm_dp_aux_bus camchar(O) capture_ivc(O) cec videobuf2_v4l2 camera_diagnostics(O) snd_soc_tegra_virt_t210ref_pcm(O) drm_display_helper videobuf2_memops rtcpu_debug(O) snd_soc_tegra210_virt_alt_adsp(O) videobuf2_common drm_kms_helper videodev nvadsp(O) cdi_mgr(O) nvhost_pva(O) cdi_pwm(O) isc_mgr(O) sha3_ce isc_pwm(O) sha3_generic cdi_dev(O) sha512_ce lm90 snd_soc_tegra210_virt_alt_admaif(O) tegra_bpmp_thermal sha512_arm64 tegra_hv_vcpu_yield(O) tegra_hv_pm_ctl(O) cam_fsync(O) cdi_gpio(O) ukl(O) isc_dev(O) mc tegra_camera_rtcpu(O) <4>[ 8.607458] board_id_driver(O) tegra_fsicom(O) isc_gpio(O) ivc_bus(O) hsp_mailbox_client(O) nvhwpm(O) host1x_nvhost(O) nvgpu(O) mc_utils(O) nvmap(O) hvc_sysfs(O) tegra_nvvse_cryptodev(O) tegra_hv_vse_safety(O) host1x_fence(O) host1x(O) nvsciipc(O) userspace_ivc_mempool(O) ivc_cdev(O) logger(O) drm fuse ip_tables x_tables nvme nvme_core hashed_ecid(O) oak_pci(O) nvethernet(O) nvpps(O) tegra_bpmp(O) tegra_vblk(O) li_osdump(O) tegra_hv_vblk_oops(O) <4>[ 8.607479] CPU: 9 PID: 1300 Comm: R000000007400 Tainted: G W O 6.1.119-rt45-prod-rt-tegra #1 <4>[ 8.607481] Hardware name: p3960-0010 (DT) <4>[ 8.607482] pstate: 224000c5 (nzCv daIF +PAN -UAO +TCO -DIT -SSBS BTYPE=--) <4>[ 8.607483] pc : pick_next_task_fair+0x98/0x490 <4>[ 8.607490] lr : pick_next_task_fair+0x98/0x490 <4>[ 8.607490] sp : ffff800021bdb1b0 <4>[ 8.607491] x29: ffff800021bdb1b0 x28: ffff0000836205c0 x27: 0000000000001000 <4>[ 8.607492] x26: d8e0d16df7b8e848 x25: ffff000e881b6dc0 x24: ffff000e881b6dc0 <4>[ 8.607494] x23: ffff800021bdb268 x22: ffff000e881b6d40 x21: ffff000083620000 <4>[ 8.607495] x20: ffff000e881b6dc0 x19: ffff000e881b6d40 x18: 00000000000005c8 <4>[ 8.607496] x17: 0000000000000000 x16: ffffd16df7896b40 x15: 0000000000000000 <4>[ 8.607497] x14: 0000000000000014 x13: ffff800021bdba90 x12: ffff0000b052f300 <4>[ 8.607498] x11: 00000000c425686b x10: 00000002010a4ab3 x9 : ffffd16df6ca7778 <4>[ 8.607499] x8 : ffff800021bdb390 x7 : 0000000000000000 x6 : 0000000000000002 <4>[ 8.607500] x5 : 0000000000000003 x4 : 0000000000000003 x3 : 0ab3e2bc8934c987 <4>[ 8.607501] x2 : ffff000085241ec0 x1 : 0abe8499696457cc x0 : 0000000000000000 <4>[ 8.607503] Call trace: <4>[ 8.607503] pick_next_task_fair+0x98/0x490 <4>[ 8.607505] __schedule+0x16c/0x870 <4>[ 8.607511] schedule_rtlock+0x28/0x60 <4>[ 8.607513] rtlock_slowlock_locked+0x3a0/0xcf0 <4>[ 8.607515] rt_spin_lock+0xb0/0xe0 <4>[ 8.607516] __wake_up_common_lock+0x68/0xe0 <4>[ 8.607519] __wake_up_sync_key+0x28/0x50 <4>[ 8.607520] sock_def_readable+0x48/0xa0 <4>[ 8.607523] __udp_enqueue_schedule_skb+0x158/0x2e0 <4>[ 8.607527] udp_queue_rcv_one_skb+0x1f8/0x6f0 <4>[ 8.607529] udp_queue_rcv_skb+0x64/0x290 <4>[ 8.607531] __udp4_lib_rcv+0x654/0x980 <4>[ 8.607532] udp_rcv+0x28/0x40 <4>[ 8.607533] ip_protocol_deliver_rcu+0x40/0x1d0 <4>[ 8.607538] ip_local_deliver_finish+0x84/0xe0 <4>[ 8.607540] ip_local_deliver+0x84/0x130 <4>[ 8.607542] ip_rcv+0x78/0x150 <4>[ 8.607544] __netif_receive_skb_one_core+0x60/0xb0 <4>[ 8.607548] __netif_receive_skb+0x20/0x80 <4>[ 8.607549] process_backlog+0xcc/0x1a0 <4>[ 8.607551] __napi_poll.constprop.0+0x40/0x230 <4>[ 8.607552] net_rx_action+0x13c/0x310 <4>[ 8.607553] handle_softirqs.isra.0+0x118/0x3a0 <4>[ 8.607556] __local_bh_enable_ip+0x8c/0x110 <4>[ 8.607556] netif_rx+0xf4/0x1d0 <4>[ 8.607558] dev_loopback_xmit+0x88/0x170 <4>[ 8.607559] ip_mc_finish_output+0x7c/0x180 <4>[ 8.607561] ip_mc_output+0x338/0x350 <4>[ 8.607562] ip_send_skb+0x58/0x130 <4>[ 8.607563] udp_send_skb+0x11c/0x3d0 <4>[ 8.607564] udp_sendmsg+0x794/0x9d0 <4>[ 8.607566] inet_sendmsg+0x4c/0xa0 <4>[ 8.607568] __sock_sendmsg+0x64/0x80 <4>[ 8.607572] __sys_sendto+0x114/0x170 <4>[ 8.607573] __arm64_sys_sendto+0x30/0x50 <4>[ 8.607575] invoke_syscall+0x50/0x140 <4>[ 8.607579] el0_svc_common.constprop.0+0x4c/0x110 <4>[ 8.607581] do_el0_svc+0x2c/0x90 <4>[ 8.607583] el0_svc+0x2c/0xa0 <4>[ 8.607585] el0t_64_sync_handler+0x124/0x130 <4>[ 8.607586] el0t_64_sync+0x190/0x194 <0>[ 8.607589] Code: 97fff1ee 37000200 aa1403e0 97ffddc7 (f9405014) <4>[ 8.607596] ---[ end trace 0000000000000000 ]--- Signed-off-by: limingming3 <limingming3(a)lixiang.com> --- kernel/sched/fair.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c index 0fb9bf995a47..7fd867d6b62d 100644 --- a/kernel/sched/fair.c +++ b/kernel/sched/fair.c @@ -978,7 +978,7 @@ static struct sched_entity *pick_eevdf(struct cfs_rq *cfs_rq) } found: if (!best || (curr && entity_before(curr, best))) - best = curr; + best = curr ? curr : se; return best; } -- 2.48.1

3 months, 3 weeks

4
4
0 0

Linux 6.14.7

by Greg Kroah-Hartman

I'm announcing the release of the 6.14.7 kernel. All users of the 6.14 kernel series must upgrade. The updated 6.14.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.14.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ .clippy.toml | 2 Documentation/ABI/testing/sysfs-devices-system-cpu | 1 Documentation/admin-guide/hw-vuln/index.rst | 1 Documentation/admin-guide/hw-vuln/indirect-target-selection.rst | 168 ++++++++ Documentation/admin-guide/kernel-parameters.txt | 18 Makefile | 2 arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 25 - arch/arm64/include/asm/cputype.h | 2 arch/arm64/include/asm/insn.h | 1 arch/arm64/include/asm/spectre.h | 3 arch/arm64/kernel/cpufeature.c | 9 arch/arm64/kernel/proton-pack.c | 13 arch/arm64/kvm/mmu.c | 13 arch/arm64/lib/insn.c | 60 +- arch/arm64/net/bpf_jit_comp.c | 57 ++ arch/mips/include/asm/ptrace.h | 3 arch/riscv/kernel/process.c | 6 arch/riscv/kernel/traps.c | 64 +-- arch/riscv/kernel/traps_misaligned.c | 17 arch/s390/kernel/entry.S | 3 arch/s390/pci/pci_clp.c | 2 arch/x86/Kconfig | 12 arch/x86/entry/entry_64.S | 20 arch/x86/include/asm/alternative.h | 32 + arch/x86/include/asm/cpufeatures.h | 3 arch/x86/include/asm/microcode.h | 2 arch/x86/include/asm/msr-index.h | 8 arch/x86/include/asm/nospec-branch.h | 10 arch/x86/kernel/alternative.c | 208 +++++++++- arch/x86/kernel/cpu/bugs.c | 176 ++++++++ arch/x86/kernel/cpu/common.c | 72 ++- arch/x86/kernel/cpu/microcode/amd.c | 6 arch/x86/kernel/cpu/microcode/core.c | 58 +- arch/x86/kernel/cpu/microcode/intel.c | 2 arch/x86/kernel/cpu/microcode/internal.h | 1 arch/x86/kernel/ftrace.c | 2 arch/x86/kernel/head32.c | 4 arch/x86/kernel/module.c | 6 arch/x86/kernel/static_call.c | 4 arch/x86/kernel/vmlinux.lds.S | 10 arch/x86/kvm/mmu/mmu.c | 69 ++- arch/x86/kvm/smm.c | 1 arch/x86/kvm/svm/svm.c | 4 arch/x86/kvm/x86.c | 4 arch/x86/lib/retpoline.S | 39 + arch/x86/mm/tlb.c | 23 + arch/x86/net/bpf_jit_comp.c | 58 ++ drivers/accel/ivpu/ivpu_hw.c | 2 drivers/accel/ivpu/ivpu_job.c | 90 +++- drivers/base/cpu.c | 3 drivers/block/loop.c | 43 +- drivers/bluetooth/btmtk.c | 10 drivers/clocksource/i8253.c | 4 drivers/firmware/arm_scmi/driver.c | 13 drivers/gpu/drm/amd/amdgpu/amdgpu.h | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 18 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 29 - drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 10 drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h | 1 drivers/gpu/drm/amd/amdgpu/hdp_v4_0.c | 7 drivers/gpu/drm/amd/amdgpu/hdp_v5_0.c | 7 drivers/gpu/drm/amd/amdgpu/hdp_v5_2.c | 12 drivers/gpu/drm/amd/amdgpu/hdp_v6_0.c | 7 drivers/gpu/drm/amd/amdgpu/hdp_v7_0.c | 7 drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c | 1 drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c | 1 drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 1 drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 4 drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c | 1 drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c | 1 drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c | 3 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 36 - drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 28 + drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c | 14 drivers/gpu/drm/panel/panel-simple.c | 25 - drivers/gpu/drm/v3d/v3d_sched.c | 28 + drivers/gpu/drm/xe/tests/xe_mocs.c | 7 drivers/gpu/drm/xe/xe_gt_debugfs.c | 9 drivers/gpu/drm/xe/xe_gt_pagefault.c | 11 drivers/hv/hyperv_vmbus.h | 6 drivers/hv/vmbus_drv.c | 100 ++++ drivers/iio/accel/adis16201.c | 4 drivers/iio/accel/adxl355_core.c | 2 drivers/iio/accel/adxl367.c | 10 drivers/iio/adc/ad7266.c | 2 drivers/iio/adc/ad7606_spi.c | 2 drivers/iio/adc/ad7768-1.c | 2 drivers/iio/adc/dln2-adc.c | 2 drivers/iio/adc/rockchip_saradc.c | 17 drivers/iio/chemical/pms7003.c | 5 drivers/iio/chemical/sps30.c | 2 drivers/iio/common/hid-sensors/hid-sensor-attributes.c | 4 drivers/iio/imu/bmi270/bmi270_core.c | 6 drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c | 2 drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 6 drivers/iio/light/hid-sensor-prox.c | 22 - drivers/iio/light/opt3001.c | 5 drivers/iio/pressure/mprls0025pa.h | 17 drivers/iio/temperature/maxim_thermocouple.c | 2 drivers/input/joystick/xpad.c | 40 + drivers/input/keyboard/mtk-pmic-keys.c | 4 drivers/input/mouse/synaptics.c | 5 drivers/input/touchscreen/cyttsp5.c | 7 drivers/md/dm-table.c | 3 drivers/net/can/m_can/m_can.c | 3 drivers/net/can/rockchip/rockchip_canfd-core.c | 2 drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 42 +- drivers/net/dsa/b53/b53_common.c | 207 +++++++-- drivers/net/dsa/b53/b53_priv.h | 3 drivers/net/dsa/bcm_sf2.c | 1 drivers/net/ethernet/intel/ice/ice_adapter.c | 47 -- drivers/net/ethernet/intel/ice/ice_adapter.h | 6 drivers/net/ethernet/mediatek/mtk_eth_soc.c | 19 drivers/net/ethernet/meta/fbnic/fbnic_csr.h | 2 drivers/net/ethernet/meta/fbnic/fbnic_fw.c | 197 +++++---- drivers/net/ethernet/meta/fbnic/fbnic_mac.c | 6 drivers/net/virtio_net.c | 23 - drivers/nvme/host/core.c | 3 drivers/pci/hotplug/s390_pci_hpc.c | 1 drivers/staging/axis-fifo/axis-fifo.c | 14 drivers/staging/iio/adc/ad7816.c | 2 drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c | 1 drivers/uio/uio_hv_generic.c | 39 - drivers/usb/cdns3/cdnsp-gadget.c | 31 + drivers/usb/cdns3/cdnsp-gadget.h | 6 drivers/usb/cdns3/cdnsp-pci.c | 12 drivers/usb/cdns3/cdnsp-ring.c | 3 drivers/usb/cdns3/core.h | 3 drivers/usb/class/usbtmc.c | 59 +- drivers/usb/dwc3/core.h | 4 drivers/usb/dwc3/gadget.c | 60 +- drivers/usb/gadget/composite.c | 12 drivers/usb/gadget/function/f_ecm.c | 7 drivers/usb/gadget/udc/tegra-xudc.c | 4 drivers/usb/host/uhci-platform.c | 2 drivers/usb/host/xhci-dbgcap.c | 19 drivers/usb/host/xhci-dbgcap.h | 3 drivers/usb/host/xhci-tegra.c | 3 drivers/usb/misc/onboard_usb_dev.c | 10 drivers/usb/typec/tcpm/tcpm.c | 2 drivers/usb/typec/ucsi/displayport.c | 21 - drivers/usb/typec/ucsi/ucsi.c | 34 + drivers/usb/typec/ucsi/ucsi.h | 2 drivers/vfio/pci/vfio_pci_core.c | 12 drivers/xen/swiotlb-xen.c | 1 drivers/xen/xenbus/xenbus.h | 2 drivers/xen/xenbus/xenbus_comms.c | 9 drivers/xen/xenbus/xenbus_dev_frontend.c | 2 drivers/xen/xenbus/xenbus_xs.c | 18 fs/btrfs/volumes.c | 91 ---- fs/erofs/fileio.c | 4 fs/erofs/zdata.c | 31 - fs/namespace.c | 3 fs/ocfs2/alloc.c | 1 fs/ocfs2/journal.c | 80 ++- fs/ocfs2/journal.h | 1 fs/ocfs2/ocfs2.h | 17 fs/ocfs2/quota_local.c | 9 fs/ocfs2/suballoc.c | 38 + fs/ocfs2/suballoc.h | 1 fs/ocfs2/super.c | 3 fs/smb/client/cached_dir.c | 10 fs/smb/server/oplock.c | 7 fs/smb/server/smb2pdu.c | 5 fs/smb/server/vfs.c | 7 fs/smb/server/vfs_cache.c | 33 + fs/userfaultfd.c | 28 + include/linux/cpu.h | 2 include/linux/execmem.h | 3 include/linux/hyperv.h | 6 include/linux/ieee80211.h | 2 include/linux/module.h | 5 include/linux/timekeeper_internal.h | 8 include/linux/vmalloc.h | 1 include/net/netdev_queues.h | 6 init/Kconfig | 3 io_uring/io_uring.c | 58 +- io_uring/sqpoll.c | 2 kernel/params.c | 4 kernel/time/timekeeping.c | 50 ++ kernel/time/vsyscall.c | 4 mm/huge_memory.c | 11 mm/internal.h | 27 - mm/memblock.c | 9 mm/page_alloc.c | 161 ++++--- mm/vmalloc.c | 31 + net/can/gw.c | 149 ++++--- net/core/filter.c | 1 net/core/netdev-genl.c | 69 ++- net/ipv6/addrconf.c | 15 net/mac80211/mlme.c | 12 net/netfilter/ipset/ip_set_hash_gen.h | 2 net/netfilter/ipvs/ip_vs_xmit.c | 27 - net/openvswitch/actions.c | 3 net/sched/sch_htb.c | 15 net/wireless/scan.c | 2 rust/bindings/lib.rs | 1 rust/kernel/alloc/kvec.rs | 3 rust/kernel/list.rs | 3 rust/kernel/str.rs | 46 +- rust/macros/module.rs | 19 rust/macros/paste.rs | 2 rust/macros/pinned_drop.rs | 3 rust/uapi/lib.rs | 1 tools/objtool/check.c | 1 tools/testing/selftests/Makefile | 1 tools/testing/selftests/mm/compaction_test.c | 19 tools/testing/selftests/mm/pkey-powerpc.h | 14 tools/testing/selftests/mm/pkey_util.c | 1 tools/testing/selftests/x86/bugs/Makefile | 3 tools/testing/selftests/x86/bugs/common.py | 164 +++++++ tools/testing/selftests/x86/bugs/its_indirect_alignment.py | 150 +++++++ tools/testing/selftests/x86/bugs/its_permutations.py | 109 +++++ tools/testing/selftests/x86/bugs/its_ret_alignment.py | 139 ++++++ tools/testing/selftests/x86/bugs/its_sysfs.py | 65 +++ 215 files changed, 3564 insertions(+), 1212 deletions(-) Aditya Garg (3): Input: synaptics - enable InterTouch on Dynabook Portege X30L-G Input: synaptics - enable InterTouch on Dell Precision M3800 Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 Al Viro (1): do_umount(): add missing barrier before refcount checks in sync case Alex Deucher (7): Revert "drm/amd: Stop evicting resources on APUs in suspend" drm/amdgpu: fix pm notifier handling drm/amdgpu/hdp4: use memcfg register to post the write for HDP flush drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush drm/amdgpu/hdp5: use memcfg register to post the write for HDP flush drm/amdgpu/hdp6: use memcfg register to post the write for HDP flush drm/amdgpu/hdp7: use memcfg register to post the write for HDP flush Alex Williamson (1): vfio/pci: Align huge faults to order Alexander Duyck (7): fbnic: Fix initialization of mailbox descriptor rings fbnic: Gate AXI read/write enabling on FW mailbox fbnic: Actually flush_tx instead of stalling out fbnic: Cleanup handling of completions fbnic: Improve responsiveness of fbnic_mbx_poll_tx_ready fbnic: Pull fbnic_fw_xmit_cap_msg use out of interrupt context fbnic: Do not allow mailbox to toggle to ready outside fbnic_mbx_poll_tx_ready Alexey Charkov (1): usb: uhci-platform: Make the clock really optional Andrei Kuchynski (2): usb: typec: ucsi: displayport: Fix deadlock usb: typec: ucsi: displayport: Fix NULL pointer access Angelo Dureghello (1): iio: adc: ad7606: fix serial register access Antonios Salios (1): can: m_can: m_can_class_allocate_dev(): initialize spin lock on device probe Aurabindo Pillai (1): drm/amd/display: more liberal vmin/vmax update for freesync Borislav Petkov (AMD) (1): x86/microcode: Consolidate the loader enablement checking Christoph Hellwig (1): loop: factor out a loop_assign_backing_file helper Clément Léger (2): riscv: misaligned: factorize trap handling riscv: misaligned: enable IRQs while handling misaligned accesses Cong Wang (1): sch_htb: make htb_deactivate() idempotent Cristian Marussi (1): firmware: arm_scmi: Fix timeout checks on polling path Dan Carpenter (1): dm: add missing unlock on in dm_keyslot_evict() Daniel Golle (1): net: ethernet: mtk_eth_soc: reset all TX queues on DMA free Daniel Sneddon (2): x86/bpf: Call branch history clearing sequence on exit x86/bpf: Add IBHF call at end of classic BPF Daniel Wagner (1): nvme: unblock ctrl state transition for firmware update Dave Hansen (1): x86/mm: Eliminate window where TLB flushes may be inadvertently skipped Dave Penkler (3): usb: usbtmc: Fix erroneous get_stb ioctl error returns usb: usbtmc: Fix erroneous wait_srq ioctl return usb: usbtmc: Fix erroneous generic_read ioctl return Dave Stevenson (1): staging: bcm2835-camera: Initialise dev in v4l2_dev David Lechner (4): iio: chemical: sps30: use aligned_s64 for timestamp iio: chemical: pms7003: use aligned_s64 for timestamp iio: imu: inv_mpu6050: align buffer for timestamp iio: pressure: mprls0025pa: use aligned_s64 for timestamp Dmitry Antipov (1): module: ensure that kobject_put() is safe for module type kobjects Dmitry Torokhov (1): Input: synaptics - enable SMBus for HP Elitebook 850 G1 Eelco Chaudron (1): openvswitch: Fix unsafe attribute parsing in output_userspace() Eric Biggers (1): x86/its: Fix build errors when CONFIG_MODULES=n Feng Tang (1): selftests/mm: compaction_test: support platform with huge mount of memory Frank Wunderlich (1): net: ethernet: mtk_eth_soc: do not reset PSE when setting FE Gabriel Krisman Bertazi (1): io_uring/sqpoll: Increase task_work submission batch size Gabriel Shahrouzi (4): staging: iio: adc: ad7816: Correct conditional logic for store mode staging: axis-fifo: Remove hardware resets for user errors staging: axis-fifo: Correct handling of tx_fifo_depth for size validation iio: adis16201: Correct inclinometer channel resolution Gao Xiang (1): erofs: ensure the extra temporary copy is valid for shortened bvecs Gary Bisson (1): Input: mtk-pmic-keys - fix possible null pointer dereference Gavin Guo (1): mm/huge_memory: fix dereferencing invalid pmd migration entry Greg Kroah-Hartman (1): Linux 6.14.7 Guillaume Nault (1): gre: Fix again IPv6 link-local address generation. Gustavo Silva (1): iio: imu: bmi270: fix initial sampling frequency configuration Hao Qin (1): Bluetooth: btmtk: Remove the resetting step before downloading the fw Heiko Carstens (1): s390/entry: Fix last breaking event handling in case of stack corruption Heming Zhao (1): ocfs2: fix the issue with discontiguous allocation in the global_bitmap Hugo Villeneuve (1): Input: cyttsp5 - ensure minimum reset pulse width Jacek Lawrynowicz (1): accel/ivpu: Increase state dump msg timeout Jakub Kicinski (4): virtio-net: don't re-enable refill work too early when NAPI is disabled virtio-net: free xsk_buffs on error in virtnet_xsk_pool_enable() net: export a helper for adding up queue stats virtio-net: fix total qstat values James Morse (6): arm64: insn: Add support for encoding DSB arm64: proton-pack: Expose whether the platform is mitigated by firmware arm64: proton-pack: Expose whether the branchy loop k value arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users arm64: proton-pack: Add new CPUs 'k' values for branch mitigation Jan Kara (3): ocfs2: switch osb->disable_recovery to enum ocfs2: implement handshaking with ocfs2 recovery thread ocfs2: stop quota recovery before disabling quotas Jason Andryuk (1): xenbus: Use kref to track req lifetime Jens Axboe (2): io_uring: ensure deferred completions are flushed for multishot io_uring: always arm linked timeouts prior to issue Jim Lin (1): usb: host: tegra: Prevent host controller crash when OTG port is used Johannes Weiner (2): mm: page_alloc: don't steal single pages from biggest buddy mm: page_alloc: speed up fallbacks in rmqueue_bulk() John Ernberg (1): xen: swiotlb: Use swiotlb bouncing if kmalloc allocation demands it Jonas Gorski (11): net: dsa: b53: allow leaky reserved multicast net: dsa: b53: keep CPU port always tagged again net: dsa: b53: fix clearing PVID of a port net: dsa: b53: fix flushing old pvid VLAN on pvid change net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave net: dsa: b53: always rejoin default untagged VLAN on bridge leave net: dsa: b53: do not allow to configure VLAN 0 net: dsa: b53: do not program vlans when vlan filtering is off net: dsa: b53: fix toggling vlan_filtering net: dsa: b53: fix learning on VLAN unaware bridges net: dsa: b53: do not set learning and unicast/multicast on up Jonathan Cameron (5): iio: adc: ad7768-1: Fix insufficient alignment of timestamp. iio: adc: ad7266: Fix potential timestamp alignment issue. iio: temp: maxim-thermocouple: Fix potential lack of DMA safe buffer. iio: accel: adxl355: Make timestamp 64-bit aligned using aligned_s64 iio: adc: dln2: Use aligned_s64 for timestamp Jozsef Kadlecsik (1): netfilter: ipset: fix region locking in hash types Julian Anastasov (1): ipvs: fix uninit-value for saddr in do_output_route4 Karol Wachowski (2): accel/ivpu: Separate DB ID and CMDQ ID allocations from CMDQ allocation accel/ivpu: Correct mutex unlock order in job submission Kees Cook (1): mm: vmalloc: support more granular vrealloc() sizing Kelsey Maes (1): can: mcp251xfd: fix TDC setting for low data bit rates Kevin Baker (1): drm/panel: simple: Update timings for AUO G101EVN010 Lizhi Xu (1): loop: Add sanity check for read/write_iter Lode Willems (1): Input: xpad - add support for 8BitDo Ultimate 2 Wireless Controller Lothar Rubusch (1): iio: accel: adxl367: fix setting odr for activity time update Luca Ceresoli (1): iio: light: opt3001: fix deadlock due to concurrent flag access Lukasz Czechowski (1): usb: misc: onboard_usb_dev: fix support for Cypress HX3 hubs Madhavan Srinivasan (1): selftests/mm: fix build break when compiling pkey_util.c Manuel Fombuena (1): Input: synaptics - enable InterTouch on Dynabook Portege X30-D Marc Kleine-Budde (3): can: mcan: m_can_class_unregister(): fix order of unregistration calls can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls can: rockchip_canfd: rkcanfd_remove(): fix order of unregistration calls Mark Tinguely (1): ocfs2: fix panic in failed foilio allocation Mathias Nyman (1): xhci: dbc: Avoid event polling busyloop if pending rx transfers are inactive. Matthew Brost (1): drm/xe: Add page queue multiplier Max Kellermann (1): fs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio() Maíra Canal (1): drm/v3d: Add job to pending list if the reset was skipped Michael-CY Lee (1): wifi: mac80211: fix the type of status_code for negotiated TID to Link Mapping Miguel Ojeda (5): rust: clean Rust 1.88.0's `unnecessary_transmutes` lint objtool/rust: add one more `noreturn` Rust function for Rust 1.87.0 rust: clean Rust 1.88.0's warning about `clippy::disallowed_macros` configuration rust: allow Rust 1.87.0's `clippy::ptr_eq` lint rust: clean Rust 1.88.0's `clippy::uninlined_format_args` lint Mikael Gonella-Bolduc (1): Input: cyttsp5 - fix power control issue on wakeup Mikhail Lobanov (1): KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception Nam Cao (1): riscv: Fix kernel crash due to PR_SET_TAGGED_ADDR_CTRL Naman Jain (1): uio_hv_generic: Fix sysfs creation path for ring buffer Namjae Jeon (1): ksmbd: prevent rename with empty string Niklas Schnelle (2): s390/pci: Fix missing check for zpci_create_device() error return s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs Norbert Szetei (1): ksmbd: prevent out-of-bounds stream writes by validating *pos Nylon Chen (1): riscv: misaligned: Add handling for ZCB instructions Nysal Jan K.A. (1): selftests/mm: fix a build failure on powerpc Oliver Hartkopp (1): can: gw: fix RCU/BH usage in cgw_create_job() Oliver Neukum (1): USB: usbtmc: use interruptible sleep in usbtmc_read Paul Aurich (1): smb: client: Avoid race in open_cached_dir with lease breaks Paul Chaignon (1): bpf: Scrub packet on bpf_redirect_peer Pawan Gupta (11): x86/bhi: Do not set BHI_DIS_S in 32-bit mode Documentation: x86/bugs/its: Add ITS documentation x86/its: Enumerate Indirect Target Selection (ITS) bug x86/its: Add support for ITS-safe indirect thunk x86/its: Add support for ITS-safe return thunk x86/its: Enable Indirect Target Selection mitigation x86/its: Add "vmexit" option to skip mitigation on some CPUs x86/its: Add support for RSB stuffing mitigation x86/its: Align RETs in BHB clear sequence to avoid thunking x86/ibt: Keep IBT disabled during alternative patching selftest/x86/bugs: Add selftests for ITS Pawel Laszczak (2): usb: cdnsp: Fix issue with resuming from L1 usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version Peter Xu (1): mm/userfaultfd: fix uninitialized output field for -EAGAIN race Peter Zijlstra (2): x86/its: Use dynamic thunks for indirect branches x86/its: FineIBT-paranoid vs ITS Petr Vaněk (1): mm: fix folio_pte_batch() on XEN PV Prashanth K (3): usb: dwc3: gadget: Make gadget_wakeup asynchronous usb: gadget: f_ecm: Add get_status callback usb: gadget: Use get_status callback to set remote wakeup capability Przemek Kitszel (1): ice: use DSN instead of PCI BDF for ice_adapter index Qu Wenruo (1): Revert "btrfs: canonicalize the device path before adding it" RD Babiera (1): usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition Roman Li (1): drm/amd/display: Fix invalid context error in dml helper Ruijing Dong (1): drm/amdgpu/vcn: using separate VCN1_AON_SOC offset Samuel Holland (1): riscv: Disallow PR_GET_TAGGED_ADDR_CTRL without Supm Sean Christopherson (1): KVM: x86/mmu: Prevent installing hugepages when mem attributes are changing Sean Heelan (1): ksmbd: Fix UAF in __close_file_table_ids Sebastian Andrzej Siewior (1): clocksource/i8253: Use raw_spinlock_irqsave() in clockevent_i8253_disable() Sebastian Ott (1): KVM: arm64: Fix uninitialized memcache pointer in user_mem_abort() Shuicheng Lin (1): drm/xe: Release force wake first then runtime power Silvano Seva (2): iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo Simon Xue (1): iio: adc: rockchip: Fix clock initialization sequence Tejas Upadhyay (1): drm/xe/tests/mocs: Hold XE_FORCEWAKE_ALL for LNCF regs Thomas Gleixner (1): timekeeping: Prevent coarse clocks going backwards Thorsten Blum (1): MIPS: Fix MAX_REG_OFFSET Tom Lendacky (1): memblock: Accept allocated memory before use in memblock_double_array() Veerendranath Jakkam (1): wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation Vicki Pfau (2): Input: xpad - fix Share button on Xbox One controllers Input: xpad - fix two controller table values Wang Zhaolong (1): ksmbd: fix memory leak in parse_lease_state() Wayne Chang (1): usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN Wayne Lin (5): drm/amd/display: Shift DMUB AUX reply command if necessary drm/amd/display: Fix the checking condition in dmub aux handling drm/amd/display: Remove incorrect checking in dmub aux handler drm/amd/display: Fix wrong handling for AUX_DEFER case drm/amd/display: Copy AUX read reply data whenever length > 0 Wojciech Dubowik (1): arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 Yeoreum Yun (1): arm64: cpufeature: Move arm64_use_ng_mappings to the .data section to prevent wrong idmap generation Zhang Lixu (3): iio: hid-sensor-prox: Restore lost scale assignments iio: hid-sensor-prox: support multi-channel SCALE calculation iio: hid-sensor-prox: Fix incorrect OFFSET calculation

3 months, 3 weeks

2
2
0 0

[PATCH] crypto: powerpc/poly1305 - add depends on BROKEN for now

by Eric Biggers

From: Eric Biggers <ebiggers(a)google.com> As discussed in the thread containing https://lore.kernel.org/linux-crypto/20250510053308.GB505731@sol/, the Power10-optimized Poly1305 code is currently not safe to call in softirq context. Disable it for now. It can be re-enabled once it is fixed. Fixes: ba8f8624fde2 ("crypto: poly1305-p10 - Glue code for optmized Poly1305 implementation for ppc64le") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)google.com> --- arch/powerpc/lib/crypto/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/powerpc/lib/crypto/Kconfig b/arch/powerpc/lib/crypto/Kconfig index ffa541ad6d5da..3f9e1bbd9905b 100644 --- a/arch/powerpc/lib/crypto/Kconfig +++ b/arch/powerpc/lib/crypto/Kconfig @@ -8,10 +8,11 @@ config CRYPTO_CHACHA20_P10 select CRYPTO_ARCH_HAVE_LIB_CHACHA config CRYPTO_POLY1305_P10 tristate depends on PPC64 && CPU_LITTLE_ENDIAN && VSX + depends on BROKEN # Needs to be fixed to work in softirq context default CRYPTO_LIB_POLY1305 select CRYPTO_ARCH_HAVE_LIB_POLY1305 select CRYPTO_LIB_POLY1305_GENERIC config CRYPTO_SHA256_PPC_SPE base-commit: 57999ed153ed7e651afecbabe0e998e75cf2d798 -- 2.49.0

3 months, 3 weeks

3
7
0 0

[PATCH 0/4 RESEND] crypto: octeontx2: Fix hang and address alignment issues

by Bharat Bhushan

First patch of the series fixes possible infinite loop. Remaining three patches fixes address alignment issue observed after "9382bc44b5f5 arm64: allow kmalloc() caches aligned to the smaller cache_line_size()" Patch-2 and patch-3 applies to stable version 6.6 onwards. Patch-4 applies to stable version 6.12 onwards Bharat Bhushan (4): crypto: octeontx2: add timeout for load_fvc completion poll crypto: octeontx2: Fix address alignment issue on ucode loading crypto: octeontx2: Fix address alignment on CN10K A0/A1 and OcteonTX2 crypto: octeontx2: Fix address alignment on CN10KB and CN10KA-B0 .../marvell/octeontx2/otx2_cpt_reqmgr.h | 119 +++++++++++++----- .../marvell/octeontx2/otx2_cptpf_ucode.c | 46 ++++--- 2 files changed, 121 insertions(+), 44 deletions(-) -- 2.34.1

3 months, 3 weeks

4
9
0 0

[PATCH 1/1] Drivers: hv: Always select CONFIG_SYSFB for Hyper-V guests

by mhkelley58＠gmail.com

From: Michael Kelley <mhklinux(a)outlook.com> The Hyper-V host provides guest VMs with a range of MMIO addresses that guest VMBus drivers can use. The VMBus driver in Linux manages that MMIO space, and allocates portions to drivers upon request. As part of managing that MMIO space in a Generation 2 VM, the VMBus driver must reserve the portion of the MMIO space that Hyper-V has designated for the synthetic frame buffer, and not allocate this space to VMBus drivers other than graphics framebuffer drivers. The synthetic frame buffer MMIO area is described by the screen_info data structure that is passed to the Linux kernel at boot time, so the VMBus driver must access screen_info for Generation 2 VMs. (In Generation 1 VMs, the framebuffer MMIO space is communicated to the guest via a PCI pseudo-device, and access to screen_info is not needed.) In commit a07b50d80ab6 ("hyperv: avoid dependency on screen_info") the VMBus driver's access to screen_info is restricted to when CONFIG_SYSFB is enabled. CONFIG_SYSFB is typically enabled in kernels built for Hyper-V by virtue of having at least one of CONFIG_FB_EFI, CONFIG_FB_VESA, or CONFIG_SYSFB_SIMPLEFB enabled, so the restriction doesn't usually affect anything. But it's valid to have none of these enabled, in which case CONFIG_SYSFB is not enabled, and the VMBus driver is unable to properly reserve the framebuffer MMIO space for graphics framebuffer drivers. The framebuffer MMIO space may be assigned to some other VMBus driver, with undefined results. As an example, if a VM is using a PCI pass-thru NVMe controller to host the OS disk, the PCI NVMe controller is probed before any graphic devices, and the NVMe controller is assigned a portion of the framebuffer MMIO space. Hyper-V reports an error to Linux during the probe, and the OS disk fails to get setup. Then Linux fails to boot in the VM. Fix this by having CONFIG_HYPERV always select SYSFB. Then the VMBus driver in a Gen 2 VM can always reserve the MMIO space for the graphics framebuffer driver, and prevent the undefined behavior. Fixes: a07b50d80ab6 ("hyperv: avoid dependency on screen_info") Signed-off-by: Michael Kelley <mhklinux(a)outlook.com> --- drivers/hv/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/hv/Kconfig b/drivers/hv/Kconfig index eefa0b559b73..e3b07f390c03 100644 --- a/drivers/hv/Kconfig +++ b/drivers/hv/Kconfig @@ -9,6 +9,7 @@ config HYPERV select PARAVIRT select X86_HV_CALLBACK_VECTOR if X86 select OF_EARLY_FLATTREE if OF + select SYSFB help Select this option to run Linux as a Hyper-V client operating system. -- 2.25.1

3 months, 3 weeks

5
8
0 0

[PATCH] mmc: sdhci-omap: Add error handling for sdhci_runtime_suspend_host()

by Wentao Liang

The sdhci_omap_runtime_suspend() calls sdhci_runtime_suspend_host() but does not handle the return value. A proper implementation can be found in sdhci_am654_runtime_suspend(). Add error handling for sdhci_runtime_suspend_host(). Return the error code if the suspend fails. Fixes: f433e8aac6b9 ("mmc: sdhci-omap: Implement PM runtime functions") Cc: stable(a)vger.kernel.org # v5.16 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- drivers/mmc/host/sdhci-omap.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/mmc/host/sdhci-omap.c b/drivers/mmc/host/sdhci-omap.c index 54d795205fb4..69b2e4e5cb20 100644 --- a/drivers/mmc/host/sdhci-omap.c +++ b/drivers/mmc/host/sdhci-omap.c @@ -1438,6 +1438,7 @@ static int __maybe_unused sdhci_omap_runtime_suspend(struct device *dev) struct sdhci_host *host = dev_get_drvdata(dev); struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); struct sdhci_omap_host *omap_host = sdhci_pltfm_priv(pltfm_host); + int ret; if (host->tuning_mode != SDHCI_TUNING_MODE_3) mmc_retune_needed(host->mmc); @@ -1445,7 +1446,9 @@ static int __maybe_unused sdhci_omap_runtime_suspend(struct device *dev) if (omap_host->con != -EINVAL) sdhci_runtime_suspend_host(host); - sdhci_omap_context_save(omap_host); + ret = sdhci_omap_context_save(omap_host); + if (ret) + return ret; pinctrl_pm_select_idle_state(dev); -- 2.42.0.windows.2

3 months, 3 weeks

2
1
0 0

+ alloc_tag-allocate-percpu-counters-for-module-tags-dynamically.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: alloc_tag: allocate percpu counters for module tags dynamically has been added to the -mm mm-hotfixes-unstable branch. Its filename is alloc_tag-allocate-percpu-counters-for-module-tags-dynamically.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Suren Baghdasaryan <surenb(a)google.com> Subject: alloc_tag: allocate percpu counters for module tags dynamically Date: Fri, 16 May 2025 17:07:39 -0700 When a module gets unloaded it checks whether any of its tags are still in use and if so, we keep the memory containing module's allocation tags alive until all tags are unused. However percpu counters referenced by the tags are freed by free_module(). This will lead to UAF if the memory allocated by a module is accessed after module was unloaded. To fix this we allocate percpu counters for module allocation tags dynamically and we keep it alive for tags which are still in use after module unloading. This also removes the requirement of a larger PERCPU_MODULE_RESERVE when memory allocation profiling is enabled because percpu memory for counters does not need to be reserved anymore. Link: https://lkml.kernel.org/r/20250517000739.5930-1-surenb@google.com Fixes: 0db6f8d7820a ("alloc_tag: load module tags into separate contiguous memory") Signed-off-by: Suren Baghdasaryan <surenb(a)google.com> Reported-by: David Wang <00107082(a)163.com> Closes: https://lore.kernel.org/all/20250516131246.6244-1-00107082@163.com/ Tested-by: David Wang <00107082(a)163.com> Cc: Christoph Lameter (Ampere) <cl(a)gentwo.org> Cc: Dennis Zhou <dennis(a)kernel.org> Cc: Kent Overstreet <kent.overstreet(a)linux.dev> Cc: Pasha Tatashin <pasha.tatashin(a)soleen.com> Cc: Tejun Heo <tj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/alloc_tag.h | 12 ++++ include/linux/codetag.h | 8 +-- include/linux/percpu.h | 4 - lib/alloc_tag.c | 89 ++++++++++++++++++++++++++++-------- lib/codetag.c | 5 +- 5 files changed, 89 insertions(+), 29 deletions(-) --- a/include/linux/alloc_tag.h~alloc_tag-allocate-percpu-counters-for-module-tags-dynamically +++ a/include/linux/alloc_tag.h @@ -104,6 +104,16 @@ DECLARE_PER_CPU(struct alloc_tag_counter #else /* ARCH_NEEDS_WEAK_PER_CPU */ +#ifdef MODULE + +#define DEFINE_ALLOC_TAG(_alloc_tag) \ + static struct alloc_tag _alloc_tag __used __aligned(8) \ + __section(ALLOC_TAG_SECTION_NAME) = { \ + .ct = CODE_TAG_INIT, \ + .counters = NULL }; + +#else /* MODULE */ + #define DEFINE_ALLOC_TAG(_alloc_tag) \ static DEFINE_PER_CPU(struct alloc_tag_counters, _alloc_tag_cntr); \ static struct alloc_tag _alloc_tag __used __aligned(8) \ @@ -111,6 +121,8 @@ DECLARE_PER_CPU(struct alloc_tag_counter .ct = CODE_TAG_INIT, \ .counters = &_alloc_tag_cntr }; +#endif /* MODULE */ + #endif /* ARCH_NEEDS_WEAK_PER_CPU */ DECLARE_STATIC_KEY_MAYBE(CONFIG_MEM_ALLOC_PROFILING_ENABLED_BY_DEFAULT, --- a/include/linux/codetag.h~alloc_tag-allocate-percpu-counters-for-module-tags-dynamically +++ a/include/linux/codetag.h @@ -36,10 +36,10 @@ union codetag_ref { struct codetag_type_desc { const char *section; size_t tag_size; - void (*module_load)(struct codetag_type *cttype, - struct codetag_module *cmod); - void (*module_unload)(struct codetag_type *cttype, - struct codetag_module *cmod); + void (*module_load)(struct module *mod, + struct codetag *start, struct codetag *end); + void (*module_unload)(struct module *mod, + struct codetag *start, struct codetag *end); #ifdef CONFIG_MODULES void (*module_replaced)(struct module *mod, struct module *new_mod); bool (*needs_section_mem)(struct module *mod, unsigned long size); --- a/include/linux/percpu.h~alloc_tag-allocate-percpu-counters-for-module-tags-dynamically +++ a/include/linux/percpu.h @@ -15,11 +15,7 @@ /* enough to cover all DEFINE_PER_CPUs in modules */ #ifdef CONFIG_MODULES -#ifdef CONFIG_MEM_ALLOC_PROFILING -#define PERCPU_MODULE_RESERVE (8 << 13) -#else #define PERCPU_MODULE_RESERVE (8 << 10) -#endif #else #define PERCPU_MODULE_RESERVE 0 #endif --- a/lib/alloc_tag.c~alloc_tag-allocate-percpu-counters-for-module-tags-dynamically +++ a/lib/alloc_tag.c @@ -350,18 +350,28 @@ static bool needs_section_mem(struct mod return size >= sizeof(struct alloc_tag); } -static struct alloc_tag *find_used_tag(struct alloc_tag *from, struct alloc_tag *to) +static bool clean_unused_counters(struct alloc_tag *start_tag, + struct alloc_tag *end_tag) { - while (from <= to) { + struct alloc_tag *tag; + bool ret = true; + + for (tag = start_tag; tag <= end_tag; tag++) { struct alloc_tag_counters counter; - counter = alloc_tag_read(from); - if (counter.bytes) - return from; - from++; + if (!tag->counters) + continue; + + counter = alloc_tag_read(tag); + if (!counter.bytes) { + free_percpu(tag->counters); + tag->counters = NULL; + } else { + ret = false; + } } - return NULL; + return ret; } /* Called with mod_area_mt locked */ @@ -371,12 +381,16 @@ static void clean_unused_module_areas_lo struct module *val; mas_for_each(&mas, val, module_tags.size) { + struct alloc_tag *start_tag; + struct alloc_tag *end_tag; + if (val != &unloaded_mod) continue; /* Release area if all tags are unused */ - if (!find_used_tag((struct alloc_tag *)(module_tags.start_addr + mas.index), - (struct alloc_tag *)(module_tags.start_addr + mas.last))) + start_tag = (struct alloc_tag *)(module_tags.start_addr + mas.index); + end_tag = (struct alloc_tag *)(module_tags.start_addr + mas.last); + if (clean_unused_counters(start_tag, end_tag)) mas_erase(&mas); } } @@ -561,7 +575,8 @@ unlock: static void release_module_tags(struct module *mod, bool used) { MA_STATE(mas, &mod_area_mt, module_tags.size, module_tags.size); - struct alloc_tag *tag; + struct alloc_tag *start_tag; + struct alloc_tag *end_tag; struct module *val; mas_lock(&mas); @@ -575,15 +590,22 @@ static void release_module_tags(struct m if (!used) goto release_area; - /* Find out if the area is used */ - tag = find_used_tag((struct alloc_tag *)(module_tags.start_addr + mas.index), - (struct alloc_tag *)(module_tags.start_addr + mas.last)); - if (tag) { - struct alloc_tag_counters counter = alloc_tag_read(tag); - - pr_info("%s:%u module %s func:%s has %llu allocated at module unload\n", - tag->ct.filename, tag->ct.lineno, tag->ct.modname, - tag->ct.function, counter.bytes); + start_tag = (struct alloc_tag *)(module_tags.start_addr + mas.index); + end_tag = (struct alloc_tag *)(module_tags.start_addr + mas.last); + if (!clean_unused_counters(start_tag, end_tag)) { + struct alloc_tag *tag; + + for (tag = start_tag; tag <= end_tag; tag++) { + struct alloc_tag_counters counter; + + if (!tag->counters) + continue; + + counter = alloc_tag_read(tag); + pr_info("%s:%u module %s func:%s has %llu allocated at module unload\n", + tag->ct.filename, tag->ct.lineno, tag->ct.modname, + tag->ct.function, counter.bytes); + } } else { used = false; } @@ -596,6 +618,34 @@ out: mas_unlock(&mas); } +static void load_module(struct module *mod, struct codetag *start, struct codetag *stop) +{ + /* Allocate module alloc_tag percpu counters */ + struct alloc_tag *start_tag; + struct alloc_tag *stop_tag; + struct alloc_tag *tag; + + if (!mod) + return; + + start_tag = ct_to_alloc_tag(start); + stop_tag = ct_to_alloc_tag(stop); + for (tag = start_tag; tag < stop_tag; tag++) { + WARN_ON(tag->counters); + tag->counters = alloc_percpu(struct alloc_tag_counters); + if (!tag->counters) { + while (--tag >= start_tag) { + free_percpu(tag->counters); + tag->counters = NULL; + } + shutdown_mem_profiling(true); + pr_err("Failed to allocate memory for allocation tag percpu counters in the module %s. Memory allocation profiling is disabled!\n", + mod->name); + break; + } + } +} + static void replace_module(struct module *mod, struct module *new_mod) { MA_STATE(mas, &mod_area_mt, 0, module_tags.size); @@ -757,6 +807,7 @@ static int __init alloc_tag_init(void) .needs_section_mem = needs_section_mem, .alloc_section_mem = reserve_module_tags, .free_section_mem = release_module_tags, + .module_load = load_module, .module_replaced = replace_module, #endif }; --- a/lib/codetag.c~alloc_tag-allocate-percpu-counters-for-module-tags-dynamically +++ a/lib/codetag.c @@ -194,7 +194,7 @@ static int codetag_module_init(struct co if (err >= 0) { cttype->count += range_size(cttype, &range); if (cttype->desc.module_load) - cttype->desc.module_load(cttype, cmod); + cttype->desc.module_load(mod, range.start, range.stop); } up_write(&cttype->mod_lock); @@ -333,7 +333,8 @@ void codetag_unload_module(struct module } if (found) { if (cttype->desc.module_unload) - cttype->desc.module_unload(cttype, cmod); + cttype->desc.module_unload(cmod->mod, + cmod->range.start, cmod->range.stop); cttype->count -= range_size(cttype, &cmod->range); idr_remove(&cttype->mod_idr, mod_id); _ Patches currently in -mm which might be from surenb(a)google.com are alloc_tag-allocate-percpu-counters-for-module-tags-dynamically.patch

3 months, 3 weeks

1
0
0 0

[PATCH AUTOSEL 5.4 1/5] HID: quirks: Add ADATA XPG alpha wireless mouse support

by Sasha Levin

From: Milton Barrera <miltonjosue2001(a)gmail.com> [ Upstream commit fa9fdeea1b7d6440c22efa6d59a769eae8bc89f1 ] This patch adds HID_QUIRK_ALWAYS_POLL for the ADATA XPG wireless gaming mouse (USB ID 125f:7505) and its USB dongle (USB ID 125f:7506). Without this quirk, the device does not generate input events properly. Signed-off-by: Milton Barrera <miltonjosue2001(a)gmail.com> Signed-off-by: Jiri Kosina <jkosina(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/hid/hid-ids.h | 4 ++++ drivers/hid/hid-quirks.c | 2 ++ 2 files changed, 6 insertions(+) diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h index d5369577b4755..356916608cc49 100644 --- a/drivers/hid/hid-ids.h +++ b/drivers/hid/hid-ids.h @@ -40,6 +40,10 @@ #define USB_VENDOR_ID_ACTIONSTAR 0x2101 #define USB_DEVICE_ID_ACTIONSTAR_1011 0x1011 +#define USB_VENDOR_ID_ADATA_XPG 0x125f +#define USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE 0x7505 +#define USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE_DONGLE 0x7506 + #define USB_VENDOR_ID_ADS_TECH 0x06e1 #define USB_DEVICE_ID_ADS_TECH_RADIO_SI470X 0xa155 diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c index 9b375ca53946e..ff1a9d142cddf 100644 --- a/drivers/hid/hid-quirks.c +++ b/drivers/hid/hid-quirks.c @@ -27,6 +27,8 @@ static const struct hid_device_id hid_quirks[] = { { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_GAMEPAD), HID_QUIRK_BADPAD }, { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_PREDATOR), HID_QUIRK_BADPAD }, + { HID_USB_DEVICE(USB_VENDOR_ID_ADATA_XPG, USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_ADATA_XPG, USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE_DONGLE), HID_QUIRK_ALWAYS_POLL }, { HID_USB_DEVICE(USB_VENDOR_ID_AFATECH, USB_DEVICE_ID_AFATECH_AF9016), HID_QUIRK_FULLSPEED_INTERVAL }, { HID_USB_DEVICE(USB_VENDOR_ID_AIREN, USB_DEVICE_ID_AIREN_SLIMPLUS), HID_QUIRK_NOGET }, { HID_USB_DEVICE(USB_VENDOR_ID_AKAI_09E8, USB_DEVICE_ID_AKAI_09E8_MIDIMIX), HID_QUIRK_NO_INIT_REPORTS }, -- 2.39.5

3 months, 3 weeks

1
4
0 0

[PATCH AUTOSEL 5.10 1/6] HID: quirks: Add ADATA XPG alpha wireless mouse support

by Sasha Levin

From: Milton Barrera <miltonjosue2001(a)gmail.com> [ Upstream commit fa9fdeea1b7d6440c22efa6d59a769eae8bc89f1 ] This patch adds HID_QUIRK_ALWAYS_POLL for the ADATA XPG wireless gaming mouse (USB ID 125f:7505) and its USB dongle (USB ID 125f:7506). Without this quirk, the device does not generate input events properly. Signed-off-by: Milton Barrera <miltonjosue2001(a)gmail.com> Signed-off-by: Jiri Kosina <jkosina(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/hid/hid-ids.h | 4 ++++ drivers/hid/hid-quirks.c | 2 ++ 2 files changed, 6 insertions(+) diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h index d86720fce48f9..4b8f8e0ce8ca2 100644 --- a/drivers/hid/hid-ids.h +++ b/drivers/hid/hid-ids.h @@ -41,6 +41,10 @@ #define USB_VENDOR_ID_ACTIONSTAR 0x2101 #define USB_DEVICE_ID_ACTIONSTAR_1011 0x1011 +#define USB_VENDOR_ID_ADATA_XPG 0x125f +#define USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE 0x7505 +#define USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE_DONGLE 0x7506 + #define USB_VENDOR_ID_ADS_TECH 0x06e1 #define USB_DEVICE_ID_ADS_TECH_RADIO_SI470X 0xa155 diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c index 9c1afe9cdddfd..b3e7ede8f398e 100644 --- a/drivers/hid/hid-quirks.c +++ b/drivers/hid/hid-quirks.c @@ -27,6 +27,8 @@ static const struct hid_device_id hid_quirks[] = { { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_GAMEPAD), HID_QUIRK_BADPAD }, { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_PREDATOR), HID_QUIRK_BADPAD }, + { HID_USB_DEVICE(USB_VENDOR_ID_ADATA_XPG, USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_ADATA_XPG, USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE_DONGLE), HID_QUIRK_ALWAYS_POLL }, { HID_USB_DEVICE(USB_VENDOR_ID_AFATECH, USB_DEVICE_ID_AFATECH_AF9016), HID_QUIRK_FULLSPEED_INTERVAL }, { HID_USB_DEVICE(USB_VENDOR_ID_AIREN, USB_DEVICE_ID_AIREN_SLIMPLUS), HID_QUIRK_NOGET }, { HID_USB_DEVICE(USB_VENDOR_ID_AKAI_09E8, USB_DEVICE_ID_AKAI_09E8_MIDIMIX), HID_QUIRK_NO_INIT_REPORTS }, -- 2.39.5

3 months, 3 weeks

1
5
0 0

[PATCH AUTOSEL 5.15 1/7] HID: quirks: Add ADATA XPG alpha wireless mouse support

by Sasha Levin

From: Milton Barrera <miltonjosue2001(a)gmail.com> [ Upstream commit fa9fdeea1b7d6440c22efa6d59a769eae8bc89f1 ] This patch adds HID_QUIRK_ALWAYS_POLL for the ADATA XPG wireless gaming mouse (USB ID 125f:7505) and its USB dongle (USB ID 125f:7506). Without this quirk, the device does not generate input events properly. Signed-off-by: Milton Barrera <miltonjosue2001(a)gmail.com> Signed-off-by: Jiri Kosina <jkosina(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/hid/hid-ids.h | 4 ++++ drivers/hid/hid-quirks.c | 2 ++ 2 files changed, 6 insertions(+) diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h index 44825a916eeb2..08494eb652091 100644 --- a/drivers/hid/hid-ids.h +++ b/drivers/hid/hid-ids.h @@ -41,6 +41,10 @@ #define USB_VENDOR_ID_ACTIONSTAR 0x2101 #define USB_DEVICE_ID_ACTIONSTAR_1011 0x1011 +#define USB_VENDOR_ID_ADATA_XPG 0x125f +#define USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE 0x7505 +#define USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE_DONGLE 0x7506 + #define USB_VENDOR_ID_ADS_TECH 0x06e1 #define USB_DEVICE_ID_ADS_TECH_RADIO_SI470X 0xa155 diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c index b5ad4c87daacf..126cadb117fef 100644 --- a/drivers/hid/hid-quirks.c +++ b/drivers/hid/hid-quirks.c @@ -27,6 +27,8 @@ static const struct hid_device_id hid_quirks[] = { { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_GAMEPAD), HID_QUIRK_BADPAD }, { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_PREDATOR), HID_QUIRK_BADPAD }, + { HID_USB_DEVICE(USB_VENDOR_ID_ADATA_XPG, USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_ADATA_XPG, USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE_DONGLE), HID_QUIRK_ALWAYS_POLL }, { HID_USB_DEVICE(USB_VENDOR_ID_AFATECH, USB_DEVICE_ID_AFATECH_AF9016), HID_QUIRK_FULLSPEED_INTERVAL }, { HID_USB_DEVICE(USB_VENDOR_ID_AIREN, USB_DEVICE_ID_AIREN_SLIMPLUS), HID_QUIRK_NOGET }, { HID_USB_DEVICE(USB_VENDOR_ID_AKAI_09E8, USB_DEVICE_ID_AKAI_09E8_MIDIMIX), HID_QUIRK_NO_INIT_REPORTS }, -- 2.39.5

3 months, 3 weeks

1
6
0 0

[PATCH AUTOSEL 6.1 1/8] HID: quirks: Add ADATA XPG alpha wireless mouse support

by Sasha Levin

From: Milton Barrera <miltonjosue2001(a)gmail.com> [ Upstream commit fa9fdeea1b7d6440c22efa6d59a769eae8bc89f1 ] This patch adds HID_QUIRK_ALWAYS_POLL for the ADATA XPG wireless gaming mouse (USB ID 125f:7505) and its USB dongle (USB ID 125f:7506). Without this quirk, the device does not generate input events properly. Signed-off-by: Milton Barrera <miltonjosue2001(a)gmail.com> Signed-off-by: Jiri Kosina <jkosina(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/hid/hid-ids.h | 4 ++++ drivers/hid/hid-quirks.c | 2 ++ 2 files changed, 6 insertions(+) diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h index 4187d890bcc1a..e078d2ac92c87 100644 --- a/drivers/hid/hid-ids.h +++ b/drivers/hid/hid-ids.h @@ -41,6 +41,10 @@ #define USB_VENDOR_ID_ACTIONSTAR 0x2101 #define USB_DEVICE_ID_ACTIONSTAR_1011 0x1011 +#define USB_VENDOR_ID_ADATA_XPG 0x125f +#define USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE 0x7505 +#define USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE_DONGLE 0x7506 + #define USB_VENDOR_ID_ADS_TECH 0x06e1 #define USB_DEVICE_ID_ADS_TECH_RADIO_SI470X 0xa155 diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c index 875c44e5cf6c2..d8c5c7d451efd 100644 --- a/drivers/hid/hid-quirks.c +++ b/drivers/hid/hid-quirks.c @@ -27,6 +27,8 @@ static const struct hid_device_id hid_quirks[] = { { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_GAMEPAD), HID_QUIRK_BADPAD }, { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_PREDATOR), HID_QUIRK_BADPAD }, + { HID_USB_DEVICE(USB_VENDOR_ID_ADATA_XPG, USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_ADATA_XPG, USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE_DONGLE), HID_QUIRK_ALWAYS_POLL }, { HID_USB_DEVICE(USB_VENDOR_ID_AFATECH, USB_DEVICE_ID_AFATECH_AF9016), HID_QUIRK_FULLSPEED_INTERVAL }, { HID_USB_DEVICE(USB_VENDOR_ID_AIREN, USB_DEVICE_ID_AIREN_SLIMPLUS), HID_QUIRK_NOGET }, { HID_USB_DEVICE(USB_VENDOR_ID_AKAI_09E8, USB_DEVICE_ID_AKAI_09E8_MIDIMIX), HID_QUIRK_NO_INIT_REPORTS }, -- 2.39.5

3 months, 3 weeks

1
7
0 0

[PATCH AUTOSEL 6.6 01/11] dmaengine: idxd: cdev: Fix uninitialized use of sva in idxd_cdev_open

by Sasha Levin

From: Purva Yeshi <purvayeshi550(a)gmail.com> [ Upstream commit 97994333de2b8062d2df4e6ce0dc65c2dc0f40dc ] Fix Smatch-detected issue: drivers/dma/idxd/cdev.c:321 idxd_cdev_open() error: uninitialized symbol 'sva'. 'sva' pointer may be used uninitialized in error handling paths. Specifically, if PASID support is enabled and iommu_sva_bind_device() returns an error, the code jumps to the cleanup label and attempts to call iommu_sva_unbind_device(sva) without ensuring that sva was successfully assigned. This triggers a Smatch warning about an uninitialized symbol. Initialize sva to NULL at declaration and add a check using IS_ERR_OR_NULL() before unbinding the device. This ensures the function does not use an invalid or uninitialized pointer during cleanup. Signed-off-by: Purva Yeshi <purvayeshi550(a)gmail.com> Reviewed-by: Dave Jiang <dave.jiang(a)intel.com> Acked-by: Vinicius Costa Gomes <vinicius.gomes(a)intel.com> Link: https://lore.kernel.org/r/20250410110216.21592-1-purvayeshi550@gmail.com Signed-off-by: Vinod Koul <vkoul(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/dma/idxd/cdev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/dma/idxd/cdev.c b/drivers/dma/idxd/cdev.c index c18633ad8455f..c9eea639a749e 100644 --- a/drivers/dma/idxd/cdev.c +++ b/drivers/dma/idxd/cdev.c @@ -225,7 +225,7 @@ static int idxd_cdev_open(struct inode *inode, struct file *filp) struct idxd_wq *wq; struct device *dev, *fdev; int rc = 0; - struct iommu_sva *sva; + struct iommu_sva *sva = NULL; unsigned int pasid; struct idxd_cdev *idxd_cdev; @@ -322,7 +322,7 @@ static int idxd_cdev_open(struct inode *inode, struct file *filp) if (device_user_pasid_enabled(idxd)) idxd_xa_pasid_remove(ctx); failed_get_pasid: - if (device_user_pasid_enabled(idxd)) + if (device_user_pasid_enabled(idxd) && !IS_ERR_OR_NULL(sva)) iommu_sva_unbind_device(sva); failed: mutex_unlock(&wq->wq_lock); -- 2.39.5

3 months, 3 weeks

1
10
0 0

[PATCH AUTOSEL 6.12 01/18] dmaengine: idxd: cdev: Fix uninitialized use of sva in idxd_cdev_open

by Sasha Levin

From: Purva Yeshi <purvayeshi550(a)gmail.com> [ Upstream commit 97994333de2b8062d2df4e6ce0dc65c2dc0f40dc ] Fix Smatch-detected issue: drivers/dma/idxd/cdev.c:321 idxd_cdev_open() error: uninitialized symbol 'sva'. 'sva' pointer may be used uninitialized in error handling paths. Specifically, if PASID support is enabled and iommu_sva_bind_device() returns an error, the code jumps to the cleanup label and attempts to call iommu_sva_unbind_device(sva) without ensuring that sva was successfully assigned. This triggers a Smatch warning about an uninitialized symbol. Initialize sva to NULL at declaration and add a check using IS_ERR_OR_NULL() before unbinding the device. This ensures the function does not use an invalid or uninitialized pointer during cleanup. Signed-off-by: Purva Yeshi <purvayeshi550(a)gmail.com> Reviewed-by: Dave Jiang <dave.jiang(a)intel.com> Acked-by: Vinicius Costa Gomes <vinicius.gomes(a)intel.com> Link: https://lore.kernel.org/r/20250410110216.21592-1-purvayeshi550@gmail.com Signed-off-by: Vinod Koul <vkoul(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/dma/idxd/cdev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/dma/idxd/cdev.c b/drivers/dma/idxd/cdev.c index 57f1bf2ab20be..48210760bdf87 100644 --- a/drivers/dma/idxd/cdev.c +++ b/drivers/dma/idxd/cdev.c @@ -225,7 +225,7 @@ static int idxd_cdev_open(struct inode *inode, struct file *filp) struct idxd_wq *wq; struct device *dev, *fdev; int rc = 0; - struct iommu_sva *sva; + struct iommu_sva *sva = NULL; unsigned int pasid; struct idxd_cdev *idxd_cdev; @@ -322,7 +322,7 @@ static int idxd_cdev_open(struct inode *inode, struct file *filp) if (device_user_pasid_enabled(idxd)) idxd_xa_pasid_remove(ctx); failed_get_pasid: - if (device_user_pasid_enabled(idxd)) + if (device_user_pasid_enabled(idxd) && !IS_ERR_OR_NULL(sva)) iommu_sva_unbind_device(sva); failed: mutex_unlock(&wq->wq_lock); -- 2.39.5

3 months, 3 weeks

1
17
0 0

[PATCH AUTOSEL 6.14 01/23] dmaengine: idxd: cdev: Fix uninitialized use of sva in idxd_cdev_open

by Sasha Levin

From: Purva Yeshi <purvayeshi550(a)gmail.com> [ Upstream commit 97994333de2b8062d2df4e6ce0dc65c2dc0f40dc ] Fix Smatch-detected issue: drivers/dma/idxd/cdev.c:321 idxd_cdev_open() error: uninitialized symbol 'sva'. 'sva' pointer may be used uninitialized in error handling paths. Specifically, if PASID support is enabled and iommu_sva_bind_device() returns an error, the code jumps to the cleanup label and attempts to call iommu_sva_unbind_device(sva) without ensuring that sva was successfully assigned. This triggers a Smatch warning about an uninitialized symbol. Initialize sva to NULL at declaration and add a check using IS_ERR_OR_NULL() before unbinding the device. This ensures the function does not use an invalid or uninitialized pointer during cleanup. Signed-off-by: Purva Yeshi <purvayeshi550(a)gmail.com> Reviewed-by: Dave Jiang <dave.jiang(a)intel.com> Acked-by: Vinicius Costa Gomes <vinicius.gomes(a)intel.com> Link: https://lore.kernel.org/r/20250410110216.21592-1-purvayeshi550@gmail.com Signed-off-by: Vinod Koul <vkoul(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/dma/idxd/cdev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/dma/idxd/cdev.c b/drivers/dma/idxd/cdev.c index ff94ee892339d..7bd031a608943 100644 --- a/drivers/dma/idxd/cdev.c +++ b/drivers/dma/idxd/cdev.c @@ -222,7 +222,7 @@ static int idxd_cdev_open(struct inode *inode, struct file *filp) struct idxd_wq *wq; struct device *dev, *fdev; int rc = 0; - struct iommu_sva *sva; + struct iommu_sva *sva = NULL; unsigned int pasid; struct idxd_cdev *idxd_cdev; @@ -317,7 +317,7 @@ static int idxd_cdev_open(struct inode *inode, struct file *filp) if (device_user_pasid_enabled(idxd)) idxd_xa_pasid_remove(ctx); failed_get_pasid: - if (device_user_pasid_enabled(idxd)) + if (device_user_pasid_enabled(idxd) && !IS_ERR_OR_NULL(sva)) iommu_sva_unbind_device(sva); failed: mutex_unlock(&wq->wq_lock); -- 2.39.5

3 months, 3 weeks

1
22
0 0

+ module-release-codetag-section-when-module-load-fails.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: module: release codetag section when module load fails has been added to the -mm mm-hotfixes-unstable branch. Its filename is module-release-codetag-section-when-module-load-fails.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: David Wang <00107082(a)163.com> Subject: module: release codetag section when module load fails Date: Tue, 20 May 2025 00:38:23 +0800 When module load fails after memory for codetag section is ready, codetag section memory will not be properly released. This causes memory leak, and if next module load happens to get the same module address, codetag may pick the uninitialized section when manipulating tags during module unload, and leads to "unable to handle page fault" BUG. Link: https://lkml.kernel.org/r/20250519163823.7540-1-00107082@163.com Fixes: 0db6f8d7820a ("alloc_tag: load module tags into separate contiguous memory") Closes: https://lore.kernel.org/all/20250516131246.6244-1-00107082@163.com/ Signed-off-by: David Wang <00107082(a)163.com> Acked-by: Suren Baghdasaryan <surenb(a)google.com> Cc: Petr Pavlu <petr.pavlu(a)suse.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/module/main.c | 1 + 1 file changed, 1 insertion(+) --- a/kernel/module/main.c~module-release-codetag-section-when-module-load-fails +++ a/kernel/module/main.c @@ -2829,6 +2829,7 @@ static void module_deallocate(struct mod { percpu_modfree(mod); module_arch_freeing_init(mod); + codetag_free_module_sections(mod); free_mod_mem(mod); } _ Patches currently in -mm which might be from 00107082(a)163.com are module-release-codetag-section-when-module-load-fails.patch

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/xe/gsc: do not flush the GSC worker from the reset path" failed to apply to 6.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.14.y git checkout FETCH_HEAD git cherry-pick -x 03552d8ac0afcc080c339faa0b726e2c0e9361cb # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051238-lurch-dollop-0b0f@gregkh' --subject-prefix 'PATCH 6.14.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 03552d8ac0afcc080c339faa0b726e2c0e9361cb Mon Sep 17 00:00:00 2001 From: Daniele Ceraolo Spurio <daniele.ceraolospurio(a)intel.com> Date: Fri, 2 May 2025 08:51:04 -0700 Subject: [PATCH] drm/xe/gsc: do not flush the GSC worker from the reset path The workqueue used for the reset worker is marked as WQ_MEM_RECLAIM, while the GSC one isn't (and can't be as we need to do memory allocations in the gsc worker). Therefore, we can't flush the latter from the former. The reason why we had such a flush was to avoid interrupting either the GSC FW load or in progress GSC proxy operations. GSC proxy operations fall into 2 categories: 1) GSC proxy init: this only happens once immediately after GSC FW load and does not support being interrupted. The only way to recover from an interruption of the proxy init is to do an FLR and re-load the GSC. 2) GSC proxy request: this can happen in response to a request that the driver sends to the GSC. If this is interrupted, the GSC FW will timeout and the driver request will be failed, but overall the GSC will keep working fine. Flushing the work allowed us to avoid interruption in both cases (unless the hang came from the GSC engine itself, in which case we're toast anyway). However, a failure on a proxy request is tolerable if we're in a scenario where we're triggering a GT reset (i.e., something is already gone pretty wrong), so what we really need to avoid is interrupting the init flow, which we can do by polling on the register that reports when the proxy init is complete (as that ensure us that all the load and init operations have been completed). Note that during suspend we still want to do a flush of the worker to make sure it completes any operations involving the HW before the power is cut. v2: fix spelling in commit msg, rename waiter function (Julia) Fixes: dd0e89e5edc2 ("drm/xe/gsc: GSC FW load") Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/4830 Signed-off-by: Daniele Ceraolo Spurio <daniele.ceraolospurio(a)intel.com> Cc: John Harrison <John.C.Harrison(a)Intel.com> Cc: Alan Previn <alan.previn.teres.alexis(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.8+ Reviewed-by: Julia Filipchuk <julia.filipchuk(a)intel.com> Link: https://lore.kernel.org/r/20250502155104.2201469-1-daniele.ceraolospurio@in… (cherry picked from commit 12370bfcc4f0bdf70279ec5b570eb298963422b5) Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> diff --git a/drivers/gpu/drm/xe/xe_gsc.c b/drivers/gpu/drm/xe/xe_gsc.c index fd41113f8572..0bcf97063ff6 100644 --- a/drivers/gpu/drm/xe/xe_gsc.c +++ b/drivers/gpu/drm/xe/xe_gsc.c @@ -555,6 +555,28 @@ void xe_gsc_wait_for_worker_completion(struct xe_gsc *gsc) flush_work(&gsc->work); } +void xe_gsc_stop_prepare(struct xe_gsc *gsc) +{ + struct xe_gt *gt = gsc_to_gt(gsc); + int ret; + + if (!xe_uc_fw_is_loadable(&gsc->fw) || xe_uc_fw_is_in_error_state(&gsc->fw)) + return; + + xe_force_wake_assert_held(gt_to_fw(gt), XE_FW_GSC); + + /* + * If the GSC FW load or the proxy init are interrupted, the only way + * to recover it is to do an FLR and reload the GSC from scratch. + * Therefore, let's wait for the init to complete before stopping + * operations. The proxy init is the last step, so we can just wait on + * that + */ + ret = xe_gsc_wait_for_proxy_init_done(gsc); + if (ret) + xe_gt_err(gt, "failed to wait for GSC init completion before uc stop\n"); +} + /* * wa_14015076503: if the GSC FW is loaded, we need to alert it before doing a * GSC engine reset by writing a notification bit in the GS1 register and then diff --git a/drivers/gpu/drm/xe/xe_gsc.h b/drivers/gpu/drm/xe/xe_gsc.h index d99f66c38075..b8b8e0810ad9 100644 --- a/drivers/gpu/drm/xe/xe_gsc.h +++ b/drivers/gpu/drm/xe/xe_gsc.h @@ -16,6 +16,7 @@ struct xe_hw_engine; int xe_gsc_init(struct xe_gsc *gsc); int xe_gsc_init_post_hwconfig(struct xe_gsc *gsc); void xe_gsc_wait_for_worker_completion(struct xe_gsc *gsc); +void xe_gsc_stop_prepare(struct xe_gsc *gsc); void xe_gsc_load_start(struct xe_gsc *gsc); void xe_gsc_hwe_irq_handler(struct xe_hw_engine *hwe, u16 intr_vec); diff --git a/drivers/gpu/drm/xe/xe_gsc_proxy.c b/drivers/gpu/drm/xe/xe_gsc_proxy.c index 8cf70b228ff3..d0519cd6704a 100644 --- a/drivers/gpu/drm/xe/xe_gsc_proxy.c +++ b/drivers/gpu/drm/xe/xe_gsc_proxy.c @@ -71,6 +71,17 @@ bool xe_gsc_proxy_init_done(struct xe_gsc *gsc) HECI1_FWSTS1_PROXY_STATE_NORMAL; } +int xe_gsc_wait_for_proxy_init_done(struct xe_gsc *gsc) +{ + struct xe_gt *gt = gsc_to_gt(gsc); + + /* Proxy init can take up to 500ms, so wait double that for safety */ + return xe_mmio_wait32(&gt->mmio, HECI_FWSTS1(MTL_GSC_HECI1_BASE), + HECI1_FWSTS1_CURRENT_STATE, + HECI1_FWSTS1_PROXY_STATE_NORMAL, + USEC_PER_SEC, NULL, false); +} + static void __gsc_proxy_irq_rmw(struct xe_gsc *gsc, u32 clr, u32 set) { struct xe_gt *gt = gsc_to_gt(gsc); diff --git a/drivers/gpu/drm/xe/xe_gsc_proxy.h b/drivers/gpu/drm/xe/xe_gsc_proxy.h index fdef56995cd4..765602221dbc 100644 --- a/drivers/gpu/drm/xe/xe_gsc_proxy.h +++ b/drivers/gpu/drm/xe/xe_gsc_proxy.h @@ -12,6 +12,7 @@ struct xe_gsc; int xe_gsc_proxy_init(struct xe_gsc *gsc); bool xe_gsc_proxy_init_done(struct xe_gsc *gsc); +int xe_gsc_wait_for_proxy_init_done(struct xe_gsc *gsc); int xe_gsc_proxy_start(struct xe_gsc *gsc); int xe_gsc_proxy_request_handler(struct xe_gsc *gsc); diff --git a/drivers/gpu/drm/xe/xe_gt.c b/drivers/gpu/drm/xe/xe_gt.c index 10a9e3c72b36..66198cf2662c 100644 --- a/drivers/gpu/drm/xe/xe_gt.c +++ b/drivers/gpu/drm/xe/xe_gt.c @@ -857,7 +857,7 @@ void xe_gt_suspend_prepare(struct xe_gt *gt) fw_ref = xe_force_wake_get(gt_to_fw(gt), XE_FORCEWAKE_ALL); - xe_uc_stop_prepare(&gt->uc); + xe_uc_suspend_prepare(&gt->uc); xe_force_wake_put(gt_to_fw(gt), fw_ref); } diff --git a/drivers/gpu/drm/xe/xe_uc.c b/drivers/gpu/drm/xe/xe_uc.c index c14bd2282044..3a8751a8b92d 100644 --- a/drivers/gpu/drm/xe/xe_uc.c +++ b/drivers/gpu/drm/xe/xe_uc.c @@ -244,7 +244,7 @@ void xe_uc_gucrc_disable(struct xe_uc *uc) void xe_uc_stop_prepare(struct xe_uc *uc) { - xe_gsc_wait_for_worker_completion(&uc->gsc); + xe_gsc_stop_prepare(&uc->gsc); xe_guc_stop_prepare(&uc->guc); } @@ -278,6 +278,12 @@ static void uc_reset_wait(struct xe_uc *uc) goto again; } +void xe_uc_suspend_prepare(struct xe_uc *uc) +{ + xe_gsc_wait_for_worker_completion(&uc->gsc); + xe_guc_stop_prepare(&uc->guc); +} + int xe_uc_suspend(struct xe_uc *uc) { /* GuC submission not enabled, nothing to do */ diff --git a/drivers/gpu/drm/xe/xe_uc.h b/drivers/gpu/drm/xe/xe_uc.h index 3813c1ede450..c23e6f5e2514 100644 --- a/drivers/gpu/drm/xe/xe_uc.h +++ b/drivers/gpu/drm/xe/xe_uc.h @@ -18,6 +18,7 @@ int xe_uc_reset_prepare(struct xe_uc *uc); void xe_uc_stop_prepare(struct xe_uc *uc); void xe_uc_stop(struct xe_uc *uc); int xe_uc_start(struct xe_uc *uc); +void xe_uc_suspend_prepare(struct xe_uc *uc); int xe_uc_suspend(struct xe_uc *uc); int xe_uc_sanitize_reset(struct xe_uc *uc); void xe_uc_declare_wedged(struct xe_uc *uc);

3 months, 3 weeks

3
3
0 0

[PATCH v2] binder: fix use-after-free in binderfs_evict_inode()

by Carlos Llamas

From: Dmitry Antipov <dmantipov(a)yandex.ru> Running 'stress-ng --binderfs 16 --timeout 300' under KASAN-enabled kernel, I've noticed the following: BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x1de/0x2d0 Write of size 8 at addr ffff88807379bc08 by task stress-ng-binde/1699 CPU: 0 UID: 0 PID: 1699 Comm: stress-ng-binde Not tainted 6.14.0-rc7-g586de92313fc-dirty #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x1c2/0x2a0 ? __pfx_dump_stack_lvl+0x10/0x10 ? __pfx__printk+0x10/0x10 ? __pfx_lock_release+0x10/0x10 ? __virt_addr_valid+0x18c/0x540 ? __virt_addr_valid+0x469/0x540 print_report+0x155/0x840 ? __virt_addr_valid+0x18c/0x540 ? __virt_addr_valid+0x469/0x540 ? __phys_addr+0xba/0x170 ? binderfs_evict_inode+0x1de/0x2d0 kasan_report+0x147/0x180 ? binderfs_evict_inode+0x1de/0x2d0 binderfs_evict_inode+0x1de/0x2d0 ? __pfx_binderfs_evict_inode+0x10/0x10 evict+0x524/0x9f0 ? __pfx_lock_release+0x10/0x10 ? __pfx_evict+0x10/0x10 ? do_raw_spin_unlock+0x4d/0x210 ? _raw_spin_unlock+0x28/0x50 ? iput+0x697/0x9b0 __dentry_kill+0x209/0x660 ? shrink_kill+0x8d/0x2c0 shrink_kill+0xa9/0x2c0 shrink_dentry_list+0x2e0/0x5e0 shrink_dcache_parent+0xa2/0x2c0 ? __pfx_shrink_dcache_parent+0x10/0x10 ? __pfx_lock_release+0x10/0x10 ? __pfx_do_raw_spin_lock+0x10/0x10 do_one_tree+0x23/0xe0 shrink_dcache_for_umount+0xa0/0x170 generic_shutdown_super+0x67/0x390 kill_litter_super+0x76/0xb0 binderfs_kill_super+0x44/0x90 deactivate_locked_super+0xb9/0x130 cleanup_mnt+0x422/0x4c0 ? lockdep_hardirqs_on+0x9d/0x150 task_work_run+0x1d2/0x260 ? __pfx_task_work_run+0x10/0x10 resume_user_mode_work+0x52/0x60 syscall_exit_to_user_mode+0x9a/0x120 do_syscall_64+0x103/0x210 ? asm_sysvec_apic_timer_interrupt+0x1a/0x20 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0xcac57b Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 31 f6 e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 RSP: 002b:00007ffecf4226a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 RAX: 0000000000000000 RBX: 00007ffecf422720 RCX: 0000000000cac57b RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffecf422850 RBP: 00007ffecf422850 R08: 0000000028d06ab1 R09: 7fffffffffffffff R10: 3fffffffffffffff R11: 0000000000000246 R12: 00007ffecf422718 R13: 00007ffecf422710 R14: 00007f478f87b658 R15: 00007ffecf422830 </TASK> Allocated by task 1705: kasan_save_track+0x3e/0x80 __kasan_kmalloc+0x8f/0xa0 __kmalloc_cache_noprof+0x213/0x3e0 binderfs_binder_device_create+0x183/0xa80 binder_ctl_ioctl+0x138/0x190 __x64_sys_ioctl+0x120/0x1b0 do_syscall_64+0xf6/0x210 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 1705: kasan_save_track+0x3e/0x80 kasan_save_free_info+0x46/0x50 __kasan_slab_free+0x62/0x70 kfree+0x194/0x440 evict+0x524/0x9f0 do_unlinkat+0x390/0x5b0 __x64_sys_unlink+0x47/0x50 do_syscall_64+0xf6/0x210 entry_SYSCALL_64_after_hwframe+0x77/0x7f This 'stress-ng' workload causes the concurrent deletions from 'binder_devices' and so requires full-featured synchronization to prevent list corruption. I've found this issue independently but pretty sure that syzbot did the same, so Reported-by: and Closes: should be applicable here as well. Cc: stable(a)vger.kernel.org Reported-by: syzbot+353d7b75658a95aa955a(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=353d7b75658a95aa955a Fixes: e77aff5528a18 ("binderfs: fix use-after-free in binder_devices") Signed-off-by: Dmitry Antipov <dmantipov(a)yandex.ru> Acked-by: Carlos Llamas <cmllamas(a)google.com> Signed-off-by: Carlos Llamas <cmllamas(a)google.com> --- v1: https://lore.kernel.org/all/20250324132427.922495-1-dmantipov@yandex.ru/ v2: - Collect tags. Actually Cc Greg and stable@ this time. drivers/android/binder.c | 15 +++++++++++++-- drivers/android/binder_internal.h | 8 ++++++-- drivers/android/binderfs.c | 2 +- 3 files changed, 20 insertions(+), 5 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 5fc2c8ee61b1..8d9c5f436fca 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -79,6 +79,8 @@ static HLIST_HEAD(binder_deferred_list); static DEFINE_MUTEX(binder_deferred_lock); static HLIST_HEAD(binder_devices); +static DEFINE_SPINLOCK(binder_devices_lock); + static HLIST_HEAD(binder_procs); static DEFINE_MUTEX(binder_procs_lock); @@ -6929,7 +6931,16 @@ const struct binder_debugfs_entry binder_debugfs_entries[] = { void binder_add_device(struct binder_device *device) { + spin_lock(&binder_devices_lock); hlist_add_head(&device->hlist, &binder_devices); + spin_unlock(&binder_devices_lock); +} + +void binder_remove_device(struct binder_device *device) +{ + spin_lock(&binder_devices_lock); + hlist_del_init(&device->hlist); + spin_unlock(&binder_devices_lock); } static int __init init_binder_device(const char *name) @@ -6956,7 +6967,7 @@ static int __init init_binder_device(const char *name) return ret; } - hlist_add_head(&binder_device->hlist, &binder_devices); + binder_add_device(binder_device); return ret; } @@ -7018,7 +7029,7 @@ static int __init binder_init(void) err_init_binder_device_failed: hlist_for_each_entry_safe(device, tmp, &binder_devices, hlist) { misc_deregister(&device->miscdev); - hlist_del(&device->hlist); + binder_remove_device(device); kfree(device); } diff --git a/drivers/android/binder_internal.h b/drivers/android/binder_internal.h index 6a66c9769c6c..1ba5caf1d88d 100644 --- a/drivers/android/binder_internal.h +++ b/drivers/android/binder_internal.h @@ -583,9 +583,13 @@ struct binder_object { /** * Add a binder device to binder_devices * @device: the new binder device to add to the global list - * - * Not reentrant as the list is not protected by any locks */ void binder_add_device(struct binder_device *device); +/** + * Remove a binder device to binder_devices + * @device: the binder device to remove from the global list + */ +void binder_remove_device(struct binder_device *device); + #endif /* _LINUX_BINDER_INTERNAL_H */ diff --git a/drivers/android/binderfs.c b/drivers/android/binderfs.c index 94c6446604fc..44d430c4ebef 100644 --- a/drivers/android/binderfs.c +++ b/drivers/android/binderfs.c @@ -274,7 +274,7 @@ static void binderfs_evict_inode(struct inode *inode) mutex_unlock(&binderfs_minors_mutex); if (refcount_dec_and_test(&device->ref)) { - hlist_del_init(&device->hlist); + binder_remove_device(device); kfree(device->context.name); kfree(device); } -- 2.49.0.1101.gccaa498523-goog

3 months, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] drm/tiny: panel-mipi-dbi: Use drm_client_setup_with_fourcc()" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 9c1798259b9420f38f1fa1b83e3d864c3eb1a83e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051936-qualify-waged-4677@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9c1798259b9420f38f1fa1b83e3d864c3eb1a83e Mon Sep 17 00:00:00 2001 From: Fabio Estevam <festevam(a)denx.de> Date: Thu, 17 Apr 2025 07:34:58 -0300 Subject: [PATCH] drm/tiny: panel-mipi-dbi: Use drm_client_setup_with_fourcc() Since commit 559358282e5b ("drm/fb-helper: Don't use the preferred depth for the BPP default"), RGB565 displays such as the CFAF240320X no longer render correctly: colors are distorted and the content is shown twice horizontally. This regression is due to the fbdev emulation layer defaulting to 32 bits per pixel, whereas the display expects 16 bpp (RGB565). As a result, the framebuffer data is incorrectly interpreted by the panel. Fix the issue by calling drm_client_setup_with_fourcc() with a format explicitly selected based on the display's bits-per-pixel value. For 16 bpp, use DRM_FORMAT_RGB565; for other values, fall back to the previous behavior. This ensures that the allocated framebuffer format matches the hardware expectations, avoiding color and layout corruption. Tested on a CFAF240320X display with an RGB565 configuration, confirming correct colors and layout after applying this patch. Cc: stable(a)vger.kernel.org Fixes: 559358282e5b ("drm/fb-helper: Don't use the preferred depth for the BPP default") Signed-off-by: Fabio Estevam <festevam(a)denx.de> Reviewed-by: Thomas Zimmermann <tzimmermann(a)suse.de> Reviewed-by: Javier Martinez Canillas <javierm(a)redhat.com> Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Link: https://lore.kernel.org/r/20250417103458.2496790-1-festevam@gmail.com diff --git a/drivers/gpu/drm/tiny/panel-mipi-dbi.c b/drivers/gpu/drm/tiny/panel-mipi-dbi.c index 0460ecaef4bd..23914a9f7fd3 100644 --- a/drivers/gpu/drm/tiny/panel-mipi-dbi.c +++ b/drivers/gpu/drm/tiny/panel-mipi-dbi.c @@ -390,7 +390,10 @@ static int panel_mipi_dbi_spi_probe(struct spi_device *spi) spi_set_drvdata(spi, drm); - drm_client_setup(drm, NULL); + if (bpp == 16) + drm_client_setup_with_fourcc(drm, DRM_FORMAT_RGB565); + else + drm_client_setup_with_fourcc(drm, DRM_FORMAT_RGB888); return 0; }

3 months, 3 weeks

3
3
0 0

FAILED: patch "[PATCH] phy: renesas: rcar-gen3-usb2: Fix role detection on" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 54c4c58713aaff76c2422ff5750e557ab3b100d7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051925-parasail-grinch-05f6@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 54c4c58713aaff76c2422ff5750e557ab3b100d7 Mon Sep 17 00:00:00 2001 From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Date: Wed, 7 May 2025 15:50:28 +0300 Subject: [PATCH] phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind It has been observed on the Renesas RZ/G3S SoC that unbinding and binding the PHY driver leads to role autodetection failures. This issue occurs when PHY 3 is the first initialized PHY. PHY 3 does not have an interrupt associated with the USB2_INT_ENABLE register (as rcar_gen3_int_enable[3] = 0). As a result, rcar_gen3_init_otg() is called to initialize OTG without enabling PHY interrupts. To resolve this, add rcar_gen3_is_any_otg_rphy_initialized() and call it in role_store(), role_show(), and rcar_gen3_init_otg(). At the same time, rcar_gen3_init_otg() is only called when initialization for a PHY with interrupt bits is in progress. As a result, the struct rcar_gen3_phy::otg_initialized is no longer needed. Fixes: 549b6b55b005 ("phy: renesas: rcar-gen3-usb2: enable/disable independent irqs") Cc: stable(a)vger.kernel.org Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Link: https://lore.kernel.org/r/20250507125032.565017-2-claudiu.beznea.uj@bp.rene… Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/phy/renesas/phy-rcar-gen3-usb2.c b/drivers/phy/renesas/phy-rcar-gen3-usb2.c index 775f4f973a6c..46afba2fe0dc 100644 --- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c +++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c @@ -107,7 +107,6 @@ struct rcar_gen3_phy { struct rcar_gen3_chan *ch; u32 int_enable_bits; bool initialized; - bool otg_initialized; bool powered; }; @@ -320,16 +319,15 @@ static bool rcar_gen3_is_any_rphy_initialized(struct rcar_gen3_chan *ch) return false; } -static bool rcar_gen3_needs_init_otg(struct rcar_gen3_chan *ch) +static bool rcar_gen3_is_any_otg_rphy_initialized(struct rcar_gen3_chan *ch) { - int i; - - for (i = 0; i < NUM_OF_PHYS; i++) { - if (ch->rphys[i].otg_initialized) - return false; + for (enum rcar_gen3_phy_index i = PHY_INDEX_BOTH_HC; i <= PHY_INDEX_EHCI; + i++) { + if (ch->rphys[i].initialized) + return true; } - return true; + return false; } static bool rcar_gen3_are_all_rphys_power_off(struct rcar_gen3_chan *ch) @@ -351,7 +349,7 @@ static ssize_t role_store(struct device *dev, struct device_attribute *attr, bool is_b_device; enum phy_mode cur_mode, new_mode; - if (!ch->is_otg_channel || !rcar_gen3_is_any_rphy_initialized(ch)) + if (!ch->is_otg_channel || !rcar_gen3_is_any_otg_rphy_initialized(ch)) return -EIO; if (sysfs_streq(buf, "host")) @@ -389,7 +387,7 @@ static ssize_t role_show(struct device *dev, struct device_attribute *attr, { struct rcar_gen3_chan *ch = dev_get_drvdata(dev); - if (!ch->is_otg_channel || !rcar_gen3_is_any_rphy_initialized(ch)) + if (!ch->is_otg_channel || !rcar_gen3_is_any_otg_rphy_initialized(ch)) return -EIO; return sprintf(buf, "%s\n", rcar_gen3_is_host(ch) ? "host" : @@ -402,6 +400,9 @@ static void rcar_gen3_init_otg(struct rcar_gen3_chan *ch) void __iomem *usb2_base = ch->base; u32 val; + if (!ch->is_otg_channel || rcar_gen3_is_any_otg_rphy_initialized(ch)) + return; + /* Should not use functions of read-modify-write a register */ val = readl(usb2_base + USB2_LINECTRL1); val = (val & ~USB2_LINECTRL1_DP_RPD) | USB2_LINECTRL1_DPRPD_EN | @@ -465,12 +466,9 @@ static int rcar_gen3_phy_usb2_init(struct phy *p) writel(USB2_SPD_RSM_TIMSET_INIT, usb2_base + USB2_SPD_RSM_TIMSET); writel(USB2_OC_TIMSET_INIT, usb2_base + USB2_OC_TIMSET); - /* Initialize otg part */ - if (channel->is_otg_channel) { - if (rcar_gen3_needs_init_otg(channel)) - rcar_gen3_init_otg(channel); - rphy->otg_initialized = true; - } + /* Initialize otg part (only if we initialize a PHY with IRQs). */ + if (rphy->int_enable_bits) + rcar_gen3_init_otg(channel); rphy->initialized = true; @@ -486,9 +484,6 @@ static int rcar_gen3_phy_usb2_exit(struct phy *p) rphy->initialized = false; - if (channel->is_otg_channel) - rphy->otg_initialized = false; - val = readl(usb2_base + USB2_INT_ENABLE); val &= ~rphy->int_enable_bits; if (!rcar_gen3_is_any_rphy_initialized(channel))

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] phy: renesas: rcar-gen3-usb2: Fix role detection on" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 54c4c58713aaff76c2422ff5750e557ab3b100d7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051923-veto-uncivil-bb49@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 54c4c58713aaff76c2422ff5750e557ab3b100d7 Mon Sep 17 00:00:00 2001 From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Date: Wed, 7 May 2025 15:50:28 +0300 Subject: [PATCH] phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind It has been observed on the Renesas RZ/G3S SoC that unbinding and binding the PHY driver leads to role autodetection failures. This issue occurs when PHY 3 is the first initialized PHY. PHY 3 does not have an interrupt associated with the USB2_INT_ENABLE register (as rcar_gen3_int_enable[3] = 0). As a result, rcar_gen3_init_otg() is called to initialize OTG without enabling PHY interrupts. To resolve this, add rcar_gen3_is_any_otg_rphy_initialized() and call it in role_store(), role_show(), and rcar_gen3_init_otg(). At the same time, rcar_gen3_init_otg() is only called when initialization for a PHY with interrupt bits is in progress. As a result, the struct rcar_gen3_phy::otg_initialized is no longer needed. Fixes: 549b6b55b005 ("phy: renesas: rcar-gen3-usb2: enable/disable independent irqs") Cc: stable(a)vger.kernel.org Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Link: https://lore.kernel.org/r/20250507125032.565017-2-claudiu.beznea.uj@bp.rene… Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/phy/renesas/phy-rcar-gen3-usb2.c b/drivers/phy/renesas/phy-rcar-gen3-usb2.c index 775f4f973a6c..46afba2fe0dc 100644 --- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c +++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c @@ -107,7 +107,6 @@ struct rcar_gen3_phy { struct rcar_gen3_chan *ch; u32 int_enable_bits; bool initialized; - bool otg_initialized; bool powered; }; @@ -320,16 +319,15 @@ static bool rcar_gen3_is_any_rphy_initialized(struct rcar_gen3_chan *ch) return false; } -static bool rcar_gen3_needs_init_otg(struct rcar_gen3_chan *ch) +static bool rcar_gen3_is_any_otg_rphy_initialized(struct rcar_gen3_chan *ch) { - int i; - - for (i = 0; i < NUM_OF_PHYS; i++) { - if (ch->rphys[i].otg_initialized) - return false; + for (enum rcar_gen3_phy_index i = PHY_INDEX_BOTH_HC; i <= PHY_INDEX_EHCI; + i++) { + if (ch->rphys[i].initialized) + return true; } - return true; + return false; } static bool rcar_gen3_are_all_rphys_power_off(struct rcar_gen3_chan *ch) @@ -351,7 +349,7 @@ static ssize_t role_store(struct device *dev, struct device_attribute *attr, bool is_b_device; enum phy_mode cur_mode, new_mode; - if (!ch->is_otg_channel || !rcar_gen3_is_any_rphy_initialized(ch)) + if (!ch->is_otg_channel || !rcar_gen3_is_any_otg_rphy_initialized(ch)) return -EIO; if (sysfs_streq(buf, "host")) @@ -389,7 +387,7 @@ static ssize_t role_show(struct device *dev, struct device_attribute *attr, { struct rcar_gen3_chan *ch = dev_get_drvdata(dev); - if (!ch->is_otg_channel || !rcar_gen3_is_any_rphy_initialized(ch)) + if (!ch->is_otg_channel || !rcar_gen3_is_any_otg_rphy_initialized(ch)) return -EIO; return sprintf(buf, "%s\n", rcar_gen3_is_host(ch) ? "host" : @@ -402,6 +400,9 @@ static void rcar_gen3_init_otg(struct rcar_gen3_chan *ch) void __iomem *usb2_base = ch->base; u32 val; + if (!ch->is_otg_channel || rcar_gen3_is_any_otg_rphy_initialized(ch)) + return; + /* Should not use functions of read-modify-write a register */ val = readl(usb2_base + USB2_LINECTRL1); val = (val & ~USB2_LINECTRL1_DP_RPD) | USB2_LINECTRL1_DPRPD_EN | @@ -465,12 +466,9 @@ static int rcar_gen3_phy_usb2_init(struct phy *p) writel(USB2_SPD_RSM_TIMSET_INIT, usb2_base + USB2_SPD_RSM_TIMSET); writel(USB2_OC_TIMSET_INIT, usb2_base + USB2_OC_TIMSET); - /* Initialize otg part */ - if (channel->is_otg_channel) { - if (rcar_gen3_needs_init_otg(channel)) - rcar_gen3_init_otg(channel); - rphy->otg_initialized = true; - } + /* Initialize otg part (only if we initialize a PHY with IRQs). */ + if (rphy->int_enable_bits) + rcar_gen3_init_otg(channel); rphy->initialized = true; @@ -486,9 +484,6 @@ static int rcar_gen3_phy_usb2_exit(struct phy *p) rphy->initialized = false; - if (channel->is_otg_channel) - rphy->otg_initialized = false; - val = readl(usb2_base + USB2_INT_ENABLE); val &= ~rphy->int_enable_bits; if (!rcar_gen3_is_any_rphy_initialized(channel))

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] phy: renesas: rcar-gen3-usb2: Fix role detection on" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 54c4c58713aaff76c2422ff5750e557ab3b100d7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051924-sulfite-ahoy-71d8@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 54c4c58713aaff76c2422ff5750e557ab3b100d7 Mon Sep 17 00:00:00 2001 From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Date: Wed, 7 May 2025 15:50:28 +0300 Subject: [PATCH] phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind It has been observed on the Renesas RZ/G3S SoC that unbinding and binding the PHY driver leads to role autodetection failures. This issue occurs when PHY 3 is the first initialized PHY. PHY 3 does not have an interrupt associated with the USB2_INT_ENABLE register (as rcar_gen3_int_enable[3] = 0). As a result, rcar_gen3_init_otg() is called to initialize OTG without enabling PHY interrupts. To resolve this, add rcar_gen3_is_any_otg_rphy_initialized() and call it in role_store(), role_show(), and rcar_gen3_init_otg(). At the same time, rcar_gen3_init_otg() is only called when initialization for a PHY with interrupt bits is in progress. As a result, the struct rcar_gen3_phy::otg_initialized is no longer needed. Fixes: 549b6b55b005 ("phy: renesas: rcar-gen3-usb2: enable/disable independent irqs") Cc: stable(a)vger.kernel.org Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Link: https://lore.kernel.org/r/20250507125032.565017-2-claudiu.beznea.uj@bp.rene… Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/phy/renesas/phy-rcar-gen3-usb2.c b/drivers/phy/renesas/phy-rcar-gen3-usb2.c index 775f4f973a6c..46afba2fe0dc 100644 --- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c +++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c @@ -107,7 +107,6 @@ struct rcar_gen3_phy { struct rcar_gen3_chan *ch; u32 int_enable_bits; bool initialized; - bool otg_initialized; bool powered; }; @@ -320,16 +319,15 @@ static bool rcar_gen3_is_any_rphy_initialized(struct rcar_gen3_chan *ch) return false; } -static bool rcar_gen3_needs_init_otg(struct rcar_gen3_chan *ch) +static bool rcar_gen3_is_any_otg_rphy_initialized(struct rcar_gen3_chan *ch) { - int i; - - for (i = 0; i < NUM_OF_PHYS; i++) { - if (ch->rphys[i].otg_initialized) - return false; + for (enum rcar_gen3_phy_index i = PHY_INDEX_BOTH_HC; i <= PHY_INDEX_EHCI; + i++) { + if (ch->rphys[i].initialized) + return true; } - return true; + return false; } static bool rcar_gen3_are_all_rphys_power_off(struct rcar_gen3_chan *ch) @@ -351,7 +349,7 @@ static ssize_t role_store(struct device *dev, struct device_attribute *attr, bool is_b_device; enum phy_mode cur_mode, new_mode; - if (!ch->is_otg_channel || !rcar_gen3_is_any_rphy_initialized(ch)) + if (!ch->is_otg_channel || !rcar_gen3_is_any_otg_rphy_initialized(ch)) return -EIO; if (sysfs_streq(buf, "host")) @@ -389,7 +387,7 @@ static ssize_t role_show(struct device *dev, struct device_attribute *attr, { struct rcar_gen3_chan *ch = dev_get_drvdata(dev); - if (!ch->is_otg_channel || !rcar_gen3_is_any_rphy_initialized(ch)) + if (!ch->is_otg_channel || !rcar_gen3_is_any_otg_rphy_initialized(ch)) return -EIO; return sprintf(buf, "%s\n", rcar_gen3_is_host(ch) ? "host" : @@ -402,6 +400,9 @@ static void rcar_gen3_init_otg(struct rcar_gen3_chan *ch) void __iomem *usb2_base = ch->base; u32 val; + if (!ch->is_otg_channel || rcar_gen3_is_any_otg_rphy_initialized(ch)) + return; + /* Should not use functions of read-modify-write a register */ val = readl(usb2_base + USB2_LINECTRL1); val = (val & ~USB2_LINECTRL1_DP_RPD) | USB2_LINECTRL1_DPRPD_EN | @@ -465,12 +466,9 @@ static int rcar_gen3_phy_usb2_init(struct phy *p) writel(USB2_SPD_RSM_TIMSET_INIT, usb2_base + USB2_SPD_RSM_TIMSET); writel(USB2_OC_TIMSET_INIT, usb2_base + USB2_OC_TIMSET); - /* Initialize otg part */ - if (channel->is_otg_channel) { - if (rcar_gen3_needs_init_otg(channel)) - rcar_gen3_init_otg(channel); - rphy->otg_initialized = true; - } + /* Initialize otg part (only if we initialize a PHY with IRQs). */ + if (rphy->int_enable_bits) + rcar_gen3_init_otg(channel); rphy->initialized = true; @@ -486,9 +484,6 @@ static int rcar_gen3_phy_usb2_exit(struct phy *p) rphy->initialized = false; - if (channel->is_otg_channel) - rphy->otg_initialized = false; - val = readl(usb2_base + USB2_INT_ENABLE); val &= ~rphy->int_enable_bits; if (!rcar_gen3_is_any_rphy_initialized(channel))

3 months, 3 weeks

1
0
0 0

[PATCH] net: hns3: Add error handling for VLAN filter hardware configuration

by Wentao Liang

The hclge_rm_vport_vlan_table() calls hclge_set_vlan_filter_hw() but does not check the return value. This could lead to execution with potentially invalid data. A proper implementation can be found in hclge_add_vport_all_vlan_table(). Add error handling after calling hclge_set_vlan_filter_hw(). If hclge_set_vlan_filter_hw() fails, log an error message via dev_err() and return. Fixes: c6075b193462 ("net: hns3: Record VF vlan tables") Cc: stable(a)vger.kernel.org # v5.1 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- .../hisilicon/hns3/hns3pf/hclge_main.c | 20 +++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c index db7845009252..5ab4c7f63766 100644 --- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c @@ -10141,15 +10141,23 @@ static void hclge_rm_vport_vlan_table(struct hclge_vport *vport, u16 vlan_id, { struct hclge_vport_vlan_cfg *vlan, *tmp; struct hclge_dev *hdev = vport->back; + int ret; list_for_each_entry_safe(vlan, tmp, &vport->vlan_list, node) { if (vlan->vlan_id == vlan_id) { - if (is_write_tbl && vlan->hd_tbl_status) - hclge_set_vlan_filter_hw(hdev, - htons(ETH_P_8021Q), - vport->vport_id, - vlan_id, - true); + if (is_write_tbl && vlan->hd_tbl_status) { + ret = hclge_set_vlan_filter_hw(hdev, + htons(ETH_P_8021Q), + vport->vport_id, + vlan_id, + true); + if (ret) { + dev_err(&hdev->pdev->dev, + "restore vport vlan list failed, ret=%d\n", + ret); + return; + } + } list_del(&vlan->node); kfree(vlan); -- 2.42.0.windows.2

3 months, 3 weeks

2
1
0 0

regression in 6.6.91: arch/x86/kernel/alternative.c:1452:5: error: redefinition of 'its_static_thunk'

by Natanael Copa

Hi! When building 6.6.91 for Alpine Linux I got this error on 32 bit x86: CC net/devlink/dpipe.o /home/buildozer/aports/main/linux-lts/src/linux-6.6/arch/x86/kernel/alternative.c:1452:5: error: redefinition of 'its_static_thunk' 1452 | u8 *its_static_thunk(int reg) | ^~~~~~~~~~~~~~~~ In file included from /home/buildozer/aports/main/linux-lts/src/linux-6.6/arch/x86/include/asm/barrier.h:5, from /home/buildozer/aports/main/linux-lts/src/linux-6.6/include/linux/list.h:11, from /home/buildozer/aports/main/linux-lts/src/linux-6.6/include/linux/module.h:12, from /home/buildozer/aports/main/linux-lts/src/linux-6.6/arch/x86/kernel/alternative.c:4: /home/buildozer/aports/main/linux-lts/src/linux-6.6/arch/x86/include/asm/alternative.h:143:19: note: previous definition of 'its_static_thunk' with type 'u8 *(int)' {aka 'unsigned char *(int)'} 143 | static inline u8 *its_static_thunk(int reg) | ^~~~~~~~~~~~~~~~ CC [M] net/sched/act_skbmod.o make[4]: *** [/home/buildozer/aports/main/linux-lts/src/linux-6.6/scripts/Makefile.build:243: arch/x86/kernel/alternative.o] Error 1 make[3]: *** [/home/buildozer/aports/main/linux-lts/src/linux-6.6/scripts/Makefile.build:480: arch/x86/kernel] Error 2 make[3]: *** Waiting for unfinished jobs.... I believe this was introduce with commit 772934d9062a0f7297ad4e5bffbd904208655660 Author: Peter Zijlstra <peterz(a)infradead.org> Date: Wed Apr 23 09:57:31 2025 +0200 x86/its: FineIBT-paranoid vs ITS commit e52c1dc7455d32c8a55f9949d300e5e87d011fa6 upstream.

3 months, 3 weeks

2
1
0 0

[PATCH] perf/arm-cmn: Add CMN S3 ACPI binding

by Robin Murphy

An ACPI binding for CMN S3 was not yet finalised when the driver support was originally written, but v1.2 of DEN0093 "ACPI for Arm Components" has at last been published; support ACPI systems using the proper HID. Cc: stable(a)vger.kernel.org Fixes: 0dc2f4963f7e ("perf/arm-cmn: Support CMN S3") Signed-off-by: Robin Murphy <robin.murphy(a)arm.com> --- drivers/perf/arm-cmn.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/perf/arm-cmn.c b/drivers/perf/arm-cmn.c index e385f187a084..403850b1040d 100644 --- a/drivers/perf/arm-cmn.c +++ b/drivers/perf/arm-cmn.c @@ -2651,6 +2651,7 @@ static const struct acpi_device_id arm_cmn_acpi_match[] = { { "ARMHC600", PART_CMN600 }, { "ARMHC650" }, { "ARMHC700" }, + { "ARMHC003" }, {} }; MODULE_DEVICE_TABLE(acpi, arm_cmn_acpi_match); -- 2.39.2.101.g768bb238c484.dirty

3 months, 3 weeks

2
1
0 0

[PATCH net] phy: dp83869: fix interrupts issue when using with an optical fiber sfp. to correctly clear the interrupts both status registers must be read.

by chalianis1＠gmail.com

From: Anis Chali <chalianis1(a)gmail.com> from datasheet of dp83869hm 7.3.6 Interrupt The DP83869HM can be configured to generate an interrupt when changes of internal status occur. The interrupt allows a MAC to act upon the status in the PHY without polling the PHY registers. The interrupt source can be selected through the interrupt registers, MICR (12h) and FIBER_INT_EN (C18h). The interrupt status can be read from ISR (13h) and FIBER_INT_STTS (C19h) registers. Some interrupts are enabled by default and can be disabled through register access. Both the interrupt status registers must be read in order to clear pending interrupts. Until the pending interrupts are cleared, new interrupts may not be routed to the interrupt pin. Fixes: interrupts issue when using with an optical fiber sfp. Signed-off-by: Anis Chali <chalianis1(a)gmail.com> --- drivers/net/phy/dp83869.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/net/phy/dp83869.c b/drivers/net/phy/dp83869.c index a62cd838a9ea..1e8c20f387b8 100644 --- a/drivers/net/phy/dp83869.c +++ b/drivers/net/phy/dp83869.c @@ -41,6 +41,7 @@ #define DP83869_IO_MUX_CFG 0x0170 #define DP83869_OP_MODE 0x01df #define DP83869_FX_CTRL 0x0c00 +#define DP83869_FX_INT_STS 0x0c19 #define DP83869_SW_RESET BIT(15) #define DP83869_SW_RESTART BIT(14) @@ -195,6 +196,12 @@ static int dp83869_ack_interrupt(struct phy_device *phydev) if (err < 0) return err; + if (linkmode_test_bit(ETHTOOL_LINK_MODE_FIBRE_BIT, phydev->supported)) { + err = phy_read_mmd(phydev, DP83869_DEVADDR, DP83869_FX_INT_STS); + if (err < 0) + return err; + } + return 0; } -- 2.49.0

3 months, 3 weeks

3
2
0 0

v2 [PATCH] ocfs2: fix panic in failed foilio allocation

by Mark Tinguely

In the page to order 0 folio conversion series, the commit 7e119cff9d0a, "ocfs2: convert w_pages to w_folios" and commit 9a5e08652dc4b, "ocfs2: use an array of folios instead of an array of pages", saves -ENOMEM in the folio array upon allocation failure and calls the folio array free code. The folio array free code expects either valid folio pointers or NULL. Finding the -ENOMEM will result in a panic. Fix by NULLing the error folio entry. Signed-off-by: Mark Tinguely <mark.tinguely(a)oracle.com> Cc: stable(a)vger.kernel.org Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Matthew Wilcox <willy(a)infradead.org> --- v2: sorry, ocfs2_grab_folios() needs the same change. the other callers do not need the change. --- fs/ocfs2/alloc.c | 1 + fs/ocfs2/aops.c | 1 + 2 files changed, 2 insertions(+) diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c index b8ac85b548c7..821cb7874685 100644 --- a/fs/ocfs2/alloc.c +++ b/fs/ocfs2/alloc.c @@ -6918,6 +6918,7 @@ static int ocfs2_grab_folios(struct inode *inode, loff_t start, loff_t end, if (IS_ERR(folios[numfolios])) { ret = PTR_ERR(folios[numfolios]); mlog_errno(ret); + folios[numfolios] = NULL; goto out; } diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c index 40b6bce12951..89aadc6cdd87 100644 --- a/fs/ocfs2/aops.c +++ b/fs/ocfs2/aops.c @@ -1071,6 +1071,7 @@ static int ocfs2_grab_folios_for_write(struct address_space *mapping, if (IS_ERR(wc->w_folios[i])) { ret = PTR_ERR(wc->w_folios[i]); mlog_errno(ret); + wc->w_folios[i] = NULL; goto out; } } -- 2.39.5 (Apple Git-154)

3 months, 3 weeks

3
3
0 0

Fortinet Customers List

by Christy Woody

Hi, Would you be interested in acquiring Fortinet-Checkpoint-Palo Alto-Watchguard-SonicWALL Userscontacts list? We have other Technologies users List: - Juniper Networks BitDefender Cisco Meraki Sophos Webroot Imperva FireEye Symantec Forcepoint FireMon Imperva McAfee Interested in reaching these tech users? Reply with your “target tech and region” and I’ll provide more details. Cheers, Christy Woody Senior Lead Executive US-CANADA-EMEA-APAC Reply “LEAVEOUT” in the subject to unsubscribe.

3 months, 3 weeks

1
0
0 0

[PATCH] drm/i915/dp_mst: Work around Thunderbolt sink disconnect after SINK_COUNT_ESI read

by Imre Deak

Due to a problem in the iTBT DP-in adapter's firmware the sink on a TBT link may get disconnected inadvertently if the SINK_COUNT_ESI and the DP_LINK_SERVICE_IRQ_VECTOR_ESI0 registers are read in a single AUX transaction. Work around the issue by reading these registers in separate transactions. The issue affects MTL+ platforms and will be fixed in the DP-in adapter firmware, however releasing that firmware fix may take some time and is not guaranteed to be available for all systems. Based on this apply the workaround on affected platforms. See HSD #13013007775. Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/13760 Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/14147 Cc: stable(a)vger.kernel.org Signed-off-by: Imre Deak <imre.deak(a)intel.com> --- drivers/gpu/drm/i915/display/intel_dp.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/drivers/gpu/drm/i915/display/intel_dp.c b/drivers/gpu/drm/i915/display/intel_dp.c index 21297bc4cc00d..208a953b04a2f 100644 --- a/drivers/gpu/drm/i915/display/intel_dp.c +++ b/drivers/gpu/drm/i915/display/intel_dp.c @@ -4538,6 +4538,23 @@ intel_dp_mst_disconnect(struct intel_dp *intel_dp) static bool intel_dp_get_sink_irq_esi(struct intel_dp *intel_dp, u8 *esi) { + struct intel_display *display = to_intel_display(intel_dp); + + /* + * Display WA for HSD #13013007775: mtl/arl/lnl + * Read the sink count and link service IRQ registers in separate + * transactions to prevent disconnecting the sink on a TBT link + * inadvertently. + */ + if (IS_DISPLAY_VER(display, 14, 20) && !display->platform.battlemage) { + if (drm_dp_dpcd_read(&intel_dp->aux, DP_SINK_COUNT_ESI, esi, 3) != 3) + return false; + + /* DP_SINK_COUNT_ESI + 3 == DP_LINK_SERVICE_IRQ_VECTOR_ESI0 */ + return drm_dp_dpcd_readb(&intel_dp->aux, DP_LINK_SERVICE_IRQ_VECTOR_ESI0, + &esi[3]) == 1; + } + return drm_dp_dpcd_read(&intel_dp->aux, DP_SINK_COUNT_ESI, esi, 4) == 4; } -- 2.44.2

3 months, 3 weeks

3
4
0 0

FAILED: patch "[PATCH] dmaengine: idxd: fix memory leak in error handling path of" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 90022b3a6981ec234902be5dbf0f983a12c759fc # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051947-vexingly-upheaval-8642@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 90022b3a6981ec234902be5dbf0f983a12c759fc Mon Sep 17 00:00:00 2001 From: Shuai Xue <xueshuai(a)linux.alibaba.com> Date: Fri, 4 Apr 2025 20:02:15 +0800 Subject: [PATCH] dmaengine: idxd: fix memory leak in error handling path of idxd_pci_probe Memory allocated for idxd is not freed if an error occurs during idxd_pci_probe(). To fix it, free the allocated memory in the reverse order of allocation before exiting the function in case of an error. Fixes: bfe1d56091c1 ("dmaengine: idxd: Init and probe for Intel data accelerators") Cc: stable(a)vger.kernel.org Signed-off-by: Shuai Xue <xueshuai(a)linux.alibaba.com> Reviewed-by: Dave Jiang <dave.jiang(a)intel.com> Reviewed-by: Fenghua Yu <fenghuay(a)nvidia.com> Link: https://lore.kernel.org/r/20250404120217.48772-8-xueshuai@linux.alibaba.com Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c index 302d8983ed8c..f2b5b17538c0 100644 --- a/drivers/dma/idxd/init.c +++ b/drivers/dma/idxd/init.c @@ -587,6 +587,17 @@ static void idxd_read_caps(struct idxd_device *idxd) idxd->hw.iaa_cap.bits = ioread64(idxd->reg_base + IDXD_IAACAP_OFFSET); } +static void idxd_free(struct idxd_device *idxd) +{ + if (!idxd) + return; + + put_device(idxd_confdev(idxd)); + bitmap_free(idxd->opcap_bmap); + ida_free(&idxd_ida, idxd->id); + kfree(idxd); +} + static struct idxd_device *idxd_alloc(struct pci_dev *pdev, struct idxd_driver_data *data) { struct device *dev = &pdev->dev; @@ -1255,7 +1266,7 @@ int idxd_pci_probe_alloc(struct idxd_device *idxd, struct pci_dev *pdev, err: pci_iounmap(pdev, idxd->reg_base); err_iomap: - put_device(idxd_confdev(idxd)); + idxd_free(idxd); err_idxd_alloc: pci_disable_device(pdev); return rc;

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] dmaengine: idxd: Add missing idxd cleanup to fix memory leak" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x d5449ff1b04dfe9ed8e455769aa01e4c2ccf6805 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051922-ozone-overpass-e4e1@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d5449ff1b04dfe9ed8e455769aa01e4c2ccf6805 Mon Sep 17 00:00:00 2001 From: Shuai Xue <xueshuai(a)linux.alibaba.com> Date: Fri, 4 Apr 2025 20:02:16 +0800 Subject: [PATCH] dmaengine: idxd: Add missing idxd cleanup to fix memory leak in remove call The remove call stack is missing idxd cleanup to free bitmap, ida and the idxd_device. Call idxd_free() helper routines to make sure we exit gracefully. Fixes: bfe1d56091c1 ("dmaengine: idxd: Init and probe for Intel data accelerators") Cc: stable(a)vger.kernel.org Suggested-by: Vinicius Costa Gomes <vinicius.gomes(a)intel.com> Signed-off-by: Shuai Xue <xueshuai(a)linux.alibaba.com> Reviewed-by: Fenghua Yu <fenghuay(a)nvidia.com> Reviewed-by: Dave Jiang <dave.jiang(a)intel.com> Link: https://lore.kernel.org/r/20250404120217.48772-9-xueshuai@linux.alibaba.com Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c index f2b5b17538c0..974b926bd930 100644 --- a/drivers/dma/idxd/init.c +++ b/drivers/dma/idxd/init.c @@ -1335,6 +1335,7 @@ static void idxd_remove(struct pci_dev *pdev) destroy_workqueue(idxd->wq); perfmon_pmu_remove(idxd); put_device(idxd_confdev(idxd)); + idxd_free(idxd); } static struct pci_driver idxd_pci_driver = {

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] dmaengine: idxd: Add missing cleanups in cleanup internals" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 61d651572b6c4fe50c7b39a390760f3a910c7ccf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051904-earache-virtuous-e35d@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 61d651572b6c4fe50c7b39a390760f3a910c7ccf Mon Sep 17 00:00:00 2001 From: Shuai Xue <xueshuai(a)linux.alibaba.com> Date: Fri, 4 Apr 2025 20:02:13 +0800 Subject: [PATCH] dmaengine: idxd: Add missing cleanups in cleanup internals The idxd_cleanup_internals() function only decreases the reference count of groups, engines, and wqs but is missing the step to release memory resources. To fix this, use the cleanup helper to properly release the memory resources. Fixes: ddf742d4f3f1 ("dmaengine: idxd: Add missing cleanup for early error out in probe call") Cc: stable(a)vger.kernel.org Signed-off-by: Shuai Xue <xueshuai(a)linux.alibaba.com> Reviewed-by: Fenghua Yu <fenghuay(a)nvidia.com> Reviewed-by: Dave Jiang <dave.jiang(a)intel.com> Link: https://lore.kernel.org/r/20250404120217.48772-6-xueshuai@linux.alibaba.com Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c index a40fb2fd5006..f8129d2d53f1 100644 --- a/drivers/dma/idxd/init.c +++ b/drivers/dma/idxd/init.c @@ -407,14 +407,9 @@ static int idxd_setup_groups(struct idxd_device *idxd) static void idxd_cleanup_internals(struct idxd_device *idxd) { - int i; - - for (i = 0; i < idxd->max_groups; i++) - put_device(group_confdev(idxd->groups[i])); - for (i = 0; i < idxd->max_engines; i++) - put_device(engine_confdev(idxd->engines[i])); - for (i = 0; i < idxd->max_wqs; i++) - put_device(wq_confdev(idxd->wqs[i])); + idxd_clean_groups(idxd); + idxd_clean_engines(idxd); + idxd_clean_wqs(idxd); destroy_workqueue(idxd->wq); }

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] dmaengine: idxd: Add missing cleanup for early error out in" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 61259fb96e023f7299c442c48b13e72c441fc0f2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051921-smother-limpness-650a@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 61259fb96e023f7299c442c48b13e72c441fc0f2 Mon Sep 17 00:00:00 2001 From: Shuai Xue <xueshuai(a)linux.alibaba.com> Date: Fri, 4 Apr 2025 20:02:12 +0800 Subject: [PATCH] dmaengine: idxd: Add missing cleanup for early error out in idxd_setup_internals The idxd_setup_internals() is missing some cleanup when things fail in the middle. Add the appropriate cleanup routines: - cleanup groups - cleanup enginces - cleanup wqs to make sure it exits gracefully. Fixes: defe49f96012 ("dmaengine: idxd: fix group conf_dev lifetime") Cc: stable(a)vger.kernel.org Suggested-by: Fenghua Yu <fenghuay(a)nvidia.com> Signed-off-by: Shuai Xue <xueshuai(a)linux.alibaba.com> Reviewed-by: Fenghua Yu <fenghuay(a)nvidia.com> Reviewed-by: Dave Jiang <dave.jiang(a)intel.com> Link: https://lore.kernel.org/r/20250404120217.48772-5-xueshuai@linux.alibaba.com Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c index 7f0a26e2e0a5..a40fb2fd5006 100644 --- a/drivers/dma/idxd/init.c +++ b/drivers/dma/idxd/init.c @@ -155,6 +155,25 @@ static void idxd_cleanup_interrupts(struct idxd_device *idxd) pci_free_irq_vectors(pdev); } +static void idxd_clean_wqs(struct idxd_device *idxd) +{ + struct idxd_wq *wq; + struct device *conf_dev; + int i; + + for (i = 0; i < idxd->max_wqs; i++) { + wq = idxd->wqs[i]; + if (idxd->hw.wq_cap.op_config) + bitmap_free(wq->opcap_bmap); + kfree(wq->wqcfg); + conf_dev = wq_confdev(wq); + put_device(conf_dev); + kfree(wq); + } + bitmap_free(idxd->wq_enable_map); + kfree(idxd->wqs); +} + static int idxd_setup_wqs(struct idxd_device *idxd) { struct device *dev = &idxd->pdev->dev; @@ -245,6 +264,21 @@ static int idxd_setup_wqs(struct idxd_device *idxd) return rc; } +static void idxd_clean_engines(struct idxd_device *idxd) +{ + struct idxd_engine *engine; + struct device *conf_dev; + int i; + + for (i = 0; i < idxd->max_engines; i++) { + engine = idxd->engines[i]; + conf_dev = engine_confdev(engine); + put_device(conf_dev); + kfree(engine); + } + kfree(idxd->engines); +} + static int idxd_setup_engines(struct idxd_device *idxd) { struct idxd_engine *engine; @@ -296,6 +330,19 @@ static int idxd_setup_engines(struct idxd_device *idxd) return rc; } +static void idxd_clean_groups(struct idxd_device *idxd) +{ + struct idxd_group *group; + int i; + + for (i = 0; i < idxd->max_groups; i++) { + group = idxd->groups[i]; + put_device(group_confdev(group)); + kfree(group); + } + kfree(idxd->groups); +} + static int idxd_setup_groups(struct idxd_device *idxd) { struct device *dev = &idxd->pdev->dev; @@ -410,7 +457,7 @@ static int idxd_init_evl(struct idxd_device *idxd) static int idxd_setup_internals(struct idxd_device *idxd) { struct device *dev = &idxd->pdev->dev; - int rc, i; + int rc; init_waitqueue_head(&idxd->cmd_waitq); @@ -441,14 +488,11 @@ static int idxd_setup_internals(struct idxd_device *idxd) err_evl: destroy_workqueue(idxd->wq); err_wkq_create: - for (i = 0; i < idxd->max_groups; i++) - put_device(group_confdev(idxd->groups[i])); + idxd_clean_groups(idxd); err_group: - for (i = 0; i < idxd->max_engines; i++) - put_device(engine_confdev(idxd->engines[i])); + idxd_clean_engines(idxd); err_engine: - for (i = 0; i < idxd->max_wqs; i++) - put_device(wq_confdev(idxd->wqs[i])); + idxd_clean_wqs(idxd); err_wqs: return rc; }

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] dmaengine: mediatek: Fix a possible deadlock error in" failed to apply to 6.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.14.y git checkout FETCH_HEAD git cherry-pick -x 157ae5ffd76a2857ccb4b7ce40bc5a344ca00395 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051932-arrogant-spirits-b273@gregkh' --subject-prefix 'PATCH 6.14.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 157ae5ffd76a2857ccb4b7ce40bc5a344ca00395 Mon Sep 17 00:00:00 2001 From: Qiu-ji Chen <chenqiuji666(a)gmail.com> Date: Thu, 8 May 2025 15:36:33 +0800 Subject: [PATCH] dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix a potential deadlock bug. Observe that in the mtk-cqdma.c file, functions like mtk_cqdma_issue_pending() and mtk_cqdma_free_active_desc() properly acquire the pc lock before the vc lock when handling pc and vc fields. However, mtk_cqdma_tx_status() violates this order by first acquiring the vc lock before invoking mtk_cqdma_find_active_desc(), which subsequently takes the pc lock. This reversed locking sequence (vc → pc) contradicts the established pc → vc order and creates deadlock risks. Fix the issue by moving the vc lock acquisition code from mtk_cqdma_find_active_desc() to mtk_cqdma_tx_status(). Ensure the pc lock is acquired before the vc lock in the calling function to maintain correct locking hierarchy. Note that since mtk_cqdma_find_active_desc() is a static function with only one caller (mtk_cqdma_tx_status()), this modification safely eliminates the deadlock possibility without affecting other components. This possible bug is found by an experimental static analysis tool developed by our team. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including deadlocks, data races and atomicity violations. Fixes: b1f01e48df5a ("dmaengine: mediatek: Add MediaTek Command-Queue DMA controller for MT6765 SoC") Cc: stable(a)vger.kernel.org Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> Link: https://lore.kernel.org/r/20250508073634.3719-1-chenqiuji666@gmail.com Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/dma/mediatek/mtk-cqdma.c b/drivers/dma/mediatek/mtk-cqdma.c index d5ddb4e30e71..e35271ac1eed 100644 --- a/drivers/dma/mediatek/mtk-cqdma.c +++ b/drivers/dma/mediatek/mtk-cqdma.c @@ -422,13 +422,10 @@ static struct virt_dma_desc *mtk_cqdma_find_active_desc(struct dma_chan *c, struct virt_dma_desc *vd; unsigned long flags; - spin_lock_irqsave(&cvc->pc->lock, flags); list_for_each_entry(vd, &cvc->pc->queue, node) if (vd->tx.cookie == cookie) { - spin_unlock_irqrestore(&cvc->pc->lock, flags); return vd; } - spin_unlock_irqrestore(&cvc->pc->lock, flags); list_for_each_entry(vd, &cvc->vc.desc_issued, node) if (vd->tx.cookie == cookie) @@ -452,9 +449,11 @@ static enum dma_status mtk_cqdma_tx_status(struct dma_chan *c, if (ret == DMA_COMPLETE || !txstate) return ret; + spin_lock_irqsave(&cvc->pc->lock, flags); spin_lock_irqsave(&cvc->vc.lock, flags); vd = mtk_cqdma_find_active_desc(c, cookie); spin_unlock_irqrestore(&cvc->vc.lock, flags); + spin_unlock_irqrestore(&cvc->pc->lock, flags); if (vd) { cvd = to_cqdma_vdesc(vd);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] dmaengine: idxd: Refactor remove call with idxd_cleanup()" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x a409e919ca321cc0e28f8abf96fde299f0072a81 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051939-grumpily-unbuckled-7738@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a409e919ca321cc0e28f8abf96fde299f0072a81 Mon Sep 17 00:00:00 2001 From: Shuai Xue <xueshuai(a)linux.alibaba.com> Date: Fri, 4 Apr 2025 20:02:17 +0800 Subject: [PATCH] dmaengine: idxd: Refactor remove call with idxd_cleanup() helper The idxd_cleanup() helper cleans up perfmon, interrupts, internals and so on. Refactor remove call with the idxd_cleanup() helper to avoid code duplication. Note, this also fixes the missing put_device() for idxd groups, enginces and wqs. Fixes: bfe1d56091c1 ("dmaengine: idxd: Init and probe for Intel data accelerators") Cc: stable(a)vger.kernel.org Suggested-by: Vinicius Costa Gomes <vinicius.gomes(a)intel.com> Signed-off-by: Shuai Xue <xueshuai(a)linux.alibaba.com> Reviewed-by: Fenghua Yu <fenghuay(a)nvidia.com> Reviewed-by: Dave Jiang <dave.jiang(a)intel.com> Link: https://lore.kernel.org/r/20250404120217.48772-10-xueshuai@linux.alibaba.com Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c index 974b926bd930..760b7d81fcd8 100644 --- a/drivers/dma/idxd/init.c +++ b/drivers/dma/idxd/init.c @@ -1308,7 +1308,6 @@ static void idxd_shutdown(struct pci_dev *pdev) static void idxd_remove(struct pci_dev *pdev) { struct idxd_device *idxd = pci_get_drvdata(pdev); - struct idxd_irq_entry *irq_entry; idxd_unregister_devices(idxd); /* @@ -1321,21 +1320,12 @@ static void idxd_remove(struct pci_dev *pdev) get_device(idxd_confdev(idxd)); device_unregister(idxd_confdev(idxd)); idxd_shutdown(pdev); - if (device_pasid_enabled(idxd)) - idxd_disable_system_pasid(idxd); idxd_device_remove_debugfs(idxd); - - irq_entry = idxd_get_ie(idxd, 0); - free_irq(irq_entry->vector, irq_entry); - pci_free_irq_vectors(pdev); + idxd_cleanup(idxd); pci_iounmap(pdev, idxd->reg_base); - if (device_user_pasid_enabled(idxd)) - idxd_disable_sva(pdev); - pci_disable_device(pdev); - destroy_workqueue(idxd->wq); - perfmon_pmu_remove(idxd); put_device(idxd_confdev(idxd)); idxd_free(idxd); + pci_disable_device(pdev); } static struct pci_driver idxd_pci_driver = {

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] dmaengine: idxd: Refactor remove call with idxd_cleanup()" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x a409e919ca321cc0e28f8abf96fde299f0072a81 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051938-garden-pungent-45cd@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a409e919ca321cc0e28f8abf96fde299f0072a81 Mon Sep 17 00:00:00 2001 From: Shuai Xue <xueshuai(a)linux.alibaba.com> Date: Fri, 4 Apr 2025 20:02:17 +0800 Subject: [PATCH] dmaengine: idxd: Refactor remove call with idxd_cleanup() helper The idxd_cleanup() helper cleans up perfmon, interrupts, internals and so on. Refactor remove call with the idxd_cleanup() helper to avoid code duplication. Note, this also fixes the missing put_device() for idxd groups, enginces and wqs. Fixes: bfe1d56091c1 ("dmaengine: idxd: Init and probe for Intel data accelerators") Cc: stable(a)vger.kernel.org Suggested-by: Vinicius Costa Gomes <vinicius.gomes(a)intel.com> Signed-off-by: Shuai Xue <xueshuai(a)linux.alibaba.com> Reviewed-by: Fenghua Yu <fenghuay(a)nvidia.com> Reviewed-by: Dave Jiang <dave.jiang(a)intel.com> Link: https://lore.kernel.org/r/20250404120217.48772-10-xueshuai@linux.alibaba.com Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c index 974b926bd930..760b7d81fcd8 100644 --- a/drivers/dma/idxd/init.c +++ b/drivers/dma/idxd/init.c @@ -1308,7 +1308,6 @@ static void idxd_shutdown(struct pci_dev *pdev) static void idxd_remove(struct pci_dev *pdev) { struct idxd_device *idxd = pci_get_drvdata(pdev); - struct idxd_irq_entry *irq_entry; idxd_unregister_devices(idxd); /* @@ -1321,21 +1320,12 @@ static void idxd_remove(struct pci_dev *pdev) get_device(idxd_confdev(idxd)); device_unregister(idxd_confdev(idxd)); idxd_shutdown(pdev); - if (device_pasid_enabled(idxd)) - idxd_disable_system_pasid(idxd); idxd_device_remove_debugfs(idxd); - - irq_entry = idxd_get_ie(idxd, 0); - free_irq(irq_entry->vector, irq_entry); - pci_free_irq_vectors(pdev); + idxd_cleanup(idxd); pci_iounmap(pdev, idxd->reg_base); - if (device_user_pasid_enabled(idxd)) - idxd_disable_sva(pdev); - pci_disable_device(pdev); - destroy_workqueue(idxd->wq); - perfmon_pmu_remove(idxd); put_device(idxd_confdev(idxd)); idxd_free(idxd); + pci_disable_device(pdev); } static struct pci_driver idxd_pci_driver = {

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] dmaengine: idxd: Refactor remove call with idxd_cleanup()" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x a409e919ca321cc0e28f8abf96fde299f0072a81 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051938-reactor-print-6033@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a409e919ca321cc0e28f8abf96fde299f0072a81 Mon Sep 17 00:00:00 2001 From: Shuai Xue <xueshuai(a)linux.alibaba.com> Date: Fri, 4 Apr 2025 20:02:17 +0800 Subject: [PATCH] dmaengine: idxd: Refactor remove call with idxd_cleanup() helper The idxd_cleanup() helper cleans up perfmon, interrupts, internals and so on. Refactor remove call with the idxd_cleanup() helper to avoid code duplication. Note, this also fixes the missing put_device() for idxd groups, enginces and wqs. Fixes: bfe1d56091c1 ("dmaengine: idxd: Init and probe for Intel data accelerators") Cc: stable(a)vger.kernel.org Suggested-by: Vinicius Costa Gomes <vinicius.gomes(a)intel.com> Signed-off-by: Shuai Xue <xueshuai(a)linux.alibaba.com> Reviewed-by: Fenghua Yu <fenghuay(a)nvidia.com> Reviewed-by: Dave Jiang <dave.jiang(a)intel.com> Link: https://lore.kernel.org/r/20250404120217.48772-10-xueshuai@linux.alibaba.com Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c index 974b926bd930..760b7d81fcd8 100644 --- a/drivers/dma/idxd/init.c +++ b/drivers/dma/idxd/init.c @@ -1308,7 +1308,6 @@ static void idxd_shutdown(struct pci_dev *pdev) static void idxd_remove(struct pci_dev *pdev) { struct idxd_device *idxd = pci_get_drvdata(pdev); - struct idxd_irq_entry *irq_entry; idxd_unregister_devices(idxd); /* @@ -1321,21 +1320,12 @@ static void idxd_remove(struct pci_dev *pdev) get_device(idxd_confdev(idxd)); device_unregister(idxd_confdev(idxd)); idxd_shutdown(pdev); - if (device_pasid_enabled(idxd)) - idxd_disable_system_pasid(idxd); idxd_device_remove_debugfs(idxd); - - irq_entry = idxd_get_ie(idxd, 0); - free_irq(irq_entry->vector, irq_entry); - pci_free_irq_vectors(pdev); + idxd_cleanup(idxd); pci_iounmap(pdev, idxd->reg_base); - if (device_user_pasid_enabled(idxd)) - idxd_disable_sva(pdev); - pci_disable_device(pdev); - destroy_workqueue(idxd->wq); - perfmon_pmu_remove(idxd); put_device(idxd_confdev(idxd)); idxd_free(idxd); + pci_disable_device(pdev); } static struct pci_driver idxd_pci_driver = {

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] dmaengine: idxd: fix memory leak in error handling path of" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 90022b3a6981ec234902be5dbf0f983a12c759fc # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051919-legislate-uptake-1812@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 90022b3a6981ec234902be5dbf0f983a12c759fc Mon Sep 17 00:00:00 2001 From: Shuai Xue <xueshuai(a)linux.alibaba.com> Date: Fri, 4 Apr 2025 20:02:15 +0800 Subject: [PATCH] dmaengine: idxd: fix memory leak in error handling path of idxd_pci_probe Memory allocated for idxd is not freed if an error occurs during idxd_pci_probe(). To fix it, free the allocated memory in the reverse order of allocation before exiting the function in case of an error. Fixes: bfe1d56091c1 ("dmaengine: idxd: Init and probe for Intel data accelerators") Cc: stable(a)vger.kernel.org Signed-off-by: Shuai Xue <xueshuai(a)linux.alibaba.com> Reviewed-by: Dave Jiang <dave.jiang(a)intel.com> Reviewed-by: Fenghua Yu <fenghuay(a)nvidia.com> Link: https://lore.kernel.org/r/20250404120217.48772-8-xueshuai@linux.alibaba.com Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c index 302d8983ed8c..f2b5b17538c0 100644 --- a/drivers/dma/idxd/init.c +++ b/drivers/dma/idxd/init.c @@ -587,6 +587,17 @@ static void idxd_read_caps(struct idxd_device *idxd) idxd->hw.iaa_cap.bits = ioread64(idxd->reg_base + IDXD_IAACAP_OFFSET); } +static void idxd_free(struct idxd_device *idxd) +{ + if (!idxd) + return; + + put_device(idxd_confdev(idxd)); + bitmap_free(idxd->opcap_bmap); + ida_free(&idxd_ida, idxd->id); + kfree(idxd); +} + static struct idxd_device *idxd_alloc(struct pci_dev *pdev, struct idxd_driver_data *data) { struct device *dev = &pdev->dev; @@ -1255,7 +1266,7 @@ int idxd_pci_probe_alloc(struct idxd_device *idxd, struct pci_dev *pdev, err: pci_iounmap(pdev, idxd->reg_base); err_iomap: - put_device(idxd_confdev(idxd)); + idxd_free(idxd); err_idxd_alloc: pci_disable_device(pdev); return rc;

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] dmaengine: idxd: Add missing idxd cleanup to fix memory leak" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x d5449ff1b04dfe9ed8e455769aa01e4c2ccf6805 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051952-skyward-derail-feae@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d5449ff1b04dfe9ed8e455769aa01e4c2ccf6805 Mon Sep 17 00:00:00 2001 From: Shuai Xue <xueshuai(a)linux.alibaba.com> Date: Fri, 4 Apr 2025 20:02:16 +0800 Subject: [PATCH] dmaengine: idxd: Add missing idxd cleanup to fix memory leak in remove call The remove call stack is missing idxd cleanup to free bitmap, ida and the idxd_device. Call idxd_free() helper routines to make sure we exit gracefully. Fixes: bfe1d56091c1 ("dmaengine: idxd: Init and probe for Intel data accelerators") Cc: stable(a)vger.kernel.org Suggested-by: Vinicius Costa Gomes <vinicius.gomes(a)intel.com> Signed-off-by: Shuai Xue <xueshuai(a)linux.alibaba.com> Reviewed-by: Fenghua Yu <fenghuay(a)nvidia.com> Reviewed-by: Dave Jiang <dave.jiang(a)intel.com> Link: https://lore.kernel.org/r/20250404120217.48772-9-xueshuai@linux.alibaba.com Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c index f2b5b17538c0..974b926bd930 100644 --- a/drivers/dma/idxd/init.c +++ b/drivers/dma/idxd/init.c @@ -1335,6 +1335,7 @@ static void idxd_remove(struct pci_dev *pdev) destroy_workqueue(idxd->wq); perfmon_pmu_remove(idxd); put_device(idxd_confdev(idxd)); + idxd_free(idxd); } static struct pci_driver idxd_pci_driver = {

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] nvmet: pci-epf: clear completion queue IRQ flag on delete" failed to apply to 6.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.14.y git checkout FETCH_HEAD git cherry-pick -x 85adf2094abb9084770dc4ab302aaa9c5d26dd2d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051914-expulsion-cinema-9689@gregkh' --subject-prefix 'PATCH 6.14.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 85adf2094abb9084770dc4ab302aaa9c5d26dd2d Mon Sep 17 00:00:00 2001 From: Damien Le Moal <dlemoal(a)kernel.org> Date: Fri, 9 May 2025 08:25:00 +0900 Subject: [PATCH] nvmet: pci-epf: clear completion queue IRQ flag on delete The function nvmet_pci_epf_delete_cq() unconditionally calls nvmet_pci_epf_remove_irq_vector() even for completion queues that do not have interrupts enabled. Furthermore, for completion queues that do have IRQ enabled, deleting and re-creating the completion queue leaves the flag NVMET_PCI_EPF_Q_IRQ_ENABLED set, even if the completion queue is being re-created with IRQ disabled. Fix these issues by calling nvmet_pci_epf_remove_irq_vector() only if NVMET_PCI_EPF_Q_IRQ_ENABLED is set and make sure to always clear that flag. Fixes: 0faa0fe6f90e ("nvmet: New NVMe PCI endpoint function target driver") Cc: stable(a)vger.kernel.org Signed-off-by: Damien Le Moal <dlemoal(a)kernel.org> Signed-off-by: Christoph Hellwig <hch(a)lst.de> diff --git a/drivers/nvme/target/pci-epf.c b/drivers/nvme/target/pci-epf.c index 7fab7f3d79b7..d5442991f2fb 100644 --- a/drivers/nvme/target/pci-epf.c +++ b/drivers/nvme/target/pci-epf.c @@ -1344,7 +1344,8 @@ static u16 nvmet_pci_epf_delete_cq(struct nvmet_ctrl *tctrl, u16 cqid) cancel_delayed_work_sync(&cq->work); nvmet_pci_epf_drain_queue(cq); - nvmet_pci_epf_remove_irq_vector(ctrl, cq->vector); + if (test_and_clear_bit(NVMET_PCI_EPF_Q_IRQ_ENABLED, &cq->flags)) + nvmet_pci_epf_remove_irq_vector(ctrl, cq->vector); nvmet_pci_epf_mem_unmap(ctrl->nvme_epf, &cq->pci_map); return NVME_SC_SUCCESS;

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: hugetlb: fix incorrect fallback for subpool" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x a833a693a490ecff8ba377654c6d4d333718b6b1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051910-sharpness-improvise-0b77@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a833a693a490ecff8ba377654c6d4d333718b6b1 Mon Sep 17 00:00:00 2001 From: Wupeng Ma <mawupeng1(a)huawei.com> Date: Thu, 10 Apr 2025 14:26:33 +0800 Subject: [PATCH] mm: hugetlb: fix incorrect fallback for subpool During our testing with hugetlb subpool enabled, we observe that hstate->resv_huge_pages may underflow into negative values. Root cause analysis reveals a race condition in subpool reservation fallback handling as follow: hugetlb_reserve_pages() /* Attempt subpool reservation */ gbl_reserve = hugepage_subpool_get_pages(spool, chg); /* Global reservation may fail after subpool allocation */ if (hugetlb_acct_memory(h, gbl_reserve) < 0) goto out_put_pages; out_put_pages: /* This incorrectly restores reservation to subpool */ hugepage_subpool_put_pages(spool, chg); When hugetlb_acct_memory() fails after subpool allocation, the current implementation over-commits subpool reservations by returning the full 'chg' value instead of the actual allocated 'gbl_reserve' amount. This discrepancy propagates to global reservations during subsequent releases, eventually causing resv_huge_pages underflow. This problem can be trigger easily with the following steps: 1. reverse hugepage for hugeltb allocation 2. mount hugetlbfs with min_size to enable hugetlb subpool 3. alloc hugepages with two task(make sure the second will fail due to insufficient amount of hugepages) 4. with for a few seconds and repeat step 3 which will make hstate->resv_huge_pages to go below zero. To fix this problem, return corrent amount of pages to subpool during the fallback after hugepage_subpool_get_pages is called. Link: https://lkml.kernel.org/r/20250410062633.3102457-1-mawupeng1@huawei.com Fixes: 1c5ecae3a93f ("hugetlbfs: add minimum size accounting to subpools") Signed-off-by: Wupeng Ma <mawupeng1(a)huawei.com> Tested-by: Joshua Hahn <joshua.hahnjy(a)gmail.com> Reviewed-by: Oscar Salvador <osalvador(a)suse.de> Cc: David Hildenbrand <david(a)redhat.com> Cc: Ma Wupeng <mawupeng1(a)huawei.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 6ea1be71aa42..7ae38bfb9096 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -3010,7 +3010,7 @@ struct folio *alloc_hugetlb_folio(struct vm_area_struct *vma, struct hugepage_subpool *spool = subpool_vma(vma); struct hstate *h = hstate_vma(vma); struct folio *folio; - long retval, gbl_chg; + long retval, gbl_chg, gbl_reserve; map_chg_state map_chg; int ret, idx; struct hugetlb_cgroup *h_cg = NULL; @@ -3163,8 +3163,16 @@ struct folio *alloc_hugetlb_folio(struct vm_area_struct *vma, hugetlb_cgroup_uncharge_cgroup_rsvd(idx, pages_per_huge_page(h), h_cg); out_subpool_put: - if (map_chg) - hugepage_subpool_put_pages(spool, 1); + /* + * put page to subpool iff the quota of subpool's rsv_hpages is used + * during hugepage_subpool_get_pages. + */ + if (map_chg && !gbl_chg) { + gbl_reserve = hugepage_subpool_put_pages(spool, 1); + hugetlb_acct_memory(h, -gbl_reserve); + } + + out_end_reservation: if (map_chg != MAP_CHG_ENFORCED) vma_end_reservation(h, vma, addr); @@ -7239,7 +7247,7 @@ bool hugetlb_reserve_pages(struct inode *inode, struct vm_area_struct *vma, vm_flags_t vm_flags) { - long chg = -1, add = -1; + long chg = -1, add = -1, spool_resv, gbl_resv; struct hstate *h = hstate_inode(inode); struct hugepage_subpool *spool = subpool_inode(inode); struct resv_map *resv_map; @@ -7374,8 +7382,16 @@ bool hugetlb_reserve_pages(struct inode *inode, return true; out_put_pages: - /* put back original number of pages, chg */ - (void)hugepage_subpool_put_pages(spool, chg); + spool_resv = chg - gbl_reserve; + if (spool_resv) { + /* put sub pool's reservation back, chg - gbl_reserve */ + gbl_resv = hugepage_subpool_put_pages(spool, spool_resv); + /* + * subpool's reserved pages can not be put back due to race, + * return to hstate. + */ + hugetlb_acct_memory(h, -gbl_resv); + } out_uncharge_cgroup: hugetlb_cgroup_uncharge_cgroup_rsvd(hstate_index(h), chg * pages_per_huge_page(h), h_cg);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: hugetlb: fix incorrect fallback for subpool" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x a833a693a490ecff8ba377654c6d4d333718b6b1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051909-bluff-anchovy-3f6f@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a833a693a490ecff8ba377654c6d4d333718b6b1 Mon Sep 17 00:00:00 2001 From: Wupeng Ma <mawupeng1(a)huawei.com> Date: Thu, 10 Apr 2025 14:26:33 +0800 Subject: [PATCH] mm: hugetlb: fix incorrect fallback for subpool During our testing with hugetlb subpool enabled, we observe that hstate->resv_huge_pages may underflow into negative values. Root cause analysis reveals a race condition in subpool reservation fallback handling as follow: hugetlb_reserve_pages() /* Attempt subpool reservation */ gbl_reserve = hugepage_subpool_get_pages(spool, chg); /* Global reservation may fail after subpool allocation */ if (hugetlb_acct_memory(h, gbl_reserve) < 0) goto out_put_pages; out_put_pages: /* This incorrectly restores reservation to subpool */ hugepage_subpool_put_pages(spool, chg); When hugetlb_acct_memory() fails after subpool allocation, the current implementation over-commits subpool reservations by returning the full 'chg' value instead of the actual allocated 'gbl_reserve' amount. This discrepancy propagates to global reservations during subsequent releases, eventually causing resv_huge_pages underflow. This problem can be trigger easily with the following steps: 1. reverse hugepage for hugeltb allocation 2. mount hugetlbfs with min_size to enable hugetlb subpool 3. alloc hugepages with two task(make sure the second will fail due to insufficient amount of hugepages) 4. with for a few seconds and repeat step 3 which will make hstate->resv_huge_pages to go below zero. To fix this problem, return corrent amount of pages to subpool during the fallback after hugepage_subpool_get_pages is called. Link: https://lkml.kernel.org/r/20250410062633.3102457-1-mawupeng1@huawei.com Fixes: 1c5ecae3a93f ("hugetlbfs: add minimum size accounting to subpools") Signed-off-by: Wupeng Ma <mawupeng1(a)huawei.com> Tested-by: Joshua Hahn <joshua.hahnjy(a)gmail.com> Reviewed-by: Oscar Salvador <osalvador(a)suse.de> Cc: David Hildenbrand <david(a)redhat.com> Cc: Ma Wupeng <mawupeng1(a)huawei.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 6ea1be71aa42..7ae38bfb9096 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -3010,7 +3010,7 @@ struct folio *alloc_hugetlb_folio(struct vm_area_struct *vma, struct hugepage_subpool *spool = subpool_vma(vma); struct hstate *h = hstate_vma(vma); struct folio *folio; - long retval, gbl_chg; + long retval, gbl_chg, gbl_reserve; map_chg_state map_chg; int ret, idx; struct hugetlb_cgroup *h_cg = NULL; @@ -3163,8 +3163,16 @@ struct folio *alloc_hugetlb_folio(struct vm_area_struct *vma, hugetlb_cgroup_uncharge_cgroup_rsvd(idx, pages_per_huge_page(h), h_cg); out_subpool_put: - if (map_chg) - hugepage_subpool_put_pages(spool, 1); + /* + * put page to subpool iff the quota of subpool's rsv_hpages is used + * during hugepage_subpool_get_pages. + */ + if (map_chg && !gbl_chg) { + gbl_reserve = hugepage_subpool_put_pages(spool, 1); + hugetlb_acct_memory(h, -gbl_reserve); + } + + out_end_reservation: if (map_chg != MAP_CHG_ENFORCED) vma_end_reservation(h, vma, addr); @@ -7239,7 +7247,7 @@ bool hugetlb_reserve_pages(struct inode *inode, struct vm_area_struct *vma, vm_flags_t vm_flags) { - long chg = -1, add = -1; + long chg = -1, add = -1, spool_resv, gbl_resv; struct hstate *h = hstate_inode(inode); struct hugepage_subpool *spool = subpool_inode(inode); struct resv_map *resv_map; @@ -7374,8 +7382,16 @@ bool hugetlb_reserve_pages(struct inode *inode, return true; out_put_pages: - /* put back original number of pages, chg */ - (void)hugepage_subpool_put_pages(spool, chg); + spool_resv = chg - gbl_reserve; + if (spool_resv) { + /* put sub pool's reservation back, chg - gbl_reserve */ + gbl_resv = hugepage_subpool_put_pages(spool, spool_resv); + /* + * subpool's reserved pages can not be put back due to race, + * return to hstate. + */ + hugetlb_acct_memory(h, -gbl_resv); + } out_uncharge_cgroup: hugetlb_cgroup_uncharge_cgroup_rsvd(hstate_index(h), chg * pages_per_huge_page(h), h_cg);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: hugetlb: fix incorrect fallback for subpool" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x a833a693a490ecff8ba377654c6d4d333718b6b1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051908-repulsive-crazed-331a@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a833a693a490ecff8ba377654c6d4d333718b6b1 Mon Sep 17 00:00:00 2001 From: Wupeng Ma <mawupeng1(a)huawei.com> Date: Thu, 10 Apr 2025 14:26:33 +0800 Subject: [PATCH] mm: hugetlb: fix incorrect fallback for subpool During our testing with hugetlb subpool enabled, we observe that hstate->resv_huge_pages may underflow into negative values. Root cause analysis reveals a race condition in subpool reservation fallback handling as follow: hugetlb_reserve_pages() /* Attempt subpool reservation */ gbl_reserve = hugepage_subpool_get_pages(spool, chg); /* Global reservation may fail after subpool allocation */ if (hugetlb_acct_memory(h, gbl_reserve) < 0) goto out_put_pages; out_put_pages: /* This incorrectly restores reservation to subpool */ hugepage_subpool_put_pages(spool, chg); When hugetlb_acct_memory() fails after subpool allocation, the current implementation over-commits subpool reservations by returning the full 'chg' value instead of the actual allocated 'gbl_reserve' amount. This discrepancy propagates to global reservations during subsequent releases, eventually causing resv_huge_pages underflow. This problem can be trigger easily with the following steps: 1. reverse hugepage for hugeltb allocation 2. mount hugetlbfs with min_size to enable hugetlb subpool 3. alloc hugepages with two task(make sure the second will fail due to insufficient amount of hugepages) 4. with for a few seconds and repeat step 3 which will make hstate->resv_huge_pages to go below zero. To fix this problem, return corrent amount of pages to subpool during the fallback after hugepage_subpool_get_pages is called. Link: https://lkml.kernel.org/r/20250410062633.3102457-1-mawupeng1@huawei.com Fixes: 1c5ecae3a93f ("hugetlbfs: add minimum size accounting to subpools") Signed-off-by: Wupeng Ma <mawupeng1(a)huawei.com> Tested-by: Joshua Hahn <joshua.hahnjy(a)gmail.com> Reviewed-by: Oscar Salvador <osalvador(a)suse.de> Cc: David Hildenbrand <david(a)redhat.com> Cc: Ma Wupeng <mawupeng1(a)huawei.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 6ea1be71aa42..7ae38bfb9096 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -3010,7 +3010,7 @@ struct folio *alloc_hugetlb_folio(struct vm_area_struct *vma, struct hugepage_subpool *spool = subpool_vma(vma); struct hstate *h = hstate_vma(vma); struct folio *folio; - long retval, gbl_chg; + long retval, gbl_chg, gbl_reserve; map_chg_state map_chg; int ret, idx; struct hugetlb_cgroup *h_cg = NULL; @@ -3163,8 +3163,16 @@ struct folio *alloc_hugetlb_folio(struct vm_area_struct *vma, hugetlb_cgroup_uncharge_cgroup_rsvd(idx, pages_per_huge_page(h), h_cg); out_subpool_put: - if (map_chg) - hugepage_subpool_put_pages(spool, 1); + /* + * put page to subpool iff the quota of subpool's rsv_hpages is used + * during hugepage_subpool_get_pages. + */ + if (map_chg && !gbl_chg) { + gbl_reserve = hugepage_subpool_put_pages(spool, 1); + hugetlb_acct_memory(h, -gbl_reserve); + } + + out_end_reservation: if (map_chg != MAP_CHG_ENFORCED) vma_end_reservation(h, vma, addr); @@ -7239,7 +7247,7 @@ bool hugetlb_reserve_pages(struct inode *inode, struct vm_area_struct *vma, vm_flags_t vm_flags) { - long chg = -1, add = -1; + long chg = -1, add = -1, spool_resv, gbl_resv; struct hstate *h = hstate_inode(inode); struct hugepage_subpool *spool = subpool_inode(inode); struct resv_map *resv_map; @@ -7374,8 +7382,16 @@ bool hugetlb_reserve_pages(struct inode *inode, return true; out_put_pages: - /* put back original number of pages, chg */ - (void)hugepage_subpool_put_pages(spool, chg); + spool_resv = chg - gbl_reserve; + if (spool_resv) { + /* put sub pool's reservation back, chg - gbl_reserve */ + gbl_resv = hugepage_subpool_put_pages(spool, spool_resv); + /* + * subpool's reserved pages can not be put back due to race, + * return to hstate. + */ + hugetlb_acct_memory(h, -gbl_resv); + } out_uncharge_cgroup: hugetlb_cgroup_uncharge_cgroup_rsvd(hstate_index(h), chg * pages_per_huge_page(h), h_cg);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: hugetlb: fix incorrect fallback for subpool" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x a833a693a490ecff8ba377654c6d4d333718b6b1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051907-laxative-caviar-b847@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a833a693a490ecff8ba377654c6d4d333718b6b1 Mon Sep 17 00:00:00 2001 From: Wupeng Ma <mawupeng1(a)huawei.com> Date: Thu, 10 Apr 2025 14:26:33 +0800 Subject: [PATCH] mm: hugetlb: fix incorrect fallback for subpool During our testing with hugetlb subpool enabled, we observe that hstate->resv_huge_pages may underflow into negative values. Root cause analysis reveals a race condition in subpool reservation fallback handling as follow: hugetlb_reserve_pages() /* Attempt subpool reservation */ gbl_reserve = hugepage_subpool_get_pages(spool, chg); /* Global reservation may fail after subpool allocation */ if (hugetlb_acct_memory(h, gbl_reserve) < 0) goto out_put_pages; out_put_pages: /* This incorrectly restores reservation to subpool */ hugepage_subpool_put_pages(spool, chg); When hugetlb_acct_memory() fails after subpool allocation, the current implementation over-commits subpool reservations by returning the full 'chg' value instead of the actual allocated 'gbl_reserve' amount. This discrepancy propagates to global reservations during subsequent releases, eventually causing resv_huge_pages underflow. This problem can be trigger easily with the following steps: 1. reverse hugepage for hugeltb allocation 2. mount hugetlbfs with min_size to enable hugetlb subpool 3. alloc hugepages with two task(make sure the second will fail due to insufficient amount of hugepages) 4. with for a few seconds and repeat step 3 which will make hstate->resv_huge_pages to go below zero. To fix this problem, return corrent amount of pages to subpool during the fallback after hugepage_subpool_get_pages is called. Link: https://lkml.kernel.org/r/20250410062633.3102457-1-mawupeng1@huawei.com Fixes: 1c5ecae3a93f ("hugetlbfs: add minimum size accounting to subpools") Signed-off-by: Wupeng Ma <mawupeng1(a)huawei.com> Tested-by: Joshua Hahn <joshua.hahnjy(a)gmail.com> Reviewed-by: Oscar Salvador <osalvador(a)suse.de> Cc: David Hildenbrand <david(a)redhat.com> Cc: Ma Wupeng <mawupeng1(a)huawei.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 6ea1be71aa42..7ae38bfb9096 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -3010,7 +3010,7 @@ struct folio *alloc_hugetlb_folio(struct vm_area_struct *vma, struct hugepage_subpool *spool = subpool_vma(vma); struct hstate *h = hstate_vma(vma); struct folio *folio; - long retval, gbl_chg; + long retval, gbl_chg, gbl_reserve; map_chg_state map_chg; int ret, idx; struct hugetlb_cgroup *h_cg = NULL; @@ -3163,8 +3163,16 @@ struct folio *alloc_hugetlb_folio(struct vm_area_struct *vma, hugetlb_cgroup_uncharge_cgroup_rsvd(idx, pages_per_huge_page(h), h_cg); out_subpool_put: - if (map_chg) - hugepage_subpool_put_pages(spool, 1); + /* + * put page to subpool iff the quota of subpool's rsv_hpages is used + * during hugepage_subpool_get_pages. + */ + if (map_chg && !gbl_chg) { + gbl_reserve = hugepage_subpool_put_pages(spool, 1); + hugetlb_acct_memory(h, -gbl_reserve); + } + + out_end_reservation: if (map_chg != MAP_CHG_ENFORCED) vma_end_reservation(h, vma, addr); @@ -7239,7 +7247,7 @@ bool hugetlb_reserve_pages(struct inode *inode, struct vm_area_struct *vma, vm_flags_t vm_flags) { - long chg = -1, add = -1; + long chg = -1, add = -1, spool_resv, gbl_resv; struct hstate *h = hstate_inode(inode); struct hugepage_subpool *spool = subpool_inode(inode); struct resv_map *resv_map; @@ -7374,8 +7382,16 @@ bool hugetlb_reserve_pages(struct inode *inode, return true; out_put_pages: - /* put back original number of pages, chg */ - (void)hugepage_subpool_put_pages(spool, chg); + spool_resv = chg - gbl_reserve; + if (spool_resv) { + /* put sub pool's reservation back, chg - gbl_reserve */ + gbl_resv = hugepage_subpool_put_pages(spool, spool_resv); + /* + * subpool's reserved pages can not be put back due to race, + * return to hstate. + */ + hugetlb_acct_memory(h, -gbl_resv); + } out_uncharge_cgroup: hugetlb_cgroup_uncharge_cgroup_rsvd(hstate_index(h), chg * pages_per_huge_page(h), h_cg);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: hugetlb: fix incorrect fallback for subpool" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x a833a693a490ecff8ba377654c6d4d333718b6b1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051905-getup-hatchery-57be@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a833a693a490ecff8ba377654c6d4d333718b6b1 Mon Sep 17 00:00:00 2001 From: Wupeng Ma <mawupeng1(a)huawei.com> Date: Thu, 10 Apr 2025 14:26:33 +0800 Subject: [PATCH] mm: hugetlb: fix incorrect fallback for subpool During our testing with hugetlb subpool enabled, we observe that hstate->resv_huge_pages may underflow into negative values. Root cause analysis reveals a race condition in subpool reservation fallback handling as follow: hugetlb_reserve_pages() /* Attempt subpool reservation */ gbl_reserve = hugepage_subpool_get_pages(spool, chg); /* Global reservation may fail after subpool allocation */ if (hugetlb_acct_memory(h, gbl_reserve) < 0) goto out_put_pages; out_put_pages: /* This incorrectly restores reservation to subpool */ hugepage_subpool_put_pages(spool, chg); When hugetlb_acct_memory() fails after subpool allocation, the current implementation over-commits subpool reservations by returning the full 'chg' value instead of the actual allocated 'gbl_reserve' amount. This discrepancy propagates to global reservations during subsequent releases, eventually causing resv_huge_pages underflow. This problem can be trigger easily with the following steps: 1. reverse hugepage for hugeltb allocation 2. mount hugetlbfs with min_size to enable hugetlb subpool 3. alloc hugepages with two task(make sure the second will fail due to insufficient amount of hugepages) 4. with for a few seconds and repeat step 3 which will make hstate->resv_huge_pages to go below zero. To fix this problem, return corrent amount of pages to subpool during the fallback after hugepage_subpool_get_pages is called. Link: https://lkml.kernel.org/r/20250410062633.3102457-1-mawupeng1@huawei.com Fixes: 1c5ecae3a93f ("hugetlbfs: add minimum size accounting to subpools") Signed-off-by: Wupeng Ma <mawupeng1(a)huawei.com> Tested-by: Joshua Hahn <joshua.hahnjy(a)gmail.com> Reviewed-by: Oscar Salvador <osalvador(a)suse.de> Cc: David Hildenbrand <david(a)redhat.com> Cc: Ma Wupeng <mawupeng1(a)huawei.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 6ea1be71aa42..7ae38bfb9096 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -3010,7 +3010,7 @@ struct folio *alloc_hugetlb_folio(struct vm_area_struct *vma, struct hugepage_subpool *spool = subpool_vma(vma); struct hstate *h = hstate_vma(vma); struct folio *folio; - long retval, gbl_chg; + long retval, gbl_chg, gbl_reserve; map_chg_state map_chg; int ret, idx; struct hugetlb_cgroup *h_cg = NULL; @@ -3163,8 +3163,16 @@ struct folio *alloc_hugetlb_folio(struct vm_area_struct *vma, hugetlb_cgroup_uncharge_cgroup_rsvd(idx, pages_per_huge_page(h), h_cg); out_subpool_put: - if (map_chg) - hugepage_subpool_put_pages(spool, 1); + /* + * put page to subpool iff the quota of subpool's rsv_hpages is used + * during hugepage_subpool_get_pages. + */ + if (map_chg && !gbl_chg) { + gbl_reserve = hugepage_subpool_put_pages(spool, 1); + hugetlb_acct_memory(h, -gbl_reserve); + } + + out_end_reservation: if (map_chg != MAP_CHG_ENFORCED) vma_end_reservation(h, vma, addr); @@ -7239,7 +7247,7 @@ bool hugetlb_reserve_pages(struct inode *inode, struct vm_area_struct *vma, vm_flags_t vm_flags) { - long chg = -1, add = -1; + long chg = -1, add = -1, spool_resv, gbl_resv; struct hstate *h = hstate_inode(inode); struct hugepage_subpool *spool = subpool_inode(inode); struct resv_map *resv_map; @@ -7374,8 +7382,16 @@ bool hugetlb_reserve_pages(struct inode *inode, return true; out_put_pages: - /* put back original number of pages, chg */ - (void)hugepage_subpool_put_pages(spool, chg); + spool_resv = chg - gbl_reserve; + if (spool_resv) { + /* put sub pool's reservation back, chg - gbl_reserve */ + gbl_resv = hugepage_subpool_put_pages(spool, spool_resv); + /* + * subpool's reserved pages can not be put back due to race, + * return to hstate. + */ + hugetlb_acct_memory(h, -gbl_resv); + } out_uncharge_cgroup: hugetlb_cgroup_uncharge_cgroup_rsvd(hstate_index(h), chg * pages_per_huge_page(h), h_cg);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: hugetlb: fix incorrect fallback for subpool" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x a833a693a490ecff8ba377654c6d4d333718b6b1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051959-steadily-imposing-a3e6@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a833a693a490ecff8ba377654c6d4d333718b6b1 Mon Sep 17 00:00:00 2001 From: Wupeng Ma <mawupeng1(a)huawei.com> Date: Thu, 10 Apr 2025 14:26:33 +0800 Subject: [PATCH] mm: hugetlb: fix incorrect fallback for subpool During our testing with hugetlb subpool enabled, we observe that hstate->resv_huge_pages may underflow into negative values. Root cause analysis reveals a race condition in subpool reservation fallback handling as follow: hugetlb_reserve_pages() /* Attempt subpool reservation */ gbl_reserve = hugepage_subpool_get_pages(spool, chg); /* Global reservation may fail after subpool allocation */ if (hugetlb_acct_memory(h, gbl_reserve) < 0) goto out_put_pages; out_put_pages: /* This incorrectly restores reservation to subpool */ hugepage_subpool_put_pages(spool, chg); When hugetlb_acct_memory() fails after subpool allocation, the current implementation over-commits subpool reservations by returning the full 'chg' value instead of the actual allocated 'gbl_reserve' amount. This discrepancy propagates to global reservations during subsequent releases, eventually causing resv_huge_pages underflow. This problem can be trigger easily with the following steps: 1. reverse hugepage for hugeltb allocation 2. mount hugetlbfs with min_size to enable hugetlb subpool 3. alloc hugepages with two task(make sure the second will fail due to insufficient amount of hugepages) 4. with for a few seconds and repeat step 3 which will make hstate->resv_huge_pages to go below zero. To fix this problem, return corrent amount of pages to subpool during the fallback after hugepage_subpool_get_pages is called. Link: https://lkml.kernel.org/r/20250410062633.3102457-1-mawupeng1@huawei.com Fixes: 1c5ecae3a93f ("hugetlbfs: add minimum size accounting to subpools") Signed-off-by: Wupeng Ma <mawupeng1(a)huawei.com> Tested-by: Joshua Hahn <joshua.hahnjy(a)gmail.com> Reviewed-by: Oscar Salvador <osalvador(a)suse.de> Cc: David Hildenbrand <david(a)redhat.com> Cc: Ma Wupeng <mawupeng1(a)huawei.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 6ea1be71aa42..7ae38bfb9096 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -3010,7 +3010,7 @@ struct folio *alloc_hugetlb_folio(struct vm_area_struct *vma, struct hugepage_subpool *spool = subpool_vma(vma); struct hstate *h = hstate_vma(vma); struct folio *folio; - long retval, gbl_chg; + long retval, gbl_chg, gbl_reserve; map_chg_state map_chg; int ret, idx; struct hugetlb_cgroup *h_cg = NULL; @@ -3163,8 +3163,16 @@ struct folio *alloc_hugetlb_folio(struct vm_area_struct *vma, hugetlb_cgroup_uncharge_cgroup_rsvd(idx, pages_per_huge_page(h), h_cg); out_subpool_put: - if (map_chg) - hugepage_subpool_put_pages(spool, 1); + /* + * put page to subpool iff the quota of subpool's rsv_hpages is used + * during hugepage_subpool_get_pages. + */ + if (map_chg && !gbl_chg) { + gbl_reserve = hugepage_subpool_put_pages(spool, 1); + hugetlb_acct_memory(h, -gbl_reserve); + } + + out_end_reservation: if (map_chg != MAP_CHG_ENFORCED) vma_end_reservation(h, vma, addr); @@ -7239,7 +7247,7 @@ bool hugetlb_reserve_pages(struct inode *inode, struct vm_area_struct *vma, vm_flags_t vm_flags) { - long chg = -1, add = -1; + long chg = -1, add = -1, spool_resv, gbl_resv; struct hstate *h = hstate_inode(inode); struct hugepage_subpool *spool = subpool_inode(inode); struct resv_map *resv_map; @@ -7374,8 +7382,16 @@ bool hugetlb_reserve_pages(struct inode *inode, return true; out_put_pages: - /* put back original number of pages, chg */ - (void)hugepage_subpool_put_pages(spool, chg); + spool_resv = chg - gbl_reserve; + if (spool_resv) { + /* put sub pool's reservation back, chg - gbl_reserve */ + gbl_resv = hugepage_subpool_put_pages(spool, spool_resv); + /* + * subpool's reserved pages can not be put back due to race, + * return to hstate. + */ + hugetlb_acct_memory(h, -gbl_resv); + } out_uncharge_cgroup: hugetlb_cgroup_uncharge_cgroup_rsvd(hstate_index(h), chg * pages_per_huge_page(h), h_cg);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] wifi: mt76: disable napi on driver removal" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 78ab4be549533432d97ea8989d2f00b508fa68d8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051939-overbuilt-leverage-7eec@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 78ab4be549533432d97ea8989d2f00b508fa68d8 Mon Sep 17 00:00:00 2001 From: Fedor Pchelkin <pchelkin(a)ispras.ru> Date: Tue, 6 May 2025 14:55:39 +0300 Subject: [PATCH] wifi: mt76: disable napi on driver removal A warning on driver removal started occurring after commit 9dd05df8403b ("net: warn if NAPI instance wasn't shut down"). Disable tx napi before deleting it in mt76_dma_cleanup(). WARNING: CPU: 4 PID: 18828 at net/core/dev.c:7288 __netif_napi_del_locked+0xf0/0x100 CPU: 4 UID: 0 PID: 18828 Comm: modprobe Not tainted 6.15.0-rc4 #4 PREEMPT(lazy) Hardware name: ASUS System Product Name/PRIME X670E-PRO WIFI, BIOS 3035 09/05/2024 RIP: 0010:__netif_napi_del_locked+0xf0/0x100 Call Trace: <TASK> mt76_dma_cleanup+0x54/0x2f0 [mt76] mt7921_pci_remove+0xd5/0x190 [mt7921e] pci_device_remove+0x47/0xc0 device_release_driver_internal+0x19e/0x200 driver_detach+0x48/0x90 bus_remove_driver+0x6d/0xf0 pci_unregister_driver+0x2e/0xb0 __do_sys_delete_module.isra.0+0x197/0x2e0 do_syscall_64+0x7b/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e Tested with mt7921e but the same pattern can be actually applied to other mt76 drivers calling mt76_dma_cleanup() during removal. Tx napi is enabled in their *_dma_init() functions and only toggled off and on again inside their suspend/resume/reset paths. So it should be okay to disable tx napi in such a generic way. Found by Linux Verification Center (linuxtesting.org). Fixes: 2ac515a5d74f ("mt76: mt76x02: use napi polling for tx cleanup") Cc: stable(a)vger.kernel.org Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> Tested-by: Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> Link: https://patch.msgid.link/20250506115540.19045-1-pchelkin@ispras.ru Signed-off-by: Felix Fietkau <nbd(a)nbd.name> diff --git a/drivers/net/wireless/mediatek/mt76/dma.c b/drivers/net/wireless/mediatek/mt76/dma.c index 844af16ee551..35b4ec91979e 100644 --- a/drivers/net/wireless/mediatek/mt76/dma.c +++ b/drivers/net/wireless/mediatek/mt76/dma.c @@ -1011,6 +1011,7 @@ void mt76_dma_cleanup(struct mt76_dev *dev) int i; mt76_worker_disable(&dev->tx_worker); + napi_disable(&dev->tx_napi); netif_napi_del(&dev->tx_napi); for (i = 0; i < ARRAY_SIZE(dev->phys); i++) {

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] scsi: sd_zbc: block: Respect bio vector limits for REPORT" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x e8007fad5457ea547ca63bb011fdb03213571c7e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051959-radiantly-ominous-f8f3@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e8007fad5457ea547ca63bb011fdb03213571c7e Mon Sep 17 00:00:00 2001 From: Steve Siwinski <ssiwinski(a)atto.com> Date: Thu, 8 May 2025 16:01:22 -0400 Subject: [PATCH] scsi: sd_zbc: block: Respect bio vector limits for REPORT ZONES buffer The REPORT ZONES buffer size is currently limited by the HBA's maximum segment count to ensure the buffer can be mapped. However, the block layer further limits the number of iovec entries to 1024 when allocating a bio. To avoid allocation of buffers too large to be mapped, further restrict the maximum buffer size to BIO_MAX_INLINE_VECS. Replace the UIO_MAXIOV symbolic name with the more contextually appropriate BIO_MAX_INLINE_VECS. Fixes: b091ac616846 ("sd_zbc: Fix report zones buffer allocation") Cc: stable(a)vger.kernel.org Signed-off-by: Steve Siwinski <ssiwinski(a)atto.com> Link: https://lore.kernel.org/r/20250508200122.243129-1-ssiwinski@atto.com Reviewed-by: Damien Le Moal <dlemoal(a)kernel.org> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> diff --git a/block/bio.c b/block/bio.c index 4e6c85a33d74..4be592d37fb6 100644 --- a/block/bio.c +++ b/block/bio.c @@ -611,7 +611,7 @@ struct bio *bio_kmalloc(unsigned short nr_vecs, gfp_t gfp_mask) { struct bio *bio; - if (nr_vecs > UIO_MAXIOV) + if (nr_vecs > BIO_MAX_INLINE_VECS) return NULL; return kmalloc(struct_size(bio, bi_inline_vecs, nr_vecs), gfp_mask); } diff --git a/drivers/scsi/sd_zbc.c b/drivers/scsi/sd_zbc.c index 7a447ff600d2..a8db66428f80 100644 --- a/drivers/scsi/sd_zbc.c +++ b/drivers/scsi/sd_zbc.c @@ -169,6 +169,7 @@ static void *sd_zbc_alloc_report_buffer(struct scsi_disk *sdkp, unsigned int nr_zones, size_t *buflen) { struct request_queue *q = sdkp->disk->queue; + unsigned int max_segments; size_t bufsize; void *buf; @@ -180,12 +181,15 @@ static void *sd_zbc_alloc_report_buffer(struct scsi_disk *sdkp, * Furthermore, since the report zone command cannot be split, make * sure that the allocated buffer can always be mapped by limiting the * number of pages allocated to the HBA max segments limit. + * Since max segments can be larger than the max inline bio vectors, + * further limit the allocated buffer to BIO_MAX_INLINE_VECS. */ nr_zones = min(nr_zones, sdkp->zone_info.nr_zones); bufsize = roundup((nr_zones + 1) * 64, SECTOR_SIZE); bufsize = min_t(size_t, bufsize, queue_max_hw_sectors(q) << SECTOR_SHIFT); - bufsize = min_t(size_t, bufsize, queue_max_segments(q) << PAGE_SHIFT); + max_segments = min(BIO_MAX_INLINE_VECS, queue_max_segments(q)); + bufsize = min_t(size_t, bufsize, max_segments << PAGE_SHIFT); while (bufsize >= SECTOR_SIZE) { buf = kvzalloc(bufsize, GFP_KERNEL | __GFP_NORETRY); diff --git a/include/linux/bio.h b/include/linux/bio.h index cafc7c215de8..b786ec5bcc81 100644 --- a/include/linux/bio.h +++ b/include/linux/bio.h @@ -11,6 +11,7 @@ #include <linux/uio.h> #define BIO_MAX_VECS 256U +#define BIO_MAX_INLINE_VECS UIO_MAXIOV struct queue_limits;

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] scsi: sd_zbc: block: Respect bio vector limits for REPORT" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x e8007fad5457ea547ca63bb011fdb03213571c7e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051959-relieving-trifocals-0eed@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e8007fad5457ea547ca63bb011fdb03213571c7e Mon Sep 17 00:00:00 2001 From: Steve Siwinski <ssiwinski(a)atto.com> Date: Thu, 8 May 2025 16:01:22 -0400 Subject: [PATCH] scsi: sd_zbc: block: Respect bio vector limits for REPORT ZONES buffer The REPORT ZONES buffer size is currently limited by the HBA's maximum segment count to ensure the buffer can be mapped. However, the block layer further limits the number of iovec entries to 1024 when allocating a bio. To avoid allocation of buffers too large to be mapped, further restrict the maximum buffer size to BIO_MAX_INLINE_VECS. Replace the UIO_MAXIOV symbolic name with the more contextually appropriate BIO_MAX_INLINE_VECS. Fixes: b091ac616846 ("sd_zbc: Fix report zones buffer allocation") Cc: stable(a)vger.kernel.org Signed-off-by: Steve Siwinski <ssiwinski(a)atto.com> Link: https://lore.kernel.org/r/20250508200122.243129-1-ssiwinski@atto.com Reviewed-by: Damien Le Moal <dlemoal(a)kernel.org> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> diff --git a/block/bio.c b/block/bio.c index 4e6c85a33d74..4be592d37fb6 100644 --- a/block/bio.c +++ b/block/bio.c @@ -611,7 +611,7 @@ struct bio *bio_kmalloc(unsigned short nr_vecs, gfp_t gfp_mask) { struct bio *bio; - if (nr_vecs > UIO_MAXIOV) + if (nr_vecs > BIO_MAX_INLINE_VECS) return NULL; return kmalloc(struct_size(bio, bi_inline_vecs, nr_vecs), gfp_mask); } diff --git a/drivers/scsi/sd_zbc.c b/drivers/scsi/sd_zbc.c index 7a447ff600d2..a8db66428f80 100644 --- a/drivers/scsi/sd_zbc.c +++ b/drivers/scsi/sd_zbc.c @@ -169,6 +169,7 @@ static void *sd_zbc_alloc_report_buffer(struct scsi_disk *sdkp, unsigned int nr_zones, size_t *buflen) { struct request_queue *q = sdkp->disk->queue; + unsigned int max_segments; size_t bufsize; void *buf; @@ -180,12 +181,15 @@ static void *sd_zbc_alloc_report_buffer(struct scsi_disk *sdkp, * Furthermore, since the report zone command cannot be split, make * sure that the allocated buffer can always be mapped by limiting the * number of pages allocated to the HBA max segments limit. + * Since max segments can be larger than the max inline bio vectors, + * further limit the allocated buffer to BIO_MAX_INLINE_VECS. */ nr_zones = min(nr_zones, sdkp->zone_info.nr_zones); bufsize = roundup((nr_zones + 1) * 64, SECTOR_SIZE); bufsize = min_t(size_t, bufsize, queue_max_hw_sectors(q) << SECTOR_SHIFT); - bufsize = min_t(size_t, bufsize, queue_max_segments(q) << PAGE_SHIFT); + max_segments = min(BIO_MAX_INLINE_VECS, queue_max_segments(q)); + bufsize = min_t(size_t, bufsize, max_segments << PAGE_SHIFT); while (bufsize >= SECTOR_SIZE) { buf = kvzalloc(bufsize, GFP_KERNEL | __GFP_NORETRY); diff --git a/include/linux/bio.h b/include/linux/bio.h index cafc7c215de8..b786ec5bcc81 100644 --- a/include/linux/bio.h +++ b/include/linux/bio.h @@ -11,6 +11,7 @@ #include <linux/uio.h> #define BIO_MAX_VECS 256U +#define BIO_MAX_INLINE_VECS UIO_MAXIOV struct queue_limits;

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] scsi: sd_zbc: block: Respect bio vector limits for REPORT" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x e8007fad5457ea547ca63bb011fdb03213571c7e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051958-canal-tidbit-2b4d@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e8007fad5457ea547ca63bb011fdb03213571c7e Mon Sep 17 00:00:00 2001 From: Steve Siwinski <ssiwinski(a)atto.com> Date: Thu, 8 May 2025 16:01:22 -0400 Subject: [PATCH] scsi: sd_zbc: block: Respect bio vector limits for REPORT ZONES buffer The REPORT ZONES buffer size is currently limited by the HBA's maximum segment count to ensure the buffer can be mapped. However, the block layer further limits the number of iovec entries to 1024 when allocating a bio. To avoid allocation of buffers too large to be mapped, further restrict the maximum buffer size to BIO_MAX_INLINE_VECS. Replace the UIO_MAXIOV symbolic name with the more contextually appropriate BIO_MAX_INLINE_VECS. Fixes: b091ac616846 ("sd_zbc: Fix report zones buffer allocation") Cc: stable(a)vger.kernel.org Signed-off-by: Steve Siwinski <ssiwinski(a)atto.com> Link: https://lore.kernel.org/r/20250508200122.243129-1-ssiwinski@atto.com Reviewed-by: Damien Le Moal <dlemoal(a)kernel.org> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> diff --git a/block/bio.c b/block/bio.c index 4e6c85a33d74..4be592d37fb6 100644 --- a/block/bio.c +++ b/block/bio.c @@ -611,7 +611,7 @@ struct bio *bio_kmalloc(unsigned short nr_vecs, gfp_t gfp_mask) { struct bio *bio; - if (nr_vecs > UIO_MAXIOV) + if (nr_vecs > BIO_MAX_INLINE_VECS) return NULL; return kmalloc(struct_size(bio, bi_inline_vecs, nr_vecs), gfp_mask); } diff --git a/drivers/scsi/sd_zbc.c b/drivers/scsi/sd_zbc.c index 7a447ff600d2..a8db66428f80 100644 --- a/drivers/scsi/sd_zbc.c +++ b/drivers/scsi/sd_zbc.c @@ -169,6 +169,7 @@ static void *sd_zbc_alloc_report_buffer(struct scsi_disk *sdkp, unsigned int nr_zones, size_t *buflen) { struct request_queue *q = sdkp->disk->queue; + unsigned int max_segments; size_t bufsize; void *buf; @@ -180,12 +181,15 @@ static void *sd_zbc_alloc_report_buffer(struct scsi_disk *sdkp, * Furthermore, since the report zone command cannot be split, make * sure that the allocated buffer can always be mapped by limiting the * number of pages allocated to the HBA max segments limit. + * Since max segments can be larger than the max inline bio vectors, + * further limit the allocated buffer to BIO_MAX_INLINE_VECS. */ nr_zones = min(nr_zones, sdkp->zone_info.nr_zones); bufsize = roundup((nr_zones + 1) * 64, SECTOR_SIZE); bufsize = min_t(size_t, bufsize, queue_max_hw_sectors(q) << SECTOR_SHIFT); - bufsize = min_t(size_t, bufsize, queue_max_segments(q) << PAGE_SHIFT); + max_segments = min(BIO_MAX_INLINE_VECS, queue_max_segments(q)); + bufsize = min_t(size_t, bufsize, max_segments << PAGE_SHIFT); while (bufsize >= SECTOR_SIZE) { buf = kvzalloc(bufsize, GFP_KERNEL | __GFP_NORETRY); diff --git a/include/linux/bio.h b/include/linux/bio.h index cafc7c215de8..b786ec5bcc81 100644 --- a/include/linux/bio.h +++ b/include/linux/bio.h @@ -11,6 +11,7 @@ #include <linux/uio.h> #define BIO_MAX_VECS 256U +#define BIO_MAX_INLINE_VECS UIO_MAXIOV struct queue_limits;

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] phy: renesas: rcar-gen3-usb2: Lock around hardware registers" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 55a387ebb9219cbe4edfa8ba9996ccb0e7ad4932 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051926-moonlit-rash-12a3@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 55a387ebb9219cbe4edfa8ba9996ccb0e7ad4932 Mon Sep 17 00:00:00 2001 From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Date: Wed, 7 May 2025 15:50:30 +0300 Subject: [PATCH] phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data The phy-rcar-gen3-usb2 driver exposes four individual PHYs that are requested and configured by PHY users. The struct phy_ops APIs access the same set of registers to configure all PHYs. Additionally, PHY settings can be modified through sysfs or an IRQ handler. While some struct phy_ops APIs are protected by a driver-wide mutex, others rely on individual PHY-specific mutexes. This approach can lead to various issues, including: 1/ the IRQ handler may interrupt PHY settings in progress, racing with hardware configuration protected by a mutex lock 2/ due to msleep(20) in rcar_gen3_init_otg(), while a configuration thread suspends to wait for the delay, another thread may try to configure another PHY (with phy_init() + phy_power_on()); re-running the phy_init() goes to the exact same configuration code, re-running the same hardware configuration on the same set of registers (and bits) which might impact the result of the msleep for the 1st configuring thread 3/ sysfs can configure the hardware (though role_store()) and it can still race with the phy_init()/phy_power_on() APIs calling into the drivers struct phy_ops To address these issues, add a spinlock to protect hardware register access and driver private data structures (e.g., calls to rcar_gen3_is_any_rphy_initialized()). Checking driver-specific data remains necessary as all PHY instances share common settings. With this change, the existing mutex protection is removed and the cleanup.h helpers are used. While at it, to keep the code simpler, do not skip regulator_enable()/regulator_disable() APIs in rcar_gen3_phy_usb2_power_on()/rcar_gen3_phy_usb2_power_off() as the regulators enable/disable operations are reference counted anyway. Fixes: f3b5a8d9b50d ("phy: rcar-gen3-usb2: Add R-Car Gen3 USB2 PHY driver") Cc: stable(a)vger.kernel.org Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Link: https://lore.kernel.org/r/20250507125032.565017-4-claudiu.beznea.uj@bp.rene… Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/phy/renesas/phy-rcar-gen3-usb2.c b/drivers/phy/renesas/phy-rcar-gen3-usb2.c index bb05fd26eb7f..00ce564463de 100644 --- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c +++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c @@ -9,6 +9,7 @@ * Copyright (C) 2014 Cogent Embedded, Inc. */ +#include <linux/cleanup.h> #include <linux/extcon-provider.h> #include <linux/interrupt.h> #include <linux/io.h> @@ -118,7 +119,7 @@ struct rcar_gen3_chan { struct regulator *vbus; struct reset_control *rstc; struct work_struct work; - struct mutex lock; /* protects rphys[...].powered */ + spinlock_t lock; /* protects access to hardware and driver data structure. */ enum usb_dr_mode dr_mode; u32 obint_enable_bits; bool extcon_host; @@ -348,6 +349,8 @@ static ssize_t role_store(struct device *dev, struct device_attribute *attr, bool is_b_device; enum phy_mode cur_mode, new_mode; + guard(spinlock_irqsave)(&ch->lock); + if (!ch->is_otg_channel || !rcar_gen3_is_any_otg_rphy_initialized(ch)) return -EIO; @@ -415,7 +418,7 @@ static void rcar_gen3_init_otg(struct rcar_gen3_chan *ch) val = readl(usb2_base + USB2_ADPCTRL); writel(val | USB2_ADPCTRL_IDPULLUP, usb2_base + USB2_ADPCTRL); } - msleep(20); + mdelay(20); writel(0xffffffff, usb2_base + USB2_OBINTSTA); writel(ch->obint_enable_bits, usb2_base + USB2_OBINTEN); @@ -436,12 +439,14 @@ static irqreturn_t rcar_gen3_phy_usb2_irq(int irq, void *_ch) if (pm_runtime_suspended(dev)) goto rpm_put; - status = readl(usb2_base + USB2_OBINTSTA); - if (status & ch->obint_enable_bits) { - dev_vdbg(dev, "%s: %08x\n", __func__, status); - writel(ch->obint_enable_bits, usb2_base + USB2_OBINTSTA); - rcar_gen3_device_recognition(ch); - ret = IRQ_HANDLED; + scoped_guard(spinlock, &ch->lock) { + status = readl(usb2_base + USB2_OBINTSTA); + if (status & ch->obint_enable_bits) { + dev_vdbg(dev, "%s: %08x\n", __func__, status); + writel(ch->obint_enable_bits, usb2_base + USB2_OBINTSTA); + rcar_gen3_device_recognition(ch); + ret = IRQ_HANDLED; + } } rpm_put: @@ -456,6 +461,8 @@ static int rcar_gen3_phy_usb2_init(struct phy *p) void __iomem *usb2_base = channel->base; u32 val; + guard(spinlock_irqsave)(&channel->lock); + /* Initialize USB2 part */ val = readl(usb2_base + USB2_INT_ENABLE); val |= USB2_INT_ENABLE_UCOM_INTEN | rphy->int_enable_bits; @@ -479,6 +486,8 @@ static int rcar_gen3_phy_usb2_exit(struct phy *p) void __iomem *usb2_base = channel->base; u32 val; + guard(spinlock_irqsave)(&channel->lock); + rphy->initialized = false; val = readl(usb2_base + USB2_INT_ENABLE); @@ -498,16 +507,17 @@ static int rcar_gen3_phy_usb2_power_on(struct phy *p) u32 val; int ret = 0; - mutex_lock(&channel->lock); - if (!rcar_gen3_are_all_rphys_power_off(channel)) - goto out; - if (channel->vbus) { ret = regulator_enable(channel->vbus); if (ret) - goto out; + return ret; } + guard(spinlock_irqsave)(&channel->lock); + + if (!rcar_gen3_are_all_rphys_power_off(channel)) + goto out; + val = readl(usb2_base + USB2_USBCTR); val |= USB2_USBCTR_PLL_RST; writel(val, usb2_base + USB2_USBCTR); @@ -517,7 +527,6 @@ static int rcar_gen3_phy_usb2_power_on(struct phy *p) out: /* The powered flag should be set for any other phys anyway */ rphy->powered = true; - mutex_unlock(&channel->lock); return 0; } @@ -528,18 +537,12 @@ static int rcar_gen3_phy_usb2_power_off(struct phy *p) struct rcar_gen3_chan *channel = rphy->ch; int ret = 0; - mutex_lock(&channel->lock); - rphy->powered = false; - - if (!rcar_gen3_are_all_rphys_power_off(channel)) - goto out; + scoped_guard(spinlock_irqsave, &channel->lock) + rphy->powered = false; if (channel->vbus) ret = regulator_disable(channel->vbus); -out: - mutex_unlock(&channel->lock); - return ret; } @@ -750,7 +753,7 @@ static int rcar_gen3_phy_usb2_probe(struct platform_device *pdev) if (phy_data->no_adp_ctrl) channel->obint_enable_bits = USB2_OBINT_IDCHG_EN; - mutex_init(&channel->lock); + spin_lock_init(&channel->lock); for (i = 0; i < NUM_OF_PHYS; i++) { channel->rphys[i].phy = devm_phy_create(dev, NULL, phy_data->phy_usb2_ops);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] phy: renesas: rcar-gen3-usb2: Lock around hardware registers" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 55a387ebb9219cbe4edfa8ba9996ccb0e7ad4932 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051925-shine-trump-fcd5@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 55a387ebb9219cbe4edfa8ba9996ccb0e7ad4932 Mon Sep 17 00:00:00 2001 From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Date: Wed, 7 May 2025 15:50:30 +0300 Subject: [PATCH] phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data The phy-rcar-gen3-usb2 driver exposes four individual PHYs that are requested and configured by PHY users. The struct phy_ops APIs access the same set of registers to configure all PHYs. Additionally, PHY settings can be modified through sysfs or an IRQ handler. While some struct phy_ops APIs are protected by a driver-wide mutex, others rely on individual PHY-specific mutexes. This approach can lead to various issues, including: 1/ the IRQ handler may interrupt PHY settings in progress, racing with hardware configuration protected by a mutex lock 2/ due to msleep(20) in rcar_gen3_init_otg(), while a configuration thread suspends to wait for the delay, another thread may try to configure another PHY (with phy_init() + phy_power_on()); re-running the phy_init() goes to the exact same configuration code, re-running the same hardware configuration on the same set of registers (and bits) which might impact the result of the msleep for the 1st configuring thread 3/ sysfs can configure the hardware (though role_store()) and it can still race with the phy_init()/phy_power_on() APIs calling into the drivers struct phy_ops To address these issues, add a spinlock to protect hardware register access and driver private data structures (e.g., calls to rcar_gen3_is_any_rphy_initialized()). Checking driver-specific data remains necessary as all PHY instances share common settings. With this change, the existing mutex protection is removed and the cleanup.h helpers are used. While at it, to keep the code simpler, do not skip regulator_enable()/regulator_disable() APIs in rcar_gen3_phy_usb2_power_on()/rcar_gen3_phy_usb2_power_off() as the regulators enable/disable operations are reference counted anyway. Fixes: f3b5a8d9b50d ("phy: rcar-gen3-usb2: Add R-Car Gen3 USB2 PHY driver") Cc: stable(a)vger.kernel.org Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Link: https://lore.kernel.org/r/20250507125032.565017-4-claudiu.beznea.uj@bp.rene… Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/phy/renesas/phy-rcar-gen3-usb2.c b/drivers/phy/renesas/phy-rcar-gen3-usb2.c index bb05fd26eb7f..00ce564463de 100644 --- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c +++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c @@ -9,6 +9,7 @@ * Copyright (C) 2014 Cogent Embedded, Inc. */ +#include <linux/cleanup.h> #include <linux/extcon-provider.h> #include <linux/interrupt.h> #include <linux/io.h> @@ -118,7 +119,7 @@ struct rcar_gen3_chan { struct regulator *vbus; struct reset_control *rstc; struct work_struct work; - struct mutex lock; /* protects rphys[...].powered */ + spinlock_t lock; /* protects access to hardware and driver data structure. */ enum usb_dr_mode dr_mode; u32 obint_enable_bits; bool extcon_host; @@ -348,6 +349,8 @@ static ssize_t role_store(struct device *dev, struct device_attribute *attr, bool is_b_device; enum phy_mode cur_mode, new_mode; + guard(spinlock_irqsave)(&ch->lock); + if (!ch->is_otg_channel || !rcar_gen3_is_any_otg_rphy_initialized(ch)) return -EIO; @@ -415,7 +418,7 @@ static void rcar_gen3_init_otg(struct rcar_gen3_chan *ch) val = readl(usb2_base + USB2_ADPCTRL); writel(val | USB2_ADPCTRL_IDPULLUP, usb2_base + USB2_ADPCTRL); } - msleep(20); + mdelay(20); writel(0xffffffff, usb2_base + USB2_OBINTSTA); writel(ch->obint_enable_bits, usb2_base + USB2_OBINTEN); @@ -436,12 +439,14 @@ static irqreturn_t rcar_gen3_phy_usb2_irq(int irq, void *_ch) if (pm_runtime_suspended(dev)) goto rpm_put; - status = readl(usb2_base + USB2_OBINTSTA); - if (status & ch->obint_enable_bits) { - dev_vdbg(dev, "%s: %08x\n", __func__, status); - writel(ch->obint_enable_bits, usb2_base + USB2_OBINTSTA); - rcar_gen3_device_recognition(ch); - ret = IRQ_HANDLED; + scoped_guard(spinlock, &ch->lock) { + status = readl(usb2_base + USB2_OBINTSTA); + if (status & ch->obint_enable_bits) { + dev_vdbg(dev, "%s: %08x\n", __func__, status); + writel(ch->obint_enable_bits, usb2_base + USB2_OBINTSTA); + rcar_gen3_device_recognition(ch); + ret = IRQ_HANDLED; + } } rpm_put: @@ -456,6 +461,8 @@ static int rcar_gen3_phy_usb2_init(struct phy *p) void __iomem *usb2_base = channel->base; u32 val; + guard(spinlock_irqsave)(&channel->lock); + /* Initialize USB2 part */ val = readl(usb2_base + USB2_INT_ENABLE); val |= USB2_INT_ENABLE_UCOM_INTEN | rphy->int_enable_bits; @@ -479,6 +486,8 @@ static int rcar_gen3_phy_usb2_exit(struct phy *p) void __iomem *usb2_base = channel->base; u32 val; + guard(spinlock_irqsave)(&channel->lock); + rphy->initialized = false; val = readl(usb2_base + USB2_INT_ENABLE); @@ -498,16 +507,17 @@ static int rcar_gen3_phy_usb2_power_on(struct phy *p) u32 val; int ret = 0; - mutex_lock(&channel->lock); - if (!rcar_gen3_are_all_rphys_power_off(channel)) - goto out; - if (channel->vbus) { ret = regulator_enable(channel->vbus); if (ret) - goto out; + return ret; } + guard(spinlock_irqsave)(&channel->lock); + + if (!rcar_gen3_are_all_rphys_power_off(channel)) + goto out; + val = readl(usb2_base + USB2_USBCTR); val |= USB2_USBCTR_PLL_RST; writel(val, usb2_base + USB2_USBCTR); @@ -517,7 +527,6 @@ static int rcar_gen3_phy_usb2_power_on(struct phy *p) out: /* The powered flag should be set for any other phys anyway */ rphy->powered = true; - mutex_unlock(&channel->lock); return 0; } @@ -528,18 +537,12 @@ static int rcar_gen3_phy_usb2_power_off(struct phy *p) struct rcar_gen3_chan *channel = rphy->ch; int ret = 0; - mutex_lock(&channel->lock); - rphy->powered = false; - - if (!rcar_gen3_are_all_rphys_power_off(channel)) - goto out; + scoped_guard(spinlock_irqsave, &channel->lock) + rphy->powered = false; if (channel->vbus) ret = regulator_disable(channel->vbus); -out: - mutex_unlock(&channel->lock); - return ret; } @@ -750,7 +753,7 @@ static int rcar_gen3_phy_usb2_probe(struct platform_device *pdev) if (phy_data->no_adp_ctrl) channel->obint_enable_bits = USB2_OBINT_IDCHG_EN; - mutex_init(&channel->lock); + spin_lock_init(&channel->lock); for (i = 0; i < NUM_OF_PHYS; i++) { channel->rphys[i].phy = devm_phy_create(dev, NULL, phy_data->phy_usb2_ops);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] phy: renesas: rcar-gen3-usb2: Lock around hardware registers" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 55a387ebb9219cbe4edfa8ba9996ccb0e7ad4932 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051924-cofounder-rotten-e3f9@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 55a387ebb9219cbe4edfa8ba9996ccb0e7ad4932 Mon Sep 17 00:00:00 2001 From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Date: Wed, 7 May 2025 15:50:30 +0300 Subject: [PATCH] phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data The phy-rcar-gen3-usb2 driver exposes four individual PHYs that are requested and configured by PHY users. The struct phy_ops APIs access the same set of registers to configure all PHYs. Additionally, PHY settings can be modified through sysfs or an IRQ handler. While some struct phy_ops APIs are protected by a driver-wide mutex, others rely on individual PHY-specific mutexes. This approach can lead to various issues, including: 1/ the IRQ handler may interrupt PHY settings in progress, racing with hardware configuration protected by a mutex lock 2/ due to msleep(20) in rcar_gen3_init_otg(), while a configuration thread suspends to wait for the delay, another thread may try to configure another PHY (with phy_init() + phy_power_on()); re-running the phy_init() goes to the exact same configuration code, re-running the same hardware configuration on the same set of registers (and bits) which might impact the result of the msleep for the 1st configuring thread 3/ sysfs can configure the hardware (though role_store()) and it can still race with the phy_init()/phy_power_on() APIs calling into the drivers struct phy_ops To address these issues, add a spinlock to protect hardware register access and driver private data structures (e.g., calls to rcar_gen3_is_any_rphy_initialized()). Checking driver-specific data remains necessary as all PHY instances share common settings. With this change, the existing mutex protection is removed and the cleanup.h helpers are used. While at it, to keep the code simpler, do not skip regulator_enable()/regulator_disable() APIs in rcar_gen3_phy_usb2_power_on()/rcar_gen3_phy_usb2_power_off() as the regulators enable/disable operations are reference counted anyway. Fixes: f3b5a8d9b50d ("phy: rcar-gen3-usb2: Add R-Car Gen3 USB2 PHY driver") Cc: stable(a)vger.kernel.org Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Link: https://lore.kernel.org/r/20250507125032.565017-4-claudiu.beznea.uj@bp.rene… Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/phy/renesas/phy-rcar-gen3-usb2.c b/drivers/phy/renesas/phy-rcar-gen3-usb2.c index bb05fd26eb7f..00ce564463de 100644 --- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c +++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c @@ -9,6 +9,7 @@ * Copyright (C) 2014 Cogent Embedded, Inc. */ +#include <linux/cleanup.h> #include <linux/extcon-provider.h> #include <linux/interrupt.h> #include <linux/io.h> @@ -118,7 +119,7 @@ struct rcar_gen3_chan { struct regulator *vbus; struct reset_control *rstc; struct work_struct work; - struct mutex lock; /* protects rphys[...].powered */ + spinlock_t lock; /* protects access to hardware and driver data structure. */ enum usb_dr_mode dr_mode; u32 obint_enable_bits; bool extcon_host; @@ -348,6 +349,8 @@ static ssize_t role_store(struct device *dev, struct device_attribute *attr, bool is_b_device; enum phy_mode cur_mode, new_mode; + guard(spinlock_irqsave)(&ch->lock); + if (!ch->is_otg_channel || !rcar_gen3_is_any_otg_rphy_initialized(ch)) return -EIO; @@ -415,7 +418,7 @@ static void rcar_gen3_init_otg(struct rcar_gen3_chan *ch) val = readl(usb2_base + USB2_ADPCTRL); writel(val | USB2_ADPCTRL_IDPULLUP, usb2_base + USB2_ADPCTRL); } - msleep(20); + mdelay(20); writel(0xffffffff, usb2_base + USB2_OBINTSTA); writel(ch->obint_enable_bits, usb2_base + USB2_OBINTEN); @@ -436,12 +439,14 @@ static irqreturn_t rcar_gen3_phy_usb2_irq(int irq, void *_ch) if (pm_runtime_suspended(dev)) goto rpm_put; - status = readl(usb2_base + USB2_OBINTSTA); - if (status & ch->obint_enable_bits) { - dev_vdbg(dev, "%s: %08x\n", __func__, status); - writel(ch->obint_enable_bits, usb2_base + USB2_OBINTSTA); - rcar_gen3_device_recognition(ch); - ret = IRQ_HANDLED; + scoped_guard(spinlock, &ch->lock) { + status = readl(usb2_base + USB2_OBINTSTA); + if (status & ch->obint_enable_bits) { + dev_vdbg(dev, "%s: %08x\n", __func__, status); + writel(ch->obint_enable_bits, usb2_base + USB2_OBINTSTA); + rcar_gen3_device_recognition(ch); + ret = IRQ_HANDLED; + } } rpm_put: @@ -456,6 +461,8 @@ static int rcar_gen3_phy_usb2_init(struct phy *p) void __iomem *usb2_base = channel->base; u32 val; + guard(spinlock_irqsave)(&channel->lock); + /* Initialize USB2 part */ val = readl(usb2_base + USB2_INT_ENABLE); val |= USB2_INT_ENABLE_UCOM_INTEN | rphy->int_enable_bits; @@ -479,6 +486,8 @@ static int rcar_gen3_phy_usb2_exit(struct phy *p) void __iomem *usb2_base = channel->base; u32 val; + guard(spinlock_irqsave)(&channel->lock); + rphy->initialized = false; val = readl(usb2_base + USB2_INT_ENABLE); @@ -498,16 +507,17 @@ static int rcar_gen3_phy_usb2_power_on(struct phy *p) u32 val; int ret = 0; - mutex_lock(&channel->lock); - if (!rcar_gen3_are_all_rphys_power_off(channel)) - goto out; - if (channel->vbus) { ret = regulator_enable(channel->vbus); if (ret) - goto out; + return ret; } + guard(spinlock_irqsave)(&channel->lock); + + if (!rcar_gen3_are_all_rphys_power_off(channel)) + goto out; + val = readl(usb2_base + USB2_USBCTR); val |= USB2_USBCTR_PLL_RST; writel(val, usb2_base + USB2_USBCTR); @@ -517,7 +527,6 @@ static int rcar_gen3_phy_usb2_power_on(struct phy *p) out: /* The powered flag should be set for any other phys anyway */ rphy->powered = true; - mutex_unlock(&channel->lock); return 0; } @@ -528,18 +537,12 @@ static int rcar_gen3_phy_usb2_power_off(struct phy *p) struct rcar_gen3_chan *channel = rphy->ch; int ret = 0; - mutex_lock(&channel->lock); - rphy->powered = false; - - if (!rcar_gen3_are_all_rphys_power_off(channel)) - goto out; + scoped_guard(spinlock_irqsave, &channel->lock) + rphy->powered = false; if (channel->vbus) ret = regulator_disable(channel->vbus); -out: - mutex_unlock(&channel->lock); - return ret; } @@ -750,7 +753,7 @@ static int rcar_gen3_phy_usb2_probe(struct platform_device *pdev) if (phy_data->no_adp_ctrl) channel->obint_enable_bits = USB2_OBINT_IDCHG_EN; - mutex_init(&channel->lock); + spin_lock_init(&channel->lock); for (i = 0; i < NUM_OF_PHYS; i++) { channel->rphys[i].phy = devm_phy_create(dev, NULL, phy_data->phy_usb2_ops);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] phy: renesas: rcar-gen3-usb2: Lock around hardware registers" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 55a387ebb9219cbe4edfa8ba9996ccb0e7ad4932 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051923-subwoofer-bullpen-424f@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 55a387ebb9219cbe4edfa8ba9996ccb0e7ad4932 Mon Sep 17 00:00:00 2001 From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Date: Wed, 7 May 2025 15:50:30 +0300 Subject: [PATCH] phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data The phy-rcar-gen3-usb2 driver exposes four individual PHYs that are requested and configured by PHY users. The struct phy_ops APIs access the same set of registers to configure all PHYs. Additionally, PHY settings can be modified through sysfs or an IRQ handler. While some struct phy_ops APIs are protected by a driver-wide mutex, others rely on individual PHY-specific mutexes. This approach can lead to various issues, including: 1/ the IRQ handler may interrupt PHY settings in progress, racing with hardware configuration protected by a mutex lock 2/ due to msleep(20) in rcar_gen3_init_otg(), while a configuration thread suspends to wait for the delay, another thread may try to configure another PHY (with phy_init() + phy_power_on()); re-running the phy_init() goes to the exact same configuration code, re-running the same hardware configuration on the same set of registers (and bits) which might impact the result of the msleep for the 1st configuring thread 3/ sysfs can configure the hardware (though role_store()) and it can still race with the phy_init()/phy_power_on() APIs calling into the drivers struct phy_ops To address these issues, add a spinlock to protect hardware register access and driver private data structures (e.g., calls to rcar_gen3_is_any_rphy_initialized()). Checking driver-specific data remains necessary as all PHY instances share common settings. With this change, the existing mutex protection is removed and the cleanup.h helpers are used. While at it, to keep the code simpler, do not skip regulator_enable()/regulator_disable() APIs in rcar_gen3_phy_usb2_power_on()/rcar_gen3_phy_usb2_power_off() as the regulators enable/disable operations are reference counted anyway. Fixes: f3b5a8d9b50d ("phy: rcar-gen3-usb2: Add R-Car Gen3 USB2 PHY driver") Cc: stable(a)vger.kernel.org Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Link: https://lore.kernel.org/r/20250507125032.565017-4-claudiu.beznea.uj@bp.rene… Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/phy/renesas/phy-rcar-gen3-usb2.c b/drivers/phy/renesas/phy-rcar-gen3-usb2.c index bb05fd26eb7f..00ce564463de 100644 --- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c +++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c @@ -9,6 +9,7 @@ * Copyright (C) 2014 Cogent Embedded, Inc. */ +#include <linux/cleanup.h> #include <linux/extcon-provider.h> #include <linux/interrupt.h> #include <linux/io.h> @@ -118,7 +119,7 @@ struct rcar_gen3_chan { struct regulator *vbus; struct reset_control *rstc; struct work_struct work; - struct mutex lock; /* protects rphys[...].powered */ + spinlock_t lock; /* protects access to hardware and driver data structure. */ enum usb_dr_mode dr_mode; u32 obint_enable_bits; bool extcon_host; @@ -348,6 +349,8 @@ static ssize_t role_store(struct device *dev, struct device_attribute *attr, bool is_b_device; enum phy_mode cur_mode, new_mode; + guard(spinlock_irqsave)(&ch->lock); + if (!ch->is_otg_channel || !rcar_gen3_is_any_otg_rphy_initialized(ch)) return -EIO; @@ -415,7 +418,7 @@ static void rcar_gen3_init_otg(struct rcar_gen3_chan *ch) val = readl(usb2_base + USB2_ADPCTRL); writel(val | USB2_ADPCTRL_IDPULLUP, usb2_base + USB2_ADPCTRL); } - msleep(20); + mdelay(20); writel(0xffffffff, usb2_base + USB2_OBINTSTA); writel(ch->obint_enable_bits, usb2_base + USB2_OBINTEN); @@ -436,12 +439,14 @@ static irqreturn_t rcar_gen3_phy_usb2_irq(int irq, void *_ch) if (pm_runtime_suspended(dev)) goto rpm_put; - status = readl(usb2_base + USB2_OBINTSTA); - if (status & ch->obint_enable_bits) { - dev_vdbg(dev, "%s: %08x\n", __func__, status); - writel(ch->obint_enable_bits, usb2_base + USB2_OBINTSTA); - rcar_gen3_device_recognition(ch); - ret = IRQ_HANDLED; + scoped_guard(spinlock, &ch->lock) { + status = readl(usb2_base + USB2_OBINTSTA); + if (status & ch->obint_enable_bits) { + dev_vdbg(dev, "%s: %08x\n", __func__, status); + writel(ch->obint_enable_bits, usb2_base + USB2_OBINTSTA); + rcar_gen3_device_recognition(ch); + ret = IRQ_HANDLED; + } } rpm_put: @@ -456,6 +461,8 @@ static int rcar_gen3_phy_usb2_init(struct phy *p) void __iomem *usb2_base = channel->base; u32 val; + guard(spinlock_irqsave)(&channel->lock); + /* Initialize USB2 part */ val = readl(usb2_base + USB2_INT_ENABLE); val |= USB2_INT_ENABLE_UCOM_INTEN | rphy->int_enable_bits; @@ -479,6 +486,8 @@ static int rcar_gen3_phy_usb2_exit(struct phy *p) void __iomem *usb2_base = channel->base; u32 val; + guard(spinlock_irqsave)(&channel->lock); + rphy->initialized = false; val = readl(usb2_base + USB2_INT_ENABLE); @@ -498,16 +507,17 @@ static int rcar_gen3_phy_usb2_power_on(struct phy *p) u32 val; int ret = 0; - mutex_lock(&channel->lock); - if (!rcar_gen3_are_all_rphys_power_off(channel)) - goto out; - if (channel->vbus) { ret = regulator_enable(channel->vbus); if (ret) - goto out; + return ret; } + guard(spinlock_irqsave)(&channel->lock); + + if (!rcar_gen3_are_all_rphys_power_off(channel)) + goto out; + val = readl(usb2_base + USB2_USBCTR); val |= USB2_USBCTR_PLL_RST; writel(val, usb2_base + USB2_USBCTR); @@ -517,7 +527,6 @@ static int rcar_gen3_phy_usb2_power_on(struct phy *p) out: /* The powered flag should be set for any other phys anyway */ rphy->powered = true; - mutex_unlock(&channel->lock); return 0; } @@ -528,18 +537,12 @@ static int rcar_gen3_phy_usb2_power_off(struct phy *p) struct rcar_gen3_chan *channel = rphy->ch; int ret = 0; - mutex_lock(&channel->lock); - rphy->powered = false; - - if (!rcar_gen3_are_all_rphys_power_off(channel)) - goto out; + scoped_guard(spinlock_irqsave, &channel->lock) + rphy->powered = false; if (channel->vbus) ret = regulator_disable(channel->vbus); -out: - mutex_unlock(&channel->lock); - return ret; } @@ -750,7 +753,7 @@ static int rcar_gen3_phy_usb2_probe(struct platform_device *pdev) if (phy_data->no_adp_ctrl) channel->obint_enable_bits = USB2_OBINT_IDCHG_EN; - mutex_init(&channel->lock); + spin_lock_init(&channel->lock); for (i = 0; i < NUM_OF_PHYS; i++) { channel->rphys[i].phy = devm_phy_create(dev, NULL, phy_data->phy_usb2_ops);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] phy: renesas: rcar-gen3-usb2: Lock around hardware registers" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 55a387ebb9219cbe4edfa8ba9996ccb0e7ad4932 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051922-retrial-capsule-56c7@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 55a387ebb9219cbe4edfa8ba9996ccb0e7ad4932 Mon Sep 17 00:00:00 2001 From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Date: Wed, 7 May 2025 15:50:30 +0300 Subject: [PATCH] phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data The phy-rcar-gen3-usb2 driver exposes four individual PHYs that are requested and configured by PHY users. The struct phy_ops APIs access the same set of registers to configure all PHYs. Additionally, PHY settings can be modified through sysfs or an IRQ handler. While some struct phy_ops APIs are protected by a driver-wide mutex, others rely on individual PHY-specific mutexes. This approach can lead to various issues, including: 1/ the IRQ handler may interrupt PHY settings in progress, racing with hardware configuration protected by a mutex lock 2/ due to msleep(20) in rcar_gen3_init_otg(), while a configuration thread suspends to wait for the delay, another thread may try to configure another PHY (with phy_init() + phy_power_on()); re-running the phy_init() goes to the exact same configuration code, re-running the same hardware configuration on the same set of registers (and bits) which might impact the result of the msleep for the 1st configuring thread 3/ sysfs can configure the hardware (though role_store()) and it can still race with the phy_init()/phy_power_on() APIs calling into the drivers struct phy_ops To address these issues, add a spinlock to protect hardware register access and driver private data structures (e.g., calls to rcar_gen3_is_any_rphy_initialized()). Checking driver-specific data remains necessary as all PHY instances share common settings. With this change, the existing mutex protection is removed and the cleanup.h helpers are used. While at it, to keep the code simpler, do not skip regulator_enable()/regulator_disable() APIs in rcar_gen3_phy_usb2_power_on()/rcar_gen3_phy_usb2_power_off() as the regulators enable/disable operations are reference counted anyway. Fixes: f3b5a8d9b50d ("phy: rcar-gen3-usb2: Add R-Car Gen3 USB2 PHY driver") Cc: stable(a)vger.kernel.org Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Link: https://lore.kernel.org/r/20250507125032.565017-4-claudiu.beznea.uj@bp.rene… Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/phy/renesas/phy-rcar-gen3-usb2.c b/drivers/phy/renesas/phy-rcar-gen3-usb2.c index bb05fd26eb7f..00ce564463de 100644 --- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c +++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c @@ -9,6 +9,7 @@ * Copyright (C) 2014 Cogent Embedded, Inc. */ +#include <linux/cleanup.h> #include <linux/extcon-provider.h> #include <linux/interrupt.h> #include <linux/io.h> @@ -118,7 +119,7 @@ struct rcar_gen3_chan { struct regulator *vbus; struct reset_control *rstc; struct work_struct work; - struct mutex lock; /* protects rphys[...].powered */ + spinlock_t lock; /* protects access to hardware and driver data structure. */ enum usb_dr_mode dr_mode; u32 obint_enable_bits; bool extcon_host; @@ -348,6 +349,8 @@ static ssize_t role_store(struct device *dev, struct device_attribute *attr, bool is_b_device; enum phy_mode cur_mode, new_mode; + guard(spinlock_irqsave)(&ch->lock); + if (!ch->is_otg_channel || !rcar_gen3_is_any_otg_rphy_initialized(ch)) return -EIO; @@ -415,7 +418,7 @@ static void rcar_gen3_init_otg(struct rcar_gen3_chan *ch) val = readl(usb2_base + USB2_ADPCTRL); writel(val | USB2_ADPCTRL_IDPULLUP, usb2_base + USB2_ADPCTRL); } - msleep(20); + mdelay(20); writel(0xffffffff, usb2_base + USB2_OBINTSTA); writel(ch->obint_enable_bits, usb2_base + USB2_OBINTEN); @@ -436,12 +439,14 @@ static irqreturn_t rcar_gen3_phy_usb2_irq(int irq, void *_ch) if (pm_runtime_suspended(dev)) goto rpm_put; - status = readl(usb2_base + USB2_OBINTSTA); - if (status & ch->obint_enable_bits) { - dev_vdbg(dev, "%s: %08x\n", __func__, status); - writel(ch->obint_enable_bits, usb2_base + USB2_OBINTSTA); - rcar_gen3_device_recognition(ch); - ret = IRQ_HANDLED; + scoped_guard(spinlock, &ch->lock) { + status = readl(usb2_base + USB2_OBINTSTA); + if (status & ch->obint_enable_bits) { + dev_vdbg(dev, "%s: %08x\n", __func__, status); + writel(ch->obint_enable_bits, usb2_base + USB2_OBINTSTA); + rcar_gen3_device_recognition(ch); + ret = IRQ_HANDLED; + } } rpm_put: @@ -456,6 +461,8 @@ static int rcar_gen3_phy_usb2_init(struct phy *p) void __iomem *usb2_base = channel->base; u32 val; + guard(spinlock_irqsave)(&channel->lock); + /* Initialize USB2 part */ val = readl(usb2_base + USB2_INT_ENABLE); val |= USB2_INT_ENABLE_UCOM_INTEN | rphy->int_enable_bits; @@ -479,6 +486,8 @@ static int rcar_gen3_phy_usb2_exit(struct phy *p) void __iomem *usb2_base = channel->base; u32 val; + guard(spinlock_irqsave)(&channel->lock); + rphy->initialized = false; val = readl(usb2_base + USB2_INT_ENABLE); @@ -498,16 +507,17 @@ static int rcar_gen3_phy_usb2_power_on(struct phy *p) u32 val; int ret = 0; - mutex_lock(&channel->lock); - if (!rcar_gen3_are_all_rphys_power_off(channel)) - goto out; - if (channel->vbus) { ret = regulator_enable(channel->vbus); if (ret) - goto out; + return ret; } + guard(spinlock_irqsave)(&channel->lock); + + if (!rcar_gen3_are_all_rphys_power_off(channel)) + goto out; + val = readl(usb2_base + USB2_USBCTR); val |= USB2_USBCTR_PLL_RST; writel(val, usb2_base + USB2_USBCTR); @@ -517,7 +527,6 @@ static int rcar_gen3_phy_usb2_power_on(struct phy *p) out: /* The powered flag should be set for any other phys anyway */ rphy->powered = true; - mutex_unlock(&channel->lock); return 0; } @@ -528,18 +537,12 @@ static int rcar_gen3_phy_usb2_power_off(struct phy *p) struct rcar_gen3_chan *channel = rphy->ch; int ret = 0; - mutex_lock(&channel->lock); - rphy->powered = false; - - if (!rcar_gen3_are_all_rphys_power_off(channel)) - goto out; + scoped_guard(spinlock_irqsave, &channel->lock) + rphy->powered = false; if (channel->vbus) ret = regulator_disable(channel->vbus); -out: - mutex_unlock(&channel->lock); - return ret; } @@ -750,7 +753,7 @@ static int rcar_gen3_phy_usb2_probe(struct platform_device *pdev) if (phy_data->no_adp_ctrl) channel->obint_enable_bits = USB2_OBINT_IDCHG_EN; - mutex_init(&channel->lock); + spin_lock_init(&channel->lock); for (i = 0; i < NUM_OF_PHYS; i++) { channel->rphys[i].phy = devm_phy_create(dev, NULL, phy_data->phy_usb2_ops);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] phy: renesas: rcar-gen3-usb2: Lock around hardware registers" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 55a387ebb9219cbe4edfa8ba9996ccb0e7ad4932 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051921-mortuary-renter-2468@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 55a387ebb9219cbe4edfa8ba9996ccb0e7ad4932 Mon Sep 17 00:00:00 2001 From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Date: Wed, 7 May 2025 15:50:30 +0300 Subject: [PATCH] phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data The phy-rcar-gen3-usb2 driver exposes four individual PHYs that are requested and configured by PHY users. The struct phy_ops APIs access the same set of registers to configure all PHYs. Additionally, PHY settings can be modified through sysfs or an IRQ handler. While some struct phy_ops APIs are protected by a driver-wide mutex, others rely on individual PHY-specific mutexes. This approach can lead to various issues, including: 1/ the IRQ handler may interrupt PHY settings in progress, racing with hardware configuration protected by a mutex lock 2/ due to msleep(20) in rcar_gen3_init_otg(), while a configuration thread suspends to wait for the delay, another thread may try to configure another PHY (with phy_init() + phy_power_on()); re-running the phy_init() goes to the exact same configuration code, re-running the same hardware configuration on the same set of registers (and bits) which might impact the result of the msleep for the 1st configuring thread 3/ sysfs can configure the hardware (though role_store()) and it can still race with the phy_init()/phy_power_on() APIs calling into the drivers struct phy_ops To address these issues, add a spinlock to protect hardware register access and driver private data structures (e.g., calls to rcar_gen3_is_any_rphy_initialized()). Checking driver-specific data remains necessary as all PHY instances share common settings. With this change, the existing mutex protection is removed and the cleanup.h helpers are used. While at it, to keep the code simpler, do not skip regulator_enable()/regulator_disable() APIs in rcar_gen3_phy_usb2_power_on()/rcar_gen3_phy_usb2_power_off() as the regulators enable/disable operations are reference counted anyway. Fixes: f3b5a8d9b50d ("phy: rcar-gen3-usb2: Add R-Car Gen3 USB2 PHY driver") Cc: stable(a)vger.kernel.org Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Link: https://lore.kernel.org/r/20250507125032.565017-4-claudiu.beznea.uj@bp.rene… Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/phy/renesas/phy-rcar-gen3-usb2.c b/drivers/phy/renesas/phy-rcar-gen3-usb2.c index bb05fd26eb7f..00ce564463de 100644 --- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c +++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c @@ -9,6 +9,7 @@ * Copyright (C) 2014 Cogent Embedded, Inc. */ +#include <linux/cleanup.h> #include <linux/extcon-provider.h> #include <linux/interrupt.h> #include <linux/io.h> @@ -118,7 +119,7 @@ struct rcar_gen3_chan { struct regulator *vbus; struct reset_control *rstc; struct work_struct work; - struct mutex lock; /* protects rphys[...].powered */ + spinlock_t lock; /* protects access to hardware and driver data structure. */ enum usb_dr_mode dr_mode; u32 obint_enable_bits; bool extcon_host; @@ -348,6 +349,8 @@ static ssize_t role_store(struct device *dev, struct device_attribute *attr, bool is_b_device; enum phy_mode cur_mode, new_mode; + guard(spinlock_irqsave)(&ch->lock); + if (!ch->is_otg_channel || !rcar_gen3_is_any_otg_rphy_initialized(ch)) return -EIO; @@ -415,7 +418,7 @@ static void rcar_gen3_init_otg(struct rcar_gen3_chan *ch) val = readl(usb2_base + USB2_ADPCTRL); writel(val | USB2_ADPCTRL_IDPULLUP, usb2_base + USB2_ADPCTRL); } - msleep(20); + mdelay(20); writel(0xffffffff, usb2_base + USB2_OBINTSTA); writel(ch->obint_enable_bits, usb2_base + USB2_OBINTEN); @@ -436,12 +439,14 @@ static irqreturn_t rcar_gen3_phy_usb2_irq(int irq, void *_ch) if (pm_runtime_suspended(dev)) goto rpm_put; - status = readl(usb2_base + USB2_OBINTSTA); - if (status & ch->obint_enable_bits) { - dev_vdbg(dev, "%s: %08x\n", __func__, status); - writel(ch->obint_enable_bits, usb2_base + USB2_OBINTSTA); - rcar_gen3_device_recognition(ch); - ret = IRQ_HANDLED; + scoped_guard(spinlock, &ch->lock) { + status = readl(usb2_base + USB2_OBINTSTA); + if (status & ch->obint_enable_bits) { + dev_vdbg(dev, "%s: %08x\n", __func__, status); + writel(ch->obint_enable_bits, usb2_base + USB2_OBINTSTA); + rcar_gen3_device_recognition(ch); + ret = IRQ_HANDLED; + } } rpm_put: @@ -456,6 +461,8 @@ static int rcar_gen3_phy_usb2_init(struct phy *p) void __iomem *usb2_base = channel->base; u32 val; + guard(spinlock_irqsave)(&channel->lock); + /* Initialize USB2 part */ val = readl(usb2_base + USB2_INT_ENABLE); val |= USB2_INT_ENABLE_UCOM_INTEN | rphy->int_enable_bits; @@ -479,6 +486,8 @@ static int rcar_gen3_phy_usb2_exit(struct phy *p) void __iomem *usb2_base = channel->base; u32 val; + guard(spinlock_irqsave)(&channel->lock); + rphy->initialized = false; val = readl(usb2_base + USB2_INT_ENABLE); @@ -498,16 +507,17 @@ static int rcar_gen3_phy_usb2_power_on(struct phy *p) u32 val; int ret = 0; - mutex_lock(&channel->lock); - if (!rcar_gen3_are_all_rphys_power_off(channel)) - goto out; - if (channel->vbus) { ret = regulator_enable(channel->vbus); if (ret) - goto out; + return ret; } + guard(spinlock_irqsave)(&channel->lock); + + if (!rcar_gen3_are_all_rphys_power_off(channel)) + goto out; + val = readl(usb2_base + USB2_USBCTR); val |= USB2_USBCTR_PLL_RST; writel(val, usb2_base + USB2_USBCTR); @@ -517,7 +527,6 @@ static int rcar_gen3_phy_usb2_power_on(struct phy *p) out: /* The powered flag should be set for any other phys anyway */ rphy->powered = true; - mutex_unlock(&channel->lock); return 0; } @@ -528,18 +537,12 @@ static int rcar_gen3_phy_usb2_power_off(struct phy *p) struct rcar_gen3_chan *channel = rphy->ch; int ret = 0; - mutex_lock(&channel->lock); - rphy->powered = false; - - if (!rcar_gen3_are_all_rphys_power_off(channel)) - goto out; + scoped_guard(spinlock_irqsave, &channel->lock) + rphy->powered = false; if (channel->vbus) ret = regulator_disable(channel->vbus); -out: - mutex_unlock(&channel->lock); - return ret; } @@ -750,7 +753,7 @@ static int rcar_gen3_phy_usb2_probe(struct platform_device *pdev) if (phy_data->no_adp_ctrl) channel->obint_enable_bits = USB2_OBINT_IDCHG_EN; - mutex_init(&channel->lock); + spin_lock_init(&channel->lock); for (i = 0; i < NUM_OF_PHYS; i++) { channel->rphys[i].phy = devm_phy_create(dev, NULL, phy_data->phy_usb2_ops);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] phy: renesas: rcar-gen3-usb2: Lock around hardware registers" failed to apply to 6.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.14.y git checkout FETCH_HEAD git cherry-pick -x 55a387ebb9219cbe4edfa8ba9996ccb0e7ad4932 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051920-hemlock-tableful-9784@gregkh' --subject-prefix 'PATCH 6.14.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 55a387ebb9219cbe4edfa8ba9996ccb0e7ad4932 Mon Sep 17 00:00:00 2001 From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Date: Wed, 7 May 2025 15:50:30 +0300 Subject: [PATCH] phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data The phy-rcar-gen3-usb2 driver exposes four individual PHYs that are requested and configured by PHY users. The struct phy_ops APIs access the same set of registers to configure all PHYs. Additionally, PHY settings can be modified through sysfs or an IRQ handler. While some struct phy_ops APIs are protected by a driver-wide mutex, others rely on individual PHY-specific mutexes. This approach can lead to various issues, including: 1/ the IRQ handler may interrupt PHY settings in progress, racing with hardware configuration protected by a mutex lock 2/ due to msleep(20) in rcar_gen3_init_otg(), while a configuration thread suspends to wait for the delay, another thread may try to configure another PHY (with phy_init() + phy_power_on()); re-running the phy_init() goes to the exact same configuration code, re-running the same hardware configuration on the same set of registers (and bits) which might impact the result of the msleep for the 1st configuring thread 3/ sysfs can configure the hardware (though role_store()) and it can still race with the phy_init()/phy_power_on() APIs calling into the drivers struct phy_ops To address these issues, add a spinlock to protect hardware register access and driver private data structures (e.g., calls to rcar_gen3_is_any_rphy_initialized()). Checking driver-specific data remains necessary as all PHY instances share common settings. With this change, the existing mutex protection is removed and the cleanup.h helpers are used. While at it, to keep the code simpler, do not skip regulator_enable()/regulator_disable() APIs in rcar_gen3_phy_usb2_power_on()/rcar_gen3_phy_usb2_power_off() as the regulators enable/disable operations are reference counted anyway. Fixes: f3b5a8d9b50d ("phy: rcar-gen3-usb2: Add R-Car Gen3 USB2 PHY driver") Cc: stable(a)vger.kernel.org Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Link: https://lore.kernel.org/r/20250507125032.565017-4-claudiu.beznea.uj@bp.rene… Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/phy/renesas/phy-rcar-gen3-usb2.c b/drivers/phy/renesas/phy-rcar-gen3-usb2.c index bb05fd26eb7f..00ce564463de 100644 --- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c +++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c @@ -9,6 +9,7 @@ * Copyright (C) 2014 Cogent Embedded, Inc. */ +#include <linux/cleanup.h> #include <linux/extcon-provider.h> #include <linux/interrupt.h> #include <linux/io.h> @@ -118,7 +119,7 @@ struct rcar_gen3_chan { struct regulator *vbus; struct reset_control *rstc; struct work_struct work; - struct mutex lock; /* protects rphys[...].powered */ + spinlock_t lock; /* protects access to hardware and driver data structure. */ enum usb_dr_mode dr_mode; u32 obint_enable_bits; bool extcon_host; @@ -348,6 +349,8 @@ static ssize_t role_store(struct device *dev, struct device_attribute *attr, bool is_b_device; enum phy_mode cur_mode, new_mode; + guard(spinlock_irqsave)(&ch->lock); + if (!ch->is_otg_channel || !rcar_gen3_is_any_otg_rphy_initialized(ch)) return -EIO; @@ -415,7 +418,7 @@ static void rcar_gen3_init_otg(struct rcar_gen3_chan *ch) val = readl(usb2_base + USB2_ADPCTRL); writel(val | USB2_ADPCTRL_IDPULLUP, usb2_base + USB2_ADPCTRL); } - msleep(20); + mdelay(20); writel(0xffffffff, usb2_base + USB2_OBINTSTA); writel(ch->obint_enable_bits, usb2_base + USB2_OBINTEN); @@ -436,12 +439,14 @@ static irqreturn_t rcar_gen3_phy_usb2_irq(int irq, void *_ch) if (pm_runtime_suspended(dev)) goto rpm_put; - status = readl(usb2_base + USB2_OBINTSTA); - if (status & ch->obint_enable_bits) { - dev_vdbg(dev, "%s: %08x\n", __func__, status); - writel(ch->obint_enable_bits, usb2_base + USB2_OBINTSTA); - rcar_gen3_device_recognition(ch); - ret = IRQ_HANDLED; + scoped_guard(spinlock, &ch->lock) { + status = readl(usb2_base + USB2_OBINTSTA); + if (status & ch->obint_enable_bits) { + dev_vdbg(dev, "%s: %08x\n", __func__, status); + writel(ch->obint_enable_bits, usb2_base + USB2_OBINTSTA); + rcar_gen3_device_recognition(ch); + ret = IRQ_HANDLED; + } } rpm_put: @@ -456,6 +461,8 @@ static int rcar_gen3_phy_usb2_init(struct phy *p) void __iomem *usb2_base = channel->base; u32 val; + guard(spinlock_irqsave)(&channel->lock); + /* Initialize USB2 part */ val = readl(usb2_base + USB2_INT_ENABLE); val |= USB2_INT_ENABLE_UCOM_INTEN | rphy->int_enable_bits; @@ -479,6 +486,8 @@ static int rcar_gen3_phy_usb2_exit(struct phy *p) void __iomem *usb2_base = channel->base; u32 val; + guard(spinlock_irqsave)(&channel->lock); + rphy->initialized = false; val = readl(usb2_base + USB2_INT_ENABLE); @@ -498,16 +507,17 @@ static int rcar_gen3_phy_usb2_power_on(struct phy *p) u32 val; int ret = 0; - mutex_lock(&channel->lock); - if (!rcar_gen3_are_all_rphys_power_off(channel)) - goto out; - if (channel->vbus) { ret = regulator_enable(channel->vbus); if (ret) - goto out; + return ret; } + guard(spinlock_irqsave)(&channel->lock); + + if (!rcar_gen3_are_all_rphys_power_off(channel)) + goto out; + val = readl(usb2_base + USB2_USBCTR); val |= USB2_USBCTR_PLL_RST; writel(val, usb2_base + USB2_USBCTR); @@ -517,7 +527,6 @@ static int rcar_gen3_phy_usb2_power_on(struct phy *p) out: /* The powered flag should be set for any other phys anyway */ rphy->powered = true; - mutex_unlock(&channel->lock); return 0; } @@ -528,18 +537,12 @@ static int rcar_gen3_phy_usb2_power_off(struct phy *p) struct rcar_gen3_chan *channel = rphy->ch; int ret = 0; - mutex_lock(&channel->lock); - rphy->powered = false; - - if (!rcar_gen3_are_all_rphys_power_off(channel)) - goto out; + scoped_guard(spinlock_irqsave, &channel->lock) + rphy->powered = false; if (channel->vbus) ret = regulator_disable(channel->vbus); -out: - mutex_unlock(&channel->lock); - return ret; } @@ -750,7 +753,7 @@ static int rcar_gen3_phy_usb2_probe(struct platform_device *pdev) if (phy_data->no_adp_ctrl) channel->obint_enable_bits = USB2_OBINT_IDCHG_EN; - mutex_init(&channel->lock); + spin_lock_init(&channel->lock); for (i = 0; i < NUM_OF_PHYS; i++) { channel->rphys[i].phy = devm_phy_create(dev, NULL, phy_data->phy_usb2_ops);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 9ce71e85b29eb63e48e294479742e670513f03a0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051915-festival-pasta-654b@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9ce71e85b29eb63e48e294479742e670513f03a0 Mon Sep 17 00:00:00 2001 From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Date: Wed, 7 May 2025 15:50:31 +0300 Subject: [PATCH] phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off Assert PLL reset on PHY power off. This saves power. Fixes: f3b5a8d9b50d ("phy: rcar-gen3-usb2: Add R-Car Gen3 USB2 PHY driver") Cc: stable(a)vger.kernel.org Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Link: https://lore.kernel.org/r/20250507125032.565017-5-claudiu.beznea.uj@bp.rene… Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/phy/renesas/phy-rcar-gen3-usb2.c b/drivers/phy/renesas/phy-rcar-gen3-usb2.c index 00ce564463de..118899efda70 100644 --- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c +++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c @@ -537,9 +537,17 @@ static int rcar_gen3_phy_usb2_power_off(struct phy *p) struct rcar_gen3_chan *channel = rphy->ch; int ret = 0; - scoped_guard(spinlock_irqsave, &channel->lock) + scoped_guard(spinlock_irqsave, &channel->lock) { rphy->powered = false; + if (rcar_gen3_are_all_rphys_power_off(channel)) { + u32 val = readl(channel->base + USB2_USBCTR); + + val |= USB2_USBCTR_PLL_RST; + writel(val, channel->base + USB2_USBCTR); + } + } + if (channel->vbus) ret = regulator_disable(channel->vbus);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 9ce71e85b29eb63e48e294479742e670513f03a0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051914-destiny-cesarean-1d44@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9ce71e85b29eb63e48e294479742e670513f03a0 Mon Sep 17 00:00:00 2001 From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Date: Wed, 7 May 2025 15:50:31 +0300 Subject: [PATCH] phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off Assert PLL reset on PHY power off. This saves power. Fixes: f3b5a8d9b50d ("phy: rcar-gen3-usb2: Add R-Car Gen3 USB2 PHY driver") Cc: stable(a)vger.kernel.org Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Link: https://lore.kernel.org/r/20250507125032.565017-5-claudiu.beznea.uj@bp.rene… Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/phy/renesas/phy-rcar-gen3-usb2.c b/drivers/phy/renesas/phy-rcar-gen3-usb2.c index 00ce564463de..118899efda70 100644 --- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c +++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c @@ -537,9 +537,17 @@ static int rcar_gen3_phy_usb2_power_off(struct phy *p) struct rcar_gen3_chan *channel = rphy->ch; int ret = 0; - scoped_guard(spinlock_irqsave, &channel->lock) + scoped_guard(spinlock_irqsave, &channel->lock) { rphy->powered = false; + if (rcar_gen3_are_all_rphys_power_off(channel)) { + u32 val = readl(channel->base + USB2_USBCTR); + + val |= USB2_USBCTR_PLL_RST; + writel(val, channel->base + USB2_USBCTR); + } + } + if (channel->vbus) ret = regulator_disable(channel->vbus);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 9ce71e85b29eb63e48e294479742e670513f03a0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051914-stopwatch-crumpet-385d@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9ce71e85b29eb63e48e294479742e670513f03a0 Mon Sep 17 00:00:00 2001 From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Date: Wed, 7 May 2025 15:50:31 +0300 Subject: [PATCH] phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off Assert PLL reset on PHY power off. This saves power. Fixes: f3b5a8d9b50d ("phy: rcar-gen3-usb2: Add R-Car Gen3 USB2 PHY driver") Cc: stable(a)vger.kernel.org Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Link: https://lore.kernel.org/r/20250507125032.565017-5-claudiu.beznea.uj@bp.rene… Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/phy/renesas/phy-rcar-gen3-usb2.c b/drivers/phy/renesas/phy-rcar-gen3-usb2.c index 00ce564463de..118899efda70 100644 --- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c +++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c @@ -537,9 +537,17 @@ static int rcar_gen3_phy_usb2_power_off(struct phy *p) struct rcar_gen3_chan *channel = rphy->ch; int ret = 0; - scoped_guard(spinlock_irqsave, &channel->lock) + scoped_guard(spinlock_irqsave, &channel->lock) { rphy->powered = false; + if (rcar_gen3_are_all_rphys_power_off(channel)) { + u32 val = readl(channel->base + USB2_USBCTR); + + val |= USB2_USBCTR_PLL_RST; + writel(val, channel->base + USB2_USBCTR); + } + } + if (channel->vbus) ret = regulator_disable(channel->vbus);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 9ce71e85b29eb63e48e294479742e670513f03a0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051913-shaky-bamboo-9c7a@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9ce71e85b29eb63e48e294479742e670513f03a0 Mon Sep 17 00:00:00 2001 From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Date: Wed, 7 May 2025 15:50:31 +0300 Subject: [PATCH] phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off Assert PLL reset on PHY power off. This saves power. Fixes: f3b5a8d9b50d ("phy: rcar-gen3-usb2: Add R-Car Gen3 USB2 PHY driver") Cc: stable(a)vger.kernel.org Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Link: https://lore.kernel.org/r/20250507125032.565017-5-claudiu.beznea.uj@bp.rene… Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/phy/renesas/phy-rcar-gen3-usb2.c b/drivers/phy/renesas/phy-rcar-gen3-usb2.c index 00ce564463de..118899efda70 100644 --- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c +++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c @@ -537,9 +537,17 @@ static int rcar_gen3_phy_usb2_power_off(struct phy *p) struct rcar_gen3_chan *channel = rphy->ch; int ret = 0; - scoped_guard(spinlock_irqsave, &channel->lock) + scoped_guard(spinlock_irqsave, &channel->lock) { rphy->powered = false; + if (rcar_gen3_are_all_rphys_power_off(channel)) { + u32 val = readl(channel->base + USB2_USBCTR); + + val |= USB2_USBCTR_PLL_RST; + writel(val, channel->base + USB2_USBCTR); + } + } + if (channel->vbus) ret = regulator_disable(channel->vbus);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 9ce71e85b29eb63e48e294479742e670513f03a0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051908-squiggle-pastrami-b849@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9ce71e85b29eb63e48e294479742e670513f03a0 Mon Sep 17 00:00:00 2001 From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Date: Wed, 7 May 2025 15:50:31 +0300 Subject: [PATCH] phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off Assert PLL reset on PHY power off. This saves power. Fixes: f3b5a8d9b50d ("phy: rcar-gen3-usb2: Add R-Car Gen3 USB2 PHY driver") Cc: stable(a)vger.kernel.org Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Link: https://lore.kernel.org/r/20250507125032.565017-5-claudiu.beznea.uj@bp.rene… Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/phy/renesas/phy-rcar-gen3-usb2.c b/drivers/phy/renesas/phy-rcar-gen3-usb2.c index 00ce564463de..118899efda70 100644 --- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c +++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c @@ -537,9 +537,17 @@ static int rcar_gen3_phy_usb2_power_off(struct phy *p) struct rcar_gen3_chan *channel = rphy->ch; int ret = 0; - scoped_guard(spinlock_irqsave, &channel->lock) + scoped_guard(spinlock_irqsave, &channel->lock) { rphy->powered = false; + if (rcar_gen3_are_all_rphys_power_off(channel)) { + u32 val = readl(channel->base + USB2_USBCTR); + + val |= USB2_USBCTR_PLL_RST; + writel(val, channel->base + USB2_USBCTR); + } + } + if (channel->vbus) ret = regulator_disable(channel->vbus);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 9ce71e85b29eb63e48e294479742e670513f03a0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051908-smock-python-51a3@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9ce71e85b29eb63e48e294479742e670513f03a0 Mon Sep 17 00:00:00 2001 From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Date: Wed, 7 May 2025 15:50:31 +0300 Subject: [PATCH] phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off Assert PLL reset on PHY power off. This saves power. Fixes: f3b5a8d9b50d ("phy: rcar-gen3-usb2: Add R-Car Gen3 USB2 PHY driver") Cc: stable(a)vger.kernel.org Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Link: https://lore.kernel.org/r/20250507125032.565017-5-claudiu.beznea.uj@bp.rene… Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/phy/renesas/phy-rcar-gen3-usb2.c b/drivers/phy/renesas/phy-rcar-gen3-usb2.c index 00ce564463de..118899efda70 100644 --- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c +++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c @@ -537,9 +537,17 @@ static int rcar_gen3_phy_usb2_power_off(struct phy *p) struct rcar_gen3_chan *channel = rphy->ch; int ret = 0; - scoped_guard(spinlock_irqsave, &channel->lock) + scoped_guard(spinlock_irqsave, &channel->lock) { rphy->powered = false; + if (rcar_gen3_are_all_rphys_power_off(channel)) { + u32 val = readl(channel->base + USB2_USBCTR); + + val |= USB2_USBCTR_PLL_RST; + writel(val, channel->base + USB2_USBCTR); + } + } + if (channel->vbus) ret = regulator_disable(channel->vbus);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power" failed to apply to 6.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.14.y git checkout FETCH_HEAD git cherry-pick -x 9ce71e85b29eb63e48e294479742e670513f03a0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051907-refinance-ventricle-ea1c@gregkh' --subject-prefix 'PATCH 6.14.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9ce71e85b29eb63e48e294479742e670513f03a0 Mon Sep 17 00:00:00 2001 From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Date: Wed, 7 May 2025 15:50:31 +0300 Subject: [PATCH] phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off Assert PLL reset on PHY power off. This saves power. Fixes: f3b5a8d9b50d ("phy: rcar-gen3-usb2: Add R-Car Gen3 USB2 PHY driver") Cc: stable(a)vger.kernel.org Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Link: https://lore.kernel.org/r/20250507125032.565017-5-claudiu.beznea.uj@bp.rene… Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/phy/renesas/phy-rcar-gen3-usb2.c b/drivers/phy/renesas/phy-rcar-gen3-usb2.c index 00ce564463de..118899efda70 100644 --- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c +++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c @@ -537,9 +537,17 @@ static int rcar_gen3_phy_usb2_power_off(struct phy *p) struct rcar_gen3_chan *channel = rphy->ch; int ret = 0; - scoped_guard(spinlock_irqsave, &channel->lock) + scoped_guard(spinlock_irqsave, &channel->lock) { rphy->powered = false; + if (rcar_gen3_are_all_rphys_power_off(channel)) { + u32 val = readl(channel->base + USB2_USBCTR); + + val |= USB2_USBCTR_PLL_RST; + writel(val, channel->base + USB2_USBCTR); + } + } + if (channel->vbus) ret = regulator_disable(channel->vbus);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] net: dsa: microchip: let phylink manage PHY EEE configuration" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 76ca05e0abe31a4f47a5b5a85041b5a22c03baf8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051904-lung-dreaded-8c5a@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 76ca05e0abe31a4f47a5b5a85041b5a22c03baf8 Mon Sep 17 00:00:00 2001 From: Oleksij Rempel <o.rempel(a)pengutronix.de> Date: Sun, 4 May 2025 10:14:33 +0200 Subject: [PATCH] net: dsa: microchip: let phylink manage PHY EEE configuration on KSZ switches Phylink expects MAC drivers to provide LPI callbacks to properly manage Energy Efficient Ethernet (EEE) configuration. On KSZ switches with integrated PHYs, LPI is internally handled by hardware, while ports without integrated PHYs have no documented MAC-level LPI support. Provide dummy mac_disable_tx_lpi() and mac_enable_tx_lpi() callbacks to satisfy phylink requirements. Also, set default EEE capabilities during phylink initialization where applicable. Since phylink can now gracefully handle optional EEE configuration, remove the need for the MICREL_NO_EEE PHY flag. This change addresses issues caused by incomplete EEE refactoring introduced in commit fe0d4fd9285e ("net: phy: Keep track of EEE configuration"). It is not easily possible to fix all older kernels, but this patch ensures proper behavior on latest kernels and can be considered for backporting to stable kernels starting from v6.14. Fixes: fe0d4fd9285e ("net: phy: Keep track of EEE configuration") Signed-off-by: Oleksij Rempel <o.rempel(a)pengutronix.de> Cc: stable(a)vger.kernel.org # v6.14+ Link: https://patch.msgid.link/20250504081434.424489-2-o.rempel@pengutronix.de Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> diff --git a/drivers/net/dsa/microchip/ksz_common.c b/drivers/net/dsa/microchip/ksz_common.c index 89f0796894af..f95a9aac56ee 100644 --- a/drivers/net/dsa/microchip/ksz_common.c +++ b/drivers/net/dsa/microchip/ksz_common.c @@ -265,16 +265,70 @@ static void ksz_phylink_mac_link_down(struct phylink_config *config, unsigned int mode, phy_interface_t interface); +/** + * ksz_phylink_mac_disable_tx_lpi() - Callback to signal LPI support (Dummy) + * @config: phylink config structure + * + * This function is a dummy handler. See ksz_phylink_mac_enable_tx_lpi() for + * a detailed explanation of EEE/LPI handling in KSZ switches. + */ +static void ksz_phylink_mac_disable_tx_lpi(struct phylink_config *config) +{ +} + +/** + * ksz_phylink_mac_enable_tx_lpi() - Callback to signal LPI support (Dummy) + * @config: phylink config structure + * @timer: timer value before entering LPI (unused) + * @tx_clock_stop: whether to stop the TX clock in LPI mode (unused) + * + * This function signals to phylink that the driver architecture supports + * LPI management, enabling phylink to control EEE advertisement during + * negotiation according to IEEE Std 802.3 (Clause 78). + * + * Hardware Management of EEE/LPI State: + * For KSZ switch ports with integrated PHYs (e.g., KSZ9893R ports 1-2), + * observation and testing suggest that the actual EEE / Low Power Idle (LPI) + * state transitions are managed autonomously by the hardware based on + * the auto-negotiation results. (Note: While the datasheet describes EEE + * operation based on negotiation, it doesn't explicitly detail the internal + * MAC/PHY interaction, so autonomous hardware management of the MAC state + * for LPI is inferred from observed behavior). + * This hardware control, consistent with the switch's ability to operate + * autonomously via strapping, means MAC-level software intervention is not + * required or exposed for managing the LPI state once EEE is negotiated. + * (Ref: KSZ9893R Data Sheet DS00002420D, primarily Section 4.7.5 explaining + * EEE, also Sections 4.1.7 on Auto-Negotiation and 3.2.1 on Configuration + * Straps). + * + * Additionally, ports configured as MAC interfaces (e.g., KSZ9893R port 3) + * lack documented MAC-level LPI control. + * + * Therefore, this callback performs no action and serves primarily to inform + * phylink of LPI awareness and to document the inferred hardware behavior. + * + * Returns: 0 (Always success) + */ +static int ksz_phylink_mac_enable_tx_lpi(struct phylink_config *config, + u32 timer, bool tx_clock_stop) +{ + return 0; +} + static const struct phylink_mac_ops ksz88x3_phylink_mac_ops = { .mac_config = ksz88x3_phylink_mac_config, .mac_link_down = ksz_phylink_mac_link_down, .mac_link_up = ksz8_phylink_mac_link_up, + .mac_disable_tx_lpi = ksz_phylink_mac_disable_tx_lpi, + .mac_enable_tx_lpi = ksz_phylink_mac_enable_tx_lpi, }; static const struct phylink_mac_ops ksz8_phylink_mac_ops = { .mac_config = ksz_phylink_mac_config, .mac_link_down = ksz_phylink_mac_link_down, .mac_link_up = ksz8_phylink_mac_link_up, + .mac_disable_tx_lpi = ksz_phylink_mac_disable_tx_lpi, + .mac_enable_tx_lpi = ksz_phylink_mac_enable_tx_lpi, }; static const struct ksz_dev_ops ksz88xx_dev_ops = { @@ -358,6 +412,8 @@ static const struct phylink_mac_ops ksz9477_phylink_mac_ops = { .mac_config = ksz_phylink_mac_config, .mac_link_down = ksz_phylink_mac_link_down, .mac_link_up = ksz9477_phylink_mac_link_up, + .mac_disable_tx_lpi = ksz_phylink_mac_disable_tx_lpi, + .mac_enable_tx_lpi = ksz_phylink_mac_enable_tx_lpi, }; static const struct ksz_dev_ops ksz9477_dev_ops = { @@ -401,6 +457,8 @@ static const struct phylink_mac_ops lan937x_phylink_mac_ops = { .mac_config = ksz_phylink_mac_config, .mac_link_down = ksz_phylink_mac_link_down, .mac_link_up = ksz9477_phylink_mac_link_up, + .mac_disable_tx_lpi = ksz_phylink_mac_disable_tx_lpi, + .mac_enable_tx_lpi = ksz_phylink_mac_enable_tx_lpi, }; static const struct ksz_dev_ops lan937x_dev_ops = { @@ -2016,6 +2074,18 @@ static void ksz_phylink_get_caps(struct dsa_switch *ds, int port, if (dev->dev_ops->get_caps) dev->dev_ops->get_caps(dev, port, config); + + if (ds->ops->support_eee && ds->ops->support_eee(ds, port)) { + memcpy(config->lpi_interfaces, config->supported_interfaces, + sizeof(config->lpi_interfaces)); + + config->lpi_capabilities = MAC_100FD; + if (dev->info->gbit_capable[port]) + config->lpi_capabilities |= MAC_1000FD; + + /* EEE is fully operational */ + config->eee_enabled_default = true; + } } void ksz_r_mib_stats64(struct ksz_device *dev, int port) @@ -3008,31 +3078,6 @@ static u32 ksz_get_phy_flags(struct dsa_switch *ds, int port) if (!port) return MICREL_KSZ8_P1_ERRATA; break; - case KSZ8567_CHIP_ID: - /* KSZ8567R Errata DS80000752C Module 4 */ - case KSZ8765_CHIP_ID: - case KSZ8794_CHIP_ID: - case KSZ8795_CHIP_ID: - /* KSZ879x/KSZ877x/KSZ876x Errata DS80000687C Module 2 */ - case KSZ9477_CHIP_ID: - /* KSZ9477S Errata DS80000754A Module 4 */ - case KSZ9567_CHIP_ID: - /* KSZ9567S Errata DS80000756A Module 4 */ - case KSZ9896_CHIP_ID: - /* KSZ9896C Errata DS80000757A Module 3 */ - case KSZ9897_CHIP_ID: - case LAN9646_CHIP_ID: - /* KSZ9897R Errata DS80000758C Module 4 */ - /* Energy Efficient Ethernet (EEE) feature select must be manually disabled - * The EEE feature is enabled by default, but it is not fully - * operational. It must be manually disabled through register - * controls. If not disabled, the PHY ports can auto-negotiate - * to enable EEE, and this feature can cause link drops when - * linked to another device supporting EEE. - * - * The same item appears in the errata for all switches above. - */ - return MICREL_NO_EEE; } return 0; @@ -3466,6 +3511,20 @@ static int ksz_max_mtu(struct dsa_switch *ds, int port) return -EOPNOTSUPP; } +/** + * ksz_support_eee - Determine Energy Efficient Ethernet (EEE) support for a + * port + * @ds: Pointer to the DSA switch structure + * @port: Port number to check + * + * This function also documents devices where EEE was initially advertised but + * later withdrawn due to reliability issues, as described in official errata + * documents. These devices are explicitly listed to record known limitations, + * even if there is no technical necessity for runtime checks. + * + * Returns: true if the internal PHY on the given port supports fully + * operational EEE, false otherwise. + */ static bool ksz_support_eee(struct dsa_switch *ds, int port) { struct ksz_device *dev = ds->priv; @@ -3475,15 +3534,35 @@ static bool ksz_support_eee(struct dsa_switch *ds, int port) switch (dev->chip_id) { case KSZ8563_CHIP_ID: - case KSZ8567_CHIP_ID: - case KSZ9477_CHIP_ID: case KSZ9563_CHIP_ID: - case KSZ9567_CHIP_ID: case KSZ9893_CHIP_ID: + return true; + case KSZ8567_CHIP_ID: + /* KSZ8567R Errata DS80000752C Module 4 */ + case KSZ8765_CHIP_ID: + case KSZ8794_CHIP_ID: + case KSZ8795_CHIP_ID: + /* KSZ879x/KSZ877x/KSZ876x Errata DS80000687C Module 2 */ + case KSZ9477_CHIP_ID: + /* KSZ9477S Errata DS80000754A Module 4 */ + case KSZ9567_CHIP_ID: + /* KSZ9567S Errata DS80000756A Module 4 */ case KSZ9896_CHIP_ID: + /* KSZ9896C Errata DS80000757A Module 3 */ case KSZ9897_CHIP_ID: case LAN9646_CHIP_ID: - return true; + /* KSZ9897R Errata DS80000758C Module 4 */ + /* Energy Efficient Ethernet (EEE) feature select must be + * manually disabled + * The EEE feature is enabled by default, but it is not fully + * operational. It must be manually disabled through register + * controls. If not disabled, the PHY ports can auto-negotiate + * to enable EEE, and this feature can cause link drops when + * linked to another device supporting EEE. + * + * The same item appears in the errata for all switches above. + */ + break; } return false;

3 months, 3 weeks

1
0
0 0

[PATCH] gpio: sysfs: add missing mutex_destroy()

by Bartosz Golaszewski

From: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> We initialize the data->mutex in gpiod_export() but lack the corresponding mutex_destroy() in gpiod_unexport() causing a resource leak with mutex debugging enabled. Add the call right before kfreeing the GPIO data. Fixes: 6ffcb7971486 ("gpio: sysfs: use per-gpio locking") Cc: stable(a)vger.kernel.org Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> --- drivers/gpio/gpiolib-sysfs.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpio/gpiolib-sysfs.c b/drivers/gpio/gpiolib-sysfs.c index 4a3aa09dad9d..cd3381a4bc93 100644 --- a/drivers/gpio/gpiolib-sysfs.c +++ b/drivers/gpio/gpiolib-sysfs.c @@ -713,6 +713,7 @@ void gpiod_unexport(struct gpio_desc *desc) } put_device(dev); + mutex_destroy(&data->mutex); kfree(data); } EXPORT_SYMBOL_GPL(gpiod_unexport); -- 2.45.2

3 months, 3 weeks

2
6
0 0

FAILED: patch "[PATCH] ftrace: Fix preemption accounting for stacktrace filter" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 11aff32439df6ca5b3b891b43032faf88f4a6a29 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051939-front-expediter-3ddd@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 11aff32439df6ca5b3b891b43032faf88f4a6a29 Mon Sep 17 00:00:00 2001 From: pengdonglin <pengdonglin(a)xiaomi.com> Date: Mon, 12 May 2025 17:42:46 +0800 Subject: [PATCH] ftrace: Fix preemption accounting for stacktrace filter command The preemption count of the stacktrace filter command to trace ksys_read is consistently incorrect: $ echo ksys_read:stacktrace > set_ftrace_filter <...>-453 [004] ...1. 38.308956: <stack trace> => ksys_read => do_syscall_64 => entry_SYSCALL_64_after_hwframe The root cause is that the trace framework disables preemption when invoking the filter command callback in function_trace_probe_call: preempt_disable_notrace(); probe_ops->func(ip, parent_ip, probe_opsbe->tr, probe_ops, probe->data); preempt_enable_notrace(); Use tracing_gen_ctx_dec() to account for the preempt_disable_notrace(), which will output the correct preemption count: $ echo ksys_read:stacktrace > set_ftrace_filter <...>-410 [006] ..... 31.420396: <stack trace> => ksys_read => do_syscall_64 => entry_SYSCALL_64_after_hwframe Cc: stable(a)vger.kernel.org Fixes: 36590c50b2d07 ("tracing: Merge irqflags + preempt counter.") Link: https://lore.kernel.org/20250512094246.1167956-2-dolinux.peng@gmail.com Signed-off-by: pengdonglin <dolinux.peng(a)gmail.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/trace_functions.c b/kernel/trace/trace_functions.c index 98ccf3f00c51..4e37a0f6aaa3 100644 --- a/kernel/trace/trace_functions.c +++ b/kernel/trace/trace_functions.c @@ -633,11 +633,7 @@ ftrace_traceoff(unsigned long ip, unsigned long parent_ip, static __always_inline void trace_stack(struct trace_array *tr) { - unsigned int trace_ctx; - - trace_ctx = tracing_gen_ctx(); - - __trace_stack(tr, trace_ctx, FTRACE_STACK_SKIP); + __trace_stack(tr, tracing_gen_ctx_dec(), FTRACE_STACK_SKIP); } static void

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] ftrace: Fix preemption accounting for stacktrace filter" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 11aff32439df6ca5b3b891b43032faf88f4a6a29 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051938-tweezers-vendor-8ef7@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 11aff32439df6ca5b3b891b43032faf88f4a6a29 Mon Sep 17 00:00:00 2001 From: pengdonglin <pengdonglin(a)xiaomi.com> Date: Mon, 12 May 2025 17:42:46 +0800 Subject: [PATCH] ftrace: Fix preemption accounting for stacktrace filter command The preemption count of the stacktrace filter command to trace ksys_read is consistently incorrect: $ echo ksys_read:stacktrace > set_ftrace_filter <...>-453 [004] ...1. 38.308956: <stack trace> => ksys_read => do_syscall_64 => entry_SYSCALL_64_after_hwframe The root cause is that the trace framework disables preemption when invoking the filter command callback in function_trace_probe_call: preempt_disable_notrace(); probe_ops->func(ip, parent_ip, probe_opsbe->tr, probe_ops, probe->data); preempt_enable_notrace(); Use tracing_gen_ctx_dec() to account for the preempt_disable_notrace(), which will output the correct preemption count: $ echo ksys_read:stacktrace > set_ftrace_filter <...>-410 [006] ..... 31.420396: <stack trace> => ksys_read => do_syscall_64 => entry_SYSCALL_64_after_hwframe Cc: stable(a)vger.kernel.org Fixes: 36590c50b2d07 ("tracing: Merge irqflags + preempt counter.") Link: https://lore.kernel.org/20250512094246.1167956-2-dolinux.peng@gmail.com Signed-off-by: pengdonglin <dolinux.peng(a)gmail.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/trace_functions.c b/kernel/trace/trace_functions.c index 98ccf3f00c51..4e37a0f6aaa3 100644 --- a/kernel/trace/trace_functions.c +++ b/kernel/trace/trace_functions.c @@ -633,11 +633,7 @@ ftrace_traceoff(unsigned long ip, unsigned long parent_ip, static __always_inline void trace_stack(struct trace_array *tr) { - unsigned int trace_ctx; - - trace_ctx = tracing_gen_ctx(); - - __trace_stack(tr, trace_ctx, FTRACE_STACK_SKIP); + __trace_stack(tr, tracing_gen_ctx_dec(), FTRACE_STACK_SKIP); } static void

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] ftrace: Fix preemption accounting for stacktrace trigger" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x e333332657f615ac2b55aa35565c4a882018bbe9 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051919-daintily-bountiful-20e1@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e333332657f615ac2b55aa35565c4a882018bbe9 Mon Sep 17 00:00:00 2001 From: pengdonglin <pengdonglin(a)xiaomi.com> Date: Mon, 12 May 2025 17:42:45 +0800 Subject: [PATCH] ftrace: Fix preemption accounting for stacktrace trigger command When using the stacktrace trigger command to trace syscalls, the preemption count was consistently reported as 1 when the system call event itself had 0 ("."). For example: root@ubuntu22-vm:/sys/kernel/tracing/events/syscalls/sys_enter_read $ echo stacktrace > trigger $ echo 1 > enable sshd-416 [002] ..... 232.864910: sys_read(fd: a, buf: 556b1f3221d0, count: 8000) sshd-416 [002] ...1. 232.864913: <stack trace> => ftrace_syscall_enter => syscall_trace_enter => do_syscall_64 => entry_SYSCALL_64_after_hwframe The root cause is that the trace framework disables preemption in __DO_TRACE before invoking the trigger callback. Use the tracing_gen_ctx_dec() that will accommodate for the increase of the preemption count in __DO_TRACE when calling the callback. The result is the accurate reporting of: sshd-410 [004] ..... 210.117660: sys_read(fd: 4, buf: 559b725ba130, count: 40000) sshd-410 [004] ..... 210.117662: <stack trace> => ftrace_syscall_enter => syscall_trace_enter => do_syscall_64 => entry_SYSCALL_64_after_hwframe Cc: stable(a)vger.kernel.org Fixes: ce33c845b030c ("tracing: Dump stacktrace trigger to the corresponding instance") Link: https://lore.kernel.org/20250512094246.1167956-1-dolinux.peng@gmail.com Signed-off-by: pengdonglin <dolinux.peng(a)gmail.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c index b66b6d235d91..6e87ae2a1a66 100644 --- a/kernel/trace/trace_events_trigger.c +++ b/kernel/trace/trace_events_trigger.c @@ -1560,7 +1560,7 @@ stacktrace_trigger(struct event_trigger_data *data, struct trace_event_file *file = data->private_data; if (file) - __trace_stack(file->tr, tracing_gen_ctx(), STACK_SKIP); + __trace_stack(file->tr, tracing_gen_ctx_dec(), STACK_SKIP); else trace_dump_stack(STACK_SKIP); }

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] ftrace: Fix preemption accounting for stacktrace trigger" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x e333332657f615ac2b55aa35565c4a882018bbe9 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051918-embellish-voting-0097@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e333332657f615ac2b55aa35565c4a882018bbe9 Mon Sep 17 00:00:00 2001 From: pengdonglin <pengdonglin(a)xiaomi.com> Date: Mon, 12 May 2025 17:42:45 +0800 Subject: [PATCH] ftrace: Fix preemption accounting for stacktrace trigger command When using the stacktrace trigger command to trace syscalls, the preemption count was consistently reported as 1 when the system call event itself had 0 ("."). For example: root@ubuntu22-vm:/sys/kernel/tracing/events/syscalls/sys_enter_read $ echo stacktrace > trigger $ echo 1 > enable sshd-416 [002] ..... 232.864910: sys_read(fd: a, buf: 556b1f3221d0, count: 8000) sshd-416 [002] ...1. 232.864913: <stack trace> => ftrace_syscall_enter => syscall_trace_enter => do_syscall_64 => entry_SYSCALL_64_after_hwframe The root cause is that the trace framework disables preemption in __DO_TRACE before invoking the trigger callback. Use the tracing_gen_ctx_dec() that will accommodate for the increase of the preemption count in __DO_TRACE when calling the callback. The result is the accurate reporting of: sshd-410 [004] ..... 210.117660: sys_read(fd: 4, buf: 559b725ba130, count: 40000) sshd-410 [004] ..... 210.117662: <stack trace> => ftrace_syscall_enter => syscall_trace_enter => do_syscall_64 => entry_SYSCALL_64_after_hwframe Cc: stable(a)vger.kernel.org Fixes: ce33c845b030c ("tracing: Dump stacktrace trigger to the corresponding instance") Link: https://lore.kernel.org/20250512094246.1167956-1-dolinux.peng@gmail.com Signed-off-by: pengdonglin <dolinux.peng(a)gmail.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c index b66b6d235d91..6e87ae2a1a66 100644 --- a/kernel/trace/trace_events_trigger.c +++ b/kernel/trace/trace_events_trigger.c @@ -1560,7 +1560,7 @@ stacktrace_trigger(struct event_trigger_data *data, struct trace_event_file *file = data->private_data; if (file) - __trace_stack(file->tr, tracing_gen_ctx(), STACK_SKIP); + __trace_stack(file->tr, tracing_gen_ctx_dec(), STACK_SKIP); else trace_dump_stack(STACK_SKIP); }

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] i2c: designware: Fix an error handling path in" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 1cfe51ef07ca3286581d612debfb0430eeccbb65 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051957-stagnant-footsore-4840@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1cfe51ef07ca3286581d612debfb0430eeccbb65 Mon Sep 17 00:00:00 2001 From: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> Date: Tue, 13 May 2025 19:56:41 +0200 Subject: [PATCH] i2c: designware: Fix an error handling path in i2c_dw_pci_probe() If navi_amd_register_client() fails, the previous i2c_dw_probe() call should be undone by a corresponding i2c_del_adapter() call, as already done in the remove function. Fixes: 17631e8ca2d3 ("i2c: designware: Add driver support for AMD NAVI GPU") Signed-off-by: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> Cc: <stable(a)vger.kernel.org> # v5.13+ Acked-by: Jarkko Nikula <jarkko.nikula(a)linux.intel.com> Signed-off-by: Andi Shyti <andi.shyti(a)kernel.org> Link: https://lore.kernel.org/r/fcd9651835a32979df8802b2db9504c523a8ebbb.17471589… diff --git a/drivers/i2c/busses/i2c-designware-pcidrv.c b/drivers/i2c/busses/i2c-designware-pcidrv.c index 8e0267c7cc29..f21f9877c040 100644 --- a/drivers/i2c/busses/i2c-designware-pcidrv.c +++ b/drivers/i2c/busses/i2c-designware-pcidrv.c @@ -278,9 +278,11 @@ static int i2c_dw_pci_probe(struct pci_dev *pdev, if ((dev->flags & MODEL_MASK) == MODEL_AMD_NAVI_GPU) { dev->slave = i2c_new_ccgx_ucsi(&dev->adapter, dev->irq, &dgpu_node); - if (IS_ERR(dev->slave)) + if (IS_ERR(dev->slave)) { + i2c_del_adapter(&dev->adapter); return dev_err_probe(device, PTR_ERR(dev->slave), "register UCSI failed\n"); + } } pm_runtime_set_autosuspend_delay(device, 1000);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] i2c: designware: Fix an error handling path in" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 1cfe51ef07ca3286581d612debfb0430eeccbb65 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051956-squealer-murky-a238@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1cfe51ef07ca3286581d612debfb0430eeccbb65 Mon Sep 17 00:00:00 2001 From: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> Date: Tue, 13 May 2025 19:56:41 +0200 Subject: [PATCH] i2c: designware: Fix an error handling path in i2c_dw_pci_probe() If navi_amd_register_client() fails, the previous i2c_dw_probe() call should be undone by a corresponding i2c_del_adapter() call, as already done in the remove function. Fixes: 17631e8ca2d3 ("i2c: designware: Add driver support for AMD NAVI GPU") Signed-off-by: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> Cc: <stable(a)vger.kernel.org> # v5.13+ Acked-by: Jarkko Nikula <jarkko.nikula(a)linux.intel.com> Signed-off-by: Andi Shyti <andi.shyti(a)kernel.org> Link: https://lore.kernel.org/r/fcd9651835a32979df8802b2db9504c523a8ebbb.17471589… diff --git a/drivers/i2c/busses/i2c-designware-pcidrv.c b/drivers/i2c/busses/i2c-designware-pcidrv.c index 8e0267c7cc29..f21f9877c040 100644 --- a/drivers/i2c/busses/i2c-designware-pcidrv.c +++ b/drivers/i2c/busses/i2c-designware-pcidrv.c @@ -278,9 +278,11 @@ static int i2c_dw_pci_probe(struct pci_dev *pdev, if ((dev->flags & MODEL_MASK) == MODEL_AMD_NAVI_GPU) { dev->slave = i2c_new_ccgx_ucsi(&dev->adapter, dev->irq, &dgpu_node); - if (IS_ERR(dev->slave)) + if (IS_ERR(dev->slave)) { + i2c_del_adapter(&dev->adapter); return dev_err_probe(device, PTR_ERR(dev->slave), "register UCSI failed\n"); + } } pm_runtime_set_autosuspend_delay(device, 1000);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] i2c: designware: Fix an error handling path in" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 1cfe51ef07ca3286581d612debfb0430eeccbb65 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051956-employed-unranked-500c@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1cfe51ef07ca3286581d612debfb0430eeccbb65 Mon Sep 17 00:00:00 2001 From: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> Date: Tue, 13 May 2025 19:56:41 +0200 Subject: [PATCH] i2c: designware: Fix an error handling path in i2c_dw_pci_probe() If navi_amd_register_client() fails, the previous i2c_dw_probe() call should be undone by a corresponding i2c_del_adapter() call, as already done in the remove function. Fixes: 17631e8ca2d3 ("i2c: designware: Add driver support for AMD NAVI GPU") Signed-off-by: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> Cc: <stable(a)vger.kernel.org> # v5.13+ Acked-by: Jarkko Nikula <jarkko.nikula(a)linux.intel.com> Signed-off-by: Andi Shyti <andi.shyti(a)kernel.org> Link: https://lore.kernel.org/r/fcd9651835a32979df8802b2db9504c523a8ebbb.17471589… diff --git a/drivers/i2c/busses/i2c-designware-pcidrv.c b/drivers/i2c/busses/i2c-designware-pcidrv.c index 8e0267c7cc29..f21f9877c040 100644 --- a/drivers/i2c/busses/i2c-designware-pcidrv.c +++ b/drivers/i2c/busses/i2c-designware-pcidrv.c @@ -278,9 +278,11 @@ static int i2c_dw_pci_probe(struct pci_dev *pdev, if ((dev->flags & MODEL_MASK) == MODEL_AMD_NAVI_GPU) { dev->slave = i2c_new_ccgx_ucsi(&dev->adapter, dev->irq, &dgpu_node); - if (IS_ERR(dev->slave)) + if (IS_ERR(dev->slave)) { + i2c_del_adapter(&dev->adapter); return dev_err_probe(device, PTR_ERR(dev->slave), "register UCSI failed\n"); + } } pm_runtime_set_autosuspend_delay(device, 1000);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] dma-buf: insert memory barrier before updating num_fences" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 72c7d62583ebce7baeb61acce6057c361f73be4a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051949-keep-opposing-04c8@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 72c7d62583ebce7baeb61acce6057c361f73be4a Mon Sep 17 00:00:00 2001 From: Hyejeong Choi <hjeong.choi(a)samsung.com> Date: Mon, 12 May 2025 21:06:38 -0500 Subject: [PATCH] dma-buf: insert memory barrier before updating num_fences MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit smp_store_mb() inserts memory barrier after storing operation. It is different with what the comment is originally aiming so Null pointer dereference can be happened if memory update is reordered. Signed-off-by: Hyejeong Choi <hjeong.choi(a)samsung.com> Fixes: a590d0fdbaa5 ("dma-buf: Update reservation shared_count after adding the new fence") CC: stable(a)vger.kernel.org Reviewed-by: Christian König <christian.koenig(a)amd.com> Link: https://lore.kernel.org/r/20250513020638.GA2329653@au1-maretx-p37.eng.sarc.… Signed-off-by: Christian König <christian.koenig(a)amd.com> diff --git a/drivers/dma-buf/dma-resv.c b/drivers/dma-buf/dma-resv.c index 5f8d010516f0..b1ef4546346d 100644 --- a/drivers/dma-buf/dma-resv.c +++ b/drivers/dma-buf/dma-resv.c @@ -320,8 +320,9 @@ void dma_resv_add_fence(struct dma_resv *obj, struct dma_fence *fence, count++; dma_resv_list_set(fobj, i, fence, usage); - /* pointer update must be visible before we extend the num_fences */ - smp_store_mb(fobj->num_fences, count); + /* fence update must be visible before we extend the num_fences */ + smp_wmb(); + fobj->num_fences = count; } EXPORT_SYMBOL(dma_resv_add_fence);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] dma-buf: insert memory barrier before updating num_fences" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 72c7d62583ebce7baeb61acce6057c361f73be4a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051949-jaywalker-stargazer-fc9f@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 72c7d62583ebce7baeb61acce6057c361f73be4a Mon Sep 17 00:00:00 2001 From: Hyejeong Choi <hjeong.choi(a)samsung.com> Date: Mon, 12 May 2025 21:06:38 -0500 Subject: [PATCH] dma-buf: insert memory barrier before updating num_fences MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit smp_store_mb() inserts memory barrier after storing operation. It is different with what the comment is originally aiming so Null pointer dereference can be happened if memory update is reordered. Signed-off-by: Hyejeong Choi <hjeong.choi(a)samsung.com> Fixes: a590d0fdbaa5 ("dma-buf: Update reservation shared_count after adding the new fence") CC: stable(a)vger.kernel.org Reviewed-by: Christian König <christian.koenig(a)amd.com> Link: https://lore.kernel.org/r/20250513020638.GA2329653@au1-maretx-p37.eng.sarc.… Signed-off-by: Christian König <christian.koenig(a)amd.com> diff --git a/drivers/dma-buf/dma-resv.c b/drivers/dma-buf/dma-resv.c index 5f8d010516f0..b1ef4546346d 100644 --- a/drivers/dma-buf/dma-resv.c +++ b/drivers/dma-buf/dma-resv.c @@ -320,8 +320,9 @@ void dma_resv_add_fence(struct dma_resv *obj, struct dma_fence *fence, count++; dma_resv_list_set(fobj, i, fence, usage); - /* pointer update must be visible before we extend the num_fences */ - smp_store_mb(fobj->num_fences, count); + /* fence update must be visible before we extend the num_fences */ + smp_wmb(); + fobj->num_fences = count; } EXPORT_SYMBOL(dma_resv_add_fence);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] ALSA: usb-audio: Add sample rate quirk for Audioengine D1" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 2b24eb060c2bb9ef79e1d3bcf633ba1bc95215d6 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051950-washer-silica-cf99@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2b24eb060c2bb9ef79e1d3bcf633ba1bc95215d6 Mon Sep 17 00:00:00 2001 From: Christian Heusel <christian(a)heusel.eu> Date: Mon, 12 May 2025 22:23:37 +0200 Subject: [PATCH] ALSA: usb-audio: Add sample rate quirk for Audioengine D1 A user reported on the Arch Linux Forums that their device is emitting the following message in the kernel journal, which is fixed by adding the quirk as submitted in this patch: > kernel: usb 1-2: current rate 8436480 is different from the runtime rate 48000 There also is an entry for this product line added long time ago. Their specific device has the following ID: $ lsusb | grep Audio Bus 001 Device 002: ID 1101:0003 EasyPass Industrial Co., Ltd Audioengine D1 Link: https://bbs.archlinux.org/viewtopic.php?id=305494 Fixes: 93f9d1a4ac593 ("ALSA: usb-audio: Apply sample rate quirk for Audioengine D1") Cc: stable(a)vger.kernel.org Signed-off-by: Christian Heusel <christian(a)heusel.eu> Link: https://patch.msgid.link/20250512-audioengine-quirk-addition-v1-1-4c370af6e… Signed-off-by: Takashi Iwai <tiwai(a)suse.de> diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c index 9112313a9dbc..eb192834db68 100644 --- a/sound/usb/quirks.c +++ b/sound/usb/quirks.c @@ -2250,6 +2250,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = { QUIRK_FLAG_FIXED_RATE), DEVICE_FLG(0x0fd9, 0x0008, /* Hauppauge HVR-950Q */ QUIRK_FLAG_SHARE_MEDIA_DEVICE | QUIRK_FLAG_ALIGN_TRANSFER), + DEVICE_FLG(0x1101, 0x0003, /* Audioengine D1 */ + QUIRK_FLAG_GET_SAMPLE_RATE), DEVICE_FLG(0x1224, 0x2a25, /* Jieli Technology USB PHY 2.0 */ QUIRK_FLAG_GET_SAMPLE_RATE | QUIRK_FLAG_MIC_RES_16), DEVICE_FLG(0x1395, 0x740a, /* Sennheiser DECT */

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] ALSA: usb-audio: Add sample rate quirk for Audioengine D1" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 2b24eb060c2bb9ef79e1d3bcf633ba1bc95215d6 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051950-shrunk-outboard-edca@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2b24eb060c2bb9ef79e1d3bcf633ba1bc95215d6 Mon Sep 17 00:00:00 2001 From: Christian Heusel <christian(a)heusel.eu> Date: Mon, 12 May 2025 22:23:37 +0200 Subject: [PATCH] ALSA: usb-audio: Add sample rate quirk for Audioengine D1 A user reported on the Arch Linux Forums that their device is emitting the following message in the kernel journal, which is fixed by adding the quirk as submitted in this patch: > kernel: usb 1-2: current rate 8436480 is different from the runtime rate 48000 There also is an entry for this product line added long time ago. Their specific device has the following ID: $ lsusb | grep Audio Bus 001 Device 002: ID 1101:0003 EasyPass Industrial Co., Ltd Audioengine D1 Link: https://bbs.archlinux.org/viewtopic.php?id=305494 Fixes: 93f9d1a4ac593 ("ALSA: usb-audio: Apply sample rate quirk for Audioengine D1") Cc: stable(a)vger.kernel.org Signed-off-by: Christian Heusel <christian(a)heusel.eu> Link: https://patch.msgid.link/20250512-audioengine-quirk-addition-v1-1-4c370af6e… Signed-off-by: Takashi Iwai <tiwai(a)suse.de> diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c index 9112313a9dbc..eb192834db68 100644 --- a/sound/usb/quirks.c +++ b/sound/usb/quirks.c @@ -2250,6 +2250,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = { QUIRK_FLAG_FIXED_RATE), DEVICE_FLG(0x0fd9, 0x0008, /* Hauppauge HVR-950Q */ QUIRK_FLAG_SHARE_MEDIA_DEVICE | QUIRK_FLAG_ALIGN_TRANSFER), + DEVICE_FLG(0x1101, 0x0003, /* Audioengine D1 */ + QUIRK_FLAG_GET_SAMPLE_RATE), DEVICE_FLG(0x1224, 0x2a25, /* Jieli Technology USB PHY 2.0 */ QUIRK_FLAG_GET_SAMPLE_RATE | QUIRK_FLAG_MIC_RES_16), DEVICE_FLG(0x1395, 0x740a, /* Sennheiser DECT */

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix discard worker infinite loop after disabling" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 54db6d1bdd71fa90172a2a6aca3308bbf7fa7eb5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051954-gratified-manager-da96@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 54db6d1bdd71fa90172a2a6aca3308bbf7fa7eb5 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 5 May 2025 16:03:16 +0100 Subject: [PATCH] btrfs: fix discard worker infinite loop after disabling discard If the discard worker is running and there's currently only one block group, that block group is a data block group, it's in the unused block groups discard list and is being used (it got an extent allocated from it after becoming unused), the worker can end up in an infinite loop if a transaction abort happens or the async discard is disabled (during remount or unmount for example). This happens like this: 1) Task A, the discard worker, is at peek_discard_list() and find_next_block_group() returns block group X; 2) Block group X is in the unused block groups discard list (its discard index is BTRFS_DISCARD_INDEX_UNUSED) since at some point in the past it become an unused block group and was added to that list, but then later it got an extent allocated from it, so its ->used counter is not zero anymore; 3) The current transaction is aborted by task B and we end up at __btrfs_handle_fs_error() in the transaction abort path, where we call btrfs_discard_stop(), which clears BTRFS_FS_DISCARD_RUNNING from fs_info, and then at __btrfs_handle_fs_error() we set the fs to RO mode (setting SB_RDONLY in the super block's s_flags field); 4) Task A calls __add_to_discard_list() with the goal of moving the block group from the unused block groups discard list into another discard list, but at __add_to_discard_list() we end up doing nothing because btrfs_run_discard_work() returns false, since the super block has SB_RDONLY set in its flags and BTRFS_FS_DISCARD_RUNNING is not set anymore in fs_info->flags. So block group X remains in the unused block groups discard list; 5) Task A then does a goto into the 'again' label, calls find_next_block_group() again we gets block group X again. Then it repeats the previous steps over and over since there are not other block groups in the discard lists and block group X is never moved out of the unused block groups discard list since btrfs_run_discard_work() keeps returning false and therefore __add_to_discard_list() doesn't move block group X out of that discard list. When this happens we can get a soft lockup report like this: [71.957] watchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:3:97] [71.957] Modules linked in: xfs af_packet rfkill (...) [71.957] CPU: 0 UID: 0 PID: 97 Comm: kworker/u4:3 Tainted: G W 6.14.2-1-default #1 openSUSE Tumbleweed 968795ef2b1407352128b466fe887416c33af6fa [71.957] Tainted: [W]=WARN [71.957] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 [71.957] Workqueue: btrfs_discard btrfs_discard_workfn [btrfs] [71.957] RIP: 0010:btrfs_discard_workfn+0xc4/0x400 [btrfs] [71.957] Code: c1 01 48 83 (...) [71.957] RSP: 0018:ffffafaec03efe08 EFLAGS: 00000246 [71.957] RAX: ffff897045500000 RBX: ffff8970413ed8d0 RCX: 0000000000000000 [71.957] RDX: 0000000000000001 RSI: ffff8970413ed8d0 RDI: 0000000a8f1272ad [71.957] RBP: 0000000a9d61c60e R08: ffff897045500140 R09: 8080808080808080 [71.957] R10: ffff897040276800 R11: fefefefefefefeff R12: ffff8970413ed860 [71.957] R13: ffff897045500000 R14: ffff8970413ed868 R15: 0000000000000000 [71.957] FS: 0000000000000000(0000) GS:ffff89707bc00000(0000) knlGS:0000000000000000 [71.957] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [71.957] CR2: 00005605bcc8d2f0 CR3: 000000010376a001 CR4: 0000000000770ef0 [71.957] PKRU: 55555554 [71.957] Call Trace: [71.957] <TASK> [71.957] process_one_work+0x17e/0x330 [71.957] worker_thread+0x2ce/0x3f0 [71.957] ? __pfx_worker_thread+0x10/0x10 [71.957] kthread+0xef/0x220 [71.957] ? __pfx_kthread+0x10/0x10 [71.957] ret_from_fork+0x34/0x50 [71.957] ? __pfx_kthread+0x10/0x10 [71.957] ret_from_fork_asm+0x1a/0x30 [71.957] </TASK> [71.957] Kernel panic - not syncing: softlockup: hung tasks [71.987] CPU: 0 UID: 0 PID: 97 Comm: kworker/u4:3 Tainted: G W L 6.14.2-1-default #1 openSUSE Tumbleweed 968795ef2b1407352128b466fe887416c33af6fa [71.989] Tainted: [W]=WARN, [L]=SOFTLOCKUP [71.989] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 [71.991] Workqueue: btrfs_discard btrfs_discard_workfn [btrfs] [71.992] Call Trace: [71.993] <IRQ> [71.994] dump_stack_lvl+0x5a/0x80 [71.994] panic+0x10b/0x2da [71.995] watchdog_timer_fn.cold+0x9a/0xa1 [71.996] ? __pfx_watchdog_timer_fn+0x10/0x10 [71.997] __hrtimer_run_queues+0x132/0x2a0 [71.997] hrtimer_interrupt+0xff/0x230 [71.998] __sysvec_apic_timer_interrupt+0x55/0x100 [71.999] sysvec_apic_timer_interrupt+0x6c/0x90 [72.000] </IRQ> [72.000] <TASK> [72.001] asm_sysvec_apic_timer_interrupt+0x1a/0x20 [72.002] RIP: 0010:btrfs_discard_workfn+0xc4/0x400 [btrfs] [72.002] Code: c1 01 48 83 (...) [72.005] RSP: 0018:ffffafaec03efe08 EFLAGS: 00000246 [72.006] RAX: ffff897045500000 RBX: ffff8970413ed8d0 RCX: 0000000000000000 [72.006] RDX: 0000000000000001 RSI: ffff8970413ed8d0 RDI: 0000000a8f1272ad [72.007] RBP: 0000000a9d61c60e R08: ffff897045500140 R09: 8080808080808080 [72.008] R10: ffff897040276800 R11: fefefefefefefeff R12: ffff8970413ed860 [72.009] R13: ffff897045500000 R14: ffff8970413ed868 R15: 0000000000000000 [72.010] ? btrfs_discard_workfn+0x51/0x400 [btrfs 23b01089228eb964071fb7ca156eee8cd3bf996f] [72.011] process_one_work+0x17e/0x330 [72.012] worker_thread+0x2ce/0x3f0 [72.013] ? __pfx_worker_thread+0x10/0x10 [72.014] kthread+0xef/0x220 [72.014] ? __pfx_kthread+0x10/0x10 [72.015] ret_from_fork+0x34/0x50 [72.015] ? __pfx_kthread+0x10/0x10 [72.016] ret_from_fork_asm+0x1a/0x30 [72.017] </TASK> [72.017] Kernel Offset: 0x15000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [72.019] Rebooting in 90 seconds.. So fix this by making sure we move a block group out of the unused block groups discard list when calling __add_to_discard_list(). Fixes: 2bee7eb8bb81 ("btrfs: discard one region at a time in async discard") Link: https://bugzilla.suse.com/show_bug.cgi?id=1242012 CC: stable(a)vger.kernel.org # 5.10+ Reviewed-by: Boris Burkov <boris(a)bur.io> Reviewed-by: Daniel Vacek <neelx(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/discard.c b/fs/btrfs/discard.c index d6eef4bd9e9d..de23c4b3515e 100644 --- a/fs/btrfs/discard.c +++ b/fs/btrfs/discard.c @@ -94,8 +94,6 @@ static void __add_to_discard_list(struct btrfs_discard_ctl *discard_ctl, struct btrfs_block_group *block_group) { lockdep_assert_held(&discard_ctl->lock); - if (!btrfs_run_discard_work(discard_ctl)) - return; if (list_empty(&block_group->discard_list) || block_group->discard_index == BTRFS_DISCARD_INDEX_UNUSED) { @@ -118,6 +116,9 @@ static void add_to_discard_list(struct btrfs_discard_ctl *discard_ctl, if (!btrfs_is_block_group_data_only(block_group)) return; + if (!btrfs_run_discard_work(discard_ctl)) + return; + spin_lock(&discard_ctl->lock); __add_to_discard_list(discard_ctl, block_group); spin_unlock(&discard_ctl->lock); @@ -244,6 +245,18 @@ static struct btrfs_block_group *peek_discard_list( block_group->used != 0) { if (btrfs_is_block_group_data_only(block_group)) { __add_to_discard_list(discard_ctl, block_group); + /* + * The block group must have been moved to other + * discard list even if discard was disabled in + * the meantime or a transaction abort happened, + * otherwise we can end up in an infinite loop, + * always jumping into the 'again' label and + * keep getting this block group over and over + * in case there are no other block groups in + * the discard lists. + */ + ASSERT(block_group->discard_index != + BTRFS_DISCARD_INDEX_UNUSED); } else { list_del_init(&block_group->discard_list); btrfs_put_block_group(block_group);

3 months, 3 weeks

1
0
0 0

[PATCH] net: atlantic: Add error handling in set_raw_ingress_record()

by Wentao Liang

The set_raw_ingress_record() calls aq_mss_mdio_write() but does not check the return value. A proper implementation can be found in get_raw_ingress_record(). Add error handling for aq_mss_mdio_write(). If the write fails, return immediately. Fixes: b8f8a0b7b5cb ("net: atlantic: MACSec ingress offload HW bindings") Cc: stable(a)vger.kernel.org # v5.7 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- .../aquantia/atlantic/macsec/macsec_api.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c b/drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c index 431924959520..5e87f8b749c5 100644 --- a/drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c +++ b/drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c @@ -62,6 +62,7 @@ static int set_raw_ingress_record(struct aq_hw_s *hw, u16 *packed_record, { struct mss_ingress_lut_addr_ctl_register lut_sel_reg; struct mss_ingress_lut_ctl_register lut_op_reg; + int ret; unsigned int i; @@ -105,11 +106,15 @@ static int set_raw_ingress_record(struct aq_hw_s *hw, u16 *packed_record, lut_op_reg.bits_0.lut_read = 0; lut_op_reg.bits_0.lut_write = 1; - aq_mss_mdio_write(hw, MDIO_MMD_VEND1, - MSS_INGRESS_LUT_ADDR_CTL_REGISTER_ADDR, - lut_sel_reg.word_0); - aq_mss_mdio_write(hw, MDIO_MMD_VEND1, MSS_INGRESS_LUT_CTL_REGISTER_ADDR, - lut_op_reg.word_0); + ret = aq_mss_mdio_write(hw, MDIO_MMD_VEND1, + MSS_INGRESS_LUT_ADDR_CTL_REGISTER_ADDR, + lut_sel_reg.word_0); + if (unlikely(ret)) + return ret; + ret = aq_mss_mdio_write(hw, MDIO_MMD_VEND1, MSS_INGRESS_LUT_CTL_REGISTER_ADDR, + lut_op_reg.word_0); + if (unlikely(ret)) + return ret; return 0; } -- 2.42.0.windows.2

3 months, 3 weeks

3
2
0 0

FAILED: patch "[PATCH] gpio: pca953x: fix IRQ storm on system wake up" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 3e38f946062b4845961ab86b726651b4457b2af8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051941-unpeeled-unhealthy-c905@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 3e38f946062b4845961ab86b726651b4457b2af8 Mon Sep 17 00:00:00 2001 From: Emanuele Ghidoli <emanuele.ghidoli(a)toradex.com> Date: Mon, 12 May 2025 11:54:41 +0200 Subject: [PATCH] gpio: pca953x: fix IRQ storm on system wake up If an input changes state during wake-up and is used as an interrupt source, the IRQ handler reads the volatile input register to clear the interrupt mask and deassert the IRQ line. However, the IRQ handler is triggered before access to the register is granted, causing the read operation to fail. As a result, the IRQ handler enters a loop, repeatedly printing the "failed reading register" message, until `pca953x_resume()` is eventually called, which restores the driver context and enables access to registers. Fix by disabling the IRQ line before entering suspend mode, and re-enabling it after the driver context is restored in `pca953x_resume()`. An IRQ can be disabled with disable_irq() and still wake the system as long as the IRQ has wake enabled, so the wake-up functionality is preserved. Fixes: b76574300504 ("gpio: pca953x: Restore registers after suspend/resume cycle") Cc: stable(a)vger.kernel.org Signed-off-by: Emanuele Ghidoli <emanuele.ghidoli(a)toradex.com> Signed-off-by: Francesco Dolcini <francesco.dolcini(a)toradex.com> Reviewed-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Tested-by: Geert Uytterhoeven <geert+renesas(a)glider.be> Link: https://lore.kernel.org/r/20250512095441.31645-1-francesco@dolcini.it Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c index 442435ded020..13cc120cf11f 100644 --- a/drivers/gpio/gpio-pca953x.c +++ b/drivers/gpio/gpio-pca953x.c @@ -1204,6 +1204,8 @@ static int pca953x_restore_context(struct pca953x_chip *chip) guard(mutex)(&chip->i2c_lock); + if (chip->client->irq > 0) + enable_irq(chip->client->irq); regcache_cache_only(chip->regmap, false); regcache_mark_dirty(chip->regmap); ret = pca953x_regcache_sync(chip); @@ -1216,6 +1218,10 @@ static int pca953x_restore_context(struct pca953x_chip *chip) static void pca953x_save_context(struct pca953x_chip *chip) { guard(mutex)(&chip->i2c_lock); + + /* Disable IRQ to prevent early triggering while regmap "cache only" is on */ + if (chip->client->irq > 0) + disable_irq(chip->client->irq); regcache_cache_only(chip->regmap, true); }

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/amd/display: Defer BW-optimization-blocked DRR" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 874697e127931bf50a37ce9d96ee80f3a08a0c38 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051955-bloating-depress-5c89@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 874697e127931bf50a37ce9d96ee80f3a08a0c38 Mon Sep 17 00:00:00 2001 From: John Olender <john.olender(a)gmail.com> Date: Wed, 16 Apr 2025 02:54:26 -0400 Subject: [PATCH] drm/amd/display: Defer BW-optimization-blocked DRR adjustments [Why & How] Instead of dropping DRR updates, defer them. This fixes issues where monitor continues to see incorrect refresh rate after VRR was turned off by userspace. Fixes: 32953485c558 ("drm/amd/display: Do not update DRR while BW optimizations pending") Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3546 Reviewed-by: Sun peng Li <sunpeng.li(a)amd.com> Signed-off-by: John Olender <john.olender(a)gmail.com> Signed-off-by: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Signed-off-by: Ray Wu <ray.wu(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit 53761b7ecd83e6fbb9f2206f8c980a6aa308c844) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index 1525c408d452..cc01b9c68b47 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -372,6 +372,8 @@ get_crtc_by_otg_inst(struct amdgpu_device *adev, static inline bool is_dc_timing_adjust_needed(struct dm_crtc_state *old_state, struct dm_crtc_state *new_state) { + if (new_state->stream->adjust.timing_adjust_pending) + return true; if (new_state->freesync_config.state == VRR_STATE_ACTIVE_FIXED) return true; else if (amdgpu_dm_crtc_vrr_active(old_state) != amdgpu_dm_crtc_vrr_active(new_state)) diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c index 28d1353f403d..ba4ce8a63158 100644 --- a/drivers/gpu/drm/amd/display/dc/core/dc.c +++ b/drivers/gpu/drm/amd/display/dc/core/dc.c @@ -439,9 +439,12 @@ bool dc_stream_adjust_vmin_vmax(struct dc *dc, * Don't adjust DRR while there's bandwidth optimizations pending to * avoid conflicting with firmware updates. */ - if (dc->ctx->dce_version > DCE_VERSION_MAX) - if (dc->optimized_required || dc->wm_optimized_required) + if (dc->ctx->dce_version > DCE_VERSION_MAX) { + if (dc->optimized_required || dc->wm_optimized_required) { + stream->adjust.timing_adjust_pending = true; return false; + } + } dc_exit_ips_for_hw_access(dc); @@ -3168,7 +3171,8 @@ static void copy_stream_update_to_stream(struct dc *dc, if (update->crtc_timing_adjust) { if (stream->adjust.v_total_min != update->crtc_timing_adjust->v_total_min || - stream->adjust.v_total_max != update->crtc_timing_adjust->v_total_max) + stream->adjust.v_total_max != update->crtc_timing_adjust->v_total_max || + stream->adjust.timing_adjust_pending) update->crtc_timing_adjust->timing_adjust_pending = true; stream->adjust = *update->crtc_timing_adjust; update->crtc_timing_adjust->timing_adjust_pending = false;

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/amd/display: Defer BW-optimization-blocked DRR" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 874697e127931bf50a37ce9d96ee80f3a08a0c38 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051956-dayroom-vintage-a21f@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 874697e127931bf50a37ce9d96ee80f3a08a0c38 Mon Sep 17 00:00:00 2001 From: John Olender <john.olender(a)gmail.com> Date: Wed, 16 Apr 2025 02:54:26 -0400 Subject: [PATCH] drm/amd/display: Defer BW-optimization-blocked DRR adjustments [Why & How] Instead of dropping DRR updates, defer them. This fixes issues where monitor continues to see incorrect refresh rate after VRR was turned off by userspace. Fixes: 32953485c558 ("drm/amd/display: Do not update DRR while BW optimizations pending") Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3546 Reviewed-by: Sun peng Li <sunpeng.li(a)amd.com> Signed-off-by: John Olender <john.olender(a)gmail.com> Signed-off-by: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Signed-off-by: Ray Wu <ray.wu(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit 53761b7ecd83e6fbb9f2206f8c980a6aa308c844) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index 1525c408d452..cc01b9c68b47 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -372,6 +372,8 @@ get_crtc_by_otg_inst(struct amdgpu_device *adev, static inline bool is_dc_timing_adjust_needed(struct dm_crtc_state *old_state, struct dm_crtc_state *new_state) { + if (new_state->stream->adjust.timing_adjust_pending) + return true; if (new_state->freesync_config.state == VRR_STATE_ACTIVE_FIXED) return true; else if (amdgpu_dm_crtc_vrr_active(old_state) != amdgpu_dm_crtc_vrr_active(new_state)) diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c index 28d1353f403d..ba4ce8a63158 100644 --- a/drivers/gpu/drm/amd/display/dc/core/dc.c +++ b/drivers/gpu/drm/amd/display/dc/core/dc.c @@ -439,9 +439,12 @@ bool dc_stream_adjust_vmin_vmax(struct dc *dc, * Don't adjust DRR while there's bandwidth optimizations pending to * avoid conflicting with firmware updates. */ - if (dc->ctx->dce_version > DCE_VERSION_MAX) - if (dc->optimized_required || dc->wm_optimized_required) + if (dc->ctx->dce_version > DCE_VERSION_MAX) { + if (dc->optimized_required || dc->wm_optimized_required) { + stream->adjust.timing_adjust_pending = true; return false; + } + } dc_exit_ips_for_hw_access(dc); @@ -3168,7 +3171,8 @@ static void copy_stream_update_to_stream(struct dc *dc, if (update->crtc_timing_adjust) { if (stream->adjust.v_total_min != update->crtc_timing_adjust->v_total_min || - stream->adjust.v_total_max != update->crtc_timing_adjust->v_total_max) + stream->adjust.v_total_max != update->crtc_timing_adjust->v_total_max || + stream->adjust.timing_adjust_pending) update->crtc_timing_adjust->timing_adjust_pending = true; stream->adjust = *update->crtc_timing_adjust; update->crtc_timing_adjust->timing_adjust_pending = false;

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/amd/display: Defer BW-optimization-blocked DRR" failed to apply to 6.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.14.y git checkout FETCH_HEAD git cherry-pick -x 874697e127931bf50a37ce9d96ee80f3a08a0c38 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051955-attitude-power-7034@gregkh' --subject-prefix 'PATCH 6.14.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 874697e127931bf50a37ce9d96ee80f3a08a0c38 Mon Sep 17 00:00:00 2001 From: John Olender <john.olender(a)gmail.com> Date: Wed, 16 Apr 2025 02:54:26 -0400 Subject: [PATCH] drm/amd/display: Defer BW-optimization-blocked DRR adjustments [Why & How] Instead of dropping DRR updates, defer them. This fixes issues where monitor continues to see incorrect refresh rate after VRR was turned off by userspace. Fixes: 32953485c558 ("drm/amd/display: Do not update DRR while BW optimizations pending") Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3546 Reviewed-by: Sun peng Li <sunpeng.li(a)amd.com> Signed-off-by: John Olender <john.olender(a)gmail.com> Signed-off-by: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Signed-off-by: Ray Wu <ray.wu(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit 53761b7ecd83e6fbb9f2206f8c980a6aa308c844) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index 1525c408d452..cc01b9c68b47 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -372,6 +372,8 @@ get_crtc_by_otg_inst(struct amdgpu_device *adev, static inline bool is_dc_timing_adjust_needed(struct dm_crtc_state *old_state, struct dm_crtc_state *new_state) { + if (new_state->stream->adjust.timing_adjust_pending) + return true; if (new_state->freesync_config.state == VRR_STATE_ACTIVE_FIXED) return true; else if (amdgpu_dm_crtc_vrr_active(old_state) != amdgpu_dm_crtc_vrr_active(new_state)) diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c index 28d1353f403d..ba4ce8a63158 100644 --- a/drivers/gpu/drm/amd/display/dc/core/dc.c +++ b/drivers/gpu/drm/amd/display/dc/core/dc.c @@ -439,9 +439,12 @@ bool dc_stream_adjust_vmin_vmax(struct dc *dc, * Don't adjust DRR while there's bandwidth optimizations pending to * avoid conflicting with firmware updates. */ - if (dc->ctx->dce_version > DCE_VERSION_MAX) - if (dc->optimized_required || dc->wm_optimized_required) + if (dc->ctx->dce_version > DCE_VERSION_MAX) { + if (dc->optimized_required || dc->wm_optimized_required) { + stream->adjust.timing_adjust_pending = true; return false; + } + } dc_exit_ips_for_hw_access(dc); @@ -3168,7 +3171,8 @@ static void copy_stream_update_to_stream(struct dc *dc, if (update->crtc_timing_adjust) { if (stream->adjust.v_total_min != update->crtc_timing_adjust->v_total_min || - stream->adjust.v_total_max != update->crtc_timing_adjust->v_total_max) + stream->adjust.v_total_max != update->crtc_timing_adjust->v_total_max || + stream->adjust.timing_adjust_pending) update->crtc_timing_adjust->timing_adjust_pending = true; stream->adjust = *update->crtc_timing_adjust; update->crtc_timing_adjust->timing_adjust_pending = false;

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/amd/display: Avoid flooding unnecessary info messages" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x d33724ffb743d3d2698bd969e29253ae0cff9739 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051942-empty-unlivable-7496@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d33724ffb743d3d2698bd969e29253ae0cff9739 Mon Sep 17 00:00:00 2001 From: Wayne Lin <Wayne.Lin(a)amd.com> Date: Tue, 13 May 2025 11:20:24 +0800 Subject: [PATCH] drm/amd/display: Avoid flooding unnecessary info messages It's expected that we'll encounter temporary exceptions during aux transactions. Adjust logging from drm_info to drm_dbg_dp to prevent flooding with unnecessary log messages. Fixes: 3637e457eb00 ("drm/amd/display: Fix wrong handling for AUX_DEFER case") Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Wayne Lin <Wayne.Lin(a)amd.com> Acked-by: Alex Deucher <alexander.deucher(a)amd.com> Link: https://lore.kernel.org/r/20250513032026.838036-1-Wayne.Lin@amd.com Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit 9a9c3e1fe5256da14a0a307dff0478f90c55fc8c) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c index c93eef6f7a6b..5cdbc86ef8f5 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c @@ -107,7 +107,7 @@ static ssize_t dm_dp_aux_transfer(struct drm_dp_aux *aux, if (payload.write && result >= 0) { if (result) { /*one byte indicating partially written bytes*/ - drm_info(adev_to_drm(adev), "amdgpu: AUX partially written\n"); + drm_dbg_dp(adev_to_drm(adev), "amdgpu: AUX partially written\n"); result = payload.data[0]; } else if (!payload.reply[0]) /*I2C_ACK|AUX_ACK*/ @@ -133,11 +133,11 @@ static ssize_t dm_dp_aux_transfer(struct drm_dp_aux *aux, break; } - drm_info(adev_to_drm(adev), "amdgpu: DP AUX transfer fail:%d\n", operation_result); + drm_dbg_dp(adev_to_drm(adev), "amdgpu: DP AUX transfer fail:%d\n", operation_result); } if (payload.reply[0]) - drm_info(adev_to_drm(adev), "amdgpu: AUX reply command not ACK: 0x%02x.", + drm_dbg_dp(adev_to_drm(adev), "amdgpu: AUX reply command not ACK: 0x%02x.", payload.reply[0]); return result;

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/xe: Add WA BB to capture active context utilization" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 617d824c5323b8474b3665ae6c410c98b839e0b0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051925-crewman-endowment-b27d@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 617d824c5323b8474b3665ae6c410c98b839e0b0 Mon Sep 17 00:00:00 2001 From: Umesh Nerlige Ramappa <umesh.nerlige.ramappa(a)intel.com> Date: Fri, 9 May 2025 09:12:03 -0700 Subject: [PATCH] drm/xe: Add WA BB to capture active context utilization Context Timestamp (CTX_TIMESTAMP) in the LRC accumulates the run ticks of the context, but only gets updated when the context switches out. In order to check how long a context has been active before it switches out, two things are required: (1) Determine if the context is running: To do so, we program the WA BB to set an initial value for CTX_TIMESTAMP in the LRC. The value chosen is 1 since 0 is the initial value when the LRC is initialized. During a query, we just check for this value to determine if the context is active. If the context switched out, it would overwrite this location with the actual CTX_TIMESTAMP MMIO value. Note that WA BB runs as the last part of the context restore, so reusing this LRC location will not clobber anything. (2) Calculate the time that the context has been active for: The CTX_TIMESTAMP ticks only when the context is active. If a context is active, we just use the CTX_TIMESTAMP MMIO as the new value of utilization. While doing so, we need to read the CTX_TIMESTAMP MMIO for the specific engine instance. Since we do not know which instance the context is running on until it is scheduled, we also read the ENGINE_ID MMIO in the WA BB and store it in the PPHSWP. Using the above 2 instructions in a WA BB, capture active context utilization. v2: (Matt Brost) - This breaks TDR, fix it by saving the CTX_TIMESTAMP register "drm/xe: Save CTX_TIMESTAMP mmio value instead of LRC value" - Drop tile from LRC if using gt "drm/xe: Save the gt pointer in LRC and drop the tile" v3: - Remove helpers for bb_per_ctx_ptr (Matt) - Add define for context active value (Matt) - Use 64 bit CTX TIMESTAMP for platforms that support it. For platforms that don't, live with the rare race. (Matt, Lucas) - Convert engine id to hwe and get the MMIO value (Lucas) - Correct commit message on when WA BB runs (Lucas) v4: - s/GRAPHICS_VER(...)/xe->info.has_64bit_timestamp/ (Matt) - Drop support for active utilization on a VF (CI failure) - In xe_lrc_init ensure the lrc value is 0 to begin with (CI regression) v5: - Minor checkpatch fix - Squash into previous commit and make TDR use 32-bit time - Update code comment to match commit msg Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/4532 Cc: <stable(a)vger.kernel.org> # v6.13+ Suggested-by: Lucas De Marchi <lucas.demarchi(a)intel.com> Signed-off-by: Umesh Nerlige Ramappa <umesh.nerlige.ramappa(a)intel.com> Reviewed-by: Lucas De Marchi <lucas.demarchi(a)intel.com> Link: https://lore.kernel.org/r/20250509161159.2173069-8-umesh.nerlige.ramappa@in… (cherry picked from commit 82b98cadb01f63cdb159e596ec06866d00f8e8c7) Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> diff --git a/drivers/gpu/drm/xe/regs/xe_engine_regs.h b/drivers/gpu/drm/xe/regs/xe_engine_regs.h index fb8ec317b6ee..891f928d80ce 100644 --- a/drivers/gpu/drm/xe/regs/xe_engine_regs.h +++ b/drivers/gpu/drm/xe/regs/xe_engine_regs.h @@ -43,6 +43,10 @@ #define XEHPC_BCS8_RING_BASE 0x3ee000 #define GSCCS_RING_BASE 0x11a000 +#define ENGINE_ID(base) XE_REG((base) + 0x8c) +#define ENGINE_INSTANCE_ID REG_GENMASK(9, 4) +#define ENGINE_CLASS_ID REG_GENMASK(2, 0) + #define RING_TAIL(base) XE_REG((base) + 0x30) #define TAIL_ADDR REG_GENMASK(20, 3) @@ -154,6 +158,7 @@ #define STOP_RING REG_BIT(8) #define RING_CTX_TIMESTAMP(base) XE_REG((base) + 0x3a8) +#define RING_CTX_TIMESTAMP_UDW(base) XE_REG((base) + 0x3ac) #define CSBE_DEBUG_STATUS(base) XE_REG((base) + 0x3fc) #define RING_FORCE_TO_NONPRIV(base, i) XE_REG(((base) + 0x4d0) + (i) * 4) diff --git a/drivers/gpu/drm/xe/regs/xe_lrc_layout.h b/drivers/gpu/drm/xe/regs/xe_lrc_layout.h index 57944f90bbf6..994af591a2e8 100644 --- a/drivers/gpu/drm/xe/regs/xe_lrc_layout.h +++ b/drivers/gpu/drm/xe/regs/xe_lrc_layout.h @@ -11,7 +11,9 @@ #define CTX_RING_TAIL (0x06 + 1) #define CTX_RING_START (0x08 + 1) #define CTX_RING_CTL (0x0a + 1) +#define CTX_BB_PER_CTX_PTR (0x12 + 1) #define CTX_TIMESTAMP (0x22 + 1) +#define CTX_TIMESTAMP_UDW (0x24 + 1) #define CTX_INDIRECT_RING_STATE (0x26 + 1) #define CTX_PDP0_UDW (0x30 + 1) #define CTX_PDP0_LDW (0x32 + 1) diff --git a/drivers/gpu/drm/xe/xe_device_types.h b/drivers/gpu/drm/xe/xe_device_types.h index 9f8667ebba85..0482f26aa480 100644 --- a/drivers/gpu/drm/xe/xe_device_types.h +++ b/drivers/gpu/drm/xe/xe_device_types.h @@ -330,6 +330,8 @@ struct xe_device { u8 has_sriov:1; /** @info.has_usm: Device has unified shared memory support */ u8 has_usm:1; + /** @info.has_64bit_timestamp: Device supports 64-bit timestamps */ + u8 has_64bit_timestamp:1; /** @info.is_dgfx: is discrete device */ u8 is_dgfx:1; /** diff --git a/drivers/gpu/drm/xe/xe_exec_queue.c b/drivers/gpu/drm/xe/xe_exec_queue.c index 606922d9dd73..cd9b1c32f30f 100644 --- a/drivers/gpu/drm/xe/xe_exec_queue.c +++ b/drivers/gpu/drm/xe/xe_exec_queue.c @@ -830,7 +830,7 @@ void xe_exec_queue_update_run_ticks(struct xe_exec_queue *q) { struct xe_device *xe = gt_to_xe(q->gt); struct xe_lrc *lrc; - u32 old_ts, new_ts; + u64 old_ts, new_ts; int idx; /* diff --git a/drivers/gpu/drm/xe/xe_guc_submit.c b/drivers/gpu/drm/xe/xe_guc_submit.c index 31bc2022bfc2..769781d577df 100644 --- a/drivers/gpu/drm/xe/xe_guc_submit.c +++ b/drivers/gpu/drm/xe/xe_guc_submit.c @@ -941,7 +941,7 @@ static bool check_timeout(struct xe_exec_queue *q, struct xe_sched_job *job) return xe_sched_invalidate_job(job, 2); } - ctx_timestamp = xe_lrc_ctx_timestamp(q->lrc[0]); + ctx_timestamp = lower_32_bits(xe_lrc_ctx_timestamp(q->lrc[0])); ctx_job_timestamp = xe_lrc_ctx_job_timestamp(q->lrc[0]); /* diff --git a/drivers/gpu/drm/xe/xe_lrc.c b/drivers/gpu/drm/xe/xe_lrc.c index 79b43fec4f79..03bfba696b37 100644 --- a/drivers/gpu/drm/xe/xe_lrc.c +++ b/drivers/gpu/drm/xe/xe_lrc.c @@ -24,6 +24,7 @@ #include "xe_hw_fence.h" #include "xe_map.h" #include "xe_memirq.h" +#include "xe_mmio.h" #include "xe_sriov.h" #include "xe_trace_lrc.h" #include "xe_vm.h" @@ -650,6 +651,7 @@ u32 xe_lrc_pphwsp_offset(struct xe_lrc *lrc) #define LRC_START_SEQNO_PPHWSP_OFFSET (LRC_SEQNO_PPHWSP_OFFSET + 8) #define LRC_CTX_JOB_TIMESTAMP_OFFSET (LRC_START_SEQNO_PPHWSP_OFFSET + 8) #define LRC_PARALLEL_PPHWSP_OFFSET 2048 +#define LRC_ENGINE_ID_PPHWSP_OFFSET 2096 #define LRC_PPHWSP_SIZE SZ_4K u32 xe_lrc_regs_offset(struct xe_lrc *lrc) @@ -694,11 +696,21 @@ static inline u32 __xe_lrc_parallel_offset(struct xe_lrc *lrc) return xe_lrc_pphwsp_offset(lrc) + LRC_PARALLEL_PPHWSP_OFFSET; } +static inline u32 __xe_lrc_engine_id_offset(struct xe_lrc *lrc) +{ + return xe_lrc_pphwsp_offset(lrc) + LRC_ENGINE_ID_PPHWSP_OFFSET; +} + static u32 __xe_lrc_ctx_timestamp_offset(struct xe_lrc *lrc) { return __xe_lrc_regs_offset(lrc) + CTX_TIMESTAMP * sizeof(u32); } +static u32 __xe_lrc_ctx_timestamp_udw_offset(struct xe_lrc *lrc) +{ + return __xe_lrc_regs_offset(lrc) + CTX_TIMESTAMP_UDW * sizeof(u32); +} + static inline u32 __xe_lrc_indirect_ring_offset(struct xe_lrc *lrc) { /* Indirect ring state page is at the very end of LRC */ @@ -726,8 +738,10 @@ DECL_MAP_ADDR_HELPERS(regs) DECL_MAP_ADDR_HELPERS(start_seqno) DECL_MAP_ADDR_HELPERS(ctx_job_timestamp) DECL_MAP_ADDR_HELPERS(ctx_timestamp) +DECL_MAP_ADDR_HELPERS(ctx_timestamp_udw) DECL_MAP_ADDR_HELPERS(parallel) DECL_MAP_ADDR_HELPERS(indirect_ring) +DECL_MAP_ADDR_HELPERS(engine_id) #undef DECL_MAP_ADDR_HELPERS @@ -742,19 +756,38 @@ u32 xe_lrc_ctx_timestamp_ggtt_addr(struct xe_lrc *lrc) return __xe_lrc_ctx_timestamp_ggtt_addr(lrc); } +/** + * xe_lrc_ctx_timestamp_udw_ggtt_addr() - Get ctx timestamp udw GGTT address + * @lrc: Pointer to the lrc. + * + * Returns: ctx timestamp udw GGTT address + */ +u32 xe_lrc_ctx_timestamp_udw_ggtt_addr(struct xe_lrc *lrc) +{ + return __xe_lrc_ctx_timestamp_udw_ggtt_addr(lrc); +} + /** * xe_lrc_ctx_timestamp() - Read ctx timestamp value * @lrc: Pointer to the lrc. * * Returns: ctx timestamp value */ -u32 xe_lrc_ctx_timestamp(struct xe_lrc *lrc) +u64 xe_lrc_ctx_timestamp(struct xe_lrc *lrc) { struct xe_device *xe = lrc_to_xe(lrc); struct iosys_map map; + u32 ldw, udw = 0; map = __xe_lrc_ctx_timestamp_map(lrc); - return xe_map_read32(xe, &map); + ldw = xe_map_read32(xe, &map); + + if (xe->info.has_64bit_timestamp) { + map = __xe_lrc_ctx_timestamp_udw_map(lrc); + udw = xe_map_read32(xe, &map); + } + + return (u64)udw << 32 | ldw; } /** @@ -877,6 +910,65 @@ static void xe_lrc_finish(struct xe_lrc *lrc) xe_bo_unpin(lrc->bo); xe_bo_unlock(lrc->bo); xe_bo_put(lrc->bo); + xe_bo_unpin_map_no_vm(lrc->bb_per_ctx_bo); +} + +/* + * xe_lrc_setup_utilization() - Setup wa bb to assist in calculating active + * context run ticks. + * @lrc: Pointer to the lrc. + * + * Context Timestamp (CTX_TIMESTAMP) in the LRC accumulates the run ticks of the + * context, but only gets updated when the context switches out. In order to + * check how long a context has been active before it switches out, two things + * are required: + * + * (1) Determine if the context is running: + * To do so, we program the WA BB to set an initial value for CTX_TIMESTAMP in + * the LRC. The value chosen is 1 since 0 is the initial value when the LRC is + * initialized. During a query, we just check for this value to determine if the + * context is active. If the context switched out, it would overwrite this + * location with the actual CTX_TIMESTAMP MMIO value. Note that WA BB runs as + * the last part of context restore, so reusing this LRC location will not + * clobber anything. + * + * (2) Calculate the time that the context has been active for: + * The CTX_TIMESTAMP ticks only when the context is active. If a context is + * active, we just use the CTX_TIMESTAMP MMIO as the new value of utilization. + * While doing so, we need to read the CTX_TIMESTAMP MMIO for the specific + * engine instance. Since we do not know which instance the context is running + * on until it is scheduled, we also read the ENGINE_ID MMIO in the WA BB and + * store it in the PPHSWP. + */ +#define CONTEXT_ACTIVE 1ULL +static void xe_lrc_setup_utilization(struct xe_lrc *lrc) +{ + u32 *cmd; + + cmd = lrc->bb_per_ctx_bo->vmap.vaddr; + + *cmd++ = MI_STORE_REGISTER_MEM | MI_SRM_USE_GGTT | MI_SRM_ADD_CS_OFFSET; + *cmd++ = ENGINE_ID(0).addr; + *cmd++ = __xe_lrc_engine_id_ggtt_addr(lrc); + *cmd++ = 0; + + *cmd++ = MI_STORE_DATA_IMM | MI_SDI_GGTT | MI_SDI_NUM_DW(1); + *cmd++ = __xe_lrc_ctx_timestamp_ggtt_addr(lrc); + *cmd++ = 0; + *cmd++ = lower_32_bits(CONTEXT_ACTIVE); + + if (lrc_to_xe(lrc)->info.has_64bit_timestamp) { + *cmd++ = MI_STORE_DATA_IMM | MI_SDI_GGTT | MI_SDI_NUM_DW(1); + *cmd++ = __xe_lrc_ctx_timestamp_udw_ggtt_addr(lrc); + *cmd++ = 0; + *cmd++ = upper_32_bits(CONTEXT_ACTIVE); + } + + *cmd++ = MI_BATCH_BUFFER_END; + + xe_lrc_write_ctx_reg(lrc, CTX_BB_PER_CTX_PTR, + xe_bo_ggtt_addr(lrc->bb_per_ctx_bo) | 1); + } #define PVC_CTX_ASID (0x2e + 1) @@ -893,6 +985,7 @@ static int xe_lrc_init(struct xe_lrc *lrc, struct xe_hw_engine *hwe, void *init_data = NULL; u32 arb_enable; u32 lrc_size; + u32 bo_flags; int err; kref_init(&lrc->refcount); @@ -902,22 +995,30 @@ static int xe_lrc_init(struct xe_lrc *lrc, struct xe_hw_engine *hwe, if (xe_gt_has_indirect_ring_state(gt)) lrc->flags |= XE_LRC_FLAG_INDIRECT_RING_STATE; + bo_flags = XE_BO_FLAG_VRAM_IF_DGFX(tile) | XE_BO_FLAG_GGTT | + XE_BO_FLAG_GGTT_INVALIDATE; + /* * FIXME: Perma-pinning LRC as we don't yet support moving GGTT address * via VM bind calls. */ lrc->bo = xe_bo_create_pin_map(xe, tile, vm, lrc_size, ttm_bo_type_kernel, - XE_BO_FLAG_VRAM_IF_DGFX(tile) | - XE_BO_FLAG_GGTT | - XE_BO_FLAG_GGTT_INVALIDATE); + bo_flags); if (IS_ERR(lrc->bo)) return PTR_ERR(lrc->bo); + lrc->bb_per_ctx_bo = xe_bo_create_pin_map(xe, tile, NULL, SZ_4K, + ttm_bo_type_kernel, + bo_flags); + if (IS_ERR(lrc->bb_per_ctx_bo)) { + err = PTR_ERR(lrc->bb_per_ctx_bo); + goto err_lrc_finish; + } + lrc->size = lrc_size; lrc->ring.size = ring_size; lrc->ring.tail = 0; - lrc->ctx_timestamp = 0; xe_hw_fence_ctx_init(&lrc->fence_ctx, hwe->gt, hwe->fence_irq, hwe->name); @@ -990,7 +1091,10 @@ static int xe_lrc_init(struct xe_lrc *lrc, struct xe_hw_engine *hwe, xe_lrc_read_ctx_reg(lrc, CTX_CONTEXT_CONTROL) | _MASKED_BIT_ENABLE(CTX_CTRL_PXP_ENABLE)); + lrc->ctx_timestamp = 0; xe_lrc_write_ctx_reg(lrc, CTX_TIMESTAMP, 0); + if (lrc_to_xe(lrc)->info.has_64bit_timestamp) + xe_lrc_write_ctx_reg(lrc, CTX_TIMESTAMP_UDW, 0); if (xe->info.has_asid && vm) xe_lrc_write_ctx_reg(lrc, PVC_CTX_ASID, vm->usm.asid); @@ -1019,6 +1123,8 @@ static int xe_lrc_init(struct xe_lrc *lrc, struct xe_hw_engine *hwe, map = __xe_lrc_start_seqno_map(lrc); xe_map_write32(lrc_to_xe(lrc), &map, lrc->fence_ctx.next_seqno - 1); + xe_lrc_setup_utilization(lrc); + return 0; err_lrc_finish: @@ -1238,6 +1344,21 @@ struct iosys_map xe_lrc_parallel_map(struct xe_lrc *lrc) return __xe_lrc_parallel_map(lrc); } +/** + * xe_lrc_engine_id() - Read engine id value + * @lrc: Pointer to the lrc. + * + * Returns: context id value + */ +static u32 xe_lrc_engine_id(struct xe_lrc *lrc) +{ + struct xe_device *xe = lrc_to_xe(lrc); + struct iosys_map map; + + map = __xe_lrc_engine_id_map(lrc); + return xe_map_read32(xe, &map); +} + static int instr_dw(u32 cmd_header) { /* GFXPIPE "SINGLE_DW" opcodes are a single dword */ @@ -1684,7 +1805,7 @@ struct xe_lrc_snapshot *xe_lrc_snapshot_capture(struct xe_lrc *lrc) snapshot->lrc_offset = xe_lrc_pphwsp_offset(lrc); snapshot->lrc_size = lrc->bo->size - snapshot->lrc_offset; snapshot->lrc_snapshot = NULL; - snapshot->ctx_timestamp = xe_lrc_ctx_timestamp(lrc); + snapshot->ctx_timestamp = lower_32_bits(xe_lrc_ctx_timestamp(lrc)); snapshot->ctx_job_timestamp = xe_lrc_ctx_job_timestamp(lrc); return snapshot; } @@ -1784,22 +1905,74 @@ void xe_lrc_snapshot_free(struct xe_lrc_snapshot *snapshot) kfree(snapshot); } +static int get_ctx_timestamp(struct xe_lrc *lrc, u32 engine_id, u64 *reg_ctx_ts) +{ + u16 class = REG_FIELD_GET(ENGINE_CLASS_ID, engine_id); + u16 instance = REG_FIELD_GET(ENGINE_INSTANCE_ID, engine_id); + struct xe_hw_engine *hwe; + u64 val; + + hwe = xe_gt_hw_engine(lrc->gt, class, instance, false); + if (xe_gt_WARN_ONCE(lrc->gt, !hwe || xe_hw_engine_is_reserved(hwe), + "Unexpected engine class:instance %d:%d for context utilization\n", + class, instance)) + return -1; + + if (lrc_to_xe(lrc)->info.has_64bit_timestamp) + val = xe_mmio_read64_2x32(&hwe->gt->mmio, + RING_CTX_TIMESTAMP(hwe->mmio_base)); + else + val = xe_mmio_read32(&hwe->gt->mmio, + RING_CTX_TIMESTAMP(hwe->mmio_base)); + + *reg_ctx_ts = val; + + return 0; +} + /** * xe_lrc_update_timestamp() - Update ctx timestamp * @lrc: Pointer to the lrc. * @old_ts: Old timestamp value * * Populate @old_ts current saved ctx timestamp, read new ctx timestamp and - * update saved value. + * update saved value. With support for active contexts, the calculation may be + * slightly racy, so follow a read-again logic to ensure that the context is + * still active before returning the right timestamp. * * Returns: New ctx timestamp value */ -u32 xe_lrc_update_timestamp(struct xe_lrc *lrc, u32 *old_ts) +u64 xe_lrc_update_timestamp(struct xe_lrc *lrc, u64 *old_ts) { + u64 lrc_ts, reg_ts; + u32 engine_id; + *old_ts = lrc->ctx_timestamp; - lrc->ctx_timestamp = xe_lrc_ctx_timestamp(lrc); + lrc_ts = xe_lrc_ctx_timestamp(lrc); + /* CTX_TIMESTAMP mmio read is invalid on VF, so return the LRC value */ + if (IS_SRIOV_VF(lrc_to_xe(lrc))) { + lrc->ctx_timestamp = lrc_ts; + goto done; + } + if (lrc_ts == CONTEXT_ACTIVE) { + engine_id = xe_lrc_engine_id(lrc); + if (!get_ctx_timestamp(lrc, engine_id, &reg_ts)) + lrc->ctx_timestamp = reg_ts; + + /* read lrc again to ensure context is still active */ + lrc_ts = xe_lrc_ctx_timestamp(lrc); + } + + /* + * If context switched out, just use the lrc_ts. Note that this needs to + * be a separate if condition. + */ + if (lrc_ts != CONTEXT_ACTIVE) + lrc->ctx_timestamp = lrc_ts; + +done: trace_xe_lrc_update_timestamp(lrc, *old_ts); return lrc->ctx_timestamp; diff --git a/drivers/gpu/drm/xe/xe_lrc.h b/drivers/gpu/drm/xe/xe_lrc.h index 0b40f349ab95..eb6e8de8c939 100644 --- a/drivers/gpu/drm/xe/xe_lrc.h +++ b/drivers/gpu/drm/xe/xe_lrc.h @@ -120,7 +120,8 @@ void xe_lrc_snapshot_print(struct xe_lrc_snapshot *snapshot, struct drm_printer void xe_lrc_snapshot_free(struct xe_lrc_snapshot *snapshot); u32 xe_lrc_ctx_timestamp_ggtt_addr(struct xe_lrc *lrc); -u32 xe_lrc_ctx_timestamp(struct xe_lrc *lrc); +u32 xe_lrc_ctx_timestamp_udw_ggtt_addr(struct xe_lrc *lrc); +u64 xe_lrc_ctx_timestamp(struct xe_lrc *lrc); u32 xe_lrc_ctx_job_timestamp_ggtt_addr(struct xe_lrc *lrc); u32 xe_lrc_ctx_job_timestamp(struct xe_lrc *lrc); @@ -136,6 +137,6 @@ u32 xe_lrc_ctx_job_timestamp(struct xe_lrc *lrc); * * Returns the current LRC timestamp */ -u32 xe_lrc_update_timestamp(struct xe_lrc *lrc, u32 *old_ts); +u64 xe_lrc_update_timestamp(struct xe_lrc *lrc, u64 *old_ts); #endif diff --git a/drivers/gpu/drm/xe/xe_lrc_types.h b/drivers/gpu/drm/xe/xe_lrc_types.h index cd38586ae989..ae24cf6f8dd9 100644 --- a/drivers/gpu/drm/xe/xe_lrc_types.h +++ b/drivers/gpu/drm/xe/xe_lrc_types.h @@ -52,7 +52,10 @@ struct xe_lrc { struct xe_hw_fence_ctx fence_ctx; /** @ctx_timestamp: readout value of CTX_TIMESTAMP on last update */ - u32 ctx_timestamp; + u64 ctx_timestamp; + + /** @bb_per_ctx_bo: buffer object for per context batch wa buffer */ + struct xe_bo *bb_per_ctx_bo; }; struct xe_lrc_snapshot; diff --git a/drivers/gpu/drm/xe/xe_pci.c b/drivers/gpu/drm/xe/xe_pci.c index 818f023166d5..f4d108dc49b1 100644 --- a/drivers/gpu/drm/xe/xe_pci.c +++ b/drivers/gpu/drm/xe/xe_pci.c @@ -140,6 +140,7 @@ static const struct xe_graphics_desc graphics_xelpg = { .has_indirect_ring_state = 1, \ .has_range_tlb_invalidation = 1, \ .has_usm = 1, \ + .has_64bit_timestamp = 1, \ .va_bits = 48, \ .vm_max_level = 4, \ .hw_engine_mask = \ @@ -668,6 +669,7 @@ static int xe_info_init(struct xe_device *xe, xe->info.has_range_tlb_invalidation = graphics_desc->has_range_tlb_invalidation; xe->info.has_usm = graphics_desc->has_usm; + xe->info.has_64bit_timestamp = graphics_desc->has_64bit_timestamp; for_each_remote_tile(tile, xe, id) { int err; diff --git a/drivers/gpu/drm/xe/xe_pci_types.h b/drivers/gpu/drm/xe/xe_pci_types.h index e9b9bbc138d3..ca6b10d35573 100644 --- a/drivers/gpu/drm/xe/xe_pci_types.h +++ b/drivers/gpu/drm/xe/xe_pci_types.h @@ -21,6 +21,7 @@ struct xe_graphics_desc { u8 has_indirect_ring_state:1; u8 has_range_tlb_invalidation:1; u8 has_usm:1; + u8 has_64bit_timestamp:1; }; struct xe_media_desc { diff --git a/drivers/gpu/drm/xe/xe_trace_lrc.h b/drivers/gpu/drm/xe/xe_trace_lrc.h index 5c669a0b2180..d525cbee1e34 100644 --- a/drivers/gpu/drm/xe/xe_trace_lrc.h +++ b/drivers/gpu/drm/xe/xe_trace_lrc.h @@ -19,12 +19,12 @@ #define __dev_name_lrc(lrc) dev_name(gt_to_xe((lrc)->fence_ctx.gt)->drm.dev) TRACE_EVENT(xe_lrc_update_timestamp, - TP_PROTO(struct xe_lrc *lrc, uint32_t old), + TP_PROTO(struct xe_lrc *lrc, uint64_t old), TP_ARGS(lrc, old), TP_STRUCT__entry( __field(struct xe_lrc *, lrc) - __field(u32, old) - __field(u32, new) + __field(u64, old) + __field(u64, new) __string(name, lrc->fence_ctx.name) __string(device_id, __dev_name_lrc(lrc)) ), @@ -36,7 +36,7 @@ TRACE_EVENT(xe_lrc_update_timestamp, __assign_str(name); __assign_str(device_id); ), - TP_printk("lrc=:%p lrc->name=%s old=%u new=%u device_id:%s", + TP_printk("lrc=:%p lrc->name=%s old=%llu new=%llu device_id:%s", __entry->lrc, __get_str(name), __entry->old, __entry->new, __get_str(device_id))

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/xe: Add WA BB to capture active context utilization" failed to apply to 6.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.14.y git checkout FETCH_HEAD git cherry-pick -x 617d824c5323b8474b3665ae6c410c98b839e0b0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051924-uptake-sacred-dd3a@gregkh' --subject-prefix 'PATCH 6.14.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 617d824c5323b8474b3665ae6c410c98b839e0b0 Mon Sep 17 00:00:00 2001 From: Umesh Nerlige Ramappa <umesh.nerlige.ramappa(a)intel.com> Date: Fri, 9 May 2025 09:12:03 -0700 Subject: [PATCH] drm/xe: Add WA BB to capture active context utilization Context Timestamp (CTX_TIMESTAMP) in the LRC accumulates the run ticks of the context, but only gets updated when the context switches out. In order to check how long a context has been active before it switches out, two things are required: (1) Determine if the context is running: To do so, we program the WA BB to set an initial value for CTX_TIMESTAMP in the LRC. The value chosen is 1 since 0 is the initial value when the LRC is initialized. During a query, we just check for this value to determine if the context is active. If the context switched out, it would overwrite this location with the actual CTX_TIMESTAMP MMIO value. Note that WA BB runs as the last part of the context restore, so reusing this LRC location will not clobber anything. (2) Calculate the time that the context has been active for: The CTX_TIMESTAMP ticks only when the context is active. If a context is active, we just use the CTX_TIMESTAMP MMIO as the new value of utilization. While doing so, we need to read the CTX_TIMESTAMP MMIO for the specific engine instance. Since we do not know which instance the context is running on until it is scheduled, we also read the ENGINE_ID MMIO in the WA BB and store it in the PPHSWP. Using the above 2 instructions in a WA BB, capture active context utilization. v2: (Matt Brost) - This breaks TDR, fix it by saving the CTX_TIMESTAMP register "drm/xe: Save CTX_TIMESTAMP mmio value instead of LRC value" - Drop tile from LRC if using gt "drm/xe: Save the gt pointer in LRC and drop the tile" v3: - Remove helpers for bb_per_ctx_ptr (Matt) - Add define for context active value (Matt) - Use 64 bit CTX TIMESTAMP for platforms that support it. For platforms that don't, live with the rare race. (Matt, Lucas) - Convert engine id to hwe and get the MMIO value (Lucas) - Correct commit message on when WA BB runs (Lucas) v4: - s/GRAPHICS_VER(...)/xe->info.has_64bit_timestamp/ (Matt) - Drop support for active utilization on a VF (CI failure) - In xe_lrc_init ensure the lrc value is 0 to begin with (CI regression) v5: - Minor checkpatch fix - Squash into previous commit and make TDR use 32-bit time - Update code comment to match commit msg Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/4532 Cc: <stable(a)vger.kernel.org> # v6.13+ Suggested-by: Lucas De Marchi <lucas.demarchi(a)intel.com> Signed-off-by: Umesh Nerlige Ramappa <umesh.nerlige.ramappa(a)intel.com> Reviewed-by: Lucas De Marchi <lucas.demarchi(a)intel.com> Link: https://lore.kernel.org/r/20250509161159.2173069-8-umesh.nerlige.ramappa@in… (cherry picked from commit 82b98cadb01f63cdb159e596ec06866d00f8e8c7) Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> diff --git a/drivers/gpu/drm/xe/regs/xe_engine_regs.h b/drivers/gpu/drm/xe/regs/xe_engine_regs.h index fb8ec317b6ee..891f928d80ce 100644 --- a/drivers/gpu/drm/xe/regs/xe_engine_regs.h +++ b/drivers/gpu/drm/xe/regs/xe_engine_regs.h @@ -43,6 +43,10 @@ #define XEHPC_BCS8_RING_BASE 0x3ee000 #define GSCCS_RING_BASE 0x11a000 +#define ENGINE_ID(base) XE_REG((base) + 0x8c) +#define ENGINE_INSTANCE_ID REG_GENMASK(9, 4) +#define ENGINE_CLASS_ID REG_GENMASK(2, 0) + #define RING_TAIL(base) XE_REG((base) + 0x30) #define TAIL_ADDR REG_GENMASK(20, 3) @@ -154,6 +158,7 @@ #define STOP_RING REG_BIT(8) #define RING_CTX_TIMESTAMP(base) XE_REG((base) + 0x3a8) +#define RING_CTX_TIMESTAMP_UDW(base) XE_REG((base) + 0x3ac) #define CSBE_DEBUG_STATUS(base) XE_REG((base) + 0x3fc) #define RING_FORCE_TO_NONPRIV(base, i) XE_REG(((base) + 0x4d0) + (i) * 4) diff --git a/drivers/gpu/drm/xe/regs/xe_lrc_layout.h b/drivers/gpu/drm/xe/regs/xe_lrc_layout.h index 57944f90bbf6..994af591a2e8 100644 --- a/drivers/gpu/drm/xe/regs/xe_lrc_layout.h +++ b/drivers/gpu/drm/xe/regs/xe_lrc_layout.h @@ -11,7 +11,9 @@ #define CTX_RING_TAIL (0x06 + 1) #define CTX_RING_START (0x08 + 1) #define CTX_RING_CTL (0x0a + 1) +#define CTX_BB_PER_CTX_PTR (0x12 + 1) #define CTX_TIMESTAMP (0x22 + 1) +#define CTX_TIMESTAMP_UDW (0x24 + 1) #define CTX_INDIRECT_RING_STATE (0x26 + 1) #define CTX_PDP0_UDW (0x30 + 1) #define CTX_PDP0_LDW (0x32 + 1) diff --git a/drivers/gpu/drm/xe/xe_device_types.h b/drivers/gpu/drm/xe/xe_device_types.h index 9f8667ebba85..0482f26aa480 100644 --- a/drivers/gpu/drm/xe/xe_device_types.h +++ b/drivers/gpu/drm/xe/xe_device_types.h @@ -330,6 +330,8 @@ struct xe_device { u8 has_sriov:1; /** @info.has_usm: Device has unified shared memory support */ u8 has_usm:1; + /** @info.has_64bit_timestamp: Device supports 64-bit timestamps */ + u8 has_64bit_timestamp:1; /** @info.is_dgfx: is discrete device */ u8 is_dgfx:1; /** diff --git a/drivers/gpu/drm/xe/xe_exec_queue.c b/drivers/gpu/drm/xe/xe_exec_queue.c index 606922d9dd73..cd9b1c32f30f 100644 --- a/drivers/gpu/drm/xe/xe_exec_queue.c +++ b/drivers/gpu/drm/xe/xe_exec_queue.c @@ -830,7 +830,7 @@ void xe_exec_queue_update_run_ticks(struct xe_exec_queue *q) { struct xe_device *xe = gt_to_xe(q->gt); struct xe_lrc *lrc; - u32 old_ts, new_ts; + u64 old_ts, new_ts; int idx; /* diff --git a/drivers/gpu/drm/xe/xe_guc_submit.c b/drivers/gpu/drm/xe/xe_guc_submit.c index 31bc2022bfc2..769781d577df 100644 --- a/drivers/gpu/drm/xe/xe_guc_submit.c +++ b/drivers/gpu/drm/xe/xe_guc_submit.c @@ -941,7 +941,7 @@ static bool check_timeout(struct xe_exec_queue *q, struct xe_sched_job *job) return xe_sched_invalidate_job(job, 2); } - ctx_timestamp = xe_lrc_ctx_timestamp(q->lrc[0]); + ctx_timestamp = lower_32_bits(xe_lrc_ctx_timestamp(q->lrc[0])); ctx_job_timestamp = xe_lrc_ctx_job_timestamp(q->lrc[0]); /* diff --git a/drivers/gpu/drm/xe/xe_lrc.c b/drivers/gpu/drm/xe/xe_lrc.c index 79b43fec4f79..03bfba696b37 100644 --- a/drivers/gpu/drm/xe/xe_lrc.c +++ b/drivers/gpu/drm/xe/xe_lrc.c @@ -24,6 +24,7 @@ #include "xe_hw_fence.h" #include "xe_map.h" #include "xe_memirq.h" +#include "xe_mmio.h" #include "xe_sriov.h" #include "xe_trace_lrc.h" #include "xe_vm.h" @@ -650,6 +651,7 @@ u32 xe_lrc_pphwsp_offset(struct xe_lrc *lrc) #define LRC_START_SEQNO_PPHWSP_OFFSET (LRC_SEQNO_PPHWSP_OFFSET + 8) #define LRC_CTX_JOB_TIMESTAMP_OFFSET (LRC_START_SEQNO_PPHWSP_OFFSET + 8) #define LRC_PARALLEL_PPHWSP_OFFSET 2048 +#define LRC_ENGINE_ID_PPHWSP_OFFSET 2096 #define LRC_PPHWSP_SIZE SZ_4K u32 xe_lrc_regs_offset(struct xe_lrc *lrc) @@ -694,11 +696,21 @@ static inline u32 __xe_lrc_parallel_offset(struct xe_lrc *lrc) return xe_lrc_pphwsp_offset(lrc) + LRC_PARALLEL_PPHWSP_OFFSET; } +static inline u32 __xe_lrc_engine_id_offset(struct xe_lrc *lrc) +{ + return xe_lrc_pphwsp_offset(lrc) + LRC_ENGINE_ID_PPHWSP_OFFSET; +} + static u32 __xe_lrc_ctx_timestamp_offset(struct xe_lrc *lrc) { return __xe_lrc_regs_offset(lrc) + CTX_TIMESTAMP * sizeof(u32); } +static u32 __xe_lrc_ctx_timestamp_udw_offset(struct xe_lrc *lrc) +{ + return __xe_lrc_regs_offset(lrc) + CTX_TIMESTAMP_UDW * sizeof(u32); +} + static inline u32 __xe_lrc_indirect_ring_offset(struct xe_lrc *lrc) { /* Indirect ring state page is at the very end of LRC */ @@ -726,8 +738,10 @@ DECL_MAP_ADDR_HELPERS(regs) DECL_MAP_ADDR_HELPERS(start_seqno) DECL_MAP_ADDR_HELPERS(ctx_job_timestamp) DECL_MAP_ADDR_HELPERS(ctx_timestamp) +DECL_MAP_ADDR_HELPERS(ctx_timestamp_udw) DECL_MAP_ADDR_HELPERS(parallel) DECL_MAP_ADDR_HELPERS(indirect_ring) +DECL_MAP_ADDR_HELPERS(engine_id) #undef DECL_MAP_ADDR_HELPERS @@ -742,19 +756,38 @@ u32 xe_lrc_ctx_timestamp_ggtt_addr(struct xe_lrc *lrc) return __xe_lrc_ctx_timestamp_ggtt_addr(lrc); } +/** + * xe_lrc_ctx_timestamp_udw_ggtt_addr() - Get ctx timestamp udw GGTT address + * @lrc: Pointer to the lrc. + * + * Returns: ctx timestamp udw GGTT address + */ +u32 xe_lrc_ctx_timestamp_udw_ggtt_addr(struct xe_lrc *lrc) +{ + return __xe_lrc_ctx_timestamp_udw_ggtt_addr(lrc); +} + /** * xe_lrc_ctx_timestamp() - Read ctx timestamp value * @lrc: Pointer to the lrc. * * Returns: ctx timestamp value */ -u32 xe_lrc_ctx_timestamp(struct xe_lrc *lrc) +u64 xe_lrc_ctx_timestamp(struct xe_lrc *lrc) { struct xe_device *xe = lrc_to_xe(lrc); struct iosys_map map; + u32 ldw, udw = 0; map = __xe_lrc_ctx_timestamp_map(lrc); - return xe_map_read32(xe, &map); + ldw = xe_map_read32(xe, &map); + + if (xe->info.has_64bit_timestamp) { + map = __xe_lrc_ctx_timestamp_udw_map(lrc); + udw = xe_map_read32(xe, &map); + } + + return (u64)udw << 32 | ldw; } /** @@ -877,6 +910,65 @@ static void xe_lrc_finish(struct xe_lrc *lrc) xe_bo_unpin(lrc->bo); xe_bo_unlock(lrc->bo); xe_bo_put(lrc->bo); + xe_bo_unpin_map_no_vm(lrc->bb_per_ctx_bo); +} + +/* + * xe_lrc_setup_utilization() - Setup wa bb to assist in calculating active + * context run ticks. + * @lrc: Pointer to the lrc. + * + * Context Timestamp (CTX_TIMESTAMP) in the LRC accumulates the run ticks of the + * context, but only gets updated when the context switches out. In order to + * check how long a context has been active before it switches out, two things + * are required: + * + * (1) Determine if the context is running: + * To do so, we program the WA BB to set an initial value for CTX_TIMESTAMP in + * the LRC. The value chosen is 1 since 0 is the initial value when the LRC is + * initialized. During a query, we just check for this value to determine if the + * context is active. If the context switched out, it would overwrite this + * location with the actual CTX_TIMESTAMP MMIO value. Note that WA BB runs as + * the last part of context restore, so reusing this LRC location will not + * clobber anything. + * + * (2) Calculate the time that the context has been active for: + * The CTX_TIMESTAMP ticks only when the context is active. If a context is + * active, we just use the CTX_TIMESTAMP MMIO as the new value of utilization. + * While doing so, we need to read the CTX_TIMESTAMP MMIO for the specific + * engine instance. Since we do not know which instance the context is running + * on until it is scheduled, we also read the ENGINE_ID MMIO in the WA BB and + * store it in the PPHSWP. + */ +#define CONTEXT_ACTIVE 1ULL +static void xe_lrc_setup_utilization(struct xe_lrc *lrc) +{ + u32 *cmd; + + cmd = lrc->bb_per_ctx_bo->vmap.vaddr; + + *cmd++ = MI_STORE_REGISTER_MEM | MI_SRM_USE_GGTT | MI_SRM_ADD_CS_OFFSET; + *cmd++ = ENGINE_ID(0).addr; + *cmd++ = __xe_lrc_engine_id_ggtt_addr(lrc); + *cmd++ = 0; + + *cmd++ = MI_STORE_DATA_IMM | MI_SDI_GGTT | MI_SDI_NUM_DW(1); + *cmd++ = __xe_lrc_ctx_timestamp_ggtt_addr(lrc); + *cmd++ = 0; + *cmd++ = lower_32_bits(CONTEXT_ACTIVE); + + if (lrc_to_xe(lrc)->info.has_64bit_timestamp) { + *cmd++ = MI_STORE_DATA_IMM | MI_SDI_GGTT | MI_SDI_NUM_DW(1); + *cmd++ = __xe_lrc_ctx_timestamp_udw_ggtt_addr(lrc); + *cmd++ = 0; + *cmd++ = upper_32_bits(CONTEXT_ACTIVE); + } + + *cmd++ = MI_BATCH_BUFFER_END; + + xe_lrc_write_ctx_reg(lrc, CTX_BB_PER_CTX_PTR, + xe_bo_ggtt_addr(lrc->bb_per_ctx_bo) | 1); + } #define PVC_CTX_ASID (0x2e + 1) @@ -893,6 +985,7 @@ static int xe_lrc_init(struct xe_lrc *lrc, struct xe_hw_engine *hwe, void *init_data = NULL; u32 arb_enable; u32 lrc_size; + u32 bo_flags; int err; kref_init(&lrc->refcount); @@ -902,22 +995,30 @@ static int xe_lrc_init(struct xe_lrc *lrc, struct xe_hw_engine *hwe, if (xe_gt_has_indirect_ring_state(gt)) lrc->flags |= XE_LRC_FLAG_INDIRECT_RING_STATE; + bo_flags = XE_BO_FLAG_VRAM_IF_DGFX(tile) | XE_BO_FLAG_GGTT | + XE_BO_FLAG_GGTT_INVALIDATE; + /* * FIXME: Perma-pinning LRC as we don't yet support moving GGTT address * via VM bind calls. */ lrc->bo = xe_bo_create_pin_map(xe, tile, vm, lrc_size, ttm_bo_type_kernel, - XE_BO_FLAG_VRAM_IF_DGFX(tile) | - XE_BO_FLAG_GGTT | - XE_BO_FLAG_GGTT_INVALIDATE); + bo_flags); if (IS_ERR(lrc->bo)) return PTR_ERR(lrc->bo); + lrc->bb_per_ctx_bo = xe_bo_create_pin_map(xe, tile, NULL, SZ_4K, + ttm_bo_type_kernel, + bo_flags); + if (IS_ERR(lrc->bb_per_ctx_bo)) { + err = PTR_ERR(lrc->bb_per_ctx_bo); + goto err_lrc_finish; + } + lrc->size = lrc_size; lrc->ring.size = ring_size; lrc->ring.tail = 0; - lrc->ctx_timestamp = 0; xe_hw_fence_ctx_init(&lrc->fence_ctx, hwe->gt, hwe->fence_irq, hwe->name); @@ -990,7 +1091,10 @@ static int xe_lrc_init(struct xe_lrc *lrc, struct xe_hw_engine *hwe, xe_lrc_read_ctx_reg(lrc, CTX_CONTEXT_CONTROL) | _MASKED_BIT_ENABLE(CTX_CTRL_PXP_ENABLE)); + lrc->ctx_timestamp = 0; xe_lrc_write_ctx_reg(lrc, CTX_TIMESTAMP, 0); + if (lrc_to_xe(lrc)->info.has_64bit_timestamp) + xe_lrc_write_ctx_reg(lrc, CTX_TIMESTAMP_UDW, 0); if (xe->info.has_asid && vm) xe_lrc_write_ctx_reg(lrc, PVC_CTX_ASID, vm->usm.asid); @@ -1019,6 +1123,8 @@ static int xe_lrc_init(struct xe_lrc *lrc, struct xe_hw_engine *hwe, map = __xe_lrc_start_seqno_map(lrc); xe_map_write32(lrc_to_xe(lrc), &map, lrc->fence_ctx.next_seqno - 1); + xe_lrc_setup_utilization(lrc); + return 0; err_lrc_finish: @@ -1238,6 +1344,21 @@ struct iosys_map xe_lrc_parallel_map(struct xe_lrc *lrc) return __xe_lrc_parallel_map(lrc); } +/** + * xe_lrc_engine_id() - Read engine id value + * @lrc: Pointer to the lrc. + * + * Returns: context id value + */ +static u32 xe_lrc_engine_id(struct xe_lrc *lrc) +{ + struct xe_device *xe = lrc_to_xe(lrc); + struct iosys_map map; + + map = __xe_lrc_engine_id_map(lrc); + return xe_map_read32(xe, &map); +} + static int instr_dw(u32 cmd_header) { /* GFXPIPE "SINGLE_DW" opcodes are a single dword */ @@ -1684,7 +1805,7 @@ struct xe_lrc_snapshot *xe_lrc_snapshot_capture(struct xe_lrc *lrc) snapshot->lrc_offset = xe_lrc_pphwsp_offset(lrc); snapshot->lrc_size = lrc->bo->size - snapshot->lrc_offset; snapshot->lrc_snapshot = NULL; - snapshot->ctx_timestamp = xe_lrc_ctx_timestamp(lrc); + snapshot->ctx_timestamp = lower_32_bits(xe_lrc_ctx_timestamp(lrc)); snapshot->ctx_job_timestamp = xe_lrc_ctx_job_timestamp(lrc); return snapshot; } @@ -1784,22 +1905,74 @@ void xe_lrc_snapshot_free(struct xe_lrc_snapshot *snapshot) kfree(snapshot); } +static int get_ctx_timestamp(struct xe_lrc *lrc, u32 engine_id, u64 *reg_ctx_ts) +{ + u16 class = REG_FIELD_GET(ENGINE_CLASS_ID, engine_id); + u16 instance = REG_FIELD_GET(ENGINE_INSTANCE_ID, engine_id); + struct xe_hw_engine *hwe; + u64 val; + + hwe = xe_gt_hw_engine(lrc->gt, class, instance, false); + if (xe_gt_WARN_ONCE(lrc->gt, !hwe || xe_hw_engine_is_reserved(hwe), + "Unexpected engine class:instance %d:%d for context utilization\n", + class, instance)) + return -1; + + if (lrc_to_xe(lrc)->info.has_64bit_timestamp) + val = xe_mmio_read64_2x32(&hwe->gt->mmio, + RING_CTX_TIMESTAMP(hwe->mmio_base)); + else + val = xe_mmio_read32(&hwe->gt->mmio, + RING_CTX_TIMESTAMP(hwe->mmio_base)); + + *reg_ctx_ts = val; + + return 0; +} + /** * xe_lrc_update_timestamp() - Update ctx timestamp * @lrc: Pointer to the lrc. * @old_ts: Old timestamp value * * Populate @old_ts current saved ctx timestamp, read new ctx timestamp and - * update saved value. + * update saved value. With support for active contexts, the calculation may be + * slightly racy, so follow a read-again logic to ensure that the context is + * still active before returning the right timestamp. * * Returns: New ctx timestamp value */ -u32 xe_lrc_update_timestamp(struct xe_lrc *lrc, u32 *old_ts) +u64 xe_lrc_update_timestamp(struct xe_lrc *lrc, u64 *old_ts) { + u64 lrc_ts, reg_ts; + u32 engine_id; + *old_ts = lrc->ctx_timestamp; - lrc->ctx_timestamp = xe_lrc_ctx_timestamp(lrc); + lrc_ts = xe_lrc_ctx_timestamp(lrc); + /* CTX_TIMESTAMP mmio read is invalid on VF, so return the LRC value */ + if (IS_SRIOV_VF(lrc_to_xe(lrc))) { + lrc->ctx_timestamp = lrc_ts; + goto done; + } + if (lrc_ts == CONTEXT_ACTIVE) { + engine_id = xe_lrc_engine_id(lrc); + if (!get_ctx_timestamp(lrc, engine_id, &reg_ts)) + lrc->ctx_timestamp = reg_ts; + + /* read lrc again to ensure context is still active */ + lrc_ts = xe_lrc_ctx_timestamp(lrc); + } + + /* + * If context switched out, just use the lrc_ts. Note that this needs to + * be a separate if condition. + */ + if (lrc_ts != CONTEXT_ACTIVE) + lrc->ctx_timestamp = lrc_ts; + +done: trace_xe_lrc_update_timestamp(lrc, *old_ts); return lrc->ctx_timestamp; diff --git a/drivers/gpu/drm/xe/xe_lrc.h b/drivers/gpu/drm/xe/xe_lrc.h index 0b40f349ab95..eb6e8de8c939 100644 --- a/drivers/gpu/drm/xe/xe_lrc.h +++ b/drivers/gpu/drm/xe/xe_lrc.h @@ -120,7 +120,8 @@ void xe_lrc_snapshot_print(struct xe_lrc_snapshot *snapshot, struct drm_printer void xe_lrc_snapshot_free(struct xe_lrc_snapshot *snapshot); u32 xe_lrc_ctx_timestamp_ggtt_addr(struct xe_lrc *lrc); -u32 xe_lrc_ctx_timestamp(struct xe_lrc *lrc); +u32 xe_lrc_ctx_timestamp_udw_ggtt_addr(struct xe_lrc *lrc); +u64 xe_lrc_ctx_timestamp(struct xe_lrc *lrc); u32 xe_lrc_ctx_job_timestamp_ggtt_addr(struct xe_lrc *lrc); u32 xe_lrc_ctx_job_timestamp(struct xe_lrc *lrc); @@ -136,6 +137,6 @@ u32 xe_lrc_ctx_job_timestamp(struct xe_lrc *lrc); * * Returns the current LRC timestamp */ -u32 xe_lrc_update_timestamp(struct xe_lrc *lrc, u32 *old_ts); +u64 xe_lrc_update_timestamp(struct xe_lrc *lrc, u64 *old_ts); #endif diff --git a/drivers/gpu/drm/xe/xe_lrc_types.h b/drivers/gpu/drm/xe/xe_lrc_types.h index cd38586ae989..ae24cf6f8dd9 100644 --- a/drivers/gpu/drm/xe/xe_lrc_types.h +++ b/drivers/gpu/drm/xe/xe_lrc_types.h @@ -52,7 +52,10 @@ struct xe_lrc { struct xe_hw_fence_ctx fence_ctx; /** @ctx_timestamp: readout value of CTX_TIMESTAMP on last update */ - u32 ctx_timestamp; + u64 ctx_timestamp; + + /** @bb_per_ctx_bo: buffer object for per context batch wa buffer */ + struct xe_bo *bb_per_ctx_bo; }; struct xe_lrc_snapshot; diff --git a/drivers/gpu/drm/xe/xe_pci.c b/drivers/gpu/drm/xe/xe_pci.c index 818f023166d5..f4d108dc49b1 100644 --- a/drivers/gpu/drm/xe/xe_pci.c +++ b/drivers/gpu/drm/xe/xe_pci.c @@ -140,6 +140,7 @@ static const struct xe_graphics_desc graphics_xelpg = { .has_indirect_ring_state = 1, \ .has_range_tlb_invalidation = 1, \ .has_usm = 1, \ + .has_64bit_timestamp = 1, \ .va_bits = 48, \ .vm_max_level = 4, \ .hw_engine_mask = \ @@ -668,6 +669,7 @@ static int xe_info_init(struct xe_device *xe, xe->info.has_range_tlb_invalidation = graphics_desc->has_range_tlb_invalidation; xe->info.has_usm = graphics_desc->has_usm; + xe->info.has_64bit_timestamp = graphics_desc->has_64bit_timestamp; for_each_remote_tile(tile, xe, id) { int err; diff --git a/drivers/gpu/drm/xe/xe_pci_types.h b/drivers/gpu/drm/xe/xe_pci_types.h index e9b9bbc138d3..ca6b10d35573 100644 --- a/drivers/gpu/drm/xe/xe_pci_types.h +++ b/drivers/gpu/drm/xe/xe_pci_types.h @@ -21,6 +21,7 @@ struct xe_graphics_desc { u8 has_indirect_ring_state:1; u8 has_range_tlb_invalidation:1; u8 has_usm:1; + u8 has_64bit_timestamp:1; }; struct xe_media_desc { diff --git a/drivers/gpu/drm/xe/xe_trace_lrc.h b/drivers/gpu/drm/xe/xe_trace_lrc.h index 5c669a0b2180..d525cbee1e34 100644 --- a/drivers/gpu/drm/xe/xe_trace_lrc.h +++ b/drivers/gpu/drm/xe/xe_trace_lrc.h @@ -19,12 +19,12 @@ #define __dev_name_lrc(lrc) dev_name(gt_to_xe((lrc)->fence_ctx.gt)->drm.dev) TRACE_EVENT(xe_lrc_update_timestamp, - TP_PROTO(struct xe_lrc *lrc, uint32_t old), + TP_PROTO(struct xe_lrc *lrc, uint64_t old), TP_ARGS(lrc, old), TP_STRUCT__entry( __field(struct xe_lrc *, lrc) - __field(u32, old) - __field(u32, new) + __field(u64, old) + __field(u64, new) __string(name, lrc->fence_ctx.name) __string(device_id, __dev_name_lrc(lrc)) ), @@ -36,7 +36,7 @@ TRACE_EVENT(xe_lrc_update_timestamp, __assign_str(name); __assign_str(device_id); ), - TP_printk("lrc=:%p lrc->name=%s old=%u new=%u device_id:%s", + TP_printk("lrc=:%p lrc->name=%s old=%llu new=%llu device_id:%s", __entry->lrc, __get_str(name), __entry->old, __entry->new, __get_str(device_id))

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/tiny: panel-mipi-dbi: Use drm_client_setup_with_fourcc()" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 9c1798259b9420f38f1fa1b83e3d864c3eb1a83e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051937-backup-carton-07fd@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9c1798259b9420f38f1fa1b83e3d864c3eb1a83e Mon Sep 17 00:00:00 2001 From: Fabio Estevam <festevam(a)denx.de> Date: Thu, 17 Apr 2025 07:34:58 -0300 Subject: [PATCH] drm/tiny: panel-mipi-dbi: Use drm_client_setup_with_fourcc() Since commit 559358282e5b ("drm/fb-helper: Don't use the preferred depth for the BPP default"), RGB565 displays such as the CFAF240320X no longer render correctly: colors are distorted and the content is shown twice horizontally. This regression is due to the fbdev emulation layer defaulting to 32 bits per pixel, whereas the display expects 16 bpp (RGB565). As a result, the framebuffer data is incorrectly interpreted by the panel. Fix the issue by calling drm_client_setup_with_fourcc() with a format explicitly selected based on the display's bits-per-pixel value. For 16 bpp, use DRM_FORMAT_RGB565; for other values, fall back to the previous behavior. This ensures that the allocated framebuffer format matches the hardware expectations, avoiding color and layout corruption. Tested on a CFAF240320X display with an RGB565 configuration, confirming correct colors and layout after applying this patch. Cc: stable(a)vger.kernel.org Fixes: 559358282e5b ("drm/fb-helper: Don't use the preferred depth for the BPP default") Signed-off-by: Fabio Estevam <festevam(a)denx.de> Reviewed-by: Thomas Zimmermann <tzimmermann(a)suse.de> Reviewed-by: Javier Martinez Canillas <javierm(a)redhat.com> Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Link: https://lore.kernel.org/r/20250417103458.2496790-1-festevam@gmail.com diff --git a/drivers/gpu/drm/tiny/panel-mipi-dbi.c b/drivers/gpu/drm/tiny/panel-mipi-dbi.c index 0460ecaef4bd..23914a9f7fd3 100644 --- a/drivers/gpu/drm/tiny/panel-mipi-dbi.c +++ b/drivers/gpu/drm/tiny/panel-mipi-dbi.c @@ -390,7 +390,10 @@ static int panel_mipi_dbi_spi_probe(struct spi_device *spi) spi_set_drvdata(spi, drm); - drm_client_setup(drm, NULL); + if (bpp == 16) + drm_client_setup_with_fourcc(drm, DRM_FORMAT_RGB565); + else + drm_client_setup_with_fourcc(drm, DRM_FORMAT_RGB888); return 0; }

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix folio leak in submit_one_async_extent()" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x a0fd1c6098633f9a95fc2f636383546c82b704c3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051949-line-blog-2ffe@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a0fd1c6098633f9a95fc2f636383546c82b704c3 Mon Sep 17 00:00:00 2001 From: Boris Burkov <boris(a)bur.io> Date: Wed, 7 May 2025 12:42:24 -0700 Subject: [PATCH] btrfs: fix folio leak in submit_one_async_extent() If btrfs_reserve_extent() fails while submitting an async_extent for a compressed write, then we fail to call free_async_extent_pages() on the async_extent and leak its folios. A likely cause for such a failure would be btrfs_reserve_extent() failing to find a large enough contiguous free extent for the compressed extent. I was able to reproduce this by: 1. mount with compress-force=zstd:3 2. fallocating most of a filesystem to a big file 3. fragmenting the remaining free space 4. trying to copy in a file which zstd would generate large compressed extents for (vmlinux worked well for this) Step 4. hits the memory leak and can be repeated ad nauseam to eventually exhaust the system memory. Fix this by detecting the case where we fallback to uncompressed submission for a compressed async_extent and ensuring that we call free_async_extent_pages(). Fixes: 131a821a243f ("btrfs: fallback if compressed IO fails for ENOSPC") CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Co-developed-by: Josef Bacik <josef(a)toxicpanda.com> Signed-off-by: Boris Burkov <boris(a)bur.io> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index d295a37fa049..c1bd17915f81 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -1109,6 +1109,7 @@ static void submit_one_async_extent(struct async_chunk *async_chunk, struct extent_state *cached = NULL; struct extent_map *em; int ret = 0; + bool free_pages = false; u64 start = async_extent->start; u64 end = async_extent->start + async_extent->ram_size - 1; @@ -1129,7 +1130,10 @@ static void submit_one_async_extent(struct async_chunk *async_chunk, } if (async_extent->compress_type == BTRFS_COMPRESS_NONE) { + ASSERT(!async_extent->folios); + ASSERT(async_extent->nr_folios == 0); submit_uncompressed_range(inode, async_extent, locked_folio); + free_pages = true; goto done; } @@ -1145,6 +1149,7 @@ static void submit_one_async_extent(struct async_chunk *async_chunk, * fall back to uncompressed. */ submit_uncompressed_range(inode, async_extent, locked_folio); + free_pages = true; goto done; } @@ -1186,6 +1191,8 @@ static void submit_one_async_extent(struct async_chunk *async_chunk, done: if (async_chunk->blkcg_css) kthread_associate_blkcg(NULL); + if (free_pages) + free_async_extent_pages(async_extent); kfree(async_extent); return;

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix discard worker infinite loop after disabling" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 54db6d1bdd71fa90172a2a6aca3308bbf7fa7eb5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051934-turret-savage-e165@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 54db6d1bdd71fa90172a2a6aca3308bbf7fa7eb5 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 5 May 2025 16:03:16 +0100 Subject: [PATCH] btrfs: fix discard worker infinite loop after disabling discard If the discard worker is running and there's currently only one block group, that block group is a data block group, it's in the unused block groups discard list and is being used (it got an extent allocated from it after becoming unused), the worker can end up in an infinite loop if a transaction abort happens or the async discard is disabled (during remount or unmount for example). This happens like this: 1) Task A, the discard worker, is at peek_discard_list() and find_next_block_group() returns block group X; 2) Block group X is in the unused block groups discard list (its discard index is BTRFS_DISCARD_INDEX_UNUSED) since at some point in the past it become an unused block group and was added to that list, but then later it got an extent allocated from it, so its ->used counter is not zero anymore; 3) The current transaction is aborted by task B and we end up at __btrfs_handle_fs_error() in the transaction abort path, where we call btrfs_discard_stop(), which clears BTRFS_FS_DISCARD_RUNNING from fs_info, and then at __btrfs_handle_fs_error() we set the fs to RO mode (setting SB_RDONLY in the super block's s_flags field); 4) Task A calls __add_to_discard_list() with the goal of moving the block group from the unused block groups discard list into another discard list, but at __add_to_discard_list() we end up doing nothing because btrfs_run_discard_work() returns false, since the super block has SB_RDONLY set in its flags and BTRFS_FS_DISCARD_RUNNING is not set anymore in fs_info->flags. So block group X remains in the unused block groups discard list; 5) Task A then does a goto into the 'again' label, calls find_next_block_group() again we gets block group X again. Then it repeats the previous steps over and over since there are not other block groups in the discard lists and block group X is never moved out of the unused block groups discard list since btrfs_run_discard_work() keeps returning false and therefore __add_to_discard_list() doesn't move block group X out of that discard list. When this happens we can get a soft lockup report like this: [71.957] watchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:3:97] [71.957] Modules linked in: xfs af_packet rfkill (...) [71.957] CPU: 0 UID: 0 PID: 97 Comm: kworker/u4:3 Tainted: G W 6.14.2-1-default #1 openSUSE Tumbleweed 968795ef2b1407352128b466fe887416c33af6fa [71.957] Tainted: [W]=WARN [71.957] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 [71.957] Workqueue: btrfs_discard btrfs_discard_workfn [btrfs] [71.957] RIP: 0010:btrfs_discard_workfn+0xc4/0x400 [btrfs] [71.957] Code: c1 01 48 83 (...) [71.957] RSP: 0018:ffffafaec03efe08 EFLAGS: 00000246 [71.957] RAX: ffff897045500000 RBX: ffff8970413ed8d0 RCX: 0000000000000000 [71.957] RDX: 0000000000000001 RSI: ffff8970413ed8d0 RDI: 0000000a8f1272ad [71.957] RBP: 0000000a9d61c60e R08: ffff897045500140 R09: 8080808080808080 [71.957] R10: ffff897040276800 R11: fefefefefefefeff R12: ffff8970413ed860 [71.957] R13: ffff897045500000 R14: ffff8970413ed868 R15: 0000000000000000 [71.957] FS: 0000000000000000(0000) GS:ffff89707bc00000(0000) knlGS:0000000000000000 [71.957] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [71.957] CR2: 00005605bcc8d2f0 CR3: 000000010376a001 CR4: 0000000000770ef0 [71.957] PKRU: 55555554 [71.957] Call Trace: [71.957] <TASK> [71.957] process_one_work+0x17e/0x330 [71.957] worker_thread+0x2ce/0x3f0 [71.957] ? __pfx_worker_thread+0x10/0x10 [71.957] kthread+0xef/0x220 [71.957] ? __pfx_kthread+0x10/0x10 [71.957] ret_from_fork+0x34/0x50 [71.957] ? __pfx_kthread+0x10/0x10 [71.957] ret_from_fork_asm+0x1a/0x30 [71.957] </TASK> [71.957] Kernel panic - not syncing: softlockup: hung tasks [71.987] CPU: 0 UID: 0 PID: 97 Comm: kworker/u4:3 Tainted: G W L 6.14.2-1-default #1 openSUSE Tumbleweed 968795ef2b1407352128b466fe887416c33af6fa [71.989] Tainted: [W]=WARN, [L]=SOFTLOCKUP [71.989] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 [71.991] Workqueue: btrfs_discard btrfs_discard_workfn [btrfs] [71.992] Call Trace: [71.993] <IRQ> [71.994] dump_stack_lvl+0x5a/0x80 [71.994] panic+0x10b/0x2da [71.995] watchdog_timer_fn.cold+0x9a/0xa1 [71.996] ? __pfx_watchdog_timer_fn+0x10/0x10 [71.997] __hrtimer_run_queues+0x132/0x2a0 [71.997] hrtimer_interrupt+0xff/0x230 [71.998] __sysvec_apic_timer_interrupt+0x55/0x100 [71.999] sysvec_apic_timer_interrupt+0x6c/0x90 [72.000] </IRQ> [72.000] <TASK> [72.001] asm_sysvec_apic_timer_interrupt+0x1a/0x20 [72.002] RIP: 0010:btrfs_discard_workfn+0xc4/0x400 [btrfs] [72.002] Code: c1 01 48 83 (...) [72.005] RSP: 0018:ffffafaec03efe08 EFLAGS: 00000246 [72.006] RAX: ffff897045500000 RBX: ffff8970413ed8d0 RCX: 0000000000000000 [72.006] RDX: 0000000000000001 RSI: ffff8970413ed8d0 RDI: 0000000a8f1272ad [72.007] RBP: 0000000a9d61c60e R08: ffff897045500140 R09: 8080808080808080 [72.008] R10: ffff897040276800 R11: fefefefefefefeff R12: ffff8970413ed860 [72.009] R13: ffff897045500000 R14: ffff8970413ed868 R15: 0000000000000000 [72.010] ? btrfs_discard_workfn+0x51/0x400 [btrfs 23b01089228eb964071fb7ca156eee8cd3bf996f] [72.011] process_one_work+0x17e/0x330 [72.012] worker_thread+0x2ce/0x3f0 [72.013] ? __pfx_worker_thread+0x10/0x10 [72.014] kthread+0xef/0x220 [72.014] ? __pfx_kthread+0x10/0x10 [72.015] ret_from_fork+0x34/0x50 [72.015] ? __pfx_kthread+0x10/0x10 [72.016] ret_from_fork_asm+0x1a/0x30 [72.017] </TASK> [72.017] Kernel Offset: 0x15000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [72.019] Rebooting in 90 seconds.. So fix this by making sure we move a block group out of the unused block groups discard list when calling __add_to_discard_list(). Fixes: 2bee7eb8bb81 ("btrfs: discard one region at a time in async discard") Link: https://bugzilla.suse.com/show_bug.cgi?id=1242012 CC: stable(a)vger.kernel.org # 5.10+ Reviewed-by: Boris Burkov <boris(a)bur.io> Reviewed-by: Daniel Vacek <neelx(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/discard.c b/fs/btrfs/discard.c index d6eef4bd9e9d..de23c4b3515e 100644 --- a/fs/btrfs/discard.c +++ b/fs/btrfs/discard.c @@ -94,8 +94,6 @@ static void __add_to_discard_list(struct btrfs_discard_ctl *discard_ctl, struct btrfs_block_group *block_group) { lockdep_assert_held(&discard_ctl->lock); - if (!btrfs_run_discard_work(discard_ctl)) - return; if (list_empty(&block_group->discard_list) || block_group->discard_index == BTRFS_DISCARD_INDEX_UNUSED) { @@ -118,6 +116,9 @@ static void add_to_discard_list(struct btrfs_discard_ctl *discard_ctl, if (!btrfs_is_block_group_data_only(block_group)) return; + if (!btrfs_run_discard_work(discard_ctl)) + return; + spin_lock(&discard_ctl->lock); __add_to_discard_list(discard_ctl, block_group); spin_unlock(&discard_ctl->lock); @@ -244,6 +245,18 @@ static struct btrfs_block_group *peek_discard_list( block_group->used != 0) { if (btrfs_is_block_group_data_only(block_group)) { __add_to_discard_list(discard_ctl, block_group); + /* + * The block group must have been moved to other + * discard list even if discard was disabled in + * the meantime or a transaction abort happened, + * otherwise we can end up in an infinite loop, + * always jumping into the 'again' label and + * keep getting this block group over and over + * in case there are no other block groups in + * the discard lists. + */ + ASSERT(block_group->discard_index != + BTRFS_DISCARD_INDEX_UNUSED); } else { list_del_init(&block_group->discard_list); btrfs_put_block_group(block_group);

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/amd/display: Avoid flooding unnecessary info messages" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 9a9c3e1fe5256da14a0a307dff0478f90c55fc8c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051918-corned-scrounger-ebcc@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9a9c3e1fe5256da14a0a307dff0478f90c55fc8c Mon Sep 17 00:00:00 2001 From: Wayne Lin <Wayne.Lin(a)amd.com> Date: Tue, 13 May 2025 11:20:24 +0800 Subject: [PATCH] drm/amd/display: Avoid flooding unnecessary info messages It's expected that we'll encounter temporary exceptions during aux transactions. Adjust logging from drm_info to drm_dbg_dp to prevent flooding with unnecessary log messages. Fixes: 3637e457eb00 ("drm/amd/display: Fix wrong handling for AUX_DEFER case") Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Wayne Lin <Wayne.Lin(a)amd.com> Acked-by: Alex Deucher <alexander.deucher(a)amd.com> Link: https://lore.kernel.org/r/20250513032026.838036-1-Wayne.Lin@amd.com Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c index 0d7b72c75802..25e8befbcc47 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c @@ -107,7 +107,7 @@ static ssize_t dm_dp_aux_transfer(struct drm_dp_aux *aux, if (payload.write && result >= 0) { if (result) { /*one byte indicating partially written bytes*/ - drm_info(adev_to_drm(adev), "amdgpu: AUX partially written\n"); + drm_dbg_dp(adev_to_drm(adev), "amdgpu: AUX partially written\n"); result = payload.data[0]; } else if (!payload.reply[0]) /*I2C_ACK|AUX_ACK*/ @@ -133,11 +133,11 @@ static ssize_t dm_dp_aux_transfer(struct drm_dp_aux *aux, break; } - drm_info(adev_to_drm(adev), "amdgpu: DP AUX transfer fail:%d\n", operation_result); + drm_dbg_dp(adev_to_drm(adev), "amdgpu: DP AUX transfer fail:%d\n", operation_result); } if (payload.reply[0]) - drm_info(adev_to_drm(adev), "amdgpu: AUX reply command not ACK: 0x%02x.", + drm_dbg_dp(adev_to_drm(adev), "amdgpu: AUX reply command not ACK: 0x%02x.", payload.reply[0]); return result;

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/amd/display: Avoid flooding unnecessary info messages" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 9a9c3e1fe5256da14a0a307dff0478f90c55fc8c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051918-limes-spendable-685f@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9a9c3e1fe5256da14a0a307dff0478f90c55fc8c Mon Sep 17 00:00:00 2001 From: Wayne Lin <Wayne.Lin(a)amd.com> Date: Tue, 13 May 2025 11:20:24 +0800 Subject: [PATCH] drm/amd/display: Avoid flooding unnecessary info messages It's expected that we'll encounter temporary exceptions during aux transactions. Adjust logging from drm_info to drm_dbg_dp to prevent flooding with unnecessary log messages. Fixes: 3637e457eb00 ("drm/amd/display: Fix wrong handling for AUX_DEFER case") Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Wayne Lin <Wayne.Lin(a)amd.com> Acked-by: Alex Deucher <alexander.deucher(a)amd.com> Link: https://lore.kernel.org/r/20250513032026.838036-1-Wayne.Lin@amd.com Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c index 0d7b72c75802..25e8befbcc47 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c @@ -107,7 +107,7 @@ static ssize_t dm_dp_aux_transfer(struct drm_dp_aux *aux, if (payload.write && result >= 0) { if (result) { /*one byte indicating partially written bytes*/ - drm_info(adev_to_drm(adev), "amdgpu: AUX partially written\n"); + drm_dbg_dp(adev_to_drm(adev), "amdgpu: AUX partially written\n"); result = payload.data[0]; } else if (!payload.reply[0]) /*I2C_ACK|AUX_ACK*/ @@ -133,11 +133,11 @@ static ssize_t dm_dp_aux_transfer(struct drm_dp_aux *aux, break; } - drm_info(adev_to_drm(adev), "amdgpu: DP AUX transfer fail:%d\n", operation_result); + drm_dbg_dp(adev_to_drm(adev), "amdgpu: DP AUX transfer fail:%d\n", operation_result); } if (payload.reply[0]) - drm_info(adev_to_drm(adev), "amdgpu: AUX reply command not ACK: 0x%02x.", + drm_dbg_dp(adev_to_drm(adev), "amdgpu: AUX reply command not ACK: 0x%02x.", payload.reply[0]); return result;

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/amd/display: Avoid flooding unnecessary info messages" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 9a9c3e1fe5256da14a0a307dff0478f90c55fc8c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051918-freefall-brute-4716@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9a9c3e1fe5256da14a0a307dff0478f90c55fc8c Mon Sep 17 00:00:00 2001 From: Wayne Lin <Wayne.Lin(a)amd.com> Date: Tue, 13 May 2025 11:20:24 +0800 Subject: [PATCH] drm/amd/display: Avoid flooding unnecessary info messages It's expected that we'll encounter temporary exceptions during aux transactions. Adjust logging from drm_info to drm_dbg_dp to prevent flooding with unnecessary log messages. Fixes: 3637e457eb00 ("drm/amd/display: Fix wrong handling for AUX_DEFER case") Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Wayne Lin <Wayne.Lin(a)amd.com> Acked-by: Alex Deucher <alexander.deucher(a)amd.com> Link: https://lore.kernel.org/r/20250513032026.838036-1-Wayne.Lin@amd.com Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c index 0d7b72c75802..25e8befbcc47 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c @@ -107,7 +107,7 @@ static ssize_t dm_dp_aux_transfer(struct drm_dp_aux *aux, if (payload.write && result >= 0) { if (result) { /*one byte indicating partially written bytes*/ - drm_info(adev_to_drm(adev), "amdgpu: AUX partially written\n"); + drm_dbg_dp(adev_to_drm(adev), "amdgpu: AUX partially written\n"); result = payload.data[0]; } else if (!payload.reply[0]) /*I2C_ACK|AUX_ACK*/ @@ -133,11 +133,11 @@ static ssize_t dm_dp_aux_transfer(struct drm_dp_aux *aux, break; } - drm_info(adev_to_drm(adev), "amdgpu: DP AUX transfer fail:%d\n", operation_result); + drm_dbg_dp(adev_to_drm(adev), "amdgpu: DP AUX transfer fail:%d\n", operation_result); } if (payload.reply[0]) - drm_info(adev_to_drm(adev), "amdgpu: AUX reply command not ACK: 0x%02x.", + drm_dbg_dp(adev_to_drm(adev), "amdgpu: AUX reply command not ACK: 0x%02x.", payload.reply[0]); return result;

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/amd/display: Avoid flooding unnecessary info messages" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 9a9c3e1fe5256da14a0a307dff0478f90c55fc8c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051917-outer-worrier-c3ff@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9a9c3e1fe5256da14a0a307dff0478f90c55fc8c Mon Sep 17 00:00:00 2001 From: Wayne Lin <Wayne.Lin(a)amd.com> Date: Tue, 13 May 2025 11:20:24 +0800 Subject: [PATCH] drm/amd/display: Avoid flooding unnecessary info messages It's expected that we'll encounter temporary exceptions during aux transactions. Adjust logging from drm_info to drm_dbg_dp to prevent flooding with unnecessary log messages. Fixes: 3637e457eb00 ("drm/amd/display: Fix wrong handling for AUX_DEFER case") Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Wayne Lin <Wayne.Lin(a)amd.com> Acked-by: Alex Deucher <alexander.deucher(a)amd.com> Link: https://lore.kernel.org/r/20250513032026.838036-1-Wayne.Lin@amd.com Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c index 0d7b72c75802..25e8befbcc47 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c @@ -107,7 +107,7 @@ static ssize_t dm_dp_aux_transfer(struct drm_dp_aux *aux, if (payload.write && result >= 0) { if (result) { /*one byte indicating partially written bytes*/ - drm_info(adev_to_drm(adev), "amdgpu: AUX partially written\n"); + drm_dbg_dp(adev_to_drm(adev), "amdgpu: AUX partially written\n"); result = payload.data[0]; } else if (!payload.reply[0]) /*I2C_ACK|AUX_ACK*/ @@ -133,11 +133,11 @@ static ssize_t dm_dp_aux_transfer(struct drm_dp_aux *aux, break; } - drm_info(adev_to_drm(adev), "amdgpu: DP AUX transfer fail:%d\n", operation_result); + drm_dbg_dp(adev_to_drm(adev), "amdgpu: DP AUX transfer fail:%d\n", operation_result); } if (payload.reply[0]) - drm_info(adev_to_drm(adev), "amdgpu: AUX reply command not ACK: 0x%02x.", + drm_dbg_dp(adev_to_drm(adev), "amdgpu: AUX reply command not ACK: 0x%02x.", payload.reply[0]); return result;

3 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/amd/display: Avoid flooding unnecessary info messages" failed to apply to 6.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.14.y git checkout FETCH_HEAD git cherry-pick -x 9a9c3e1fe5256da14a0a307dff0478f90c55fc8c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051917-kabob-bagginess-9b30@gregkh' --subject-prefix 'PATCH 6.14.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9a9c3e1fe5256da14a0a307dff0478f90c55fc8c Mon Sep 17 00:00:00 2001 From: Wayne Lin <Wayne.Lin(a)amd.com> Date: Tue, 13 May 2025 11:20:24 +0800 Subject: [PATCH] drm/amd/display: Avoid flooding unnecessary info messages It's expected that we'll encounter temporary exceptions during aux transactions. Adjust logging from drm_info to drm_dbg_dp to prevent flooding with unnecessary log messages. Fixes: 3637e457eb00 ("drm/amd/display: Fix wrong handling for AUX_DEFER case") Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Wayne Lin <Wayne.Lin(a)amd.com> Acked-by: Alex Deucher <alexander.deucher(a)amd.com> Link: https://lore.kernel.org/r/20250513032026.838036-1-Wayne.Lin@amd.com Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c index 0d7b72c75802..25e8befbcc47 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c @@ -107,7 +107,7 @@ static ssize_t dm_dp_aux_transfer(struct drm_dp_aux *aux, if (payload.write && result >= 0) { if (result) { /*one byte indicating partially written bytes*/ - drm_info(adev_to_drm(adev), "amdgpu: AUX partially written\n"); + drm_dbg_dp(adev_to_drm(adev), "amdgpu: AUX partially written\n"); result = payload.data[0]; } else if (!payload.reply[0]) /*I2C_ACK|AUX_ACK*/ @@ -133,11 +133,11 @@ static ssize_t dm_dp_aux_transfer(struct drm_dp_aux *aux, break; } - drm_info(adev_to_drm(adev), "amdgpu: DP AUX transfer fail:%d\n", operation_result); + drm_dbg_dp(adev_to_drm(adev), "amdgpu: DP AUX transfer fail:%d\n", operation_result); } if (payload.reply[0]) - drm_info(adev_to_drm(adev), "amdgpu: AUX reply command not ACK: 0x%02x.", + drm_dbg_dp(adev_to_drm(adev), "amdgpu: AUX reply command not ACK: 0x%02x.", payload.reply[0]); return result;

3 months, 3 weeks

1
0
0 0

[PATCH net] llc: fix data loss when reading from a socket in llc_ui_recvmsg()

by Ilia Gavrilov

For SOCK_STREAM sockets, if user buffer size (len) is less than skb size (skb->len), the remaining data from skb will be lost after calling kfree_skb(). To fix this, move the statement for partial reading above skb deletion. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) Fixes: 30a584d944fb ("[LLX]: SOCK_DGRAM interface fixes") Cc: stable(a)vger.kernel.org Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov(a)infotecs.ru> --- net/llc/af_llc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c index 0259cde394ba..cc77ec5769d8 100644 --- a/net/llc/af_llc.c +++ b/net/llc/af_llc.c @@ -887,15 +887,15 @@ static int llc_ui_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, if (sk->sk_type != SOCK_STREAM) goto copy_uaddr; + /* Partial read */ + if (used + offset < skb_len) + continue; + if (!(flags & MSG_PEEK)) { skb_unlink(skb, &sk->sk_receive_queue); kfree_skb(skb); *seq = 0; } - - /* Partial read */ - if (used + offset < skb_len) - continue; } while (len > 0); out: -- 2.39.5

3 months, 3 weeks

2
1
0 0

[PATCH 0/5] net: ch9200: fix various bugs and improve qinheng ch9200 driver

by Qasim Ijaz

This patch series aims to fix various issues throughout the QinHeng CH9200 driver. This driver fails to handle various failures, which in one case has lead to a uninit access bug found via syzbot. Upon reviewing the driver I fixed a few more issues which I have included in this patch series. Parts of this series are the product of discussions and suggestions I had from others like Andrew Lunn, Simon Horman and Jakub Kicinski you can view those discussions below: Link: <https://lore.kernel.org/all/20250319112156.48312-1-qasdev00@gmail.com> Link: <https://lore.kernel.org/all/20250218002443.11731-1-qasdev00@gmail.com/> Link: <https://lore.kernel.org/all/20250311161157.49065-1-qasdev00@gmail.com/> Qasim Ijaz (5): fix uninitialised access bug during mii_nway_restart remove extraneous return that prevents error propagation fail fast on control_read() failures during get_mac_address() add missing error handling in ch9200_bind() avoid triggering NWay restart on non-zero PHY ID drivers/net/usb/ch9200.c | 61 ++++++++++++++++++++++++++-------------- 1 file changed, 40 insertions(+), 21 deletions(-) -- 2.39.5

3 months, 3 weeks

4
20
0 0

[PATCH] dummycon: Trigger redraw when switching consoles with deferred takeover

by Thomas Zimmermann

Signal vt subsystem to redraw console when switching to dummycon with deferred takeover enabled. Makes the console switch to fbcon and displays the available output. With deferred takeover enabled, dummycon acts as the placeholder until the first output to the console happens. At that point, fbcon takes over. If the output happens while dummycon is not active, it cannot inform fbcon. This is the case if the vt subsystem runs in graphics mode. A typical graphical boot starts plymouth, a display manager and a compositor; all while leaving out dummycon. Switching to a text-mode console leaves the console with dummycon even if a getty terminal has been started. Returning true from dummycon's con_switch helper signals the vt subsystem to redraw the screen. If there's output available dummycon's con_putc{s} helpers trigger deferred takeover of fbcon, which sets a display mode and displays the output. If no output is available, dummycon remains active. Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Reported-by: Andrei Borzenkov <arvidjaar(a)gmail.com> Closes: https://bugzilla.suse.com/show_bug.cgi?id=1242191 Tested-by: Andrei Borzenkov <arvidjaar(a)gmail.com> Fixes: 83d83bebf401 ("console/fbcon: Add support for deferred console takeover") Cc: Hans de Goede <hdegoede(a)redhat.com> Cc: linux-fbdev(a)vger.kernel.org Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v4.19+ --- drivers/video/console/dummycon.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/drivers/video/console/dummycon.c b/drivers/video/console/dummycon.c index 139049368fdc..afb8e4d2fc34 100644 --- a/drivers/video/console/dummycon.c +++ b/drivers/video/console/dummycon.c @@ -85,6 +85,12 @@ static bool dummycon_blank(struct vc_data *vc, enum vesa_blank_mode blank, /* Redraw, so that we get putc(s) for output done while blanked */ return true; } + +static bool dummycon_switch(struct vc_data *vc) +{ + /* Redraw, so that we get putc(s) for output done while switched away */ + return true; +} #else static void dummycon_putc(struct vc_data *vc, u16 c, unsigned int y, unsigned int x) { } @@ -95,6 +101,10 @@ static bool dummycon_blank(struct vc_data *vc, enum vesa_blank_mode blank, { return false; } +static bool dummycon_switch(struct vc_data *vc) +{ + return false; +} #endif static const char *dummycon_startup(void) @@ -124,11 +134,6 @@ static bool dummycon_scroll(struct vc_data *vc, unsigned int top, return false; } -static bool dummycon_switch(struct vc_data *vc) -{ - return false; -} - /* * The console `switch' structure for the dummy console * -- 2.49.0

3 months, 3 weeks

2
2
0 0

[PATCH V2 2/2] phy: tegra: xusb: Disable periodic tracking on Tegra234

by Wayne Chang

From: Haotien Hsu <haotienh(a)nvidia.com> Periodic calibration updates (~10µs) may overlap with transfers when PCIe NVMe SSD, LPDDR, and USB2 devices operate simultaneously, causing crosstalk on Tegra234 devices. Hence disable periodic calibration updates and make this a one-time calibration. Fixes: d8163a32ca95 ("phy: tegra: xusb: Add Tegra234 support") Cc: stable(a)vger.kernel.org Signed-off-by: Haotien Hsu <haotienh(a)nvidia.com> Signed-off-by: Wayne Chang <waynec(a)nvidia.com> --- V1->V2: Rebased the commit drivers/phy/tegra/xusb-tegra186.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/phy/tegra/xusb-tegra186.c b/drivers/phy/tegra/xusb-tegra186.c index 683692f0ec3c..ba668c77457f 100644 --- a/drivers/phy/tegra/xusb-tegra186.c +++ b/drivers/phy/tegra/xusb-tegra186.c @@ -1711,7 +1711,7 @@ const struct tegra_xusb_padctl_soc tegra234_xusb_padctl_soc = { .num_supplies = ARRAY_SIZE(tegra194_xusb_padctl_supply_names), .supports_gen2 = true, .poll_trk_completed = true, - .trk_hw_mode = true, + .trk_hw_mode = false, .trk_update_on_idle = true, .supports_lp_cfg_en = true, }; -- 2.25.1

3 months, 3 weeks

1
0
0 0

[PATCH V2 1/2] phy: tegra: xusb: Decouple CYA_TRK_CODE_UPDATE_ON_IDLE from trk_hw_mode

by Wayne Chang

The logic that drives the pad calibration values resides in the controller reset domain and so the calibration values are only being captured when the controller is out of reset. However, by clearing the CYA_TRK_CODE_UPDATE_ON_IDLE bit, the calibration values can be set while the controller is in reset. The CYA_TRK_CODE_UPDATE_ON_IDLE bit was previously cleared based on the trk_hw_mode flag, but this dependency is not necessary. Instead, introduce a new flag, trk_update_on_idle, to independently control this bit. Fixes: d8163a32ca95 ("phy: tegra: xusb: Add Tegra234 support") Cc: stable(a)vger.kernel.org Signed-off-by: Wayne Chang <waynec(a)nvidia.com> --- V1->V2: Rebased the commit drivers/phy/tegra/xusb-tegra186.c | 14 ++++++++------ drivers/phy/tegra/xusb.h | 1 + 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/drivers/phy/tegra/xusb-tegra186.c b/drivers/phy/tegra/xusb-tegra186.c index 23a23f2d64e5..683692f0ec3c 100644 --- a/drivers/phy/tegra/xusb-tegra186.c +++ b/drivers/phy/tegra/xusb-tegra186.c @@ -648,14 +648,15 @@ static void tegra186_utmi_bias_pad_power_on(struct tegra_xusb_padctl *padctl) udelay(100); } - if (padctl->soc->trk_hw_mode) { - value = padctl_readl(padctl, XUSB_PADCTL_USB2_BIAS_PAD_CTL2); - value |= USB2_TRK_HW_MODE; + value = padctl_readl(padctl, XUSB_PADCTL_USB2_BIAS_PAD_CTL2); + if (padctl->soc->trk_update_on_idle) value &= ~CYA_TRK_CODE_UPDATE_ON_IDLE; - padctl_writel(padctl, value, XUSB_PADCTL_USB2_BIAS_PAD_CTL2); - } else { + if (padctl->soc->trk_hw_mode) + value |= USB2_TRK_HW_MODE; + padctl_writel(padctl, value, XUSB_PADCTL_USB2_BIAS_PAD_CTL2); + + if (!padctl->soc->trk_hw_mode) clk_disable_unprepare(priv->usb2_trk_clk); - } } static void tegra186_utmi_bias_pad_power_off(struct tegra_xusb_padctl *padctl) @@ -1711,6 +1712,7 @@ const struct tegra_xusb_padctl_soc tegra234_xusb_padctl_soc = { .supports_gen2 = true, .poll_trk_completed = true, .trk_hw_mode = true, + .trk_update_on_idle = true, .supports_lp_cfg_en = true, }; EXPORT_SYMBOL_GPL(tegra234_xusb_padctl_soc); diff --git a/drivers/phy/tegra/xusb.h b/drivers/phy/tegra/xusb.h index 6e45d194c689..d2b5f9565132 100644 --- a/drivers/phy/tegra/xusb.h +++ b/drivers/phy/tegra/xusb.h @@ -434,6 +434,7 @@ struct tegra_xusb_padctl_soc { bool need_fake_usb3_port; bool poll_trk_completed; bool trk_hw_mode; + bool trk_update_on_idle; bool supports_lp_cfg_en; }; -- 2.25.1

3 months, 3 weeks

1
0
0 0

[PATCH] net: mlx5: vport: Add error handling in mlx5_query_nic_vport_node_guid()

by Wentao Liang

The function mlx5_query_nic_vport_node_guid() calls the functuion mlx5_query_nic_vport_context() but does not check its return value. A proper implementation can be found in mlx5_nic_vport_query_local_lb(). Add error handling for mlx5_query_nic_vport_context(). If it fails, free the out buffer via kvfree() and return error code. Fixes: 9efa75254593 ("net/mlx5_core: Introduce access functions to query vport RoCE fields") Cc: stable(a)vger.kernel.org # v4.5 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- drivers/net/ethernet/mellanox/mlx5/core/vport.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vport.c b/drivers/net/ethernet/mellanox/mlx5/core/vport.c index 276b162ccf18..db45ad72ff43 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/vport.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/vport.c @@ -464,20 +464,23 @@ int mlx5_query_nic_vport_sd_group(struct mlx5_core_dev *mdev, u8 *sd_group) int mlx5_query_nic_vport_node_guid(struct mlx5_core_dev *mdev, u64 *node_guid) { u32 *out; - int outlen = MLX5_ST_SZ_BYTES(query_nic_vport_context_out); + int ret, outlen = MLX5_ST_SZ_BYTES(query_nic_vport_context_out); out = kvzalloc(outlen, GFP_KERNEL); if (!out) return -ENOMEM; - mlx5_query_nic_vport_context(mdev, 0, out); + ret = mlx5_query_nic_vport_context(mdev, 0, out); + if (ret) + goto err; *node_guid = MLX5_GET64(query_nic_vport_context_out, out, nic_vport_context.node_guid); - + ret = 0; +err: kvfree(out); - return 0; + return ret; } EXPORT_SYMBOL_GPL(mlx5_query_nic_vport_node_guid); -- 2.42.0.windows.2

3 months, 3 weeks

2
1
0 0

[PATCH] wifi: wilc1000: Add error handling for wilc_sdio_cmd52()

by Wentao Liang

The wilc_sdio_read_size() calls wilc_sdio_cmd52() but does not check the return value. This could lead to execution with potentially invalid data if wilc_sdio_cmd52() fails. A proper implementation can be found in wilc_sdio_read_reg(). Add error handling for wilc_sdio_cmd52(). If wilc_sdio_cmd52() fails, log an error message via dev_err(). Fixes: 0e1af73ddeb9 ("staging/wilc1000: use proper naming for global symbols") Cc: stable(a)vger.kernel.org # v4.15 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- drivers/net/wireless/microchip/wilc1000/sdio.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/microchip/wilc1000/sdio.c b/drivers/net/wireless/microchip/wilc1000/sdio.c index 5262c8846c13..e7a2bc9f9902 100644 --- a/drivers/net/wireless/microchip/wilc1000/sdio.c +++ b/drivers/net/wireless/microchip/wilc1000/sdio.c @@ -771,6 +771,8 @@ static int wilc_sdio_read_size(struct wilc *wilc, u32 *size) { u32 tmp; struct sdio_cmd52 cmd; + struct sdio_func *func = dev_to_sdio_func(wilc->dev); + int ret; /** * Read DMA count in words @@ -780,12 +782,20 @@ static int wilc_sdio_read_size(struct wilc *wilc, u32 *size) cmd.raw = 0; cmd.address = WILC_SDIO_INTERRUPT_DATA_SZ_REG; cmd.data = 0; - wilc_sdio_cmd52(wilc, &cmd); + ret = wilc_sdio_cmd52(wilc, &cmd); + if (ret) { + dev_err(&func->devm, "Fail cmd 52, interrupt data register...\n"); + return ret; + } tmp = cmd.data; cmd.address = WILC_SDIO_INTERRUPT_DATA_SZ_REG + 1; cmd.data = 0; - wilc_sdio_cmd52(wilc, &cmd); + ret = wilc_sdio_cmd52(wilc, &cmd); + if (ret) { + dev_err(&func->devm, "Fail cmd 52, interrupt data register...\n"); + return ret; + } tmp |= (cmd.data << 8); *size = tmp; -- 2.42.0.windows.2

3 months, 3 weeks

5
4
0 0

[PATCH v2] wifi: wilc1000: Add error handling for wilc_sdio_cmd52()

by Wentao Liang

The wilc_sdio_read_size() calls wilc_sdio_cmd52() but does not check the return value. This could lead to execution with potentially invalid data if wilc_sdio_cmd52() fails. A proper implementation can be found in wilc_sdio_read_reg(). Add error handling for wilc_sdio_cmd52(). If wilc_sdio_cmd52() fails, log an error message via dev_err(). Fixes: 0e1af73ddeb9 ("staging/wilc1000: use proper naming for global symbols") Cc: stable(a)vger.kernel.org # v4.15 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- v2: Fix code error. drivers/net/wireless/microchip/wilc1000/sdio.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/microchip/wilc1000/sdio.c b/drivers/net/wireless/microchip/wilc1000/sdio.c index 5262c8846c13..8ff49b08bbd2 100644 --- a/drivers/net/wireless/microchip/wilc1000/sdio.c +++ b/drivers/net/wireless/microchip/wilc1000/sdio.c @@ -771,6 +771,7 @@ static int wilc_sdio_read_size(struct wilc *wilc, u32 *size) { u32 tmp; struct sdio_cmd52 cmd; + struct sdio_func *func = dev_to_sdio_func(wilc->dev); /** * Read DMA count in words @@ -780,12 +781,20 @@ static int wilc_sdio_read_size(struct wilc *wilc, u32 *size) cmd.raw = 0; cmd.address = WILC_SDIO_INTERRUPT_DATA_SZ_REG; cmd.data = 0; - wilc_sdio_cmd52(wilc, &cmd); + ret = wilc_sdio_cmd52(wilc, &cmd); + if (ret) { + dev_err(&func->dev, "Fail cmd 52, interrupt data register...\n"); + return ret; + } tmp = cmd.data; cmd.address = WILC_SDIO_INTERRUPT_DATA_SZ_REG + 1; cmd.data = 0; - wilc_sdio_cmd52(wilc, &cmd); + ret = wilc_sdio_cmd52(wilc, &cmd); + if (ret) { + dev_err(&func->dev, "Fail cmd 52, interrupt data register...\n"); + return ret; + } tmp |= (cmd.data << 8); *size = tmp; -- 2.42.0.windows.2

3 months, 3 weeks

2
1
0 0

[PATCH] net: mlx5: vport: Add error handling in mlx5_query_nic_vport_qkey_viol_cntr()

by Wentao Liang

The function mlx5_query_nic_vport_qkey_viol_cntr() calls the functuion mlx5_query_nic_vport_context() but does not check its return value. This could lead to undefined behavior if the query fails. A proper implementation can be found in mlx5_nic_vport_query_local_lb(). Add error handling for mlx5_query_nic_vport_context(). If it fails, free the out buffer via kvfree() and return error code. Fixes: 9efa75254593 ("net/mlx5_core: Introduce access functions to query vport RoCE fields") Cc: stable(a)vger.kernel.org # v4.5 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- drivers/net/ethernet/mellanox/mlx5/core/vport.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vport.c b/drivers/net/ethernet/mellanox/mlx5/core/vport.c index 0d5f750faa45..276b162ccf18 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/vport.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/vport.c @@ -518,20 +518,23 @@ int mlx5_query_nic_vport_qkey_viol_cntr(struct mlx5_core_dev *mdev, u16 *qkey_viol_cntr) { u32 *out; - int outlen = MLX5_ST_SZ_BYTES(query_nic_vport_context_out); + int ret, outlen = MLX5_ST_SZ_BYTES(query_nic_vport_context_out); out = kvzalloc(outlen, GFP_KERNEL); if (!out) return -ENOMEM; - mlx5_query_nic_vport_context(mdev, 0, out); + ret = mlx5_query_nic_vport_context(mdev, 0, out); + if (ret) + goto out; *qkey_viol_cntr = MLX5_GET(query_nic_vport_context_out, out, nic_vport_context.qkey_violation_counter); - + ret = 0; +out: kvfree(out); - return 0; + return ret; } EXPORT_SYMBOL_GPL(mlx5_query_nic_vport_qkey_viol_cntr); -- 2.42.0.windows.2

3 months, 3 weeks

2
1
0 0

[PATCH v2 0/2] crypto: octeontx2: Changes related to LMTST memory

by Bharat Bhushan

v1->v2: - Removed changes in pci-host-common.c, those were comitted by mistake. The first patch moves the initialization of cptlfs device info to the early probe stage, also eliminate redundant initialization. The second patch updates the driver to use a dynamically allocated memory region for LMTST instead of the statically allocated memory from firmware. It also adds myself as a maintainer. Bharat Bhushan (2): crypto: octeontx2: Initialize cptlfs device info once crypto: octeontx2: Use dynamic allocated memory region for lmtst MAINTAINERS | 1 + drivers/crypto/marvell/octeontx2/cn10k_cpt.c | 89 ++++++++++++++----- drivers/crypto/marvell/octeontx2/cn10k_cpt.h | 1 + .../marvell/octeontx2/otx2_cpt_common.h | 1 + .../marvell/octeontx2/otx2_cpt_mbox_common.c | 25 ++++++ drivers/crypto/marvell/octeontx2/otx2_cptlf.c | 5 +- drivers/crypto/marvell/octeontx2/otx2_cptlf.h | 12 ++- .../marvell/octeontx2/otx2_cptpf_main.c | 18 +++- .../marvell/octeontx2/otx2_cptpf_mbox.c | 6 +- .../marvell/octeontx2/otx2_cptpf_ucode.c | 2 - .../marvell/octeontx2/otx2_cptvf_main.c | 19 ++-- .../marvell/octeontx2/otx2_cptvf_mbox.c | 1 + 12 files changed, 133 insertions(+), 47 deletions(-) -- 2.34.1

3 months, 3 weeks

3
4
0 0

FAILED: patch "[PATCH] virtio_net: ensure netdev_tx_reset_queue is called on bind" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 76a771ec4c9adfd75fe53c8505cf656a075d7101 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051251-shawl-unmarked-03e8@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 76a771ec4c9adfd75fe53c8505cf656a075d7101 Mon Sep 17 00:00:00 2001 From: Koichiro Den <koichiro.den(a)canonical.com> Date: Fri, 6 Dec 2024 10:10:47 +0900 Subject: [PATCH] virtio_net: ensure netdev_tx_reset_queue is called on bind xsk for tx virtnet_sq_bind_xsk_pool() flushes tx skbs and then resets tx queue, so DQL counters need to be reset when flushing has actually occurred, Add virtnet_sq_free_unused_buf_done() as a callback for virtqueue_resize() to handle this. Fixes: 21a4e3ce6dc7 ("virtio_net: xsk: bind/unbind xsk for tx") Signed-off-by: Koichiro Den <koichiro.den(a)canonical.com> Acked-by: Jason Wang <jasowang(a)redhat.com> Reviewed-by: Xuan Zhuo <xuanzhuo(a)linux.alibaba.com> Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index 5cf4b2b20431..7646ddd9bef7 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -5740,7 +5740,8 @@ static int virtnet_sq_bind_xsk_pool(struct virtnet_info *vi, virtnet_tx_pause(vi, sq); - err = virtqueue_reset(sq->vq, virtnet_sq_free_unused_buf, NULL); + err = virtqueue_reset(sq->vq, virtnet_sq_free_unused_buf, + virtnet_sq_free_unused_buf_done); if (err) { netdev_err(vi->dev, "reset tx fail: tx queue index: %d err: %d\n", qindex, err); pool = NULL;

3 months, 3 weeks

2
1
0 0

[PATCH] drm: radeon: ci_dpm: Add error handling in ci_enable_vce_dpm()

by Wentao Liang

The ci_enable_vce_dpm() calls ci_send_msg_to_smc_with_parameter() but does not check the return value. A proper implementation can be found in the ci_upload_dpm_level_enable_mask(). Add a check after calling ci_send_msg_to_smc_with_parameter(), return -EINVAL if the sending fails. Fixes: cc8dbbb4f62a ("drm/radeon: add dpm support for CI dGPUs (v2)") Cc: stable(a)vger.kernel.org # v3.12 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- drivers/gpu/drm/radeon/ci_dpm.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/radeon/ci_dpm.c b/drivers/gpu/drm/radeon/ci_dpm.c index 3877863c6893..c4faaa16a5c4 100644 --- a/drivers/gpu/drm/radeon/ci_dpm.c +++ b/drivers/gpu/drm/radeon/ci_dpm.c @@ -3945,6 +3945,7 @@ static int ci_enable_vce_dpm(struct radeon_device *rdev, bool enable) struct ci_power_info *pi = ci_get_pi(rdev); const struct radeon_clock_and_voltage_limits *max_limits; int i; + PPSMC_Result result; if (rdev->pm.dpm.ac_power) max_limits = &rdev->pm.dpm.dyn_state.max_clock_voltage_on_ac; @@ -3962,9 +3963,11 @@ static int ci_enable_vce_dpm(struct radeon_device *rdev, bool enable) } } - ci_send_msg_to_smc_with_parameter(rdev, - PPSMC_MSG_VCEDPM_SetEnabledMask, - pi->dpm_level_enable_mask.vce_dpm_enable_mask); + result = ci_send_msg_to_smc_with_parameter(rdev, + PPSMC_MSG_VCEDPM_SetEnabledMask, + pi->dpm_level_enable_mask.vce_dpm_enable_mask); + if (result != PPSMC_Result_OK) + return -EINVAL; } return (ci_send_msg_to_smc(rdev, enable ? -- 2.42.0.windows.2

3 months, 3 weeks

1
0
0 0

[PATCH] HID: lenovo: Unbreak USB/BT keyboards on non-ACPI platforms

by Janne Grunau via B4 Relay

From: Janne Grunau <j(a)jannau.net> Commit 84c9d2a968c8 ("HID: lenovo: Support for ThinkPad-X12-TAB-1/2 Kbd Fn keys") added a dependency on ACPI_PLATFORM_PROFILE to cycle through power profiles. This breaks USB and Bluetooth keyboards on non-ACPI platforms since platform_profile_init() fails. See the warning below for the visible symptom but cause is the dependency on the platform_profile module. [ 266.225052] kernel: usb 1-1.3.2: new full-speed USB device number 9 using xhci_hcd [ 266.316032] kernel: usb 1-1.3.2: New USB device found, idVendor=17ef, idProduct=6047, bcdDevice= 3.30 [ 266.327129] kernel: usb 1-1.3.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0 [ 266.327623] kernel: usb 1-1.3.2: Product: ThinkPad Compact USB Keyboard with TrackPoint [ 266.328096] kernel: usb 1-1.3.2: Manufacturer: Lenovo [ 266.337488] kernel: ------------[ cut here ]------------ [ 266.337551] kernel: WARNING: CPU: 4 PID: 2619 at fs/sysfs/group.c:131 internal_create_group+0xc0/0x358 [ 266.337584] kernel: Modules linked in: platform_profile(+) nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft> [ 266.337685] kernel: apple_sio spi_apple apple_dart soundcore spmi_apple_controller pinctrl_apple_gpio i2c_pasemi_platform apple_admac i2c_pasemi_core clk_apple_nco xhci_pla> [ 266.337717] kernel: CPU: 4 UID: 0 PID: 2619 Comm: (udev-worker) Tainted: G S W 6.14.4-400.asahi.fc41.aarch64+16k #1 [ 266.337750] kernel: Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN [ 266.337776] kernel: Hardware name: Apple Mac mini (M1, 2020) (DT) [ 266.337808] kernel: pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 266.337834] kernel: pc : internal_create_group+0xc0/0x358 [ 266.337860] kernel: lr : sysfs_create_group+0x20/0x40 [ 266.337886] kernel: sp : ffff800086f877a0 [ 266.337914] kernel: x29: ffff800086f877b0 x28: 0000000000000000 x27: ffffb66d0b338348 [ 266.337939] kernel: x26: ffffb66d0b338358 x25: ffffb66d528c7c50 x24: ffffb66d507e37b0 [ 266.337965] kernel: x23: 0000fffebf6708d8 x22: 0000000000000000 x21: ffffb66d0b370340 [ 266.337991] kernel: x20: ffffb66d0b370308 x19: 0000000000000000 x18: 0000000000000000 [ 266.338029] kernel: x17: 554e514553007373 x16: ffffb66d4f8c2268 x15: 595342555300656c [ 266.338051] kernel: x14: 69666f72702d6d72 x13: 00353236353d4d55 x12: 4e51455300737361 [ 266.338075] kernel: x11: ffff6adf91b80100 x10: 0000000000000139 x9 : ffffb66d4f8c2288 [ 266.338097] kernel: x8 : ffff800086f87620 x7 : 0000000000000000 x6 : 0000000000000000 [ 266.338116] kernel: x5 : ffff6adfc896e100 x4 : 0000000000000000 x3 : ffff6adfc896e100 [ 266.338139] kernel: x2 : ffffb66d0b3703a0 x1 : 0000000000000000 x0 : 0000000000000000 [ 266.338155] kernel: Call trace: [ 266.338173] kernel: internal_create_group+0xc0/0x358 (P) [ 266.338193] kernel: sysfs_create_group+0x20/0x40 [ 266.338206] kernel: platform_profile_init+0x48/0x3ff8 [platform_profile] [ 266.338224] kernel: do_one_initcall+0x60/0x358 [ 266.338239] kernel: do_init_module+0x94/0x260 [ 266.338257] kernel: load_module+0x5e0/0x708 [ 266.338271] kernel: init_module_from_file+0x94/0x100 [ 266.338290] kernel: __arm64_sys_finit_module+0x268/0x360 [ 266.338309] kernel: invoke_syscall+0x6c/0x100 [ 266.338327] kernel: el0_svc_common.constprop.0+0xc8/0xf0 [ 266.338346] kernel: do_el0_svc+0x24/0x38 [ 266.338365] kernel: el0_svc+0x3c/0x170 [ 266.338385] kernel: el0t_64_sync_handler+0x10c/0x138 [ 266.338404] kernel: el0t_64_sync+0x1b0/0x1b8 [ 266.338419] kernel: ---[ end trace 0000000000000000 ]--- Fixes: 84c9d2a968c8 ("HID: lenovo: Support for ThinkPad-X12-TAB-1/2 Kbd Fn keys") Cc: stable(a)vger.kernel.org Signed-off-by: Janne Grunau <j(a)jannau.net> ------>8--------- I don't see an easy solution to keep the functionality in generic HID code which is used on non-ACPI platforms. Solution for this are not trivial so remove the functionality for now. Cc-ing the ACPI maintainers in the case they can think of a solution for this issue. --- drivers/hid/Kconfig | 1 - drivers/hid/hid-lenovo.c | 5 +---- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/drivers/hid/Kconfig b/drivers/hid/Kconfig index a503252702b7b43c332a12b14bc8b23b83e9f028..6b4445f54b2f2818d451ff28b3f7bcc2b1c7e99f 100644 --- a/drivers/hid/Kconfig +++ b/drivers/hid/Kconfig @@ -596,7 +596,6 @@ config HID_LED config HID_LENOVO tristate "Lenovo / Thinkpad devices" depends on ACPI - select ACPI_PLATFORM_PROFILE select NEW_LEDS select LEDS_CLASS help diff --git a/drivers/hid/hid-lenovo.c b/drivers/hid/hid-lenovo.c index af29ba840522f99bc2f426d4753f70d442cef3af..cff4b5ddd9aa9bad0516f8c9beb58927c24477fc 100644 --- a/drivers/hid/hid-lenovo.c +++ b/drivers/hid/hid-lenovo.c @@ -32,8 +32,6 @@ #include <linux/leds.h> #include <linux/workqueue.h> -#include <linux/platform_profile.h> - #include "hid-ids.h" /* Userspace expects F20 for mic-mute KEY_MICMUTE does not work */ @@ -729,8 +727,7 @@ static int lenovo_raw_event_TP_X12_tab(struct hid_device *hdev, u32 raw_data) report_key_event(input, KEY_RFKILL); return 1; } - platform_profile_cycle(); - return 1; + return 0; case TP_X12_RAW_HOTKEY_FN_F10: /* TAB1 has PICKUP Phone and TAB2 use Snipping tool*/ (hdev->product == USB_DEVICE_ID_LENOVO_X12_TAB) ? --- base-commit: 0af2f6be1b4281385b618cb86ad946eded089ac8 change-id: 20250512-hid_lenovo_unbreak_non_acpi-c041f3cc13b6 Best regards, -- Janne Grunau <j(a)jannau.net>

3 months, 4 weeks

3
6
0 0

Re: Patch "sched_ext: Fix missing rq lock in scx_bpf_cpuperf_set()" has been added to the 6.12-stable tree

by Andrea Righi

Hi, On Sun, May 18, 2025 at 06:38:01AM -0400, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > sched_ext: Fix missing rq lock in scx_bpf_cpuperf_set() > > to the 6.12-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > sched_ext-fix-missing-rq-lock-in-scx_bpf_cpuperf_set.patch > and it can be found in the queue-6.12 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. This requires upstream commit 18853ba782bef ("sched_ext: Track currently locked rq"). Thanks, -Andrea > > > > commit b19ccb5dc4d3d35b83b94fe2514456dc0b3a9ba5 > Author: Andrea Righi <arighi(a)nvidia.com> > Date: Tue Apr 22 10:26:33 2025 +0200 > > sched_ext: Fix missing rq lock in scx_bpf_cpuperf_set() > > [ Upstream commit a11d6784d7316a6c77ca9f14fb1a698ebbb3c1fb ] > > scx_bpf_cpuperf_set() can be used to set a performance target level on > any CPU. However, it doesn't correctly acquire the corresponding rq > lock, which may lead to unsafe behavior and trigger the following > warning, due to the lockdep_assert_rq_held() check: > > [ 51.713737] WARNING: CPU: 3 PID: 3899 at kernel/sched/sched.h:1512 scx_bpf_cpuperf_set+0x1a0/0x1e0 > ... > [ 51.713836] Call trace: > [ 51.713837] scx_bpf_cpuperf_set+0x1a0/0x1e0 (P) > [ 51.713839] bpf_prog_62d35beb9301601f_bpfland_init+0x168/0x440 > [ 51.713841] bpf__sched_ext_ops_init+0x54/0x8c > [ 51.713843] scx_ops_enable.constprop.0+0x2c0/0x10f0 > [ 51.713845] bpf_scx_reg+0x18/0x30 > [ 51.713847] bpf_struct_ops_link_create+0x154/0x1b0 > [ 51.713849] __sys_bpf+0x1934/0x22a0 > > Fix by properly acquiring the rq lock when possible or raising an error > if we try to operate on a CPU that is not the one currently locked. > > Fixes: d86adb4fc0655 ("sched_ext: Add cpuperf support") > Signed-off-by: Andrea Righi <arighi(a)nvidia.com> > Acked-by: Changwoo Min <changwoo(a)igalia.com> > Signed-off-by: Tejun Heo <tj(a)kernel.org> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c > index 7ed25654820fd..0147c4452f4df 100644 > --- a/kernel/sched/ext.c > +++ b/kernel/sched/ext.c > @@ -7018,13 +7018,32 @@ __bpf_kfunc void scx_bpf_cpuperf_set(s32 cpu, u32 perf) > } > > if (ops_cpu_valid(cpu, NULL)) { > - struct rq *rq = cpu_rq(cpu); > + struct rq *rq = cpu_rq(cpu), *locked_rq = scx_locked_rq(); > + struct rq_flags rf; > + > + /* > + * When called with an rq lock held, restrict the operation > + * to the corresponding CPU to prevent ABBA deadlocks. > + */ > + if (locked_rq && rq != locked_rq) { > + scx_ops_error("Invalid target CPU %d", cpu); > + return; > + } > + > + /* > + * If no rq lock is held, allow to operate on any CPU by > + * acquiring the corresponding rq lock. > + */ > + if (!locked_rq) { > + rq_lock_irqsave(rq, &rf); > + update_rq_clock(rq); > + } > > rq->scx.cpuperf_target = perf; > + cpufreq_update_util(rq, 0); > > - rcu_read_lock_sched_notrace(); > - cpufreq_update_util(cpu_rq(cpu), 0); > - rcu_read_unlock_sched_notrace(); > + if (!locked_rq) > + rq_unlock_irqrestore(rq, &rf); > } > } >

3 months, 4 weeks

1
0
0 0

[REGRESSION] stable-rc/linux-6.6.y: (build) set_ftrace_ops_ro+0x46: relocation to !ENDBR: .text+0x16c578 in vm...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-6.6.y: --- set_ftrace_ops_ro+0x46: relocation to !ENDBR: .text+0x16c578 in vmlinux (vmlinux.o) [logspec:kbuild,kbuild.compiler.objtool] --- - dashboard: https://d.kernelci.org/i/maestro:c49af145451f7a03012be6a37ed4b2bc44aa3470 - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: 615b9e10e3377467ced8f50592a1b5ba8ce053d8 Log excerpt: ===================================================== vmlinux.o: warning: objtool: set_ftrace_ops_ro+0x46: relocation to !ENDBR: .text+0x16c578 OBJCOPY modules.builtin.modinfo GEN modules.builtin GEN .vmlinux.objs MODPOST vmlinux.symvers CC .vmlinux.export.o UPD include/generated/utsversion.h CC init/version-timestamp.o LD .tmp_vmlinux.kallsyms1 ld.lld: error: undefined symbol: its_static_thunk >>> referenced by usercopy_64.c >>> vmlinux.o:(emit_indirect_jump) ===================================================== # Builds where the incident occurred: ## x86_64_defconfig+allmodconfig on (x86_64): - compiler: clang-17 - dashboard: https://d.kernelci.org/build/maestro:6829871bfef071f536c1102b #kernelci issue maestro:c49af145451f7a03012be6a37ed4b2bc44aa3470 Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

3 months, 4 weeks

1
0
0 0

Reply Request For All-Energy Exhibition 2025

by jack reacher

Hi, I just wanted to check in and see if you had the chance to review my previous email regarding All-Energy Exhibition and Conference 2025. Looking forward to your reply. Kind regards, Jack Reacher _____________________________________________________________________________________ From: Jack Reacher Subject: All-Energy Exhibition and Conference 2025 Hi, As an exhibiting company at All-Energy Exhibition and Conference 2025 we have access to the fully updated attendee list, including last-minute registrants who attended the show. This exclusive list can help you: ✅ Connect with high-intent leads ✅ Follow up with attendees who visited (or missed) your booth ✅ Maximize your ROI from the event If you're Interested, I’d love to share more details—and I can also provide pricing information. Looking forward to your thoughts. Regards, Jack Reacher Sr. Marketing Manager If you do not wish to receive this newsletter reply as "Not interested"

3 months, 4 weeks

1
0
0 0

[REGRESSION] stable-rc/linux-6.6.y: (build) set_ftrace_ops_ro+0x46: relocation to !ENDBR: .text+0x16c578 in vm...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-6.6.y: --- set_ftrace_ops_ro+0x46: relocation to !ENDBR: .text+0x16c578 in vmlinux (vmlinux.o) [logspec:kbuild,kbuild.compiler.objtool] --- - dashboard: https://d.kernelci.org/i/maestro:c49af145451f7a03012be6a37ed4b2bc44aa3470 - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: 615b9e10e3377467ced8f50592a1b5ba8ce053d8 Log excerpt: ===================================================== vmlinux.o: warning: objtool: set_ftrace_ops_ro+0x46: relocation to !ENDBR: .text+0x16c578 OBJCOPY modules.builtin.modinfo GEN modules.builtin GEN .vmlinux.objs MODPOST vmlinux.symvers CC .vmlinux.export.o UPD include/generated/utsversion.h CC init/version-timestamp.o LD .tmp_vmlinux.kallsyms1 ld.lld: error: undefined symbol: its_static_thunk >>> referenced by usercopy_64.c >>> vmlinux.o:(emit_indirect_jump) ===================================================== # Builds where the incident occurred: ## x86_64_defconfig+allmodconfig on (x86_64): - compiler: clang-17 - dashboard: https://d.kernelci.org/build/maestro:6829871bfef071f536c1102b #kernelci issue maestro:c49af145451f7a03012be6a37ed4b2bc44aa3470 Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

3 months, 4 weeks

1
0
0 0

[REGRESSION] stable-rc/linux-6.6.y: (build) redefinition of 'its_static_thunk' in arch/x86/kernel/alternative....

by KernelCI bot

Hello, New build issue found on stable-rc/linux-6.6.y: --- redefinition of 'its_static_thunk' in arch/x86/kernel/alternative.o (arch/x86/kernel/alternative.c) [logspec:kbuild,kbuild.compiler.error] --- - dashboard: https://d.kernelci.org/i/maestro:4e3244fcbf4c807ca7a60afea944a81fb0547730 - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: 615b9e10e3377467ced8f50592a1b5ba8ce053d8 Log excerpt: ===================================================== arch/x86/kernel/alternative.c:1452:5: error: redefinition of 'its_static_thunk' 1452 | u8 *its_static_thunk(int reg) | ^ ./arch/x86/include/asm/alternative.h:143:19: note: previous definition is here 143 | static inline u8 *its_static_thunk(int reg) | ^ CC drivers/pinctrl/bcm/pinctrl-bcm6318.o 1 error generated. ===================================================== # Builds where the incident occurred: ## i386_defconfig+allmodconfig+CONFIG_FRAME_WARN=2048 on (i386): - compiler: clang-17 - dashboard: https://d.kernelci.org/build/maestro:68298753fef071f536c11059 #kernelci issue maestro:4e3244fcbf4c807ca7a60afea944a81fb0547730 Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

3 months, 4 weeks

1
0
0 0

[REGRESSION] stable-rc/linux-6.6.y: (build) redefinition of ‘its_static_thunk’ in arch/x86/kernel/alternative....

by KernelCI bot

Hello, New build issue found on stable-rc/linux-6.6.y: --- redefinition of ‘its_static_thunk’ in arch/x86/kernel/alternative.o (arch/x86/kernel/alternative.c) [logspec:kbuild,kbuild.compiler.error] --- - dashboard: https://d.kernelci.org/i/maestro:9ad63ff53451e24010f8c5d4d7d281c39f8e2f6e - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: 615b9e10e3377467ced8f50592a1b5ba8ce053d8 Log excerpt: ===================================================== arch/x86/kernel/alternative.c:1452:5: error: redefinition of ‘its_static_thunk’ 1452 | u8 *its_static_thunk(int reg) | ^~~~~~~~~~~~~~~~ In file included from ./arch/x86/include/asm/barrier.h:5, from ./include/linux/list.h:11, from ./include/linux/module.h:12, from arch/x86/kernel/alternative.c:4: ./arch/x86/include/asm/alternative.h:143:19: note: previous definition of ‘its_static_thunk’ with type ‘u8 *(int)’ {aka ‘unsigned char *(int)’} 143 | static inline u8 *its_static_thunk(int reg) | ^~~~~~~~~~~~~~~~ ===================================================== # Builds where the incident occurred: ## allnoconfig+kselftest on (x86_64): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:68298772fef071f536c11071 ## cros://chromeos-6.6/x86_64/chromeos-amd-stoneyridge.flavour.config+lab-setup+x86-board+CONFIG_MODULE_COMPRESS=n+CONFIG_MODULE_COMPRESS_NONE=y on (x86_64): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:68298702fef071f536c11015 ## defconfig+kcidebug+x86-board on (i386): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:68298775fef071f536c11074 ## i386_defconfig on (i386): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:6829874ffef071f536c11056 ## i386_defconfig+kselftest on (i386): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:6829875efef071f536c11062 ## tinyconfig on (i386): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:6829875afef071f536c1105f ## tinyconfig+kselftest on (x86_64): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:6829877dfef071f536c1107a #kernelci issue maestro:9ad63ff53451e24010f8c5d4d7d281c39f8e2f6e Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

3 months, 4 weeks

1
0
0 0

[PATCH] RDMA/irdma: puda: Clear entries after allocation to ensure clean state

by Wentao Liang

The irdma_puda_send() calls the irdma_puda_get_next_send_wqe() to get entries, but does not clear the entries after the function call. This could lead to wqe data inconsistency. A proper implementation can be found in irdma_uk_send(). Add the irdma_clr_wqes() after irdma_puda_get_next_send_wqe(). Add the headfile of the irdma_clr_wqes(). Fixes: a3a06db504d3 ("RDMA/irdma: Add privileged UDA queue implementation") Cc: stable(a)vger.kernel.org # v5.14 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- drivers/infiniband/hw/irdma/puda.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/infiniband/hw/irdma/puda.c b/drivers/infiniband/hw/irdma/puda.c index 7e3f9bca2c23..1d113ad05500 100644 --- a/drivers/infiniband/hw/irdma/puda.c +++ b/drivers/infiniband/hw/irdma/puda.c @@ -7,6 +7,7 @@ #include "protos.h" #include "puda.h" #include "ws.h" +#include "user.h" static void irdma_ieq_receive(struct irdma_sc_vsi *vsi, struct irdma_puda_buf *buf); @@ -444,6 +445,8 @@ int irdma_puda_send(struct irdma_sc_qp *qp, struct irdma_puda_send_info *info) if (!wqe) return -ENOMEM; + irdma_clr_wqes(qp, wqe_idx); + qp->qp_uk.sq_wrtrk_array[wqe_idx].wrid = (uintptr_t)info->scratch; /* Third line of WQE descriptor */ /* maclen is in words */ -- 2.42.0.windows.2

3 months, 4 weeks

3
2
0 0

Linux 6.12.29

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.29 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ .clippy.toml | 2 Documentation/ABI/testing/sysfs-devices-system-cpu | 1 Documentation/admin-guide/hw-vuln/index.rst | 1 Documentation/admin-guide/hw-vuln/indirect-target-selection.rst | 168 ++++++++ Documentation/admin-guide/kernel-parameters.txt | 18 Makefile | 2 arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 25 - arch/arm64/include/asm/cputype.h | 2 arch/arm64/include/asm/insn.h | 1 arch/arm64/include/asm/spectre.h | 3 arch/arm64/kernel/cpufeature.c | 9 arch/arm64/kernel/proton-pack.c | 13 arch/arm64/lib/insn.c | 60 +- arch/arm64/net/bpf_jit_comp.c | 57 ++ arch/mips/include/asm/ptrace.h | 3 arch/riscv/kernel/traps.c | 64 +-- arch/riscv/kernel/traps_misaligned.c | 17 arch/s390/kernel/entry.S | 3 arch/s390/pci/pci_clp.c | 2 arch/um/include/linux/time-internal.h | 2 arch/um/kernel/skas/syscall.c | 11 arch/x86/Kconfig | 12 arch/x86/entry/entry_64.S | 20 arch/x86/include/asm/alternative.h | 32 + arch/x86/include/asm/cpufeatures.h | 3 arch/x86/include/asm/microcode.h | 2 arch/x86/include/asm/msr-index.h | 8 arch/x86/include/asm/nospec-branch.h | 38 + arch/x86/kernel/alternative.c | 208 +++++++++- arch/x86/kernel/cpu/bugs.c | 176 ++++++++ arch/x86/kernel/cpu/common.c | 72 ++- arch/x86/kernel/cpu/microcode/amd.c | 6 arch/x86/kernel/cpu/microcode/core.c | 58 +- arch/x86/kernel/cpu/microcode/intel.c | 2 arch/x86/kernel/cpu/microcode/internal.h | 1 arch/x86/kernel/ftrace.c | 2 arch/x86/kernel/head32.c | 4 arch/x86/kernel/module.c | 6 arch/x86/kernel/static_call.c | 4 arch/x86/kernel/vmlinux.lds.S | 10 arch/x86/kvm/smm.c | 1 arch/x86/kvm/svm/svm.c | 4 arch/x86/kvm/x86.c | 4 arch/x86/lib/retpoline.S | 39 + arch/x86/mm/tlb.c | 23 + arch/x86/net/bpf_jit_comp.c | 58 ++ drivers/accel/ivpu/ivpu_hw.c | 2 drivers/base/cpu.c | 3 drivers/block/loop.c | 104 +++-- drivers/bluetooth/btmtk.c | 12 drivers/clocksource/i8253.c | 4 drivers/firmware/arm_scmi/driver.c | 13 drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h | 1 drivers/gpu/drm/amd/amdgpu/hdp_v4_0.c | 7 drivers/gpu/drm/amd/amdgpu/hdp_v5_0.c | 7 drivers/gpu/drm/amd/amdgpu/hdp_v5_2.c | 12 drivers/gpu/drm/amd/amdgpu/hdp_v6_0.c | 7 drivers/gpu/drm/amd/amdgpu/hdp_v7_0.c | 7 drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c | 1 drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c | 1 drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 1 drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 4 drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c | 1 drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c | 1 drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c | 3 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 36 - drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 28 + drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c | 14 drivers/gpu/drm/panel/panel-simple.c | 25 - drivers/gpu/drm/v3d/v3d_sched.c | 28 + drivers/gpu/drm/xe/tests/xe_mocs.c | 21 - drivers/gpu/drm/xe/xe_gt_pagefault.c | 11 drivers/iio/accel/adis16201.c | 4 drivers/iio/accel/adxl355_core.c | 2 drivers/iio/accel/adxl367.c | 10 drivers/iio/adc/ad7606_spi.c | 2 drivers/iio/adc/dln2-adc.c | 2 drivers/iio/adc/rockchip_saradc.c | 17 drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c | 2 drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 6 drivers/iio/temperature/maxim_thermocouple.c | 2 drivers/input/joystick/xpad.c | 40 + drivers/input/keyboard/mtk-pmic-keys.c | 4 drivers/input/mouse/synaptics.c | 5 drivers/input/touchscreen/cyttsp5.c | 7 drivers/md/dm-table.c | 3 drivers/net/can/m_can/m_can.c | 3 drivers/net/can/rockchip/rockchip_canfd-core.c | 2 drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 42 +- drivers/net/dsa/b53/b53_common.c | 207 +++++++-- drivers/net/dsa/b53/b53_priv.h | 3 drivers/net/dsa/bcm_sf2.c | 1 drivers/net/ethernet/intel/ice/ice_adapter.c | 39 - drivers/net/ethernet/intel/ice/ice_adapter.h | 6 drivers/net/ethernet/mediatek/mtk_eth_soc.c | 19 drivers/net/ethernet/meta/fbnic/fbnic_csr.h | 2 drivers/net/ethernet/meta/fbnic/fbnic_fw.c | 180 ++++---- drivers/net/ethernet/meta/fbnic/fbnic_mac.c | 6 drivers/net/virtio_net.c | 61 ++ drivers/nvme/host/core.c | 3 drivers/pci/hotplug/s390_pci_hpc.c | 1 drivers/staging/axis-fifo/axis-fifo.c | 14 drivers/staging/iio/adc/ad7816.c | 2 drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c | 1 drivers/usb/cdns3/cdnsp-gadget.c | 31 + drivers/usb/cdns3/cdnsp-gadget.h | 6 drivers/usb/cdns3/cdnsp-pci.c | 12 drivers/usb/cdns3/cdnsp-ring.c | 3 drivers/usb/cdns3/core.h | 3 drivers/usb/class/usbtmc.c | 59 +- drivers/usb/dwc3/core.h | 4 drivers/usb/dwc3/gadget.c | 60 +- drivers/usb/gadget/composite.c | 12 drivers/usb/gadget/function/f_ecm.c | 7 drivers/usb/gadget/udc/tegra-xudc.c | 4 drivers/usb/host/uhci-platform.c | 2 drivers/usb/host/xhci-tegra.c | 3 drivers/usb/misc/onboard_usb_dev.c | 10 drivers/usb/typec/tcpm/tcpm.c | 2 drivers/usb/typec/ucsi/displayport.c | 2 drivers/vfio/pci/vfio_pci_core.c | 12 drivers/xen/swiotlb-xen.c | 1 drivers/xen/xenbus/xenbus.h | 2 drivers/xen/xenbus/xenbus_comms.c | 9 drivers/xen/xenbus/xenbus_dev_frontend.c | 2 drivers/xen/xenbus/xenbus_xs.c | 18 fs/btrfs/volumes.c | 91 ---- fs/erofs/fileio.c | 4 fs/erofs/zdata.c | 31 - fs/namespace.c | 3 fs/ocfs2/journal.c | 80 ++- fs/ocfs2/journal.h | 1 fs/ocfs2/ocfs2.h | 17 fs/ocfs2/quota_local.c | 9 fs/ocfs2/suballoc.c | 38 + fs/ocfs2/suballoc.h | 1 fs/ocfs2/super.c | 3 fs/smb/client/cached_dir.c | 10 fs/smb/server/oplock.c | 7 fs/smb/server/smb2pdu.c | 5 fs/smb/server/vfs.c | 7 fs/smb/server/vfs_cache.c | 33 + fs/userfaultfd.c | 28 + include/linux/cpu.h | 2 include/linux/execmem.h | 3 include/linux/ieee80211.h | 2 include/linux/module.h | 5 include/linux/types.h | 3 include/linux/vmalloc.h | 1 include/net/netdev_queues.h | 6 include/uapi/linux/types.h | 1 init/Kconfig | 3 io_uring/io_uring.c | 58 +- io_uring/sqpoll.c | 2 kernel/params.c | 4 kernel/sched/fair.c | 4 mm/huge_memory.c | 11 mm/internal.h | 27 - mm/memblock.c | 9 mm/page_alloc.c | 159 ++++--- mm/vmalloc.c | 31 + net/can/gw.c | 149 ++++--- net/core/filter.c | 1 net/core/netdev-genl.c | 69 ++- net/ipv6/addrconf.c | 15 net/mac80211/mlme.c | 12 net/netfilter/ipset/ip_set_hash_gen.h | 2 net/netfilter/ipvs/ip_vs_xmit.c | 27 - net/openvswitch/actions.c | 3 net/sched/sch_htb.c | 15 net/wireless/scan.c | 2 rust/bindings/lib.rs | 1 rust/kernel/alloc/kvec.rs | 3 rust/kernel/list.rs | 3 rust/kernel/str.rs | 46 +- rust/macros/module.rs | 19 rust/macros/pinned_drop.rs | 3 rust/uapi/lib.rs | 1 tools/objtool/check.c | 1 tools/testing/selftests/Makefile | 1 tools/testing/selftests/mm/compaction_test.c | 19 tools/testing/selftests/mm/pkey-powerpc.h | 12 tools/testing/selftests/x86/bugs/Makefile | 3 tools/testing/selftests/x86/bugs/common.py | 164 +++++++ tools/testing/selftests/x86/bugs/its_indirect_alignment.py | 150 +++++++ tools/testing/selftests/x86/bugs/its_permutations.py | 109 +++++ tools/testing/selftests/x86/bugs/its_ret_alignment.py | 139 ++++++ tools/testing/selftests/x86/bugs/its_sysfs.py | 65 +++ 188 files changed, 3220 insertions(+), 1086 deletions(-) Aditya Garg (3): Input: synaptics - enable InterTouch on Dynabook Portege X30L-G Input: synaptics - enable InterTouch on Dell Precision M3800 Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 Al Viro (1): do_umount(): add missing barrier before refcount checks in sync case Alex Deucher (5): drm/amdgpu/hdp4: use memcfg register to post the write for HDP flush drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush drm/amdgpu/hdp5: use memcfg register to post the write for HDP flush drm/amdgpu/hdp6: use memcfg register to post the write for HDP flush drm/amdgpu/hdp7: use memcfg register to post the write for HDP flush Alex Williamson (1): vfio/pci: Align huge faults to order Alexander Duyck (6): fbnic: Fix initialization of mailbox descriptor rings fbnic: Gate AXI read/write enabling on FW mailbox fbnic: Actually flush_tx instead of stalling out fbnic: Improve responsiveness of fbnic_mbx_poll_tx_ready fbnic: Pull fbnic_fw_xmit_cap_msg use out of interrupt context fbnic: Do not allow mailbox to toggle to ready outside fbnic_mbx_poll_tx_ready Alexey Charkov (1): usb: uhci-platform: Make the clock really optional Andrei Kuchynski (1): usb: typec: ucsi: displayport: Fix NULL pointer access Andy Shevchenko (1): types: Complement the aligned types with signed 64-bit one Angelo Dureghello (1): iio: adc: ad7606: fix serial register access Antonios Salios (1): can: m_can: m_can_class_allocate_dev(): initialize spin lock on device probe Aurabindo Pillai (1): drm/amd/display: more liberal vmin/vmax update for freesync Borislav Petkov (AMD) (1): x86/microcode: Consolidate the loader enablement checking Christian Lamparter (1): Revert "um: work around sched_yield not yielding in time-travel mode" Christoph Hellwig (2): loop: refactor queue limits updates loop: factor out a loop_assign_backing_file helper Clément Léger (2): riscv: misaligned: factorize trap handling riscv: misaligned: enable IRQs while handling misaligned accesses Cong Wang (1): sch_htb: make htb_deactivate() idempotent Cristian Marussi (1): firmware: arm_scmi: Fix timeout checks on polling path Dan Carpenter (1): dm: add missing unlock on in dm_keyslot_evict() Daniel Golle (1): net: ethernet: mtk_eth_soc: reset all TX queues on DMA free Daniel Sneddon (2): x86/bpf: Call branch history clearing sequence on exit x86/bpf: Add IBHF call at end of classic BPF Daniel Wagner (1): nvme: unblock ctrl state transition for firmware update Dave Hansen (1): x86/mm: Eliminate window where TLB flushes may be inadvertently skipped Dave Penkler (3): usb: usbtmc: Fix erroneous get_stb ioctl error returns usb: usbtmc: Fix erroneous wait_srq ioctl return usb: usbtmc: Fix erroneous generic_read ioctl return Dave Stevenson (1): staging: bcm2835-camera: Initialise dev in v4l2_dev David Lechner (1): iio: imu: inv_mpu6050: align buffer for timestamp Dmitry Antipov (1): module: ensure that kobject_put() is safe for module type kobjects Dmitry Torokhov (1): Input: synaptics - enable SMBus for HP Elitebook 850 G1 Eelco Chaudron (1): openvswitch: Fix unsafe attribute parsing in output_userspace() Eric Biggers (1): x86/its: Fix build errors when CONFIG_MODULES=n Feng Tang (1): selftests/mm: compaction_test: support platform with huge mount of memory Frank Wunderlich (1): net: ethernet: mtk_eth_soc: do not reset PSE when setting FE Gabriel Krisman Bertazi (1): io_uring/sqpoll: Increase task_work submission batch size Gabriel Shahrouzi (4): staging: iio: adc: ad7816: Correct conditional logic for store mode staging: axis-fifo: Remove hardware resets for user errors staging: axis-fifo: Correct handling of tx_fifo_depth for size validation iio: adis16201: Correct inclinometer channel resolution Gao Xiang (1): erofs: ensure the extra temporary copy is valid for shortened bvecs Gary Bisson (1): Input: mtk-pmic-keys - fix possible null pointer dereference Gavin Guo (1): mm/huge_memory: fix dereferencing invalid pmd migration entry Greg Kroah-Hartman (1): Linux 6.12.29 Guillaume Nault (1): gre: Fix again IPv6 link-local address generation. Hao Qin (2): Bluetooth: btmtk: Remove resetting mt7921 before downloading the fw Bluetooth: btmtk: Remove the resetting step before downloading the fw Heiko Carstens (1): s390/entry: Fix last breaking event handling in case of stack corruption Heming Zhao (1): ocfs2: fix the issue with discontiguous allocation in the global_bitmap Himal Prasad Ghimiray (1): drm/xe/tests/mocs: Update xe_force_wake_get() return handling Hugo Villeneuve (1): Input: cyttsp5 - ensure minimum reset pulse width Jacek Lawrynowicz (1): accel/ivpu: Increase state dump msg timeout Jakub Kicinski (3): virtio-net: free xsk_buffs on error in virtnet_xsk_pool_enable() net: export a helper for adding up queue stats virtio-net: fix total qstat values James Morse (6): arm64: insn: Add support for encoding DSB arm64: proton-pack: Expose whether the platform is mitigated by firmware arm64: proton-pack: Expose whether the branchy loop k value arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users arm64: proton-pack: Add new CPUs 'k' values for branch mitigation Jan Kara (3): ocfs2: switch osb->disable_recovery to enum ocfs2: implement handshaking with ocfs2 recovery thread ocfs2: stop quota recovery before disabling quotas Jason Andryuk (1): xenbus: Use kref to track req lifetime Jens Axboe (2): io_uring: ensure deferred completions are flushed for multishot io_uring: always arm linked timeouts prior to issue Jim Lin (1): usb: host: tegra: Prevent host controller crash when OTG port is used Johannes Weiner (2): mm: page_alloc: don't steal single pages from biggest buddy mm: page_alloc: speed up fallbacks in rmqueue_bulk() John Ernberg (1): xen: swiotlb: Use swiotlb bouncing if kmalloc allocation demands it John Garry (2): loop: Use bdev limit helpers for configuring discard loop: Simplify discard granularity calc Jonas Gorski (11): net: dsa: b53: allow leaky reserved multicast net: dsa: b53: keep CPU port always tagged again net: dsa: b53: fix clearing PVID of a port net: dsa: b53: fix flushing old pvid VLAN on pvid change net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave net: dsa: b53: always rejoin default untagged VLAN on bridge leave net: dsa: b53: do not allow to configure VLAN 0 net: dsa: b53: do not program vlans when vlan filtering is off net: dsa: b53: fix toggling vlan_filtering net: dsa: b53: fix learning on VLAN unaware bridges net: dsa: b53: do not set learning and unicast/multicast on up Jonathan Cameron (3): iio: temp: maxim-thermocouple: Fix potential lack of DMA safe buffer. iio: accel: adxl355: Make timestamp 64-bit aligned using aligned_s64 iio: adc: dln2: Use aligned_s64 for timestamp Jozsef Kadlecsik (1): netfilter: ipset: fix region locking in hash types Julian Anastasov (1): ipvs: fix uninit-value for saddr in do_output_route4 Kees Cook (1): mm: vmalloc: support more granular vrealloc() sizing Kelsey Maes (1): can: mcp251xfd: fix TDC setting for low data bit rates Kevin Baker (1): drm/panel: simple: Update timings for AUO G101EVN010 Lizhi Xu (1): loop: Add sanity check for read/write_iter Lode Willems (1): Input: xpad - add support for 8BitDo Ultimate 2 Wireless Controller Lothar Rubusch (1): iio: accel: adxl367: fix setting odr for activity time update Lukasz Czechowski (1): usb: misc: onboard_usb_dev: fix support for Cypress HX3 hubs Manuel Fombuena (1): Input: synaptics - enable InterTouch on Dynabook Portege X30-D Marc Kleine-Budde (3): can: mcan: m_can_class_unregister(): fix order of unregistration calls can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls can: rockchip_canfd: rkcanfd_remove(): fix order of unregistration calls Matthew Brost (1): drm/xe: Add page queue multiplier Max Kellermann (1): fs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio() Maíra Canal (1): drm/v3d: Add job to pending list if the reset was skipped Michael-CY Lee (1): wifi: mac80211: fix the type of status_code for negotiated TID to Link Mapping Miguel Ojeda (5): rust: clean Rust 1.88.0's `unnecessary_transmutes` lint objtool/rust: add one more `noreturn` Rust function for Rust 1.87.0 rust: clean Rust 1.88.0's warning about `clippy::disallowed_macros` configuration rust: allow Rust 1.87.0's `clippy::ptr_eq` lint rust: clean Rust 1.88.0's `clippy::uninlined_format_args` lint Mikael Gonella-Bolduc (1): Input: cyttsp5 - fix power control issue on wakeup Mikhail Lobanov (1): KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception Namjae Jeon (1): ksmbd: prevent rename with empty string Niklas Schnelle (2): s390/pci: Fix missing check for zpci_create_device() error return s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs Norbert Szetei (1): ksmbd: prevent out-of-bounds stream writes by validating *pos Nylon Chen (1): riscv: misaligned: Add handling for ZCB instructions Nysal Jan K.A. (1): selftests/mm: fix a build failure on powerpc OGAWA Hirofumi (1): loop: Fix ABBA locking race Oliver Hartkopp (1): can: gw: fix RCU/BH usage in cgw_create_job() Oliver Neukum (1): USB: usbtmc: use interruptible sleep in usbtmc_read Omar Sandoval (1): sched/eevdf: Fix se->slice being set to U64_MAX and resulting crash Paul Aurich (1): smb: client: Avoid race in open_cached_dir with lease breaks Paul Chaignon (1): bpf: Scrub packet on bpf_redirect_peer Pawan Gupta (14): x86/bhi: Do not set BHI_DIS_S in 32-bit mode x86/speculation: Simplify and make CALL_NOSPEC consistent x86/speculation: Add a conditional CS prefix to CALL_NOSPEC x86/speculation: Remove the extra #ifdef around CALL_NOSPEC Documentation: x86/bugs/its: Add ITS documentation x86/its: Enumerate Indirect Target Selection (ITS) bug x86/its: Add support for ITS-safe indirect thunk x86/its: Add support for ITS-safe return thunk x86/its: Enable Indirect Target Selection mitigation x86/its: Add "vmexit" option to skip mitigation on some CPUs x86/its: Add support for RSB stuffing mitigation x86/its: Align RETs in BHB clear sequence to avoid thunking x86/ibt: Keep IBT disabled during alternative patching selftest/x86/bugs: Add selftests for ITS Pawel Laszczak (2): usb: cdnsp: Fix issue with resuming from L1 usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version Peter Xu (1): mm/userfaultfd: fix uninitialized output field for -EAGAIN race Peter Zijlstra (2): x86/its: Use dynamic thunks for indirect branches x86/its: FineIBT-paranoid vs ITS Petr Vaněk (1): mm: fix folio_pte_batch() on XEN PV Prashanth K (3): usb: dwc3: gadget: Make gadget_wakeup asynchronous usb: gadget: f_ecm: Add get_status callback usb: gadget: Use get_status callback to set remote wakeup capability Przemek Kitszel (1): ice: use DSN instead of PCI BDF for ice_adapter index Qu Wenruo (1): Revert "btrfs: canonicalize the device path before adding it" RD Babiera (1): usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition Roman Li (1): drm/amd/display: Fix invalid context error in dml helper Ruijing Dong (1): drm/amdgpu/vcn: using separate VCN1_AON_SOC offset Sean Heelan (1): ksmbd: Fix UAF in __close_file_table_ids Sebastian Andrzej Siewior (1): clocksource/i8253: Use raw_spinlock_irqsave() in clockevent_i8253_disable() Sergey Temerkhanov (1): ice: Initial support for E825C hardware in ice_adapter Silvano Seva (2): iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo Simon Xue (1): iio: adc: rockchip: Fix clock initialization sequence Tejas Upadhyay (1): drm/xe/tests/mocs: Hold XE_FORCEWAKE_ALL for LNCF regs Thorsten Blum (1): MIPS: Fix MAX_REG_OFFSET Tom Lendacky (1): memblock: Accept allocated memory before use in memblock_double_array() Veerendranath Jakkam (1): wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation Vicki Pfau (2): Input: xpad - fix Share button on Xbox One controllers Input: xpad - fix two controller table values Wang Zhaolong (1): ksmbd: fix memory leak in parse_lease_state() Wayne Chang (1): usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN Wayne Lin (5): drm/amd/display: Shift DMUB AUX reply command if necessary drm/amd/display: Fix the checking condition in dmub aux handling drm/amd/display: Remove incorrect checking in dmub aux handler drm/amd/display: Fix wrong handling for AUX_DEFER case drm/amd/display: Copy AUX read reply data whenever length > 0 Wojciech Dubowik (1): arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 Xuan Zhuo (1): virtio_net: xsk: bind/unbind xsk for tx Yeoreum Yun (1): arm64: cpufeature: Move arm64_use_ng_mappings to the .data section to prevent wrong idmap generation

3 months, 4 weeks

1
1
0 0

Linux 6.6.91

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.91 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/ABI/testing/sysfs-devices-system-cpu | 1 Documentation/admin-guide/hw-vuln/index.rst | 1 Documentation/admin-guide/hw-vuln/indirect-target-selection.rst | 168 +++++++ Documentation/admin-guide/kernel-parameters.txt | 18 Makefile | 2 arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 25 - arch/arm64/include/asm/cputype.h | 2 arch/arm64/include/asm/insn.h | 1 arch/arm64/include/asm/spectre.h | 3 arch/arm64/kernel/proton-pack.c | 13 arch/arm64/lib/insn.c | 60 +- arch/arm64/net/bpf_jit_comp.c | 57 ++ arch/mips/include/asm/ptrace.h | 3 arch/x86/Kconfig | 11 arch/x86/entry/entry_64.S | 20 arch/x86/include/asm/alternative.h | 32 + arch/x86/include/asm/cpufeatures.h | 3 arch/x86/include/asm/microcode.h | 2 arch/x86/include/asm/msr-index.h | 8 arch/x86/include/asm/nospec-branch.h | 44 +- arch/x86/kernel/alternative.c | 215 +++++++++- arch/x86/kernel/cpu/bugs.c | 178 ++++++++ arch/x86/kernel/cpu/common.c | 72 ++- arch/x86/kernel/cpu/microcode/amd.c | 6 arch/x86/kernel/cpu/microcode/core.c | 58 +- arch/x86/kernel/cpu/microcode/intel.c | 2 arch/x86/kernel/cpu/microcode/internal.h | 1 arch/x86/kernel/ftrace.c | 2 arch/x86/kernel/head32.c | 4 arch/x86/kernel/module.c | 7 arch/x86/kernel/static_call.c | 4 arch/x86/kernel/vmlinux.lds.S | 10 arch/x86/kvm/x86.c | 4 arch/x86/lib/retpoline.S | 39 + arch/x86/mm/tlb.c | 23 - arch/x86/net/bpf_jit_comp.c | 61 ++ drivers/base/cpu.c | 3 drivers/clocksource/i8253.c | 4 drivers/gpu/drm/amd/amdgpu/hdp_v4_0.c | 7 drivers/gpu/drm/amd/amdgpu/hdp_v5_0.c | 7 drivers/gpu/drm/amd/amdgpu/hdp_v5_2.c | 12 drivers/gpu/drm/amd/amdgpu/hdp_v6_0.c | 7 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 36 - drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 28 + drivers/gpu/drm/panel/panel-simple.c | 25 - drivers/gpu/drm/v3d/v3d_sched.c | 28 - drivers/iio/accel/adis16201.c | 4 drivers/iio/accel/adxl355_core.c | 2 drivers/iio/accel/adxl367.c | 10 drivers/iio/adc/ad7606_spi.c | 2 drivers/iio/adc/dln2-adc.c | 2 drivers/iio/adc/rockchip_saradc.c | 17 drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 6 drivers/iio/temperature/maxim_thermocouple.c | 2 drivers/input/joystick/xpad.c | 40 + drivers/input/keyboard/mtk-pmic-keys.c | 4 drivers/input/mouse/synaptics.c | 5 drivers/input/touchscreen/cyttsp5.c | 7 drivers/md/dm-table.c | 3 drivers/net/can/m_can/m_can.c | 2 drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 42 + drivers/net/dsa/b53/b53_common.c | 36 + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 16 drivers/nvme/host/core.c | 3 drivers/staging/axis-fifo/axis-fifo.c | 14 drivers/staging/iio/adc/ad7816.c | 2 drivers/usb/cdns3/cdnsp-gadget.c | 31 + drivers/usb/cdns3/cdnsp-gadget.h | 6 drivers/usb/cdns3/cdnsp-pci.c | 12 drivers/usb/cdns3/cdnsp-ring.c | 3 drivers/usb/cdns3/core.h | 3 drivers/usb/class/usbtmc.c | 59 +- drivers/usb/gadget/composite.c | 12 drivers/usb/gadget/function/f_ecm.c | 7 drivers/usb/gadget/udc/tegra-xudc.c | 4 drivers/usb/host/uhci-platform.c | 2 drivers/usb/host/xhci-tegra.c | 3 drivers/usb/typec/tcpm/tcpm.c | 2 drivers/usb/typec/ucsi/displayport.c | 2 drivers/xen/swiotlb-xen.c | 1 drivers/xen/xenbus/xenbus.h | 2 drivers/xen/xenbus/xenbus_comms.c | 9 drivers/xen/xenbus/xenbus_dev_frontend.c | 2 drivers/xen/xenbus/xenbus_xs.c | 18 fs/namespace.c | 3 fs/ocfs2/journal.c | 80 ++- fs/ocfs2/journal.h | 1 fs/ocfs2/ocfs2.h | 17 fs/ocfs2/quota_local.c | 9 fs/ocfs2/super.c | 3 fs/smb/client/cached_dir.c | 10 fs/smb/server/oplock.c | 7 fs/smb/server/smb2pdu.c | 5 fs/smb/server/vfs.c | 7 fs/smb/server/vfs_cache.c | 33 + include/linux/cpu.h | 2 include/linux/module.h | 5 include/linux/netdevice.h | 13 include/linux/types.h | 3 include/uapi/linux/types.h | 1 io_uring/io_uring.c | 61 +- kernel/params.c | 4 net/can/gw.c | 149 ++++-- net/core/filter.c | 1 net/ipv6/addrconf.c | 15 net/netfilter/ipset/ip_set_hash_gen.h | 2 net/netfilter/ipvs/ip_vs_xmit.c | 27 - net/openvswitch/actions.c | 3 net/sched/sch_htb.c | 15 net/wireless/scan.c | 2 110 files changed, 1709 insertions(+), 483 deletions(-) Aditya Garg (3): Input: synaptics - enable InterTouch on Dynabook Portege X30L-G Input: synaptics - enable InterTouch on Dell Precision M3800 Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 Al Viro (1): do_umount(): add missing barrier before refcount checks in sync case Alex Deucher (4): drm/amdgpu/hdp4: use memcfg register to post the write for HDP flush drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush drm/amdgpu/hdp5: use memcfg register to post the write for HDP flush drm/amdgpu/hdp6: use memcfg register to post the write for HDP flush Alexander Lobakin (1): netdevice: add netdev_tx_reset_subqueue() shorthand Alexey Charkov (1): usb: uhci-platform: Make the clock really optional Andrei Kuchynski (1): usb: typec: ucsi: displayport: Fix NULL pointer access Andy Shevchenko (1): types: Complement the aligned types with signed 64-bit one Angelo Dureghello (1): iio: adc: ad7606: fix serial register access Aurabindo Pillai (1): drm/amd/display: more liberal vmin/vmax update for freesync Borislav Petkov (AMD) (1): x86/microcode: Consolidate the loader enablement checking Cong Wang (1): sch_htb: make htb_deactivate() idempotent Dan Carpenter (1): dm: add missing unlock on in dm_keyslot_evict() Daniel Golle (1): net: ethernet: mtk_eth_soc: reset all TX queues on DMA free Daniel Sneddon (2): x86/bpf: Call branch history clearing sequence on exit x86/bpf: Add IBHF call at end of classic BPF Daniel Wagner (1): nvme: unblock ctrl state transition for firmware update Dave Hansen (1): x86/mm: Eliminate window where TLB flushes may be inadvertently skipped Dave Penkler (3): usb: usbtmc: Fix erroneous get_stb ioctl error returns usb: usbtmc: Fix erroneous wait_srq ioctl return usb: usbtmc: Fix erroneous generic_read ioctl return Dmitry Antipov (1): module: ensure that kobject_put() is safe for module type kobjects Dmitry Torokhov (1): Input: synaptics - enable SMBus for HP Elitebook 850 G1 Eelco Chaudron (1): openvswitch: Fix unsafe attribute parsing in output_userspace() Eric Biggers (1): x86/its: Fix build errors when CONFIG_MODULES=n Gabriel Shahrouzi (4): staging: iio: adc: ad7816: Correct conditional logic for store mode staging: axis-fifo: Remove hardware resets for user errors staging: axis-fifo: Correct handling of tx_fifo_depth for size validation iio: adis16201: Correct inclinometer channel resolution Gary Bisson (1): Input: mtk-pmic-keys - fix possible null pointer dereference Greg Kroah-Hartman (1): Linux 6.6.91 Guillaume Nault (1): gre: Fix again IPv6 link-local address generation. Hugo Villeneuve (1): Input: cyttsp5 - ensure minimum reset pulse width James Morse (6): arm64: insn: Add support for encoding DSB arm64: proton-pack: Expose whether the platform is mitigated by firmware arm64: proton-pack: Expose whether the branchy loop k value arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users arm64: proton-pack: Add new CPUs 'k' values for branch mitigation Jan Kara (3): ocfs2: switch osb->disable_recovery to enum ocfs2: implement handshaking with ocfs2 recovery thread ocfs2: stop quota recovery before disabling quotas Jason Andryuk (1): xenbus: Use kref to track req lifetime Jens Axboe (2): io_uring: always arm linked timeouts prior to issue io_uring: ensure deferred completions are posted for multishot Jim Lin (1): usb: host: tegra: Prevent host controller crash when OTG port is used John Ernberg (1): xen: swiotlb: Use swiotlb bouncing if kmalloc allocation demands it Jonas Gorski (6): net: dsa: b53: allow leaky reserved multicast net: dsa: b53: fix clearing PVID of a port net: dsa: b53: fix flushing old pvid VLAN on pvid change net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave net: dsa: b53: always rejoin default untagged VLAN on bridge leave net: dsa: b53: fix learning on VLAN unaware bridges Jonathan Cameron (3): iio: temp: maxim-thermocouple: Fix potential lack of DMA safe buffer. iio: accel: adxl355: Make timestamp 64-bit aligned using aligned_s64 iio: adc: dln2: Use aligned_s64 for timestamp Jozsef Kadlecsik (1): netfilter: ipset: fix region locking in hash types Julian Anastasov (1): ipvs: fix uninit-value for saddr in do_output_route4 Kelsey Maes (1): can: mcp251xfd: fix TDC setting for low data bit rates Kevin Baker (1): drm/panel: simple: Update timings for AUO G101EVN010 Lode Willems (1): Input: xpad - add support for 8BitDo Ultimate 2 Wireless Controller Lothar Rubusch (1): iio: accel: adxl367: fix setting odr for activity time update Manuel Fombuena (1): Input: synaptics - enable InterTouch on Dynabook Portege X30-D Marc Kleine-Budde (2): can: mcan: m_can_class_unregister(): fix order of unregistration calls can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls Maíra Canal (1): drm/v3d: Add job to pending list if the reset was skipped Mikael Gonella-Bolduc (1): Input: cyttsp5 - fix power control issue on wakeup Namjae Jeon (1): ksmbd: prevent rename with empty string Norbert Szetei (1): ksmbd: prevent out-of-bounds stream writes by validating *pos Oliver Hartkopp (1): can: gw: fix RCU/BH usage in cgw_create_job() Oliver Neukum (1): USB: usbtmc: use interruptible sleep in usbtmc_read Paul Aurich (1): smb: client: Avoid race in open_cached_dir with lease breaks Paul Chaignon (1): bpf: Scrub packet on bpf_redirect_peer Pawan Gupta (13): x86/bhi: Do not set BHI_DIS_S in 32-bit mode x86/speculation: Simplify and make CALL_NOSPEC consistent x86/speculation: Add a conditional CS prefix to CALL_NOSPEC x86/speculation: Remove the extra #ifdef around CALL_NOSPEC Documentation: x86/bugs/its: Add ITS documentation x86/its: Enumerate Indirect Target Selection (ITS) bug x86/its: Add support for ITS-safe indirect thunk x86/its: Add support for ITS-safe return thunk x86/its: Enable Indirect Target Selection mitigation x86/its: Add "vmexit" option to skip mitigation on some CPUs x86/its: Add support for RSB stuffing mitigation x86/its: Align RETs in BHB clear sequence to avoid thunking x86/ibt: Keep IBT disabled during alternative patching Pawel Laszczak (2): usb: cdnsp: Fix issue with resuming from L1 usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version Peter Zijlstra (2): x86/its: Use dynamic thunks for indirect branches x86/its: FineIBT-paranoid vs ITS Prashanth K (2): usb: gadget: f_ecm: Add get_status callback usb: gadget: Use get_status callback to set remote wakeup capability RD Babiera (1): usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition Sean Heelan (1): ksmbd: Fix UAF in __close_file_table_ids Sebastian Andrzej Siewior (1): clocksource/i8253: Use raw_spinlock_irqsave() in clockevent_i8253_disable() Silvano Seva (2): iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo Simon Xue (1): iio: adc: rockchip: Fix clock initialization sequence Thorsten Blum (1): MIPS: Fix MAX_REG_OFFSET Veerendranath Jakkam (1): wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation Vicki Pfau (2): Input: xpad - fix Share button on Xbox One controllers Input: xpad - fix two controller table values Wang Zhaolong (1): ksmbd: fix memory leak in parse_lease_state() Wayne Chang (1): usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN Wayne Lin (5): drm/amd/display: Shift DMUB AUX reply command if necessary drm/amd/display: Fix the checking condition in dmub aux handling drm/amd/display: Remove incorrect checking in dmub aux handler drm/amd/display: Fix wrong handling for AUX_DEFER case drm/amd/display: Copy AUX read reply data whenever length > 0 Wojciech Dubowik (1): arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2

3 months, 4 weeks

1
1
0 0

Linux 6.1.139

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.139 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/ABI/testing/sysfs-devices-system-cpu | 1 Documentation/admin-guide/hw-vuln/index.rst | 1 Documentation/admin-guide/hw-vuln/indirect-target-selection.rst | 156 ++++++ Documentation/admin-guide/kernel-parameters.txt | 15 Makefile | 2 arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 25 - arch/arm64/include/asm/cputype.h | 2 arch/arm64/include/asm/insn.h | 1 arch/arm64/include/asm/spectre.h | 3 arch/arm64/kernel/proton-pack.c | 13 arch/arm64/lib/insn.c | 60 +- arch/arm64/net/bpf_jit_comp.c | 57 ++ arch/mips/include/asm/ptrace.h | 3 arch/x86/Kconfig | 11 arch/x86/entry/entry_64.S | 20 arch/x86/include/asm/alternative.h | 32 + arch/x86/include/asm/cpufeatures.h | 3 arch/x86/include/asm/msr-index.h | 8 arch/x86/include/asm/nospec-branch.h | 38 + arch/x86/kernel/alternative.c | 248 +++++++++- arch/x86/kernel/cpu/bugs.c | 144 +++++ arch/x86/kernel/cpu/common.c | 72 ++ arch/x86/kernel/ftrace.c | 2 arch/x86/kernel/module.c | 7 arch/x86/kernel/static_call.c | 2 arch/x86/kernel/vmlinux.lds.S | 10 arch/x86/kvm/x86.c | 4 arch/x86/lib/retpoline.S | 39 + arch/x86/mm/tlb.c | 23 arch/x86/net/bpf_jit_comp.c | 60 ++ drivers/base/cpu.c | 8 drivers/gpu/drm/amd/amdgpu/hdp_v5_2.c | 12 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 20 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 28 - drivers/gpu/drm/panel/panel-simple.c | 25 - drivers/gpu/drm/v3d/v3d_sched.c | 28 - drivers/iio/accel/adis16201.c | 4 drivers/iio/accel/adxl355_core.c | 2 drivers/iio/accel/adxl367.c | 10 drivers/iio/adc/ad7606_spi.c | 2 drivers/iio/adc/dln2-adc.c | 2 drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 6 drivers/iio/temperature/maxim_thermocouple.c | 2 drivers/input/keyboard/mtk-pmic-keys.c | 4 drivers/input/mouse/synaptics.c | 5 drivers/md/dm-table.c | 3 drivers/net/can/m_can/m_can.c | 2 drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 42 + drivers/net/dsa/b53/b53_common.c | 36 - drivers/net/phy/microchip.c | 46 + drivers/nvme/host/core.c | 3 drivers/staging/axis-fifo/axis-fifo.c | 14 drivers/staging/iio/adc/ad7816.c | 2 drivers/usb/cdns3/cdnsp-gadget.c | 31 + drivers/usb/cdns3/cdnsp-gadget.h | 6 drivers/usb/cdns3/cdnsp-pci.c | 12 drivers/usb/cdns3/cdnsp-ring.c | 3 drivers/usb/cdns3/core.h | 3 drivers/usb/class/usbtmc.c | 59 +- drivers/usb/gadget/udc/tegra-xudc.c | 4 drivers/usb/host/uhci-platform.c | 2 drivers/usb/host/xhci-tegra.c | 3 drivers/usb/typec/tcpm/tcpm.c | 2 drivers/usb/typec/ucsi/displayport.c | 2 drivers/xen/xenbus/xenbus.h | 2 drivers/xen/xenbus/xenbus_comms.c | 9 drivers/xen/xenbus/xenbus_dev_frontend.c | 2 drivers/xen/xenbus/xenbus_xs.c | 18 fs/namespace.c | 3 fs/ocfs2/journal.c | 80 ++- fs/ocfs2/journal.h | 1 fs/ocfs2/ocfs2.h | 17 fs/ocfs2/quota_local.c | 9 fs/ocfs2/super.c | 3 fs/smb/server/oplock.c | 7 fs/smb/server/vfs.c | 7 include/linux/cpu.h | 2 include/linux/module.h | 5 include/linux/rcupdate.h | 3 include/linux/types.h | 3 include/net/flow.h | 3 include/net/route.h | 6 include/uapi/linux/types.h | 1 io_uring/io_uring.c | 61 -- kernel/params.c | 4 net/can/gw.c | 149 +++--- net/core/filter.c | 1 net/ipv6/addrconf.c | 15 net/netfilter/ipset/ip_set_hash_gen.h | 2 net/netfilter/ipvs/ip_vs_xmit.c | 29 - net/openvswitch/actions.c | 3 net/sched/sch_htb.c | 15 net/sctp/protocol.c | 4 93 files changed, 1571 insertions(+), 388 deletions(-) Aditya Garg (3): Input: synaptics - enable InterTouch on Dynabook Portege X30L-G Input: synaptics - enable InterTouch on Dell Precision M3800 Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 Al Viro (1): do_umount(): add missing barrier before refcount checks in sync case Alex Deucher (1): drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush Alexey Charkov (1): usb: uhci-platform: Make the clock really optional Andrei Kuchynski (1): usb: typec: ucsi: displayport: Fix NULL pointer access Andy Shevchenko (1): types: Complement the aligned types with signed 64-bit one Angelo Dureghello (1): iio: adc: ad7606: fix serial register access Borislav Petkov (AMD) (1): x86/alternative: Optimize returns patching Cong Wang (1): sch_htb: make htb_deactivate() idempotent Dan Carpenter (1): dm: add missing unlock on in dm_keyslot_evict() Daniel Sneddon (2): x86/bpf: Call branch history clearing sequence on exit x86/bpf: Add IBHF call at end of classic BPF Daniel Wagner (1): nvme: unblock ctrl state transition for firmware update Dave Hansen (1): x86/mm: Eliminate window where TLB flushes may be inadvertently skipped Dave Penkler (3): usb: usbtmc: Fix erroneous get_stb ioctl error returns usb: usbtmc: Fix erroneous wait_srq ioctl return usb: usbtmc: Fix erroneous generic_read ioctl return Dmitry Antipov (1): module: ensure that kobject_put() is safe for module type kobjects Dmitry Torokhov (1): Input: synaptics - enable SMBus for HP Elitebook 850 G1 Eelco Chaudron (1): openvswitch: Fix unsafe attribute parsing in output_userspace() Eric Biggers (1): x86/its: Fix build errors when CONFIG_MODULES=n Gabriel Shahrouzi (4): staging: iio: adc: ad7816: Correct conditional logic for store mode staging: axis-fifo: Remove hardware resets for user errors staging: axis-fifo: Correct handling of tx_fifo_depth for size validation iio: adis16201: Correct inclinometer channel resolution Gary Bisson (1): Input: mtk-pmic-keys - fix possible null pointer dereference Greg Kroah-Hartman (2): Revert "net: phy: microchip: force IRQ polling mode for lan88xx" Linux 6.1.139 Guillaume Nault (2): gre: Fix again IPv6 link-local address generation. ipv4: Drop tos parameter from flowi4_update_output() James Morse (6): arm64: insn: Add support for encoding DSB arm64: proton-pack: Expose whether the platform is mitigated by firmware arm64: proton-pack: Expose whether the branchy loop k value arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users arm64: proton-pack: Add new CPUs 'k' values for branch mitigation Jan Kara (3): ocfs2: switch osb->disable_recovery to enum ocfs2: implement handshaking with ocfs2 recovery thread ocfs2: stop quota recovery before disabling quotas Jason Andryuk (1): xenbus: Use kref to track req lifetime Jens Axboe (2): io_uring: always arm linked timeouts prior to issue io_uring: ensure deferred completions are posted for multishot Jim Lin (1): usb: host: tegra: Prevent host controller crash when OTG port is used Jonas Gorski (6): net: dsa: b53: allow leaky reserved multicast net: dsa: b53: fix clearing PVID of a port net: dsa: b53: fix flushing old pvid VLAN on pvid change net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave net: dsa: b53: always rejoin default untagged VLAN on bridge leave net: dsa: b53: fix learning on VLAN unaware bridges Jonathan Cameron (3): iio: temp: maxim-thermocouple: Fix potential lack of DMA safe buffer. iio: accel: adxl355: Make timestamp 64-bit aligned using aligned_s64 iio: adc: dln2: Use aligned_s64 for timestamp Josh Poimboeuf (1): x86/alternatives: Remove faulty optimization Jozsef Kadlecsik (1): netfilter: ipset: fix region locking in hash types Julian Anastasov (1): ipvs: fix uninit-value for saddr in do_output_route4 Kelsey Maes (1): can: mcp251xfd: fix TDC setting for low data bit rates Kevin Baker (1): drm/panel: simple: Update timings for AUO G101EVN010 Lothar Rubusch (1): iio: accel: adxl367: fix setting odr for activity time update Manuel Fombuena (1): Input: synaptics - enable InterTouch on Dynabook Portege X30-D Marc Kleine-Budde (2): can: mcan: m_can_class_unregister(): fix order of unregistration calls can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls Maíra Canal (1): drm/v3d: Add job to pending list if the reset was skipped Norbert Szetei (1): ksmbd: prevent out-of-bounds stream writes by validating *pos Oliver Hartkopp (1): can: gw: fix RCU/BH usage in cgw_create_job() Oliver Neukum (1): USB: usbtmc: use interruptible sleep in usbtmc_read Paul Chaignon (1): bpf: Scrub packet on bpf_redirect_peer Pawan Gupta (12): x86/bhi: Do not set BHI_DIS_S in 32-bit mode x86/speculation: Simplify and make CALL_NOSPEC consistent x86/speculation: Add a conditional CS prefix to CALL_NOSPEC x86/speculation: Remove the extra #ifdef around CALL_NOSPEC Documentation: x86/bugs/its: Add ITS documentation x86/its: Enumerate Indirect Target Selection (ITS) bug x86/its: Add support for ITS-safe indirect thunk x86/its: Add support for ITS-safe return thunk x86/its: Enable Indirect Target Selection mitigation x86/its: Add "vmexit" option to skip mitigation on some CPUs x86/its: Align RETs in BHB clear sequence to avoid thunking x86/ibt: Keep IBT disabled during alternative patching Pawel Laszczak (2): usb: cdnsp: Fix issue with resuming from L1 usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version Peter Zijlstra (2): x86/its: Use dynamic thunks for indirect branches x86/its: FineIBT-paranoid vs ITS RD Babiera (1): usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition Silvano Seva (2): iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo Thorsten Blum (1): MIPS: Fix MAX_REG_OFFSET Uladzislau Rezki (Sony) (1): rcu/kvfree: Add kvfree_rcu_mightsleep() and kfree_rcu_mightsleep() Wang Zhaolong (1): ksmbd: fix memory leak in parse_lease_state() Wayne Chang (1): usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN Wayne Lin (5): drm/amd/display: Shift DMUB AUX reply command if necessary drm/amd/display: Fix the checking condition in dmub aux handling drm/amd/display: Remove incorrect checking in dmub aux handler drm/amd/display: Fix wrong handling for AUX_DEFER case drm/amd/display: Copy AUX read reply data whenever length > 0 Wojciech Dubowik (1): arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2

3 months, 4 weeks

1
1
0 0

Linux 5.15.183

by Greg Kroah-Hartman

I'm announcing the release of the 5.15.183 kernel. All users of the 5.15 kernel series must upgrade. The updated 5.15.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.15.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/mips/include/asm/ptrace.h | 3 arch/x86/kernel/cpu/bugs.c | 5 arch/x86/kernel/cpu/common.c | 9 arch/x86/mm/tlb.c | 23 + arch/x86/net/bpf_jit_comp.c | 52 +++ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 28 +- drivers/gpu/drm/panel/panel-simple.c | 25 - drivers/iio/accel/adis16201.c | 4 drivers/iio/adc/ad7606_spi.c | 2 drivers/iio/adc/dln2-adc.c | 2 drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 6 drivers/input/mouse/synaptics.c | 5 drivers/net/can/m_can/m_can.c | 2 drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 2 drivers/net/dsa/b53/b53_common.c | 36 +- drivers/net/phy/microchip.c | 46 +++ drivers/nvme/host/core.c | 3 drivers/staging/axis-fifo/axis-fifo.c | 14 - drivers/staging/iio/adc/ad7816.c | 2 drivers/usb/cdns3/cdnsp-gadget.c | 31 ++ drivers/usb/cdns3/cdnsp-gadget.h | 6 drivers/usb/cdns3/cdnsp-pci.c | 12 drivers/usb/cdns3/cdnsp-ring.c | 3 drivers/usb/cdns3/core.h | 3 drivers/usb/class/usbtmc.c | 59 ++-- drivers/usb/gadget/udc/tegra-xudc.c | 4 drivers/usb/host/uhci-platform.c | 2 drivers/usb/host/xhci-tegra.c | 3 drivers/usb/typec/tcpm/tcpm.c | 2 drivers/usb/typec/ucsi/displayport.c | 2 drivers/xen/xenbus/xenbus.h | 2 drivers/xen/xenbus/xenbus_comms.c | 9 drivers/xen/xenbus/xenbus_dev_frontend.c | 2 drivers/xen/xenbus/xenbus_xs.c | 18 + fs/namespace.c | 3 fs/ocfs2/journal.c | 80 ++++- fs/ocfs2/journal.h | 1 fs/ocfs2/ocfs2.h | 17 + fs/ocfs2/quota_local.c | 9 fs/ocfs2/super.c | 3 include/linux/rcupdate.h | 3 include/linux/types.h | 3 include/uapi/linux/types.h | 1 kernel/params.c | 4 net/can/gw.c | 165 +++++++----- net/ipv6/addrconf.c | 15 - net/netfilter/ipset/ip_set_hash_gen.h | 2 net/openvswitch/actions.c | 3 49 files changed, 536 insertions(+), 202 deletions(-) Aditya Garg (3): Input: synaptics - enable InterTouch on Dynabook Portege X30L-G Input: synaptics - enable InterTouch on Dell Precision M3800 Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 Al Viro (1): do_umount(): add missing barrier before refcount checks in sync case Alexey Charkov (1): usb: uhci-platform: Make the clock really optional Andrei Kuchynski (1): usb: typec: ucsi: displayport: Fix NULL pointer access Andy Shevchenko (1): types: Complement the aligned types with signed 64-bit one Angelo Dureghello (1): iio: adc: ad7606: fix serial register access Daniel Sneddon (2): x86/bpf: Call branch history clearing sequence on exit x86/bpf: Add IBHF call at end of classic BPF Daniel Wagner (1): nvme: unblock ctrl state transition for firmware update Dave Hansen (1): x86/mm: Eliminate window where TLB flushes may be inadvertently skipped Dave Penkler (3): usb: usbtmc: Fix erroneous get_stb ioctl error returns usb: usbtmc: Fix erroneous wait_srq ioctl return usb: usbtmc: Fix erroneous generic_read ioctl return Dmitry Antipov (1): module: ensure that kobject_put() is safe for module type kobjects Dmitry Torokhov (1): Input: synaptics - enable SMBus for HP Elitebook 850 G1 Eelco Chaudron (1): openvswitch: Fix unsafe attribute parsing in output_userspace() Eric Dumazet (1): can: gw: use call_rcu() instead of costly synchronize_rcu() Gabriel Shahrouzi (4): staging: iio: adc: ad7816: Correct conditional logic for store mode staging: axis-fifo: Remove hardware resets for user errors staging: axis-fifo: Correct handling of tx_fifo_depth for size validation iio: adis16201: Correct inclinometer channel resolution Greg Kroah-Hartman (2): Revert "net: phy: microchip: force IRQ polling mode for lan88xx" Linux 5.15.183 Guillaume Nault (1): gre: Fix again IPv6 link-local address generation. Jan Kara (3): ocfs2: switch osb->disable_recovery to enum ocfs2: implement handshaking with ocfs2 recovery thread ocfs2: stop quota recovery before disabling quotas Jason Andryuk (1): xenbus: Use kref to track req lifetime Jim Lin (1): usb: host: tegra: Prevent host controller crash when OTG port is used Jonas Gorski (6): net: dsa: b53: allow leaky reserved multicast net: dsa: b53: fix clearing PVID of a port net: dsa: b53: fix flushing old pvid VLAN on pvid change net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave net: dsa: b53: always rejoin default untagged VLAN on bridge leave net: dsa: b53: fix learning on VLAN unaware bridges Jonathan Cameron (1): iio: adc: dln2: Use aligned_s64 for timestamp Jozsef Kadlecsik (1): netfilter: ipset: fix region locking in hash types Kevin Baker (1): drm/panel: simple: Update timings for AUO G101EVN010 Manuel Fombuena (1): Input: synaptics - enable InterTouch on Dynabook Portege X30-D Marc Kleine-Budde (2): can: mcan: m_can_class_unregister(): fix order of unregistration calls can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls Oliver Hartkopp (1): can: gw: fix RCU/BH usage in cgw_create_job() Oliver Neukum (1): USB: usbtmc: use interruptible sleep in usbtmc_read Pawan Gupta (1): x86/bhi: Do not set BHI_DIS_S in 32-bit mode Pawel Laszczak (2): usb: cdnsp: Fix issue with resuming from L1 usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version RD Babiera (1): usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition Silvano Seva (2): iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo Thorsten Blum (1): MIPS: Fix MAX_REG_OFFSET Uladzislau Rezki (Sony) (1): rcu/kvfree: Add kvfree_rcu_mightsleep() and kfree_rcu_mightsleep() Wayne Chang (1): usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN Wayne Lin (1): drm/amd/display: Fix wrong handling for AUX_DEFER case

3 months, 4 weeks

1
1
0 0

[PATCH net] hv_netvsc: fix potential deadlock in netvsc_vf_setxdp()

by Saurabh Sengar

The MANA driver's probe registers netdevice via the following call chain: mana_probe() register_netdev() register_netdevice() register_netdevice() calls notifier callback for netvsc driver, holding the netdev mutex via netdev_lock_ops(). Further this netvsc notifier callback end up attempting to acquire the same lock again in dev_xdp_propagate() leading to deadlock. netvsc_netdev_event() netvsc_vf_setxdp() dev_xdp_propagate() This deadlock was not observed so far because net_shaper_ops was never set and this lock in noop in this case. Fix this by using netif_xdp_propagate instead of dev_xdp_propagate to avoid recursive locking in this path. This issue has not observed so far because net_shaper_ops was unset, making the lock path effectively a no-op. To prevent recursive locking and avoid this deadlock, replace dev_xdp_propagate() with netif_xdp_propagate(), which does not acquire the lock again. Also, clean up the unregistration path by removing unnecessary call to netvsc_vf_setxdp(), since unregister_netdevice_many_notify() already performs this cleanup via dev_xdp_uninstall. Fixes: 97246d6d21c2 ("net: hold netdev instance lock during ndo_bpf") Cc: stable(a)vger.kernel.org Signed-off-by: Saurabh Sengar <ssengar(a)linux.microsoft.com> --- drivers/net/hyperv/netvsc_bpf.c | 2 +- drivers/net/hyperv/netvsc_drv.c | 2 -- net/core/dev.c | 1 + 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/net/hyperv/netvsc_bpf.c b/drivers/net/hyperv/netvsc_bpf.c index e01c5997a551..1dd3755d9e6d 100644 --- a/drivers/net/hyperv/netvsc_bpf.c +++ b/drivers/net/hyperv/netvsc_bpf.c @@ -183,7 +183,7 @@ int netvsc_vf_setxdp(struct net_device *vf_netdev, struct bpf_prog *prog) xdp.command = XDP_SETUP_PROG; xdp.prog = prog; - ret = dev_xdp_propagate(vf_netdev, &xdp); + ret = netif_xdp_propagate(vf_netdev, &xdp); if (ret && prog) bpf_prog_put(prog); diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c index d8b169ac0343..ee3aaf9c10e6 100644 --- a/drivers/net/hyperv/netvsc_drv.c +++ b/drivers/net/hyperv/netvsc_drv.c @@ -2462,8 +2462,6 @@ static int netvsc_unregister_vf(struct net_device *vf_netdev) netdev_info(ndev, "VF unregistering: %s\n", vf_netdev->name); - netvsc_vf_setxdp(vf_netdev, NULL); - reinit_completion(&net_device_ctx->vf_add); netdev_rx_handler_unregister(vf_netdev); netdev_upper_dev_unlink(vf_netdev, ndev); diff --git a/net/core/dev.c b/net/core/dev.c index fccf2167b235..8c6c9d7fba26 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -9953,6 +9953,7 @@ int netif_xdp_propagate(struct net_device *dev, struct netdev_bpf *bpf) return dev->netdev_ops->ndo_bpf(dev, bpf); } +EXPORT_SYMBOL_GPL(netif_xdp_propagate); u32 dev_xdp_prog_id(struct net_device *dev, enum bpf_xdp_mode mode) { -- 2.43.0

3 months, 4 weeks

1
0
0 0

[PATCH] wifi: wilc1000: Handle wilc_sdio_cmd52() failure in wilc_sdio_read_init()

by Wentao Liang

The wilc_sdio_read_init() calls wilc_sdio_cmd52() but does not check the return value. This could lead to execution with potentially invalid data if wilc_sdio_cmd52() fails. A proper implementation can be found in wilc_sdio_read_reg(). Add error handling for wilc_sdio_cmd52(). If wilc_sdio_cmd52() fails, log an error message via dev_err(). Fixes: eda308be643f ("staging: wilc1000: refactor interrupt handling for sdio") Cc: stable(a)vger.kernel.org # v5.7 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- drivers/net/wireless/microchip/wilc1000/sdio.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/microchip/wilc1000/sdio.c b/drivers/net/wireless/microchip/wilc1000/sdio.c index e7a2bc9f9902..d0e8b812b622 100644 --- a/drivers/net/wireless/microchip/wilc1000/sdio.c +++ b/drivers/net/wireless/microchip/wilc1000/sdio.c @@ -809,6 +809,7 @@ static int wilc_sdio_read_int(struct wilc *wilc, u32 *int_status) u32 tmp; u8 irq_flags; struct sdio_cmd52 cmd; + int ret; wilc_sdio_read_size(wilc, &tmp); @@ -827,7 +828,12 @@ static int wilc_sdio_read_int(struct wilc *wilc, u32 *int_status) cmd.raw = 0; cmd.read_write = 0; cmd.data = 0; - wilc_sdio_cmd52(wilc, &cmd); + ret = wilc_sdio_cmd52(wilc, &cmd); + if (ret) { + dev_err(&func->devm, "Fail cmd 52, get IRQ register...\n"); + return ret; + } + irq_flags = cmd.data; if (sdio_priv->irq_gpio) -- 2.42.0.windows.2

3 months, 4 weeks

2
1
0 0

[to-be-updated] xarray-fix-kmemleak-false-positive-in-xas_shrink.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: XArray: fix kmemleak false positive in xas_shrink() has been removed from the -mm tree. Its filename was xarray-fix-kmemleak-false-positive-in-xas_shrink.patch This patch was dropped because an updated version will be issued ------------------------------------------------------ From: Jared Kangas <jkangas(a)redhat.com> Subject: XArray: fix kmemleak false positive in xas_shrink() Date: Mon, 12 May 2025 12:17:07 -0700 Kmemleak periodically produces a false positive report that resembles the following: unreferenced object 0xffff0000c105ed08 (size 576): comm "swapper/0", pid 1, jiffies 4294937478 hex dump (first 32 bytes): 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ d8 e7 0a 8b 00 80 ff ff 20 ed 05 c1 00 00 ff ff ........ ....... backtrace (crc 69e99671): kmemleak_alloc+0xb4/0xc4 kmem_cache_alloc_lru+0x1f0/0x244 xas_alloc+0x2a0/0x3a0 xas_expand.constprop.0+0x144/0x4dc xas_create+0x2b0/0x484 xas_store+0x60/0xa00 __xa_alloc+0x194/0x280 __xa_alloc_cyclic+0x104/0x2e0 dev_index_reserve+0xd8/0x18c register_netdevice+0x5e8/0xf90 register_netdev+0x28/0x50 loopback_net_init+0x68/0x114 ops_init+0x90/0x2c0 register_pernet_operations+0x20c/0x554 register_pernet_device+0x3c/0x8c net_dev_init+0x5cc/0x7d8 This transient leak can be traced to xas_shrink(): when the xarray's head is reassigned, kmemleak may have already started scanning the xarray. When this happens, if kmemleak fails to scan the new xa_head before it moves, kmemleak will see it as a leak until the xarray is scanned again. The report can be reproduced by running the xdp_bonding BPF selftest, although it doesn't appear consistently due to the bug's transience. In my testing, the following script has reliably triggered the report in under an hour on a debug kernel with kmemleak enabled, where KSELFTESTS is set to the install path for the kernel selftests: #!/bin/sh set -eu echo 1 >/sys/module/kmemleak/parameters/verbose echo scan=1 >/sys/kernel/debug/kmemleak while :; do $KSELFTESTS/bpf/test_progs -t xdp_bonding done To prevent this false positive report, mark the new xa_head in xas_shrink() as a transient leak. Link: https://lkml.kernel.org/r/20250512191707.245153-1-jkangas@redhat.com Signed-off-by: Jared Kangas <jkangas(a)redhat.com> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- lib/xarray.c | 2 ++ 1 file changed, 2 insertions(+) --- a/lib/xarray.c~xarray-fix-kmemleak-false-positive-in-xas_shrink +++ a/lib/xarray.c @@ -8,6 +8,7 @@ #include <linux/bitmap.h> #include <linux/export.h> +#include <linux/kmemleak.h> #include <linux/list.h> #include <linux/slab.h> #include <linux/xarray.h> @@ -476,6 +477,7 @@ static void xas_shrink(struct xa_state * break; node = xa_to_node(entry); node->parent = NULL; + kmemleak_transient_leak(node); } } _ Patches currently in -mm which might be from jkangas(a)redhat.com are radix-tree-fix-kmemleak-false-positive-in-radix_tree_shrink.patch

3 months, 4 weeks

1
0
0 0

+ kasan-avoid-sleepable-page-allocation-from-atomic-context-v9.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: kasan: avoid sleepable page allocation from atomic context has been added to the -mm mm-hotfixes-unstable branch. Its filename is kasan-avoid-sleepable-page-allocation-from-atomic-context-v9.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Alexander Gordeev <agordeev(a)linux.ibm.com> Subject: kasan: avoid sleepable page allocation from atomic context Date: Thu, 15 May 2025 15:55:38 +0200 apply_to_pte_range() enters the lazy MMU mode and then invokes kasan_populate_vmalloc_pte() callback on each page table walk iteration. However, the callback can go into sleep when trying to allocate a single page, e.g. if an architecutre disables preemption on lazy MMU mode enter. On s390 if make arch_enter_lazy_mmu_mode() -> preempt_enable() and arch_leave_lazy_mmu_mode() -> preempt_disable(), such crash occurs: [ 0.663336] BUG: sleeping function called from invalid context at ./include/linux/sched/mm.h:321 [ 0.663348] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd [ 0.663358] preempt_count: 1, expected: 0 [ 0.663366] RCU nest depth: 0, expected: 0 [ 0.663375] no locks held by kthreadd/2. [ 0.663383] Preemption disabled at: [ 0.663386] [<0002f3284cbb4eda>] apply_to_pte_range+0xfa/0x4a0 [ 0.663405] CPU: 0 UID: 0 PID: 2 Comm: kthreadd Not tainted 6.15.0-rc5-gcc-kasan-00043-gd76bb1ebb558-dirty #162 PREEMPT [ 0.663408] Hardware name: IBM 3931 A01 701 (KVM/Linux) [ 0.663409] Call Trace: [ 0.663410] [<0002f3284c385f58>] dump_stack_lvl+0xe8/0x140 [ 0.663413] [<0002f3284c507b9e>] __might_resched+0x66e/0x700 [ 0.663415] [<0002f3284cc4f6c0>] __alloc_frozen_pages_noprof+0x370/0x4b0 [ 0.663419] [<0002f3284ccc73c0>] alloc_pages_mpol+0x1a0/0x4a0 [ 0.663421] [<0002f3284ccc8518>] alloc_frozen_pages_noprof+0x88/0xc0 [ 0.663424] [<0002f3284ccc8572>] alloc_pages_noprof+0x22/0x120 [ 0.663427] [<0002f3284cc341ac>] get_free_pages_noprof+0x2c/0xc0 [ 0.663429] [<0002f3284cceba70>] kasan_populate_vmalloc_pte+0x50/0x120 [ 0.663433] [<0002f3284cbb4ef8>] apply_to_pte_range+0x118/0x4a0 [ 0.663435] [<0002f3284cbc7c14>] apply_to_pmd_range+0x194/0x3e0 [ 0.663437] [<0002f3284cbc99be>] __apply_to_page_range+0x2fe/0x7a0 [ 0.663440] [<0002f3284cbc9e88>] apply_to_page_range+0x28/0x40 [ 0.663442] [<0002f3284ccebf12>] kasan_populate_vmalloc+0x82/0xa0 [ 0.663445] [<0002f3284cc1578c>] alloc_vmap_area+0x34c/0xc10 [ 0.663448] [<0002f3284cc1c2a6>] __get_vm_area_node+0x186/0x2a0 [ 0.663451] [<0002f3284cc1e696>] __vmalloc_node_range_noprof+0x116/0x310 [ 0.663454] [<0002f3284cc1d950>] __vmalloc_node_noprof+0xd0/0x110 [ 0.663457] [<0002f3284c454b88>] alloc_thread_stack_node+0xf8/0x330 [ 0.663460] [<0002f3284c458d56>] dup_task_struct+0x66/0x4d0 [ 0.663463] [<0002f3284c45be90>] copy_process+0x280/0x4b90 [ 0.663465] [<0002f3284c460940>] kernel_clone+0xd0/0x4b0 [ 0.663467] [<0002f3284c46115e>] kernel_thread+0xbe/0xe0 [ 0.663469] [<0002f3284c4e440e>] kthreadd+0x50e/0x7f0 [ 0.663472] [<0002f3284c38c04a>] __ret_from_fork+0x8a/0xf0 [ 0.663475] [<0002f3284ed57ff2>] ret_from_fork+0xa/0x38 Instead of allocating single pages per-PTE, bulk-allocate the shadow memory prior to applying kasan_populate_vmalloc_pte() callback on a page range. Link: https://lkml.kernel.org/r/c61d3560297c93ed044f0b1af085610353a06a58.17473169… Fixes: 3c5c3cfb9ef4 ("kasan: support backing vmalloc space with real shadow memory") Signed-off-by: Alexander Gordeev <agordeev(a)linux.ibm.com> Suggested-by: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Reviewed-by: Harry Yoo <harry.yoo(a)oracle.com> Cc: Daniel Axtens <dja(a)axtens.net> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/kasan/shadow.c | 92 +++++++++++++++++++++++++++++++++++++------- 1 file changed, 78 insertions(+), 14 deletions(-) --- a/mm/kasan/shadow.c~kasan-avoid-sleepable-page-allocation-from-atomic-context-v9 +++ a/mm/kasan/shadow.c @@ -292,33 +292,99 @@ void __init __weak kasan_populate_early_ { } +struct vmalloc_populate_data { + unsigned long start; + struct page **pages; +}; + static int kasan_populate_vmalloc_pte(pte_t *ptep, unsigned long addr, - void *unused) + void *_data) { - unsigned long page; + struct vmalloc_populate_data *data = _data; + struct page *page; pte_t pte; + int index; if (likely(!pte_none(ptep_get(ptep)))) return 0; - page = __get_free_page(GFP_KERNEL); - if (!page) - return -ENOMEM; - - __memset((void *)page, KASAN_VMALLOC_INVALID, PAGE_SIZE); - pte = pfn_pte(PFN_DOWN(__pa(page)), PAGE_KERNEL); + index = PFN_DOWN(addr - data->start); + page = data->pages[index]; + __memset(page_to_virt(page), KASAN_VMALLOC_INVALID, PAGE_SIZE); + pte = pfn_pte(page_to_pfn(page), PAGE_KERNEL); spin_lock(&init_mm.page_table_lock); if (likely(pte_none(ptep_get(ptep)))) { set_pte_at(&init_mm, addr, ptep, pte); - page = 0; + data->pages[index] = NULL; } spin_unlock(&init_mm.page_table_lock); - if (page) - free_page(page); + + return 0; +} + +static void ___free_pages_bulk(struct page **pages, int nr_pages) +{ + int i; + + for (i = 0; i < nr_pages; i++) { + if (pages[i]) { + __free_pages(pages[i], 0); + pages[i] = NULL; + } + } +} + +static int ___alloc_pages_bulk(struct page **pages, int nr_pages) +{ + unsigned long nr_populated, nr_total = nr_pages; + struct page **page_array = pages; + + while (nr_pages) { + nr_populated = alloc_pages_bulk(GFP_KERNEL, nr_pages, pages); + if (!nr_populated) { + ___free_pages_bulk(page_array, nr_total - nr_pages); + return -ENOMEM; + } + pages += nr_populated; + nr_pages -= nr_populated; + } + return 0; } +static int __kasan_populate_vmalloc(unsigned long start, unsigned long end) +{ + unsigned long nr_pages, nr_total = PFN_UP(end - start); + struct vmalloc_populate_data data; + int ret = 0; + + data.pages = (struct page **)__get_free_page(GFP_KERNEL | __GFP_ZERO); + if (!data.pages) + return -ENOMEM; + + while (nr_total) { + nr_pages = min(nr_total, PAGE_SIZE / sizeof(data.pages[0])); + ret = ___alloc_pages_bulk(data.pages, nr_pages); + if (ret) + break; + + data.start = start; + ret = apply_to_page_range(&init_mm, start, nr_pages * PAGE_SIZE, + kasan_populate_vmalloc_pte, &data); + ___free_pages_bulk(data.pages, nr_pages); + if (ret) + break; + + start += nr_pages * PAGE_SIZE; + nr_total -= nr_pages; + } + + free_page((unsigned long)data.pages); + + return ret; +} + int kasan_populate_vmalloc(unsigned long addr, unsigned long size) { unsigned long shadow_start, shadow_end; @@ -348,9 +414,7 @@ int kasan_populate_vmalloc(unsigned long shadow_start = PAGE_ALIGN_DOWN(shadow_start); shadow_end = PAGE_ALIGN(shadow_end); - ret = apply_to_page_range(&init_mm, shadow_start, - shadow_end - shadow_start, - kasan_populate_vmalloc_pte, NULL); + ret = __kasan_populate_vmalloc(shadow_start, shadow_end); if (ret) return ret; _ Patches currently in -mm which might be from agordeev(a)linux.ibm.com are kasan-avoid-sleepable-page-allocation-from-atomic-context-v9.patch

3 months, 4 weeks

1
0
0 0

FAILED: patch "[PATCH] iio: light: opt3001: fix deadlock due to concurrent flag" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x f063a28002e3350088b4577c5640882bf4ea17ea # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051215-economist-traffic-fa57@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f063a28002e3350088b4577c5640882bf4ea17ea Mon Sep 17 00:00:00 2001 From: Luca Ceresoli <luca.ceresoli(a)bootlin.com> Date: Fri, 21 Mar 2025 19:10:00 +0100 Subject: [PATCH] iio: light: opt3001: fix deadlock due to concurrent flag access The threaded IRQ function in this driver is reading the flag twice: once to lock a mutex and once to unlock it. Even though the code setting the flag is designed to prevent it, there are subtle cases where the flag could be true at the mutex_lock stage and false at the mutex_unlock stage. This results in the mutex not being unlocked, resulting in a deadlock. Fix it by making the opt3001_irq() code generally more robust, reading the flag into a variable and using the variable value at both stages. Fixes: 94a9b7b1809f ("iio: light: add support for TI's opt3001 light sensor") Cc: stable(a)vger.kernel.org Signed-off-by: Luca Ceresoli <luca.ceresoli(a)bootlin.com> Link: https://patch.msgid.link/20250321-opt3001-irq-fix-v1-1-6c520d851562@bootlin… Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> diff --git a/drivers/iio/light/opt3001.c b/drivers/iio/light/opt3001.c index 65b295877b41..393a3d2fbe1d 100644 --- a/drivers/iio/light/opt3001.c +++ b/drivers/iio/light/opt3001.c @@ -788,8 +788,9 @@ static irqreturn_t opt3001_irq(int irq, void *_iio) int ret; bool wake_result_ready_queue = false; enum iio_chan_type chan_type = opt->chip_info->chan_type; + bool ok_to_ignore_lock = opt->ok_to_ignore_lock; - if (!opt->ok_to_ignore_lock) + if (!ok_to_ignore_lock) mutex_lock(&opt->lock); ret = i2c_smbus_read_word_swapped(opt->client, OPT3001_CONFIGURATION); @@ -826,7 +827,7 @@ static irqreturn_t opt3001_irq(int irq, void *_iio) } out: - if (!opt->ok_to_ignore_lock) + if (!ok_to_ignore_lock) mutex_unlock(&opt->lock); if (wake_result_ready_queue)

3 months, 4 weeks

3
5
0 0

Propuesla

by laraweer24＠gmail.com

Dear there [Email: linux-stable-mirror(a)lists.linaro.org], I came across your website and really think it has great potential. I'd love to share a proposal with you on how we can help improve your website's visibility on Google — possibly even get it to the first page. Would it be okay if I send you the proposal and pricing details? Thanks,

3 months, 4 weeks

1
0
0 0

[PATCH v9 0/1] kasan: Avoid sleepable page allocation from atomic context

by Alexander Gordeev

Hi All, I dropped Harry Yoo's Reviewed-by from this version. Chages since v8: - fixed page_owner=on issue preventing bulk allocations on x86 Chages since v7: - drop "unnecessary free pages" optimization - fix error path page leak Chages since v6: - do not unnecessary free pages across iterations Chages since v5: - full error message included into commit description Chages since v4: - unused pages leak is avoided Chages since v3: - pfn_to_virt() changed to page_to_virt() due to compile error Chages since v2: - page allocation moved out of the atomic context Chages since v1: - Fixes: and -stable tags added to the patch description Thanks! Alexander Gordeev (1): kasan: Avoid sleepable page allocation from atomic context mm/kasan/shadow.c | 92 +++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 78 insertions(+), 14 deletions(-) -- 2.45.2

3 months, 4 weeks

2
2
0 0

[PATCH v2 1/2] xhci: Add a quirk for full reset on removal

by Roy Luo

Commit 6ccb83d6c497 ("usb: xhci: Implement xhci_handshake_check_state() helper") introduced an optimization to xhci_reset() during xhci removal, allowing it to bail out early without waiting for the reset to complete. This behavior can cause issues on SNPS DWC3 USB controller with dual-role capability. When the DWC3 controller exits host mode and removes xhci while a reset is still in progress, and then tries to configure its hardware for device mode, the ongoing reset leads to register access issues; specifically, all register reads returns 0. These issues extend beyond the xhci register space (which is expected during a reset) and affect the entire DWC3 IP block, causing the DWC3 device mode to malfunction. To address this, introduce the `XHCI_FULL_RESET_ON_REMOVE` quirk. When this quirk is set, xhci_reset() always completes its reset handshake, ensuring the controller is in a fully reset state before proceeding. Cc: stable(a)vger.kernel.org Fixes: 6ccb83d6c497 ("usb: xhci: Implement xhci_handshake_check_state() helper") Signed-off-by: Roy Luo <royluo(a)google.com> --- drivers/usb/host/xhci-plat.c | 3 +++ drivers/usb/host/xhci.c | 8 +++++++- drivers/usb/host/xhci.h | 1 + 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c index 3155e3a842da..19c5c26a8e63 100644 --- a/drivers/usb/host/xhci-plat.c +++ b/drivers/usb/host/xhci-plat.c @@ -265,6 +265,9 @@ int xhci_plat_probe(struct platform_device *pdev, struct device *sysdev, const s if (device_property_read_bool(tmpdev, "xhci-skip-phy-init-quirk")) xhci->quirks |= XHCI_SKIP_PHY_INIT; + if (device_property_read_bool(tmpdev, "xhci-full-reset-on-remove-quirk")) + xhci->quirks |= XHCI_FULL_RESET_ON_REMOVE; + device_property_read_u32(tmpdev, "imod-interval-ns", &xhci->imod_interval); } diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index 90eb491267b5..4f091d618c01 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -198,6 +198,7 @@ int xhci_reset(struct xhci_hcd *xhci, u64 timeout_us) u32 command; u32 state; int ret; + unsigned int exit_state; state = readl(&xhci->op_regs->status); @@ -226,8 +227,13 @@ int xhci_reset(struct xhci_hcd *xhci, u64 timeout_us) if (xhci->quirks & XHCI_INTEL_HOST) udelay(1000); + if (xhci->quirks & XHCI_FULL_RESET_ON_REMOVE) + exit_state = 0; + else + exit_state = XHCI_STATE_REMOVING; + ret = xhci_handshake_check_state(xhci, &xhci->op_regs->command, - CMD_RESET, 0, timeout_us, XHCI_STATE_REMOVING); + CMD_RESET, 0, timeout_us, exit_state); if (ret) return ret; diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h index 242ab9fbc8ae..ac65af788298 100644 --- a/drivers/usb/host/xhci.h +++ b/drivers/usb/host/xhci.h @@ -1637,6 +1637,7 @@ struct xhci_hcd { #define XHCI_WRITE_64_HI_LO BIT_ULL(47) #define XHCI_CDNS_SCTX_QUIRK BIT_ULL(48) #define XHCI_ETRON_HOST BIT_ULL(49) +#define XHCI_FULL_RESET_ON_REMOVE BIT_ULL(50) unsigned int num_active_eps; unsigned int limit_active_eps; -- 2.49.0.1112.g889b7c5bd8-goog

3 months, 4 weeks

3
6
0 0

[PATCH v1 1/3] s390/uv: don't return 0 from make_hva_secure() if the operation was not successful

by David Hildenbrand

If s390_wiggle_split_folio() returns 0 because splitting a large folio succeeded, we will return 0 from make_hva_secure() even though a retry is required. Return -EAGAIN in that case. Otherwise, we'll return 0 from gmap_make_secure(), and consequently from unpack_one(). In kvm_s390_pv_unpack(), we assume that unpacking succeeded and skip unpacking this page. Later on, we run into issues and fail booting the VM. So far, this issue was only observed with follow-up patches where we split large pagecache XFS folios. Maybe it can also be triggered with shmem? We'll cleanup s390_wiggle_split_folio() a bit next, to also return 0 if no split was required. Fixes: d8dfda5af0be ("KVM: s390: pv: fix race when making a page secure") Cc: stable(a)vger.kernel.org Signed-off-by: David Hildenbrand <david(a)redhat.com> --- arch/s390/kernel/uv.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/arch/s390/kernel/uv.c b/arch/s390/kernel/uv.c index 9a5d5be8acf41..2cc3b599c7fe3 100644 --- a/arch/s390/kernel/uv.c +++ b/arch/s390/kernel/uv.c @@ -393,8 +393,11 @@ int make_hva_secure(struct mm_struct *mm, unsigned long hva, struct uv_cb_header folio_walk_end(&fw, vma); mmap_read_unlock(mm); - if (rc == -E2BIG || rc == -EBUSY) + if (rc == -E2BIG || rc == -EBUSY) { rc = s390_wiggle_split_folio(mm, folio, rc == -E2BIG); + if (!rc) + rc = -EAGAIN; + } folio_put(folio); return rc; -- 2.49.0

3 months, 4 weeks

2
4
0 0

[PATCH v3 rc] iommu: Skip PASID validation for devices without PASID capability

by Tushar Dave

Generally PASID support requires ACS settings that usually create single device groups, but there are some niche cases where we can get multi-device groups and still have working PASID support. The primary issue is that PCI switches are not required to treat PASID tagged TLPs specially so appropriate ACS settings are required to route all TLPs to the host bridge if PASID is going to work properly. pci_enable_pasid() does check that each device that will use PASID has the proper ACS settings to achieve this routing. However, no-PASID devices can be combined with PASID capable devices within the same topology using non-uniform ACS settings. In this case the no-PASID devices may not have strict route to host ACS flags and end up being grouped with the PASID devices. This configuration fails to allow use of the PASID within the iommu core code which wrongly checks if the no-PASID device supports PASID. Fix this by ignoring no-PASID devices during the PASID validation. They will never issue a PASID TLP anyhow so they can be ignored. Fixes: c404f55c26fc ("iommu: Validate the PASID in iommu_attach_device_pasid()") Cc: stable(a)vger.kernel.org Signed-off-by: Tushar Dave <tdave(a)nvidia.com> --- changes in v3: - addressed review comment from Vasant. drivers/iommu/iommu.c | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c index 60aed01e54f2..636fc68a8ec0 100644 --- a/drivers/iommu/iommu.c +++ b/drivers/iommu/iommu.c @@ -3329,10 +3329,12 @@ static int __iommu_set_group_pasid(struct iommu_domain *domain, int ret; for_each_group_device(group, device) { - ret = domain->ops->set_dev_pasid(domain, device->dev, - pasid, NULL); - if (ret) - goto err_revert; + if (device->dev->iommu->max_pasids > 0) { + ret = domain->ops->set_dev_pasid(domain, device->dev, + pasid, NULL); + if (ret) + goto err_revert; + } } return 0; @@ -3342,7 +3344,8 @@ static int __iommu_set_group_pasid(struct iommu_domain *domain, for_each_group_device(group, device) { if (device == last_gdev) break; - iommu_remove_dev_pasid(device->dev, pasid, domain); + if (device->dev->iommu->max_pasids > 0) + iommu_remove_dev_pasid(device->dev, pasid, domain); } return ret; } @@ -3353,8 +3356,10 @@ static void __iommu_remove_group_pasid(struct iommu_group *group, { struct group_device *device; - for_each_group_device(group, device) - iommu_remove_dev_pasid(device->dev, pasid, domain); + for_each_group_device(group, device) { + if (device->dev->iommu->max_pasids > 0) + iommu_remove_dev_pasid(device->dev, pasid, domain); + } } /* @@ -3391,7 +3396,13 @@ int iommu_attach_device_pasid(struct iommu_domain *domain, mutex_lock(&group->mutex); for_each_group_device(group, device) { - if (pasid >= device->dev->iommu->max_pasids) { + /* + * Skip PASID validation for devices without PASID support + * (max_pasids = 0). These devices cannot issue transactions + * with PASID, so they don't affect group's PASID usage. + */ + if ((device->dev->iommu->max_pasids > 0) && + (pasid >= device->dev->iommu->max_pasids)) { ret = -EINVAL; goto out_unlock; } -- 2.34.1

3 months, 4 weeks

6
8
0 0

[PATCH net v2] vmxnet3: update MTU after device quiesce

by Ronak Doshi

Currently, when device mtu is updated, vmxnet3 updates netdev mtu, quiesces the device and then reactivates it for the ESXi to know about the new mtu. So, technically the OS stack can start using the new mtu before ESXi knows about the new mtu. This can lead to issues for TSO packets which use mss as per the new mtu configured. This patch fixes this issue by moving the mtu write after device quiesce. Cc: stable(a)vger.kernel.org Fixes: d1a890fa37f2 ("net: VMware virtual Ethernet NIC driver: vmxnet3") Signed-off-by: Ronak Doshi <ronak.doshi(a)broadcom.com> Acked-by: Guolin Yang <guolin.yang(a)broadcom.com> Changes v1-> v2: Moved MTU write after destroy of rx rings --- drivers/net/vmxnet3/vmxnet3_drv.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c index 3df6aabc7e33..c676979c7ab9 100644 --- a/drivers/net/vmxnet3/vmxnet3_drv.c +++ b/drivers/net/vmxnet3/vmxnet3_drv.c @@ -3607,8 +3607,6 @@ vmxnet3_change_mtu(struct net_device *netdev, int new_mtu) struct vmxnet3_adapter *adapter = netdev_priv(netdev); int err = 0; - WRITE_ONCE(netdev->mtu, new_mtu); - /* * Reset_work may be in the middle of resetting the device, wait for its * completion. @@ -3622,6 +3620,7 @@ vmxnet3_change_mtu(struct net_device *netdev, int new_mtu) /* we need to re-create the rx queue based on the new mtu */ vmxnet3_rq_destroy_all(adapter); + WRITE_ONCE(netdev->mtu, new_mtu); vmxnet3_adjust_rx_ring_size(adapter); err = vmxnet3_rq_create_all(adapter); if (err) { @@ -3638,6 +3637,8 @@ vmxnet3_change_mtu(struct net_device *netdev, int new_mtu) "Closing it\n", err); goto out; } + } else { + WRITE_ONCE(netdev->mtu, new_mtu); } out: -- 2.45.2

3 months, 4 weeks

2
1
0 0

[PATCH net v3] net: dsa: microchip: linearize skb for tail-tagging switches

by Jakob Unterwurzacher

The pointer arithmentic for accessing the tail tag only works for linear skbs. For nonlinear skbs, it reads uninitialized memory inside the skb headroom, essentially randomizing the tag. I have observed it gets set to 6 most of the time. Example where ksz9477_rcv thinks that the packet from port 1 comes from port 6 (which does not exist for the ksz9896 that's in use), dropping the packet. Debug prints added by me (not included in this patch): [ 256.645337] ksz9477_rcv:323 tag0=6 [ 256.645349] skb len=47 headroom=78 headlen=0 tailroom=0 mac=(64,14) mac_len=14 net=(78,0) trans=78 shinfo(txflags=0 nr_frags=1 gso(size=0 type=0 segs=0)) csum(0x0 start=0 offset=0 ip_summed=0 complete_sw=0 valid=0 level=0) hash(0x0 sw=0 l4=0) proto=0x00f8 pkttype=1 iif=3 priority=0x0 mark=0x0 alloc_cpu=0 vlan_all=0x0 encapsulation=0 inner(proto=0x0000, mac=0, net=0, trans=0) [ 256.645377] dev name=end1 feat=0x0002e10200114bb3 [ 256.645386] skb headroom: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 256.645395] skb headroom: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 256.645403] skb headroom: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 256.645411] skb headroom: 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 256.645420] skb headroom: 00000040: ff ff ff ff ff ff 00 1c 19 f2 e2 db 08 06 [ 256.645428] skb frag: 00000000: 00 01 08 00 06 04 00 01 00 1c 19 f2 e2 db 0a 02 [ 256.645436] skb frag: 00000010: 00 83 00 00 00 00 00 00 0a 02 a0 2f 00 00 00 00 [ 256.645444] skb frag: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 [ 256.645452] ksz_common_rcv:92 dsa_conduit_find_user returned NULL Call skb_linearize before trying to access the tag. This patch fixes ksz9477_rcv which is used by the ksz9896 I have at hand, and also applies the same fix to ksz8795_rcv which seems to have the same problem. Signed-off-by: Jakob Unterwurzacher <jakob.unterwurzacher(a)cherry.de> CC: stable(a)vger.kernel.org Fixes: 016e43a26bab ("net: dsa: ksz: Add KSZ8795 tag code") Fixes: 8b8010fb7876 ("dsa: add support for Microchip KSZ tail tagging") Reviewed-by: Vladimir Oltean <olteanv(a)gmail.com> --- v1: Initial submission https://lore.kernel.org/netdev/20250509071820.4100022-1-jakob.unterwurzache… v2: Add Fixes tags, Cc stable, "[PATCH net]" prefix https://lore.kernel.org/netdev/20250512144416.3697054-1-jakob.unterwurzache… v3: Move declarations before skb_linearize call, pick up Reviewed-By net/dsa/tag_ksz.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/net/dsa/tag_ksz.c b/net/dsa/tag_ksz.c index c33d4bf17929..0b7564b53790 100644 --- a/net/dsa/tag_ksz.c +++ b/net/dsa/tag_ksz.c @@ -140,7 +140,12 @@ static struct sk_buff *ksz8795_xmit(struct sk_buff *skb, struct net_device *dev) static struct sk_buff *ksz8795_rcv(struct sk_buff *skb, struct net_device *dev) { - u8 *tag = skb_tail_pointer(skb) - KSZ_EGRESS_TAG_LEN; + u8 *tag; + + if (skb_linearize(skb)) + return NULL; + + tag = skb_tail_pointer(skb) - KSZ_EGRESS_TAG_LEN; return ksz_common_rcv(skb, dev, tag[0] & KSZ8795_TAIL_TAG_EG_PORT_M, KSZ_EGRESS_TAG_LEN); @@ -311,10 +316,16 @@ static struct sk_buff *ksz9477_xmit(struct sk_buff *skb, static struct sk_buff *ksz9477_rcv(struct sk_buff *skb, struct net_device *dev) { - /* Tag decoding */ - u8 *tag = skb_tail_pointer(skb) - KSZ_EGRESS_TAG_LEN; - unsigned int port = tag[0] & KSZ9477_TAIL_TAG_EG_PORT_M; unsigned int len = KSZ_EGRESS_TAG_LEN; + unsigned int port; + u8 *tag; + + if (skb_linearize(skb)) + return NULL; + + /* Tag decoding */ + tag = skb_tail_pointer(skb) - KSZ_EGRESS_TAG_LEN; + port = tag[0] & KSZ9477_TAIL_TAG_EG_PORT_M; /* Extra 4-bytes PTP timestamp */ if (tag[0] & KSZ9477_PTP_TAG_INDICATION) { -- 2.39.5

3 months, 4 weeks

2
1
0 0

[PATCH] wifi: ath11k: fix rx completion meta data corruption

by Johan Hovold

Add the missing memory barrier to make sure that the REO dest ring descriptor is read after the head pointer to avoid using stale data on weakly ordered architectures like aarch64. This may fix the ring-buffer corruption worked around by commit f9fff67d2d7c ("wifi: ath11k: Fix SKB corruption in REO destination ring") by silently discarding data, and may possibly also address user reported errors like: ath11k_pci 0006:01:00.0: msdu_done bit in attention is not set Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") Cc: stable(a)vger.kernel.org # 5.6 Link: https://bugzilla.kernel.org/show_bug.cgi?id=218005 Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- As I reported here: https://lore.kernel.org/lkml/Z9G5zEOcTdGKm7Ei@hovoldconsulting.com/ the ath11k and ath12k appear to be missing a number of memory barriers that are required on weakly ordered architectures like aarch64 to avoid memory corruption issues. Here's a fix for one more such case which people already seem to be hitting. Note that I've seen one "msdu_done" bit not set warning also with this patch so whether it helps with that at all remains to be seen. I'm CCing Jens and Steev that see these warnings frequently and that may be able to help out with testing. Johan drivers/net/wireless/ath/ath11k/dp_rx.c | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c index 029ecf51c9ef..0a57b337e4c6 100644 --- a/drivers/net/wireless/ath/ath11k/dp_rx.c +++ b/drivers/net/wireless/ath/ath11k/dp_rx.c @@ -2646,7 +2646,7 @@ int ath11k_dp_process_rx(struct ath11k_base *ab, int ring_id, struct ath11k *ar; struct hal_reo_dest_ring *desc; enum hal_reo_dest_ring_push_reason push_reason; - u32 cookie; + u32 cookie, info0, rx_msdu_info0, rx_mpdu_info0; int i; for (i = 0; i < MAX_RADIOS; i++) @@ -2659,11 +2659,14 @@ int ath11k_dp_process_rx(struct ath11k_base *ab, int ring_id, try_again: ath11k_hal_srng_access_begin(ab, srng); + /* Make sure descriptor is read after the head pointer. */ + dma_rmb(); + while (likely(desc = (struct hal_reo_dest_ring *)ath11k_hal_srng_dst_get_next_entry(ab, srng))) { cookie = FIELD_GET(BUFFER_ADDR_INFO1_SW_COOKIE, - desc->buf_addr_info.info1); + READ_ONCE(desc->buf_addr_info.info1)); buf_id = FIELD_GET(DP_RXDMA_BUF_COOKIE_BUF_ID, cookie); mac_id = FIELD_GET(DP_RXDMA_BUF_COOKIE_PDEV_ID, cookie); @@ -2692,8 +2695,9 @@ int ath11k_dp_process_rx(struct ath11k_base *ab, int ring_id, num_buffs_reaped[mac_id]++; + info0 = READ_ONCE(desc->info0); push_reason = FIELD_GET(HAL_REO_DEST_RING_INFO0_PUSH_REASON, - desc->info0); + info0); if (unlikely(push_reason != HAL_REO_DEST_RING_PUSH_REASON_ROUTING_INSTRUCTION)) { dev_kfree_skb_any(msdu); @@ -2701,18 +2705,21 @@ int ath11k_dp_process_rx(struct ath11k_base *ab, int ring_id, continue; } - rxcb->is_first_msdu = !!(desc->rx_msdu_info.info0 & + rx_msdu_info0 = READ_ONCE(desc->rx_msdu_info.info0); + rx_mpdu_info0 = READ_ONCE(desc->rx_mpdu_info.info0); + + rxcb->is_first_msdu = !!(rx_msdu_info0 & RX_MSDU_DESC_INFO0_FIRST_MSDU_IN_MPDU); - rxcb->is_last_msdu = !!(desc->rx_msdu_info.info0 & + rxcb->is_last_msdu = !!(rx_msdu_info0 & RX_MSDU_DESC_INFO0_LAST_MSDU_IN_MPDU); - rxcb->is_continuation = !!(desc->rx_msdu_info.info0 & + rxcb->is_continuation = !!(rx_msdu_info0 & RX_MSDU_DESC_INFO0_MSDU_CONTINUATION); rxcb->peer_id = FIELD_GET(RX_MPDU_DESC_META_DATA_PEER_ID, - desc->rx_mpdu_info.meta_data); + READ_ONCE(desc->rx_mpdu_info.meta_data)); rxcb->seq_no = FIELD_GET(RX_MPDU_DESC_INFO0_SEQ_NUM, - desc->rx_mpdu_info.info0); + rx_mpdu_info0); rxcb->tid = FIELD_GET(HAL_REO_DEST_RING_INFO0_RX_QUEUE_NUM, - desc->info0); + info0); rxcb->mac_id = mac_id; __skb_queue_tail(&msdu_list[mac_id], msdu); -- 2.48.1

4 months

5
7
0 0

[PATCH] wifi: ath11k: fix ring-buffer corruption

by Johan Hovold

Users of the Lenovo ThinkPad X13s have reported that Wi-Fi sometimes breaks and the log fills up with errors like: ath11k_pci 0006:01:00.0: HTC Rx: insufficient length, got 1484, expected 1492 ath11k_pci 0006:01:00.0: HTC Rx: insufficient length, got 1460, expected 1484 which based on a quick look at the driver seemed to indicate some kind of ring-buffer corruption. Miaoqing Pan tracked it down to the host seeing the updated destination ring head pointer before the updated descriptor, and the error handling for that in turn leaves the ring buffer in an inconsistent state. Add the missing memory barrier to make sure that the descriptor is read after the head pointer to address the root cause of the corruption while fixing up the error handling in case there are ever any (ordering) bugs on the device side. Note that the READ_ONCE() are only needed to avoid compiler mischief in case the ring-buffer helpers are ever inlined. Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218623 Link: https://lore.kernel.org/20250310010217.3845141-3-quic_miaoqing@quicinc.com Cc: Miaoqing Pan <quic_miaoqing(a)quicinc.com> Cc: stable(a)vger.kernel.org # 5.6 Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- drivers/net/wireless/ath/ath11k/ce.c | 11 +++++------ drivers/net/wireless/ath/ath11k/hal.c | 4 ++-- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/drivers/net/wireless/ath/ath11k/ce.c b/drivers/net/wireless/ath/ath11k/ce.c index e66e86bdec20..9d8efec46508 100644 --- a/drivers/net/wireless/ath/ath11k/ce.c +++ b/drivers/net/wireless/ath/ath11k/ce.c @@ -393,11 +393,10 @@ static int ath11k_ce_completed_recv_next(struct ath11k_ce_pipe *pipe, goto err; } + /* Make sure descriptor is read after the head pointer. */ + dma_rmb(); + *nbytes = ath11k_hal_ce_dst_status_get_length(desc); - if (*nbytes == 0) { - ret = -EIO; - goto err; - } *skb = pipe->dest_ring->skb[sw_index]; pipe->dest_ring->skb[sw_index] = NULL; @@ -430,8 +429,8 @@ static void ath11k_ce_recv_process_cb(struct ath11k_ce_pipe *pipe) dma_unmap_single(ab->dev, ATH11K_SKB_RXCB(skb)->paddr, max_nbytes, DMA_FROM_DEVICE); - if (unlikely(max_nbytes < nbytes)) { - ath11k_warn(ab, "rxed more than expected (nbytes %d, max %d)", + if (unlikely(max_nbytes < nbytes || nbytes == 0)) { + ath11k_warn(ab, "unexpected rx length (nbytes %d, max %d)", nbytes, max_nbytes); dev_kfree_skb_any(skb); continue; diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c index 61f4b6dd5380..8cb1505a5a0c 100644 --- a/drivers/net/wireless/ath/ath11k/hal.c +++ b/drivers/net/wireless/ath/ath11k/hal.c @@ -599,7 +599,7 @@ u32 ath11k_hal_ce_dst_status_get_length(void *buf) struct hal_ce_srng_dst_status_desc *desc = buf; u32 len; - len = FIELD_GET(HAL_CE_DST_STATUS_DESC_FLAGS_LEN, desc->flags); + len = FIELD_GET(HAL_CE_DST_STATUS_DESC_FLAGS_LEN, READ_ONCE(desc->flags)); desc->flags &= ~HAL_CE_DST_STATUS_DESC_FLAGS_LEN; return len; @@ -829,7 +829,7 @@ void ath11k_hal_srng_access_begin(struct ath11k_base *ab, struct hal_srng *srng) srng->u.src_ring.cached_tp = *(volatile u32 *)srng->u.src_ring.tp_addr; } else { - srng->u.dst_ring.cached_hp = *srng->u.dst_ring.hp_addr; + srng->u.dst_ring.cached_hp = READ_ONCE(*srng->u.dst_ring.hp_addr); /* Try to prefetch the next descriptor in the ring */ if (srng->flags & HAL_SRNG_FLAGS_CACHED) -- 2.48.1

4 months

7
6
0 0

[PATCH stable 5.15/6.1/6.6] af_unix: Clear oob_skb in scan_inflight().

by Kuniyuki Iwashima

Embryo socket is not queued in gc_candidates, so we can't drop a reference held by its oob_skb. Let's say we create listener and embryo sockets, send the listener's fd to the embryo as OOB data, and close() them without recv()ing the OOB data. There is a self-reference cycle like listener -> embryo.oob_skb -> listener , so this must be cleaned up by GC. Otherwise, the listener's refcnt is not released and sockets are leaked: # unshare -n # cat /proc/net/protocols | grep UNIX-STREAM UNIX-STREAM 1024 0 -1 NI 0 yes kernel ... # python3 >>> from array import array >>> from socket import * >>> >>> s = socket(AF_UNIX, SOCK_STREAM) >>> s.bind('\0test\0') >>> s.listen() >>> >>> c = socket(AF_UNIX, SOCK_STREAM) >>> c.connect(s.getsockname()) >>> c.sendmsg([b'x'], [(SOL_SOCKET, SCM_RIGHTS, array('i', [s.fileno()]))], MSG_OOB) 1 >>> quit() # cat /proc/net/protocols | grep UNIX-STREAM UNIX-STREAM 1024 3 -1 NI 0 yes kernel ... ^^^ 3 sockets still in use after FDs are close()d Let's drop the embryo socket's oob_skb ref in scan_inflight(). This also fixes a racy access to oob_skb that commit 9841991a446c ("af_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock.") fixed for the new Tarjan's algo-based GC. Fixes: 314001f0bf92 ("af_unix: Add OOB support") Reported-by: Lei Lu <llfamsec(a)gmail.com> Signed-off-by: Kuniyuki Iwashima <kuniyu(a)amazon.com> --- This has no upstream commit because I replaced the entire GC in 6.10 and the new GC does not have this bug, and this fix is only applicable to the old GC (<= 6.9), thus for 5.15/6.1/6.6. --- --- net/unix/garbage.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/net/unix/garbage.c b/net/unix/garbage.c index 2a758531e102..b3fbdf129944 100644 --- a/net/unix/garbage.c +++ b/net/unix/garbage.c @@ -102,13 +102,14 @@ static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *), /* Process the descriptors of this socket */ int nfd = UNIXCB(skb).fp->count; struct file **fp = UNIXCB(skb).fp->fp; + struct unix_sock *u; while (nfd--) { /* Get the socket the fd matches if it indeed does so */ struct sock *sk = unix_get_socket(*fp++); if (sk) { - struct unix_sock *u = unix_sk(sk); + u = unix_sk(sk); /* Ignore non-candidates, they could * have been added to the queues after @@ -122,6 +123,13 @@ static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *), } } if (hit && hitlist != NULL) { +#if IS_ENABLED(CONFIG_AF_UNIX_OOB) + u = unix_sk(x); + if (u->oob_skb) { + WARN_ON_ONCE(skb_unref(u->oob_skb)); + u->oob_skb = NULL; + } +#endif __skb_unlink(skb, &x->sk_receive_queue); __skb_queue_tail(hitlist, skb); } @@ -299,17 +307,9 @@ void unix_gc(void) * which are creating the cycle(s). */ skb_queue_head_init(&hitlist); - list_for_each_entry(u, &gc_candidates, link) { + list_for_each_entry(u, &gc_candidates, link) scan_children(&u->sk, inc_inflight, &hitlist); -#if IS_ENABLED(CONFIG_AF_UNIX_OOB) - if (u->oob_skb) { - kfree_skb(u->oob_skb); - u->oob_skb = NULL; - } -#endif - } - /* not_cycle_list contains those sockets which do not make up a * cycle. Restore these to the inflight list. */ -- 2.39.5 (Apple Git-154)

4 months

5
8
0 0

[PATCH 5.10.y] fs: relax assertions on failure to encode file handles

by jianqi.ren.cn＠windriver.com

From: Amir Goldstein <amir73il(a)gmail.com> commit 974e3fe0ac61de85015bbe5a4990cf4127b304b2 upstream. Encoding file handles is usually performed by a filesystem >encode_fh() method that may fail for various reasons. The legacy users of exportfs_encode_fh(), namely, nfsd and name_to_handle_at(2) syscall are ready to cope with the possibility of failure to encode a file handle. There are a few other users of exportfs_encode_{fh,fid}() that currently have a WARN_ON() assertion when ->encode_fh() fails. Relax those assertions because they are wrong. The second linked bug report states commit 16aac5ad1fa9 ("ovl: support encoding non-decodable file handles") in v6.6 as the regressing commit, but this is not accurate. The aforementioned commit only increases the chances of the assertion and allows triggering the assertion with the reproducer using overlayfs, inotify and drop_caches. Triggering this assertion was always possible with other filesystems and other reasons of ->encode_fh() failures and more particularly, it was also possible with the exact same reproducer using overlayfs that is mounted with options index=on,nfs_export=on also on kernels < v6.6. Therefore, I am not listing the aforementioned commit as a Fixes commit. Backport hint: this patch will have a trivial conflict applying to v6.6.y, and other trivial conflicts applying to stable kernels < v6.6. Reported-by: syzbot+ec07f6f5ce62b858579f(a)syzkaller.appspotmail.com Tested-by: syzbot+ec07f6f5ce62b858579f(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-unionfs/671fd40c.050a0220.4735a.024f.GAE@goog… Reported-by: Dmitry Safonov <dima(a)arista.com> Closes: https://lore.kernel.org/linux-fsdevel/CAGrbwDTLt6drB9eaUagnQVgdPBmhLfqqxAf3… Cc: stable(a)vger.kernel.org Signed-off-by: Amir Goldstein <amir73il(a)gmail.com> Link: https://lore.kernel.org/r/20241219115301.465396-1-amir73il@gmail.com Signed-off-by: Christian Brauner <brauner(a)kernel.org> [Minor conflict resolved due to code context change.] Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- fs/notify/fdinfo.c | 4 +--- fs/overlayfs/copy_up.c | 5 ++--- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/fs/notify/fdinfo.c b/fs/notify/fdinfo.c index 55081ae3a6ec..dd5bc6ffae85 100644 --- a/fs/notify/fdinfo.c +++ b/fs/notify/fdinfo.c @@ -51,10 +51,8 @@ static void show_mark_fhandle(struct seq_file *m, struct inode *inode) size = f.handle.handle_bytes >> 2; ret = exportfs_encode_inode_fh(inode, (struct fid *)f.handle.f_handle, &size, NULL); - if ((ret == FILEID_INVALID) || (ret < 0)) { - WARN_ONCE(1, "Can't encode file handler for inotify: %d\n", ret); + if ((ret == FILEID_INVALID) || (ret < 0)) return; - } f.handle.handle_type = ret; f.handle.handle_bytes = size * sizeof(u32); diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c index 65ac504595ba..8557180bd7e1 100644 --- a/fs/overlayfs/copy_up.c +++ b/fs/overlayfs/copy_up.c @@ -302,9 +302,8 @@ struct ovl_fh *ovl_encode_real_fh(struct dentry *real, bool is_upper) buflen = (dwords << 2); err = -EIO; - if (WARN_ON(fh_type < 0) || - WARN_ON(buflen > MAX_HANDLE_SZ) || - WARN_ON(fh_type == FILEID_INVALID)) + if (fh_type < 0 || fh_type == FILEID_INVALID || + WARN_ON(buflen > MAX_HANDLE_SZ)) goto out_err; fh->fb.version = OVL_FH_VERSION; -- 2.34.1

4 months

2
1
0 0

[PATCH 6.1.y] fs: relax assertions on failure to encode file handles

by jianqi.ren.cn＠windriver.com

From: Amir Goldstein <amir73il(a)gmail.com> commit 974e3fe0ac61de85015bbe5a4990cf4127b304b2 upstream. Encoding file handles is usually performed by a filesystem >encode_fh() method that may fail for various reasons. The legacy users of exportfs_encode_fh(), namely, nfsd and name_to_handle_at(2) syscall are ready to cope with the possibility of failure to encode a file handle. There are a few other users of exportfs_encode_{fh,fid}() that currently have a WARN_ON() assertion when ->encode_fh() fails. Relax those assertions because they are wrong. The second linked bug report states commit 16aac5ad1fa9 ("ovl: support encoding non-decodable file handles") in v6.6 as the regressing commit, but this is not accurate. The aforementioned commit only increases the chances of the assertion and allows triggering the assertion with the reproducer using overlayfs, inotify and drop_caches. Triggering this assertion was always possible with other filesystems and other reasons of ->encode_fh() failures and more particularly, it was also possible with the exact same reproducer using overlayfs that is mounted with options index=on,nfs_export=on also on kernels < v6.6. Therefore, I am not listing the aforementioned commit as a Fixes commit. Backport hint: this patch will have a trivial conflict applying to v6.6.y, and other trivial conflicts applying to stable kernels < v6.6. Reported-by: syzbot+ec07f6f5ce62b858579f(a)syzkaller.appspotmail.com Tested-by: syzbot+ec07f6f5ce62b858579f(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-unionfs/671fd40c.050a0220.4735a.024f.GAE@goog… Reported-by: Dmitry Safonov <dima(a)arista.com> Closes: https://lore.kernel.org/linux-fsdevel/CAGrbwDTLt6drB9eaUagnQVgdPBmhLfqqxAf3… Cc: stable(a)vger.kernel.org Signed-off-by: Amir Goldstein <amir73il(a)gmail.com> Link: https://lore.kernel.org/r/20241219115301.465396-1-amir73il@gmail.com Signed-off-by: Christian Brauner <brauner(a)kernel.org> [Minor conflict resolved due to code context change.] Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- fs/notify/fdinfo.c | 4 +--- fs/overlayfs/copy_up.c | 5 ++--- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/fs/notify/fdinfo.c b/fs/notify/fdinfo.c index 55081ae3a6ec..dd5bc6ffae85 100644 --- a/fs/notify/fdinfo.c +++ b/fs/notify/fdinfo.c @@ -51,10 +51,8 @@ static void show_mark_fhandle(struct seq_file *m, struct inode *inode) size = f.handle.handle_bytes >> 2; ret = exportfs_encode_inode_fh(inode, (struct fid *)f.handle.f_handle, &size, NULL); - if ((ret == FILEID_INVALID) || (ret < 0)) { - WARN_ONCE(1, "Can't encode file handler for inotify: %d\n", ret); + if ((ret == FILEID_INVALID) || (ret < 0)) return; - } f.handle.handle_type = ret; f.handle.handle_bytes = size * sizeof(u32); diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c index 203b88293f6b..ced56696beeb 100644 --- a/fs/overlayfs/copy_up.c +++ b/fs/overlayfs/copy_up.c @@ -361,9 +361,8 @@ struct ovl_fh *ovl_encode_real_fh(struct ovl_fs *ofs, struct dentry *real, buflen = (dwords << 2); err = -EIO; - if (WARN_ON(fh_type < 0) || - WARN_ON(buflen > MAX_HANDLE_SZ) || - WARN_ON(fh_type == FILEID_INVALID)) + if (fh_type < 0 || fh_type == FILEID_INVALID || + WARN_ON(buflen > MAX_HANDLE_SZ)) goto out_err; fh->fb.version = OVL_FH_VERSION; -- 2.34.1

4 months

2
1
0 0

[PATCH 5.15.y] fs: relax assertions on failure to encode file handles

by jianqi.ren.cn＠windriver.com

From: Amir Goldstein <amir73il(a)gmail.com> commit 974e3fe0ac61de85015bbe5a4990cf4127b304b2 upstream. Encoding file handles is usually performed by a filesystem >encode_fh() method that may fail for various reasons. The legacy users of exportfs_encode_fh(), namely, nfsd and name_to_handle_at(2) syscall are ready to cope with the possibility of failure to encode a file handle. There are a few other users of exportfs_encode_{fh,fid}() that currently have a WARN_ON() assertion when ->encode_fh() fails. Relax those assertions because they are wrong. The second linked bug report states commit 16aac5ad1fa9 ("ovl: support encoding non-decodable file handles") in v6.6 as the regressing commit, but this is not accurate. The aforementioned commit only increases the chances of the assertion and allows triggering the assertion with the reproducer using overlayfs, inotify and drop_caches. Triggering this assertion was always possible with other filesystems and other reasons of ->encode_fh() failures and more particularly, it was also possible with the exact same reproducer using overlayfs that is mounted with options index=on,nfs_export=on also on kernels < v6.6. Therefore, I am not listing the aforementioned commit as a Fixes commit. Backport hint: this patch will have a trivial conflict applying to v6.6.y, and other trivial conflicts applying to stable kernels < v6.6. Reported-by: syzbot+ec07f6f5ce62b858579f(a)syzkaller.appspotmail.com Tested-by: syzbot+ec07f6f5ce62b858579f(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-unionfs/671fd40c.050a0220.4735a.024f.GAE@goog… Reported-by: Dmitry Safonov <dima(a)arista.com> Closes: https://lore.kernel.org/linux-fsdevel/CAGrbwDTLt6drB9eaUagnQVgdPBmhLfqqxAf3… Cc: stable(a)vger.kernel.org Signed-off-by: Amir Goldstein <amir73il(a)gmail.com> Link: https://lore.kernel.org/r/20241219115301.465396-1-amir73il@gmail.com Signed-off-by: Christian Brauner <brauner(a)kernel.org> [Minor conflict resolved due to code context change.] Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- fs/notify/fdinfo.c | 4 +--- fs/overlayfs/copy_up.c | 5 ++--- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/fs/notify/fdinfo.c b/fs/notify/fdinfo.c index 55081ae3a6ec..dd5bc6ffae85 100644 --- a/fs/notify/fdinfo.c +++ b/fs/notify/fdinfo.c @@ -51,10 +51,8 @@ static void show_mark_fhandle(struct seq_file *m, struct inode *inode) size = f.handle.handle_bytes >> 2; ret = exportfs_encode_inode_fh(inode, (struct fid *)f.handle.f_handle, &size, NULL); - if ((ret == FILEID_INVALID) || (ret < 0)) { - WARN_ONCE(1, "Can't encode file handler for inotify: %d\n", ret); + if ((ret == FILEID_INVALID) || (ret < 0)) return; - } f.handle.handle_type = ret; f.handle.handle_bytes = size * sizeof(u32); diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c index 5fc32483afed..c5d8ad610a37 100644 --- a/fs/overlayfs/copy_up.c +++ b/fs/overlayfs/copy_up.c @@ -366,9 +366,8 @@ struct ovl_fh *ovl_encode_real_fh(struct ovl_fs *ofs, struct dentry *real, buflen = (dwords << 2); err = -EIO; - if (WARN_ON(fh_type < 0) || - WARN_ON(buflen > MAX_HANDLE_SZ) || - WARN_ON(fh_type == FILEID_INVALID)) + if (fh_type < 0 || fh_type == FILEID_INVALID || + WARN_ON(buflen > MAX_HANDLE_SZ)) goto out_err; fh->fb.version = OVL_FH_VERSION; -- 2.34.1

4 months

2
1
0 0

[PATCH 6.1.y] riscv: mm: Fix the out of bound issue of vmemmap address

by Zhaoyang Li

From: Xu Lu <luxu.kernel(a)bytedance.com> [ Upstream commit f754f27e98f88428aaf6be6e00f5cbce97f62d4b ] In sparse vmemmap model, the virtual address of vmemmap is calculated as: ((struct page *)VMEMMAP_START - (phys_ram_base >> PAGE_SHIFT)). And the struct page's va can be calculated with an offset: (vmemmap + (pfn)). However, when initializing struct pages, kernel actually starts from the first page from the same section that phys_ram_base belongs to. If the first page's physical address is not (phys_ram_base >> PAGE_SHIFT), then we get an va below VMEMMAP_START when calculating va for it's struct page. For example, if phys_ram_base starts from 0x82000000 with pfn 0x82000, the first page in the same section is actually pfn 0x80000. During init_unavailable_range(), we will initialize struct page for pfn 0x80000 with virtual address ((struct page *)VMEMMAP_START - 0x2000), which is below VMEMMAP_START as well as PCI_IO_END. This commit fixes this bug by introducing a new variable 'vmemmap_start_pfn' which is aligned with memory section size and using it to calculate vmemmap address instead of phys_ram_base. Fixes: a11dd49dcb93 ("riscv: Sparse-Memory/vmemmap out-of-bounds fix") Signed-off-by: Xu Lu <luxu.kernel(a)bytedance.com> Reviewed-by: Alexandre Ghiti <alexghiti(a)rivosinc.com> Tested-by: Björn Töpel <bjorn(a)rivosinc.com> Reviewed-by: Björn Töpel <bjorn(a)rivosinc.com> Link: https://lore.kernel.org/r/20241209122617.53341-1-luxu.kernel@bytedance.com Signed-off-by: Palmer Dabbelt <palmer(a)rivosinc.com> Signed-off-by: Zhaoyang Li <lizy04(a)hust.edu.cn> --- arch/riscv/include/asm/page.h | 1 + arch/riscv/include/asm/pgtable.h | 2 +- arch/riscv/mm/init.c | 17 ++++++++++++++++- 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/arch/riscv/include/asm/page.h b/arch/riscv/include/asm/page.h index 86048c60f700..fd861ac47a89 100644 --- a/arch/riscv/include/asm/page.h +++ b/arch/riscv/include/asm/page.h @@ -115,6 +115,7 @@ struct kernel_mapping { extern struct kernel_mapping kernel_map; extern phys_addr_t phys_ram_base; +extern unsigned long vmemmap_start_pfn; #define is_kernel_mapping(x) \ ((x) >= kernel_map.virt_addr && (x) < (kernel_map.virt_addr + kernel_map.size)) diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h index 7d1688f850c3..bb19a643c5c2 100644 --- a/arch/riscv/include/asm/pgtable.h +++ b/arch/riscv/include/asm/pgtable.h @@ -79,7 +79,7 @@ * Define vmemmap for pfn_to_page & page_to_pfn calls. Needed if kernel * is configured with CONFIG_SPARSEMEM_VMEMMAP enabled. */ -#define vmemmap ((struct page *)VMEMMAP_START - (phys_ram_base >> PAGE_SHIFT)) +#define vmemmap ((struct page *)VMEMMAP_START - vmemmap_start_pfn) #define PCI_IO_SIZE SZ_16M #define PCI_IO_END VMEMMAP_START diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c index ba2210b553f9..72b3462babbf 100644 --- a/arch/riscv/mm/init.c +++ b/arch/riscv/mm/init.c @@ -22,6 +22,7 @@ #include <linux/hugetlb.h> #include <asm/fixmap.h> +#include <asm/sparsemem.h> #include <asm/tlbflush.h> #include <asm/sections.h> #include <asm/soc.h> @@ -52,6 +53,13 @@ EXPORT_SYMBOL(pgtable_l5_enabled); phys_addr_t phys_ram_base __ro_after_init; EXPORT_SYMBOL(phys_ram_base); +#ifdef CONFIG_SPARSEMEM_VMEMMAP +#define VMEMMAP_ADDR_ALIGN (1ULL << SECTION_SIZE_BITS) + +unsigned long vmemmap_start_pfn __ro_after_init; +EXPORT_SYMBOL(vmemmap_start_pfn); +#endif + unsigned long empty_zero_page[PAGE_SIZE / sizeof(unsigned long)] __page_aligned_bss; EXPORT_SYMBOL(empty_zero_page); @@ -210,8 +218,12 @@ static void __init setup_bootmem(void) memblock_reserve(vmlinux_start, vmlinux_end - vmlinux_start); phys_ram_end = memblock_end_of_DRAM(); - if (!IS_ENABLED(CONFIG_XIP_KERNEL)) + if (!IS_ENABLED(CONFIG_XIP_KERNEL)) { phys_ram_base = memblock_start_of_DRAM(); +#ifdef CONFIG_SPARSEMEM_VMEMMAP + vmemmap_start_pfn = round_down(phys_ram_base, VMEMMAP_ADDR_ALIGN) >> PAGE_SHIFT; +#endif +} /* * Reserve physical address space that would be mapped to virtual * addresses greater than (void *)(-PAGE_SIZE) because: @@ -946,6 +958,9 @@ asmlinkage void __init setup_vm(uintptr_t dtb_pa) kernel_map.xiprom_sz = (uintptr_t)(&_exiprom) - (uintptr_t)(&_xiprom); phys_ram_base = CONFIG_PHYS_RAM_BASE; +#ifdef CONFIG_SPARSEMEM_VMEMMAP + vmemmap_start_pfn = round_down(phys_ram_base, VMEMMAP_ADDR_ALIGN) >> PAGE_SHIFT; +#endif kernel_map.phys_addr = (uintptr_t)CONFIG_PHYS_RAM_BASE; kernel_map.size = (uintptr_t)(&_end) - (uintptr_t)(&_start); -- 2.25.1

4 months

2
1
0 0

[PATCH 6.1.y] spi: cadence-qspi: fix pointer reference in runtime PM hooks

by Zhaoyang Li

From: Théo Lebrun <theo.lebrun(a)bootlin.com> [ Upstream commit 32ce3bb57b6b402de2aec1012511e7ac4e7449dc ] dev_get_drvdata() gets used to acquire the pointer to cqspi and the SPI controller. Neither embed the other; this lead to memory corruption. On a given platform (Mobileye EyeQ5) the memory corruption is hidden inside cqspi->f_pdata. Also, this uninitialised memory is used as a mutex (ctlr->bus_lock_mutex) by spi_controller_suspend(). Fixes: 2087e85bb66e ("spi: cadence-quadspi: fix suspend-resume implementations") Reviewed-by: Dhruva Gole <d-gole(a)ti.com> Signed-off-by: Théo Lebrun <theo.lebrun(a)bootlin.com> Link: https://msgid.link/r/20240222-cdns-qspi-pm-fix-v4-1-6b6af8bcbf59@bootlin.com Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Zhaoyang Li <lizy04(a)hust.edu.cn> --- drivers/spi/spi-cadence-quadspi.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c index 42861bc45073..02c5f00c8a57 100644 --- a/drivers/spi/spi-cadence-quadspi.c +++ b/drivers/spi/spi-cadence-quadspi.c @@ -1775,10 +1775,9 @@ static int cqspi_remove(struct platform_device *pdev) static int cqspi_suspend(struct device *dev) { struct cqspi_st *cqspi = dev_get_drvdata(dev); - struct spi_master *master = dev_get_drvdata(dev); int ret; - ret = spi_master_suspend(master); + ret = spi_master_suspend(cqspi->master); cqspi_controller_enable(cqspi, 0); clk_disable_unprepare(cqspi->clk); @@ -1789,7 +1788,6 @@ static int cqspi_suspend(struct device *dev) static int cqspi_resume(struct device *dev) { struct cqspi_st *cqspi = dev_get_drvdata(dev); - struct spi_master *master = dev_get_drvdata(dev); clk_prepare_enable(cqspi->clk); cqspi_wait_idle(cqspi); @@ -1798,7 +1796,7 @@ static int cqspi_resume(struct device *dev) cqspi->current_cs = -1; cqspi->sclk = 0; - return spi_master_resume(master); + return spi_master_resume(cqspi->master); } static DEFINE_SIMPLE_DEV_PM_OPS(cqspi_dev_pm_ops, cqspi_suspend, cqspi_resume); -- 2.25.1

4 months

2
1
0 0

Drive Results for MRO & Air Charter with Targeted Contact Solutions

by Jessica Garcia

Hi , I'm offering a resource that connects aviation outreach with data-backed direction. We provide a current and verified list of contacts, tailored specifically for your industry. (i) High-Net-Worth Individuals (HNWI) seeking seamless luxury travel and private charters (ii) MRO Professionals focused on enhancing maintenance and procurement strategies (iii) Executive Assistants managing the travel needs of high-ranking executives For businesses offering aviation products, maintenance services, or charter flights, these contacts are ideal for your campaign. Please let me know if you'd like to explore the lead counts and their pricing structure. Regards, Jessica Marketing Manager Campaign Data Leads., Please respond with an Remove if you don't wish to receive further emails.

4 months

1
0
0 0

[PATCH] x86/bugs: Don't warn when overwriting retbleed_return_thunk with srso_return_thunk

by Suraj Jitindar Singh

A warning is emitted in set_return_thunk() when the return thunk is overwritten since this is likely a bug and will result in mitigations not functioning and the mitigation information displayed in sysfs being incorrect. There is a special case when the return thunk is overwritten from retbleed_return_thunk to srso_return_thunk since srso_return_thunk provides a superset of the functionality of retbleed_return_thunk, and this is handled correctly in entry_untrain_ret(). Avoid emitting the warning in this scenario to clarify that this is not an issue. This situation occurs on certain AMD processors (e.g. Zen2) which are affected by both retbleed and srso. Fixes: f4818881c47fd ("x86/its: Enable Indirect Target Selection mitigation") Cc: stable(a)vger.kernel.org # 5.15.x- Signed-off-by: Suraj Jitindar Singh <surajjs(a)amazon.com> --- arch/x86/kernel/cpu/bugs.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 8596ce85026c..b7797636140f 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -69,7 +69,16 @@ void (*x86_return_thunk)(void) __ro_after_init = __x86_return_thunk; static void __init set_return_thunk(void *thunk) { - if (x86_return_thunk != __x86_return_thunk) + /* + * There can only be one return thunk enabled at a time, so issue a + * warning when overwriting it. retbleed_return_thunk is a special case + * which is safe to be overwritten with srso_return_thunk since it + * provides a superset of the functionality and is handled correctly in + * entry_untrain_ret(). + */ + if ((x86_return_thunk != __x86_return_thunk) && + (thunk != srso_return_thunk || + x86_return_thunk != retbleed_return_thunk)) pr_warn("x86/bugs: return thunk changed\n"); x86_return_thunk = thunk; -- 2.34.1

4 months

5
12
0 0

[PATCH] perf/arm-cmn: Initialise cmn->cpu earlier

by Robin Murphy

For all the complexity of handling affinity for CPU hotplug, what we've apparently managed to overlook is that arm_cmn_init_irqs() has in fact always been setting the *initial* affinity of all IRQs to CPU 0, not the CPU we subsequently choose for event scheduling. Oh dear. Cc: stable(a)vger.kernel.org Fixes: 0ba64770a2f2 ("perf: Add Arm CMN-600 PMU driver") Signed-off-by: Robin Murphy <robin.murphy(a)arm.com> --- drivers/perf/arm-cmn.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/perf/arm-cmn.c b/drivers/perf/arm-cmn.c index aa2908313558..e385f187a084 100644 --- a/drivers/perf/arm-cmn.c +++ b/drivers/perf/arm-cmn.c @@ -2558,6 +2558,7 @@ static int arm_cmn_probe(struct platform_device *pdev) cmn->dev = &pdev->dev; cmn->part = (unsigned long)device_get_match_data(cmn->dev); + cmn->cpu = cpumask_local_spread(0, dev_to_node(cmn->dev)); platform_set_drvdata(pdev, cmn); if (cmn->part == PART_CMN600 && has_acpi_companion(cmn->dev)) { @@ -2585,7 +2586,6 @@ static int arm_cmn_probe(struct platform_device *pdev) if (err) return err; - cmn->cpu = cpumask_local_spread(0, dev_to_node(cmn->dev)); cmn->pmu = (struct pmu) { .module = THIS_MODULE, .parent = cmn->dev, -- 2.39.2.101.g768bb238c484.dirty

4 months

3
2
0 0

[PATCH 6.1.y] net/sched: flower: Fix chain template offload

by jianqi.ren.cn＠windriver.com

From: Ido Schimmel <idosch(a)nvidia.com> [ Upstream commit 32f2a0afa95fae0d1ceec2ff06e0e816939964b8 ] When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter. However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2]. Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one. As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains. [1] unreferenced object 0xffff888107e28800 (size 2048): comm "tc", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ backtrace: [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320 [<ffffffff81ab374e>] __kmalloc+0x4e/0x90 [<ffffffff832aec6d>] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0 [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180 [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280 [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340 [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0 [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170 [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0 [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440 [<ffffffff83ac6270>] netlink_unicast+0x540/0x820 [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0 [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80 [<ffffffff8379d29a>] ___sys_sendmsg+0x13a/0x1e0 [<ffffffff8379d50c>] __sys_sendmsg+0x11c/0x1f0 [<ffffffff843b9ce0>] do_syscall_64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm "tc", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... backtrace: [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320 [<ffffffff81ab36c1>] __kmalloc_node+0x51/0x90 [<ffffffff81a8ed96>] kvmalloc_node+0xa6/0x1f0 [<ffffffff82827d03>] bucket_table_alloc.isra.0+0x83/0x460 [<ffffffff82828d2b>] rhashtable_init+0x43b/0x7c0 [<ffffffff832aed48>] mlxsw_sp_acl_ruleset_get+0x428/0x7a0 [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180 [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280 [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340 [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0 [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170 [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0 [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440 [<ffffffff83ac6270>] netlink_unicast+0x540/0x820 [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0 [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80 [2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 # tc qdisc del dev swp1 clsact # devlink dev reload pci/0000:06:00.0 Fixes: bbf73830cd48 ("net: sched: traverse chains in block with tcf_get_next_chain()") Signed-off-by: Ido Schimmel <idosch(a)nvidia.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> [Minor conflict resolved due to code context change.] Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- include/net/sch_generic.h | 4 ++++ net/sched/cls_api.c | 9 ++++++++- net/sched/cls_flower.c | 23 +++++++++++++++++++++++ 3 files changed, 35 insertions(+), 1 deletion(-) diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h index 80f657bf2e04..d7b76f486c44 100644 --- a/include/net/sch_generic.h +++ b/include/net/sch_generic.h @@ -377,6 +377,10 @@ struct tcf_proto_ops { struct nlattr **tca, struct netlink_ext_ack *extack); void (*tmplt_destroy)(void *tmplt_priv); + void (*tmplt_reoffload)(struct tcf_chain *chain, + bool add, + flow_setup_cb_t *cb, + void *cb_priv); /* rtnetlink specific */ int (*dump)(struct net*, struct tcf_proto*, void *, diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c index 89da596be1b8..8548220b6112 100644 --- a/net/sched/cls_api.c +++ b/net/sched/cls_api.c @@ -1431,6 +1431,9 @@ tcf_block_playback_offloads(struct tcf_block *block, flow_setup_cb_t *cb, chain_prev = chain, chain = __tcf_get_next_chain(block, chain), tcf_chain_put(chain_prev)) { + if (chain->tmplt_ops && add) + chain->tmplt_ops->tmplt_reoffload(chain, true, cb, + cb_priv); for (tp = __tcf_get_next_proto(chain, NULL); tp; tp_prev = tp, tp = __tcf_get_next_proto(chain, tp), @@ -1446,6 +1449,9 @@ tcf_block_playback_offloads(struct tcf_block *block, flow_setup_cb_t *cb, goto err_playback_remove; } } + if (chain->tmplt_ops && !add) + chain->tmplt_ops->tmplt_reoffload(chain, false, cb, + cb_priv); } return 0; @@ -2832,7 +2838,8 @@ static int tc_chain_tmplt_add(struct tcf_chain *chain, struct net *net, ops = tcf_proto_lookup_ops(name, true, extack); if (IS_ERR(ops)) return PTR_ERR(ops); - if (!ops->tmplt_create || !ops->tmplt_destroy || !ops->tmplt_dump) { + if (!ops->tmplt_create || !ops->tmplt_destroy || !ops->tmplt_dump || + !ops->tmplt_reoffload) { NL_SET_ERR_MSG(extack, "Chain templates are not supported with specified classifier"); module_put(ops->owner); return -EOPNOTSUPP; diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c index a40a9e84c75f..42234a0101e7 100644 --- a/net/sched/cls_flower.c +++ b/net/sched/cls_flower.c @@ -2596,6 +2596,28 @@ static void fl_tmplt_destroy(void *tmplt_priv) kfree(tmplt); } +static void fl_tmplt_reoffload(struct tcf_chain *chain, bool add, + flow_setup_cb_t *cb, void *cb_priv) +{ + struct fl_flow_tmplt *tmplt = chain->tmplt_priv; + struct flow_cls_offload cls_flower = {}; + + cls_flower.rule = flow_rule_alloc(0); + if (!cls_flower.rule) + return; + + cls_flower.common.chain_index = chain->index; + cls_flower.command = add ? FLOW_CLS_TMPLT_CREATE : + FLOW_CLS_TMPLT_DESTROY; + cls_flower.cookie = (unsigned long) tmplt; + cls_flower.rule->match.dissector = &tmplt->dissector; + cls_flower.rule->match.mask = &tmplt->mask; + cls_flower.rule->match.key = &tmplt->dummy_key; + + cb(TC_SETUP_CLSFLOWER, &cls_flower, cb_priv); + kfree(cls_flower.rule); +} + static int fl_dump_key_val(struct sk_buff *skb, void *val, int val_type, void *mask, int mask_type, int len) @@ -3452,6 +3474,7 @@ static struct tcf_proto_ops cls_fl_ops __read_mostly = { .bind_class = fl_bind_class, .tmplt_create = fl_tmplt_create, .tmplt_destroy = fl_tmplt_destroy, + .tmplt_reoffload = fl_tmplt_reoffload, .tmplt_dump = fl_tmplt_dump, .owner = THIS_MODULE, .flags = TCF_PROTO_OPS_DOIT_UNLOCKED, -- 2.34.1

4 months

2
1
0 0

[PATCH 5.15.y] net/sched: flower: Fix chain template offload

by jianqi.ren.cn＠windriver.com

From: Ido Schimmel <idosch(a)nvidia.com> [ Upstream commit 32f2a0afa95fae0d1ceec2ff06e0e816939964b8 ] When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter. However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2]. Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one. As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains. [1] unreferenced object 0xffff888107e28800 (size 2048): comm "tc", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ backtrace: [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320 [<ffffffff81ab374e>] __kmalloc+0x4e/0x90 [<ffffffff832aec6d>] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0 [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180 [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280 [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340 [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0 [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170 [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0 [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440 [<ffffffff83ac6270>] netlink_unicast+0x540/0x820 [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0 [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80 [<ffffffff8379d29a>] ___sys_sendmsg+0x13a/0x1e0 [<ffffffff8379d50c>] __sys_sendmsg+0x11c/0x1f0 [<ffffffff843b9ce0>] do_syscall_64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm "tc", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... backtrace: [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320 [<ffffffff81ab36c1>] __kmalloc_node+0x51/0x90 [<ffffffff81a8ed96>] kvmalloc_node+0xa6/0x1f0 [<ffffffff82827d03>] bucket_table_alloc.isra.0+0x83/0x460 [<ffffffff82828d2b>] rhashtable_init+0x43b/0x7c0 [<ffffffff832aed48>] mlxsw_sp_acl_ruleset_get+0x428/0x7a0 [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180 [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280 [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340 [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0 [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170 [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0 [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440 [<ffffffff83ac6270>] netlink_unicast+0x540/0x820 [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0 [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80 [2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 # tc qdisc del dev swp1 clsact # devlink dev reload pci/0000:06:00.0 Fixes: bbf73830cd48 ("net: sched: traverse chains in block with tcf_get_next_chain()") Signed-off-by: Ido Schimmel <idosch(a)nvidia.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> [Minor conflict resolved due to code context change.] Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- include/net/sch_generic.h | 4 ++++ net/sched/cls_api.c | 9 ++++++++- net/sched/cls_flower.c | 23 +++++++++++++++++++++++ 3 files changed, 35 insertions(+), 1 deletion(-) diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h index 0919dfd3a67a..cdf8a21622ad 100644 --- a/include/net/sch_generic.h +++ b/include/net/sch_generic.h @@ -367,6 +367,10 @@ struct tcf_proto_ops { struct nlattr **tca, struct netlink_ext_ack *extack); void (*tmplt_destroy)(void *tmplt_priv); + void (*tmplt_reoffload)(struct tcf_chain *chain, + bool add, + flow_setup_cb_t *cb, + void *cb_priv); /* rtnetlink specific */ int (*dump)(struct net*, struct tcf_proto*, void *, diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c index a5864ddfb890..c001909f009e 100644 --- a/net/sched/cls_api.c +++ b/net/sched/cls_api.c @@ -1412,6 +1412,9 @@ tcf_block_playback_offloads(struct tcf_block *block, flow_setup_cb_t *cb, chain_prev = chain, chain = __tcf_get_next_chain(block, chain), tcf_chain_put(chain_prev)) { + if (chain->tmplt_ops && add) + chain->tmplt_ops->tmplt_reoffload(chain, true, cb, + cb_priv); for (tp = __tcf_get_next_proto(chain, NULL); tp; tp_prev = tp, tp = __tcf_get_next_proto(chain, tp), @@ -1427,6 +1430,9 @@ tcf_block_playback_offloads(struct tcf_block *block, flow_setup_cb_t *cb, goto err_playback_remove; } } + if (chain->tmplt_ops && !add) + chain->tmplt_ops->tmplt_reoffload(chain, false, cb, + cb_priv); } return 0; @@ -2766,7 +2772,8 @@ static int tc_chain_tmplt_add(struct tcf_chain *chain, struct net *net, ops = tcf_proto_lookup_ops(name, true, extack); if (IS_ERR(ops)) return PTR_ERR(ops); - if (!ops->tmplt_create || !ops->tmplt_destroy || !ops->tmplt_dump) { + if (!ops->tmplt_create || !ops->tmplt_destroy || !ops->tmplt_dump || + !ops->tmplt_reoffload) { NL_SET_ERR_MSG(extack, "Chain templates are not supported with specified classifier"); module_put(ops->owner); return -EOPNOTSUPP; diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c index af437be93e25..18f76f1cf944 100644 --- a/net/sched/cls_flower.c +++ b/net/sched/cls_flower.c @@ -2430,6 +2430,28 @@ static void fl_tmplt_destroy(void *tmplt_priv) kfree(tmplt); } +static void fl_tmplt_reoffload(struct tcf_chain *chain, bool add, + flow_setup_cb_t *cb, void *cb_priv) +{ + struct fl_flow_tmplt *tmplt = chain->tmplt_priv; + struct flow_cls_offload cls_flower = {}; + + cls_flower.rule = flow_rule_alloc(0); + if (!cls_flower.rule) + return; + + cls_flower.common.chain_index = chain->index; + cls_flower.command = add ? FLOW_CLS_TMPLT_CREATE : + FLOW_CLS_TMPLT_DESTROY; + cls_flower.cookie = (unsigned long) tmplt; + cls_flower.rule->match.dissector = &tmplt->dissector; + cls_flower.rule->match.mask = &tmplt->mask; + cls_flower.rule->match.key = &tmplt->dummy_key; + + cb(TC_SETUP_CLSFLOWER, &cls_flower, cb_priv); + kfree(cls_flower.rule); +} + static int fl_dump_key_val(struct sk_buff *skb, void *val, int val_type, void *mask, int mask_type, int len) @@ -3235,6 +3257,7 @@ static struct tcf_proto_ops cls_fl_ops __read_mostly = { .bind_class = fl_bind_class, .tmplt_create = fl_tmplt_create, .tmplt_destroy = fl_tmplt_destroy, + .tmplt_reoffload = fl_tmplt_reoffload, .tmplt_dump = fl_tmplt_dump, .owner = THIS_MODULE, .flags = TCF_PROTO_OPS_DOIT_UNLOCKED, -- 2.34.1

4 months

2
1
0 0

[PATCH 6.1.y] ipv6: Fix potential uninit-value access in __ip6_make_skb()

by Zhaoyang Li

From: Shigeru Yoshida <syoshida(a)redhat.com> [ Upstream commit 4e13d3a9c25b7080f8a619f961e943fe08c2672c ] As it was done in commit fc1092f51567 ("ipv4: Fix uninit-value access in __ip_make_skb()") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flags instead of testing HDRINCL on the socket to avoid a race condition which causes uninit-value access. Fixes: ea30388baebc ("ipv6: Fix an uninit variable access bug in __ip6_make_skb()") Signed-off-by: Shigeru Yoshida <syoshida(a)redhat.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Zhaoyang Li <lizy04(a)hust.edu.cn> --- net/ipv6/ip6_output.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index d7f7a714bd23..088487c5b548 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -1985,7 +1985,8 @@ struct sk_buff *__ip6_make_skb(struct sock *sk, struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb)); u8 icmp6_type; - if (sk->sk_socket->type == SOCK_RAW && !inet_sk(sk)->hdrincl) + if (sk->sk_socket->type == SOCK_RAW && + !(fl6->flowi6_flags & FLOWI_FLAG_KNOWN_NH)) icmp6_type = fl6->fl6_icmp_type; else icmp6_type = icmp6_hdr(skb)->icmp6_type; -- 2.25.1

4 months

2
1
0 0

[PATCH 5.10.y] net/sched: flower: Fix chain template offload

by jianqi.ren.cn＠windriver.com

From: Ido Schimmel <idosch(a)nvidia.com> [ Upstream commit 32f2a0afa95fae0d1ceec2ff06e0e816939964b8 ] When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter. However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2]. Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one. As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains. [1] unreferenced object 0xffff888107e28800 (size 2048): comm "tc", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ backtrace: [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320 [<ffffffff81ab374e>] __kmalloc+0x4e/0x90 [<ffffffff832aec6d>] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0 [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180 [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280 [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340 [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0 [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170 [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0 [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440 [<ffffffff83ac6270>] netlink_unicast+0x540/0x820 [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0 [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80 [<ffffffff8379d29a>] ___sys_sendmsg+0x13a/0x1e0 [<ffffffff8379d50c>] __sys_sendmsg+0x11c/0x1f0 [<ffffffff843b9ce0>] do_syscall_64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm "tc", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... backtrace: [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320 [<ffffffff81ab36c1>] __kmalloc_node+0x51/0x90 [<ffffffff81a8ed96>] kvmalloc_node+0xa6/0x1f0 [<ffffffff82827d03>] bucket_table_alloc.isra.0+0x83/0x460 [<ffffffff82828d2b>] rhashtable_init+0x43b/0x7c0 [<ffffffff832aed48>] mlxsw_sp_acl_ruleset_get+0x428/0x7a0 [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180 [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280 [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340 [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0 [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170 [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0 [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440 [<ffffffff83ac6270>] netlink_unicast+0x540/0x820 [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0 [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80 [2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 # tc qdisc del dev swp1 clsact # devlink dev reload pci/0000:06:00.0 Fixes: bbf73830cd48 ("net: sched: traverse chains in block with tcf_get_next_chain()") Signed-off-by: Ido Schimmel <idosch(a)nvidia.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> [Minor conflict resolved due to code context change.] Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- include/net/sch_generic.h | 4 ++++ net/sched/cls_api.c | 9 ++++++++- net/sched/cls_flower.c | 23 +++++++++++++++++++++++ 3 files changed, 35 insertions(+), 1 deletion(-) diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h index 4db11c4695cf..22d2f739692a 100644 --- a/include/net/sch_generic.h +++ b/include/net/sch_generic.h @@ -361,6 +361,10 @@ struct tcf_proto_ops { struct nlattr **tca, struct netlink_ext_ack *extack); void (*tmplt_destroy)(void *tmplt_priv); + void (*tmplt_reoffload)(struct tcf_chain *chain, + bool add, + flow_setup_cb_t *cb, + void *cb_priv); /* rtnetlink specific */ int (*dump)(struct net*, struct tcf_proto*, void *, diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c index beedd0d2b509..521fd4d6eb31 100644 --- a/net/sched/cls_api.c +++ b/net/sched/cls_api.c @@ -1413,6 +1413,9 @@ tcf_block_playback_offloads(struct tcf_block *block, flow_setup_cb_t *cb, chain_prev = chain, chain = __tcf_get_next_chain(block, chain), tcf_chain_put(chain_prev)) { + if (chain->tmplt_ops && add) + chain->tmplt_ops->tmplt_reoffload(chain, true, cb, + cb_priv); for (tp = __tcf_get_next_proto(chain, NULL); tp; tp_prev = tp, tp = __tcf_get_next_proto(chain, tp), @@ -1428,6 +1431,9 @@ tcf_block_playback_offloads(struct tcf_block *block, flow_setup_cb_t *cb, goto err_playback_remove; } } + if (chain->tmplt_ops && !add) + chain->tmplt_ops->tmplt_reoffload(chain, false, cb, + cb_priv); } return 0; @@ -2772,7 +2778,8 @@ static int tc_chain_tmplt_add(struct tcf_chain *chain, struct net *net, ops = tcf_proto_lookup_ops(name, true, extack); if (IS_ERR(ops)) return PTR_ERR(ops); - if (!ops->tmplt_create || !ops->tmplt_destroy || !ops->tmplt_dump) { + if (!ops->tmplt_create || !ops->tmplt_destroy || !ops->tmplt_dump || + !ops->tmplt_reoffload) { NL_SET_ERR_MSG(extack, "Chain templates are not supported with specified classifier"); module_put(ops->owner); return -EOPNOTSUPP; diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c index 9f6f8430d037..6c9d2afd91fe 100644 --- a/net/sched/cls_flower.c +++ b/net/sched/cls_flower.c @@ -2409,6 +2409,28 @@ static void fl_tmplt_destroy(void *tmplt_priv) kfree(tmplt); } +static void fl_tmplt_reoffload(struct tcf_chain *chain, bool add, + flow_setup_cb_t *cb, void *cb_priv) +{ + struct fl_flow_tmplt *tmplt = chain->tmplt_priv; + struct flow_cls_offload cls_flower = {}; + + cls_flower.rule = flow_rule_alloc(0); + if (!cls_flower.rule) + return; + + cls_flower.common.chain_index = chain->index; + cls_flower.command = add ? FLOW_CLS_TMPLT_CREATE : + FLOW_CLS_TMPLT_DESTROY; + cls_flower.cookie = (unsigned long) tmplt; + cls_flower.rule->match.dissector = &tmplt->dissector; + cls_flower.rule->match.mask = &tmplt->mask; + cls_flower.rule->match.key = &tmplt->dummy_key; + + cb(TC_SETUP_CLSFLOWER, &cls_flower, cb_priv); + kfree(cls_flower.rule); +} + static int fl_dump_key_val(struct sk_buff *skb, void *val, int val_type, void *mask, int mask_type, int len) @@ -3214,6 +3236,7 @@ static struct tcf_proto_ops cls_fl_ops __read_mostly = { .bind_class = fl_bind_class, .tmplt_create = fl_tmplt_create, .tmplt_destroy = fl_tmplt_destroy, + .tmplt_reoffload = fl_tmplt_reoffload, .tmplt_dump = fl_tmplt_dump, .owner = THIS_MODULE, .flags = TCF_PROTO_OPS_DOIT_UNLOCKED, -- 2.34.1

4 months

2
1
0 0

[PATCH 6.1.y] ipv4: Fix uninit-value access in __ip_make_skb()

by Zhaoyang Li

From: Shigeru Yoshida <syoshida(a)redhat.com> [ Upstream commit fc1092f51567277509563800a3c56732070b6aa4 ] KMSAN reported uninit-value access in __ip_make_skb() [1]. __ip_make_skb() tests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a race condition. If calling setsockopt(2) with IP_HDRINCL changes HDRINCL while __ip_make_skb() is running, the function will access icmphdr in the skb even if it is not included. This causes the issue reported by KMSAN. Check FLOWI_FLAG_KNOWN_NH on fl4->flowi4_flags instead of testing HDRINCL on the socket. Also, fl4->fl4_icmp_type and fl4->fl4_icmp_code are not initialized. These are union in struct flowi4 and are implicitly initialized by flowi4_init_output(), but we should not rely on specific union layout. Initialize these explicitly in raw_sendmsg(). [1] BUG: KMSAN: uninit-value in __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481 __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481 ip_finish_skb include/net/ip.h:243 [inline] ip_push_pending_frames+0x4c/0x5c0 net/ipv4/ip_output.c:1508 raw_sendmsg+0x2381/0x2690 net/ipv4/raw.c:654 inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x274/0x3c0 net/socket.c:745 __sys_sendto+0x62c/0x7b0 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x130/0x200 net/socket.c:2199 do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit was created at: slab_post_alloc_hook mm/slub.c:3804 [inline] slab_alloc_node mm/slub.c:3845 [inline] kmem_cache_alloc_node+0x5f6/0xc50 mm/slub.c:3888 kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:577 __alloc_skb+0x35a/0x7c0 net/core/skbuff.c:668 alloc_skb include/linux/skbuff.h:1318 [inline] __ip_append_data+0x49ab/0x68c0 net/ipv4/ip_output.c:1128 ip_append_data+0x1e7/0x260 net/ipv4/ip_output.c:1365 raw_sendmsg+0x22b1/0x2690 net/ipv4/raw.c:648 inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x274/0x3c0 net/socket.c:745 __sys_sendto+0x62c/0x7b0 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x130/0x200 net/socket.c:2199 do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x6d/0x75 CPU: 1 PID: 15709 Comm: syz-executor.7 Not tainted 6.8.0-11567-gb3603fcb79b1 #25 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014 Fixes: 99e5acae193e ("ipv4: Fix potential uninit variable access bug in __ip_make_skb()") Reported-by: syzkaller <syzkaller(a)googlegroups.com> Signed-off-by: Shigeru Yoshida <syoshida(a)redhat.com> Link: https://lore.kernel.org/r/20240430123945.2057348-1-syoshida@redhat.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Zhaoyang Li <lizy04(a)hust.edu.cn> --- net/ipv4/ip_output.c | 3 ++- net/ipv4/raw.c | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index c82107bbd981..543d029102cf 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c @@ -1580,7 +1580,8 @@ struct sk_buff *__ip_make_skb(struct sock *sk, * so icmphdr does not in skb linear region and can not get icmp_type * by icmp_hdr(skb)->type. */ - if (sk->sk_type == SOCK_RAW && !inet_sk(sk)->hdrincl) + if (sk->sk_type == SOCK_RAW && + !(fl4->flowi4_flags & FLOWI_FLAG_KNOWN_NH)) icmp_type = fl4->fl4_icmp_type; else icmp_type = icmp_hdr(skb)->type; diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c index ee0efd0efec4..c109bc376cc5 100644 --- a/net/ipv4/raw.c +++ b/net/ipv4/raw.c @@ -608,6 +608,9 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0), daddr, saddr, 0, 0, sk->sk_uid); + fl4.fl4_icmp_type = 0; + fl4.fl4_icmp_code = 0; + if (!hdrincl) { rfv.msg = msg; rfv.hlen = 0; -- 2.25.1

4 months

2
1
0 0

[PATCH 6.1] userfaultfd: fix checks for huge PMDs

by Xiangyu Chen

From: Jann Horn <jannh(a)google.com> commit 71c186efc1b2cf1aeabfeff3b9bd5ac4c5ac14d8 upstream. Patch series "userfaultfd: fix races around pmd_trans_huge() check", v2. The pmd_trans_huge() code in mfill_atomic() is wrong in three different ways depending on kernel version: 1. The pmd_trans_huge() check is racy and can lead to a BUG_ON() (if you hit the right two race windows) - I've tested this in a kernel build with some extra mdelay() calls. See the commit message for a description of the race scenario. On older kernels (before 6.5), I think the same bug can even theoretically lead to accessing transhuge page contents as a page table if you hit the right 5 narrow race windows (I haven't tested this case). 2. As pointed out by Qi Zheng, pmd_trans_huge() is not sufficient for detecting PMDs that don't point to page tables. On older kernels (before 6.5), you'd just have to win a single fairly wide race to hit this. I've tested this on 6.1 stable by racing migration (with a mdelay() patched into try_to_migrate()) against UFFDIO_ZEROPAGE - on my x86 VM, that causes a kernel oops in ptlock_ptr(). 3. On newer kernels (>=6.5), for shmem mappings, khugepaged is allowed to yank page tables out from under us (though I haven't tested that), so I think the BUG_ON() checks in mfill_atomic() are just wrong. I decided to write two separate fixes for these (one fix for bugs 1+2, one fix for bug 3), so that the first fix can be backported to kernels affected by bugs 1+2. This patch (of 2): This fixes two issues. I discovered that the following race can occur: mfill_atomic other thread ============ ============ <zap PMD> pmdp_get_lockless() [reads none pmd] <bail if trans_huge> <if none:> <pagefault creates transhuge zeropage> __pte_alloc [no-op] <zap PMD> <bail if pmd_trans_huge(*dst_pmd)> BUG_ON(pmd_none(*dst_pmd)) I have experimentally verified this in a kernel with extra mdelay() calls; the BUG_ON(pmd_none(*dst_pmd)) triggers. On kernels newer than commit 0d940a9b270b ("mm/pgtable: allow pte_offset_map[_lock]() to fail"), this can't lead to anything worse than a BUG_ON(), since the page table access helpers are actually designed to deal with page tables concurrently disappearing; but on older kernels (<=6.4), I think we could probably theoretically race past the two BUG_ON() checks and end up treating a hugepage as a page table. The second issue is that, as Qi Zheng pointed out, there are other types of huge PMDs that pmd_trans_huge() can't catch: devmap PMDs and swap PMDs (in particular, migration PMDs). On <=6.4, this is worse than the first issue: If mfill_atomic() runs on a PMD that contains a migration entry (which just requires winning a single, fairly wide race), it will pass the PMD to pte_offset_map_lock(), which assumes that the PMD points to a page table. Breakage follows: First, the kernel tries to take the PTE lock (which will crash or maybe worse if there is no "struct page" for the address bits in the migration entry PMD - I think at least on X86 there usually is no corresponding "struct page" thanks to the PTE inversion mitigation, amd64 looks different). If that didn't crash, the kernel would next try to write a PTE into what it wrongly thinks is a page table. As part of fixing these issues, get rid of the check for pmd_trans_huge() before __pte_alloc() - that's redundant, we're going to have to check for that after the __pte_alloc() anyway. Backport note: pmdp_get_lockless() is pmd_read_atomic() in older kernels. Link: https://lkml.kernel.org/r/20240813-uffd-thp-flip-fix-v2-0-5efa61078a41@goog… Link: https://lkml.kernel.org/r/20240813-uffd-thp-flip-fix-v2-1-5efa61078a41@goog… Fixes: c1a4de99fada ("userfaultfd: mcopy_atomic|mfill_zeropage: UFFDIO_COPY|UFFDIO_ZEROPAGE preparation") Signed-off-by: Jann Horn <jannh(a)google.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Andrea Arcangeli <aarcange(a)redhat.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Jann Horn <jannh(a)google.com> Cc: Pavel Emelyanov <xemul(a)virtuozzo.com> Cc: Qi Zheng <zhengqi.arch(a)bytedance.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> [ According to backport note in git comment message, using pmd_read_atomic() instead of pmdp_get_lockless() in older kernels ] Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified on build test --- mm/userfaultfd.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c index 992a0a16846f..998c7075c62a 100644 --- a/mm/userfaultfd.c +++ b/mm/userfaultfd.c @@ -642,21 +642,23 @@ static __always_inline ssize_t __mcopy_atomic(struct mm_struct *dst_mm, } dst_pmdval = pmd_read_atomic(dst_pmd); - /* - * If the dst_pmd is mapped as THP don't - * override it and just be strict. - */ - if (unlikely(pmd_trans_huge(dst_pmdval))) { - err = -EEXIST; - break; - } if (unlikely(pmd_none(dst_pmdval)) && unlikely(__pte_alloc(dst_mm, dst_pmd))) { err = -ENOMEM; break; } - /* If an huge pmd materialized from under us fail */ - if (unlikely(pmd_trans_huge(*dst_pmd))) { + dst_pmdval = pmd_read_atomic(dst_pmd); + /* + * If the dst_pmd is THP don't override it and just be strict. + * (This includes the case where the PMD used to be THP and + * changed back to none after __pte_alloc().) + */ + if (unlikely(!pmd_present(dst_pmdval) || pmd_trans_huge(dst_pmdval) || + pmd_devmap(dst_pmdval))) { + err = -EEXIST; + break; + } + if (unlikely(pmd_bad(dst_pmdval))) { err = -EFAULT; break; } -- 2.34.1

4 months

2
1
0 0

[PATCH 2/7] drm/xe/display: Add check for alloc_ordered_workqueue()

by Jani Nikula

From: Haoxiang Li <haoxiang_li2024(a)163.com> Add check for the return value of alloc_ordered_workqueue() in xe_display_create() to catch potential exception. Fixes: 44e694958b95 ("drm/xe/display: Implement display support") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> Signed-off-by: Jani Nikula <jani.nikula(a)intel.com> --- drivers/gpu/drm/xe/display/xe_display.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/xe/display/xe_display.c b/drivers/gpu/drm/xe/display/xe_display.c index 699f401eff10..df897d08255c 100644 --- a/drivers/gpu/drm/xe/display/xe_display.c +++ b/drivers/gpu/drm/xe/display/xe_display.c @@ -112,6 +112,8 @@ int xe_display_create(struct xe_device *xe) spin_lock_init(&display->fb_tracking.lock); display->hotplug.dp_wq = alloc_ordered_workqueue("xe-dp", 0); + if (!display->hotplug.dp_wq) + return -ENOMEM; return drmm_add_action_or_reset(&xe->drm, display_destroy, NULL); } -- 2.39.5

4 months

2
1
0 0

[PATCH RESEND] drm/xe/display: Add check for alloc_ordered_workqueue()

by Haoxiang Li

Add check for the return value of alloc_ordered_workqueue() in xe_display_create() to catch potential exception. Fixes: 44e694958b95 ("drm/xe/display: Implement display support") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> --- drivers/gpu/drm/xe/display/xe_display.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/xe/display/xe_display.c b/drivers/gpu/drm/xe/display/xe_display.c index 0b0aca7a25af..18062cfb265f 100644 --- a/drivers/gpu/drm/xe/display/xe_display.c +++ b/drivers/gpu/drm/xe/display/xe_display.c @@ -104,6 +104,8 @@ int xe_display_create(struct xe_device *xe) spin_lock_init(&xe->display.fb_tracking.lock); xe->display.hotplug.dp_wq = alloc_ordered_workqueue("xe-dp", 0); + if (!xe->display.hotplug.dp_wq) + return -ENOMEM; return drmm_add_action_or_reset(&xe->drm, display_destroy, NULL); } -- 2.25.1

4 months

2
1
0 0

[PATCH v2 RESEND] drm/i915/display: Add check for alloc_ordered_workqueue() and alloc_workqueue()

by Haoxiang Li

Add check for the return value of alloc_ordered_workqueue() and alloc_workqueue(). Furthermore, if some allocations fail, cleanup works are added to avoid potential memory leak problem. Fixes: 40053823baad ("drm/i915/display: move modeset probe/remove functions to intel_display_driver.c") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> --- Changes in v2: - Split the compound conditional statement into separate conditional statements to facilitate cleanup works. - Add cleanup works to destory work queues if allocations fail, and modify the later goto destination to do the full excercise. - modify the patch description. Thanks, Jani! --- .../drm/i915/display/intel_display_driver.c | 30 +++++++++++++++---- 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/i915/display/intel_display_driver.c b/drivers/gpu/drm/i915/display/intel_display_driver.c index 31740a677dd8..ac94561715dc 100644 --- a/drivers/gpu/drm/i915/display/intel_display_driver.c +++ b/drivers/gpu/drm/i915/display/intel_display_driver.c @@ -241,31 +241,45 @@ int intel_display_driver_probe_noirq(struct intel_display *display) intel_dmc_init(display); display->wq.modeset = alloc_ordered_workqueue("i915_modeset", 0); + if (!display->wq.modeset) { + ret = -ENOMEM; + goto cleanup_vga_client_pw_domain_dmc; + } + display->wq.flip = alloc_workqueue("i915_flip", WQ_HIGHPRI | WQ_UNBOUND, WQ_UNBOUND_MAX_ACTIVE); + if (!display->wq.flip) { + ret = -ENOMEM; + goto cleanup_wq_modeset; + } + display->wq.cleanup = alloc_workqueue("i915_cleanup", WQ_HIGHPRI, 0); + if (!display->wq.cleanup) { + ret = -ENOMEM; + goto cleanup_wq_flip; + } intel_mode_config_init(display); ret = intel_cdclk_init(display); if (ret) - goto cleanup_vga_client_pw_domain_dmc; + goto cleanup_wq_cleanup; ret = intel_color_init(display); if (ret) - goto cleanup_vga_client_pw_domain_dmc; + goto cleanup_wq_cleanup; ret = intel_dbuf_init(i915); if (ret) - goto cleanup_vga_client_pw_domain_dmc; + goto cleanup_wq_cleanup; ret = intel_bw_init(i915); if (ret) - goto cleanup_vga_client_pw_domain_dmc; + goto cleanup_wq_cleanup; ret = intel_pmdemand_init(display); if (ret) - goto cleanup_vga_client_pw_domain_dmc; + goto cleanup_wq_cleanup; intel_init_quirks(display); @@ -273,6 +287,12 @@ int intel_display_driver_probe_noirq(struct intel_display *display) return 0; +cleanup_wq_cleanup: + destroy_workqueue(display->wq.cleanup); +cleanup_wq_flip: + destroy_workqueue(display->wq.flip); +cleanup_wq_modeset: + destroy_workqueue(display->wq.modeset); cleanup_vga_client_pw_domain_dmc: intel_dmc_fini(display); intel_power_domains_driver_remove(display); -- 2.25.1

4 months

2
1
0 0

[PATCH v3] fs: minix: Fix handling of corrupted directories

by Andrey Kriulin

If the directory is corrupted and the number of nlinks is less than 2 (valid nlinks have at least 2), then when the directory is deleted, the minix_rmdir will try to reduce the nlinks(unsigned int) to a negative value. Make nlinks validity check for directories. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Andrey Kriulin <kitotavrik.s(a)gmail.com> --- v3: Move nlinks validaty check to minix_rmdir and minix_rename per Jan Kara <jack(a)suse.cz> request. v2: Move nlinks validaty check to V[12]_minix_iget() per Jan Kara <jack(a)suse.cz> request. Change return error code to EUCLEAN. Don't block directory in r/o mode per Al Viro <viro(a)zeniv.linux.org.uk> request. fs/minix/namei.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/fs/minix/namei.c b/fs/minix/namei.c index 8938536d8d3c..5a1e5f8ef443 100644 --- a/fs/minix/namei.c +++ b/fs/minix/namei.c @@ -161,8 +161,12 @@ static int minix_unlink(struct inode * dir, struct dentry *dentry) static int minix_rmdir(struct inode * dir, struct dentry *dentry) { struct inode * inode = d_inode(dentry); - int err = -ENOTEMPTY; + int err = -EUCLEAN; + if (inode->i_nlink < 2) + return err; + + err = -ENOTEMPTY; if (minix_empty_dir(inode)) { err = minix_unlink(dir, dentry); if (!err) { @@ -235,6 +239,10 @@ static int minix_rename(struct mnt_idmap *idmap, mark_inode_dirty(old_inode); if (dir_de) { + if (old_dir->i_nlink <= 2) { + err = -EUCLEAN; + goto out_dir; + } err = minix_set_link(dir_de, dir_folio, new_dir); if (!err) inode_dec_link_count(old_dir); -- 2.47.2

4 months

3
2
0 0

[PATCH v2 0/5] rtc: Fix problems with missing UIE irqs

by Esben Haabendal

This fixes a couple of different problems, that can cause RTC (alarm) irqs to be missing when generating UIE interrupts. The first commit fixes a long-standing problem, which has been documented in a comment since 2010. This fixes a race that could cause UIE irqs to stop being generated, which was easily reproduced by timing the use of RTC_UIE_ON ioctl with the seconds tick in the RTC. The last commit ensures that RTC (alarm) irqs are enabled whenever RTC_UIE_ON ioctl is used. The driver specific commits avoids kernel warnings about unbalanced enable_irq/disable_irq, which gets triggered on first RTC_UIE_ON with the last commit. Before this series, the same warning should be seen on initial RTC_AIE_ON with those drivers. Signed-off-by: Esben Haabendal <esben(a)geanix.com> --- Changes in v2: - Dropped patch for rtc-st-lpc driver. - Link to v1: https://lore.kernel.org/r/20241203-rtc-uie-irq-fixes-v1-0-01286ecd9f3f@gean… --- Esben Haabendal (5): rtc: interface: Fix long-standing race when setting alarm rtc: isl12022: Fix initial enable_irq/disable_irq balance rtc: cpcap: Fix initial enable_irq/disable_irq balance rtc: tps6586x: Fix initial enable_irq/disable_irq balance rtc: interface: Ensure alarm irq is enabled when UIE is enabled drivers/rtc/interface.c | 27 +++++++++++++++++++++++++++ drivers/rtc/rtc-cpcap.c | 1 + drivers/rtc/rtc-isl12022.c | 1 + drivers/rtc/rtc-tps6586x.c | 1 + 4 files changed, 30 insertions(+) --- base-commit: 82f2b0b97b36ee3fcddf0f0780a9a0825d52fec3 change-id: 20241203-rtc-uie-irq-fixes-f2838782d0f8 Best regards, -- Esben Haabendal <esben(a)geanix.com>

4 months

1
2
0 0

[PATCH 6.14 000/197] 6.14.7-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.14.7 release. There are 197 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 16 May 2025 12:55:38 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.14.7-rc2… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.14.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.14.7-rc2 Peter Zijlstra <peterz(a)infradead.org> x86/its: FineIBT-paranoid vs ITS Eric Biggers <ebiggers(a)google.com> x86/its: Fix build errors when CONFIG_MODULES=n Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> selftest/x86/bugs: Add selftests for ITS Peter Zijlstra <peterz(a)infradead.org> x86/its: Use dynamic thunks for indirect branches Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/ibt: Keep IBT disabled during alternative patching Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Align RETs in BHB clear sequence to avoid thunking Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for RSB stuffing mitigation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add "vmexit" option to skip mitigation on some CPUs Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enable Indirect Target Selection mitigation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe return thunk Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe indirect thunk Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enumerate Indirect Target Selection (ITS) bug Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Documentation: x86/bugs/its: Add ITS documentation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/bhi: Do not set BHI_DIS_S in 32-bit mode Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bpf: Add IBHF call at end of classic BPF Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bpf: Call branch history clearing sequence on exit James Morse <james.morse(a)arm.com> arm64: proton-pack: Add new CPUs 'k' values for branch mitigation James Morse <james.morse(a)arm.com> arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users James Morse <james.morse(a)arm.com> arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs James Morse <james.morse(a)arm.com> arm64: proton-pack: Expose whether the branchy loop k value James Morse <james.morse(a)arm.com> arm64: proton-pack: Expose whether the platform is mitigated by firmware James Morse <james.morse(a)arm.com> arm64: insn: Add support for encoding DSB Johannes Weiner <hannes(a)cmpxchg.org> mm: page_alloc: speed up fallbacks in rmqueue_bulk() Johannes Weiner <hannes(a)cmpxchg.org> mm: page_alloc: don't steal single pages from biggest buddy Hao Qin <hao.qin(a)mediatek.com> Bluetooth: btmtk: Remove the resetting step before downloading the fw Jens Axboe <axboe(a)kernel.dk> io_uring: always arm linked timeouts prior to issue Miguel Ojeda <ojeda(a)kernel.org> rust: clean Rust 1.88.0's `clippy::uninlined_format_args` lint Miguel Ojeda <ojeda(a)kernel.org> rust: allow Rust 1.87.0's `clippy::ptr_eq` lint Al Viro <viro(a)zeniv.linux.org.uk> do_umount(): add missing barrier before refcount checks in sync case Gabriel Krisman Bertazi <krisman(a)suse.de> io_uring/sqpoll: Increase task_work submission batch size Shuicheng Lin <shuicheng.lin(a)intel.com> drm/xe: Release force wake first then runtime power Tejas Upadhyay <tejas.upadhyay(a)intel.com> drm/xe/tests/mocs: Hold XE_FORCEWAKE_ALL for LNCF regs Samuel Holland <samuel.holland(a)sifive.com> riscv: Disallow PR_GET_TAGGED_ADDR_CTRL without Supm Clément Léger <cleger(a)rivosinc.com> riscv: misaligned: enable IRQs while handling misaligned accesses Clément Léger <cleger(a)rivosinc.com> riscv: misaligned: factorize trap handling Daniel Wagner <wagi(a)kernel.org> nvme: unblock ctrl state transition for firmware update Kevin Baker <kevinb(a)ventureresearch.com> drm/panel: simple: Update timings for AUO G101EVN010 Lizhi Xu <lizhi.xu(a)windriver.com> loop: Add sanity check for read/write_iter Christoph Hellwig <hch(a)lst.de> loop: factor out a loop_assign_backing_file helper Nylon Chen <nylon.chen(a)sifive.com> riscv: misaligned: Add handling for ZCB instructions Thorsten Blum <thorsten.blum(a)linux.dev> MIPS: Fix MAX_REG_OFFSET Karol Wachowski <karol.wachowski(a)intel.com> accel/ivpu: Correct mutex unlock order in job submission Karol Wachowski <karol.wachowski(a)intel.com> accel/ivpu: Separate DB ID and CMDQ ID allocations from CMDQ allocation Thomas Gleixner <tglx(a)linutronix.de> timekeeping: Prevent coarse clocks going backwards Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: adc: dln2: Use aligned_s64 for timestamp Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: accel: adxl355: Make timestamp 64-bit aligned using aligned_s64 Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: temp: maxim-thermocouple: Fix potential lack of DMA safe buffer. Lothar Rubusch <l.rubusch(a)gmail.com> iio: accel: adxl367: fix setting odr for activity time update Gustavo Silva <gustavograzs(a)gmail.com> iio: imu: bmi270: fix initial sampling frequency configuration Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous generic_read ioctl return Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous wait_srq ioctl return Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous get_stb ioctl error returns Oliver Neukum <oneukum(a)suse.com> USB: usbtmc: use interruptible sleep in usbtmc_read Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: ucsi: displayport: Fix NULL pointer access Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: ucsi: displayport: Fix deadlock RD Babiera <rdbabiera(a)google.com> usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition Lukasz Czechowski <lukasz.czechowski(a)thaumatec.com> usb: misc: onboard_usb_dev: fix support for Cypress HX3 hubs Jim Lin <jilin(a)nvidia.com> usb: host: tegra: Prevent host controller crash when OTG port is used Prashanth K <prashanth.k(a)oss.qualcomm.com> usb: gadget: Use get_status callback to set remote wakeup capability Wayne Chang <waynec(a)nvidia.com> usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN Prashanth K <prashanth.k(a)oss.qualcomm.com> usb: gadget: f_ecm: Add get_status callback Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: Fix issue with resuming from L1 Prashanth K <prashanth.k(a)oss.qualcomm.com> usb: dwc3: gadget: Make gadget_wakeup asynchronous Jan Kara <jack(a)suse.cz> ocfs2: stop quota recovery before disabling quotas Jan Kara <jack(a)suse.cz> ocfs2: implement handshaking with ocfs2 recovery thread Jan Kara <jack(a)suse.cz> ocfs2: switch osb->disable_recovery to enum Heming Zhao <heming.zhao(a)suse.com> ocfs2: fix the issue with discontiguous allocation in the global_bitmap Mark Tinguely <mark.tinguely(a)oracle.com> ocfs2: fix panic in failed foilio allocation Borislav Petkov (AMD) <bp(a)alien8.de> x86/microcode: Consolidate the loader enablement checking Dmitry Antipov <dmantipov(a)yandex.ru> module: ensure that kobject_put() is safe for module type kobjects Tom Lendacky <thomas.lendacky(a)amd.com> memblock: Accept allocated memory before use in memblock_double_array() Sebastian Ott <sebott(a)redhat.com> KVM: arm64: Fix uninitialized memcache pointer in user_mem_abort() Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> clocksource/i8253: Use raw_spinlock_irqsave() in clockevent_i8253_disable() Yeoreum Yun <yeoreum.yun(a)arm.com> arm64: cpufeature: Move arm64_use_ng_mappings to the .data section to prevent wrong idmap generation Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> accel/ivpu: Increase state dump msg timeout Jason Andryuk <jason.andryuk(a)amd.com> xenbus: Use kref to track req lifetime John Ernberg <john.ernberg(a)actia.se> xen: swiotlb: Use swiotlb bouncing if kmalloc allocation demands it Paul Aurich <paul(a)darkrain42.org> smb: client: Avoid race in open_cached_dir with lease breaks Alexey Charkov <alchark(a)gmail.com> usb: uhci-platform: Make the clock really optional Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: Avoid event polling busyloop if pending rx transfers are inactive. Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp7: use memcfg register to post the write for HDP flush Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp6: use memcfg register to post the write for HDP flush Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp5: use memcfg register to post the write for HDP flush Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp4: use memcfg register to post the write for HDP flush Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Copy AUX read reply data whenever length > 0 Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Fix wrong handling for AUX_DEFER case Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Remove incorrect checking in dmub aux handler Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Fix the checking condition in dmub aux handling Aurabindo Pillai <aurabindo.pillai(a)amd.com> drm/amd/display: more liberal vmin/vmax update for freesync Roman Li <Roman.Li(a)amd.com> drm/amd/display: Fix invalid context error in dml helper Ruijing Dong <ruijing.dong(a)amd.com> drm/amdgpu/vcn: using separate VCN1_AON_SOC offset Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: fix pm notifier handling Matthew Brost <matthew.brost(a)intel.com> drm/xe: Add page queue multiplier Maíra Canal <mcanal(a)igalia.com> drm/v3d: Add job to pending list if the reset was skipped Alex Deucher <alexander.deucher(a)amd.com> Revert "drm/amd: Stop evicting resources on APUs in suspend" David Lechner <dlechner(a)baylibre.com> iio: pressure: mprls0025pa: use aligned_s64 for timestamp Luca Ceresoli <luca.ceresoli(a)bootlin.com> iio: light: opt3001: fix deadlock due to concurrent flag access Silvano Seva <s.seva(a)4sigma.it> iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo Silvano Seva <s.seva(a)4sigma.it> iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo David Lechner <dlechner(a)baylibre.com> iio: imu: inv_mpu6050: align buffer for timestamp Zhang Lixu <lixu.zhang(a)intel.com> iio: hid-sensor-prox: Fix incorrect OFFSET calculation Zhang Lixu <lixu.zhang(a)intel.com> iio: hid-sensor-prox: support multi-channel SCALE calculation Zhang Lixu <lixu.zhang(a)intel.com> iio: hid-sensor-prox: Restore lost scale assignments David Lechner <dlechner(a)baylibre.com> iio: chemical: pms7003: use aligned_s64 for timestamp David Lechner <dlechner(a)baylibre.com> iio: chemical: sps30: use aligned_s64 for timestamp Gabriel Shahrouzi <gshahrouzi(a)gmail.com> iio: adis16201: Correct inclinometer channel resolution Simon Xue <xxm(a)rock-chips.com> iio: adc: rockchip: Fix clock initialization sequence Angelo Dureghello <adureghello(a)baylibre.com> iio: adc: ad7606: fix serial register access Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: adc: ad7266: Fix potential timestamp alignment issue. Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: adc: ad7768-1: Fix insufficient alignment of timestamp. Jens Axboe <axboe(a)kernel.dk> io_uring: ensure deferred completions are flushed for multishot Nam Cao <namcao(a)linutronix.de> riscv: Fix kernel crash due to PR_SET_TAGGED_ADDR_CTRL Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Shift DMUB AUX reply command if necessary Mikhail Lobanov <m.lobanov(a)rosa.ru> KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception Sean Christopherson <seanjc(a)google.com> KVM: x86/mmu: Prevent installing hugepages when mem attributes are changing Madhavan Srinivasan <maddy(a)linux.ibm.com> selftests/mm: fix build break when compiling pkey_util.c Nysal Jan K.A. <nysal(a)linux.ibm.com> selftests/mm: fix a build failure on powerpc Feng Tang <feng.tang(a)linux.alibaba.com> selftests/mm: compaction_test: support platform with huge mount of memory Peter Xu <peterx(a)redhat.com> mm/userfaultfd: fix uninitialized output field for -EAGAIN race Gavin Guo <gavinguo(a)igalia.com> mm/huge_memory: fix dereferencing invalid pmd migration entry Kees Cook <kees(a)kernel.org> mm: vmalloc: support more granular vrealloc() sizing Petr Vaněk <arkamar(a)atlas.cz> mm: fix folio_pte_batch() on XEN PV Dave Hansen <dave.hansen(a)linux.intel.com> x86/mm: Eliminate window where TLB flushes may be inadvertently skipped Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: axis-fifo: Correct handling of tx_fifo_depth for size validation Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: axis-fifo: Remove hardware resets for user errors Dave Stevenson <dave.stevenson(a)raspberrypi.com> staging: bcm2835-camera: Initialise dev in v4l2_dev Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: iio: adc: ad7816: Correct conditional logic for store mode Naman Jain <namjain(a)linux.microsoft.com> uio_hv_generic: Fix sysfs creation path for ring buffer Miguel Ojeda <ojeda(a)kernel.org> rust: clean Rust 1.88.0's warning about `clippy::disallowed_macros` configuration Miguel Ojeda <ojeda(a)kernel.org> objtool/rust: add one more `noreturn` Rust function for Rust 1.87.0 Miguel Ojeda <ojeda(a)kernel.org> rust: clean Rust 1.88.0's `unnecessary_transmutes` lint Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: synaptics - enable SMBus for HP Elitebook 850 G1 Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on Dell Precision M3800 Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on Dynabook Portege X30L-G Manuel Fombuena <fombuena(a)outlook.com> Input: synaptics - enable InterTouch on Dynabook Portege X30-D Vicki Pfau <vi(a)endrift.com> Input: xpad - fix two controller table values Lode Willems <me(a)lodewillems.com> Input: xpad - add support for 8BitDo Ultimate 2 Wireless Controller Vicki Pfau <vi(a)endrift.com> Input: xpad - fix Share button on Xbox One controllers Gary Bisson <bisson.gary(a)gmail.com> Input: mtk-pmic-keys - fix possible null pointer dereference Mikael Gonella-Bolduc <mgonellabolduc(a)dimonoff.com> Input: cyttsp5 - fix power control issue on wakeup Hugo Villeneuve <hvilleneuve(a)dimonoff.com> Input: cyttsp5 - ensure minimum reset pulse width Jakub Kicinski <kuba(a)kernel.org> virtio-net: fix total qstat values Jakub Kicinski <kuba(a)kernel.org> net: export a helper for adding up queue stats Alexander Duyck <alexanderduyck(a)fb.com> fbnic: Do not allow mailbox to toggle to ready outside fbnic_mbx_poll_tx_ready Alexander Duyck <alexanderduyck(a)fb.com> fbnic: Pull fbnic_fw_xmit_cap_msg use out of interrupt context Alexander Duyck <alexanderduyck(a)fb.com> fbnic: Improve responsiveness of fbnic_mbx_poll_tx_ready Alexander Duyck <alexanderduyck(a)fb.com> fbnic: Cleanup handling of completions Alexander Duyck <alexanderduyck(a)fb.com> fbnic: Actually flush_tx instead of stalling out Alexander Duyck <alexanderduyck(a)fb.com> fbnic: Gate AXI read/write enabling on FW mailbox Alexander Duyck <alexanderduyck(a)fb.com> fbnic: Fix initialization of mailbox descriptor rings Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: do not set learning and unicast/multicast on up Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix learning on VLAN unaware bridges Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix toggling vlan_filtering Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: do not program vlans when vlan filtering is off Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: do not allow to configure VLAN 0 Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: always rejoin default untagged VLAN on bridge leave Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix flushing old pvid VLAN on pvid change Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix clearing PVID of a port Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: keep CPU port always tagged again Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: allow leaky reserved multicast Paul Chaignon <paul.chaignon(a)gmail.com> bpf: Scrub packet on bpf_redirect_peer Jozsef Kadlecsik <kadlec(a)netfilter.org> netfilter: ipset: fix region locking in hash types Julian Anastasov <ja(a)ssi.bg> ipvs: fix uninit-value for saddr in do_output_route4 Gao Xiang <xiang(a)kernel.org> erofs: ensure the extra temporary copy is valid for shortened bvecs Przemek Kitszel <przemyslaw.kitszel(a)intel.com> ice: use DSN instead of PCI BDF for ice_adapter index Michael-CY Lee <michael-cy.lee(a)mediatek.com> wifi: mac80211: fix the type of status_code for negotiated TID to Link Mapping Oliver Hartkopp <socketcan(a)hartkopp.net> can: gw: fix RCU/BH usage in cgw_create_job() Kelsey Maes <kelsey(a)vpprocess.com> can: mcp251xfd: fix TDC setting for low data bit rates Antonios Salios <antonios(a)mwa.re> can: m_can: m_can_class_allocate_dev(): initialize spin lock on device probe Frank Wunderlich <frank-w(a)public-files.de> net: ethernet: mtk_eth_soc: do not reset PSE when setting FE Daniel Golle <daniel(a)makrotopia.org> net: ethernet: mtk_eth_soc: reset all TX queues on DMA free Guillaume Nault <gnault(a)redhat.com> gre: Fix again IPv6 link-local address generation. Jakub Kicinski <kuba(a)kernel.org> virtio-net: free xsk_buffs on error in virtnet_xsk_pool_enable() Jakub Kicinski <kuba(a)kernel.org> virtio-net: don't re-enable refill work too early when NAPI is disabled Cong Wang <xiyou.wangcong(a)gmail.com> sch_htb: make htb_deactivate() idempotent Heiko Carstens <hca(a)linux.ibm.com> s390/entry: Fix last breaking event handling in case of stack corruption Wang Zhaolong <wangzhaolong1(a)huawei.com> ksmbd: fix memory leak in parse_lease_state() Eelco Chaudron <echaudro(a)redhat.com> openvswitch: Fix unsafe attribute parsing in output_userspace() Sean Heelan <seanheelan(a)gmail.com> ksmbd: Fix UAF in __close_file_table_ids Norbert Szetei <norbert(a)doyensec.com> ksmbd: prevent out-of-bounds stream writes by validating *pos Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: prevent rename with empty string Marc Kleine-Budde <mkl(a)pengutronix.de> can: rockchip_canfd: rkcanfd_remove(): fix order of unregistration calls Marc Kleine-Budde <mkl(a)pengutronix.de> can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs Alex Williamson <alex.williamson(a)redhat.com> vfio/pci: Align huge faults to order Veerendranath Jakkam <quic_vjakkam(a)quicinc.com> wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Fix missing check for zpci_create_device() error return Marc Kleine-Budde <mkl(a)pengutronix.de> can: mcan: m_can_class_unregister(): fix order of unregistration calls Cristian Marussi <cristian.marussi(a)arm.com> firmware: arm_scmi: Fix timeout checks on polling path Wojciech Dubowik <Wojciech.Dubowik(a)mt.com> arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 Qu Wenruo <wqu(a)suse.com> Revert "btrfs: canonicalize the device path before adding it" Max Kellermann <max.kellermann(a)ionos.com> fs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio() Dan Carpenter <dan.carpenter(a)linaro.org> dm: add missing unlock on in dm_keyslot_evict() ------------- Diffstat: .clippy.toml | 2 +- Documentation/ABI/testing/sysfs-devices-system-cpu | 1 + Documentation/admin-guide/hw-vuln/index.rst | 1 + .../hw-vuln/indirect-target-selection.rst | 168 ++++++++++++++++ Documentation/admin-guide/kernel-parameters.txt | 18 ++ Makefile | 4 +- arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 25 ++- arch/arm64/include/asm/cputype.h | 2 + arch/arm64/include/asm/insn.h | 1 + arch/arm64/include/asm/spectre.h | 3 + arch/arm64/kernel/cpufeature.c | 9 +- arch/arm64/kernel/proton-pack.c | 13 +- arch/arm64/kvm/mmu.c | 13 +- arch/arm64/lib/insn.c | 76 +++++--- arch/arm64/net/bpf_jit_comp.c | 57 +++++- arch/mips/include/asm/ptrace.h | 3 +- arch/riscv/kernel/process.c | 6 + arch/riscv/kernel/traps.c | 64 ++++--- arch/riscv/kernel/traps_misaligned.c | 17 ++ arch/s390/kernel/entry.S | 3 +- arch/s390/pci/pci_clp.c | 2 + arch/x86/Kconfig | 12 ++ arch/x86/entry/entry_64.S | 20 +- arch/x86/include/asm/alternative.h | 32 ++++ arch/x86/include/asm/cpufeatures.h | 3 + arch/x86/include/asm/microcode.h | 2 + arch/x86/include/asm/msr-index.h | 8 + arch/x86/include/asm/nospec-branch.h | 10 + arch/x86/kernel/alternative.c | 208 +++++++++++++++++++- arch/x86/kernel/cpu/bugs.c | 176 ++++++++++++++++- arch/x86/kernel/cpu/common.c | 72 +++++-- arch/x86/kernel/cpu/microcode/amd.c | 6 +- arch/x86/kernel/cpu/microcode/core.c | 60 +++--- arch/x86/kernel/cpu/microcode/intel.c | 2 +- arch/x86/kernel/cpu/microcode/internal.h | 1 - arch/x86/kernel/ftrace.c | 2 +- arch/x86/kernel/head32.c | 4 - arch/x86/kernel/module.c | 6 + arch/x86/kernel/static_call.c | 4 +- arch/x86/kernel/vmlinux.lds.S | 10 + arch/x86/kvm/mmu/mmu.c | 89 ++++++--- arch/x86/kvm/smm.c | 1 + arch/x86/kvm/svm/svm.c | 4 + arch/x86/kvm/x86.c | 4 +- arch/x86/lib/retpoline.S | 39 ++++ arch/x86/mm/tlb.c | 23 ++- arch/x86/net/bpf_jit_comp.c | 58 +++++- drivers/accel/ivpu/ivpu_hw.c | 2 +- drivers/accel/ivpu/ivpu_job.c | 90 ++++++--- drivers/base/cpu.c | 3 + drivers/block/loop.c | 43 ++++- drivers/bluetooth/btmtk.c | 10 - drivers/clocksource/i8253.c | 4 +- drivers/firmware/arm_scmi/driver.c | 13 +- drivers/gpu/drm/amd/amdgpu/amdgpu.h | 2 - drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 18 -- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 29 +-- drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 10 +- drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h | 1 - drivers/gpu/drm/amd/amdgpu/hdp_v4_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/hdp_v5_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/hdp_v5_2.c | 12 +- drivers/gpu/drm/amd/amdgpu/hdp_v6_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/hdp_v7_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c | 1 + drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c | 1 + drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 1 + drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 4 +- drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c | 1 + drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c | 1 + drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c | 3 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 36 ++-- .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 28 ++- .../amd/display/dc/dml2/dml2_translation_helper.c | 14 +- drivers/gpu/drm/panel/panel-simple.c | 25 +-- drivers/gpu/drm/v3d/v3d_sched.c | 28 ++- drivers/gpu/drm/xe/tests/xe_mocs.c | 7 +- drivers/gpu/drm/xe/xe_gt_debugfs.c | 9 +- drivers/gpu/drm/xe/xe_gt_pagefault.c | 11 +- drivers/hv/hyperv_vmbus.h | 6 + drivers/hv/vmbus_drv.c | 100 +++++++++- drivers/iio/accel/adis16201.c | 4 +- drivers/iio/accel/adxl355_core.c | 2 +- drivers/iio/accel/adxl367.c | 10 +- drivers/iio/adc/ad7266.c | 2 +- drivers/iio/adc/ad7606_spi.c | 2 +- drivers/iio/adc/ad7768-1.c | 2 +- drivers/iio/adc/dln2-adc.c | 2 +- drivers/iio/adc/rockchip_saradc.c | 17 +- drivers/iio/chemical/pms7003.c | 5 +- drivers/iio/chemical/sps30.c | 2 +- .../iio/common/hid-sensors/hid-sensor-attributes.c | 4 + drivers/iio/imu/bmi270/bmi270_core.c | 6 +- drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c | 2 +- drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 6 + drivers/iio/light/hid-sensor-prox.c | 22 ++- drivers/iio/light/opt3001.c | 5 +- drivers/iio/pressure/mprls0025pa.h | 17 +- drivers/iio/temperature/maxim_thermocouple.c | 2 +- drivers/input/joystick/xpad.c | 40 ++-- drivers/input/keyboard/mtk-pmic-keys.c | 4 +- drivers/input/mouse/synaptics.c | 5 + drivers/input/touchscreen/cyttsp5.c | 7 +- drivers/md/dm-table.c | 3 +- drivers/net/can/m_can/m_can.c | 3 +- drivers/net/can/rockchip/rockchip_canfd-core.c | 2 +- drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 42 +++- drivers/net/dsa/b53/b53_common.c | 213 +++++++++++++++------ drivers/net/dsa/b53/b53_priv.h | 3 + drivers/net/dsa/bcm_sf2.c | 1 + drivers/net/ethernet/intel/ice/ice_adapter.c | 47 ++--- drivers/net/ethernet/intel/ice/ice_adapter.h | 6 +- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 19 +- drivers/net/ethernet/meta/fbnic/fbnic_csr.h | 2 + drivers/net/ethernet/meta/fbnic/fbnic_fw.c | 197 +++++++++++-------- drivers/net/ethernet/meta/fbnic/fbnic_mac.c | 6 - drivers/net/virtio_net.c | 23 ++- drivers/nvme/host/core.c | 3 +- drivers/pci/hotplug/s390_pci_hpc.c | 1 - drivers/staging/axis-fifo/axis-fifo.c | 14 +- drivers/staging/iio/adc/ad7816.c | 2 +- .../vc04_services/bcm2835-camera/bcm2835-camera.c | 1 + drivers/uio/uio_hv_generic.c | 39 ++-- drivers/usb/cdns3/cdnsp-gadget.c | 31 +++ drivers/usb/cdns3/cdnsp-gadget.h | 6 + drivers/usb/cdns3/cdnsp-pci.c | 12 +- drivers/usb/cdns3/cdnsp-ring.c | 3 +- drivers/usb/cdns3/core.h | 3 + drivers/usb/class/usbtmc.c | 59 +++--- drivers/usb/dwc3/core.h | 4 + drivers/usb/dwc3/gadget.c | 60 +++--- drivers/usb/gadget/composite.c | 12 +- drivers/usb/gadget/function/f_ecm.c | 7 + drivers/usb/gadget/udc/tegra-xudc.c | 4 + drivers/usb/host/uhci-platform.c | 2 +- drivers/usb/host/xhci-dbgcap.c | 19 +- drivers/usb/host/xhci-dbgcap.h | 3 + drivers/usb/host/xhci-tegra.c | 3 + drivers/usb/misc/onboard_usb_dev.c | 10 +- drivers/usb/typec/tcpm/tcpm.c | 2 +- drivers/usb/typec/ucsi/displayport.c | 21 +- drivers/usb/typec/ucsi/ucsi.c | 34 ++++ drivers/usb/typec/ucsi/ucsi.h | 2 + drivers/vfio/pci/vfio_pci_core.c | 12 +- drivers/xen/swiotlb-xen.c | 1 + drivers/xen/xenbus/xenbus.h | 2 + drivers/xen/xenbus/xenbus_comms.c | 9 +- drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +- drivers/xen/xenbus/xenbus_xs.c | 18 +- fs/btrfs/volumes.c | 91 +-------- fs/erofs/fileio.c | 4 +- fs/erofs/zdata.c | 29 ++- fs/namespace.c | 3 +- fs/ocfs2/alloc.c | 1 + fs/ocfs2/journal.c | 80 +++++--- fs/ocfs2/journal.h | 1 + fs/ocfs2/ocfs2.h | 17 +- fs/ocfs2/quota_local.c | 9 +- fs/ocfs2/suballoc.c | 38 +++- fs/ocfs2/suballoc.h | 1 + fs/ocfs2/super.c | 3 + fs/smb/client/cached_dir.c | 10 +- fs/smb/server/oplock.c | 7 +- fs/smb/server/smb2pdu.c | 5 + fs/smb/server/vfs.c | 7 + fs/smb/server/vfs_cache.c | 33 +++- fs/userfaultfd.c | 28 ++- include/linux/cpu.h | 2 + include/linux/execmem.h | 3 + include/linux/hyperv.h | 6 + include/linux/ieee80211.h | 2 +- include/linux/module.h | 5 + include/linux/timekeeper_internal.h | 8 +- include/linux/vmalloc.h | 1 + include/net/netdev_queues.h | 6 + init/Kconfig | 3 + io_uring/io_uring.c | 58 +++--- io_uring/sqpoll.c | 2 +- kernel/params.c | 4 +- kernel/time/timekeeping.c | 50 ++++- kernel/time/vsyscall.c | 4 +- mm/huge_memory.c | 11 +- mm/internal.h | 27 ++- mm/memblock.c | 9 +- mm/page_alloc.c | 159 +++++++++------ mm/vmalloc.c | 31 ++- net/can/gw.c | 151 +++++++++------ net/core/filter.c | 1 + net/core/netdev-genl.c | 69 +++++-- net/ipv6/addrconf.c | 15 +- net/mac80211/mlme.c | 12 +- net/netfilter/ipset/ip_set_hash_gen.h | 2 +- net/netfilter/ipvs/ip_vs_xmit.c | 27 +-- net/openvswitch/actions.c | 3 +- net/sched/sch_htb.c | 15 +- net/wireless/scan.c | 2 +- rust/bindings/lib.rs | 1 + rust/kernel/alloc/kvec.rs | 3 + rust/kernel/list.rs | 3 + rust/kernel/str.rs | 46 ++--- rust/macros/module.rs | 19 +- rust/macros/paste.rs | 2 +- rust/macros/pinned_drop.rs | 3 +- rust/uapi/lib.rs | 1 + tools/objtool/check.c | 1 + tools/testing/selftests/Makefile | 1 + tools/testing/selftests/mm/compaction_test.c | 19 +- tools/testing/selftests/mm/pkey-powerpc.h | 14 +- tools/testing/selftests/mm/pkey_util.c | 1 + tools/testing/selftests/x86/bugs/Makefile | 3 + tools/testing/selftests/x86/bugs/common.py | 164 ++++++++++++++++ .../selftests/x86/bugs/its_indirect_alignment.py | 150 +++++++++++++++ .../testing/selftests/x86/bugs/its_permutations.py | 109 +++++++++++ .../selftests/x86/bugs/its_ret_alignment.py | 139 ++++++++++++++ tools/testing/selftests/x86/bugs/its_sysfs.py | 65 +++++++ 215 files changed, 3586 insertions(+), 1234 deletions(-)

4 months

8
9
0 0

[PATCH 6.12 000/184] 6.12.29-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.29 release. There are 184 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 16 May 2025 12:55:38 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.29-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.29-rc2 Peter Zijlstra <peterz(a)infradead.org> x86/its: FineIBT-paranoid vs ITS Eric Biggers <ebiggers(a)google.com> x86/its: Fix build errors when CONFIG_MODULES=n Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> selftest/x86/bugs: Add selftests for ITS Peter Zijlstra <peterz(a)infradead.org> x86/its: Use dynamic thunks for indirect branches Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/ibt: Keep IBT disabled during alternative patching Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Align RETs in BHB clear sequence to avoid thunking Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for RSB stuffing mitigation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add "vmexit" option to skip mitigation on some CPUs Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enable Indirect Target Selection mitigation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe return thunk Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe indirect thunk Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enumerate Indirect Target Selection (ITS) bug Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Documentation: x86/bugs/its: Add ITS documentation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/speculation: Remove the extra #ifdef around CALL_NOSPEC Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/speculation: Add a conditional CS prefix to CALL_NOSPEC Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/speculation: Simplify and make CALL_NOSPEC consistent Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/bhi: Do not set BHI_DIS_S in 32-bit mode Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bpf: Add IBHF call at end of classic BPF Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bpf: Call branch history clearing sequence on exit James Morse <james.morse(a)arm.com> arm64: proton-pack: Add new CPUs 'k' values for branch mitigation James Morse <james.morse(a)arm.com> arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users James Morse <james.morse(a)arm.com> arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs James Morse <james.morse(a)arm.com> arm64: proton-pack: Expose whether the branchy loop k value James Morse <james.morse(a)arm.com> arm64: proton-pack: Expose whether the platform is mitigated by firmware James Morse <james.morse(a)arm.com> arm64: insn: Add support for encoding DSB Omar Sandoval <osandov(a)fb.com> sched/eevdf: Fix se->slice being set to U64_MAX and resulting crash Johannes Weiner <hannes(a)cmpxchg.org> mm: page_alloc: speed up fallbacks in rmqueue_bulk() Johannes Weiner <hannes(a)cmpxchg.org> mm: page_alloc: don't steal single pages from biggest buddy Hao Qin <hao.qin(a)mediatek.com> Bluetooth: btmtk: Remove the resetting step before downloading the fw Hao Qin <hao.qin(a)mediatek.com> Bluetooth: btmtk: Remove resetting mt7921 before downloading the fw Jens Axboe <axboe(a)kernel.dk> io_uring: always arm linked timeouts prior to issue Miguel Ojeda <ojeda(a)kernel.org> rust: clean Rust 1.88.0's `clippy::uninlined_format_args` lint Miguel Ojeda <ojeda(a)kernel.org> rust: allow Rust 1.87.0's `clippy::ptr_eq` lint Christian Lamparter <chunkeey(a)gmail.com> Revert "um: work around sched_yield not yielding in time-travel mode" Al Viro <viro(a)zeniv.linux.org.uk> do_umount(): add missing barrier before refcount checks in sync case Gabriel Krisman Bertazi <krisman(a)suse.de> io_uring/sqpoll: Increase task_work submission batch size Tejas Upadhyay <tejas.upadhyay(a)intel.com> drm/xe/tests/mocs: Hold XE_FORCEWAKE_ALL for LNCF regs Himal Prasad Ghimiray <himal.prasad.ghimiray(a)intel.com> drm/xe/tests/mocs: Update xe_force_wake_get() return handling Clément Léger <cleger(a)rivosinc.com> riscv: misaligned: enable IRQs while handling misaligned accesses Clément Léger <cleger(a)rivosinc.com> riscv: misaligned: factorize trap handling Daniel Wagner <wagi(a)kernel.org> nvme: unblock ctrl state transition for firmware update Kevin Baker <kevinb(a)ventureresearch.com> drm/panel: simple: Update timings for AUO G101EVN010 Lizhi Xu <lizhi.xu(a)windriver.com> loop: Add sanity check for read/write_iter Christoph Hellwig <hch(a)lst.de> loop: factor out a loop_assign_backing_file helper Christoph Hellwig <hch(a)lst.de> loop: refactor queue limits updates OGAWA Hirofumi <hirofumi(a)mail.parknet.co.jp> loop: Fix ABBA locking race John Garry <john.g.garry(a)oracle.com> loop: Simplify discard granularity calc John Garry <john.g.garry(a)oracle.com> loop: Use bdev limit helpers for configuring discard Nylon Chen <nylon.chen(a)sifive.com> riscv: misaligned: Add handling for ZCB instructions Thorsten Blum <thorsten.blum(a)linux.dev> MIPS: Fix MAX_REG_OFFSET Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: adc: dln2: Use aligned_s64 for timestamp Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: accel: adxl355: Make timestamp 64-bit aligned using aligned_s64 Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> types: Complement the aligned types with signed 64-bit one Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: temp: maxim-thermocouple: Fix potential lack of DMA safe buffer. Lothar Rubusch <l.rubusch(a)gmail.com> iio: accel: adxl367: fix setting odr for activity time update Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous generic_read ioctl return Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous wait_srq ioctl return Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous get_stb ioctl error returns Oliver Neukum <oneukum(a)suse.com> USB: usbtmc: use interruptible sleep in usbtmc_read Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: ucsi: displayport: Fix NULL pointer access RD Babiera <rdbabiera(a)google.com> usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition Lukasz Czechowski <lukasz.czechowski(a)thaumatec.com> usb: misc: onboard_usb_dev: fix support for Cypress HX3 hubs Jim Lin <jilin(a)nvidia.com> usb: host: tegra: Prevent host controller crash when OTG port is used Prashanth K <prashanth.k(a)oss.qualcomm.com> usb: gadget: Use get_status callback to set remote wakeup capability Wayne Chang <waynec(a)nvidia.com> usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN Prashanth K <prashanth.k(a)oss.qualcomm.com> usb: gadget: f_ecm: Add get_status callback Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: Fix issue with resuming from L1 Prashanth K <prashanth.k(a)oss.qualcomm.com> usb: dwc3: gadget: Make gadget_wakeup asynchronous Jan Kara <jack(a)suse.cz> ocfs2: stop quota recovery before disabling quotas Jan Kara <jack(a)suse.cz> ocfs2: implement handshaking with ocfs2 recovery thread Jan Kara <jack(a)suse.cz> ocfs2: switch osb->disable_recovery to enum Heming Zhao <heming.zhao(a)suse.com> ocfs2: fix the issue with discontiguous allocation in the global_bitmap Borislav Petkov (AMD) <bp(a)alien8.de> x86/microcode: Consolidate the loader enablement checking Dmitry Antipov <dmantipov(a)yandex.ru> module: ensure that kobject_put() is safe for module type kobjects Tom Lendacky <thomas.lendacky(a)amd.com> memblock: Accept allocated memory before use in memblock_double_array() Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> clocksource/i8253: Use raw_spinlock_irqsave() in clockevent_i8253_disable() Yeoreum Yun <yeoreum.yun(a)arm.com> arm64: cpufeature: Move arm64_use_ng_mappings to the .data section to prevent wrong idmap generation Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> accel/ivpu: Increase state dump msg timeout Jason Andryuk <jason.andryuk(a)amd.com> xenbus: Use kref to track req lifetime John Ernberg <john.ernberg(a)actia.se> xen: swiotlb: Use swiotlb bouncing if kmalloc allocation demands it Paul Aurich <paul(a)darkrain42.org> smb: client: Avoid race in open_cached_dir with lease breaks Alexey Charkov <alchark(a)gmail.com> usb: uhci-platform: Make the clock really optional Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp7: use memcfg register to post the write for HDP flush Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp6: use memcfg register to post the write for HDP flush Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp5: use memcfg register to post the write for HDP flush Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp4: use memcfg register to post the write for HDP flush Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Copy AUX read reply data whenever length > 0 Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Fix wrong handling for AUX_DEFER case Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Remove incorrect checking in dmub aux handler Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Fix the checking condition in dmub aux handling Aurabindo Pillai <aurabindo.pillai(a)amd.com> drm/amd/display: more liberal vmin/vmax update for freesync Roman Li <Roman.Li(a)amd.com> drm/amd/display: Fix invalid context error in dml helper Ruijing Dong <ruijing.dong(a)amd.com> drm/amdgpu/vcn: using separate VCN1_AON_SOC offset Matthew Brost <matthew.brost(a)intel.com> drm/xe: Add page queue multiplier Maíra Canal <mcanal(a)igalia.com> drm/v3d: Add job to pending list if the reset was skipped Silvano Seva <s.seva(a)4sigma.it> iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo Silvano Seva <s.seva(a)4sigma.it> iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo David Lechner <dlechner(a)baylibre.com> iio: imu: inv_mpu6050: align buffer for timestamp Gabriel Shahrouzi <gshahrouzi(a)gmail.com> iio: adis16201: Correct inclinometer channel resolution Simon Xue <xxm(a)rock-chips.com> iio: adc: rockchip: Fix clock initialization sequence Angelo Dureghello <adureghello(a)baylibre.com> iio: adc: ad7606: fix serial register access Jens Axboe <axboe(a)kernel.dk> io_uring: ensure deferred completions are flushed for multishot Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Shift DMUB AUX reply command if necessary Mikhail Lobanov <m.lobanov(a)rosa.ru> KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception Nysal Jan K.A. <nysal(a)linux.ibm.com> selftests/mm: fix a build failure on powerpc Feng Tang <feng.tang(a)linux.alibaba.com> selftests/mm: compaction_test: support platform with huge mount of memory Peter Xu <peterx(a)redhat.com> mm/userfaultfd: fix uninitialized output field for -EAGAIN race Gavin Guo <gavinguo(a)igalia.com> mm/huge_memory: fix dereferencing invalid pmd migration entry Kees Cook <kees(a)kernel.org> mm: vmalloc: support more granular vrealloc() sizing Petr Vaněk <arkamar(a)atlas.cz> mm: fix folio_pte_batch() on XEN PV Dave Hansen <dave.hansen(a)linux.intel.com> x86/mm: Eliminate window where TLB flushes may be inadvertently skipped Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: axis-fifo: Correct handling of tx_fifo_depth for size validation Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: axis-fifo: Remove hardware resets for user errors Dave Stevenson <dave.stevenson(a)raspberrypi.com> staging: bcm2835-camera: Initialise dev in v4l2_dev Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: iio: adc: ad7816: Correct conditional logic for store mode Miguel Ojeda <ojeda(a)kernel.org> rust: clean Rust 1.88.0's warning about `clippy::disallowed_macros` configuration Miguel Ojeda <ojeda(a)kernel.org> objtool/rust: add one more `noreturn` Rust function for Rust 1.87.0 Miguel Ojeda <ojeda(a)kernel.org> rust: clean Rust 1.88.0's `unnecessary_transmutes` lint Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: synaptics - enable SMBus for HP Elitebook 850 G1 Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on Dell Precision M3800 Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on Dynabook Portege X30L-G Manuel Fombuena <fombuena(a)outlook.com> Input: synaptics - enable InterTouch on Dynabook Portege X30-D Vicki Pfau <vi(a)endrift.com> Input: xpad - fix two controller table values Lode Willems <me(a)lodewillems.com> Input: xpad - add support for 8BitDo Ultimate 2 Wireless Controller Vicki Pfau <vi(a)endrift.com> Input: xpad - fix Share button on Xbox One controllers Gary Bisson <bisson.gary(a)gmail.com> Input: mtk-pmic-keys - fix possible null pointer dereference Mikael Gonella-Bolduc <mgonellabolduc(a)dimonoff.com> Input: cyttsp5 - fix power control issue on wakeup Hugo Villeneuve <hvilleneuve(a)dimonoff.com> Input: cyttsp5 - ensure minimum reset pulse width Jakub Kicinski <kuba(a)kernel.org> virtio-net: fix total qstat values Jakub Kicinski <kuba(a)kernel.org> net: export a helper for adding up queue stats Alexander Duyck <alexanderduyck(a)fb.com> fbnic: Do not allow mailbox to toggle to ready outside fbnic_mbx_poll_tx_ready Alexander Duyck <alexanderduyck(a)fb.com> fbnic: Pull fbnic_fw_xmit_cap_msg use out of interrupt context Alexander Duyck <alexanderduyck(a)fb.com> fbnic: Improve responsiveness of fbnic_mbx_poll_tx_ready Alexander Duyck <alexanderduyck(a)fb.com> fbnic: Actually flush_tx instead of stalling out Alexander Duyck <alexanderduyck(a)fb.com> fbnic: Gate AXI read/write enabling on FW mailbox Alexander Duyck <alexanderduyck(a)fb.com> fbnic: Fix initialization of mailbox descriptor rings Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: do not set learning and unicast/multicast on up Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix learning on VLAN unaware bridges Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix toggling vlan_filtering Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: do not program vlans when vlan filtering is off Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: do not allow to configure VLAN 0 Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: always rejoin default untagged VLAN on bridge leave Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix flushing old pvid VLAN on pvid change Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix clearing PVID of a port Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: keep CPU port always tagged again Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: allow leaky reserved multicast Paul Chaignon <paul.chaignon(a)gmail.com> bpf: Scrub packet on bpf_redirect_peer Jozsef Kadlecsik <kadlec(a)netfilter.org> netfilter: ipset: fix region locking in hash types Julian Anastasov <ja(a)ssi.bg> ipvs: fix uninit-value for saddr in do_output_route4 Gao Xiang <xiang(a)kernel.org> erofs: ensure the extra temporary copy is valid for shortened bvecs Przemek Kitszel <przemyslaw.kitszel(a)intel.com> ice: use DSN instead of PCI BDF for ice_adapter index Sergey Temerkhanov <sergey.temerkhanov(a)intel.com> ice: Initial support for E825C hardware in ice_adapter Michael-CY Lee <michael-cy.lee(a)mediatek.com> wifi: mac80211: fix the type of status_code for negotiated TID to Link Mapping Oliver Hartkopp <socketcan(a)hartkopp.net> can: gw: fix RCU/BH usage in cgw_create_job() Kelsey Maes <kelsey(a)vpprocess.com> can: mcp251xfd: fix TDC setting for low data bit rates Antonios Salios <antonios(a)mwa.re> can: m_can: m_can_class_allocate_dev(): initialize spin lock on device probe Frank Wunderlich <frank-w(a)public-files.de> net: ethernet: mtk_eth_soc: do not reset PSE when setting FE Daniel Golle <daniel(a)makrotopia.org> net: ethernet: mtk_eth_soc: reset all TX queues on DMA free Guillaume Nault <gnault(a)redhat.com> gre: Fix again IPv6 link-local address generation. Jakub Kicinski <kuba(a)kernel.org> virtio-net: free xsk_buffs on error in virtnet_xsk_pool_enable() Xuan Zhuo <xuanzhuo(a)linux.alibaba.com> virtio_net: xsk: bind/unbind xsk for tx Cong Wang <xiyou.wangcong(a)gmail.com> sch_htb: make htb_deactivate() idempotent Heiko Carstens <hca(a)linux.ibm.com> s390/entry: Fix last breaking event handling in case of stack corruption Wang Zhaolong <wangzhaolong1(a)huawei.com> ksmbd: fix memory leak in parse_lease_state() Eelco Chaudron <echaudro(a)redhat.com> openvswitch: Fix unsafe attribute parsing in output_userspace() Sean Heelan <seanheelan(a)gmail.com> ksmbd: Fix UAF in __close_file_table_ids Norbert Szetei <norbert(a)doyensec.com> ksmbd: prevent out-of-bounds stream writes by validating *pos Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: prevent rename with empty string Marc Kleine-Budde <mkl(a)pengutronix.de> can: rockchip_canfd: rkcanfd_remove(): fix order of unregistration calls Marc Kleine-Budde <mkl(a)pengutronix.de> can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs Alex Williamson <alex.williamson(a)redhat.com> vfio/pci: Align huge faults to order Veerendranath Jakkam <quic_vjakkam(a)quicinc.com> wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Fix missing check for zpci_create_device() error return Marc Kleine-Budde <mkl(a)pengutronix.de> can: mcan: m_can_class_unregister(): fix order of unregistration calls Cristian Marussi <cristian.marussi(a)arm.com> firmware: arm_scmi: Fix timeout checks on polling path Wojciech Dubowik <Wojciech.Dubowik(a)mt.com> arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 Qu Wenruo <wqu(a)suse.com> Revert "btrfs: canonicalize the device path before adding it" Max Kellermann <max.kellermann(a)ionos.com> fs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio() Dan Carpenter <dan.carpenter(a)linaro.org> dm: add missing unlock on in dm_keyslot_evict() ------------- Diffstat: .clippy.toml | 2 +- Documentation/ABI/testing/sysfs-devices-system-cpu | 1 + Documentation/admin-guide/hw-vuln/index.rst | 1 + .../hw-vuln/indirect-target-selection.rst | 168 ++++++++++++++++ Documentation/admin-guide/kernel-parameters.txt | 18 ++ Makefile | 4 +- arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 25 ++- arch/arm64/include/asm/cputype.h | 2 + arch/arm64/include/asm/insn.h | 1 + arch/arm64/include/asm/spectre.h | 3 + arch/arm64/kernel/cpufeature.c | 9 +- arch/arm64/kernel/proton-pack.c | 13 +- arch/arm64/lib/insn.c | 76 +++++--- arch/arm64/net/bpf_jit_comp.c | 57 +++++- arch/mips/include/asm/ptrace.h | 3 +- arch/riscv/kernel/traps.c | 64 ++++--- arch/riscv/kernel/traps_misaligned.c | 17 ++ arch/s390/kernel/entry.S | 3 +- arch/s390/pci/pci_clp.c | 2 + arch/um/include/linux/time-internal.h | 2 - arch/um/kernel/skas/syscall.c | 11 -- arch/x86/Kconfig | 12 ++ arch/x86/entry/entry_64.S | 20 +- arch/x86/include/asm/alternative.h | 32 ++++ arch/x86/include/asm/cpufeatures.h | 3 + arch/x86/include/asm/microcode.h | 2 + arch/x86/include/asm/msr-index.h | 8 + arch/x86/include/asm/nospec-branch.h | 38 ++-- arch/x86/kernel/alternative.c | 208 +++++++++++++++++++- arch/x86/kernel/cpu/bugs.c | 176 ++++++++++++++++- arch/x86/kernel/cpu/common.c | 72 +++++-- arch/x86/kernel/cpu/microcode/amd.c | 6 +- arch/x86/kernel/cpu/microcode/core.c | 60 +++--- arch/x86/kernel/cpu/microcode/intel.c | 2 +- arch/x86/kernel/cpu/microcode/internal.h | 1 - arch/x86/kernel/ftrace.c | 2 +- arch/x86/kernel/head32.c | 4 - arch/x86/kernel/module.c | 6 + arch/x86/kernel/static_call.c | 4 +- arch/x86/kernel/vmlinux.lds.S | 10 + arch/x86/kvm/smm.c | 1 + arch/x86/kvm/svm/svm.c | 4 + arch/x86/kvm/x86.c | 4 +- arch/x86/lib/retpoline.S | 39 ++++ arch/x86/mm/tlb.c | 23 ++- arch/x86/net/bpf_jit_comp.c | 58 +++++- drivers/accel/ivpu/ivpu_hw.c | 2 +- drivers/base/cpu.c | 3 + drivers/block/loop.c | 104 ++++++---- drivers/bluetooth/btmtk.c | 12 +- drivers/clocksource/i8253.c | 4 +- drivers/firmware/arm_scmi/driver.c | 13 +- drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h | 1 - drivers/gpu/drm/amd/amdgpu/hdp_v4_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/hdp_v5_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/hdp_v5_2.c | 12 +- drivers/gpu/drm/amd/amdgpu/hdp_v6_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/hdp_v7_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c | 1 + drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c | 1 + drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 1 + drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 4 +- drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c | 1 + drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c | 1 + drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c | 3 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 36 ++-- .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 28 ++- .../amd/display/dc/dml2/dml2_translation_helper.c | 14 +- drivers/gpu/drm/panel/panel-simple.c | 25 +-- drivers/gpu/drm/v3d/v3d_sched.c | 28 ++- drivers/gpu/drm/xe/tests/xe_mocs.c | 21 +- drivers/gpu/drm/xe/xe_gt_pagefault.c | 11 +- drivers/iio/accel/adis16201.c | 4 +- drivers/iio/accel/adxl355_core.c | 2 +- drivers/iio/accel/adxl367.c | 10 +- drivers/iio/adc/ad7606_spi.c | 2 +- drivers/iio/adc/dln2-adc.c | 2 +- drivers/iio/adc/rockchip_saradc.c | 17 +- drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c | 2 +- drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 6 + drivers/iio/temperature/maxim_thermocouple.c | 2 +- drivers/input/joystick/xpad.c | 40 ++-- drivers/input/keyboard/mtk-pmic-keys.c | 4 +- drivers/input/mouse/synaptics.c | 5 + drivers/input/touchscreen/cyttsp5.c | 7 +- drivers/md/dm-table.c | 3 +- drivers/net/can/m_can/m_can.c | 3 +- drivers/net/can/rockchip/rockchip_canfd-core.c | 2 +- drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 42 +++- drivers/net/dsa/b53/b53_common.c | 213 +++++++++++++++------ drivers/net/dsa/b53/b53_priv.h | 3 + drivers/net/dsa/bcm_sf2.c | 1 + drivers/net/ethernet/intel/ice/ice_adapter.c | 39 ++-- drivers/net/ethernet/intel/ice/ice_adapter.h | 6 +- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 19 +- drivers/net/ethernet/meta/fbnic/fbnic_csr.h | 2 + drivers/net/ethernet/meta/fbnic/fbnic_fw.c | 180 +++++++++-------- drivers/net/ethernet/meta/fbnic/fbnic_mac.c | 6 - drivers/net/virtio_net.c | 61 ++++++ drivers/nvme/host/core.c | 3 +- drivers/pci/hotplug/s390_pci_hpc.c | 1 - drivers/staging/axis-fifo/axis-fifo.c | 14 +- drivers/staging/iio/adc/ad7816.c | 2 +- .../vc04_services/bcm2835-camera/bcm2835-camera.c | 1 + drivers/usb/cdns3/cdnsp-gadget.c | 31 +++ drivers/usb/cdns3/cdnsp-gadget.h | 6 + drivers/usb/cdns3/cdnsp-pci.c | 12 +- drivers/usb/cdns3/cdnsp-ring.c | 3 +- drivers/usb/cdns3/core.h | 3 + drivers/usb/class/usbtmc.c | 59 +++--- drivers/usb/dwc3/core.h | 4 + drivers/usb/dwc3/gadget.c | 60 +++--- drivers/usb/gadget/composite.c | 12 +- drivers/usb/gadget/function/f_ecm.c | 7 + drivers/usb/gadget/udc/tegra-xudc.c | 4 + drivers/usb/host/uhci-platform.c | 2 +- drivers/usb/host/xhci-tegra.c | 3 + drivers/usb/misc/onboard_usb_dev.c | 10 +- drivers/usb/typec/tcpm/tcpm.c | 2 +- drivers/usb/typec/ucsi/displayport.c | 2 + drivers/vfio/pci/vfio_pci_core.c | 12 +- drivers/xen/swiotlb-xen.c | 1 + drivers/xen/xenbus/xenbus.h | 2 + drivers/xen/xenbus/xenbus_comms.c | 9 +- drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +- drivers/xen/xenbus/xenbus_xs.c | 18 +- fs/btrfs/volumes.c | 91 +-------- fs/erofs/fileio.c | 4 +- fs/erofs/zdata.c | 29 ++- fs/namespace.c | 3 +- fs/ocfs2/journal.c | 80 +++++--- fs/ocfs2/journal.h | 1 + fs/ocfs2/ocfs2.h | 17 +- fs/ocfs2/quota_local.c | 9 +- fs/ocfs2/suballoc.c | 38 +++- fs/ocfs2/suballoc.h | 1 + fs/ocfs2/super.c | 3 + fs/smb/client/cached_dir.c | 10 +- fs/smb/server/oplock.c | 7 +- fs/smb/server/smb2pdu.c | 5 + fs/smb/server/vfs.c | 7 + fs/smb/server/vfs_cache.c | 33 +++- fs/userfaultfd.c | 28 ++- include/linux/cpu.h | 2 + include/linux/execmem.h | 3 + include/linux/ieee80211.h | 2 +- include/linux/module.h | 5 + include/linux/types.h | 3 +- include/linux/vmalloc.h | 1 + include/net/netdev_queues.h | 6 + include/uapi/linux/types.h | 1 + init/Kconfig | 3 + io_uring/io_uring.c | 58 +++--- io_uring/sqpoll.c | 2 +- kernel/params.c | 4 +- kernel/sched/fair.c | 4 +- mm/huge_memory.c | 11 +- mm/internal.h | 27 ++- mm/memblock.c | 9 +- mm/page_alloc.c | 159 +++++++++------ mm/vmalloc.c | 31 ++- net/can/gw.c | 151 +++++++++------ net/core/filter.c | 1 + net/core/netdev-genl.c | 69 +++++-- net/ipv6/addrconf.c | 15 +- net/mac80211/mlme.c | 12 +- net/netfilter/ipset/ip_set_hash_gen.h | 2 +- net/netfilter/ipvs/ip_vs_xmit.c | 27 +-- net/openvswitch/actions.c | 3 +- net/sched/sch_htb.c | 15 +- net/wireless/scan.c | 2 +- rust/bindings/lib.rs | 1 + rust/kernel/alloc/kvec.rs | 3 + rust/kernel/list.rs | 3 + rust/kernel/str.rs | 46 ++--- rust/macros/module.rs | 19 +- rust/macros/pinned_drop.rs | 3 +- rust/uapi/lib.rs | 1 + tools/objtool/check.c | 1 + tools/testing/selftests/Makefile | 1 + tools/testing/selftests/mm/compaction_test.c | 19 +- tools/testing/selftests/mm/pkey-powerpc.h | 12 +- tools/testing/selftests/x86/bugs/Makefile | 3 + tools/testing/selftests/x86/bugs/common.py | 164 ++++++++++++++++ .../selftests/x86/bugs/its_indirect_alignment.py | 150 +++++++++++++++ .../testing/selftests/x86/bugs/its_permutations.py | 109 +++++++++++ .../selftests/x86/bugs/its_ret_alignment.py | 139 ++++++++++++++ tools/testing/selftests/x86/bugs/its_sysfs.py | 65 +++++++ 188 files changed, 3233 insertions(+), 1099 deletions(-)

4 months

8
7
0 0

[PATCH 6.1 00/96] 6.1.139-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.139 release. There are 96 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 16 May 2025 12:55:38 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.139-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.139-rc2 Peter Zijlstra <peterz(a)infradead.org> x86/its: FineIBT-paranoid vs ITS Josh Poimboeuf <jpoimboe(a)kernel.org> x86/alternatives: Remove faulty optimization Borislav Petkov (AMD) <bp(a)alien8.de> x86/alternative: Optimize returns patching Eric Biggers <ebiggers(a)google.com> x86/its: Fix build errors when CONFIG_MODULES=n Peter Zijlstra <peterz(a)infradead.org> x86/its: Use dynamic thunks for indirect branches Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/ibt: Keep IBT disabled during alternative patching Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Align RETs in BHB clear sequence to avoid thunking Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add "vmexit" option to skip mitigation on some CPUs Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enable Indirect Target Selection mitigation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe return thunk Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe indirect thunk Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enumerate Indirect Target Selection (ITS) bug Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Documentation: x86/bugs/its: Add ITS documentation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/speculation: Remove the extra #ifdef around CALL_NOSPEC Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/speculation: Add a conditional CS prefix to CALL_NOSPEC Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/speculation: Simplify and make CALL_NOSPEC consistent Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/bhi: Do not set BHI_DIS_S in 32-bit mode Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bpf: Add IBHF call at end of classic BPF Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bpf: Call branch history clearing sequence on exit James Morse <james.morse(a)arm.com> arm64: proton-pack: Add new CPUs 'k' values for branch mitigation James Morse <james.morse(a)arm.com> arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users James Morse <james.morse(a)arm.com> arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs James Morse <james.morse(a)arm.com> arm64: proton-pack: Expose whether the branchy loop k value James Morse <james.morse(a)arm.com> arm64: proton-pack: Expose whether the platform is mitigated by firmware James Morse <james.morse(a)arm.com> arm64: insn: Add support for encoding DSB Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "net: phy: microchip: force IRQ polling mode for lan88xx" Jens Axboe <axboe(a)kernel.dk> io_uring: ensure deferred completions are posted for multishot Jens Axboe <axboe(a)kernel.dk> io_uring: always arm linked timeouts prior to issue Al Viro <viro(a)zeniv.linux.org.uk> do_umount(): add missing barrier before refcount checks in sync case Daniel Wagner <wagi(a)kernel.org> nvme: unblock ctrl state transition for firmware update Kevin Baker <kevinb(a)ventureresearch.com> drm/panel: simple: Update timings for AUO G101EVN010 Thorsten Blum <thorsten.blum(a)linux.dev> MIPS: Fix MAX_REG_OFFSET Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: adc: dln2: Use aligned_s64 for timestamp Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: accel: adxl355: Make timestamp 64-bit aligned using aligned_s64 Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> types: Complement the aligned types with signed 64-bit one Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: temp: maxim-thermocouple: Fix potential lack of DMA safe buffer. Lothar Rubusch <l.rubusch(a)gmail.com> iio: accel: adxl367: fix setting odr for activity time update Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous generic_read ioctl return Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous wait_srq ioctl return Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous get_stb ioctl error returns Oliver Neukum <oneukum(a)suse.com> USB: usbtmc: use interruptible sleep in usbtmc_read Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: ucsi: displayport: Fix NULL pointer access RD Babiera <rdbabiera(a)google.com> usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition Jim Lin <jilin(a)nvidia.com> usb: host: tegra: Prevent host controller crash when OTG port is used Wayne Chang <waynec(a)nvidia.com> usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: Fix issue with resuming from L1 Jan Kara <jack(a)suse.cz> ocfs2: stop quota recovery before disabling quotas Jan Kara <jack(a)suse.cz> ocfs2: implement handshaking with ocfs2 recovery thread Jan Kara <jack(a)suse.cz> ocfs2: switch osb->disable_recovery to enum Dmitry Antipov <dmantipov(a)yandex.ru> module: ensure that kobject_put() is safe for module type kobjects Jason Andryuk <jason.andryuk(a)amd.com> xenbus: Use kref to track req lifetime Alexey Charkov <alchark(a)gmail.com> usb: uhci-platform: Make the clock really optional Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Copy AUX read reply data whenever length > 0 Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Fix wrong handling for AUX_DEFER case Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Remove incorrect checking in dmub aux handler Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Fix the checking condition in dmub aux handling Maíra Canal <mcanal(a)igalia.com> drm/v3d: Add job to pending list if the reset was skipped Silvano Seva <s.seva(a)4sigma.it> iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo Silvano Seva <s.seva(a)4sigma.it> iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo Gabriel Shahrouzi <gshahrouzi(a)gmail.com> iio: adis16201: Correct inclinometer channel resolution Angelo Dureghello <adureghello(a)baylibre.com> iio: adc: ad7606: fix serial register access Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Shift DMUB AUX reply command if necessary Dave Hansen <dave.hansen(a)linux.intel.com> x86/mm: Eliminate window where TLB flushes may be inadvertently skipped Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: axis-fifo: Correct handling of tx_fifo_depth for size validation Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: axis-fifo: Remove hardware resets for user errors Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: iio: adc: ad7816: Correct conditional logic for store mode Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: synaptics - enable SMBus for HP Elitebook 850 G1 Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on Dell Precision M3800 Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on Dynabook Portege X30L-G Manuel Fombuena <fombuena(a)outlook.com> Input: synaptics - enable InterTouch on Dynabook Portege X30-D Gary Bisson <bisson.gary(a)gmail.com> Input: mtk-pmic-keys - fix possible null pointer dereference Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix learning on VLAN unaware bridges Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: always rejoin default untagged VLAN on bridge leave Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix flushing old pvid VLAN on pvid change Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix clearing PVID of a port Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: allow leaky reserved multicast Paul Chaignon <paul.chaignon(a)gmail.com> bpf: Scrub packet on bpf_redirect_peer Jozsef Kadlecsik <kadlec(a)netfilter.org> netfilter: ipset: fix region locking in hash types Julian Anastasov <ja(a)ssi.bg> ipvs: fix uninit-value for saddr in do_output_route4 Guillaume Nault <gnault(a)redhat.com> ipv4: Drop tos parameter from flowi4_update_output() Oliver Hartkopp <socketcan(a)hartkopp.net> can: gw: fix RCU/BH usage in cgw_create_job() Uladzislau Rezki (Sony) <urezki(a)gmail.com> rcu/kvfree: Add kvfree_rcu_mightsleep() and kfree_rcu_mightsleep() Kelsey Maes <kelsey(a)vpprocess.com> can: mcp251xfd: fix TDC setting for low data bit rates Guillaume Nault <gnault(a)redhat.com> gre: Fix again IPv6 link-local address generation. Cong Wang <xiyou.wangcong(a)gmail.com> sch_htb: make htb_deactivate() idempotent Wang Zhaolong <wangzhaolong1(a)huawei.com> ksmbd: fix memory leak in parse_lease_state() Eelco Chaudron <echaudro(a)redhat.com> openvswitch: Fix unsafe attribute parsing in output_userspace() Norbert Szetei <norbert(a)doyensec.com> ksmbd: prevent out-of-bounds stream writes by validating *pos Marc Kleine-Budde <mkl(a)pengutronix.de> can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls Marc Kleine-Budde <mkl(a)pengutronix.de> can: mcan: m_can_class_unregister(): fix order of unregistration calls Wojciech Dubowik <Wojciech.Dubowik(a)mt.com> arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 Dan Carpenter <dan.carpenter(a)linaro.org> dm: add missing unlock on in dm_keyslot_evict() ------------- Diffstat: Documentation/ABI/testing/sysfs-devices-system-cpu | 1 + Documentation/admin-guide/hw-vuln/index.rst | 1 + .../hw-vuln/indirect-target-selection.rst | 156 +++++++++++++ Documentation/admin-guide/kernel-parameters.txt | 15 ++ Makefile | 4 +- arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 25 ++- arch/arm64/include/asm/cputype.h | 2 + arch/arm64/include/asm/insn.h | 1 + arch/arm64/include/asm/spectre.h | 3 + arch/arm64/kernel/proton-pack.c | 13 +- arch/arm64/lib/insn.c | 76 ++++--- arch/arm64/net/bpf_jit_comp.c | 57 ++++- arch/mips/include/asm/ptrace.h | 3 +- arch/x86/Kconfig | 11 + arch/x86/entry/entry_64.S | 20 +- arch/x86/include/asm/alternative.h | 32 +++ arch/x86/include/asm/cpufeatures.h | 3 + arch/x86/include/asm/msr-index.h | 8 + arch/x86/include/asm/nospec-branch.h | 38 ++-- arch/x86/kernel/alternative.c | 245 ++++++++++++++++++++- arch/x86/kernel/cpu/bugs.c | 144 +++++++++++- arch/x86/kernel/cpu/common.c | 72 ++++-- arch/x86/kernel/ftrace.c | 2 +- arch/x86/kernel/module.c | 7 + arch/x86/kernel/static_call.c | 2 +- arch/x86/kernel/vmlinux.lds.S | 10 + arch/x86/kvm/x86.c | 4 +- arch/x86/lib/retpoline.S | 39 ++++ arch/x86/mm/tlb.c | 23 +- arch/x86/net/bpf_jit_comp.c | 60 ++++- drivers/base/cpu.c | 8 + drivers/gpu/drm/amd/amdgpu/hdp_v5_2.c | 12 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 20 +- .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 28 ++- drivers/gpu/drm/panel/panel-simple.c | 25 ++- drivers/gpu/drm/v3d/v3d_sched.c | 28 ++- drivers/iio/accel/adis16201.c | 4 +- drivers/iio/accel/adxl355_core.c | 2 +- drivers/iio/accel/adxl367.c | 10 +- drivers/iio/adc/ad7606_spi.c | 2 +- drivers/iio/adc/dln2-adc.c | 2 +- drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 6 + drivers/iio/temperature/maxim_thermocouple.c | 2 +- drivers/input/keyboard/mtk-pmic-keys.c | 4 +- drivers/input/mouse/synaptics.c | 5 + drivers/md/dm-table.c | 3 +- drivers/net/can/m_can/m_can.c | 2 +- drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 42 +++- drivers/net/dsa/b53/b53_common.c | 36 ++- drivers/net/phy/microchip.c | 46 +++- drivers/nvme/host/core.c | 3 +- drivers/staging/axis-fifo/axis-fifo.c | 14 +- drivers/staging/iio/adc/ad7816.c | 2 +- drivers/usb/cdns3/cdnsp-gadget.c | 31 +++ drivers/usb/cdns3/cdnsp-gadget.h | 6 + drivers/usb/cdns3/cdnsp-pci.c | 12 +- drivers/usb/cdns3/cdnsp-ring.c | 3 +- drivers/usb/cdns3/core.h | 3 + drivers/usb/class/usbtmc.c | 59 +++-- drivers/usb/gadget/udc/tegra-xudc.c | 4 + drivers/usb/host/uhci-platform.c | 2 +- drivers/usb/host/xhci-tegra.c | 3 + drivers/usb/typec/tcpm/tcpm.c | 2 +- drivers/usb/typec/ucsi/displayport.c | 2 + drivers/xen/xenbus/xenbus.h | 2 + drivers/xen/xenbus/xenbus_comms.c | 9 +- drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +- drivers/xen/xenbus/xenbus_xs.c | 18 +- fs/namespace.c | 3 +- fs/ocfs2/journal.c | 80 +++++-- fs/ocfs2/journal.h | 1 + fs/ocfs2/ocfs2.h | 17 +- fs/ocfs2/quota_local.c | 9 +- fs/ocfs2/super.c | 3 + fs/smb/server/oplock.c | 7 +- fs/smb/server/vfs.c | 7 + include/linux/cpu.h | 2 + include/linux/module.h | 5 + include/linux/rcupdate.h | 3 + include/linux/types.h | 3 +- include/net/flow.h | 3 +- include/net/route.h | 6 +- include/uapi/linux/types.h | 1 + io_uring/io_uring.c | 61 ++--- kernel/params.c | 4 +- net/can/gw.c | 151 ++++++++----- net/core/filter.c | 1 + net/ipv6/addrconf.c | 15 +- net/netfilter/ipset/ip_set_hash_gen.h | 2 +- net/netfilter/ipvs/ip_vs_xmit.c | 29 +-- net/openvswitch/actions.c | 3 +- net/sched/sch_htb.c | 15 +- net/sctp/protocol.c | 4 +- 93 files changed, 1578 insertions(+), 398 deletions(-)

4 months

7
6
0 0

[PATCH v2 2/2] usb: dwc3: Force full reset on xhci removal

by Roy Luo

During an xhci host controller reset (via `USBCMD.HCRST`), reading DWC3 registers can return zero instead of their actual values. This applies not only to registers within the xhci memory space but also those in the broader DWC3 IP block. By default, the xhci driver doesn't wait for the reset handshake to complete during teardown. This can cause problems when the DWC3 controller is operating as a dual role device and is switching from host to device mode, the invalid register read caused by ongoing HCRST could lead to gadget mode startup failures and unintended register overwrites. To mitigate this, enable xhci-full-reset-on-remove-quirk to ensure that xhci_reset() completes its full reset handshake during xhci removal. Cc: stable(a)vger.kernel.org Fixes: 6ccb83d6c497 ("usb: xhci: Implement xhci_handshake_check_state() helper") Signed-off-by: Roy Luo <royluo(a)google.com> --- drivers/usb/dwc3/host.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/usb/dwc3/host.c b/drivers/usb/dwc3/host.c index b48e108fc8fe..ea865898308f 100644 --- a/drivers/usb/dwc3/host.c +++ b/drivers/usb/dwc3/host.c @@ -126,7 +126,7 @@ static int dwc3_host_get_irq(struct dwc3 *dwc) int dwc3_host_init(struct dwc3 *dwc) { - struct property_entry props[6]; + struct property_entry props[7]; struct platform_device *xhci; int ret, irq; int prop_idx = 0; @@ -182,6 +182,9 @@ int dwc3_host_init(struct dwc3 *dwc) if (DWC3_VER_IS_WITHIN(DWC3, ANY, 300A)) props[prop_idx++] = PROPERTY_ENTRY_BOOL("quirk-broken-port-ped"); + if (dwc->dr_mode == USB_DR_MODE_OTG) + props[prop_idx++] = PROPERTY_ENTRY_BOOL("xhci-full-reset-on-remove-quirk"); + if (prop_idx) { ret = device_create_managed_software_node(&xhci->dev, props, NULL); if (ret) { -- 2.49.0.1112.g889b7c5bd8-goog

4 months

1
0
0 0

[PATCH v4 0/2] iio: accel: fxls8962af: Fix temperature readings

by Sean Nyekjaer

Add the correct scale to get temperature in mili degree Celcius. Add sign component to temperature scan element. Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> --- Changes in v4: - Blindly Copy/Pasted Andy's comment. Use the correct MILLIDEGREE_PER_DEGREE - Link to v3: https://lore.kernel.org/r/20250505-fxls-v3-0-8c541bf0205c@geanix.com Changes in v3: - Dropping define infavor of inline scale value - Added using constants from units.h - Tweaked commit msg to make it more assertive - Link to v2: https://lore.kernel.org/r/20250502-fxls-v2-0-e1af65f1aa6c@geanix.com Changes in v2: - Correct offset is applied before scaling component - Added sign component to temperature scan element - Link to v1: https://lore.kernel.org/r/20250501-fxls-v1-1-f54061a07099@geanix.com --- Sean Nyekjaer (2): iio: accel: fxls8962af: Fix temperature calculation iio: accel: fxls8962af: Fix temperature scan element sign drivers/iio/accel/fxls8962af-core.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) --- base-commit: 609bc31eca06c7408e6860d8b46311ebe45c1fef change-id: 20250501-fxls-307ef3d6d065 Best regards, -- Sean Nyekjaer <sean(a)geanix.com>

4 months

2
3
0 0

[PATCH] drm: radeon: ci_dpm: Add error handling for ci_send_msg_to_smc_with_parameter()

by Wentao Liang

The ci_enable_uvd_dpm() calls ci_send_msg_to_smc_with_parameter() but does not check the return value. This could lead to the execution with potentially invalid data. A proper implementation can be found in the ci_fan_ctrl_start_smc_fan_control(). Add a check after calling ci_send_msg_to_smc_with_parameter(), return -EINVAL if the sending fails. Fixes: cc8dbbb4f62a ("drm/radeon: add dpm support for CI dGPUs (v2)") Cc: stable(a)vger.kernel.org # v3.12 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- drivers/gpu/drm/radeon/ci_dpm.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/radeon/ci_dpm.c b/drivers/gpu/drm/radeon/ci_dpm.c index abe9d65cc460..3877863c6893 100644 --- a/drivers/gpu/drm/radeon/ci_dpm.c +++ b/drivers/gpu/drm/radeon/ci_dpm.c @@ -3889,6 +3889,7 @@ static int ci_enable_uvd_dpm(struct radeon_device *rdev, bool enable) struct ci_power_info *pi = ci_get_pi(rdev); const struct radeon_clock_and_voltage_limits *max_limits; int i; + PPSMC_Result result; if (rdev->pm.dpm.ac_power) max_limits = &rdev->pm.dpm.dyn_state.max_clock_voltage_on_ac; @@ -3907,24 +3908,30 @@ static int ci_enable_uvd_dpm(struct radeon_device *rdev, bool enable) } } - ci_send_msg_to_smc_with_parameter(rdev, + result = ci_send_msg_to_smc_with_parameter(rdev, PPSMC_MSG_UVDDPM_SetEnabledMask, pi->dpm_level_enable_mask.uvd_dpm_enable_mask); + if (result != PPSMC_Result_OK) + return -EINVAL; if (pi->last_mclk_dpm_enable_mask & 0x1) { pi->uvd_enabled = true; pi->dpm_level_enable_mask.mclk_dpm_enable_mask &= 0xFFFFFFFE; - ci_send_msg_to_smc_with_parameter(rdev, + result = ci_send_msg_to_smc_with_parameter(rdev, PPSMC_MSG_MCLKDPM_SetEnabledMask, pi->dpm_level_enable_mask.mclk_dpm_enable_mask); + if (result != PPSMC_Result_OK) + return -EINVAL; } } else { if (pi->last_mclk_dpm_enable_mask & 0x1) { pi->uvd_enabled = false; pi->dpm_level_enable_mask.mclk_dpm_enable_mask |= 1; - ci_send_msg_to_smc_with_parameter(rdev, + result = ci_send_msg_to_smc_with_parameter(rdev, PPSMC_MSG_MCLKDPM_SetEnabledMask, pi->dpm_level_enable_mask.mclk_dpm_enable_mask); + if (result != PPSMC_Result_OK) + return -EINVAL; } } -- 2.42.0.windows.2

4 months

1
0
0 0

[PATCH] arm64: Check pxd_leaf() instead of !pxd_table() while tearing down page tables

by Dev Jain

Commit 9c006972c3fe removes the pxd_present() checks because the caller checks pxd_present(). But, in case of vmap_try_huge_pud(), the caller only checks pud_present(); pud_free_pmd_page() recurses on each pmd through pmd_free_pte_page(), wherein the pmd may be none. Thus it is possible to hit a warning in the latter, since pmd_none => !pmd_table(). Thus, enforce these checks again through pxd_leaf(). This problem was found by code inspection. The patch is based on 6.15-rc6. Fixes: 9c006972c3fe (arm64: mmu: drop pXd_present() checks from pXd_free_pYd_table()) Cc: <stable(a)vger.kernel.org> Reported-by: Ryan Roberts <ryan.roberts(a)arm.com> Signed-off-by: Dev Jain <dev.jain(a)arm.com> --- arch/arm64/mm/mmu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c index ea6695d53fb9..3d6789413a9b 100644 --- a/arch/arm64/mm/mmu.c +++ b/arch/arm64/mm/mmu.c @@ -1255,7 +1255,7 @@ int pmd_free_pte_page(pmd_t *pmdp, unsigned long addr) pmd = READ_ONCE(*pmdp); - if (!pmd_table(pmd)) { + if (pmd_leaf(pmd)) { VM_WARN_ON(1); return 1; } @@ -1276,7 +1276,7 @@ int pud_free_pmd_page(pud_t *pudp, unsigned long addr) pud = READ_ONCE(*pudp); - if (!pud_table(pud)) { + if (pud_leaf(pud)) { VM_WARN_ON(1); return 1; } -- 2.30.2

4 months

4
15
0 0

[PATCH v3] clk: meson-g12a: add missing fclk_div2 to spicc

by Da Xue

SPICC is missing fclk_div2 which causes the spicc module to output sclk at 2.5x the expected rate. Adding the missing fclk_div2 resolves this. Fixes: a18c8e0b7697 ("clk: meson: g12a: add support for the SPICC SCLK Source clocks") Cc: <stable(a)vger.kernel.org> # 6.1 Signed-off-by: Da Xue <da(a)libre.computer> --- Changelog: v2 -> v3: remove gp0 v1 -> v2: add Fixes as an older version of the patch was sent as v1 --- drivers/clk/meson/g12a.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/clk/meson/g12a.c b/drivers/clk/meson/g12a.c index 4f92b83965d5a..b72eebd0fa474 100644 --- a/drivers/clk/meson/g12a.c +++ b/drivers/clk/meson/g12a.c @@ -4099,6 +4099,7 @@ static const struct clk_parent_data spicc_sclk_parent_data[] = { { .hw = &g12a_clk81.hw }, { .hw = &g12a_fclk_div4.hw }, { .hw = &g12a_fclk_div3.hw }, + { .hw = &g12a_fclk_div2.hw }, { .hw = &g12a_fclk_div5.hw }, { .hw = &g12a_fclk_div7.hw }, }; -- 2.39.5

4 months

4
4
0 0

[PATCH v2 0/5] Fix onboard USB hub instability on RK3399 Puma SoM

by Lukasz Czechowski

The RK3399 Puma SoM contains the internal Cypress CYUSB3304 USB hub, that shows instability due to improper reset pin configuration. Currently reset pin is modeled as a vcc5v0_host regulator, that might result in too short reset pulse duration. Starting with the v6.6, the Onboard USB hub driver (later renamed to Onboard USB dev) contains support for Cypress HX3 hub family. It can be now used to correctly model the RK3399 Puma SoM hardware. The first commits in this series fix the onboard USB dev driver to support all HX3 hub variants, including the CYUSB3304 found in the RK3399 Puma SoM. This allows to introduce fix for internal USB hub instability on RK3399 Puma, by replacing the vcc5v0_host regulator with cy3304_reset, used inside the hub node. Please be aware that the patch that fixes USB hub instability in arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi can me merged only after updating the Onboard USB dev driver, otherwise the hub will not work. Two last commits in the series disable unrouted USB controllers and PHYs on RK3399 Puma SOM and Haikou carrier board, with no intended functional changes. This series depends on the patch: Link: https://lore.kernel.org/linux-usb/20250418-dt-binding-usb-device-compatible… ("dt-bindings: usb: usb-device: relax compatible pattern to a contains") Signed-off-by: Lukasz Czechowski <lukasz.czechowski(a)thaumatec.com> --- Changes in v2: - Removed additional entries from onboard_dev_match table and updated dt-bindings list, as suggested by Krzysztof and Conor. Fallback compatible entry in SoM's dtsi file is used instead. - Added vdd-supply and vdd2-supply entries to onboard hub nodes to satisfy bindings checks. - Changed the default cy3304-reset pin configuration to pcfg_output_high. - Added dependency to: change-id: 20250415-dt-binding-usb-device-compatibles-188f7b0a81b4 - Link to v1: https://lore.kernel.org/r/20250326-onboard_usb_dev-v1-0-a4b0a5d1b32c@thauma… --- Lukasz Czechowski (3): usb: misc: onboard_usb_dev: fix support for Cypress HX3 hubs dt-bindings: usb: cypress,hx3: Add support for all variants arm64: dts: rockchip: fix internal USB hub instability on RK3399 Puma Quentin Schulz (2): arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399 Puma arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399 Puma with Haikou .../devicetree/bindings/usb/cypress,hx3.yaml | 19 +++++++-- .../arm64/boot/dts/rockchip/rk3399-puma-haikou.dts | 8 ---- arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 48 +++++++++++----------- drivers/usb/misc/onboard_usb_dev.c | 10 ++++- 4 files changed, 48 insertions(+), 37 deletions(-) --- base-commit: 834a4a689699090a406d1662b03affa8b155d025 change-id: 20250326-onboard_usb_dev-a7c063a8a515 prerequisite-change-id: 20250415-dt-binding-usb-device-compatibles-188f7b0a81b4:v2 prerequisite-patch-id: f5b90f95302ac9065fbbe5244cc7845c2a772ab6 Best regards, -- Lukasz Czechowski <lukasz.czechowski(a)thaumatec.com>

4 months

5
9
0 0

[PATCH] platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store()

by Vladimir Moskovkin

If the 'buf' array received from the user contains an empty string, the 'length' variable will be zero. Accessing the 'buf' array element with index 'length - 1' will result in a buffer overflow. Add a check for an empty string. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems") Cc: stable(a)vger.kernel.org Signed-off-by: Vladimir Moskovkin <Vladimir.Moskovkin(a)kaspersky.com> --- drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c b/drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c index 230e6ee96636..d8f1bf5e58a0 100644 --- a/drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c +++ b/drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c @@ -45,7 +45,7 @@ static ssize_t current_password_store(struct kobject *kobj, int length; length = strlen(buf); - if (buf[length-1] == '\n') + if (length && buf[length - 1] == '\n') length--; /* firmware does verifiation of min/max password length, -- 2.25.1

4 months

2
1
0 0

[PATCH net 0/5] hv_netvsc: Fix error "nvsp_rndis_pkt_complete error status: 2"

by mhkelley58＠gmail.com

From: Michael Kelley <mhklinux(a)outlook.com> Starting with commit dca5161f9bd0 in the 6.3 kernel, the Linux driver for Hyper-V synthetic networking (netvsc) occasionally reports "nvsp_rndis_pkt_complete error status: 2".[1] This error indicates that Hyper-V has rejected a network packet transmit request from the guest, and the outgoing network packet is dropped. Higher level network protocols presumably recover and resend the packet so there is no functional error, but performance is slightly impacted. Commit dca5161f9bd0 is not the cause of the error -- it only added reporting of an error that was already happening without any notice. The error has presumably been present since the netvsc driver was originally introduced into Linux. This patch set fixes the root cause of the problem, which is that the netvsc driver in Linux may send an incorrectly formatted VMBus message to Hyper-V when transmitting the network packet. The incorrect formatting occurs when the rndis header of the VMBus message crosses a page boundary due to how the Linux skb head memory is aligned. In such a case, two PFNs are required to describe the location of the rndis header, even though they are contiguous in guest physical address (GPA) space. Hyper-V requires that two PFNs be in a single "GPA range" data struture, but current netvsc code puts each PFN in its own GPA range, which Hyper-V rejects as an error in the case of the rndis header. The incorrect formatting occurs only for larger packets that netvsc must transmit via a VMBus "GPA Direct" message. There's no problem when netvsc transmits a smaller packet by copying it into a pre- allocated send buffer slot because the pre-allocated slots don't have page crossing issues. After commit 14ad6ed30a10 in the 6.14 kernel, the error occurs much more frequently in VMs with 16 or more vCPUs. It may occur every few seconds, or even more frequently, in a ssh session that outputs a lot of text. Commit 14ad6ed30a10 subtly changes how skb head memory is allocated, making it much more likely that the rndis header will cross a page boundary when the vCPU count is 16 or more. The changes in commit 14ad6ed30a10 are perfectly valid -- they just had the side effect of making the netvsc bug more prominent. One fix is to check for adjacent PFNs in vmbus_sendpacket_pagebuffer() and just combine them into a single GPA range. Such a fix is very contained. But conceptually it is fixing the problem at the wrong level. So this patch set takes the broader approach of maintaining the already known grouping of contiguous PFNs at a higher level in the netvsc driver code, and propagating that grouping down to the creation of the VMBus message to send to Hyper-V. Maintaining the grouping fixes this problem, and has the added benefit of allowing netvsc_dma_map() to make fewer calls to dma_map_single() to do bounce buffering in CoCo VMs. Patch 1 is a preparatory change to allow vmbus_sendpacket_mpb_desc() to specify multiple GPA ranges. In current code vmbus_sendpacket_mpb_desc() is used only by the storvsc synthetic SCSI driver, and it always creates a single GPA range. Patch 2 updates the netvsc driver to use vmbus_sendpacket_mpb_desc() instead of vmbus_sendpacket_pagebuffer(). Because the higher levels of netvsc still don't group contiguous PFNs, this patch is functionally neutral. The VMBus message to Hyper-V still has many GPA ranges, each with a single PFN. But it lays the groundwork for the next patch. Patch 3 changes the higher levels of netvsc to preserve the already known grouping of contiguous PFNs. When the contiguous groupings are passed to vmbus_sendpacket_mpb_desc(), GPA ranges containing multiple PFNs are produced, as expected by Hyper-V. This is point at which the core problem is fixed. Patches 4 and 5 remove code that is no longer necessary after the previous patches. These changes provide a net reduction of about 65 lines of code, which is an added benefit. These changes have been tested in normal VMs, in SEV-SNP and TDX CoCo VMs, and in Dv6-series VMs where the netvsp implementation is in the OpenHCL paravisor instead of the Hyper-V host. These changes are built against kernel version 6.15-rc6. [1] https://bugzilla.kernel.org/show_bug.cgi?id=217503 Michael Kelley (5): Drivers: hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages hv_netvsc: Preserve contiguous PFN grouping in the page buffer array hv_netvsc: Remove rmsg_pgcnt Drivers: hv: vmbus: Remove vmbus_sendpacket_pagebuffer() drivers/hv/channel.c | 65 ++----------------------------- drivers/net/hyperv/hyperv_net.h | 13 ++++++- drivers/net/hyperv/netvsc.c | 57 ++++++++++++++++++++++----- drivers/net/hyperv/netvsc_drv.c | 62 +++++++---------------------- drivers/net/hyperv/rndis_filter.c | 24 +++--------- drivers/scsi/storvsc_drv.c | 1 + include/linux/hyperv.h | 7 ---- 7 files changed, 83 insertions(+), 146 deletions(-) -- 2.25.1

4 months

4
14
0 0

[PATCH] ALSA: usb-audio: Add sample rate quirk for Microdia JP001 USB Camera

by Nicolas Chauvet

Microdia JP001 does not support reading the sample rate which leads to many lines of "cannot get freq at ep 0x84". This patch adds the USB ID to quirks.c and avoids those error messages. usb 7-4: New USB device found, idVendor=0c45, idProduct=636b, bcdDevice= 1.00 usb 7-4: New USB device strings: Mfr=2, Product=1, SerialNumber=3 usb 7-4: Product: JP001 usb 7-4: Manufacturer: JP001 usb 7-4: SerialNumber: JP001 usb 7-4: 3:1: cannot get freq at ep 0x84 Cc: <stable(a)vger.kernel.org> Signed-off-by: Nicolas Chauvet <kwizart(a)gmail.com> --- sound/usb/quirks.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c index 9112313a9dbc..d3e45240329d 100644 --- a/sound/usb/quirks.c +++ b/sound/usb/quirks.c @@ -2242,6 +2242,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = { QUIRK_FLAG_CTL_MSG_DELAY_1M), DEVICE_FLG(0x0c45, 0x6340, /* Sonix HD USB Camera */ QUIRK_FLAG_GET_SAMPLE_RATE), + DEVICE_FLG(0x0c45, 0x636b, /* Microdia JP001 USB Camera */ + QUIRK_FLAG_GET_SAMPLE_RATE), DEVICE_FLG(0x0d8c, 0x0014, /* USB Audio Device */ QUIRK_FLAG_CTL_MSG_DELAY_1M), DEVICE_FLG(0x0ecb, 0x205c, /* JBL Quantum610 Wireless */ -- 2.49.0

4 months

2
1
0 0

[PATCH v8 0/1] kasan: Avoid sleepable page allocation from atomic context

by Alexander Gordeev

Hi All, Chages since v7: - drop "unnecessary free pages" optimization - fix error path page leak Chages since v6: - do not unnecessary free pages across iterations Chages since v5: - full error message included into commit description Chages since v4: - unused pages leak is avoided Chages since v3: - pfn_to_virt() changed to page_to_virt() due to compile error Chages since v2: - page allocation moved out of the atomic context Chages since v1: - Fixes: and -stable tags added to the patch description Thanks! Alexander Gordeev (1): kasan: Avoid sleepable page allocation from atomic context mm/kasan/shadow.c | 77 ++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 63 insertions(+), 14 deletions(-) -- 2.45.2

4 months

2
3
0 0

[PATCH v2] fs: minix: Fix handling of corrupted directories

by Andrey Kriulin

If the directory is corrupted and the number of nlinks is less than 2 (valid nlinks have at least 2), then when the directory is deleted, the minix_rmdir will try to reduce the nlinks(unsigned int) to a negative value. Make nlinks validity check for directory. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Andrey Kriulin <kitotavrik.media(a)gmail.com> Signed-off-by: Andrey Kriulin <kitotavrik.s(a)gmail.com> --- v2: Move nlinks validaty check to V[12]_minix_iget() per Jan Kara <jack(a)suse.cz> request. Change return error code to EUCLEAN. Don't block directory in r/o mode per Al Viro <viro(a)zeniv.linux.org.uk> request. fs/minix/inode.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/fs/minix/inode.c b/fs/minix/inode.c index f007e389d5d2..d815397b8b0d 100644 --- a/fs/minix/inode.c +++ b/fs/minix/inode.c @@ -517,6 +517,14 @@ static struct inode *V1_minix_iget(struct inode *inode) iget_failed(inode); return ERR_PTR(-ESTALE); } + if (S_ISDIR(raw_inode->i_mode) && raw_inode->i_nlinks < 2) { + printk("MINIX-fs: inode directory with corrupted number of links"); + if (!sb_rdonly(inode->i_sb)) { + brelse(bh); + iget_failed(inode); + return ERR_PTR(-EUCLEAN); + } + } inode->i_mode = raw_inode->i_mode; i_uid_write(inode, raw_inode->i_uid); i_gid_write(inode, raw_inode->i_gid); @@ -555,6 +563,14 @@ static struct inode *V2_minix_iget(struct inode *inode) iget_failed(inode); return ERR_PTR(-ESTALE); } + if (S_ISDIR(raw_inode->i_mode) && raw_inode->i_nlinks < 2) { + printk("MINIX-fs: inode directory with corrupted number of links"); + if (!sb_rdonly(inode->i_sb)) { + brelse(bh); + iget_failed(inode); + return ERR_PTR(-EUCLEAN); + } + } inode->i_mode = raw_inode->i_mode; i_uid_write(inode, raw_inode->i_uid); i_gid_write(inode, raw_inode->i_gid); -- 2.47.2

4 months

3
3
0 0

[PATCH] ASoC: Intel: avs: rt274: Add null pointer check for snd_soc_card_get_codec_dai()

by Wentao Liang

The avs_card_suspend_pre() and avs_card_resume_post() in rt274 calls the snd_soc_card_get_codec_dai(), but does not check its return value which is a null pointer if the function fails. This can result in a null pointer dereference. A proper implementation can be found in acp5x_nau8821_hw_params() and card_suspend_pre(). Add a null pointer check for snd_soc_card_get_codec_dai() to avoid null pointer dereference when the function fails. Fixes: a08797afc1f9 ("ASoC: Intel: avs: rt274: Refactor jack handling") Cc: stable(a)vger.kernel.org # v6.2 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- sound/soc/intel/avs/boards/rt274.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/sound/soc/intel/avs/boards/rt274.c b/sound/soc/intel/avs/boards/rt274.c index 4b6c02a40204..7a8b6ee79f4c 100644 --- a/sound/soc/intel/avs/boards/rt274.c +++ b/sound/soc/intel/avs/boards/rt274.c @@ -194,6 +194,11 @@ static int avs_card_suspend_pre(struct snd_soc_card *card) { struct snd_soc_dai *codec_dai = snd_soc_card_get_codec_dai(card, RT274_CODEC_DAI); + if (!codec_dai) { + dev_err(card->dev, "Codec dai not found\n"); + return -EINVAL; + } + return snd_soc_component_set_jack(codec_dai->component, NULL, NULL); } @@ -202,6 +207,11 @@ static int avs_card_resume_post(struct snd_soc_card *card) struct snd_soc_dai *codec_dai = snd_soc_card_get_codec_dai(card, RT274_CODEC_DAI); struct snd_soc_jack *jack = snd_soc_card_get_drvdata(card); + if (!codec_dai) { + dev_err(card->dev, "Codec dai not found\n"); + return -EINVAL; + } + return snd_soc_component_set_jack(codec_dai->component, jack, NULL); } -- 2.42.0.windows.2

4 months

2
1
0 0

[PATCH] ASoC: Intel: avs: nau8825: Add null pointer check for snd_soc_card_get_codec_dai()

by Wentao Liang

The function avs_card_suspend_pre() in nau8825 calls the function snd_soc_card_get_codec_dai(), but does not check its return value which is a null pointer if the function fails. This can result in a null pointer dereference. A proper implementation can be found in acp5x_nau8821_hw_params() and card_suspend_pre(). Add a null pointer check for snd_soc_card_get_codec_dai() to avoid null pointer dereference when the function fails. Fixes: 9febcd7a0180 ("ASoC: Intel: avs: nau8825: Refactor jack handling") Cc: stable(a)vger.kernel.org # v6.2 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- sound/soc/intel/avs/boards/nau8825.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/sound/soc/intel/avs/boards/nau8825.c b/sound/soc/intel/avs/boards/nau8825.c index bf902540744c..5baeb95cd5a6 100644 --- a/sound/soc/intel/avs/boards/nau8825.c +++ b/sound/soc/intel/avs/boards/nau8825.c @@ -220,6 +220,11 @@ static int avs_card_suspend_pre(struct snd_soc_card *card) { struct snd_soc_dai *codec_dai = snd_soc_card_get_codec_dai(card, SKL_NUVOTON_CODEC_DAI); + if (!codec_dai) { + dev_err(card->dev, "Codec dai not found\n"); + return -EINVAL; + } + return snd_soc_component_set_jack(codec_dai->component, NULL, NULL); } -- 2.42.0.windows.2

4 months

2
1
0 0

All-Energy Exhibition and Conference 2025 Attendee's List

by Jack Reacher

Hi, As an exhibiting company at All-Energy Exhibition and Conference 2025 we have access to the fully updated attendee list, including last-minute registrants who attended the show. This exclusive list can help you: ✅ Connect with high-intent leads ✅ Follow up with attendees who visited (or missed) your booth ✅ Maximize your ROI from the event If you're Interested, I’d love to share more details—and I can also provide pricing information. Looking forward to your thoughts. Regards, Jack Reacher Sr. Marketing Manager If you do not wish to receive this newsletter reply as "Not interested"

4 months

1
0
0 0

[PATCH 5.15.y] block: fix direct io NOWAIT flag not work

by Fengnan Chang

commit 8b44b4d81598 ("block: don't allow multiple bios for IOCB_NOWAIT issue") backport a upstream fix, but miss commit b77c88c2100c ("block: pass a block_device and opf to bio_alloc_kiocb"), and introduce this bug. commit b77c88c2100c ("block: pass a block_device and opf to bio_alloc_kiocb") have other depend patch, so just fix it. Fixes: 8b44b4d81598 ("block: don't allow multiple bios for IOCB_NOWAIT issue") Signed-off-by: Fengnan Chang <changfengnan(a)bytedance.com> --- block/fops.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/block/fops.c b/block/fops.c index 4c8948979921..72da501542f1 100644 --- a/block/fops.c +++ b/block/fops.c @@ -259,7 +259,6 @@ static ssize_t __blkdev_direct_IO(struct kiocb *iocb, struct iov_iter *iter, blk_finish_plug(&plug); return -EAGAIN; } - bio->bi_opf |= REQ_NOWAIT; } if (is_read) { @@ -270,6 +269,10 @@ static ssize_t __blkdev_direct_IO(struct kiocb *iocb, struct iov_iter *iter, bio->bi_opf = dio_bio_write_op(iocb); task_io_account_write(bio->bi_iter.bi_size); } + + if (iocb->ki_flags & IOCB_NOWAIT) + bio->bi_opf |= REQ_NOWAIT; + dio->size += bio->bi_iter.bi_size; pos += bio->bi_iter.bi_size; -- 2.39.2 (Apple Git-143)

4 months

2
2
0 0

[PATCH v2 0/7] pinctrl: armada-37xx: a couple of small fixes

by Gabor Juhos

The series contains several small patches to fix various issues in the pinctrl driver for Armada 3700. Signed-off-by: Gabor Juhos <j4g8y7(a)gmail.com> --- Changes in v2: - remove 'stable' and 'Fixes' tags from the error propagating patches - collect 'Reviewed-by' tags from Andrew - swap patches 2 and 3 so the bug fix in the latter can be applied cleanly without depending on the change in the former - Link to v1: https://lore.kernel.org/r/20250512-pinctrl-a37xx-fixes-v1-0-d470fb1116a5@gm… --- Gabor Juhos (7): pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 pinctrl: armada-37xx: set GPIO output value before setting direction pinctrl: armada-37xx: propagate error from armada_37xx_gpio_direction_output() pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 35 ++++++++++++++++------------- 1 file changed, 20 insertions(+), 15 deletions(-) --- base-commit: 82f2b0b97b36ee3fcddf0f0780a9a0825d52fec3 change-id: 20250512-pinctrl-a37xx-fixes-98fabc45cb11 Best regards, -- Gabor Juhos <j4g8y7(a)gmail.com>

4 months

2
4
0 0

[PATCH] LoongArch: Save and restore CSR.CNTC for hibernation

by Huacai Chen

Save and restore CSR.CNTC for hibernation which is similar to suspend. For host this is unnecessary because sched clock is ensured continuous, but for kvm guest sched clock isn't enough because rdtime.d should also be continuous. Host::rdtime.d = Host::CSR.CNTC + counter Guest::rdtime.d = Host::CSR.CNTC + Host::CSR.GCNTC + Guest::CSR.CNTC + counter so, Guest::rdtime.d = Host::rdtime.d + Host::CSR.GCNTC + Guest::CSR.CNTC To ensure Guest::rdtime.d continuous, Host::rdtime.d should be at first continuous, while Host::CSR.GCNTC / Guest::CSR.CNTC is maintained by KVM. Cc: stable(a)vger.kernel.org Signed-off-by: Xianglai Li <lixianglai(a)loongson.cn> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- arch/loongarch/kernel/time.c | 2 +- arch/loongarch/power/hibernate.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/arch/loongarch/kernel/time.c b/arch/loongarch/kernel/time.c index e2d3bfeb6366..bc75a3a69fc8 100644 --- a/arch/loongarch/kernel/time.c +++ b/arch/loongarch/kernel/time.c @@ -111,7 +111,7 @@ static unsigned long __init get_loops_per_jiffy(void) return lpj; } -static long init_offset __nosavedata; +static long init_offset; void save_counter(void) { diff --git a/arch/loongarch/power/hibernate.c b/arch/loongarch/power/hibernate.c index 1e0590542f98..e7b7346592cb 100644 --- a/arch/loongarch/power/hibernate.c +++ b/arch/loongarch/power/hibernate.c @@ -2,6 +2,7 @@ #include <asm/fpu.h> #include <asm/loongson.h> #include <asm/sections.h> +#include <asm/time.h> #include <asm/tlbflush.h> #include <linux/suspend.h> @@ -14,6 +15,7 @@ struct pt_regs saved_regs; void save_processor_state(void) { + save_counter(); saved_crmd = csr_read32(LOONGARCH_CSR_CRMD); saved_prmd = csr_read32(LOONGARCH_CSR_PRMD); saved_euen = csr_read32(LOONGARCH_CSR_EUEN); @@ -26,6 +28,7 @@ void save_processor_state(void) void restore_processor_state(void) { + sync_counter(); csr_write32(saved_crmd, LOONGARCH_CSR_CRMD); csr_write32(saved_prmd, LOONGARCH_CSR_PRMD); csr_write32(saved_euen, LOONGARCH_CSR_EUEN); -- 2.47.1

4 months

2
1
0 0

[PATCH v2] usb: cdnsp: Fix issue with detecting command completion event

by Pawel Laszczak

In some cases, there is a small-time gap in which CMD_RING_BUSY can be cleared by controller but adding command completion event to event ring will be delayed. As the result driver will return error code. This behavior has been detected on usbtest driver (test 9) with configuration including ep1in/ep1out bulk and ep2in/ep2out isoc endpoint. Probably this gap occurred because controller was busy with adding some other events to event ring. The CMD_RING_BUSY is cleared to '0' when the Command Descriptor has been executed and not when command completion event has been added to event ring. To fix this issue for this test the small delay is sufficient less than 10us) but to make sure the problem doesn't happen again in the future the patch introduces 10 retries to check with delay about 20us before returning error code. Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver") cc: stable(a)vger.kernel.org Signed-off-by: Pawel Laszczak <pawell(a)cadence.com> --- Changelog: v2: - replaced usleep_range with udelay - increased retry counter and decreased the udelay value drivers/usb/cdns3/cdnsp-gadget.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/drivers/usb/cdns3/cdnsp-gadget.c b/drivers/usb/cdns3/cdnsp-gadget.c index 4824a10df07e..58650b7f4173 100644 --- a/drivers/usb/cdns3/cdnsp-gadget.c +++ b/drivers/usb/cdns3/cdnsp-gadget.c @@ -547,6 +547,7 @@ int cdnsp_wait_for_cmd_compl(struct cdnsp_device *pdev) dma_addr_t cmd_deq_dma; union cdnsp_trb *event; u32 cycle_state; + u32 retry = 10; int ret, val; u64 cmd_dma; u32 flags; @@ -578,8 +579,23 @@ int cdnsp_wait_for_cmd_compl(struct cdnsp_device *pdev) flags = le32_to_cpu(event->event_cmd.flags); /* Check the owner of the TRB. */ - if ((flags & TRB_CYCLE) != cycle_state) + if ((flags & TRB_CYCLE) != cycle_state) { + /* + * Give some extra time to get chance controller + * to finish command before returning error code. + * Checking CMD_RING_BUSY is not sufficient because + * this bit is cleared to '0' when the Command + * Descriptor has been executed by controller + * and not when command completion event has + * be added to event ring. + */ + if (retry--) { + udelay(20); + continue; + } + return -EINVAL; + } cmd_dma = le64_to_cpu(event->event_cmd.cmd_trb); -- 2.43.0

4 months

2
3
0 0

[PATCH 1/2] drm/xe/vm: move rebind_work init earlier

by Matthew Auld

In xe_vm_close_and_put() we need to be able to call flush_work(rebind_work), however during vm creation we can call this on the error path, before having actually set up the worker, leading to a splat from flush_work(). It looks like we can simply move the worker init step earlier to fix this. Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.8+ --- drivers/gpu/drm/xe/xe_vm.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c index 5a978da411b0..168756fb140b 100644 --- a/drivers/gpu/drm/xe/xe_vm.c +++ b/drivers/gpu/drm/xe/xe_vm.c @@ -1704,8 +1704,10 @@ struct xe_vm *xe_vm_create(struct xe_device *xe, u32 flags) * scheduler drops all the references of it, hence protecting the VM * for this case is necessary. */ - if (flags & XE_VM_FLAG_LR_MODE) + if (flags & XE_VM_FLAG_LR_MODE) { + INIT_WORK(&vm->preempt.rebind_work, preempt_rebind_work_func); xe_pm_runtime_get_noresume(xe); + } vm_resv_obj = drm_gpuvm_resv_object_alloc(&xe->drm); if (!vm_resv_obj) { @@ -1750,10 +1752,8 @@ struct xe_vm *xe_vm_create(struct xe_device *xe, u32 flags) vm->batch_invalidate_tlb = true; } - if (vm->flags & XE_VM_FLAG_LR_MODE) { - INIT_WORK(&vm->preempt.rebind_work, preempt_rebind_work_func); + if (vm->flags & XE_VM_FLAG_LR_MODE) vm->batch_invalidate_tlb = false; - } /* Fill pt_root after allocating scratch tables */ for_each_tile(tile, xe, id) { -- 2.49.0

4 months

2
1
0 0

[PATCH 0/2] PCI: of: Fix OF device node refcount leakages

by Zijun Hu

This patch series is to fix OF device node refcount leakage for - of_irq_parse_and_map_pci() - of_pci_prop_intr_map() Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com> --- Zijun Hu (2): PCI: of: Fix OF device node refcount leakage in API of_irq_parse_and_map_pci() PCI: of: Fix OF device node refcount leakages in of_pci_prop_intr_map() drivers/pci/of.c | 2 ++ drivers/pci/of_property.c | 20 +++++++++++--------- 2 files changed, 13 insertions(+), 9 deletions(-) --- base-commit: 7d06015d936c861160803e020f68f413b5c3cd9d change-id: 20250407-fix_of_pci-20b45dcc26b5 Best regards, -- Zijun Hu <quic_zijuhu(a)quicinc.com>

4 months

1
2
0 0

+ highmem-add-folio_test_partial_kmap.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: highmem: add folio_test_partial_kmap() has been added to the -mm mm-hotfixes-unstable branch. Its filename is highmem-add-folio_test_partial_kmap.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: "Matthew Wilcox (Oracle)" <willy(a)infradead.org> Subject: highmem: add folio_test_partial_kmap() Date: Wed, 14 May 2025 18:06:02 +0100 In commit c749d9b7ebbc (iov_iter: fix copy_page_from_iter_atomic() if KMAP_LOCAL_FORCE_MAP), Hugh correctly noted that if KMAP_LOCAL_FORCE_MAP is enabled, we must limit ourselves to PAGE_SIZE bytes per call to kmap_local(). The same problem exists in memcpy_from_folio(), memcpy_to_folio(), folio_zero_tail(), folio_fill_tail() and memcpy_from_file_folio(), so add folio_test_partial_kmap() to do this more succinctly. Link: https://lkml.kernel.org/r/20250514170607.3000994-2-willy@infradead.org Fixes: 00cdf76012ab ("mm: add memcpy_from_file_folio()") Signed-off-by: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Hugh Dickins <hughd(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/highmem.h | 10 +++++----- include/linux/page-flags.h | 7 +++++++ 2 files changed, 12 insertions(+), 5 deletions(-) --- a/include/linux/highmem.h~highmem-add-folio_test_partial_kmap +++ a/include/linux/highmem.h @@ -461,7 +461,7 @@ static inline void memcpy_from_folio(cha const char *from = kmap_local_folio(folio, offset); size_t chunk = len; - if (folio_test_highmem(folio) && + if (folio_test_partial_kmap(folio) && chunk > PAGE_SIZE - offset_in_page(offset)) chunk = PAGE_SIZE - offset_in_page(offset); memcpy(to, from, chunk); @@ -489,7 +489,7 @@ static inline void memcpy_to_folio(struc char *to = kmap_local_folio(folio, offset); size_t chunk = len; - if (folio_test_highmem(folio) && + if (folio_test_partial_kmap(folio) && chunk > PAGE_SIZE - offset_in_page(offset)) chunk = PAGE_SIZE - offset_in_page(offset); memcpy(to, from, chunk); @@ -522,7 +522,7 @@ static inline __must_check void *folio_z { size_t len = folio_size(folio) - offset; - if (folio_test_highmem(folio)) { + if (folio_test_partial_kmap(folio)) { size_t max = PAGE_SIZE - offset_in_page(offset); while (len > max) { @@ -560,7 +560,7 @@ static inline void folio_fill_tail(struc VM_BUG_ON(offset + len > folio_size(folio)); - if (folio_test_highmem(folio)) { + if (folio_test_partial_kmap(folio)) { size_t max = PAGE_SIZE - offset_in_page(offset); while (len > max) { @@ -597,7 +597,7 @@ static inline size_t memcpy_from_file_fo size_t offset = offset_in_folio(folio, pos); char *from = kmap_local_folio(folio, offset); - if (folio_test_highmem(folio)) { + if (folio_test_partial_kmap(folio)) { offset = offset_in_page(offset); len = min_t(size_t, len, PAGE_SIZE - offset); } else --- a/include/linux/page-flags.h~highmem-add-folio_test_partial_kmap +++ a/include/linux/page-flags.h @@ -615,6 +615,13 @@ FOLIO_FLAG(dropbehind, FOLIO_HEAD_PAGE) PAGEFLAG_FALSE(HighMem, highmem) #endif +/* Does kmap_local_folio() only allow access to one page of the folio? */ +#ifdef CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP +#define folio_test_partial_kmap(f) true +#else +#define folio_test_partial_kmap(f) folio_test_highmem(f) +#endif + #ifdef CONFIG_SWAP static __always_inline bool folio_test_swapcache(const struct folio *folio) { _ Patches currently in -mm which might be from willy(a)infradead.org are highmem-add-folio_test_partial_kmap.patch mm-rename-page-index-to-page-__folio_index.patch

4 months

1
0
0 0

[PATCH] arm64: dts: qcom: sm8350: Fix typo in pil_camera_mem node

by Alok Tiwari

There is a typo in sm8350.dts where the node label mmeory@85200000 should be memory@85200000. This patch corrects the typo for clarity and consistency. Fixes: b7e8f433a673 ("arm64: dts: qcom: Add basic devicetree support for SM8350 SoC") Cc: stable(a)vger.kernel.org Signed-off-by: Alok Tiwari <alok.a.tiwari(a)oracle.com> --- arch/arm64/boot/dts/qcom/sm8350.dtsi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/boot/dts/qcom/sm8350.dtsi b/arch/arm64/boot/dts/qcom/sm8350.dtsi index f2e12da13e68..971c828a7555 100644 --- a/arch/arm64/boot/dts/qcom/sm8350.dtsi +++ b/arch/arm64/boot/dts/qcom/sm8350.dtsi @@ -457,7 +457,7 @@ cdsp_secure_heap: memory@80c00000 { no-map; }; - pil_camera_mem: mmeory@85200000 { + pil_camera_mem: memory@85200000 { reg = <0x0 0x85200000 0x0 0x500000>; no-map; }; -- 2.47.1

4 months

2
1
0 0

[PATCH 5.15 v2 00/14] ITS mitigation

by Pawan Gupta

v2: - Added the missing "--from" during patch generation. - Added missing patch to 6.1 backport. This is a backport of mitigation for Indirect Target Selection (ITS). ITS is a bug in some Intel CPUs that affects indirect branches including RETs in the first half of a cacheline. Mitigation is to relocate the affected branches to an ITS-safe thunk. Below additional upstream commits are required to cover some of the special cases like indirects in asm and returns in static calls: cfceff8526a4 ("x86/speculation: Simplify and make CALL_NOSPEC consistent") 052040e34c08 ("x86/speculation: Add a conditional CS prefix to CALL_NOSPEC") c8c81458863a ("x86/speculation: Remove the extra #ifdef around CALL_NOSPEC") d2408e043e72 ("x86/alternative: Optimize returns patching") 4ba89dd6ddec ("x86/alternatives: Remove faulty optimization") [1] https://github.com/torvalds/linux/commit/6f5bf947bab06f37ff931c359fd5770c4d… --- Borislav Petkov (AMD) (1): x86/alternative: Optimize returns patching Josh Poimboeuf (1): x86/alternatives: Remove faulty optimization Pawan Gupta (10): x86/speculation: Simplify and make CALL_NOSPEC consistent x86/speculation: Add a conditional CS prefix to CALL_NOSPEC x86/speculation: Remove the extra #ifdef around CALL_NOSPEC Documentation: x86/bugs/its: Add ITS documentation x86/its: Enumerate Indirect Target Selection (ITS) bug x86/its: Add support for ITS-safe indirect thunk x86/its: Add support for ITS-safe return thunk x86/its: Enable Indirect Target Selection mitigation x86/its: Add "vmexit" option to skip mitigation on some CPUs x86/its: Align RETs in BHB clear sequence to avoid thunking Peter Zijlstra (2): x86,nospec: Simplify {JMP,CALL}_NOSPEC x86/its: Use dynamic thunks for indirect branches Documentation/ABI/testing/sysfs-devices-system-cpu | 1 + Documentation/admin-guide/hw-vuln/index.rst | 1 + .../hw-vuln/indirect-target-selection.rst | 156 ++++++++++++++ Documentation/admin-guide/kernel-parameters.txt | 15 ++ arch/x86/Kconfig | 11 + arch/x86/entry/entry_64.S | 20 +- arch/x86/include/asm/alternative.h | 24 +++ arch/x86/include/asm/cpufeatures.h | 3 + arch/x86/include/asm/msr-index.h | 8 + arch/x86/include/asm/nospec-branch.h | 57 ++++-- arch/x86/kernel/alternative.c | 226 ++++++++++++++++++++- arch/x86/kernel/cpu/bugs.c | 139 ++++++++++++- arch/x86/kernel/cpu/common.c | 63 ++++-- arch/x86/kernel/ftrace.c | 2 +- arch/x86/kernel/module.c | 7 + arch/x86/kernel/static_call.c | 2 +- arch/x86/kernel/vmlinux.lds.S | 10 + arch/x86/kvm/x86.c | 4 +- arch/x86/lib/retpoline.S | 39 ++++ arch/x86/net/bpf_jit_comp.c | 8 +- drivers/base/cpu.c | 8 + include/linux/cpu.h | 2 + include/linux/module.h | 5 + 23 files changed, 768 insertions(+), 43 deletions(-) --- change-id: 20250512-its-5-15-0e0385221e32

4 months

2
28
0 0

[PATCH 6.1 0/3] ITS fixes

by Pawan Gupta

Two of the patches are older rethunk fixes and one is a build fix for CONFIG_MODULES=n. --- Borislav Petkov (AMD) (1): x86/alternative: Optimize returns patching Eric Biggers (1): x86/its: Fix build errors when CONFIG_MODULES=n Josh Poimboeuf (1): x86/alternatives: Remove faulty optimization arch/x86/kernel/alternative.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) --- change-id: 20250513-its-fixes-6-1-d21ce20b0d1d

4 months

2
6
0 0

[PATCH 6.1.y] bnxt_en: Fix receive ring space parameters when XDP is active

by Zhaoyang Li

From: Shravya KN <shravya.k-n(a)broadcom.com> [ Upstream commit 3051a77a09dfe3022aa012071346937fdf059033 ] The MTU setting at the time an XDP multi-buffer is attached determines whether the aggregation ring will be used and the rx_skb_func handler. This is done in bnxt_set_rx_skb_mode(). If the MTU is later changed, the aggregation ring setting may need to be changed and it may become out-of-sync with the settings initially done in bnxt_set_rx_skb_mode(). This may result in random memory corruption and crashes as the HW may DMA data larger than the allocated buffer size, such as: BUG: kernel NULL pointer dereference, address: 00000000000003c0 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 17 PID: 0 Comm: swapper/17 Kdump: loaded Tainted: G S OE 6.1.0-226bf9805506 #1 Hardware name: Wiwynn Delta Lake PVT BZA.02601.0150/Delta Lake-Class1, BIOS F0E_3A12 08/26/2021 RIP: 0010:bnxt_rx_pkt+0xe97/0x1ae0 [bnxt_en] Code: 8b 95 70 ff ff ff 4c 8b 9d 48 ff ff ff 66 41 89 87 b4 00 00 00 e9 0b f7 ff ff 0f b7 43 0a 49 8b 95 a8 04 00 00 25 ff 0f 00 00 <0f> b7 14 42 48 c1 e2 06 49 03 95 a0 04 00 00 0f b6 42 33f RSP: 0018:ffffa19f40cc0d18 EFLAGS: 00010202 RAX: 00000000000001e0 RBX: ffff8e2c805c6100 RCX: 00000000000007ff RDX: 0000000000000000 RSI: ffff8e2c271ab990 RDI: ffff8e2c84f12380 RBP: ffffa19f40cc0e48 R08: 000000000001000d R09: 974ea2fcddfa4cbf R10: 0000000000000000 R11: ffffa19f40cc0ff8 R12: ffff8e2c94b58980 R13: ffff8e2c952d6600 R14: 0000000000000016 R15: ffff8e2c271ab990 FS: 0000000000000000(0000) GS:ffff8e3b3f840000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000003c0 CR3: 0000000e8580a004 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> __bnxt_poll_work+0x1c2/0x3e0 [bnxt_en] To address the issue, we now call bnxt_set_rx_skb_mode() within bnxt_change_mtu() to properly set the AGG rings configuration and update rx_skb_func based on the new MTU value. Additionally, BNXT_FLAG_NO_AGG_RINGS is cleared at the beginning of bnxt_set_rx_skb_mode() to make sure it gets set or cleared based on the current MTU. Fixes: 08450ea98ae9 ("bnxt_en: Fix max_mtu setting for multi-buf XDP") Co-developed-by: Somnath Kotur <somnath.kotur(a)broadcom.com> Signed-off-by: Somnath Kotur <somnath.kotur(a)broadcom.com> Signed-off-by: Shravya KN <shravya.k-n(a)broadcom.com> Signed-off-by: Michael Chan <michael.chan(a)broadcom.com> Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Zhaoyang Li <lizy04(a)hust.edu.cn> --- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c index 393a983f6d69..6b1245a3ab4b 100644 --- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c @@ -4041,7 +4041,7 @@ int bnxt_set_rx_skb_mode(struct bnxt *bp, bool page_mode) struct net_device *dev = bp->dev; if (page_mode) { - bp->flags &= ~BNXT_FLAG_AGG_RINGS; + bp->flags &= ~(BNXT_FLAG_AGG_RINGS | BNXT_FLAG_NO_AGG_RINGS); bp->flags |= BNXT_FLAG_RX_PAGE_MODE; if (bp->xdp_prog->aux->xdp_has_frags) @@ -12799,6 +12799,14 @@ static int bnxt_change_mtu(struct net_device *dev, int new_mtu) bnxt_close_nic(bp, true, false); dev->mtu = new_mtu; + + /* MTU change may change the AGG ring settings if an XDP multi-buffer + * program is attached. We need to set the AGG rings settings and + * rx_skb_func accordingly. + */ + if (READ_ONCE(bp->xdp_prog)) + bnxt_set_rx_skb_mode(bp, true); + bnxt_set_ring_params(bp); if (netif_running(dev)) -- 2.25.1

4 months

2
1
0 0

FAILED: patch "[PATCH] drm/xe/gsc: do not flush the GSC worker from the reset path" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 03552d8ac0afcc080c339faa0b726e2c0e9361cb # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051239-ceremony-rehab-8e6c@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 03552d8ac0afcc080c339faa0b726e2c0e9361cb Mon Sep 17 00:00:00 2001 From: Daniele Ceraolo Spurio <daniele.ceraolospurio(a)intel.com> Date: Fri, 2 May 2025 08:51:04 -0700 Subject: [PATCH] drm/xe/gsc: do not flush the GSC worker from the reset path The workqueue used for the reset worker is marked as WQ_MEM_RECLAIM, while the GSC one isn't (and can't be as we need to do memory allocations in the gsc worker). Therefore, we can't flush the latter from the former. The reason why we had such a flush was to avoid interrupting either the GSC FW load or in progress GSC proxy operations. GSC proxy operations fall into 2 categories: 1) GSC proxy init: this only happens once immediately after GSC FW load and does not support being interrupted. The only way to recover from an interruption of the proxy init is to do an FLR and re-load the GSC. 2) GSC proxy request: this can happen in response to a request that the driver sends to the GSC. If this is interrupted, the GSC FW will timeout and the driver request will be failed, but overall the GSC will keep working fine. Flushing the work allowed us to avoid interruption in both cases (unless the hang came from the GSC engine itself, in which case we're toast anyway). However, a failure on a proxy request is tolerable if we're in a scenario where we're triggering a GT reset (i.e., something is already gone pretty wrong), so what we really need to avoid is interrupting the init flow, which we can do by polling on the register that reports when the proxy init is complete (as that ensure us that all the load and init operations have been completed). Note that during suspend we still want to do a flush of the worker to make sure it completes any operations involving the HW before the power is cut. v2: fix spelling in commit msg, rename waiter function (Julia) Fixes: dd0e89e5edc2 ("drm/xe/gsc: GSC FW load") Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/4830 Signed-off-by: Daniele Ceraolo Spurio <daniele.ceraolospurio(a)intel.com> Cc: John Harrison <John.C.Harrison(a)Intel.com> Cc: Alan Previn <alan.previn.teres.alexis(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.8+ Reviewed-by: Julia Filipchuk <julia.filipchuk(a)intel.com> Link: https://lore.kernel.org/r/20250502155104.2201469-1-daniele.ceraolospurio@in… (cherry picked from commit 12370bfcc4f0bdf70279ec5b570eb298963422b5) Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> diff --git a/drivers/gpu/drm/xe/xe_gsc.c b/drivers/gpu/drm/xe/xe_gsc.c index fd41113f8572..0bcf97063ff6 100644 --- a/drivers/gpu/drm/xe/xe_gsc.c +++ b/drivers/gpu/drm/xe/xe_gsc.c @@ -555,6 +555,28 @@ void xe_gsc_wait_for_worker_completion(struct xe_gsc *gsc) flush_work(&gsc->work); } +void xe_gsc_stop_prepare(struct xe_gsc *gsc) +{ + struct xe_gt *gt = gsc_to_gt(gsc); + int ret; + + if (!xe_uc_fw_is_loadable(&gsc->fw) || xe_uc_fw_is_in_error_state(&gsc->fw)) + return; + + xe_force_wake_assert_held(gt_to_fw(gt), XE_FW_GSC); + + /* + * If the GSC FW load or the proxy init are interrupted, the only way + * to recover it is to do an FLR and reload the GSC from scratch. + * Therefore, let's wait for the init to complete before stopping + * operations. The proxy init is the last step, so we can just wait on + * that + */ + ret = xe_gsc_wait_for_proxy_init_done(gsc); + if (ret) + xe_gt_err(gt, "failed to wait for GSC init completion before uc stop\n"); +} + /* * wa_14015076503: if the GSC FW is loaded, we need to alert it before doing a * GSC engine reset by writing a notification bit in the GS1 register and then diff --git a/drivers/gpu/drm/xe/xe_gsc.h b/drivers/gpu/drm/xe/xe_gsc.h index d99f66c38075..b8b8e0810ad9 100644 --- a/drivers/gpu/drm/xe/xe_gsc.h +++ b/drivers/gpu/drm/xe/xe_gsc.h @@ -16,6 +16,7 @@ struct xe_hw_engine; int xe_gsc_init(struct xe_gsc *gsc); int xe_gsc_init_post_hwconfig(struct xe_gsc *gsc); void xe_gsc_wait_for_worker_completion(struct xe_gsc *gsc); +void xe_gsc_stop_prepare(struct xe_gsc *gsc); void xe_gsc_load_start(struct xe_gsc *gsc); void xe_gsc_hwe_irq_handler(struct xe_hw_engine *hwe, u16 intr_vec); diff --git a/drivers/gpu/drm/xe/xe_gsc_proxy.c b/drivers/gpu/drm/xe/xe_gsc_proxy.c index 8cf70b228ff3..d0519cd6704a 100644 --- a/drivers/gpu/drm/xe/xe_gsc_proxy.c +++ b/drivers/gpu/drm/xe/xe_gsc_proxy.c @@ -71,6 +71,17 @@ bool xe_gsc_proxy_init_done(struct xe_gsc *gsc) HECI1_FWSTS1_PROXY_STATE_NORMAL; } +int xe_gsc_wait_for_proxy_init_done(struct xe_gsc *gsc) +{ + struct xe_gt *gt = gsc_to_gt(gsc); + + /* Proxy init can take up to 500ms, so wait double that for safety */ + return xe_mmio_wait32(&gt->mmio, HECI_FWSTS1(MTL_GSC_HECI1_BASE), + HECI1_FWSTS1_CURRENT_STATE, + HECI1_FWSTS1_PROXY_STATE_NORMAL, + USEC_PER_SEC, NULL, false); +} + static void __gsc_proxy_irq_rmw(struct xe_gsc *gsc, u32 clr, u32 set) { struct xe_gt *gt = gsc_to_gt(gsc); diff --git a/drivers/gpu/drm/xe/xe_gsc_proxy.h b/drivers/gpu/drm/xe/xe_gsc_proxy.h index fdef56995cd4..765602221dbc 100644 --- a/drivers/gpu/drm/xe/xe_gsc_proxy.h +++ b/drivers/gpu/drm/xe/xe_gsc_proxy.h @@ -12,6 +12,7 @@ struct xe_gsc; int xe_gsc_proxy_init(struct xe_gsc *gsc); bool xe_gsc_proxy_init_done(struct xe_gsc *gsc); +int xe_gsc_wait_for_proxy_init_done(struct xe_gsc *gsc); int xe_gsc_proxy_start(struct xe_gsc *gsc); int xe_gsc_proxy_request_handler(struct xe_gsc *gsc); diff --git a/drivers/gpu/drm/xe/xe_gt.c b/drivers/gpu/drm/xe/xe_gt.c index 10a9e3c72b36..66198cf2662c 100644 --- a/drivers/gpu/drm/xe/xe_gt.c +++ b/drivers/gpu/drm/xe/xe_gt.c @@ -857,7 +857,7 @@ void xe_gt_suspend_prepare(struct xe_gt *gt) fw_ref = xe_force_wake_get(gt_to_fw(gt), XE_FORCEWAKE_ALL); - xe_uc_stop_prepare(&gt->uc); + xe_uc_suspend_prepare(&gt->uc); xe_force_wake_put(gt_to_fw(gt), fw_ref); } diff --git a/drivers/gpu/drm/xe/xe_uc.c b/drivers/gpu/drm/xe/xe_uc.c index c14bd2282044..3a8751a8b92d 100644 --- a/drivers/gpu/drm/xe/xe_uc.c +++ b/drivers/gpu/drm/xe/xe_uc.c @@ -244,7 +244,7 @@ void xe_uc_gucrc_disable(struct xe_uc *uc) void xe_uc_stop_prepare(struct xe_uc *uc) { - xe_gsc_wait_for_worker_completion(&uc->gsc); + xe_gsc_stop_prepare(&uc->gsc); xe_guc_stop_prepare(&uc->guc); } @@ -278,6 +278,12 @@ static void uc_reset_wait(struct xe_uc *uc) goto again; } +void xe_uc_suspend_prepare(struct xe_uc *uc) +{ + xe_gsc_wait_for_worker_completion(&uc->gsc); + xe_guc_stop_prepare(&uc->guc); +} + int xe_uc_suspend(struct xe_uc *uc) { /* GuC submission not enabled, nothing to do */ diff --git a/drivers/gpu/drm/xe/xe_uc.h b/drivers/gpu/drm/xe/xe_uc.h index 3813c1ede450..c23e6f5e2514 100644 --- a/drivers/gpu/drm/xe/xe_uc.h +++ b/drivers/gpu/drm/xe/xe_uc.h @@ -18,6 +18,7 @@ int xe_uc_reset_prepare(struct xe_uc *uc); void xe_uc_stop_prepare(struct xe_uc *uc); void xe_uc_stop(struct xe_uc *uc); int xe_uc_start(struct xe_uc *uc); +void xe_uc_suspend_prepare(struct xe_uc *uc); int xe_uc_suspend(struct xe_uc *uc); int xe_uc_sanitize_reset(struct xe_uc *uc); void xe_uc_declare_wedged(struct xe_uc *uc);

4 months

3
2
0 0

FAILED: patch "[PATCH] uio_hv_generic: Fix sysfs creation path for ring buffer" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x f31fe8165d365379d858c53bef43254c7d6d1cfd # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051209-overturn-supreme-26f1@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f31fe8165d365379d858c53bef43254c7d6d1cfd Mon Sep 17 00:00:00 2001 From: Naman Jain <namjain(a)linux.microsoft.com> Date: Fri, 2 May 2025 13:18:10 +0530 Subject: [PATCH] uio_hv_generic: Fix sysfs creation path for ring buffer On regular bootup, devices get registered to VMBus first, so when uio_hv_generic driver for a particular device type is probed, the device is already initialized and added, so sysfs creation in hv_uio_probe() works fine. However, when the device is removed and brought back, the channel gets rescinded and the device again gets registered to VMBus. However this time, the uio_hv_generic driver is already registered to probe for that device and in this case sysfs creation is tried before the device's kobject gets initialized completely. Fix this by moving the core logic of sysfs creation of ring buffer, from uio_hv_generic to HyperV's VMBus driver, where the rest of the sysfs attributes for the channels are defined. While doing that, make use of attribute groups and macros, instead of creating sysfs directly, to ensure better error handling and code flow. Problematic path: vmbus_process_offer (A new offer comes for the VMBus device) vmbus_add_channel_work vmbus_device_register |-> device_register | |... | |-> hv_uio_probe | |... | |-> sysfs_create_bin_file (leads to a warning as | the primary channel's kobject, which is used to | create the sysfs file, is not yet initialized) |-> kset_create_and_add |-> vmbus_add_channel_kobj (initialization of the primary channel's kobject happens later) Above code flow is sequential and the warning is always reproducible in this path. Fixes: 9ab877a6ccf8 ("uio_hv_generic: make ring buffer attribute for primary channel") Cc: stable(a)kernel.org Suggested-by: Saurabh Sengar <ssengar(a)linux.microsoft.com> Suggested-by: Michael Kelley <mhklinux(a)outlook.com> Reviewed-by: Michael Kelley <mhklinux(a)outlook.com> Tested-by: Michael Kelley <mhklinux(a)outlook.com> Reviewed-by: Dexuan Cui <decui(a)microsoft.com> Signed-off-by: Naman Jain <namjain(a)linux.microsoft.com> Link: https://lore.kernel.org/r/20250502074811.2022-2-namjain@linux.microsoft.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h index 29780f3a7478..0b450e53161e 100644 --- a/drivers/hv/hyperv_vmbus.h +++ b/drivers/hv/hyperv_vmbus.h @@ -477,4 +477,10 @@ static inline int hv_debug_add_dev_dir(struct hv_device *dev) #endif /* CONFIG_HYPERV_TESTING */ +/* Create and remove sysfs entry for memory mapped ring buffers for a channel */ +int hv_create_ring_sysfs(struct vmbus_channel *channel, + int (*hv_mmap_ring_buffer)(struct vmbus_channel *channel, + struct vm_area_struct *vma)); +int hv_remove_ring_sysfs(struct vmbus_channel *channel); + #endif /* _HYPERV_VMBUS_H */ diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c index 8d3cff42bdbb..0f16a83cc2d6 100644 --- a/drivers/hv/vmbus_drv.c +++ b/drivers/hv/vmbus_drv.c @@ -1802,6 +1802,27 @@ static ssize_t subchannel_id_show(struct vmbus_channel *channel, } static VMBUS_CHAN_ATTR_RO(subchannel_id); +static int hv_mmap_ring_buffer_wrapper(struct file *filp, struct kobject *kobj, + const struct bin_attribute *attr, + struct vm_area_struct *vma) +{ + struct vmbus_channel *channel = container_of(kobj, struct vmbus_channel, kobj); + + /* + * hv_(create|remove)_ring_sysfs implementation ensures that mmap_ring_buffer + * is not NULL. + */ + return channel->mmap_ring_buffer(channel, vma); +} + +static struct bin_attribute chan_attr_ring_buffer = { + .attr = { + .name = "ring", + .mode = 0600, + }, + .size = 2 * SZ_2M, + .mmap = hv_mmap_ring_buffer_wrapper, +}; static struct attribute *vmbus_chan_attrs[] = { &chan_attr_out_mask.attr, &chan_attr_in_mask.attr, @@ -1821,6 +1842,11 @@ static struct attribute *vmbus_chan_attrs[] = { NULL }; +static struct bin_attribute *vmbus_chan_bin_attrs[] = { + &chan_attr_ring_buffer, + NULL +}; + /* * Channel-level attribute_group callback function. Returns the permission for * each attribute, and returns 0 if an attribute is not visible. @@ -1841,9 +1867,24 @@ static umode_t vmbus_chan_attr_is_visible(struct kobject *kobj, return attr->mode; } +static umode_t vmbus_chan_bin_attr_is_visible(struct kobject *kobj, + const struct bin_attribute *attr, int idx) +{ + const struct vmbus_channel *channel = + container_of(kobj, struct vmbus_channel, kobj); + + /* Hide ring attribute if channel's ring_sysfs_visible is set to false */ + if (attr == &chan_attr_ring_buffer && !channel->ring_sysfs_visible) + return 0; + + return attr->attr.mode; +} + static const struct attribute_group vmbus_chan_group = { .attrs = vmbus_chan_attrs, - .is_visible = vmbus_chan_attr_is_visible + .bin_attrs = vmbus_chan_bin_attrs, + .is_visible = vmbus_chan_attr_is_visible, + .is_bin_visible = vmbus_chan_bin_attr_is_visible, }; static const struct kobj_type vmbus_chan_ktype = { @@ -1851,6 +1892,63 @@ static const struct kobj_type vmbus_chan_ktype = { .release = vmbus_chan_release, }; +/** + * hv_create_ring_sysfs() - create "ring" sysfs entry corresponding to ring buffers for a channel. + * @channel: Pointer to vmbus_channel structure + * @hv_mmap_ring_buffer: function pointer for initializing the function to be called on mmap of + * channel's "ring" sysfs node, which is for the ring buffer of that channel. + * Function pointer is of below type: + * int (*hv_mmap_ring_buffer)(struct vmbus_channel *channel, + * struct vm_area_struct *vma)) + * This has a pointer to the channel and a pointer to vm_area_struct, + * used for mmap, as arguments. + * + * Sysfs node for ring buffer of a channel is created along with other fields, however its + * visibility is disabled by default. Sysfs creation needs to be controlled when the use-case + * is running. + * For example, HV_NIC device is used either by uio_hv_generic or hv_netvsc at any given point of + * time, and "ring" sysfs is needed only when uio_hv_generic is bound to that device. To avoid + * exposing the ring buffer by default, this function is reponsible to enable visibility of + * ring for userspace to use. + * Note: Race conditions can happen with userspace and it is not encouraged to create new + * use-cases for this. This was added to maintain backward compatibility, while solving + * one of the race conditions in uio_hv_generic while creating sysfs. + * + * Returns 0 on success or error code on failure. + */ +int hv_create_ring_sysfs(struct vmbus_channel *channel, + int (*hv_mmap_ring_buffer)(struct vmbus_channel *channel, + struct vm_area_struct *vma)) +{ + struct kobject *kobj = &channel->kobj; + + channel->mmap_ring_buffer = hv_mmap_ring_buffer; + channel->ring_sysfs_visible = true; + + return sysfs_update_group(kobj, &vmbus_chan_group); +} +EXPORT_SYMBOL_GPL(hv_create_ring_sysfs); + +/** + * hv_remove_ring_sysfs() - remove ring sysfs entry corresponding to ring buffers for a channel. + * @channel: Pointer to vmbus_channel structure + * + * Hide "ring" sysfs for a channel by changing its is_visible attribute and updating sysfs group. + * + * Returns 0 on success or error code on failure. + */ +int hv_remove_ring_sysfs(struct vmbus_channel *channel) +{ + struct kobject *kobj = &channel->kobj; + int ret; + + channel->ring_sysfs_visible = false; + ret = sysfs_update_group(kobj, &vmbus_chan_group); + channel->mmap_ring_buffer = NULL; + return ret; +} +EXPORT_SYMBOL_GPL(hv_remove_ring_sysfs); + /* * vmbus_add_channel_kobj - setup a sub-directory under device/channels */ diff --git a/drivers/uio/uio_hv_generic.c b/drivers/uio/uio_hv_generic.c index 1b19b5647495..69c1df0f4ca5 100644 --- a/drivers/uio/uio_hv_generic.c +++ b/drivers/uio/uio_hv_generic.c @@ -131,15 +131,12 @@ static void hv_uio_rescind(struct vmbus_channel *channel) vmbus_device_unregister(channel->device_obj); } -/* Sysfs API to allow mmap of the ring buffers +/* Function used for mmap of ring buffer sysfs interface. * The ring buffer is allocated as contiguous memory by vmbus_open */ -static int hv_uio_ring_mmap(struct file *filp, struct kobject *kobj, - const struct bin_attribute *attr, - struct vm_area_struct *vma) +static int +hv_uio_ring_mmap(struct vmbus_channel *channel, struct vm_area_struct *vma) { - struct vmbus_channel *channel - = container_of(kobj, struct vmbus_channel, kobj); void *ring_buffer = page_address(channel->ringbuffer_page); if (channel->state != CHANNEL_OPENED_STATE) @@ -149,15 +146,6 @@ static int hv_uio_ring_mmap(struct file *filp, struct kobject *kobj, channel->ringbuffer_pagecount << PAGE_SHIFT); } -static const struct bin_attribute ring_buffer_bin_attr = { - .attr = { - .name = "ring", - .mode = 0600, - }, - .size = 2 * SZ_2M, - .mmap = hv_uio_ring_mmap, -}; - /* Callback from VMBUS subsystem when new channel created. */ static void hv_uio_new_channel(struct vmbus_channel *new_sc) @@ -178,8 +166,7 @@ hv_uio_new_channel(struct vmbus_channel *new_sc) /* Disable interrupts on sub channel */ new_sc->inbound.ring_buffer->interrupt_mask = 1; set_channel_read_mode(new_sc, HV_CALL_ISR); - - ret = sysfs_create_bin_file(&new_sc->kobj, &ring_buffer_bin_attr); + ret = hv_create_ring_sysfs(new_sc, hv_uio_ring_mmap); if (ret) { dev_err(device, "sysfs create ring bin file failed; %d\n", ret); vmbus_close(new_sc); @@ -350,10 +337,18 @@ hv_uio_probe(struct hv_device *dev, goto fail_close; } - ret = sysfs_create_bin_file(&channel->kobj, &ring_buffer_bin_attr); - if (ret) - dev_notice(&dev->device, - "sysfs create ring bin file failed; %d\n", ret); + /* + * This internally calls sysfs_update_group, which returns a non-zero value if it executes + * before sysfs_create_group. This is expected as the 'ring' will be created later in + * vmbus_device_register() -> vmbus_add_channel_kobj(). Thus, no need to check the return + * value and print warning. + * + * Creating/exposing sysfs in driver probe is not encouraged as it can lead to race + * conditions with userspace. For backward compatibility, "ring" sysfs could not be removed + * or decoupled from uio_hv_generic probe. Userspace programs can make use of inotify + * APIs to make sure that ring is created. + */ + hv_create_ring_sysfs(channel, hv_uio_ring_mmap); hv_set_drvdata(dev, pdata); @@ -375,7 +370,7 @@ hv_uio_remove(struct hv_device *dev) if (!pdata) return; - sysfs_remove_bin_file(&dev->channel->kobj, &ring_buffer_bin_attr); + hv_remove_ring_sysfs(dev->channel); uio_unregister_device(&pdata->info); hv_uio_cleanup(dev, pdata); diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h index 675959fb97ba..d6ffe01962c2 100644 --- a/include/linux/hyperv.h +++ b/include/linux/hyperv.h @@ -1002,6 +1002,12 @@ struct vmbus_channel { /* The max size of a packet on this channel */ u32 max_pkt_size; + + /* function to mmap ring buffer memory to the channel's sysfs ring attribute */ + int (*mmap_ring_buffer)(struct vmbus_channel *channel, struct vm_area_struct *vma); + + /* boolean to control visibility of sysfs for ring buffer */ + bool ring_sysfs_visible; }; #define lock_requestor(channel, flags) \

4 months

3
2
0 0

[PATCH 6.14] x86/its: Fix build errors when CONFIG_MODULES=n

by Pawan Gupta

From: Eric Biggers <ebiggers(a)google.com> commit 9f35e33144ae5377d6a8de86dd3bd4d995c6ac65 upstream. Fix several build errors when CONFIG_MODULES=n, including the following: ../arch/x86/kernel/alternative.c:195:25: error: incomplete definition of type 'struct module' 195 | for (int i = 0; i < mod->its_num_pages; i++) { Fixes: 872df34d7c51 ("x86/its: Use dynamic thunks for indirect branches") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)google.com> Acked-by: Dave Hansen <dave.hansen(a)intel.com> Tested-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> Reviewed-by: Alexandre Chartre <alexandre.chartre(a)oracle.com> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> --- arch/x86/kernel/alternative.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c index 1cdcd79f302d15be44477c7350bf6537a5e42c22..c9b4f388a533530ca59846aea972fded66a37734 100644 --- a/arch/x86/kernel/alternative.c +++ b/arch/x86/kernel/alternative.c @@ -129,7 +129,9 @@ const unsigned char * const x86_nops[ASM_NOP_MAX+1] = #ifdef CONFIG_MITIGATION_ITS +#ifdef CONFIG_MODULES static struct module *its_mod; +#endif static void *its_page; static unsigned int its_offset; @@ -150,6 +152,7 @@ static void *its_init_thunk(void *thunk, int reg) return thunk; } +#ifdef CONFIG_MODULES void its_init_mod(struct module *mod) { if (!cpu_feature_enabled(X86_FEATURE_INDIRECT_THUNK_ITS)) @@ -188,6 +191,7 @@ void its_free_mod(struct module *mod) } kfree(mod->its_page_array); } +#endif /* CONFIG_MODULES */ static void *its_alloc(void) { @@ -196,6 +200,7 @@ static void *its_alloc(void) if (!page) return NULL; +#ifdef CONFIG_MODULES if (its_mod) { void *tmp = krealloc(its_mod->its_page_array, (its_mod->its_num_pages+1) * sizeof(void *), @@ -206,6 +211,7 @@ static void *its_alloc(void) its_mod->its_page_array = tmp; its_mod->its_page_array[its_mod->its_num_pages++] = page; } +#endif /* CONFIG_MODULES */ return no_free_ptr(page); } --- base-commit: 982c0c8bc78be18914f38ae20ea0f55e268b88ca change-id: 20250513-its-fixes-6-14-53d0a7946250 Best regards, -- Thanks, Pawan

4 months

2
1
0 0

[PATCH 5.15.y] ibmvnic: Don't reference skb after sending to VIOS

by bin.lan.cn＠windriver.com

From: Nick Child <nnac123(a)linux.ibm.com> [ Upstream commit bdf5d13aa05ec314d4385b31ac974d6c7e0997c9 ] Previously, after successfully flushing the xmit buffer to VIOS, the tx_bytes stat was incremented by the length of the skb. It is invalid to access the skb memory after sending the buffer to the VIOS because, at any point after sending, the VIOS can trigger an interrupt to free this memory. A race between reading skb->len and freeing the skb is possible (especially during LPM) and will result in use-after-free: ================================================================== BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic] Read of size 4 at addr c00000024eb48a70 by task hxecom/14495 <...> Call Trace: [c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable) [c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0 [c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8 [c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0 [c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic] [c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358 <...> Freed by task 0: kasan_save_stack+0x34/0x68 kasan_save_track+0x2c/0x50 kasan_save_free_info+0x64/0x108 __kasan_mempool_poison_object+0x148/0x2d4 napi_skb_cache_put+0x5c/0x194 net_tx_action+0x154/0x5b8 handle_softirqs+0x20c/0x60c do_softirq_own_stack+0x6c/0x88 <...> The buggy address belongs to the object at c00000024eb48a00 which belongs to the cache skbuff_head_cache of size 224 ================================================================== Fixes: 032c5e82847a ("Driver for IBM System i/p VNIC protocol") Signed-off-by: Nick Child <nnac123(a)linux.ibm.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/20250214155233.235559-1-nnac123@linux.ibm.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [Minor context change fixed.] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Build test passed. --- drivers/net/ethernet/ibm/ibmvnic.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c index 7f4539a2e551..4b87d9f59628 100644 --- a/drivers/net/ethernet/ibm/ibmvnic.c +++ b/drivers/net/ethernet/ibm/ibmvnic.c @@ -1758,6 +1758,7 @@ static netdev_tx_t ibmvnic_xmit(struct sk_buff *skb, struct net_device *netdev) dma_addr_t data_dma_addr; struct netdev_queue *txq; unsigned long lpar_rc; + unsigned int skblen; union sub_crq tx_crq; unsigned int offset; int num_entries = 1; @@ -1843,6 +1844,7 @@ static netdev_tx_t ibmvnic_xmit(struct sk_buff *skb, struct net_device *netdev) tx_buff->skb = skb; tx_buff->index = index; tx_buff->pool_index = queue_num; + skblen = skb->len; memset(&tx_crq, 0, sizeof(tx_crq)); tx_crq.v1.first = IBMVNIC_CRQ_CMD; @@ -1919,7 +1921,7 @@ static netdev_tx_t ibmvnic_xmit(struct sk_buff *skb, struct net_device *netdev) } tx_packets++; - tx_bytes += skb->len; + tx_bytes += skblen; txq->trans_start = jiffies; ret = NETDEV_TX_OK; goto out; -- 2.34.1

4 months

2
1
0 0

[PATCH 5.10.y] ibmvnic: Don't reference skb after sending to VIOS

by bin.lan.cn＠windriver.com

From: Nick Child <nnac123(a)linux.ibm.com> [ Upstream commit bdf5d13aa05ec314d4385b31ac974d6c7e0997c9 ] Previously, after successfully flushing the xmit buffer to VIOS, the tx_bytes stat was incremented by the length of the skb. It is invalid to access the skb memory after sending the buffer to the VIOS because, at any point after sending, the VIOS can trigger an interrupt to free this memory. A race between reading skb->len and freeing the skb is possible (especially during LPM) and will result in use-after-free: ================================================================== BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic] Read of size 4 at addr c00000024eb48a70 by task hxecom/14495 <...> Call Trace: [c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable) [c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0 [c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8 [c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0 [c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic] [c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358 <...> Freed by task 0: kasan_save_stack+0x34/0x68 kasan_save_track+0x2c/0x50 kasan_save_free_info+0x64/0x108 __kasan_mempool_poison_object+0x148/0x2d4 napi_skb_cache_put+0x5c/0x194 net_tx_action+0x154/0x5b8 handle_softirqs+0x20c/0x60c do_softirq_own_stack+0x6c/0x88 <...> The buggy address belongs to the object at c00000024eb48a00 which belongs to the cache skbuff_head_cache of size 224 ================================================================== Fixes: 032c5e82847a ("Driver for IBM System i/p VNIC protocol") Signed-off-by: Nick Child <nnac123(a)linux.ibm.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/20250214155233.235559-1-nnac123@linux.ibm.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [Minor context change fixed.] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Build test passed. --- drivers/net/ethernet/ibm/ibmvnic.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c index 84da6ccaf339..73e3165aa9ae 100644 --- a/drivers/net/ethernet/ibm/ibmvnic.c +++ b/drivers/net/ethernet/ibm/ibmvnic.c @@ -1548,6 +1548,7 @@ static netdev_tx_t ibmvnic_xmit(struct sk_buff *skb, struct net_device *netdev) dma_addr_t data_dma_addr; struct netdev_queue *txq; unsigned long lpar_rc; + unsigned int skblen; union sub_crq tx_crq; unsigned int offset; int num_entries = 1; @@ -1631,6 +1632,7 @@ static netdev_tx_t ibmvnic_xmit(struct sk_buff *skb, struct net_device *netdev) tx_buff->index = index; tx_buff->pool_index = queue_num; tx_buff->last_frag = true; + skblen = skb->len; memset(&tx_crq, 0, sizeof(tx_crq)); tx_crq.v1.first = IBMVNIC_CRQ_CMD; @@ -1733,7 +1735,7 @@ static netdev_tx_t ibmvnic_xmit(struct sk_buff *skb, struct net_device *netdev) } tx_packets++; - tx_bytes += skb->len; + tx_bytes += skblen; txq->trans_start = jiffies; ret = NETDEV_TX_OK; goto out; -- 2.34.1

4 months

2
1
0 0

[PATCH] x86/its: Fix build errors when CONFIG_MODULES=n

by Pawan Gupta

From: Eric Biggers <ebiggers(a)google.com> commit 9f35e33144ae5377d6a8de86dd3bd4d995c6ac65 upstream. Fix several build errors when CONFIG_MODULES=n, including the following: ../arch/x86/kernel/alternative.c:195:25: error: incomplete definition of type 'struct module' 195 | for (int i = 0; i < mod->its_num_pages; i++) { Fixes: 872df34d7c51 ("x86/its: Use dynamic thunks for indirect branches") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)google.com> Acked-by: Dave Hansen <dave.hansen(a)intel.com> Tested-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> Reviewed-by: Alexandre Chartre <alexandre.chartre(a)oracle.com> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> --- This patch applies on top of patches in stable-queue with ITS mitigation. arch/x86/kernel/alternative.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c index 01aa5a73c82fd8fe33a14a73ebace6d4e3b6b169..29482c52086577757d512942147db7f8d65a34bd 100644 --- a/arch/x86/kernel/alternative.c +++ b/arch/x86/kernel/alternative.c @@ -129,7 +129,9 @@ const unsigned char * const x86_nops[ASM_NOP_MAX+1] = #ifdef CONFIG_MITIGATION_ITS +#ifdef CONFIG_MODULES static struct module *its_mod; +#endif static void *its_page; static unsigned int its_offset; @@ -150,6 +152,7 @@ static void *its_init_thunk(void *thunk, int reg) return thunk; } +#ifdef CONFIG_MODULES void its_init_mod(struct module *mod) { if (!cpu_feature_enabled(X86_FEATURE_INDIRECT_THUNK_ITS)) @@ -188,6 +191,7 @@ void its_free_mod(struct module *mod) } kfree(mod->its_page_array); } +#endif /* CONFIG_MODULES */ static void *its_alloc(void) { @@ -196,6 +200,7 @@ static void *its_alloc(void) if (!page) return NULL; +#ifdef CONFIG_MODULES if (its_mod) { void *tmp = krealloc(its_mod->its_page_array, (its_mod->its_num_pages+1) * sizeof(void *), @@ -206,6 +211,7 @@ static void *its_alloc(void) its_mod->its_page_array = tmp; its_mod->its_page_array[its_mod->its_num_pages++] = page; } +#endif /* CONFIG_MODULES */ return no_free_ptr(page); } --- change-id: 20250513-its-fixes-6-12-0a495cd71de4

4 months

2
1
0 0

[PATCH] xhci: dbc: Avoid event polling busyloop if pending rx transfers are inactive.

by Mathias Nyman

[ Upstream commit cab63934c33b12c0d1e9f4da7450928057f2c142 ] Backport for linux-6.12.y stable 6.12 kernel used older poll_interval of 1ms instead of 0 as described in the original commit message below. CPU hogging is not that bad with 1ms delay, fix it anyways, but don't touch poll_interval. Event polling delay is set to 0 if there are any pending requests in either rx or tx requests lists. Checking for pending requests does not work well for "IN" transfers as the tty driver always queues requests to the list and TRBs to the ring, preparing to receive data from the host. This causes unnecessary busylooping and cpu hogging. Only set the event polling delay to 0 if there are pending tx "write" transfers, or if it was less than 10ms since last active data transfer in any direction. Cc: Łukasz Bartosik <ukaszb(a)chromium.org> Fixes: fb18e5bb9660 ("xhci: dbc: poll at different rate depending on data transfer activity") Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> --- drivers/usb/host/xhci-dbgcap.c | 19 ++++++++++++++++--- drivers/usb/host/xhci-dbgcap.h | 3 +++ 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/drivers/usb/host/xhci-dbgcap.c b/drivers/usb/host/xhci-dbgcap.c index 241d7aa1fbc2..b12273f72c93 100644 --- a/drivers/usb/host/xhci-dbgcap.c +++ b/drivers/usb/host/xhci-dbgcap.c @@ -822,6 +822,7 @@ static enum evtreturn xhci_dbc_do_handle_events(struct xhci_dbc *dbc) { dma_addr_t deq; union xhci_trb *evt; + enum evtreturn ret = EVT_DONE; u32 ctrl, portsc; bool update_erdp = false; @@ -906,6 +907,7 @@ static enum evtreturn xhci_dbc_do_handle_events(struct xhci_dbc *dbc) break; case TRB_TYPE(TRB_TRANSFER): dbc_handle_xfer_event(dbc, evt); + ret = EVT_XFER_DONE; break; default: break; @@ -924,7 +926,7 @@ static enum evtreturn xhci_dbc_do_handle_events(struct xhci_dbc *dbc) lo_hi_writeq(deq, &dbc->regs->erdp); } - return EVT_DONE; + return ret; } static void xhci_dbc_handle_events(struct work_struct *work) @@ -933,6 +935,7 @@ static void xhci_dbc_handle_events(struct work_struct *work) struct xhci_dbc *dbc; unsigned long flags; unsigned int poll_interval; + unsigned long busypoll_timelimit; dbc = container_of(to_delayed_work(work), struct xhci_dbc, event_work); poll_interval = dbc->poll_interval; @@ -951,11 +954,21 @@ static void xhci_dbc_handle_events(struct work_struct *work) dbc->driver->disconnect(dbc); break; case EVT_DONE: - /* set fast poll rate if there are pending data transfers */ + /* + * Set fast poll rate if there are pending out transfers, or + * a transfer was recently processed + */ + busypoll_timelimit = dbc->xfer_timestamp + + msecs_to_jiffies(DBC_XFER_INACTIVITY_TIMEOUT); + if (!list_empty(&dbc->eps[BULK_OUT].list_pending) || - !list_empty(&dbc->eps[BULK_IN].list_pending)) + time_is_after_jiffies(busypoll_timelimit)) poll_interval = 1; break; + case EVT_XFER_DONE: + dbc->xfer_timestamp = jiffies; + poll_interval = 1; + break; default: dev_info(dbc->dev, "stop handling dbc events\n"); return; diff --git a/drivers/usb/host/xhci-dbgcap.h b/drivers/usb/host/xhci-dbgcap.h index 9dc8f4d8077c..47ac72c2286d 100644 --- a/drivers/usb/host/xhci-dbgcap.h +++ b/drivers/usb/host/xhci-dbgcap.h @@ -96,6 +96,7 @@ struct dbc_ep { #define DBC_WRITE_BUF_SIZE 8192 #define DBC_POLL_INTERVAL_DEFAULT 64 /* milliseconds */ #define DBC_POLL_INTERVAL_MAX 5000 /* milliseconds */ +#define DBC_XFER_INACTIVITY_TIMEOUT 10 /* milliseconds */ /* * Private structure for DbC hardware state: */ @@ -142,6 +143,7 @@ struct xhci_dbc { enum dbc_state state; struct delayed_work event_work; unsigned int poll_interval; /* ms */ + unsigned long xfer_timestamp; unsigned resume_required:1; struct dbc_ep eps[2]; @@ -187,6 +189,7 @@ struct dbc_request { enum evtreturn { EVT_ERR = -1, EVT_DONE, + EVT_XFER_DONE, EVT_GSER, EVT_DISC, }; -- 2.43.0

4 months

2
1
0 0

[PATCH] x86/its: Fix build errors when CONFIG_MODULES=n

by Pawan Gupta

From: Eric Biggers <ebiggers(a)google.com> commit 9f35e33144ae5377d6a8de86dd3bd4d995c6ac65 upstream. Fix several build errors when CONFIG_MODULES=n, including the following: ../arch/x86/kernel/alternative.c:195:25: error: incomplete definition of type 'struct module' 195 | for (int i = 0; i < mod->its_num_pages; i++) { Fixes: 872df34d7c51 ("x86/its: Use dynamic thunks for indirect branches") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)google.com> Acked-by: Dave Hansen <dave.hansen(a)intel.com> Tested-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> Reviewed-by: Alexandre Chartre <alexandre.chartre(a)oracle.com> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> --- arch/x86/kernel/alternative.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c index 6085919d3b3ebbf57b4c6f257eb30d0781569fe4..5a0b84e21285d16b7869b59c7d9e622a99c7ad7a 100644 --- a/arch/x86/kernel/alternative.c +++ b/arch/x86/kernel/alternative.c @@ -129,7 +129,9 @@ const unsigned char * const x86_nops[ASM_NOP_MAX+1] = #ifdef CONFIG_MITIGATION_ITS +#ifdef CONFIG_MODULES static struct module *its_mod; +#endif static void *its_page; static unsigned int its_offset; @@ -150,6 +152,7 @@ static void *its_init_thunk(void *thunk, int reg) return thunk; } +#ifdef CONFIG_MODULES void its_init_mod(struct module *mod) { if (!cpu_feature_enabled(X86_FEATURE_INDIRECT_THUNK_ITS)) @@ -188,6 +191,7 @@ void its_free_mod(struct module *mod) } kfree(mod->its_page_array); } +#endif /* CONFIG_MODULES */ DEFINE_FREE(its_execmem, void *, if (_T) module_memfree(_T)); @@ -198,6 +202,7 @@ static void *its_alloc(void) if (!page) return NULL; +#ifdef CONFIG_MODULES if (its_mod) { void *tmp = krealloc(its_mod->its_page_array, (its_mod->its_num_pages+1) * sizeof(void *), @@ -208,6 +213,7 @@ static void *its_alloc(void) its_mod->its_page_array = tmp; its_mod->its_page_array[its_mod->its_num_pages++] = page; } +#endif /* CONFIG_MODULES */ return no_free_ptr(page); } --- change-id: 20250513-its-fixes-6-6-990e444d4d67

4 months

3
3
0 0

[PATCH 6.1.y] platform/x86/amd/pmc: Only disable IRQ1 wakeup where i8042 actually enabled it

by Zhaoyang Li

From: "Maciej S. Szmigiero" <mail(a)maciej.szmigiero.name> [ Upstream commit dd410d784402c5775f66faf8b624e85e41c38aaf ] Wakeup for IRQ1 should be disabled only in cases where i8042 had actually enabled it, otherwise "wake_depth" for this IRQ will try to drop below zero and there will be an unpleasant WARN() logged: kernel: atkbd serio0: Disabling IRQ1 wakeup source to avoid platform firmware bug kernel: ------------[ cut here ]------------ kernel: Unbalanced IRQ 1 wake disable kernel: WARNING: CPU: 10 PID: 6431 at kernel/irq/manage.c:920 irq_set_irq_wake+0x147/0x1a0 The PMC driver uses DEFINE_SIMPLE_DEV_PM_OPS() to define its dev_pm_ops which sets amd_pmc_suspend_handler() to the .suspend, .freeze, and .poweroff handlers. i8042_pm_suspend(), however, is only set as the .suspend handler. Fix the issue by call PMC suspend handler only from the same set of dev_pm_ops handlers as i8042_pm_suspend(), which currently means just the .suspend handler. To reproduce this issue try hibernating (S4) the machine after a fresh boot without putting it into s2idle first. Fixes: 8e60615e8932 ("platform/x86/amd: pmc: Disable IRQ1 wakeup for RN/CZN") Reviewed-by: Mario Limonciello <mario.limonciello(a)amd.com> Signed-off-by: Maciej S. Szmigiero <mail(a)maciej.szmigiero.name> Link: https://lore.kernel.org/r/c8f28c002ca3c66fbeeb850904a1f43118e17200.17361846… [ij: edited the commit message.] Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Zhaoyang Li <lizy04(a)hust.edu.cn> --- drivers/platform/x86/amd/pmc.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/platform/x86/amd/pmc.c b/drivers/platform/x86/amd/pmc.c index f237c1ea8d35..8eaeb1e8f975 100644 --- a/drivers/platform/x86/amd/pmc.c +++ b/drivers/platform/x86/amd/pmc.c @@ -834,6 +834,10 @@ static int __maybe_unused amd_pmc_suspend_handler(struct device *dev) { struct amd_pmc_dev *pdev = dev_get_drvdata(dev); + /* + * Must be called only from the same set of dev_pm_ops handlers + * as i8042_pm_suspend() is called: currently just from .suspend. + */ if (pdev->cpu_id == AMD_CPU_ID_CZN) { int rc = amd_pmc_czn_wa_irq1(pdev); @@ -846,7 +850,9 @@ static int __maybe_unused amd_pmc_suspend_handler(struct device *dev) return 0; } -static SIMPLE_DEV_PM_OPS(amd_pmc_pm, amd_pmc_suspend_handler, NULL); +static const struct dev_pm_ops amd_pmc_pm = { + .suspend = amd_pmc_suspend_handler, +}; #endif -- 2.25.1

4 months

2
1
0 0

[PATCH 5.10] bpf: Avoid overflows involving hash elem_size

by Daniil Dulov

From: Eric Dumazet <edumazet(a)google.com> commit e1868b9e36d0ca52e4e7c6c06953f191446e44df upstream. Use of bpf_map_charge_init() was making sure hash tables would not use more than 4GB of memory. Since the implicit check disappeared, we have to be more careful about overflows, to support big hash tables. syzbot triggers a panic using : bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_LRU_HASH, key_size=16384, value_size=8, max_entries=262200, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0}, 64) = ... BUG: KASAN: vmalloc-out-of-bounds in bpf_percpu_lru_populate kernel/bpf/bpf_lru_list.c:594 [inline] BUG: KASAN: vmalloc-out-of-bounds in bpf_lru_populate+0x4ef/0x5e0 kernel/bpf/bpf_lru_list.c:611 Write of size 2 at addr ffffc90017e4a020 by task syz-executor.5/19786 CPU: 0 PID: 19786 Comm: syz-executor.5 Not tainted 5.10.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:118 print_address_description.constprop.0.cold+0x5/0x4c8 mm/kasan/report.c:385 __kasan_report mm/kasan/report.c:545 [inline] kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562 bpf_percpu_lru_populate kernel/bpf/bpf_lru_list.c:594 [inline] bpf_lru_populate+0x4ef/0x5e0 kernel/bpf/bpf_lru_list.c:611 prealloc_init kernel/bpf/hashtab.c:319 [inline] htab_map_alloc+0xf6e/0x1230 kernel/bpf/hashtab.c:507 find_and_alloc_map kernel/bpf/syscall.c:123 [inline] map_create kernel/bpf/syscall.c:829 [inline] __do_sys_bpf+0xa81/0x5170 kernel/bpf/syscall.c:4336 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45deb9 Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fd93fbc0c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 0000000000001a40 RCX: 000000000045deb9 RDX: 0000000000000040 RSI: 0000000020000280 RDI: 0000000000000000 RBP: 000000000119bf60 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119bf2c R13: 00007ffc08a7be8f R14: 00007fd93fbc19c0 R15: 000000000119bf2c Fixes: 755e5d55367a ("bpf: Eliminate rlimit-based memory accounting for hashtab maps") Reported-by: syzbot <syzkaller(a)googlegroups.com> Signed-off-by: Eric Dumazet <edumazet(a)google.com> Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Acked-by: Roman Gushchin <guro(a)fb.com> Link: https://lore.kernel.org/bpf/20201207182821.3940306-1-eric.dumazet@gmail.com Signed-off-by: Daniil Dulov <d.dulov(a)aladdin.ru> --- kernel/bpf/hashtab.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c index 4c7cab79d90e..829d6d3a8495 100644 --- a/kernel/bpf/hashtab.c +++ b/kernel/bpf/hashtab.c @@ -199,7 +199,7 @@ static void *fd_htab_map_get_ptr(const struct bpf_map *map, struct htab_elem *l) static struct htab_elem *get_htab_elem(struct bpf_htab *htab, int i) { - return (struct htab_elem *) (htab->elems + i * htab->elem_size); + return (struct htab_elem *) (htab->elems + i * (u64)htab->elem_size); } static void htab_free_elems(struct bpf_htab *htab) @@ -255,7 +255,7 @@ static int prealloc_init(struct bpf_htab *htab) if (!htab_is_percpu(htab) && !htab_is_lru(htab)) num_entries += num_possible_cpus(); - htab->elems = bpf_map_area_alloc(htab->elem_size * num_entries, + htab->elems = bpf_map_area_alloc((u64)htab->elem_size * num_entries, htab->map.numa_node); if (!htab->elems) return -ENOMEM; -- 2.34.1

4 months

1
0
0 0

[RFC PATCH 1/7] efi: Add missing static initializer for efi_mm::cpus_allowed_lock

by Ard Biesheuvel

From: Ard Biesheuvel <ardb(a)kernel.org> Initialize the cpus_allowed_lock struct member of efi_mm. Cc: <stable(a)vger.kernel.org> Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> --- drivers/firmware/efi/efi.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 7309394b8fc9..59a56661937c 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -73,6 +73,9 @@ struct mm_struct efi_mm = { .page_table_lock = __SPIN_LOCK_UNLOCKED(efi_mm.page_table_lock), .mmlist = LIST_HEAD_INIT(efi_mm.mmlist), .cpu_bitmap = { [BITS_TO_LONGS(NR_CPUS)] = 0}, +#ifdef CONFIG_SCHED_MM_CID + .cpus_allowed_lock = __RAW_SPIN_LOCK_UNLOCKED(efi_mm.cpus_allowed_lock), +#endif }; struct workqueue_struct *efi_rts_wq; -- 2.49.0.1101.gccaa498523-goog

4 months

1
0
0 0

[PATCH 5.15 00/54] 5.15.183-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.15.183 release. There are 54 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 14 May 2025 17:19:58 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.183-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.15.183-rc1 Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/bhi: Do not set BHI_DIS_S in 32-bit mode Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bpf: Add IBHF call at end of classic BPF Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bpf: Call branch history clearing sequence on exit Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "net: phy: microchip: force IRQ polling mode for lan88xx" Al Viro <viro(a)zeniv.linux.org.uk> do_umount(): add missing barrier before refcount checks in sync case Daniel Wagner <wagi(a)kernel.org> nvme: unblock ctrl state transition for firmware update Kevin Baker <kevinb(a)ventureresearch.com> drm/panel: simple: Update timings for AUO G101EVN010 Thorsten Blum <thorsten.blum(a)linux.dev> MIPS: Fix MAX_REG_OFFSET Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: adc: dln2: Use aligned_s64 for timestamp Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> types: Complement the aligned types with signed 64-bit one Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous generic_read ioctl return Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous wait_srq ioctl return Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous get_stb ioctl error returns Oliver Neukum <oneukum(a)suse.com> USB: usbtmc: use interruptible sleep in usbtmc_read Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: ucsi: displayport: Fix NULL pointer access RD Babiera <rdbabiera(a)google.com> usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition Jim Lin <jilin(a)nvidia.com> usb: host: tegra: Prevent host controller crash when OTG port is used Wayne Chang <waynec(a)nvidia.com> usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: Fix issue with resuming from L1 Jan Kara <jack(a)suse.cz> ocfs2: stop quota recovery before disabling quotas Jan Kara <jack(a)suse.cz> ocfs2: implement handshaking with ocfs2 recovery thread Jan Kara <jack(a)suse.cz> ocfs2: switch osb->disable_recovery to enum Dmitry Antipov <dmantipov(a)yandex.ru> module: ensure that kobject_put() is safe for module type kobjects Jason Andryuk <jason.andryuk(a)amd.com> xenbus: Use kref to track req lifetime Alexey Charkov <alchark(a)gmail.com> usb: uhci-platform: Make the clock really optional Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Fix wrong handling for AUX_DEFER case Silvano Seva <s.seva(a)4sigma.it> iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo Silvano Seva <s.seva(a)4sigma.it> iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo Gabriel Shahrouzi <gshahrouzi(a)gmail.com> iio: adis16201: Correct inclinometer channel resolution Angelo Dureghello <adureghello(a)baylibre.com> iio: adc: ad7606: fix serial register access Dave Hansen <dave.hansen(a)linux.intel.com> x86/mm: Eliminate window where TLB flushes may be inadvertently skipped Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: axis-fifo: Correct handling of tx_fifo_depth for size validation Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: axis-fifo: Remove hardware resets for user errors Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: iio: adc: ad7816: Correct conditional logic for store mode Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: synaptics - enable SMBus for HP Elitebook 850 G1 Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on Dell Precision M3800 Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on Dynabook Portege X30L-G Manuel Fombuena <fombuena(a)outlook.com> Input: synaptics - enable InterTouch on Dynabook Portege X30-D Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix learning on VLAN unaware bridges Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: always rejoin default untagged VLAN on bridge leave Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix flushing old pvid VLAN on pvid change Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix clearing PVID of a port Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: allow leaky reserved multicast Jozsef Kadlecsik <kadlec(a)netfilter.org> netfilter: ipset: fix region locking in hash types Oliver Hartkopp <socketcan(a)hartkopp.net> can: gw: fix RCU/BH usage in cgw_create_job() Uladzislau Rezki (Sony) <urezki(a)gmail.com> rcu/kvfree: Add kvfree_rcu_mightsleep() and kfree_rcu_mightsleep() Eric Dumazet <edumazet(a)google.com> can: gw: use call_rcu() instead of costly synchronize_rcu() Guillaume Nault <gnault(a)redhat.com> gre: Fix again IPv6 link-local address generation. Eelco Chaudron <echaudro(a)redhat.com> openvswitch: Fix unsafe attribute parsing in output_userspace() Marc Kleine-Budde <mkl(a)pengutronix.de> can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls Marc Kleine-Budde <mkl(a)pengutronix.de> can: mcan: m_can_class_unregister(): fix order of unregistration calls ------------- Diffstat: Makefile | 4 +- arch/mips/include/asm/ptrace.h | 3 +- arch/x86/kernel/cpu/bugs.c | 5 +- arch/x86/kernel/cpu/common.c | 9 +- arch/x86/mm/tlb.c | 23 ++- arch/x86/net/bpf_jit_comp.c | 52 +++++++ .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 28 +++- drivers/gpu/drm/panel/panel-simple.c | 25 +-- drivers/iio/accel/adis16201.c | 4 +- drivers/iio/adc/ad7606_spi.c | 2 +- drivers/iio/adc/dln2-adc.c | 2 +- drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 6 + drivers/input/mouse/synaptics.c | 5 + drivers/net/can/m_can/m_can.c | 2 +- drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 2 +- drivers/net/dsa/b53/b53_common.c | 36 +++-- drivers/net/phy/microchip.c | 46 +++++- drivers/nvme/host/core.c | 3 +- drivers/staging/axis-fifo/axis-fifo.c | 14 +- drivers/staging/iio/adc/ad7816.c | 2 +- drivers/usb/cdns3/cdnsp-gadget.c | 31 ++++ drivers/usb/cdns3/cdnsp-gadget.h | 6 + drivers/usb/cdns3/cdnsp-pci.c | 12 +- drivers/usb/cdns3/cdnsp-ring.c | 3 +- drivers/usb/cdns3/core.h | 3 + drivers/usb/class/usbtmc.c | 59 +++++--- drivers/usb/gadget/udc/tegra-xudc.c | 4 + drivers/usb/host/uhci-platform.c | 2 +- drivers/usb/host/xhci-tegra.c | 3 + drivers/usb/typec/tcpm/tcpm.c | 2 +- drivers/usb/typec/ucsi/displayport.c | 2 + drivers/xen/xenbus/xenbus.h | 2 + drivers/xen/xenbus/xenbus_comms.c | 9 +- drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +- drivers/xen/xenbus/xenbus_xs.c | 18 ++- fs/namespace.c | 3 +- fs/ocfs2/journal.c | 80 +++++++--- fs/ocfs2/journal.h | 1 + fs/ocfs2/ocfs2.h | 17 ++- fs/ocfs2/quota_local.c | 9 +- fs/ocfs2/super.c | 3 + include/linux/rcupdate.h | 3 + include/linux/types.h | 3 +- include/uapi/linux/types.h | 1 + kernel/params.c | 4 +- net/can/gw.c | 167 +++++++++++++-------- net/ipv6/addrconf.c | 15 +- net/netfilter/ipset/ip_set_hash_gen.h | 2 +- net/openvswitch/actions.c | 3 +- 49 files changed, 538 insertions(+), 204 deletions(-)

4 months

9
62
0 0

[PATCH 6.1 00/92] 6.1.139-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.139 release. There are 92 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 14 May 2025 17:19:58 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.139-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.139-rc1 Peter Zijlstra <peterz(a)infradead.org> x86/its: Use dynamic thunks for indirect branches Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/ibt: Keep IBT disabled during alternative patching Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Align RETs in BHB clear sequence to avoid thunking Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add "vmexit" option to skip mitigation on some CPUs Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enable Indirect Target Selection mitigation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe return thunk Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe indirect thunk Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enumerate Indirect Target Selection (ITS) bug Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Documentation: x86/bugs/its: Add ITS documentation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/speculation: Remove the extra #ifdef around CALL_NOSPEC Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/speculation: Add a conditional CS prefix to CALL_NOSPEC Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/speculation: Simplify and make CALL_NOSPEC consistent Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/bhi: Do not set BHI_DIS_S in 32-bit mode Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bpf: Add IBHF call at end of classic BPF Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bpf: Call branch history clearing sequence on exit James Morse <james.morse(a)arm.com> arm64: proton-pack: Add new CPUs 'k' values for branch mitigation James Morse <james.morse(a)arm.com> arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users James Morse <james.morse(a)arm.com> arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs James Morse <james.morse(a)arm.com> arm64: proton-pack: Expose whether the branchy loop k value James Morse <james.morse(a)arm.com> arm64: proton-pack: Expose whether the platform is mitigated by firmware James Morse <james.morse(a)arm.com> arm64: insn: Add support for encoding DSB Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "net: phy: microchip: force IRQ polling mode for lan88xx" Jens Axboe <axboe(a)kernel.dk> io_uring: ensure deferred completions are posted for multishot Jens Axboe <axboe(a)kernel.dk> io_uring: always arm linked timeouts prior to issue Al Viro <viro(a)zeniv.linux.org.uk> do_umount(): add missing barrier before refcount checks in sync case Daniel Wagner <wagi(a)kernel.org> nvme: unblock ctrl state transition for firmware update Kevin Baker <kevinb(a)ventureresearch.com> drm/panel: simple: Update timings for AUO G101EVN010 Thorsten Blum <thorsten.blum(a)linux.dev> MIPS: Fix MAX_REG_OFFSET Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: adc: dln2: Use aligned_s64 for timestamp Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: accel: adxl355: Make timestamp 64-bit aligned using aligned_s64 Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> types: Complement the aligned types with signed 64-bit one Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: temp: maxim-thermocouple: Fix potential lack of DMA safe buffer. Lothar Rubusch <l.rubusch(a)gmail.com> iio: accel: adxl367: fix setting odr for activity time update Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous generic_read ioctl return Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous wait_srq ioctl return Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous get_stb ioctl error returns Oliver Neukum <oneukum(a)suse.com> USB: usbtmc: use interruptible sleep in usbtmc_read Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: ucsi: displayport: Fix NULL pointer access RD Babiera <rdbabiera(a)google.com> usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition Jim Lin <jilin(a)nvidia.com> usb: host: tegra: Prevent host controller crash when OTG port is used Wayne Chang <waynec(a)nvidia.com> usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: Fix issue with resuming from L1 Jan Kara <jack(a)suse.cz> ocfs2: stop quota recovery before disabling quotas Jan Kara <jack(a)suse.cz> ocfs2: implement handshaking with ocfs2 recovery thread Jan Kara <jack(a)suse.cz> ocfs2: switch osb->disable_recovery to enum Dmitry Antipov <dmantipov(a)yandex.ru> module: ensure that kobject_put() is safe for module type kobjects Jason Andryuk <jason.andryuk(a)amd.com> xenbus: Use kref to track req lifetime Alexey Charkov <alchark(a)gmail.com> usb: uhci-platform: Make the clock really optional Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Copy AUX read reply data whenever length > 0 Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Fix wrong handling for AUX_DEFER case Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Remove incorrect checking in dmub aux handler Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Fix the checking condition in dmub aux handling Maíra Canal <mcanal(a)igalia.com> drm/v3d: Add job to pending list if the reset was skipped Silvano Seva <s.seva(a)4sigma.it> iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo Silvano Seva <s.seva(a)4sigma.it> iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo Gabriel Shahrouzi <gshahrouzi(a)gmail.com> iio: adis16201: Correct inclinometer channel resolution Angelo Dureghello <adureghello(a)baylibre.com> iio: adc: ad7606: fix serial register access Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Shift DMUB AUX reply command if necessary Dave Hansen <dave.hansen(a)linux.intel.com> x86/mm: Eliminate window where TLB flushes may be inadvertently skipped Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: axis-fifo: Correct handling of tx_fifo_depth for size validation Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: axis-fifo: Remove hardware resets for user errors Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: iio: adc: ad7816: Correct conditional logic for store mode Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: synaptics - enable SMBus for HP Elitebook 850 G1 Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on Dell Precision M3800 Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on Dynabook Portege X30L-G Manuel Fombuena <fombuena(a)outlook.com> Input: synaptics - enable InterTouch on Dynabook Portege X30-D Gary Bisson <bisson.gary(a)gmail.com> Input: mtk-pmic-keys - fix possible null pointer dereference Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix learning on VLAN unaware bridges Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: always rejoin default untagged VLAN on bridge leave Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix flushing old pvid VLAN on pvid change Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix clearing PVID of a port Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: allow leaky reserved multicast Paul Chaignon <paul.chaignon(a)gmail.com> bpf: Scrub packet on bpf_redirect_peer Jozsef Kadlecsik <kadlec(a)netfilter.org> netfilter: ipset: fix region locking in hash types Julian Anastasov <ja(a)ssi.bg> ipvs: fix uninit-value for saddr in do_output_route4 Guillaume Nault <gnault(a)redhat.com> ipv4: Drop tos parameter from flowi4_update_output() Oliver Hartkopp <socketcan(a)hartkopp.net> can: gw: fix RCU/BH usage in cgw_create_job() Uladzislau Rezki (Sony) <urezki(a)gmail.com> rcu/kvfree: Add kvfree_rcu_mightsleep() and kfree_rcu_mightsleep() Kelsey Maes <kelsey(a)vpprocess.com> can: mcp251xfd: fix TDC setting for low data bit rates Guillaume Nault <gnault(a)redhat.com> gre: Fix again IPv6 link-local address generation. Cong Wang <xiyou.wangcong(a)gmail.com> sch_htb: make htb_deactivate() idempotent Wang Zhaolong <wangzhaolong1(a)huawei.com> ksmbd: fix memory leak in parse_lease_state() Eelco Chaudron <echaudro(a)redhat.com> openvswitch: Fix unsafe attribute parsing in output_userspace() Norbert Szetei <norbert(a)doyensec.com> ksmbd: prevent out-of-bounds stream writes by validating *pos Marc Kleine-Budde <mkl(a)pengutronix.de> can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls Marc Kleine-Budde <mkl(a)pengutronix.de> can: mcan: m_can_class_unregister(): fix order of unregistration calls Wojciech Dubowik <Wojciech.Dubowik(a)mt.com> arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 Dan Carpenter <dan.carpenter(a)linaro.org> dm: add missing unlock on in dm_keyslot_evict() ------------- Diffstat: Documentation/ABI/testing/sysfs-devices-system-cpu | 1 + Documentation/admin-guide/hw-vuln/index.rst | 1 + .../hw-vuln/indirect-target-selection.rst | 156 ++++++++++++++ Documentation/admin-guide/kernel-parameters.txt | 15 ++ Makefile | 4 +- arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 25 ++- arch/arm64/include/asm/cputype.h | 2 + arch/arm64/include/asm/insn.h | 1 + arch/arm64/include/asm/spectre.h | 3 + arch/arm64/kernel/proton-pack.c | 13 +- arch/arm64/lib/insn.c | 76 ++++--- arch/arm64/net/bpf_jit_comp.c | 57 +++++- arch/mips/include/asm/ptrace.h | 3 +- arch/x86/Kconfig | 11 + arch/x86/entry/entry_64.S | 20 +- arch/x86/include/asm/alternative.h | 24 +++ arch/x86/include/asm/cpufeatures.h | 3 + arch/x86/include/asm/msr-index.h | 8 + arch/x86/include/asm/nospec-branch.h | 38 ++-- arch/x86/kernel/alternative.c | 226 ++++++++++++++++++++- arch/x86/kernel/cpu/bugs.c | 144 ++++++++++++- arch/x86/kernel/cpu/common.c | 72 +++++-- arch/x86/kernel/ftrace.c | 2 +- arch/x86/kernel/module.c | 7 + arch/x86/kernel/static_call.c | 2 +- arch/x86/kernel/vmlinux.lds.S | 10 + arch/x86/kvm/x86.c | 4 +- arch/x86/lib/retpoline.S | 39 ++++ arch/x86/mm/tlb.c | 23 ++- arch/x86/net/bpf_jit_comp.c | 60 +++++- drivers/base/cpu.c | 8 + drivers/gpu/drm/amd/amdgpu/hdp_v5_2.c | 12 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 20 +- .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 28 ++- drivers/gpu/drm/panel/panel-simple.c | 25 +-- drivers/gpu/drm/v3d/v3d_sched.c | 28 ++- drivers/iio/accel/adis16201.c | 4 +- drivers/iio/accel/adxl355_core.c | 2 +- drivers/iio/accel/adxl367.c | 10 +- drivers/iio/adc/ad7606_spi.c | 2 +- drivers/iio/adc/dln2-adc.c | 2 +- drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 6 + drivers/iio/temperature/maxim_thermocouple.c | 2 +- drivers/input/keyboard/mtk-pmic-keys.c | 4 +- drivers/input/mouse/synaptics.c | 5 + drivers/md/dm-table.c | 3 +- drivers/net/can/m_can/m_can.c | 2 +- drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 42 +++- drivers/net/dsa/b53/b53_common.c | 36 ++-- drivers/net/phy/microchip.c | 46 ++++- drivers/nvme/host/core.c | 3 +- drivers/staging/axis-fifo/axis-fifo.c | 14 +- drivers/staging/iio/adc/ad7816.c | 2 +- drivers/usb/cdns3/cdnsp-gadget.c | 31 +++ drivers/usb/cdns3/cdnsp-gadget.h | 6 + drivers/usb/cdns3/cdnsp-pci.c | 12 +- drivers/usb/cdns3/cdnsp-ring.c | 3 +- drivers/usb/cdns3/core.h | 3 + drivers/usb/class/usbtmc.c | 59 +++--- drivers/usb/gadget/udc/tegra-xudc.c | 4 + drivers/usb/host/uhci-platform.c | 2 +- drivers/usb/host/xhci-tegra.c | 3 + drivers/usb/typec/tcpm/tcpm.c | 2 +- drivers/usb/typec/ucsi/displayport.c | 2 + drivers/xen/xenbus/xenbus.h | 2 + drivers/xen/xenbus/xenbus_comms.c | 9 +- drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +- drivers/xen/xenbus/xenbus_xs.c | 18 +- fs/namespace.c | 3 +- fs/ocfs2/journal.c | 80 ++++++-- fs/ocfs2/journal.h | 1 + fs/ocfs2/ocfs2.h | 17 +- fs/ocfs2/quota_local.c | 9 +- fs/ocfs2/super.c | 3 + fs/smb/server/oplock.c | 7 +- fs/smb/server/vfs.c | 7 + include/linux/cpu.h | 2 + include/linux/module.h | 5 + include/linux/rcupdate.h | 3 + include/linux/types.h | 3 +- include/net/flow.h | 3 +- include/net/route.h | 6 +- include/uapi/linux/types.h | 1 + io_uring/io_uring.c | 61 +++--- kernel/params.c | 4 +- net/can/gw.c | 151 ++++++++------ net/core/filter.c | 1 + net/ipv6/addrconf.c | 15 +- net/netfilter/ipset/ip_set_hash_gen.h | 2 +- net/netfilter/ipvs/ip_vs_xmit.c | 29 +-- net/openvswitch/actions.c | 3 +- net/sched/sch_htb.c | 15 +- net/sctp/protocol.c | 4 +- 93 files changed, 1554 insertions(+), 395 deletions(-)

4 months

10
101
0 0

[PATCH 6.6 000/113] 6.6.91-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.91 release. There are 113 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 14 May 2025 17:19:58 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.91-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.91-rc1 Peter Zijlstra <peterz(a)infradead.org> x86/its: Use dynamic thunks for indirect branches Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/ibt: Keep IBT disabled during alternative patching Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Align RETs in BHB clear sequence to avoid thunking Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for RSB stuffing mitigation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add "vmexit" option to skip mitigation on some CPUs Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enable Indirect Target Selection mitigation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe return thunk Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe indirect thunk Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enumerate Indirect Target Selection (ITS) bug Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Documentation: x86/bugs/its: Add ITS documentation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/speculation: Remove the extra #ifdef around CALL_NOSPEC Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/speculation: Add a conditional CS prefix to CALL_NOSPEC Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/speculation: Simplify and make CALL_NOSPEC consistent Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/bhi: Do not set BHI_DIS_S in 32-bit mode Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bpf: Add IBHF call at end of classic BPF Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bpf: Call branch history clearing sequence on exit James Morse <james.morse(a)arm.com> arm64: proton-pack: Add new CPUs 'k' values for branch mitigation James Morse <james.morse(a)arm.com> arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users James Morse <james.morse(a)arm.com> arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs James Morse <james.morse(a)arm.com> arm64: proton-pack: Expose whether the branchy loop k value James Morse <james.morse(a)arm.com> arm64: proton-pack: Expose whether the platform is mitigated by firmware James Morse <james.morse(a)arm.com> arm64: insn: Add support for encoding DSB Jens Axboe <axboe(a)kernel.dk> io_uring: ensure deferred completions are posted for multishot Jens Axboe <axboe(a)kernel.dk> io_uring: always arm linked timeouts prior to issue Al Viro <viro(a)zeniv.linux.org.uk> do_umount(): add missing barrier before refcount checks in sync case Daniel Wagner <wagi(a)kernel.org> nvme: unblock ctrl state transition for firmware update Kevin Baker <kevinb(a)ventureresearch.com> drm/panel: simple: Update timings for AUO G101EVN010 Thorsten Blum <thorsten.blum(a)linux.dev> MIPS: Fix MAX_REG_OFFSET Marco Crivellari <marco.crivellari(a)suse.com> MIPS: Move r4k_wait() to .cpuidle.text section Marco Crivellari <marco.crivellari(a)suse.com> MIPS: Fix idle VS timer enqueue Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: adc: dln2: Use aligned_s64 for timestamp Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: accel: adxl355: Make timestamp 64-bit aligned using aligned_s64 Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> types: Complement the aligned types with signed 64-bit one Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: temp: maxim-thermocouple: Fix potential lack of DMA safe buffer. Lothar Rubusch <l.rubusch(a)gmail.com> iio: accel: adxl367: fix setting odr for activity time update Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous generic_read ioctl return Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous wait_srq ioctl return Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous get_stb ioctl error returns Oliver Neukum <oneukum(a)suse.com> USB: usbtmc: use interruptible sleep in usbtmc_read Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: ucsi: displayport: Fix NULL pointer access RD Babiera <rdbabiera(a)google.com> usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition Jim Lin <jilin(a)nvidia.com> usb: host: tegra: Prevent host controller crash when OTG port is used Prashanth K <prashanth.k(a)oss.qualcomm.com> usb: gadget: Use get_status callback to set remote wakeup capability Wayne Chang <waynec(a)nvidia.com> usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN Prashanth K <prashanth.k(a)oss.qualcomm.com> usb: gadget: f_ecm: Add get_status callback Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: Fix issue with resuming from L1 Jan Kara <jack(a)suse.cz> ocfs2: stop quota recovery before disabling quotas Jan Kara <jack(a)suse.cz> ocfs2: implement handshaking with ocfs2 recovery thread Jan Kara <jack(a)suse.cz> ocfs2: switch osb->disable_recovery to enum Borislav Petkov (AMD) <bp(a)alien8.de> x86/microcode: Consolidate the loader enablement checking Dmitry Antipov <dmantipov(a)yandex.ru> module: ensure that kobject_put() is safe for module type kobjects Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> clocksource/i8253: Use raw_spinlock_irqsave() in clockevent_i8253_disable() Jason Andryuk <jason.andryuk(a)amd.com> xenbus: Use kref to track req lifetime John Ernberg <john.ernberg(a)actia.se> xen: swiotlb: Use swiotlb bouncing if kmalloc allocation demands it Paul Aurich <paul(a)darkrain42.org> smb: client: Avoid race in open_cached_dir with lease breaks Alexey Charkov <alchark(a)gmail.com> usb: uhci-platform: Make the clock really optional Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp6: use memcfg register to post the write for HDP flush Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp5: use memcfg register to post the write for HDP flush Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp4: use memcfg register to post the write for HDP flush Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Copy AUX read reply data whenever length > 0 Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Fix wrong handling for AUX_DEFER case Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Remove incorrect checking in dmub aux handler Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Fix the checking condition in dmub aux handling Aurabindo Pillai <aurabindo.pillai(a)amd.com> drm/amd/display: more liberal vmin/vmax update for freesync Maíra Canal <mcanal(a)igalia.com> drm/v3d: Add job to pending list if the reset was skipped Silvano Seva <s.seva(a)4sigma.it> iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo Silvano Seva <s.seva(a)4sigma.it> iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo Gabriel Shahrouzi <gshahrouzi(a)gmail.com> iio: adis16201: Correct inclinometer channel resolution Simon Xue <xxm(a)rock-chips.com> iio: adc: rockchip: Fix clock initialization sequence Angelo Dureghello <adureghello(a)baylibre.com> iio: adc: ad7606: fix serial register access Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Shift DMUB AUX reply command if necessary Dave Hansen <dave.hansen(a)linux.intel.com> x86/mm: Eliminate window where TLB flushes may be inadvertently skipped Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: axis-fifo: Correct handling of tx_fifo_depth for size validation Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: axis-fifo: Remove hardware resets for user errors Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: iio: adc: ad7816: Correct conditional logic for store mode Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: synaptics - enable SMBus for HP Elitebook 850 G1 Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on Dell Precision M3800 Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on Dynabook Portege X30L-G Manuel Fombuena <fombuena(a)outlook.com> Input: synaptics - enable InterTouch on Dynabook Portege X30-D Vicki Pfau <vi(a)endrift.com> Input: xpad - fix two controller table values Lode Willems <me(a)lodewillems.com> Input: xpad - add support for 8BitDo Ultimate 2 Wireless Controller Vicki Pfau <vi(a)endrift.com> Input: xpad - fix Share button on Xbox One controllers Gary Bisson <bisson.gary(a)gmail.com> Input: mtk-pmic-keys - fix possible null pointer dereference Mikael Gonella-Bolduc <mgonellabolduc(a)dimonoff.com> Input: cyttsp5 - fix power control issue on wakeup Hugo Villeneuve <hvilleneuve(a)dimonoff.com> Input: cyttsp5 - ensure minimum reset pulse width Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix learning on VLAN unaware bridges Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: always rejoin default untagged VLAN on bridge leave Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix flushing old pvid VLAN on pvid change Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix clearing PVID of a port Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: allow leaky reserved multicast Paul Chaignon <paul.chaignon(a)gmail.com> bpf: Scrub packet on bpf_redirect_peer Jozsef Kadlecsik <kadlec(a)netfilter.org> netfilter: ipset: fix region locking in hash types Julian Anastasov <ja(a)ssi.bg> ipvs: fix uninit-value for saddr in do_output_route4 Oliver Hartkopp <socketcan(a)hartkopp.net> can: gw: fix RCU/BH usage in cgw_create_job() Kelsey Maes <kelsey(a)vpprocess.com> can: mcp251xfd: fix TDC setting for low data bit rates Daniel Golle <daniel(a)makrotopia.org> net: ethernet: mtk_eth_soc: reset all TX queues on DMA free Alexander Lobakin <aleksander.lobakin(a)intel.com> netdevice: add netdev_tx_reset_subqueue() shorthand Guillaume Nault <gnault(a)redhat.com> gre: Fix again IPv6 link-local address generation. Cong Wang <xiyou.wangcong(a)gmail.com> sch_htb: make htb_deactivate() idempotent Wang Zhaolong <wangzhaolong1(a)huawei.com> ksmbd: fix memory leak in parse_lease_state() Eelco Chaudron <echaudro(a)redhat.com> openvswitch: Fix unsafe attribute parsing in output_userspace() Sean Heelan <seanheelan(a)gmail.com> ksmbd: Fix UAF in __close_file_table_ids Norbert Szetei <norbert(a)doyensec.com> ksmbd: prevent out-of-bounds stream writes by validating *pos Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: prevent rename with empty string Marc Kleine-Budde <mkl(a)pengutronix.de> can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls Veerendranath Jakkam <quic_vjakkam(a)quicinc.com> wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation Marc Kleine-Budde <mkl(a)pengutronix.de> can: mcan: m_can_class_unregister(): fix order of unregistration calls Wojciech Dubowik <Wojciech.Dubowik(a)mt.com> arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 Dan Carpenter <dan.carpenter(a)linaro.org> dm: add missing unlock on in dm_keyslot_evict() ------------- Diffstat: Documentation/ABI/testing/sysfs-devices-system-cpu | 1 + Documentation/admin-guide/hw-vuln/index.rst | 1 + .../hw-vuln/indirect-target-selection.rst | 168 +++++++++++++++++ Documentation/admin-guide/kernel-parameters.txt | 18 ++ Makefile | 4 +- arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 25 ++- arch/arm64/include/asm/cputype.h | 2 + arch/arm64/include/asm/insn.h | 1 + arch/arm64/include/asm/spectre.h | 3 + arch/arm64/kernel/proton-pack.c | 13 +- arch/arm64/lib/insn.c | 76 ++++---- arch/arm64/net/bpf_jit_comp.c | 57 +++++- arch/mips/include/asm/idle.h | 3 +- arch/mips/include/asm/ptrace.h | 3 +- arch/mips/kernel/genex.S | 63 ++++--- arch/mips/kernel/idle.c | 7 - arch/x86/Kconfig | 11 ++ arch/x86/entry/entry_64.S | 20 ++- arch/x86/include/asm/alternative.h | 24 +++ arch/x86/include/asm/cpufeatures.h | 3 + arch/x86/include/asm/microcode.h | 2 + arch/x86/include/asm/msr-index.h | 8 + arch/x86/include/asm/nospec-branch.h | 44 +++-- arch/x86/kernel/alternative.c | 198 ++++++++++++++++++++- arch/x86/kernel/cpu/bugs.c | 178 +++++++++++++++++- arch/x86/kernel/cpu/common.c | 72 ++++++-- arch/x86/kernel/cpu/microcode/amd.c | 6 +- arch/x86/kernel/cpu/microcode/core.c | 60 ++++--- arch/x86/kernel/cpu/microcode/intel.c | 2 +- arch/x86/kernel/cpu/microcode/internal.h | 1 - arch/x86/kernel/ftrace.c | 2 +- arch/x86/kernel/head32.c | 4 - arch/x86/kernel/module.c | 7 + arch/x86/kernel/static_call.c | 4 +- arch/x86/kernel/vmlinux.lds.S | 10 ++ arch/x86/kvm/x86.c | 4 +- arch/x86/lib/retpoline.S | 39 ++++ arch/x86/mm/tlb.c | 23 ++- arch/x86/net/bpf_jit_comp.c | 61 ++++++- drivers/base/cpu.c | 3 + drivers/clocksource/i8253.c | 4 +- drivers/gpu/drm/amd/amdgpu/hdp_v4_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/hdp_v5_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/hdp_v5_2.c | 12 +- drivers/gpu/drm/amd/amdgpu/hdp_v6_0.c | 7 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 36 ++-- .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 28 ++- drivers/gpu/drm/panel/panel-simple.c | 25 +-- drivers/gpu/drm/v3d/v3d_sched.c | 28 ++- drivers/iio/accel/adis16201.c | 4 +- drivers/iio/accel/adxl355_core.c | 2 +- drivers/iio/accel/adxl367.c | 10 +- drivers/iio/adc/ad7606_spi.c | 2 +- drivers/iio/adc/dln2-adc.c | 2 +- drivers/iio/adc/rockchip_saradc.c | 17 +- drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 6 + drivers/iio/temperature/maxim_thermocouple.c | 2 +- drivers/input/joystick/xpad.c | 40 +++-- drivers/input/keyboard/mtk-pmic-keys.c | 4 +- drivers/input/mouse/synaptics.c | 5 + drivers/input/touchscreen/cyttsp5.c | 7 +- drivers/md/dm-table.c | 3 +- drivers/net/can/m_can/m_can.c | 2 +- drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 42 ++++- drivers/net/dsa/b53/b53_common.c | 36 ++-- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 16 +- drivers/nvme/host/core.c | 3 +- drivers/staging/axis-fifo/axis-fifo.c | 14 +- drivers/staging/iio/adc/ad7816.c | 2 +- drivers/usb/cdns3/cdnsp-gadget.c | 31 ++++ drivers/usb/cdns3/cdnsp-gadget.h | 6 + drivers/usb/cdns3/cdnsp-pci.c | 12 +- drivers/usb/cdns3/cdnsp-ring.c | 3 +- drivers/usb/cdns3/core.h | 3 + drivers/usb/class/usbtmc.c | 59 +++--- drivers/usb/gadget/composite.c | 12 +- drivers/usb/gadget/function/f_ecm.c | 7 + drivers/usb/gadget/udc/tegra-xudc.c | 4 + drivers/usb/host/uhci-platform.c | 2 +- drivers/usb/host/xhci-tegra.c | 3 + drivers/usb/typec/tcpm/tcpm.c | 2 +- drivers/usb/typec/ucsi/displayport.c | 2 + drivers/xen/swiotlb-xen.c | 1 + drivers/xen/xenbus/xenbus.h | 2 + drivers/xen/xenbus/xenbus_comms.c | 9 +- drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +- drivers/xen/xenbus/xenbus_xs.c | 18 +- fs/namespace.c | 3 +- fs/ocfs2/journal.c | 80 ++++++--- fs/ocfs2/journal.h | 1 + fs/ocfs2/ocfs2.h | 17 +- fs/ocfs2/quota_local.c | 9 +- fs/ocfs2/super.c | 3 + fs/smb/client/cached_dir.c | 10 +- fs/smb/server/oplock.c | 7 +- fs/smb/server/smb2pdu.c | 5 + fs/smb/server/vfs.c | 7 + fs/smb/server/vfs_cache.c | 33 +++- include/linux/cpu.h | 2 + include/linux/module.h | 5 + include/linux/netdevice.h | 13 +- include/linux/types.h | 3 +- include/uapi/linux/types.h | 1 + io_uring/io_uring.c | 61 +++---- kernel/params.c | 4 +- net/can/gw.c | 151 +++++++++------- net/core/filter.c | 1 + net/ipv6/addrconf.c | 15 +- net/netfilter/ipset/ip_set_hash_gen.h | 2 +- net/netfilter/ipvs/ip_vs_xmit.c | 27 +-- net/openvswitch/actions.c | 3 +- net/sched/sch_htb.c | 15 +- net/wireless/scan.c | 2 +- 113 files changed, 1733 insertions(+), 529 deletions(-)

4 months

10
122
0 0

[PATCH 1/3] highmem: Add folio_test_partial_kmap()

by Matthew Wilcox (Oracle)

In commit c749d9b7ebbc (iov_iter: fix copy_page_from_iter_atomic() if KMAP_LOCAL_FORCE_MAP), Hugh correctly noted that if KMAP_LOCAL_FORCE_MAP is enabled, we must limit ourselves to PAGE_SIZE bytes per call to kmap_local(). The same problem exists in memcpy_from_folio(), memcpy_to_folio(), folio_zero_tail(), folio_fill_tail() and memcpy_from_file_folio(), so add folio_test_partial_kmap() to do this more succinctly. Signed-off-by: Matthew Wilcox (Oracle) <willy(a)infradead.org> Fixes: 00cdf76012ab (mm: add memcpy_from_file_folio()) Cc: stable(a)vger.kernel.org --- include/linux/highmem.h | 10 +++++----- include/linux/page-flags.h | 7 +++++++ 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/include/linux/highmem.h b/include/linux/highmem.h index 5c6bea81a90e..c698f8415675 100644 --- a/include/linux/highmem.h +++ b/include/linux/highmem.h @@ -461,7 +461,7 @@ static inline void memcpy_from_folio(char *to, struct folio *folio, const char *from = kmap_local_folio(folio, offset); size_t chunk = len; - if (folio_test_highmem(folio) && + if (folio_test_partial_kmap(folio) && chunk > PAGE_SIZE - offset_in_page(offset)) chunk = PAGE_SIZE - offset_in_page(offset); memcpy(to, from, chunk); @@ -489,7 +489,7 @@ static inline void memcpy_to_folio(struct folio *folio, size_t offset, char *to = kmap_local_folio(folio, offset); size_t chunk = len; - if (folio_test_highmem(folio) && + if (folio_test_partial_kmap(folio) && chunk > PAGE_SIZE - offset_in_page(offset)) chunk = PAGE_SIZE - offset_in_page(offset); memcpy(to, from, chunk); @@ -522,7 +522,7 @@ static inline __must_check void *folio_zero_tail(struct folio *folio, { size_t len = folio_size(folio) - offset; - if (folio_test_highmem(folio)) { + if (folio_test_partial_kmap(folio)) { size_t max = PAGE_SIZE - offset_in_page(offset); while (len > max) { @@ -560,7 +560,7 @@ static inline void folio_fill_tail(struct folio *folio, size_t offset, VM_BUG_ON(offset + len > folio_size(folio)); - if (folio_test_highmem(folio)) { + if (folio_test_partial_kmap(folio)) { size_t max = PAGE_SIZE - offset_in_page(offset); while (len > max) { @@ -597,7 +597,7 @@ static inline size_t memcpy_from_file_folio(char *to, struct folio *folio, size_t offset = offset_in_folio(folio, pos); char *from = kmap_local_folio(folio, offset); - if (folio_test_highmem(folio)) { + if (folio_test_partial_kmap(folio)) { offset = offset_in_page(offset); len = min_t(size_t, len, PAGE_SIZE - offset); } else diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h index e6a21b62dcce..3b814ce08331 100644 --- a/include/linux/page-flags.h +++ b/include/linux/page-flags.h @@ -615,6 +615,13 @@ FOLIO_FLAG(dropbehind, FOLIO_HEAD_PAGE) PAGEFLAG_FALSE(HighMem, highmem) #endif +/* Does kmap_local_folio() only allow access to one page of the folio? */ +#ifdef CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP +#define folio_test_partial_kmap(f) true +#else +#define folio_test_partial_kmap(f) folio_test_highmem(f) +#endif + #ifdef CONFIG_SWAP static __always_inline bool folio_test_swapcache(const struct folio *folio) { -- 2.47.2

4 months

1
0
0 0

[PATCH 6.12 000/184] 6.12.29-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.29 release. There are 184 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 14 May 2025 17:19:58 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.29-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.29-rc1 Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> selftest/x86/bugs: Add selftests for ITS Peter Zijlstra <peterz(a)infradead.org> x86/its: Use dynamic thunks for indirect branches Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/ibt: Keep IBT disabled during alternative patching Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Align RETs in BHB clear sequence to avoid thunking Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for RSB stuffing mitigation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add "vmexit" option to skip mitigation on some CPUs Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enable Indirect Target Selection mitigation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe return thunk Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe indirect thunk Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enumerate Indirect Target Selection (ITS) bug Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Documentation: x86/bugs/its: Add ITS documentation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/speculation: Remove the extra #ifdef around CALL_NOSPEC Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/speculation: Add a conditional CS prefix to CALL_NOSPEC Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/speculation: Simplify and make CALL_NOSPEC consistent Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/bhi: Do not set BHI_DIS_S in 32-bit mode Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bpf: Add IBHF call at end of classic BPF Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bpf: Call branch history clearing sequence on exit James Morse <james.morse(a)arm.com> arm64: proton-pack: Add new CPUs 'k' values for branch mitigation James Morse <james.morse(a)arm.com> arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users James Morse <james.morse(a)arm.com> arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs James Morse <james.morse(a)arm.com> arm64: proton-pack: Expose whether the branchy loop k value James Morse <james.morse(a)arm.com> arm64: proton-pack: Expose whether the platform is mitigated by firmware James Morse <james.morse(a)arm.com> arm64: insn: Add support for encoding DSB Omar Sandoval <osandov(a)fb.com> sched/eevdf: Fix se->slice being set to U64_MAX and resulting crash Johannes Weiner <hannes(a)cmpxchg.org> mm: page_alloc: speed up fallbacks in rmqueue_bulk() Johannes Weiner <hannes(a)cmpxchg.org> mm: page_alloc: don't steal single pages from biggest buddy Hao Qin <hao.qin(a)mediatek.com> Bluetooth: btmtk: Remove the resetting step before downloading the fw Hao Qin <hao.qin(a)mediatek.com> Bluetooth: btmtk: Remove resetting mt7921 before downloading the fw Jens Axboe <axboe(a)kernel.dk> io_uring: always arm linked timeouts prior to issue Miguel Ojeda <ojeda(a)kernel.org> rust: clean Rust 1.88.0's `clippy::uninlined_format_args` lint Miguel Ojeda <ojeda(a)kernel.org> rust: allow Rust 1.87.0's `clippy::ptr_eq` lint Christian Lamparter <chunkeey(a)gmail.com> Revert "um: work around sched_yield not yielding in time-travel mode" Al Viro <viro(a)zeniv.linux.org.uk> do_umount(): add missing barrier before refcount checks in sync case Gabriel Krisman Bertazi <krisman(a)suse.de> io_uring/sqpoll: Increase task_work submission batch size Tejas Upadhyay <tejas.upadhyay(a)intel.com> drm/xe/tests/mocs: Hold XE_FORCEWAKE_ALL for LNCF regs Himal Prasad Ghimiray <himal.prasad.ghimiray(a)intel.com> drm/xe/tests/mocs: Update xe_force_wake_get() return handling Clément Léger <cleger(a)rivosinc.com> riscv: misaligned: enable IRQs while handling misaligned accesses Clément Léger <cleger(a)rivosinc.com> riscv: misaligned: factorize trap handling Daniel Wagner <wagi(a)kernel.org> nvme: unblock ctrl state transition for firmware update Kevin Baker <kevinb(a)ventureresearch.com> drm/panel: simple: Update timings for AUO G101EVN010 Lizhi Xu <lizhi.xu(a)windriver.com> loop: Add sanity check for read/write_iter Christoph Hellwig <hch(a)lst.de> loop: factor out a loop_assign_backing_file helper Christoph Hellwig <hch(a)lst.de> loop: refactor queue limits updates OGAWA Hirofumi <hirofumi(a)mail.parknet.co.jp> loop: Fix ABBA locking race John Garry <john.g.garry(a)oracle.com> loop: Simplify discard granularity calc John Garry <john.g.garry(a)oracle.com> loop: Use bdev limit helpers for configuring discard Nylon Chen <nylon.chen(a)sifive.com> riscv: misaligned: Add handling for ZCB instructions Thorsten Blum <thorsten.blum(a)linux.dev> MIPS: Fix MAX_REG_OFFSET Marco Crivellari <marco.crivellari(a)suse.com> MIPS: Move r4k_wait() to .cpuidle.text section Marco Crivellari <marco.crivellari(a)suse.com> MIPS: Fix idle VS timer enqueue Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: adc: dln2: Use aligned_s64 for timestamp Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: accel: adxl355: Make timestamp 64-bit aligned using aligned_s64 Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> types: Complement the aligned types with signed 64-bit one Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: temp: maxim-thermocouple: Fix potential lack of DMA safe buffer. Lothar Rubusch <l.rubusch(a)gmail.com> iio: accel: adxl367: fix setting odr for activity time update Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous generic_read ioctl return Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous wait_srq ioctl return Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous get_stb ioctl error returns Oliver Neukum <oneukum(a)suse.com> USB: usbtmc: use interruptible sleep in usbtmc_read Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: ucsi: displayport: Fix NULL pointer access RD Babiera <rdbabiera(a)google.com> usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition Lukasz Czechowski <lukasz.czechowski(a)thaumatec.com> usb: misc: onboard_usb_dev: fix support for Cypress HX3 hubs Jim Lin <jilin(a)nvidia.com> usb: host: tegra: Prevent host controller crash when OTG port is used Prashanth K <prashanth.k(a)oss.qualcomm.com> usb: gadget: Use get_status callback to set remote wakeup capability Wayne Chang <waynec(a)nvidia.com> usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN Prashanth K <prashanth.k(a)oss.qualcomm.com> usb: gadget: f_ecm: Add get_status callback Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: Fix issue with resuming from L1 Prashanth K <prashanth.k(a)oss.qualcomm.com> usb: dwc3: gadget: Make gadget_wakeup asynchronous Jan Kara <jack(a)suse.cz> ocfs2: stop quota recovery before disabling quotas Jan Kara <jack(a)suse.cz> ocfs2: implement handshaking with ocfs2 recovery thread Jan Kara <jack(a)suse.cz> ocfs2: switch osb->disable_recovery to enum Heming Zhao <heming.zhao(a)suse.com> ocfs2: fix the issue with discontiguous allocation in the global_bitmap Borislav Petkov (AMD) <bp(a)alien8.de> x86/microcode: Consolidate the loader enablement checking Dmitry Antipov <dmantipov(a)yandex.ru> module: ensure that kobject_put() is safe for module type kobjects Tom Lendacky <thomas.lendacky(a)amd.com> memblock: Accept allocated memory before use in memblock_double_array() Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> clocksource/i8253: Use raw_spinlock_irqsave() in clockevent_i8253_disable() Yeoreum Yun <yeoreum.yun(a)arm.com> arm64: cpufeature: Move arm64_use_ng_mappings to the .data section to prevent wrong idmap generation Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> accel/ivpu: Increase state dump msg timeout Jason Andryuk <jason.andryuk(a)amd.com> xenbus: Use kref to track req lifetime John Ernberg <john.ernberg(a)actia.se> xen: swiotlb: Use swiotlb bouncing if kmalloc allocation demands it Paul Aurich <paul(a)darkrain42.org> smb: client: Avoid race in open_cached_dir with lease breaks Alexey Charkov <alchark(a)gmail.com> usb: uhci-platform: Make the clock really optional Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp7: use memcfg register to post the write for HDP flush Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp6: use memcfg register to post the write for HDP flush Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp5: use memcfg register to post the write for HDP flush Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp4: use memcfg register to post the write for HDP flush Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Copy AUX read reply data whenever length > 0 Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Fix wrong handling for AUX_DEFER case Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Remove incorrect checking in dmub aux handler Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Fix the checking condition in dmub aux handling Aurabindo Pillai <aurabindo.pillai(a)amd.com> drm/amd/display: more liberal vmin/vmax update for freesync Roman Li <Roman.Li(a)amd.com> drm/amd/display: Fix invalid context error in dml helper Ruijing Dong <ruijing.dong(a)amd.com> drm/amdgpu/vcn: using separate VCN1_AON_SOC offset Matthew Brost <matthew.brost(a)intel.com> drm/xe: Add page queue multiplier Maíra Canal <mcanal(a)igalia.com> drm/v3d: Add job to pending list if the reset was skipped Silvano Seva <s.seva(a)4sigma.it> iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo Silvano Seva <s.seva(a)4sigma.it> iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo David Lechner <dlechner(a)baylibre.com> iio: imu: inv_mpu6050: align buffer for timestamp Gabriel Shahrouzi <gshahrouzi(a)gmail.com> iio: adis16201: Correct inclinometer channel resolution Simon Xue <xxm(a)rock-chips.com> iio: adc: rockchip: Fix clock initialization sequence Angelo Dureghello <adureghello(a)baylibre.com> iio: adc: ad7606: fix serial register access Jens Axboe <axboe(a)kernel.dk> io_uring: ensure deferred completions are flushed for multishot Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Shift DMUB AUX reply command if necessary Mikhail Lobanov <m.lobanov(a)rosa.ru> KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception Nysal Jan K.A. <nysal(a)linux.ibm.com> selftests/mm: fix a build failure on powerpc Feng Tang <feng.tang(a)linux.alibaba.com> selftests/mm: compaction_test: support platform with huge mount of memory Peter Xu <peterx(a)redhat.com> mm/userfaultfd: fix uninitialized output field for -EAGAIN race Gavin Guo <gavinguo(a)igalia.com> mm/huge_memory: fix dereferencing invalid pmd migration entry Kees Cook <kees(a)kernel.org> mm: vmalloc: support more granular vrealloc() sizing Petr Vaněk <arkamar(a)atlas.cz> mm: fix folio_pte_batch() on XEN PV Dave Hansen <dave.hansen(a)linux.intel.com> x86/mm: Eliminate window where TLB flushes may be inadvertently skipped Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: axis-fifo: Correct handling of tx_fifo_depth for size validation Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: axis-fifo: Remove hardware resets for user errors Dave Stevenson <dave.stevenson(a)raspberrypi.com> staging: bcm2835-camera: Initialise dev in v4l2_dev Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: iio: adc: ad7816: Correct conditional logic for store mode Miguel Ojeda <ojeda(a)kernel.org> rust: clean Rust 1.88.0's warning about `clippy::disallowed_macros` configuration Miguel Ojeda <ojeda(a)kernel.org> objtool/rust: add one more `noreturn` Rust function for Rust 1.87.0 Miguel Ojeda <ojeda(a)kernel.org> rust: clean Rust 1.88.0's `unnecessary_transmutes` lint Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: synaptics - enable SMBus for HP Elitebook 850 G1 Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on Dell Precision M3800 Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on Dynabook Portege X30L-G Manuel Fombuena <fombuena(a)outlook.com> Input: synaptics - enable InterTouch on Dynabook Portege X30-D Vicki Pfau <vi(a)endrift.com> Input: xpad - fix two controller table values Lode Willems <me(a)lodewillems.com> Input: xpad - add support for 8BitDo Ultimate 2 Wireless Controller Vicki Pfau <vi(a)endrift.com> Input: xpad - fix Share button on Xbox One controllers Gary Bisson <bisson.gary(a)gmail.com> Input: mtk-pmic-keys - fix possible null pointer dereference Mikael Gonella-Bolduc <mgonellabolduc(a)dimonoff.com> Input: cyttsp5 - fix power control issue on wakeup Hugo Villeneuve <hvilleneuve(a)dimonoff.com> Input: cyttsp5 - ensure minimum reset pulse width Jakub Kicinski <kuba(a)kernel.org> virtio-net: fix total qstat values Jakub Kicinski <kuba(a)kernel.org> net: export a helper for adding up queue stats Alexander Duyck <alexanderduyck(a)fb.com> fbnic: Do not allow mailbox to toggle to ready outside fbnic_mbx_poll_tx_ready Alexander Duyck <alexanderduyck(a)fb.com> fbnic: Pull fbnic_fw_xmit_cap_msg use out of interrupt context Alexander Duyck <alexanderduyck(a)fb.com> fbnic: Improve responsiveness of fbnic_mbx_poll_tx_ready Alexander Duyck <alexanderduyck(a)fb.com> fbnic: Actually flush_tx instead of stalling out Alexander Duyck <alexanderduyck(a)fb.com> fbnic: Gate AXI read/write enabling on FW mailbox Alexander Duyck <alexanderduyck(a)fb.com> fbnic: Fix initialization of mailbox descriptor rings Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: do not set learning and unicast/multicast on up Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix learning on VLAN unaware bridges Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix toggling vlan_filtering Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: do not program vlans when vlan filtering is off Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: do not allow to configure VLAN 0 Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: always rejoin default untagged VLAN on bridge leave Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix flushing old pvid VLAN on pvid change Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix clearing PVID of a port Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: keep CPU port always tagged again Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: allow leaky reserved multicast Paul Chaignon <paul.chaignon(a)gmail.com> bpf: Scrub packet on bpf_redirect_peer Jozsef Kadlecsik <kadlec(a)netfilter.org> netfilter: ipset: fix region locking in hash types Julian Anastasov <ja(a)ssi.bg> ipvs: fix uninit-value for saddr in do_output_route4 Gao Xiang <xiang(a)kernel.org> erofs: ensure the extra temporary copy is valid for shortened bvecs Przemek Kitszel <przemyslaw.kitszel(a)intel.com> ice: use DSN instead of PCI BDF for ice_adapter index Sergey Temerkhanov <sergey.temerkhanov(a)intel.com> ice: Initial support for E825C hardware in ice_adapter Michael-CY Lee <michael-cy.lee(a)mediatek.com> wifi: mac80211: fix the type of status_code for negotiated TID to Link Mapping Oliver Hartkopp <socketcan(a)hartkopp.net> can: gw: fix RCU/BH usage in cgw_create_job() Kelsey Maes <kelsey(a)vpprocess.com> can: mcp251xfd: fix TDC setting for low data bit rates Antonios Salios <antonios(a)mwa.re> can: m_can: m_can_class_allocate_dev(): initialize spin lock on device probe Frank Wunderlich <frank-w(a)public-files.de> net: ethernet: mtk_eth_soc: do not reset PSE when setting FE Daniel Golle <daniel(a)makrotopia.org> net: ethernet: mtk_eth_soc: reset all TX queues on DMA free Guillaume Nault <gnault(a)redhat.com> gre: Fix again IPv6 link-local address generation. Jakub Kicinski <kuba(a)kernel.org> virtio-net: free xsk_buffs on error in virtnet_xsk_pool_enable() Xuan Zhuo <xuanzhuo(a)linux.alibaba.com> virtio_net: xsk: bind/unbind xsk for tx Cong Wang <xiyou.wangcong(a)gmail.com> sch_htb: make htb_deactivate() idempotent Heiko Carstens <hca(a)linux.ibm.com> s390/entry: Fix last breaking event handling in case of stack corruption Wang Zhaolong <wangzhaolong1(a)huawei.com> ksmbd: fix memory leak in parse_lease_state() Eelco Chaudron <echaudro(a)redhat.com> openvswitch: Fix unsafe attribute parsing in output_userspace() Sean Heelan <seanheelan(a)gmail.com> ksmbd: Fix UAF in __close_file_table_ids Norbert Szetei <norbert(a)doyensec.com> ksmbd: prevent out-of-bounds stream writes by validating *pos Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: prevent rename with empty string Marc Kleine-Budde <mkl(a)pengutronix.de> can: rockchip_canfd: rkcanfd_remove(): fix order of unregistration calls Marc Kleine-Budde <mkl(a)pengutronix.de> can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs Alex Williamson <alex.williamson(a)redhat.com> vfio/pci: Align huge faults to order Veerendranath Jakkam <quic_vjakkam(a)quicinc.com> wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Fix missing check for zpci_create_device() error return Marc Kleine-Budde <mkl(a)pengutronix.de> can: mcan: m_can_class_unregister(): fix order of unregistration calls Cristian Marussi <cristian.marussi(a)arm.com> firmware: arm_scmi: Fix timeout checks on polling path Wojciech Dubowik <Wojciech.Dubowik(a)mt.com> arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 Qu Wenruo <wqu(a)suse.com> Revert "btrfs: canonicalize the device path before adding it" Max Kellermann <max.kellermann(a)ionos.com> fs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio() Dan Carpenter <dan.carpenter(a)linaro.org> dm: add missing unlock on in dm_keyslot_evict() ------------- Diffstat: .clippy.toml | 2 +- Documentation/ABI/testing/sysfs-devices-system-cpu | 1 + Documentation/admin-guide/hw-vuln/index.rst | 1 + .../hw-vuln/indirect-target-selection.rst | 168 ++++++++++++++++ Documentation/admin-guide/kernel-parameters.txt | 18 ++ Makefile | 4 +- arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 25 ++- arch/arm64/include/asm/cputype.h | 2 + arch/arm64/include/asm/insn.h | 1 + arch/arm64/include/asm/spectre.h | 3 + arch/arm64/kernel/cpufeature.c | 9 +- arch/arm64/kernel/proton-pack.c | 13 +- arch/arm64/lib/insn.c | 76 +++++--- arch/arm64/net/bpf_jit_comp.c | 57 +++++- arch/mips/include/asm/idle.h | 3 +- arch/mips/include/asm/ptrace.h | 3 +- arch/mips/kernel/genex.S | 63 +++--- arch/mips/kernel/idle.c | 7 - arch/riscv/kernel/traps.c | 64 ++++--- arch/riscv/kernel/traps_misaligned.c | 17 ++ arch/s390/kernel/entry.S | 3 +- arch/s390/pci/pci_clp.c | 2 + arch/um/include/linux/time-internal.h | 2 - arch/um/kernel/skas/syscall.c | 11 -- arch/x86/Kconfig | 12 ++ arch/x86/entry/entry_64.S | 20 +- arch/x86/include/asm/alternative.h | 24 +++ arch/x86/include/asm/cpufeatures.h | 3 + arch/x86/include/asm/microcode.h | 2 + arch/x86/include/asm/msr-index.h | 8 + arch/x86/include/asm/nospec-branch.h | 38 ++-- arch/x86/kernel/alternative.c | 195 ++++++++++++++++++- arch/x86/kernel/cpu/bugs.c | 176 ++++++++++++++++- arch/x86/kernel/cpu/common.c | 72 +++++-- arch/x86/kernel/cpu/microcode/amd.c | 6 +- arch/x86/kernel/cpu/microcode/core.c | 60 +++--- arch/x86/kernel/cpu/microcode/intel.c | 2 +- arch/x86/kernel/cpu/microcode/internal.h | 1 - arch/x86/kernel/ftrace.c | 2 +- arch/x86/kernel/head32.c | 4 - arch/x86/kernel/module.c | 6 + arch/x86/kernel/static_call.c | 4 +- arch/x86/kernel/vmlinux.lds.S | 10 + arch/x86/kvm/smm.c | 1 + arch/x86/kvm/svm/svm.c | 4 + arch/x86/kvm/x86.c | 4 +- arch/x86/lib/retpoline.S | 39 ++++ arch/x86/mm/tlb.c | 23 ++- arch/x86/net/bpf_jit_comp.c | 58 +++++- drivers/accel/ivpu/ivpu_hw.c | 2 +- drivers/base/cpu.c | 3 + drivers/block/loop.c | 104 ++++++---- drivers/bluetooth/btmtk.c | 12 +- drivers/clocksource/i8253.c | 4 +- drivers/firmware/arm_scmi/driver.c | 13 +- drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h | 1 - drivers/gpu/drm/amd/amdgpu/hdp_v4_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/hdp_v5_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/hdp_v5_2.c | 12 +- drivers/gpu/drm/amd/amdgpu/hdp_v6_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/hdp_v7_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c | 1 + drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c | 1 + drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 1 + drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 4 +- drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c | 1 + drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c | 1 + drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c | 3 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 36 ++-- .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 28 ++- .../amd/display/dc/dml2/dml2_translation_helper.c | 14 +- drivers/gpu/drm/panel/panel-simple.c | 25 +-- drivers/gpu/drm/v3d/v3d_sched.c | 28 ++- drivers/gpu/drm/xe/tests/xe_mocs.c | 21 +- drivers/gpu/drm/xe/xe_gt_pagefault.c | 11 +- drivers/iio/accel/adis16201.c | 4 +- drivers/iio/accel/adxl355_core.c | 2 +- drivers/iio/accel/adxl367.c | 10 +- drivers/iio/adc/ad7606_spi.c | 2 +- drivers/iio/adc/dln2-adc.c | 2 +- drivers/iio/adc/rockchip_saradc.c | 17 +- drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c | 2 +- drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 6 + drivers/iio/temperature/maxim_thermocouple.c | 2 +- drivers/input/joystick/xpad.c | 40 ++-- drivers/input/keyboard/mtk-pmic-keys.c | 4 +- drivers/input/mouse/synaptics.c | 5 + drivers/input/touchscreen/cyttsp5.c | 7 +- drivers/md/dm-table.c | 3 +- drivers/net/can/m_can/m_can.c | 3 +- drivers/net/can/rockchip/rockchip_canfd-core.c | 2 +- drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 42 +++- drivers/net/dsa/b53/b53_common.c | 213 +++++++++++++++------ drivers/net/dsa/b53/b53_priv.h | 3 + drivers/net/dsa/bcm_sf2.c | 1 + drivers/net/ethernet/intel/ice/ice_adapter.c | 39 ++-- drivers/net/ethernet/intel/ice/ice_adapter.h | 6 +- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 19 +- drivers/net/ethernet/meta/fbnic/fbnic_csr.h | 2 + drivers/net/ethernet/meta/fbnic/fbnic_fw.c | 180 +++++++++-------- drivers/net/ethernet/meta/fbnic/fbnic_mac.c | 6 - drivers/net/virtio_net.c | 61 ++++++ drivers/nvme/host/core.c | 3 +- drivers/pci/hotplug/s390_pci_hpc.c | 1 - drivers/staging/axis-fifo/axis-fifo.c | 14 +- drivers/staging/iio/adc/ad7816.c | 2 +- .../vc04_services/bcm2835-camera/bcm2835-camera.c | 1 + drivers/usb/cdns3/cdnsp-gadget.c | 31 +++ drivers/usb/cdns3/cdnsp-gadget.h | 6 + drivers/usb/cdns3/cdnsp-pci.c | 12 +- drivers/usb/cdns3/cdnsp-ring.c | 3 +- drivers/usb/cdns3/core.h | 3 + drivers/usb/class/usbtmc.c | 59 +++--- drivers/usb/dwc3/core.h | 4 + drivers/usb/dwc3/gadget.c | 60 +++--- drivers/usb/gadget/composite.c | 12 +- drivers/usb/gadget/function/f_ecm.c | 7 + drivers/usb/gadget/udc/tegra-xudc.c | 4 + drivers/usb/host/uhci-platform.c | 2 +- drivers/usb/host/xhci-tegra.c | 3 + drivers/usb/misc/onboard_usb_dev.c | 10 +- drivers/usb/typec/tcpm/tcpm.c | 2 +- drivers/usb/typec/ucsi/displayport.c | 2 + drivers/vfio/pci/vfio_pci_core.c | 12 +- drivers/xen/swiotlb-xen.c | 1 + drivers/xen/xenbus/xenbus.h | 2 + drivers/xen/xenbus/xenbus_comms.c | 9 +- drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +- drivers/xen/xenbus/xenbus_xs.c | 18 +- fs/btrfs/volumes.c | 91 +-------- fs/erofs/fileio.c | 4 +- fs/erofs/zdata.c | 29 ++- fs/namespace.c | 3 +- fs/ocfs2/journal.c | 80 +++++--- fs/ocfs2/journal.h | 1 + fs/ocfs2/ocfs2.h | 17 +- fs/ocfs2/quota_local.c | 9 +- fs/ocfs2/suballoc.c | 38 +++- fs/ocfs2/suballoc.h | 1 + fs/ocfs2/super.c | 3 + fs/smb/client/cached_dir.c | 10 +- fs/smb/server/oplock.c | 7 +- fs/smb/server/smb2pdu.c | 5 + fs/smb/server/vfs.c | 7 + fs/smb/server/vfs_cache.c | 33 +++- fs/userfaultfd.c | 28 ++- include/linux/cpu.h | 2 + include/linux/execmem.h | 3 + include/linux/ieee80211.h | 2 +- include/linux/module.h | 5 + include/linux/types.h | 3 +- include/linux/vmalloc.h | 1 + include/net/netdev_queues.h | 6 + include/uapi/linux/types.h | 1 + init/Kconfig | 3 + io_uring/io_uring.c | 58 +++--- io_uring/sqpoll.c | 2 +- kernel/params.c | 4 +- kernel/sched/fair.c | 4 +- mm/huge_memory.c | 11 +- mm/internal.h | 27 ++- mm/memblock.c | 9 +- mm/page_alloc.c | 159 +++++++++------ mm/vmalloc.c | 31 ++- net/can/gw.c | 151 +++++++++------ net/core/filter.c | 1 + net/core/netdev-genl.c | 69 +++++-- net/ipv6/addrconf.c | 15 +- net/mac80211/mlme.c | 12 +- net/netfilter/ipset/ip_set_hash_gen.h | 2 +- net/netfilter/ipvs/ip_vs_xmit.c | 27 +-- net/openvswitch/actions.c | 3 +- net/sched/sch_htb.c | 15 +- net/wireless/scan.c | 2 +- rust/bindings/lib.rs | 1 + rust/kernel/alloc/kvec.rs | 3 + rust/kernel/list.rs | 3 + rust/kernel/str.rs | 46 ++--- rust/macros/module.rs | 19 +- rust/macros/pinned_drop.rs | 3 +- rust/uapi/lib.rs | 1 + tools/objtool/check.c | 1 + tools/testing/selftests/Makefile | 1 + tools/testing/selftests/mm/compaction_test.c | 19 +- tools/testing/selftests/mm/pkey-powerpc.h | 12 +- tools/testing/selftests/x86/bugs/Makefile | 3 + tools/testing/selftests/x86/bugs/common.py | 164 ++++++++++++++++ .../selftests/x86/bugs/its_indirect_alignment.py | 150 +++++++++++++++ .../testing/selftests/x86/bugs/its_permutations.py | 109 +++++++++++ .../selftests/x86/bugs/its_ret_alignment.py | 139 ++++++++++++++ tools/testing/selftests/x86/bugs/its_sysfs.py | 65 +++++++ 191 files changed, 3250 insertions(+), 1134 deletions(-)

4 months

10
193
0 0

[PATCH v2] dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status()

by Qiu-ji Chen

Fix a potential deadlock bug. Observe that in the mtk-cqdma.c file, functions like mtk_cqdma_issue_pending() and mtk_cqdma_free_active_desc() properly acquire the pc lock before the vc lock when handling pc and vc fields. However, mtk_cqdma_tx_status() violates this order by first acquiring the vc lock before invoking mtk_cqdma_find_active_desc(), which subsequently takes the pc lock. This reversed locking sequence (vc → pc) contradicts the established pc → vc order and creates deadlock risks. Fix the issue by moving the vc lock acquisition code from mtk_cqdma_find_active_desc() to mtk_cqdma_tx_status(). Ensure the pc lock is acquired before the vc lock in the calling function to maintain correct locking hierarchy. Note that since mtk_cqdma_find_active_desc() is a static function with only one caller (mtk_cqdma_tx_status()), this modification safely eliminates the deadlock possibility without affecting other components. This possible bug is found by an experimental static analysis tool developed by our team. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including deadlocks, data races and atomicity violations. Fixes: b1f01e48df5a ("dmaengine: mediatek: Add MediaTek Command-Queue DMA controller for MT6765 SoC") Cc: stable(a)vger.kernel.org Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com> --- V2: Revised the fix approach and updated the description to address the reduced protection scope of the vc lock in the V1 solution. --- drivers/dma/mediatek/mtk-cqdma.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/dma/mediatek/mtk-cqdma.c b/drivers/dma/mediatek/mtk-cqdma.c index d5ddb4e30e71..e35271ac1eed 100644 --- a/drivers/dma/mediatek/mtk-cqdma.c +++ b/drivers/dma/mediatek/mtk-cqdma.c @@ -422,13 +422,10 @@ static struct virt_dma_desc *mtk_cqdma_find_active_desc(struct dma_chan *c, struct virt_dma_desc *vd; unsigned long flags; - spin_lock_irqsave(&cvc->pc->lock, flags); list_for_each_entry(vd, &cvc->pc->queue, node) if (vd->tx.cookie == cookie) { - spin_unlock_irqrestore(&cvc->pc->lock, flags); return vd; } - spin_unlock_irqrestore(&cvc->pc->lock, flags); list_for_each_entry(vd, &cvc->vc.desc_issued, node) if (vd->tx.cookie == cookie) @@ -452,9 +449,11 @@ static enum dma_status mtk_cqdma_tx_status(struct dma_chan *c, if (ret == DMA_COMPLETE || !txstate) return ret; + spin_lock_irqsave(&cvc->pc->lock, flags); spin_lock_irqsave(&cvc->vc.lock, flags); vd = mtk_cqdma_find_active_desc(c, cookie); spin_unlock_irqrestore(&cvc->vc.lock, flags); + spin_unlock_irqrestore(&cvc->pc->lock, flags); if (vd) { cvd = to_cqdma_vdesc(vd); -- 2.34.1

4 months

3
2
0 0

[PATCH] ASoC: Intel: avs: Add null pointer check for es8366

by Wentao Liang

The avs_card_suspend_pre() and avs_card_resume_post() in es8336 calls the snd_soc_card_get_codec_dai(), but does not check its return value which is a null pointer if the function fails. This can result in a null pointer dereference. A proper implementation can be found in acp5x_nau8821_hw_params() and card_suspend_pre(). Add a null pointer check for snd_soc_card_get_codec_dai() to avoid null pointer dereference when the function fails. Fixes: 32e40c8d6ff9 ("ASoC: Intel: avs: Add es8336 machine board") Cc: stable(a)vger.kernel.org # v6.6 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- sound/soc/intel/avs/boards/es8336.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/sound/soc/intel/avs/boards/es8336.c b/sound/soc/intel/avs/boards/es8336.c index 426ce37105ae..e31cc656f076 100644 --- a/sound/soc/intel/avs/boards/es8336.c +++ b/sound/soc/intel/avs/boards/es8336.c @@ -243,6 +243,9 @@ static int avs_card_suspend_pre(struct snd_soc_card *card) { struct snd_soc_dai *codec_dai = snd_soc_card_get_codec_dai(card, ES8336_CODEC_DAI); + if (!codec_dai) + return -EINVAL; + return snd_soc_component_set_jack(codec_dai->component, NULL, NULL); } @@ -251,6 +254,9 @@ static int avs_card_resume_post(struct snd_soc_card *card) struct snd_soc_dai *codec_dai = snd_soc_card_get_codec_dai(card, ES8336_CODEC_DAI); struct avs_card_drvdata *data = snd_soc_card_get_drvdata(card); + if (!codec_dai) + return -EINVAL; + return snd_soc_component_set_jack(codec_dai->component, &data->jack, NULL); } -- 2.42.0.windows.2

4 months

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror