- Linux-stable-mirror - lists.linaro.org

[PATCH 0/3] HID: core: fix __hid_request when no report ID is used

by Benjamin Tissoires

[Ideally I'd like to have tests in selftests, but I couldn't extract them out of the syzbot reproducer, so sending that first series to check against syzbot] Followup of https://lore.kernel.org/linux-input/c75433e0-9b47-4072-bbe8-b1d14ea97b13@ro… This initial series attempt at fixing the various bugs discovered by Alan regarding __hid_request(). Syzbot managed to create a report descriptor which presents a feature request of size 0 (still trying to extract it) and this exposed the fact that __hid_request() was incorrectly handling the case when the report ID is not used. Send a first batch of fixes now so we get the feedback from syzbot ASAP. Note: in the series, I also mentioned that the report of size 0 should be stripped out of the HID device, but without a local reproducer this is going to be difficult to implement. Signed-off-by: Benjamin Tissoires <bentiss(a)kernel.org> --- Benjamin Tissoires (3): HID: core: ensure the allocated report buffer can contain the reserved report ID HID: core: ensure __hid_request reserves the report ID as the first byte HID: core: do not bypass hid_hw_raw_request drivers/hid/hid-core.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) --- base-commit: 1f988d0788f50d8464f957e793fab356e2937369 change-id: 20250709-report-size-null-37619ea20288 Best regards, -- Benjamin Tissoires <bentiss(a)kernel.org>

4 months, 1 week

2
4
0 0

[PATCH 1/2] drm/gem: Fix race in drm_gem_handle_create_tail()

by Simona Vetter

Object creation is a careful dance where we must guarantee that the object is fully constructed before it is visible to other threads, and GEM buffer objects are no difference. Final publishing happens by calling drm_gem_handle_create(). After that the only allowed thing to do is call drm_gem_object_put() because a concurrent call to the GEM_CLOSE ioctl with a correctly guessed id (which is trivial since we have a linear allocator) can already tear down the object again. Luckily most drivers get this right, the very few exceptions I've pinged the relevant maintainers for. Unfortunately we also need drm_gem_handle_create() when creating additional handles for an already existing object (e.g. GETFB ioctl or the various bo import ioctl), and hence we cannot have a drm_gem_handle_create_and_put() as the only exported function to stop these issues from happening. Now unfortunately the implementation of drm_gem_handle_create() isn't living up to standards: It does correctly finishe object initialization at the global level, and hence is safe against a concurrent tear down. But it also sets up the file-private aspects of the handle, and that part goes wrong: We fully register the object in the drm_file.object_idr before calling drm_vma_node_allow() or obj->funcs->open, which opens up races against concurrent removal of that handle in drm_gem_handle_delete(). Fix this with the usual two-stage approach of first reserving the handle id, and then only registering the object after we've completed the file-private setup. Jacek reported this with a testcase of concurrently calling GEM_CLOSE on a freshly-created object (which also destroys the object), but it should be possible to hit this with just additional handles created through import or GETFB without completed destroying the underlying object with the concurrent GEM_CLOSE ioctl calls. Note that the close-side of this race was fixed in f6cd7daecff5 ("drm: Release driver references to handle before making it available again"), which means a cool 9 years have passed until someone noticed that we need to make this symmetry or there's still gaps left :-/ Without the 2-stage close approach we'd still have a race, therefore that's an integral part of this bugfix. More importantly, this means we can have NULL pointers behind allocated id in our drm_file.object_idr. We need to check for that now: - drm_gem_handle_delete() checks for ERR_OR_NULL already - drm_gem.c:object_lookup() also chekcs for NULL - drm_gem_release() should never be called if there's another thread still existing that could call into an IOCTL that creates a new handle, so cannot race. For paranoia I added a NULL check to drm_gem_object_release_handle() though. - most drivers (etnaviv, i915, msm) are find because they use idr_find(), which maps both ENOENT and NULL to NULL. - drivers using idr_for_each_entry() should also be fine, because idr_get_next does filter out NULL entries and continues the iteration. - The same holds for drm_show_memory_stats(). v2: Use drm_WARN_ON (Thomas) Reported-by: Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> Tested-by: Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> Reviewed-by: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: stable(a)vger.kernel.org Cc: Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Maxime Ripard <mripard(a)kernel.org> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: David Airlie <airlied(a)gmail.com> Cc: Simona Vetter <simona(a)ffwll.ch> Signed-off-by: Simona Vetter <simona.vetter(a)intel.com> Signed-off-by: Simona Vetter <simona.vetter(a)ffwll.ch> --- drivers/gpu/drm/drm_gem.c | 10 +++++++++- include/drm/drm_file.h | 3 +++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index bc505d938b3e..1aa9192c4cc6 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -316,6 +316,9 @@ drm_gem_object_release_handle(int id, void *ptr, void *data) struct drm_file *file_priv = data; struct drm_gem_object *obj = ptr; + if (drm_WARN_ON(obj->dev, !data)) + return 0; + if (obj->funcs->close) obj->funcs->close(obj, file_priv); @@ -436,7 +439,7 @@ drm_gem_handle_create_tail(struct drm_file *file_priv, idr_preload(GFP_KERNEL); spin_lock(&file_priv->table_lock); - ret = idr_alloc(&file_priv->object_idr, obj, 1, 0, GFP_NOWAIT); + ret = idr_alloc(&file_priv->object_idr, NULL, 1, 0, GFP_NOWAIT); spin_unlock(&file_priv->table_lock); idr_preload_end(); @@ -457,6 +460,11 @@ drm_gem_handle_create_tail(struct drm_file *file_priv, goto err_revoke; } + /* mirrors drm_gem_handle_delete to avoid races */ + spin_lock(&file_priv->table_lock); + obj = idr_replace(&file_priv->object_idr, obj, handle); + WARN_ON(obj != NULL); + spin_unlock(&file_priv->table_lock); *handlep = handle; return 0; diff --git a/include/drm/drm_file.h b/include/drm/drm_file.h index eab7546aad79..115763799625 100644 --- a/include/drm/drm_file.h +++ b/include/drm/drm_file.h @@ -300,6 +300,9 @@ struct drm_file { * * Mapping of mm object handles to object pointers. Used by the GEM * subsystem. Protected by @table_lock. + * + * Note that allocated entries might be NULL as a transient state when + * creating or deleting a handle. */ struct idr object_idr; -- 2.49.0

4 months, 2 weeks

1
1
0 0

Backport perf makefile fix to linux-6.6.y

by Alexis Lothoré

Hello stable team, could you please backport commit 440cf77625e3 ("perf: build: Setup PKG_CONFIG_LIBDIR for cross compilation") to linux-6.6.y ? Its absence prevents some people from building the perf tool in cross-compile environment with this kernel. The patch applies cleanly on linux-6.6.y Thanks, Alexis -- Alexis Lothoré, Bootlin Embedded Linux and Kernel engineering https://bootlin.com

4 months, 2 weeks

2
3
0 0

[RFC V1 PATCH mm-hotfixes 3/3] x86/mm: convert {pgd,p4d}_populate{,_init} to _kernel variant

by Harry Yoo

Introduce {pgd,p4d}_populate_kernel_safe() and convert {pgd,p4d}_populate{,_init}() to {pgd,p4d}_populate_kernel{,_init}(). By converting them, we no longer need to worry about forgetting to synchronize top level page tables. With all {pgd,p4d}_populate{,_init}() converted to {pgd,p4d}_populate_kernel{,_init}(), it is now safe to drop sync_global_pgds(). Let's remove it. Cc: <stable(a)vger.kernel.org> Suggested-by: Dave Hansen <dave.hansen(a)linux.intel.com> Signed-off-by: Harry Yoo <harry.yoo(a)oracle.com> --- arch/x86/include/asm/pgalloc.h | 19 +++++ arch/x86/mm/init_64.c | 129 ++++++--------------------------- arch/x86/mm/kasan_init_64.c | 8 +- 3 files changed, 46 insertions(+), 110 deletions(-) diff --git a/arch/x86/include/asm/pgalloc.h b/arch/x86/include/asm/pgalloc.h index d66f2db54b16..98439b9ca293 100644 --- a/arch/x86/include/asm/pgalloc.h +++ b/arch/x86/include/asm/pgalloc.h @@ -132,6 +132,15 @@ static inline void p4d_populate_safe(struct mm_struct *mm, p4d_t *p4d, pud_t *pu set_p4d_safe(p4d, __p4d(_PAGE_TABLE | __pa(pud))); } +static inline void p4d_populate_kernel_safe(unsigned long addr, + p4d_t *p4d, pud_t *pud) +{ + paravirt_alloc_pud(&init_mm, __pa(pud) >> PAGE_SHIFT); + set_p4d_safe(p4d, __p4d(_PAGE_TABLE | __pa(pud))); + if (!pgtable_l5_enabled()) + arch_sync_kernel_pagetables(addr); +} + extern void ___pud_free_tlb(struct mmu_gather *tlb, pud_t *pud); static inline void __pud_free_tlb(struct mmu_gather *tlb, pud_t *pud, @@ -167,6 +176,16 @@ static inline void pgd_populate_safe(struct mm_struct *mm, pgd_t *pgd, p4d_t *p4 set_pgd_safe(pgd, __pgd(_PAGE_TABLE | __pa(p4d))); } +static inline void pgd_populate_kernel_safe(unsigned long addr, + pgd_t *pgd, p4d_t *p4d) +{ + if (!pgtable_l5_enabled()) + return; + paravirt_alloc_p4d(&init_mm, __pa(p4d) >> PAGE_SHIFT); + set_pgd_safe(pgd, __pgd(_PAGE_TABLE | __pa(p4d))); + arch_sync_kernel_pagetables(addr); +} + extern void ___p4d_free_tlb(struct mmu_gather *tlb, p4d_t *p4d); static inline void __p4d_free_tlb(struct mmu_gather *tlb, p4d_t *p4d, diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c index cbddbef434d5..00608ab36936 100644 --- a/arch/x86/mm/init_64.c +++ b/arch/x86/mm/init_64.c @@ -75,6 +75,19 @@ DEFINE_POPULATE(pgd_populate, pgd, p4d, init) DEFINE_POPULATE(pud_populate, pud, pmd, init) DEFINE_POPULATE(pmd_populate_kernel, pmd, pte, init) +#define DEFINE_POPULATE_KERNEL(fname, type1, type2, init) \ +static inline void fname##_init(unsigned long addr, \ + type1##_t *arg1, type2##_t *arg2, bool init) \ +{ \ + if (init) \ + fname##_safe(addr, arg1, arg2); \ + else \ + fname(addr, arg1, arg2); \ +} + +DEFINE_POPULATE_KERNEL(pgd_populate_kernel, pgd, p4d, init) +DEFINE_POPULATE_KERNEL(p4d_populate_kernel, p4d, pud, init) + #define DEFINE_ENTRY(type1, type2, init) \ static inline void set_##type1##_init(type1##_t *arg1, \ type2##_t arg2, bool init) \ @@ -130,99 +143,6 @@ static int __init nonx32_setup(char *str) } __setup("noexec32=", nonx32_setup); -static void sync_global_pgds_l5(unsigned long start, unsigned long end) -{ - unsigned long addr; - - for (addr = start; addr <= end; addr = ALIGN(addr + 1, PGDIR_SIZE)) { - const pgd_t *pgd_ref = pgd_offset_k(addr); - struct page *page; - - /* Check for overflow */ - if (addr < start) - break; - - if (pgd_none(*pgd_ref)) - continue; - - spin_lock(&pgd_lock); - list_for_each_entry(page, &pgd_list, lru) { - pgd_t *pgd; - spinlock_t *pgt_lock; - - pgd = (pgd_t *)page_address(page) + pgd_index(addr); - /* the pgt_lock only for Xen */ - pgt_lock = &pgd_page_get_mm(page)->page_table_lock; - spin_lock(pgt_lock); - - if (!pgd_none(*pgd_ref) && !pgd_none(*pgd)) - BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref)); - - if (pgd_none(*pgd)) - set_pgd(pgd, *pgd_ref); - - spin_unlock(pgt_lock); - } - spin_unlock(&pgd_lock); - } -} - -static void sync_global_pgds_l4(unsigned long start, unsigned long end) -{ - unsigned long addr; - - for (addr = start; addr <= end; addr = ALIGN(addr + 1, PGDIR_SIZE)) { - pgd_t *pgd_ref = pgd_offset_k(addr); - const p4d_t *p4d_ref; - struct page *page; - - /* - * With folded p4d, pgd_none() is always false, we need to - * handle synchronization on p4d level. - */ - MAYBE_BUILD_BUG_ON(pgd_none(*pgd_ref)); - p4d_ref = p4d_offset(pgd_ref, addr); - - if (p4d_none(*p4d_ref)) - continue; - - spin_lock(&pgd_lock); - list_for_each_entry(page, &pgd_list, lru) { - pgd_t *pgd; - p4d_t *p4d; - spinlock_t *pgt_lock; - - pgd = (pgd_t *)page_address(page) + pgd_index(addr); - p4d = p4d_offset(pgd, addr); - /* the pgt_lock only for Xen */ - pgt_lock = &pgd_page_get_mm(page)->page_table_lock; - spin_lock(pgt_lock); - - if (!p4d_none(*p4d_ref) && !p4d_none(*p4d)) - BUG_ON(p4d_pgtable(*p4d) - != p4d_pgtable(*p4d_ref)); - - if (p4d_none(*p4d)) - set_p4d(p4d, *p4d_ref); - - spin_unlock(pgt_lock); - } - spin_unlock(&pgd_lock); - } -} - -/* - * When memory was added make sure all the processes MM have - * suitable PGD entries in the local PGD level page. - */ -static void sync_global_pgds(unsigned long start, unsigned long end) -{ - if (pgtable_l5_enabled()) - sync_global_pgds_l5(start, end); - else - sync_global_pgds_l4(start, end); -} - static void sync_kernel_pagetables_l4(unsigned long addr) { pgd_t *pgd_ref = pgd_offset_k(addr); @@ -295,6 +215,10 @@ static void sync_kernel_pagetables_l5(unsigned long addr) spin_unlock(&pgd_lock); } +/* + * When memory was added make sure all the processes MM have + * suitable PGD entries in the local PGD level page. + */ void arch_sync_kernel_pagetables(unsigned long addr) { if (pgtable_l5_enabled()) @@ -330,7 +254,7 @@ static p4d_t *fill_p4d(pgd_t *pgd, unsigned long vaddr) { if (pgd_none(*pgd)) { p4d_t *p4d = (p4d_t *)spp_getpage(); - pgd_populate(&init_mm, pgd, p4d); + pgd_populate_kernel(vaddr, pgd, p4d); if (p4d != p4d_offset(pgd, 0)) printk(KERN_ERR "PAGETABLE BUG #00! %p <-> %p\n", p4d, p4d_offset(pgd, 0)); @@ -342,7 +266,7 @@ static pud_t *fill_pud(p4d_t *p4d, unsigned long vaddr) { if (p4d_none(*p4d)) { pud_t *pud = (pud_t *)spp_getpage(); - p4d_populate(&init_mm, p4d, pud); + p4d_populate_kernel(vaddr, p4d, pud); if (pud != pud_offset(p4d, 0)) printk(KERN_ERR "PAGETABLE BUG #01! %p <-> %p\n", pud, pud_offset(p4d, 0)); @@ -795,7 +719,7 @@ phys_p4d_init(p4d_t *p4d_page, unsigned long paddr, unsigned long paddr_end, page_size_mask, prot, init); spin_lock(&init_mm.page_table_lock); - p4d_populate_init(&init_mm, p4d, pud, init); + p4d_populate_kernel_init(vaddr, p4d, pud, init); spin_unlock(&init_mm.page_table_lock); } @@ -808,7 +732,6 @@ __kernel_physical_mapping_init(unsigned long paddr_start, unsigned long page_size_mask, pgprot_t prot, bool init) { - bool pgd_changed = false; unsigned long vaddr, vaddr_start, vaddr_end, vaddr_next, paddr_last; paddr_last = paddr_end; @@ -837,18 +760,14 @@ __kernel_physical_mapping_init(unsigned long paddr_start, spin_lock(&init_mm.page_table_lock); if (pgtable_l5_enabled()) - pgd_populate_init(&init_mm, pgd, p4d, init); + pgd_populate_kernel_init(vaddr, pgd, p4d, init); else - p4d_populate_init(&init_mm, p4d_offset(pgd, vaddr), - (pud_t *) p4d, init); + p4d_populate_kernel_init(vaddr, p4d_offset(pgd, vaddr), + (pud_t *) p4d, init); spin_unlock(&init_mm.page_table_lock); - pgd_changed = true; } - if (pgd_changed) - sync_global_pgds(vaddr_start, vaddr_end - 1); - return paddr_last; } @@ -1642,8 +1561,6 @@ int __meminit vmemmap_populate(unsigned long start, unsigned long end, int node, err = -ENOMEM; } else err = vmemmap_populate_basepages(start, end, node, NULL); - if (!err) - sync_global_pgds(start, end - 1); return err; } diff --git a/arch/x86/mm/kasan_init_64.c b/arch/x86/mm/kasan_init_64.c index 0539efd0d216..e825952d25b2 100644 --- a/arch/x86/mm/kasan_init_64.c +++ b/arch/x86/mm/kasan_init_64.c @@ -108,7 +108,7 @@ static void __init kasan_populate_p4d(p4d_t *p4d, unsigned long addr, if (p4d_none(*p4d)) { void *p = early_alloc(PAGE_SIZE, nid, true); - p4d_populate(&init_mm, p4d, p); + p4d_populate_kernel(addr, p4d, p); } pud = pud_offset(p4d, addr); @@ -128,7 +128,7 @@ static void __init kasan_populate_pgd(pgd_t *pgd, unsigned long addr, if (pgd_none(*pgd)) { p = early_alloc(PAGE_SIZE, nid, true); - pgd_populate(&init_mm, pgd, p); + pgd_populate_kernel(addr, pgd, p); } p4d = p4d_offset(pgd, addr); @@ -255,7 +255,7 @@ static void __init kasan_shallow_populate_p4ds(pgd_t *pgd, if (p4d_none(*p4d)) { p = early_alloc(PAGE_SIZE, NUMA_NO_NODE, true); - p4d_populate(&init_mm, p4d, p); + p4d_populate_kernel(addr, p4d, p); } } while (p4d++, addr = next, addr != end); } @@ -273,7 +273,7 @@ static void __init kasan_shallow_populate_pgds(void *start, void *end) if (pgd_none(*pgd)) { p = early_alloc(PAGE_SIZE, NUMA_NO_NODE, true); - pgd_populate(&init_mm, pgd, p); + pgd_populate_kernel(addr, pgd, p); } /* -- 2.43.0

4 months, 2 weeks

1
0
0 0

Re: [PATCH 5.15] fs/proc: do_task_stat: use __for_each_thread()

by Harshit Mogalapalli

Hi, + stable On 05/06/25 19:37, Heyne, Maximilian wrote: > From: Oleg Nesterov <oleg(a)redhat.com> > > [ Upstream commit 7904e53ed5a20fc678c01d5d1b07ec486425bb6a ] > > do/while_each_thread should be avoided when possible. > > Link: https://lkml.kernel.org/r/20230909164501.GA11581@redhat.com > Signed-off-by: Oleg Nesterov <oleg(a)redhat.com> > Cc: Eric W. Biederman <ebiederm(a)xmission.com> > Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> > Stable-dep-of: 7601df8031fd ("fs/proc: do_task_stat: use sig->stats_lock to=ather the threads/children stats") > [mheyne: adjusted context] > Signed-off-by: Maximilian Heyne <mheyne(a)amazon.de> > --- > > Compile-tested only. > We're seeing soft lock-ups with 5.10.237 because of the backport of > commit 4fe85bdaabd6 ("fs/proc: do_task_stat: use sig->stats_lock to > gather the threads/children stats"). I'm assuming this is broken on 5.15 > too. > Note: We saw this as well after backporting the above mentioned commit from 5.15.y and your backport resolves it for us as well on 5.15.y based branch. Thanks, Harshit > --- > fs/proc/array.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/fs/proc/array.c b/fs/proc/array.c > index 2cb01aaa67187..2ff568dc58387 100644 > --- a/fs/proc/array.c > +++ b/fs/proc/array.c > @@ -530,18 +530,18 @@ static int do_task_stat(struct seq_file *m, struct pi=_namespace *ns, > cgtime = sig->cgtime; > = if (whole) { > - struct task_struct *t = task; > + struct task_struct *t; > = min_flt = sig->min_flt; > maj_flt = sig->maj_flt; > gtime = sig->gtime; > = rcu_read_lock(); > - do { > + __for_each_thread(sig, t) { > min_flt += t->min_flt; > maj_flt += t->maj_flt; > gtime += task_gtime(t); > - } while_each_thread(task, t); > + } > rcu_read_unlock(); > } > } while (need_seqretry(&sig->stats_lock, seq)); > -- =2.47.1 > > > > > Amazon Web Services Development Center Germany GmbH > Tamara-Danz-Str. 13 > 10243 Berlin > Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss > Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B > Sitz: Berlin > Ust-ID: DE 365 538 597 > >

4 months, 2 weeks

2
1
0 0

v6.16-rc5: ttys: auto login failed Login incorrect

by Naresh Kamboju

Approximately 20% of devices are experiencing intermittent boot failures with this kernel version. The issue appears to be related to auto login failures, where an incorrect password is being detected on the serial console during the login process. This intermittent regression is noticed on stable-rc 6.15.5-rc2 and Linux mainline master v6.16-rc5. This regressions is only specific to the devices not on the qemu's. Test environments: - dragonboard-410c - dragonboard-845c - e850-96 - juno-r2 - rk3399-rock-pi-4b - x86 Regression Analysis: - New regression? Yes - Reproducibility? 20% only Test regression: 6.15.5-rc2 v6.16-rc5 auto login failed Login incorrect Reported-by: Linux Kernel Functional Testing <lkft(a)linaro.org> ## log in problem runner-ns46nmmj-project-40964107-concurrent-0 login: # Password: Login incorrect runner-ns46nmmj-project-40964107-concurrent-0 login: ## Investigation The following three patches were reverted and the system was re-tested. The previously reported issues are no longer observed after applying the reverts. serial: imx: Restore original RXTL for console to fix data loss commit f23c52aafb1675ab1d1f46914556d8e29cbbf7b3 upstream. serial: core: restore of_node information in sysfs commit d36f0e9a0002f04f4d6dd9be908d58fe5bd3a279 upstream. tty: serial: uartlite: register uart driver in init [ Upstream commit 6bd697b5fc39fd24e2aa418c7b7d14469f550a93 ] Reference bug report lore link, - https://lore.kernel.org/stable/CA+G9fYvidpyHTQ179dAJ4TSdhthC-Mtjuks5iQjMf+o… ## Test links * log 1: https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.15.y/build/v6.15… * log 2: https://qa-reports.linaro.org/api/testruns/29021720/log_file/ * log 3: https://qa-reports.linaro.org/lkft/linux-mainline-master/build/v6.16-rc5/te… * Boot test: https://regressions.linaro.org/lkft/linux-stable-rc-linux-6.15.y/v6.15.4-26… * LAVA jobs 1: https://lkft.validation.linaro.org/scheduler/job/8344153#L1186 * LAVA jobs 2: https://lkft.validation.linaro.org/scheduler/job/8343870#L1266 ## Build * kernel: 6.15.5-rc2 * git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git * git commit: f6977c36decb0875e78bdb8599749bce1e84c753 * git describe: v6.15.4-264-gf6977c36decb * test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.15.y/build/v6.15… ## Test Regressions (compared to v6.15.3-590-gd93bc5feded1) * dragonboard-410c, boot - clang-20-lkftconfig - clang-nightly-lkftconfig-kselftest - gcc-13-lkftconfig-debug * dragonboard-845c, boot - clang-20-lkftconfig - korg-clang-20-lkftconfig-lto-thing * dragonboard-845c-compat, boot - gcc-13-lkftconfig-compat * e850-96, boot - gcc-13-lkftconfig-no-kselftest-frag * juno-r2, boot - clang-20-lkftconfig - gcc-13-lkftconfig-debug - gcc-13-lkftconfig-kselftest * rk3399-rock-pi-4b, boot - clang-20-lkftconfig * x86, boot - clang-20-lkftconfig - clang-20-lkftconfig-no-kselftest-frag - clang-nightly-lkftconfig-kselftest - clang-nightly-lkftconfig-lto-thing - gcc-13-defconfig-preempt_rt - gcc-13-lkftconfig-no-kselftest-frag -- Linaro LKFT https://lkft.linaro.org

4 months, 2 weeks

2
2
0 0

[PATCH v2 1/2] KVM: arm64: Fix enforcement of upper bound on MDCR_EL2.HPMN

by Ben Horgan

Previously, u64_replace_bits() was used to no effect as the return value was ignored. Convert to u64p_replace_bits() so the value is updated in place. Reviewed-by: Zenghui Yu <yuzenghui(a)huawei.com> Signed-off-by: Ben Horgan <ben.horgan(a)arm.com> Fixes: efff9dd2fee7 ("KVM: arm64: Handle out-of-bound write to MDCR_EL2.HPMN") Cc: Marc Zyngier <maz(a)kernel.org> Cc: stable(a)vger.kernel.org --- arch/arm64/kvm/sys_regs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c index 76c2f0da821f..c20bd6f21e60 100644 --- a/arch/arm64/kvm/sys_regs.c +++ b/arch/arm64/kvm/sys_regs.c @@ -2624,7 +2624,7 @@ static bool access_mdcr(struct kvm_vcpu *vcpu, */ if (hpmn > vcpu->kvm->arch.nr_pmu_counters) { hpmn = vcpu->kvm->arch.nr_pmu_counters; - u64_replace_bits(val, hpmn, MDCR_EL2_HPMN); + u64p_replace_bits(&val, hpmn, MDCR_EL2_HPMN); } __vcpu_assign_sys_reg(vcpu, MDCR_EL2, val); -- 2.43.0

4 months, 2 weeks

2
1
0 0

[PATCH net 1/3] net: libwx: remove duplicate page_pool_put_full_page()

by Jiawen Wu

page_pool_put_full_page() should only be invoked when freeing Rx buffers or building a skb if the size is too short. At other times, the pages need to be reused. So remove the redundant page put. In the original code, double free pages cause kernel panic: [ 876.949834] __irq_exit_rcu+0xc7/0x130 [ 876.949836] common_interrupt+0xb8/0xd0 [ 876.949838] </IRQ> [ 876.949838] <TASK> [ 876.949840] asm_common_interrupt+0x22/0x40 [ 876.949841] RIP: 0010:cpuidle_enter_state+0xc2/0x420 [ 876.949843] Code: 00 00 e8 d1 1d 5e ff e8 ac f0 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 cd fc 5c ff 45 84 ff 0f 85 40 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 84 01 00 00 49 63 d6 48 8d 04 52 48 8d 04 82 49 8d [ 876.949844] RSP: 0018:ffffaa7340267e78 EFLAGS: 00000246 [ 876.949845] RAX: ffff9e3f135be000 RBX: 0000000000000002 RCX: 0000000000000000 [ 876.949846] RDX: 000000cc2dc4cb7c RSI: ffffffff89ee49ae RDI: ffffffff89ef9f9e [ 876.949847] RBP: ffff9e378f940800 R08: 0000000000000002 R09: 00000000000000ed [ 876.949848] R10: 000000000000afc8 R11: ffff9e3e9e5a9b6c R12: ffffffff8a6d8580 [ 876.949849] R13: 000000cc2dc4cb7c R14: 0000000000000002 R15: 0000000000000000 [ 876.949852] ? cpuidle_enter_state+0xb3/0x420 [ 876.949855] cpuidle_enter+0x29/0x40 [ 876.949857] cpuidle_idle_call+0xfd/0x170 [ 876.949859] do_idle+0x7a/0xc0 [ 876.949861] cpu_startup_entry+0x25/0x30 [ 876.949862] start_secondary+0x117/0x140 [ 876.949864] common_startup_64+0x13e/0x148 [ 876.949867] </TASK> [ 876.949868] ---[ end trace 0000000000000000 ]--- [ 876.949869] ------------[ cut here ]------------ [ 876.949870] list_del corruption, ffffead40445a348->next is NULL [ 876.949873] WARNING: CPU: 14 PID: 0 at lib/list_debug.c:52 __list_del_entry_valid_or_report+0x67/0x120 [ 876.949875] Modules linked in: snd_hrtimer(E) bnep(E) binfmt_misc(E) amdgpu(E) squashfs(E) vfat(E) loop(E) fat(E) amd_atl(E) snd_hda_codec_realtek(E) intel_rapl_msr(E) snd_hda_codec_generic(E) intel_rapl_common(E) snd_hda_scodec_component(E) snd_hda_codec_hdmi(E) snd_hda_intel(E) edac_mce_amd(E) snd_intel_dspcfg(E) snd_hda_codec(E) snd_hda_core(E) amdxcp(E) kvm_amd(E) snd_hwdep(E) gpu_sched(E) drm_panel_backlight_quirks(E) cec(E) snd_pcm(E) drm_buddy(E) snd_seq_dummy(E) drm_ttm_helper(E) btusb(E) kvm(E) snd_seq_oss(E) btrtl(E) ttm(E) btintel(E) snd_seq_midi(E) btbcm(E) drm_exec(E) snd_seq_midi_event(E) i2c_algo_bit(E) snd_rawmidi(E) bluetooth(E) drm_suballoc_helper(E) irqbypass(E) snd_seq(E) ghash_clmulni_intel(E) sha512_ssse3(E) drm_display_helper(E) aesni_intel(E) snd_seq_device(E) rfkill(E) snd_timer(E) gf128mul(E) drm_client_lib(E) drm_kms_helper(E) snd(E) i2c_piix4(E) joydev(E) soundcore(E) wmi_bmof(E) ccp(E) k10temp(E) i2c_smbus(E) gpio_amdpt(E) i2c_designware_platform(E) gpio_generic(E) sg(E) [ 876.949914] i2c_designware_core(E) sch_fq_codel(E) parport_pc(E) drm(E) ppdev(E) lp(E) parport(E) fuse(E) nfnetlink(E) ip_tables(E) ext4 crc16 mbcache jbd2 sd_mod sfp mdio_i2c i2c_core txgbe ahci ngbe pcs_xpcs libahci libwx r8169 phylink libata realtek ptp pps_core video wmi [ 876.949933] CPU: 14 UID: 0 PID: 0 Comm: swapper/14 Kdump: loaded Tainted: G W E 6.16.0-rc2+ #20 PREEMPT(voluntary) [ 876.949935] Tainted: [W]=WARN, [E]=UNSIGNED_MODULE [ 876.949936] Hardware name: Micro-Star International Co., Ltd. MS-7E16/X670E GAMING PLUS WIFI (MS-7E16), BIOS 1.90 12/31/2024 [ 876.949936] RIP: 0010:__list_del_entry_valid_or_report+0x67/0x120 [ 876.949938] Code: 00 00 00 48 39 7d 08 0f 85 a6 00 00 00 5b b8 01 00 00 00 5d 41 5c e9 73 0d 93 ff 48 89 fe 48 c7 c7 a0 31 e8 89 e8 59 7c b3 ff <0f> 0b 31 c0 5b 5d 41 5c e9 57 0d 93 ff 48 89 fe 48 c7 c7 c8 31 e8 [ 876.949940] RSP: 0018:ffffaa73405d0c60 EFLAGS: 00010282 [ 876.949941] RAX: 0000000000000000 RBX: ffffead40445a348 RCX: 0000000000000000 [ 876.949942] RDX: 0000000000000105 RSI: 0000000000000001 RDI: 00000000ffffffff [ 876.949943] RBP: 0000000000000000 R08: 000000010006dfde R09: ffffffff8a47d150 [ 876.949944] R10: ffffffff8a47d150 R11: 0000000000000003 R12: dead000000000122 [ 876.949945] R13: ffff9e3e9e5af700 R14: ffffead40445a348 R15: ffff9e3e9e5af720 [ 876.949946] FS: 0000000000000000(0000) GS:ffff9e3f135be000(0000) knlGS:0000000000000000 [ 876.949947] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 876.949948] CR2: 00007fa58b480048 CR3: 0000000156724000 CR4: 0000000000750ef0 [ 876.949949] PKRU: 55555554 [ 876.949950] Call Trace: [ 876.949951] <IRQ> [ 876.949952] __rmqueue_pcplist+0x53/0x2c0 [ 876.949955] alloc_pages_bulk_noprof+0x2e0/0x660 [ 876.949958] __page_pool_alloc_pages_slow+0xa9/0x400 [ 876.949961] page_pool_alloc_pages+0xa/0x20 [ 876.949963] wx_alloc_rx_buffers+0xd7/0x110 [libwx] [ 876.949967] wx_clean_rx_irq+0x262/0x430 [libwx] [ 876.949971] wx_poll+0x92/0x130 [libwx] [ 876.949975] __napi_poll+0x28/0x190 [ 876.949977] net_rx_action+0x301/0x3f0 [ 876.949980] ? srso_alias_return_thunk+0x5/0xfbef5 [ 876.949981] ? profile_tick+0x30/0x70 [ 876.949983] ? srso_alias_return_thunk+0x5/0xfbef5 [ 876.949984] ? srso_alias_return_thunk+0x5/0xfbef5 [ 876.949986] ? timerqueue_add+0xa3/0xc0 [ 876.949988] ? srso_alias_return_thunk+0x5/0xfbef5 [ 876.949989] ? __raise_softirq_irqoff+0x16/0x70 [ 876.949991] ? srso_alias_return_thunk+0x5/0xfbef5 [ 876.949993] ? srso_alias_return_thunk+0x5/0xfbef5 [ 876.949994] ? wx_msix_clean_rings+0x41/0x50 [libwx] [ 876.949998] handle_softirqs+0xf9/0x2c0 Fixes: 3c47e8ae113a ("net: libwx: Support to receive packets in NAPI") Cc: stable(a)vger.kernel.org Signed-off-by: Jiawen Wu <jiawenwu(a)trustnetic.com> --- drivers/net/ethernet/wangxun/libwx/wx_lib.c | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/drivers/net/ethernet/wangxun/libwx/wx_lib.c b/drivers/net/ethernet/wangxun/libwx/wx_lib.c index 55e252789db3..7e3d7fb61a52 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_lib.c +++ b/drivers/net/ethernet/wangxun/libwx/wx_lib.c @@ -174,10 +174,6 @@ static void wx_dma_sync_frag(struct wx_ring *rx_ring, skb_frag_off(frag), skb_frag_size(frag), DMA_FROM_DEVICE); - - /* If the page was released, just unmap it. */ - if (unlikely(WX_CB(skb)->page_released)) - page_pool_put_full_page(rx_ring->page_pool, rx_buffer->page, false); } static struct wx_rx_buffer *wx_get_rx_buffer(struct wx_ring *rx_ring, @@ -227,10 +223,6 @@ static void wx_put_rx_buffer(struct wx_ring *rx_ring, struct sk_buff *skb, int rx_buffer_pgcnt) { - if (!IS_ERR(skb) && WX_CB(skb)->dma == rx_buffer->dma) - /* the page has been released from the ring */ - WX_CB(skb)->page_released = true; - /* clear contents of rx_buffer */ rx_buffer->page = NULL; rx_buffer->skb = NULL; @@ -2423,9 +2415,6 @@ static void wx_clean_rx_ring(struct wx_ring *rx_ring) if (rx_buffer->skb) { struct sk_buff *skb = rx_buffer->skb; - if (WX_CB(skb)->page_released) - page_pool_put_full_page(rx_ring->page_pool, rx_buffer->page, false); - dev_kfree_skb(skb); } -- 2.48.1

4 months, 2 weeks

2
1
0 0

[PATCH net 3/3] net: libwx: properly reset Rx ring descriptor

by Jiawen Wu

When device reset is triggered by feature changes such as toggling Rx VLAN offload, wx->do_reset() is called to reinitialize Rx rings. The hardware descriptor ring may retain stale values from previous sessions. And only set the length to 0 in rx_desc[0] would result in building malformed SKBs. Fix it to ensure a clean slate after device reset. [ 549.186435] [ C16] ------------[ cut here ]------------ [ 549.186457] [ C16] kernel BUG at net/core/skbuff.c:2814! [ 549.186468] [ C16] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 549.186472] [ C16] CPU: 16 UID: 0 PID: 0 Comm: swapper/16 Kdump: loaded Not tainted 6.16.0-rc4+ #23 PREEMPT(voluntary) [ 549.186476] [ C16] Hardware name: Micro-Star International Co., Ltd. MS-7E16/X670E GAMING PLUS WIFI (MS-7E16), BIOS 1.90 12/31/2024 [ 549.186478] [ C16] RIP: 0010:__pskb_pull_tail+0x3ff/0x510 [ 549.186484] [ C16] Code: 06 f0 ff 4f 34 74 7b 4d 8b 8c 24 c8 00 00 00 45 8b 84 24 c0 00 00 00 e9 c8 fd ff ff 48 c7 44 24 08 00 00 00 00 e9 5e fe ff ff <0f> 0b 31 c0 e9 23 90 5b ff 41 f7 c6 ff 0f 00 00 75 bf 49 8b 06 a8 [ 549.186487] [ C16] RSP: 0018:ffffb391c0640d70 EFLAGS: 00010282 [ 549.186490] [ C16] RAX: 00000000fffffff2 RBX: ffff8fe7e4d40200 RCX: 00000000fffffff2 [ 549.186492] [ C16] RDX: ffff8fe7c3a4bf8e RSI: 0000000000000180 RDI: ffff8fe7c3a4bf40 [ 549.186494] [ C16] RBP: ffffb391c0640da8 R08: ffff8fe7c3a4c0c0 R09: 000000000000000e [ 549.186496] [ C16] R10: ffffb391c0640d88 R11: 000000000000000e R12: ffff8fe7e4d40200 [ 549.186497] [ C16] R13: 00000000fffffff2 R14: ffff8fe7fa01a000 R15: 00000000fffffff2 [ 549.186499] [ C16] FS: 0000000000000000(0000) GS:ffff8fef5ae40000(0000) knlGS:0000000000000000 [ 549.186502] [ C16] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 549.186503] [ C16] CR2: 00007f77d81d6000 CR3: 000000051a032000 CR4: 0000000000750ef0 [ 549.186505] [ C16] PKRU: 55555554 [ 549.186507] [ C16] Call Trace: [ 549.186510] [ C16] <IRQ> [ 549.186513] [ C16] ? srso_alias_return_thunk+0x5/0xfbef5 [ 549.186517] [ C16] __skb_pad+0xc7/0xf0 [ 549.186523] [ C16] wx_clean_rx_irq+0x355/0x3b0 [libwx] [ 549.186533] [ C16] wx_poll+0x92/0x120 [libwx] [ 549.186540] [ C16] __napi_poll+0x28/0x190 [ 549.186544] [ C16] net_rx_action+0x301/0x3f0 [ 549.186548] [ C16] ? srso_alias_return_thunk+0x5/0xfbef5 [ 549.186551] [ C16] ? __raw_spin_lock_irqsave+0x1e/0x50 [ 549.186554] [ C16] ? srso_alias_return_thunk+0x5/0xfbef5 [ 549.186557] [ C16] ? wake_up_nohz_cpu+0x35/0x160 [ 549.186559] [ C16] ? srso_alias_return_thunk+0x5/0xfbef5 [ 549.186563] [ C16] handle_softirqs+0xf9/0x2c0 [ 549.186568] [ C16] __irq_exit_rcu+0xc7/0x130 [ 549.186572] [ C16] common_interrupt+0xb8/0xd0 [ 549.186576] [ C16] </IRQ> [ 549.186577] [ C16] <TASK> [ 549.186579] [ C16] asm_common_interrupt+0x22/0x40 [ 549.186582] [ C16] RIP: 0010:cpuidle_enter_state+0xc2/0x420 [ 549.186585] [ C16] Code: 00 00 e8 11 0e 5e ff e8 ac f0 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 0d ed 5c ff 45 84 ff 0f 85 40 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 84 01 00 00 49 63 d6 48 8d 04 52 48 8d 04 82 49 8d [ 549.186587] [ C16] RSP: 0018:ffffb391c0277e78 EFLAGS: 00000246 [ 549.186590] [ C16] RAX: ffff8fef5ae40000 RBX: 0000000000000003 RCX: 0000000000000000 [ 549.186591] [ C16] RDX: 0000007fde0faac5 RSI: ffffffff826e53f6 RDI: ffffffff826fa9b3 [ 549.186593] [ C16] RBP: ffff8fe7c3a20800 R08: 0000000000000002 R09: 0000000000000000 [ 549.186595] [ C16] R10: 0000000000000000 R11: 000000000000ffff R12: ffffffff82ed7a40 [ 549.186596] [ C16] R13: 0000007fde0faac5 R14: 0000000000000003 R15: 0000000000000000 [ 549.186601] [ C16] ? cpuidle_enter_state+0xb3/0x420 [ 549.186605] [ C16] cpuidle_enter+0x29/0x40 [ 549.186609] [ C16] cpuidle_idle_call+0xfd/0x170 [ 549.186613] [ C16] do_idle+0x7a/0xc0 [ 549.186616] [ C16] cpu_startup_entry+0x25/0x30 [ 549.186618] [ C16] start_secondary+0x117/0x140 [ 549.186623] [ C16] common_startup_64+0x13e/0x148 [ 549.186628] [ C16] </TASK> Fixes: 3c47e8ae113a ("net: libwx: Support to receive packets in NAPI") Cc: stable(a)vger.kernel.org Signed-off-by: Jiawen Wu <jiawenwu(a)trustnetic.com> --- drivers/net/ethernet/wangxun/libwx/wx_hw.c | 7 +++---- drivers/net/ethernet/wangxun/libwx/wx_lib.c | 5 +++++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/net/ethernet/wangxun/libwx/wx_hw.c b/drivers/net/ethernet/wangxun/libwx/wx_hw.c index a9519997286b..9002b97e148e 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_hw.c +++ b/drivers/net/ethernet/wangxun/libwx/wx_hw.c @@ -1912,7 +1912,6 @@ static void wx_configure_rx_ring(struct wx *wx, struct wx_ring *ring) { u16 reg_idx = ring->reg_idx; - union wx_rx_desc *rx_desc; u64 rdba = ring->dma; u32 rxdctl; @@ -1942,9 +1941,9 @@ static void wx_configure_rx_ring(struct wx *wx, memset(ring->rx_buffer_info, 0, sizeof(struct wx_rx_buffer) * ring->count); - /* initialize Rx descriptor 0 */ - rx_desc = WX_RX_DESC(ring, 0); - rx_desc->wb.upper.length = 0; + /* reset ntu and ntc to place SW in sync with hardwdare */ + ring->next_to_clean = 0; + ring->next_to_use = 0; /* enable receive descriptor ring */ wr32m(wx, WX_PX_RR_CFG(reg_idx), diff --git a/drivers/net/ethernet/wangxun/libwx/wx_lib.c b/drivers/net/ethernet/wangxun/libwx/wx_lib.c index c91487909811..0213ad5a6ceb 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_lib.c +++ b/drivers/net/ethernet/wangxun/libwx/wx_lib.c @@ -357,6 +357,8 @@ void wx_alloc_rx_buffers(struct wx_ring *rx_ring, u16 cleaned_count) /* clear the status bits for the next_to_use descriptor */ rx_desc->wb.upper.status_error = 0; + /* clear the length for the next_to_use descriptor */ + rx_desc->wb.upper.length = 0; cleaned_count--; } while (cleaned_count); @@ -2438,6 +2440,9 @@ static void wx_clean_rx_ring(struct wx_ring *rx_ring) } } + /* Zero out the descriptor ring */ + memset(rx_ring->desc, 0, rx_ring->size); + rx_ring->next_to_alloc = 0; rx_ring->next_to_clean = 0; rx_ring->next_to_use = 0; -- 2.48.1

4 months, 2 weeks

2
1
0 0

[PATCH net 2/3] net: libwx: fix the using of Rx buffer DMA

by Jiawen Wu

The wx_rx_buffer structure contained two DMA address fields: 'dma' and 'page_dma'. However, only 'page_dma' was actually initialized and used to program the Rx descriptor. But 'dma' was uninitialized and used in some paths. This could lead to undefined behavior, including DMA errors or use-after-free, if the uninitialized 'dma' was used. Althrough such error has not yet occurred, it is worth fixing in the code. Fixes: 3c47e8ae113a ("net: libwx: Support to receive packets in NAPI") Cc: stable(a)vger.kernel.org Signed-off-by: Jiawen Wu <jiawenwu(a)trustnetic.com> --- drivers/net/ethernet/wangxun/libwx/wx_lib.c | 4 ++-- drivers/net/ethernet/wangxun/libwx/wx_type.h | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/wangxun/libwx/wx_lib.c b/drivers/net/ethernet/wangxun/libwx/wx_lib.c index 7e3d7fb61a52..c91487909811 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_lib.c +++ b/drivers/net/ethernet/wangxun/libwx/wx_lib.c @@ -307,7 +307,7 @@ static bool wx_alloc_mapped_page(struct wx_ring *rx_ring, return false; dma = page_pool_get_dma_addr(page); - bi->page_dma = dma; + bi->dma = dma; bi->page = page; bi->page_offset = 0; @@ -344,7 +344,7 @@ void wx_alloc_rx_buffers(struct wx_ring *rx_ring, u16 cleaned_count) DMA_FROM_DEVICE); rx_desc->read.pkt_addr = - cpu_to_le64(bi->page_dma + bi->page_offset); + cpu_to_le64(bi->dma + bi->page_offset); rx_desc++; bi++; diff --git a/drivers/net/ethernet/wangxun/libwx/wx_type.h b/drivers/net/ethernet/wangxun/libwx/wx_type.h index c363379126c0..f5a8ce681a68 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_type.h +++ b/drivers/net/ethernet/wangxun/libwx/wx_type.h @@ -998,7 +998,6 @@ struct wx_tx_buffer { struct wx_rx_buffer { struct sk_buff *skb; dma_addr_t dma; - dma_addr_t page_dma; struct page *page; unsigned int page_offset; }; -- 2.48.1

4 months, 2 weeks

2
1
0 0

[PATCH 04/12] drm/amdkfd: fix MQD settings for GFX12

by Lijo Lazar

From: Alex Deucher <alexander.deucher(a)amd.com> User queues should not set the priv bit. Fixes: 48f0bdf4e38e ("drm/amdkfd: Added MQD manager files for GFX12.") Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org --- drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v12.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v12.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v12.c index 565858b9044d..2db0b78da294 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v12.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v12.c @@ -123,7 +123,6 @@ static void init_mqd(struct mqd_manager *mm, void **mqd, m->cp_hqd_pq_control = 5 << CP_HQD_PQ_CONTROL__RPTR_BLOCK_SIZE__SHIFT; m->cp_hqd_pq_control |= CP_HQD_PQ_CONTROL__UNORD_DISPATCH_MASK; - m->cp_mqd_control = 1 << CP_MQD_CONTROL__PRIV_STATE__SHIFT; m->cp_mqd_base_addr_lo = lower_32_bits(addr); m->cp_mqd_base_addr_hi = upper_32_bits(addr); -- 2.49.0

4 months, 2 weeks

1
0
0 0

[BACKPORT][PATCH 6.12.y 1/2] firmware: arm_ffa: Move memory allocation outside the mutex locking

by Sudeep Holla

[ Upstream commit 27e850c88df0e25474a8caeb2903e2e90b62c1dc ] The notifier callback node allocation is currently done while holding the notify_lock mutex. While this is safe even if memory allocation may sleep, we need to move the allocation outside the locked region in preparation to move from using muxtes to rwlocks. Move the memory allocation to avoid potential sleeping in atomic context once the locks are moved from mutex to rwlocks. Fixes: e0573444edbf ("firmware: arm_ffa: Add interfaces to request notification callbacks") Message-Id: <20250528-ffa_notif_fix-v1-2-5ed7bc7f8437(a)arm.com> Reviewed-by: Jens Wiklander <jens.wiklander(a)linaro.org> Signed-off-by: Sudeep Holla <sudeep.holla(a)arm.com> --- drivers/firmware/arm_ffa/driver.c | 40 ++++++++++++++++--------------- 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c index c0f3b7cdb6ed..b0d92f411334 100644 --- a/drivers/firmware/arm_ffa/driver.c +++ b/drivers/firmware/arm_ffa/driver.c @@ -1141,12 +1141,11 @@ notifier_hash_node_get(u16 notify_id, enum notify_type type) return NULL; } -static int -update_notifier_cb(int notify_id, enum notify_type type, ffa_notifier_cb cb, - void *cb_data, bool is_registration) +static int update_notifier_cb(int notify_id, enum notify_type type, + struct notifier_cb_info *cb) { struct notifier_cb_info *cb_info = NULL; - bool cb_found; + bool cb_found, is_registration = !!cb; cb_info = notifier_hash_node_get(notify_id, type); cb_found = !!cb_info; @@ -1155,15 +1154,7 @@ update_notifier_cb(int notify_id, enum notify_type type, ffa_notifier_cb cb, return -EINVAL; if (is_registration) { - cb_info = kzalloc(sizeof(*cb_info), GFP_KERNEL); - if (!cb_info) - return -ENOMEM; - - cb_info->type = type; - cb_info->cb = cb; - cb_info->cb_data = cb_data; - - hash_add(drv_info->notifier_hash, &cb_info->hnode, notify_id); + hash_add(drv_info->notifier_hash, &cb->hnode, notify_id); } else { hash_del(&cb_info->hnode); kfree(cb_info); @@ -1193,7 +1184,7 @@ static int ffa_notify_relinquish(struct ffa_device *dev, int notify_id) mutex_lock(&drv_info->notify_lock); - rc = update_notifier_cb(notify_id, type, NULL, NULL, false); + rc = update_notifier_cb(notify_id, type, NULL); if (rc) { pr_err("Could not unregister notification callback\n"); mutex_unlock(&drv_info->notify_lock); @@ -1212,6 +1203,7 @@ static int ffa_notify_request(struct ffa_device *dev, bool is_per_vcpu, { int rc; u32 flags = 0; + struct notifier_cb_info *cb_info = NULL; enum notify_type type = ffa_notify_type_get(dev->vm_id); if (ffa_notifications_disabled()) @@ -1220,24 +1212,34 @@ static int ffa_notify_request(struct ffa_device *dev, bool is_per_vcpu, if (notify_id >= FFA_MAX_NOTIFICATIONS) return -EINVAL; + cb_info = kzalloc(sizeof(*cb_info), GFP_KERNEL); + if (!cb_info) + return -ENOMEM; + + cb_info->type = type; + cb_info->cb_data = cb_data; + cb_info->cb = cb; + mutex_lock(&drv_info->notify_lock); if (is_per_vcpu) flags = PER_VCPU_NOTIFICATION_FLAG; rc = ffa_notification_bind(dev->vm_id, BIT(notify_id), flags); - if (rc) { - mutex_unlock(&drv_info->notify_lock); - return rc; - } + if (rc) + goto out_unlock_free; - rc = update_notifier_cb(notify_id, type, cb, cb_data, true); + rc = update_notifier_cb(notify_id, type, cb_info); if (rc) { pr_err("Failed to register callback for %d - %d\n", notify_id, rc); ffa_notification_unbind(dev->vm_id, BIT(notify_id)); } + +out_unlock_free: mutex_unlock(&drv_info->notify_lock); + if (rc) + kfree(cb_info); return rc; } -- 2.34.1

4 months, 2 weeks

2
3
0 0

[PATCH 6.12,6.15] crypto: s390/sha - Fix uninitialized variable in SHA-1 and SHA-2

by Eric Biggers

commit 68279380266a5fa70e664de754503338e2ec3f43 upstream. Commit 88c02b3f79a6 ("s390/sha3: Support sha3 performance enhancements") added the field s390_sha_ctx::first_message_part and made it be used by s390_sha_update() (now s390_sha_update_blocks()). At the time, s390_sha_update() was used by all the s390 SHA-1, SHA-2, and SHA-3 algorithms. However, only the initialization functions for SHA-3 were updated, leaving SHA-1 and SHA-2 using first_message_part uninitialized. This could cause e.g. the function code CPACF_KIMD_SHA_512 | CPACF_KIMD_NIP to be used instead of just CPACF_KIMD_SHA_512. This apparently was harmless, as the SHA-1 and SHA-2 function codes ignore CPACF_KIMD_NIP; it is recognized only by the SHA-3 function codes (https://lore.kernel.org/r/73477fe9-a1dc-4e38-98a6-eba9921e8afa@linux.ibm.co…). Therefore, this bug was found only when first_message_part was later converted to a boolean and UBSAN detected its uninitialized use. Regardless, let's fix this by just initializing to zero. Note: in 6.16, we need to patch SHA-1, SHA-384, and SHA-512. In 6.15 and earlier, we'll also need to patch SHA-224 and SHA-256, as they hadn't yet been librarified (which incidentally fixed this bug). Fixes: 88c02b3f79a6 ("s390/sha3: Support sha3 performance enhancements") Cc: stable(a)vger.kernel.org Reported-by: Ingo Franzki <ifranzki(a)linux.ibm.com> Closes: https://lore.kernel.org/r/12740696-595c-4604-873e-aefe8b405fbf@linux.ibm.com Acked-by: Heiko Carstens <hca(a)linux.ibm.com> Link: https://lore.kernel.org/r/20250703172316.7914-1-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- arch/s390/crypto/sha1_s390.c | 2 ++ arch/s390/crypto/sha256_s390.c | 3 +++ arch/s390/crypto/sha512_s390.c | 3 +++ 3 files changed, 8 insertions(+) diff --git a/arch/s390/crypto/sha1_s390.c b/arch/s390/crypto/sha1_s390.c index bc3a22704e09..10950953429e 100644 --- a/arch/s390/crypto/sha1_s390.c +++ b/arch/s390/crypto/sha1_s390.c @@ -36,10 +36,11 @@ static int s390_sha1_init(struct shash_desc *desc) sctx->state[2] = SHA1_H2; sctx->state[3] = SHA1_H3; sctx->state[4] = SHA1_H4; sctx->count = 0; sctx->func = CPACF_KIMD_SHA_1; + sctx->first_message_part = 0; return 0; } static int s390_sha1_export(struct shash_desc *desc, void *out) @@ -60,10 +61,11 @@ static int s390_sha1_import(struct shash_desc *desc, const void *in) sctx->count = ictx->count; memcpy(sctx->state, ictx->state, sizeof(ictx->state)); memcpy(sctx->buf, ictx->buffer, sizeof(ictx->buffer)); sctx->func = CPACF_KIMD_SHA_1; + sctx->first_message_part = 0; return 0; } static struct shash_alg alg = { .digestsize = SHA1_DIGEST_SIZE, diff --git a/arch/s390/crypto/sha256_s390.c b/arch/s390/crypto/sha256_s390.c index 6f1ccdf93d3e..0204d4bca340 100644 --- a/arch/s390/crypto/sha256_s390.c +++ b/arch/s390/crypto/sha256_s390.c @@ -29,10 +29,11 @@ static int s390_sha256_init(struct shash_desc *desc) sctx->state[5] = SHA256_H5; sctx->state[6] = SHA256_H6; sctx->state[7] = SHA256_H7; sctx->count = 0; sctx->func = CPACF_KIMD_SHA_256; + sctx->first_message_part = 0; return 0; } static int sha256_export(struct shash_desc *desc, void *out) @@ -53,10 +54,11 @@ static int sha256_import(struct shash_desc *desc, const void *in) sctx->count = ictx->count; memcpy(sctx->state, ictx->state, sizeof(ictx->state)); memcpy(sctx->buf, ictx->buf, sizeof(ictx->buf)); sctx->func = CPACF_KIMD_SHA_256; + sctx->first_message_part = 0; return 0; } static struct shash_alg sha256_alg = { .digestsize = SHA256_DIGEST_SIZE, @@ -88,10 +90,11 @@ static int s390_sha224_init(struct shash_desc *desc) sctx->state[5] = SHA224_H5; sctx->state[6] = SHA224_H6; sctx->state[7] = SHA224_H7; sctx->count = 0; sctx->func = CPACF_KIMD_SHA_256; + sctx->first_message_part = 0; return 0; } static struct shash_alg sha224_alg = { diff --git a/arch/s390/crypto/sha512_s390.c b/arch/s390/crypto/sha512_s390.c index 04f11c407763..b53a7793bd24 100644 --- a/arch/s390/crypto/sha512_s390.c +++ b/arch/s390/crypto/sha512_s390.c @@ -30,10 +30,11 @@ static int sha512_init(struct shash_desc *desc) *(__u64 *)&ctx->state[10] = SHA512_H5; *(__u64 *)&ctx->state[12] = SHA512_H6; *(__u64 *)&ctx->state[14] = SHA512_H7; ctx->count = 0; ctx->func = CPACF_KIMD_SHA_512; + ctx->first_message_part = 0; return 0; } static int sha512_export(struct shash_desc *desc, void *out) @@ -58,10 +59,11 @@ static int sha512_import(struct shash_desc *desc, const void *in) sctx->count = ictx->count[0]; memcpy(sctx->state, ictx->state, sizeof(ictx->state)); memcpy(sctx->buf, ictx->buf, sizeof(ictx->buf)); sctx->func = CPACF_KIMD_SHA_512; + sctx->first_message_part = 0; return 0; } static struct shash_alg sha512_alg = { .digestsize = SHA512_DIGEST_SIZE, @@ -95,10 +97,11 @@ static int sha384_init(struct shash_desc *desc) *(__u64 *)&ctx->state[10] = SHA384_H5; *(__u64 *)&ctx->state[12] = SHA384_H6; *(__u64 *)&ctx->state[14] = SHA384_H7; ctx->count = 0; ctx->func = CPACF_KIMD_SHA_512; + ctx->first_message_part = 0; return 0; } static struct shash_alg sha384_alg = { base-commit: 7b59ab988c01c190f1b528cf750d6f33b738d1e2 -- 2.50.0.727.gbf7dc18ff4-goog

4 months, 2 weeks

2
1
0 0

[PATCH] arm64: dts: ti: k3-j722s-evm: Fix USB gpio-hog level for Type-C

by Siddharth Vadapalli

According to the "GPIO Expander Map / Table" section of the J722S EVM Schematic within the Evaluation Module Design Files package [0], the GPIO Pin P05 located on the GPIO Expander 1 (I2C0/0x23) has to be pulled down to select the Type-C interface. Since commit under Fixes claims to enable the Type-C interface, update the property within "p05-hog" from "output-high" to "output-low", thereby switching from the Type-A interface to the Type-C interface. [0]: https://www.ti.com/lit/zip/sprr495 Cc: <stable(a)vger.kernel.org> Fixes: 485705df5d5f ("arm64: dts: ti: k3-j722s: Enable PCIe and USB support on J722S-EVM") Signed-off-by: Siddharth Vadapalli <s-vadapalli(a)ti.com> --- Hello, This patch is based on commit 86731a2a651e Linux 6.16-rc3 of Mainline Linux. Regards, Siddharth. arch/arm64/boot/dts/ti/k3-j722s-evm.dts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/boot/dts/ti/k3-j722s-evm.dts b/arch/arm64/boot/dts/ti/k3-j722s-evm.dts index a47852fdca70..d0533723412a 100644 --- a/arch/arm64/boot/dts/ti/k3-j722s-evm.dts +++ b/arch/arm64/boot/dts/ti/k3-j722s-evm.dts @@ -634,7 +634,7 @@ p05-hog { /* P05 - USB2.0_MUX_SEL */ gpio-hog; gpios = <5 GPIO_ACTIVE_LOW>; - output-high; + output-low; }; p01_hog: p01-hog { -- 2.34.1

4 months, 2 weeks

2
1
0 0

[PATCH] drm/panfrost: Fix scheduler workqueue bug

by Philipp Stanner

When the GPU scheduler was ported to using a struct for its initialization parameters, it was overlooked that panfrost creates a distinct workqueue for timeout handling. The pointer to this new workqueue is not initialized to the struct, resulting in NULL being passed to the scheduler, which then uses the system_wq for timeout handling. Set the correct workqueue to the init args struct. Cc: stable(a)vger.kernel.org # 6.15+ Fixes: 796a9f55a8d1 ("drm/sched: Use struct for drm_sched_init() params") Reported-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Closes: https://lore.kernel.org/dri-devel/b5d0921c-7cbf-4d55-aa47-c35cd7861c02@igal… Signed-off-by: Philipp Stanner <phasta(a)kernel.org> --- drivers/gpu/drm/panfrost/panfrost_job.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/panfrost/panfrost_job.c b/drivers/gpu/drm/panfrost/panfrost_job.c index 5657106c2f7d..15e2d505550f 100644 --- a/drivers/gpu/drm/panfrost/panfrost_job.c +++ b/drivers/gpu/drm/panfrost/panfrost_job.c @@ -841,7 +841,6 @@ int panfrost_job_init(struct panfrost_device *pfdev) .num_rqs = DRM_SCHED_PRIORITY_COUNT, .credit_limit = 2, .timeout = msecs_to_jiffies(JOB_TIMEOUT_MS), - .timeout_wq = pfdev->reset.wq, .name = "pan_js", .dev = pfdev->dev, }; @@ -879,6 +878,7 @@ int panfrost_job_init(struct panfrost_device *pfdev) pfdev->reset.wq = alloc_ordered_workqueue("panfrost-reset", 0); if (!pfdev->reset.wq) return -ENOMEM; + args.timeout_wq = pfdev->reset.wq; for (j = 0; j < NUM_JOB_SLOTS; j++) { js->queue[j].fence_context = dma_fence_context_alloc(1); -- 2.49.0

4 months, 2 weeks

3
2
0 0

[PATCH wireless v1] wifi: mwifiex: discard erroneous disassoc frames on STA interface

by Vitor Soares

From: Vitor Soares <vitor.soares(a)toradex.com> When operating in concurrent STA/AP mode with host MLME enabled, the firmware incorrectly sends disassociation frames to the STA interface when clients disconnect from the AP interface. This causes kernel warnings as the STA interface processes disconnect events that don't apply to it: [ 1303.240540] WARNING: CPU: 0 PID: 513 at net/wireless/mlme.c:141 cfg80211_process_disassoc+0x78/0xec [cfg80211] [ 1303.250861] Modules linked in: 8021q garp stp mrp llc rfcomm bnep btnxpuart nls_iso8859_1 nls_cp437 onboard_us [ 1303.327651] CPU: 0 UID: 0 PID: 513 Comm: kworker/u9:2 Not tainted 6.16.0-rc1+ #3 PREEMPT [ 1303.335937] Hardware name: Toradex Verdin AM62 WB on Verdin Development Board (DT) [ 1303.343588] Workqueue: MWIFIEX_RX_WORK_QUEUE mwifiex_rx_work_queue [mwifiex] [ 1303.350856] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 1303.357904] pc : cfg80211_process_disassoc+0x78/0xec [cfg80211] [ 1303.364065] lr : cfg80211_process_disassoc+0x70/0xec [cfg80211] [ 1303.370221] sp : ffff800083053be0 [ 1303.373590] x29: ffff800083053be0 x28: 0000000000000000 x27: 0000000000000000 [ 1303.380855] x26: 0000000000000000 x25: 00000000ffffffff x24: ffff000002c5b8ae [ 1303.388120] x23: ffff000002c5b884 x22: 0000000000000001 x21: 0000000000000008 [ 1303.395382] x20: ffff000002c5b8ae x19: ffff0000064dd408 x18: 0000000000000006 [ 1303.402646] x17: 3a36333a61623a30 x16: 32206d6f72662063 x15: ffff800080bfe048 [ 1303.409910] x14: ffff000003625300 x13: 0000000000000001 x12: 0000000000000000 [ 1303.417173] x11: 0000000000000002 x10: ffff000003958600 x9 : ffff000003625300 [ 1303.424434] x8 : ffff00003fd9ef40 x7 : ffff0000039fc280 x6 : 0000000000000002 [ 1303.431695] x5 : ffff0000038976d4 x4 : 0000000000000000 x3 : 0000000000003186 [ 1303.438956] x2 : 000000004836ba20 x1 : 0000000000006986 x0 : 00000000d00479de [ 1303.446221] Call trace: [ 1303.448722] cfg80211_process_disassoc+0x78/0xec [cfg80211] (P) [ 1303.454894] cfg80211_rx_mlme_mgmt+0x64/0xf8 [cfg80211] [ 1303.460362] mwifiex_process_mgmt_packet+0x1ec/0x460 [mwifiex] [ 1303.466380] mwifiex_process_sta_rx_packet+0x1bc/0x2a0 [mwifiex] [ 1303.472573] mwifiex_handle_rx_packet+0xb4/0x13c [mwifiex] [ 1303.478243] mwifiex_rx_work_queue+0x158/0x198 [mwifiex] [ 1303.483734] process_one_work+0x14c/0x28c [ 1303.487845] worker_thread+0x2cc/0x3d4 [ 1303.491680] kthread+0x12c/0x208 [ 1303.495014] ret_from_fork+0x10/0x20 Add validation in the STA receive path to verify that disassoc/deauth frames originate from the connected AP. Frames that fail this check are discarded early, preventing them from reaching the MLME layer and triggering WARN_ON(). This filtering logic is similar with that used in the ieee80211_rx_mgmt_disassoc() function in mac80211, which drops disassoc frames that don't match the current BSSID (!ether_addr_equal(mgmt->bssid, sdata->vif.cfg.ap_addr)), ensuring only relevant frames are processed. Tested on: - 8997 with FW 16.68.1.p197 Fixes: 36995892c271 ("wifi: mwifiex: add host mlme for client mode") Cc: stable(a)vger.kernel.org Signed-off-by: Vitor Soares <vitor.soares(a)toradex.com> --- drivers/net/wireless/marvell/mwifiex/util.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/marvell/mwifiex/util.c b/drivers/net/wireless/marvell/mwifiex/util.c index 4c5b1de0e936..6882e90e90b2 100644 --- a/drivers/net/wireless/marvell/mwifiex/util.c +++ b/drivers/net/wireless/marvell/mwifiex/util.c @@ -459,7 +459,9 @@ mwifiex_process_mgmt_packet(struct mwifiex_private *priv, "auth: receive authentication from %pM\n", ieee_hdr->addr3); } else { - if (!priv->wdev.connected) + if (!priv->wdev.connected || + !ether_addr_equal(ieee_hdr->addr3, + priv->curr_bss_params.bss_descriptor.mac_address)) return 0; if (ieee80211_is_deauth(ieee_hdr->frame_control)) { -- 2.34.1

4 months, 2 weeks

4
4
0 0

[PATCH 6.15 000/263] 6.15.5-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.15.5 release. There are 263 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun, 06 Jul 2025 12:55:09 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.15.5-rc2… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.15.5-rc2 Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Fix AMDGPU_MAX_BL_LEVEL value Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Export full brightness range to userspace Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Optimize custom brightness curve Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Only read ACPI backlight caps once Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Fix default DC and AC levels Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Add debugging message for brightness caps Cyril Bur <cyrilbur(a)tenstorrent.com> riscv: uaccess: Only restore the CSR_STATUS SUM bit Jens Axboe <axboe(a)kernel.dk> io_uring: gate REQ_F_ISREG on !S_ANON_INODE as well Jens Axboe <axboe(a)kernel.dk> io_uring/kbuf: flag partial buffer mappings Heiko Carstens <hca(a)linux.ibm.com> s390/ptrace: Fix pointer dereferencing in regs_get_kernel_stack_nth() Chang S. Bae <chang.seok.bae(a)intel.com> x86/pkeys: Simplify PKRU update in signal frame Chang S. Bae <chang.seok.bae(a)intel.com> x86/fpu: Refactor xfeature bitmask update code for sigframe XSAVE Danilo Krummrich <dakr(a)kernel.org> rust: devres: do not dereference to the internal Revocable Danilo Krummrich <dakr(a)kernel.org> rust: devres: fix race in Devres::drop() Danilo Krummrich <dakr(a)kernel.org> rust: revocable: indicate whether `data` has been revoked already Danilo Krummrich <dakr(a)kernel.org> rust: completion: implement initial abstraction Michael Strauss <michael.strauss(a)amd.com> drm/amd/display: Get LTTPR IEEE OUI/Device ID From Closest LTTPR To Host Michael Strauss <michael.strauss(a)amd.com> drm/amd/display: Add early 8b/10b channel equalization test pattern sequence Sasha Levin <sashal(a)kernel.org> sched_ext: Make scx_group_set_weight() always update tg->scx.weight Sasha Levin <sashal(a)kernel.org> arm64: dts: qcom: x1e78100-t14s: fix missing HID supplies Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/mes: add missing locking in helper functions Eric Biggers <ebiggers(a)google.com> crypto: powerpc/poly1305 - add depends on BROKEN for now Stephan Gerhold <stephan.gerhold(a)linaro.org> arm64: dts: qcom: x1-crd: Fix vreg_l2j_1p2 voltage Sasha Levin <sashal(a)kernel.org> arm64: dts: qcom: x1e78100-t14s: mark l12b and l15b always-on Johan Hovold <johan+linaro(a)kernel.org> arm64: dts: qcom: x1e80100-crd: mark l12b and l15b always-on Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> arm64: dts: qcom: Commonize X1 CRD DTSI Alex Hung <alex.hung(a)amd.com> drm/amd/display: Fix mpv playback corruption on weston Peichen Huang <PeiChen.Huang(a)amd.com> drm/amd/display: Add dc cap for dp tunneling Nicholas Kazlauskas <nicholas.kazlauskas(a)amd.com> drm/amd/display: Add more checks for DSC / HUBP ONO guarantees Frank Min <Frank.Min(a)amd.com> drm/amdgpu: add kicker fws loading for gfx11/smu13/psp13 Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: switch job hw_fence to amdgpu_fence Jesse Zhang <jesse.zhang(a)amd.com> drm/amdgpu: Fix SDMA UTC_L1 handling during start/stop sequences Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/dsi: Fix off by one in BXT_MIPI_TRANS_VTOTAL Daniele Ceraolo Spurio <daniele.ceraolospurio(a)intel.com> drm/xe: Fix early wedge on GuC load failure Lucas De Marchi <lucas.demarchi(a)intel.com> drm/xe: Fix taking invalid lock on wedge Lucas De Marchi <lucas.demarchi(a)intel.com> drm/xe: Fix memset on iomem Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check dce_hwseq before dereferencing it Frank Min <Frank.Min(a)amd.com> drm/amdgpu: Add kicker device detection Sonny Jiang <sonny.jiang(a)amd.com> drm/amdgpu: VCN v5_0_1 to prevent FW checking RB during DPG pause Yihan Zhu <Yihan.Zhu(a)amd.com> drm/amd/display: Fix RMCM programming seq errors Matthew Auld <matthew.auld(a)intel.com> drm/xe/guc_submit: add back fix Matthew Auld <matthew.auld(a)intel.com> drm/xe/sched: stop re-submitting signalled jobs Matthew Auld <matthew.auld(a)intel.com> drm/xe/vm: move rebind_work init earlier Zhongwei Zhang <Zhongwei.Zhang(a)amd.com> drm/amd/display: Correct non-OLED pre_T11_delay. Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: disable workload profile switching when OD is enabled John Olender <john.olender(a)gmail.com> drm/amdgpu: amdgpu_vram_mgr_new(): Clamp lpfn to total vram Wentao Liang <vulab(a)iscas.ac.cn> drm/amd/display: Add null pointer check for get_first_active_display() Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Check return value when getting default PHY config Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix connecting to next bridge Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix phy de-init and flag it so Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() Imre Deak <imre.deak(a)intel.com> drm/i915/dp_mst: Work around Thunderbolt sink disconnect after SINK_COUNT_ESI read Imre Deak <imre.deak(a)intel.com> drm/i915/ptl: Use everywhere the correct DDI port clock select mask Jay Cornwall <jay.cornwall(a)amd.com> drm/amdkfd: Fix race in GWS queue scheduling Stephan Gerhold <stephan.gerhold(a)linaro.org> drm/msm/gpu: Fix crash when throttling GPU immediately during boot Thomas Zimmermann <tzimmermann(a)suse.de> drm/udl: Unregister device before cleaning up on disconnect Qiu-ji Chen <chenqiuji666(a)gmail.com> drm/tegra: Fix a possible null pointer dereference Thierry Reding <treding(a)nvidia.com> drm/tegra: Assign plane type before registration Thomas Zimmermann <tzimmermann(a)suse.de> drm/simpledrm: Do not upcast in release helpers Luca Ceresoli <luca.ceresoli(a)bootlin.com> drm/panel: simple: Tianma TM070JDHG34-00: add delays Maíra Canal <mcanal(a)igalia.com> drm/etnaviv: Protect the scheduler's pending list with its lock Thomas Zimmermann <tzimmermann(a)suse.de> drm/cirrus-qemu: Fix pitch programming Thomas Zimmermann <tzimmermann(a)suse.de> drm/ast: Fix comment on modeset lock Karan Tilak Kumar <kartilak(a)cisco.com> scsi: fnic: Turn off FDMI ACTIVE flags on link down Karan Tilak Kumar <kartilak(a)cisco.com> scsi: fnic: Fix crash in fnic_wq_cmpl_handler when FDMI times out anvithdosapati <anvithdosapati(a)google.com> scsi: ufs: core: Fix clk scaling to be conditional in reset and restore Chen Yu <yu.c.chen(a)intel.com> scsi: megaraid_sas: Fix invalid node index Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix kobject reference count leak Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix memory leak on sysfs attribute creation failure Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix memory leak on kobject creation failure Iusico Maxim <iusico.maxim(a)libero.it> HID: lenovo: Restrict F7/9/11 mode to compact keyboards only Qasim Ijaz <qasdev00(a)gmail.com> HID: appletb-kbd: fix "appletb_backlight" backlight device reference counting Chao Yu <chao(a)kernel.org> f2fs: fix to zero post-eof page David Hildenbrand <david(a)redhat.com> mm/gup: revert "mm: gup: fix infinite loop within __get_longterm_locked" Kairui Song <kasong(a)tencent.com> mm/shmem, swap: fix softlockup with mTHP swapin Kairui Song <kasong(a)tencent.com> mm: userfaultfd: fix race of userfaultfd_move and swap cache Liam R. Howlett <Liam.Howlett(a)oracle.com> maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() Jiawen Wu <jiawenwu(a)trustnetic.com> net: libwx: fix the creation of page_pool Khairul Anuar Romli <khairul.anuar.romli(a)altera.com> spi: spi-cadence-quadspi: Fix pm runtime unbalance Stephen Smalley <stephen.smalley.work(a)gmail.com> selinux: change security_compute_sid to return the ssid or tsid on match Kuan-Wei Chiu <visitorckw(a)gmail.com> Revert "bcache: remove heap-related macros and switch to generic min_heap" Kuan-Wei Chiu <visitorckw(a)gmail.com> Revert "bcache: update min_heap_callbacks to use default builtin swap" Filipe Manana <fdmanana(a)suse.com> btrfs: fix invalid inode pointer dereferences during log replay Mark Harmstone <maharmstone(a)fb.com> btrfs: update superblock's device bytes_used when dropping chunk Filipe Manana <fdmanana(a)suse.com> btrfs: fix a race between renames and directory logging Kuan-Wei Chiu <visitorckw(a)gmail.com> bcache: remove unnecessary select MIN_HEAP Heinz Mauelshagen <heinzm(a)redhat.com> dm-raid: fix variable in journal device check Frédéric Danis <frederic.danis(a)collabora.com> Bluetooth: L2CAP: Fix L2CAP MTU negotiation Fabio Estevam <festevam(a)gmail.com> serial: imx: Restore original RXTL for console to fix data loss Aidan Stewart <astewart(a)tektelic.com> serial: core: restore of_node information in sysfs Yao Zi <ziyao(a)disroot.org> dt-bindings: serial: 8250: Make clocks and clock-frequency exclusive Nathan Chancellor <nathan(a)kernel.org> staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() Xin Li (Intel) <xin(a)zytor.com> x86/traps: Initialize DR6 by writing its architectural reset value Avadhut Naik <avadhut.naik(a)amd.com> EDAC/amd64: Fix size calculation for Non-Power-of-Two DIMMs Paulo Alcantara <pc(a)manguebit.org> smb: client: fix potential deadlock when reconnecting channels Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe: Process deferred GGTT node removals on device unwind Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/guc: Explicitly exit CT safe mode on unwind Jayesh Choudhary <j-choudhary(a)ti.com> drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type Wolfram Sang <wsa+renesas(a)sang-engineering.com> drm/bridge: ti-sn65dsi86: make use of debugfs_init callback Arnd Bergmann <arnd(a)arndb.de> drm/i915: fix build error some more Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Adjust output for discovery error handling Louis Chauvet <louis.chauvet(a)bootlin.com> drm: writeback: Fix drm_writeback_connector_cleanup signature Charles Mirabile <cmirabil(a)redhat.com> riscv: fix runtime constant support for nommu kernels Christoph Hellwig <hch(a)lst.de> nvme: fix atomic write size validation Christoph Hellwig <hch(a)lst.de> nvme: refactor the atomic write unit detection Jakub Kicinski <kuba(a)kernel.org> net: selftests: fix TCP packet checksum Salvatore Bonaccorso <carnil(a)debian.org> ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR Kuniyuki Iwashima <kuniyu(a)google.com> atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). Jakub Kicinski <kuba(a)kernel.org> netlink: specs: tc: replace underscores with dashes in names Simon Horman <horms(a)kernel.org> net: enetc: Correct endianness handling in _enetc_rd_reg64 Adin Scannell <amscanne(a)meta.com> libbpf: Fix possible use-after-free for externs Jens Axboe <axboe(a)kernel.dk> io_uring/net: mark iov as dynamically allocated even for single segments Tiwei Bie <tiwei.btw(a)antgroup.com> um: ubd: Add missing error check in start_io_thread() Yan Zhai <yan(a)cloudflare.com> bnxt: properly flush XDP redirect lists Stefano Garzarella <sgarzare(a)redhat.com> vsock/uapi: fix linux/vm_sockets.h userspace compilation errors Al Viro <viro(a)zeniv.linux.org.uk> userns and mnt_idmap leak in open_tree_attr(2) Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: finish link init before RCU publish Muna Sinada <muna.sinada(a)oss.qualcomm.com> wifi: mac80211: Create separate links for VLAN interfaces Muna Sinada <muna.sinada(a)oss.qualcomm.com> wifi: mac80211: Add link iteration macro for link data Kuniyuki Iwashima <kuniyu(a)google.com> af_unix: Don't set -ECONNRESET for consumed OOB skb. Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: fix beacon interval calculation overflow Ido Schimmel <idosch(a)nvidia.com> bridge: mcast: Fix use-after-free during router port configuration Thomas Fourier <fourier.thomas(a)gmail.com> ethernet: ionic: Fix DMA mapping tests Breno Leitao <leitao(a)debian.org> net: netpoll: Initialize UDP checksum field before checksumming Yuan Chen <chenyuan(a)kylinos.cn> libbpf: Fix null pointer dereference in btf_dump__free on allocation failure Al Viro <viro(a)zeniv.linux.org.uk> attach_recursive_mnt(): do not lock the covering tree when sliding something under it Youngjun Lee <yjjuny.lee(a)samsung.com> ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() Kuniyuki Iwashima <kuniyu(a)google.com> Bluetooth: hci_core: Fix use-after-free in vhci_flush() Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> ASoC: amd: ps: fix for soundwire failures during hibernation exit sequence Eric Dumazet <edumazet(a)google.com> atm: clip: prevent NULL deref in clip_push() Thomas Fourier <fourier.thomas(a)gmail.com> scsi: fnic: Fix missing DMA mapping error in fnic_send_frame() Dan Williams <dan.j.williams(a)intel.com> cxl/ras: Fix CPER handler device confusion Thomas Zeitlhofer <thomas.zeitlhofer+lkml(a)ze-it.at> HID: wacom: fix crash in wacom_aes_battery_handler() Even Xu <even.xu(a)intel.com> HID: Intel-thc-hid: Intel-quicki2c: Enhance QuickI2C reset flow Matthew Auld <matthew.auld(a)intel.com> drm/xe: move DPT l2 flush to a more sensible place Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> drm/xe: Move DSB l2 flush to a more sensible place Ankit Nautiyal <ankit.k.nautiyal(a)intel.com> drm/i915/snps_hdmi_pll: Fix 64-bit divisor truncation by using div64_u64 Haoxiang Li <haoxiang_li2024(a)163.com> drm/xe/display: Add check for alloc_ordered_workqueue() Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/mes: add compatibility checks for set_hw_resource_1 Takashi Iwai <tiwai(a)suse.de> drm/amd/display: Add sanity checks for drm_edid_raw() Nam Cao <namcao(a)linutronix.de> Revert "riscv: misaligned: fix sleeping function called during misaligned access handling" Nam Cao <namcao(a)linutronix.de> Revert "riscv: Define TASK_SIZE_MAX for __access_ok()" Yu Kuai <yukuai3(a)huawei.com> lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly() David Hildenbrand <david(a)redhat.com> fs/proc/task_mmu: fix PAGE_IS_PFNZERO detection for the huge zero folio Pavel Begunkov <asml.silence(a)gmail.com> io_uring: don't assume uaddr alignment in io_vec_fill_bvec Pavel Begunkov <asml.silence(a)gmail.com> io_uring/rsrc: don't rely on user vaddr alignment Pavel Begunkov <asml.silence(a)gmail.com> io_uring/rsrc: fix folio unpinning Fedor Pchelkin <pchelkin(a)ispras.ru> s390/pkey: Prevent overflow in size calculation for memdup_user() Klara Modin <klarasmodin(a)gmail.com> riscv: export boot_cpu_hartid Oliver Schramm <oliver.schramm97(a)gmail.com> ASoC: amd: yc: Add DMI quirk for Lenovo IdeaPad Slim 5 15 Han Gao <rabenda.cn(a)gmail.com> riscv: vector: Fix context save/restore with xtheadvector Paulo Alcantara <pc(a)manguebit.org> smb: client: fix regression with native SMB symlinks SeongJae Park <sj(a)kernel.org> mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write Stefan Metzmacher <metze(a)samba.org> smb: client: remove \t from TP_printk statements Niklas Cassel <cassel(a)kernel.org> ata: ahci: Use correct DMI identifier for ASUSPRO-D840SA LPM quirk Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: fix dentry_name() lookup Haiyue Wang <haiyuewa(a)163.com> fuse: fix runtime warning on truncate_folio_batch_exceptionals() Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Check interrupt route from physical CPU Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Fix interrupt route update with EIOINTC Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Add address alignment check for IOCSR emulation Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Disable updating of "num_cpu" and "feature" Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Check validity of "num_cpu" from user space Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Avoid overflow with array index Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: robotfuzz-osif: disable zero-length read messages Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: tiny-usb: disable zero-length read messages Lukasz Kucharczyk <lukasz.kucharczyk(a)leica-geosystems.com> i2c: imx: fix emulated smbus block read Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: omap: Fix an error handling path in omap_i2c_probe() Kuniyuki Iwashima <kuniyu(a)google.com> af_unix: Don't leave consecutive consumed OOB skbs. Haoxiang Li <haoxiang_li2024(a)163.com> drm/i915/display: Add check for alloc_ordered_workqueue() and alloc_workqueue() Pavel Begunkov <asml.silence(a)gmail.com> io_uring/zcrx: fix area release on registration failure Pavel Begunkov <asml.silence(a)gmail.com> io_uring/zcrx: split out memory holders from area Pavel Begunkov <asml.silence(a)gmail.com> io_uring/zcrx: improve area validation Pavel Begunkov <asml.silence(a)gmail.com> io_uring/zcrx: move io_zcrx_iov_page Chao Yu <chao(a)kernel.org> f2fs: don't over-report free space or inodes in statvfs Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: codecs: wcd9335: Fix missing free of regulator supplies Peng Fan <peng.fan(a)nxp.com> ASoC: codec: wcd9335: Convert to GPIO descriptors Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Rollback non processed entities on error Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Increase/decrease the PM counter per IOCTL Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Create uvc_pm_(get|put) functions Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Keep streaming state in the file handle Filipe Manana <fdmanana(a)suse.com> btrfs: fix qgroup reservation leak on failure to allocate ordered extent David Sterba <dsterba(a)suse.com> btrfs: use unsigned types for constants defined as bit shifts Joonas Lahtinen <joonas.lahtinen(a)linux.intel.com> Revert "drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1" Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1 Qu Wenruo <wqu(a)suse.com> btrfs: handle csum tree error with rescue=ibadroots correctly Filipe Manana <fdmanana(a)suse.com> btrfs: fix race between async reclaim worker and close_ctree() Kees Cook <kees(a)kernel.org> ovl: Check for NULL d_inode() in ovl_dentry_upper() Ben Dooks <ben.dooks(a)codethink.co.uk> riscv: save the SR_SUM status over switches Ziqi Chen <quic_ziqichen(a)quicinc.com> scsi: ufs: core: Don't perform UFS clkscaling during host async scan Dmitry Kandybka <d.kandybka(a)gmail.com> ceph: fix possible integer overflow in ceph_zero_objects() Shuming Fan <shumingf(a)realtek.com> ASoC: rt1320: fix speaker noise when volume bar is 100% Mario Limonciello <mario.limonciello(a)amd.com> ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> ALSA: hda: Add new pci id for AMD GPU display HD audio controller Cezary Rojewski <cezary.rojewski(a)intel.com> ALSA: hda: Ignore unsol events for cards being shut down Clément Léger <cleger(a)rivosinc.com> riscv: misaligned: declare misaligned_access_speed under CONFIG_RISCV_MISALIGNED Heiko Carstens <hca(a)linux.ibm.com> s390/mm: Fix in_atomic() handling in do_secure_storage_access() Andy Chiu <andybnac(a)gmail.com> riscv: add a data fence for CMODX in the kernel mode Michael Grzeschik <m.grzeschik(a)pengutronix.de> usb: typec: mux: do not return on EOPNOTSUPP in {mux, switch}_set Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> usb: typec: tipd: Fix wakeup source leaks on device unbind Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> usb: typec: tcpci: Fix wakeup source leaks on device unbind Jos Wang <joswang(a)lenovo.com> usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode Peter Korsgaard <peter(a)korsgaard.com> usb: gadget: f_hid: wake up readers on disable/unbind Robert Hodaszi <robert.hodaszi(a)digi.com> usb: cdc-wdm: avoid setting WDM_READ for ZLP-s Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> usb: Add checks for snprintf() calls in usb_alloc_dev() Chance Yang <chance.yang(a)kneron.us> usb: common: usb-conn-gpio: use a unique name for usb connector device Jakub Lewalski <jakub.lewalski(a)nokia.com> tty: serial: uartlite: register uart driver in init Chen Yufeng <chenyufeng(a)iie.ac.cn> usb: potential integer overflow in usbg_make_tpg() Chenyuan Yang <chenyuan0y(a)gmail.com> misc: tps6594-pfsm: Add NULL pointer check in tps6594_pfsm_probe() Zhang Lixu <lixu.zhang(a)intel.com> iio: hid-sensor-prox: Add support for 16-bit report size David Lechner <dlechner(a)baylibre.com> iio: adc: ad7606_spi: check error in ad7606B_sw_mode_config() David Heidelberg <david(a)ixit.cz> iio: light: al3000a: Fix an error handling path in al3000a_probe() Angelo Dureghello <adureghello(a)baylibre.com> iio: dac: adi-axi-dac: add cntrl chan check Purva Yeshi <purvayeshi550(a)gmail.com> iio: adc: ad_sigma_delta: Fix use of uninitialized status_pos Michael Grzeschik <m.grzeschik(a)pengutronix.de> usb: dwc2: also exit clock_gating when stopping udc while suspended James Clark <james.clark(a)linaro.org> coresight: Only check bottom two claim bits Rengarajan S <rengarajan.s(a)microchip.com> 8250: microchip: pci1xxxx: Add PCIe Hot reset disable support for Rev C0 and later devices Benjamin Berg <benjamin.berg(a)intel.com> um: use proper care when taking mmap lock during segfault Sami Tolvanen <samitolvanen(a)google.com> um: Add cmpxchg8b_emu and checksum functions to asm-prototypes.h Daniele Palmas <dnlplm(a)gmail.com> bus: mhi: host: pci_generic: Add Telit FN920C04 modem support Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: pressure: zpa2326: Use aligned_s64 for the timestamp Lin.Cao <lincao12(a)amd.com> drm/scheduler: signal scheduled fence when kill job Philip Yang <Philip.Yang(a)amd.com> drm/amdgpu: seq64 memory unmap uses uninterruptible lock Linggang Zeng <linggang.zeng(a)easystack.cn> bcache: fix NULL pointer in cache_set_flush() David (Ming Qiang) Wu <David.Wu3(a)amd.com> drm/amdgpu/vcn2.5: read back register after written David (Ming Qiang) Wu <David.Wu3(a)amd.com> drm/amdgpu/vcn3: read back register after written David (Ming Qiang) Wu <David.Wu3(a)amd.com> drm/amdgpu/vcn4: read back register after written David (Ming Qiang) Wu <David.Wu3(a)amd.com> drm/amdgpu/vcn5.0.1: read back register after written Yifan Zhang <yifan1.zhang(a)amd.com> amd/amdkfd: fix a kfd_process ref leak Yu Kuai <yukuai3(a)huawei.com> md/md-bitmap: fix dm-raid max_write_behind setting Hannes Reinecke <hare(a)kernel.org> nvme-tcp: sanitize request list handling Hannes Reinecke <hare(a)kernel.org> nvme-tcp: fix I/O stalls on congested sockets Ilan Peer <ilan.peer(a)intel.com> wifi: iwlwifi: mld: Move regulatory domain initialization Richard Zhu <hongxing.zhu(a)nxp.com> PCI: imx6: Add workaround for errata ERR051624 Hector Martin <marcan(a)marcan.st> PCI: apple: Fix missing OF node reference in apple_pcie_setup_port Wenbin Yao <quic_wenbyao(a)quicinc.com> PCI: dwc: Make link training more robust by setting PORT_LOGIC_LINK_WIDTH to one lane Thomas Gessler <thomas.gessler(a)brueckmann-gmbh.de> dmaengine: xilinx_dma: Set dma_device directions Yi Sun <yi.sun(a)intel.com> dmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using Rudraksha Gupta <guptarud(a)gmail.com> rust: arm: fix unknown (to Clang) argument '-mno-fdpic' FUJITA Tomonori <fujita.tomonori(a)gmail.com> rust: module: place cleanup_module() in .exit.text section Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: provide zero as a unique ID to the Mac client Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: allow a filename to contain special characters on SMB3.1.1 posix extension Alexis Czezar Torreno <alexisczezar.torreno(a)analog.com> hwmon: (pmbus/max34440) Fix support for max34451 Scott Mayhew <smayhew(a)redhat.com> NFSv4: xattr handlers should check for absent nfs filehandles Gregory Price <gourry(a)gourry.net> cxl: core/region - ignore interleave granularity when ways=1 Robert Richter <rrichter(a)amd.com> cxl/region: Add a dev_err() on missing target list entries Guang Yuan Wu <gwu(a)ddn.com> fuse: fix race between concurrent setattrs from multiple nodes Sven Schwermer <sven.schwermer(a)disruptive-technologies.com> leds: multicolor: Fix intensity setting while SW blinking Matthew Sakai <msakai(a)redhat.com> dm vdo indexer: don't read request structure after enqueuing Yikai Tsai <yikai.tsai.wiwynn(a)gmail.com> hwmon: (isl28022) Fix current reading calculation Nikhil Jha <njha(a)janestreet.com> sunrpc: don't immediately retransmit on seqno miss Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> mfd: sprd-sc27xx: Fix wakeup source leaks on device unbind Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> mfd: 88pm886: Fix wakeup source leaks on device unbind Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> mfd: max77705: Fix wakeup source leaks on device unbind Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> mfd: max14577: Fix wakeup source leaks on device unbind Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> mfd: max77541: Fix wakeup source leaks on device unbind Peng Fan <peng.fan(a)nxp.com> mailbox: Not protect module_put with spin_lock_irqsave Sagi Grimberg <sagi(a)grimberg.me> NFSv4.2: fix setattr caching of TIME_[MODIFY|ACCESS]_SET when timestamps are delegated Olga Kornievskaia <okorniev(a)redhat.com> NFSv4.2: fix listxattr to return selinux security label Han Young <hanyang.tony(a)bytedance.com> NFSv4: Always set NLINK even if the server doesn't support it Pali Rohár <pali(a)kernel.org> cifs: Fix encoding of SMB1 Session Setup NTLMSSP Request in non-UNICODE mode Pali Rohár <pali(a)kernel.org> cifs: Fix cifs_query_path_info() for Windows NT servers Pali Rohár <pali(a)kernel.org> cifs: Correctly set SMB1 SessionKey field in Session Setup Request ------------- Diffstat: Documentation/devicetree/bindings/serial/8250.yaml | 2 +- Documentation/netlink/specs/tc.yaml | 4 +- Makefile | 4 +- arch/arm64/boot/dts/qcom/x1-crd.dtsi | 1277 ++++++++++++++++++++ .../dts/qcom/x1e78100-lenovo-thinkpad-t14s.dts | 45 + arch/arm64/boot/dts/qcom/x1e80100-crd.dts | 1270 +------------------ arch/arm64/boot/dts/qcom/x1e80100.dtsi | 2 +- arch/loongarch/kvm/intc/eiointc.c | 89 +- arch/powerpc/crypto/Kconfig | 1 + arch/riscv/include/asm/cpufeature.h | 5 +- arch/riscv/include/asm/pgtable.h | 1 - arch/riscv/include/asm/processor.h | 1 + arch/riscv/include/asm/runtime-const.h | 2 +- arch/riscv/include/asm/vector.h | 12 +- arch/riscv/kernel/asm-offsets.c | 5 + arch/riscv/kernel/entry.S | 9 + arch/riscv/kernel/setup.c | 1 + arch/riscv/kernel/traps_misaligned.c | 6 +- arch/riscv/mm/cacheflush.c | 15 +- arch/s390/kernel/ptrace.c | 2 +- arch/s390/mm/fault.c | 2 + arch/um/drivers/ubd_user.c | 2 +- arch/um/include/asm/asm-prototypes.h | 5 + arch/um/kernel/trap.c | 129 +- arch/x86/include/uapi/asm/debugreg.h | 21 +- arch/x86/kernel/cpu/common.c | 24 +- arch/x86/kernel/fpu/signal.c | 11 +- arch/x86/kernel/fpu/xstate.h | 22 +- arch/x86/kernel/traps.c | 34 +- arch/x86/um/asm/checksum.h | 3 + drivers/ata/ahci.c | 2 +- drivers/bus/mhi/host/pci_generic.c | 39 + drivers/cxl/core/ras.c | 47 +- drivers/cxl/core/region.c | 9 +- drivers/dma/idxd/cdev.c | 4 +- drivers/dma/xilinx/xilinx_dma.c | 2 + drivers/edac/amd64_edac.c | 57 +- drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 28 +- drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c | 30 +- drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 8 + drivers/gpu/drm/amd/amdgpu/amdgpu_job.c | 12 +- drivers/gpu/drm/amd/amdgpu/amdgpu_job.h | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c | 16 + drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 16 +- drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h | 16 + drivers/gpu/drm/amd/amdgpu/amdgpu_seq64.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_ucode.c | 17 + drivers/gpu/drm/amd/amdgpu/amdgpu_ucode.h | 6 + drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 2 +- drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 5 + drivers/gpu/drm/amd/amdgpu/imu_v11_0.c | 9 +- drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 10 +- drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 3 +- drivers/gpu/drm/amd/amdgpu/psp_v13_0.c | 2 + drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c | 6 +- drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c | 19 + drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 20 + drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 20 + drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c | 21 +- drivers/gpu/drm/amd/amdkfd/kfd_events.c | 1 + drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c | 2 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 97 +- .../drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 4 + drivers/gpu/drm/amd/display/dc/core/dc.c | 33 + drivers/gpu/drm/amd/display/dc/dc.h | 8 +- drivers/gpu/drm/amd/display/dc/dc_dp_types.h | 4 +- .../dc/dml2/dml21/dml21_translation_helper.c | 1 + .../dml21/src/dml2_core/dml2_core_dcn4_calcs.c | 5 +- .../amd/display/dc/dml2/dml2_translation_helper.c | 1 + .../drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 9 +- .../drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 28 + .../display/dc/link/protocols/link_dp_capability.c | 46 +- .../display/dc/link/protocols/link_dp_capability.h | 3 + .../display/dc/link/protocols/link_dp_training.c | 1 - .../dc/link/protocols/link_dp_training_8b_10b.c | 52 +- .../amd/display/dc/resource/dcn31/dcn31_resource.c | 3 + .../display/dc/resource/dcn314/dcn314_resource.c | 3 + .../amd/display/dc/resource/dcn35/dcn35_resource.c | 3 + .../display/dc/resource/dcn351/dcn351_resource.c | 3 + .../amd/display/dc/resource/dcn36/dcn36_resource.c | 3 + .../drm/amd/display/include/link_service_types.h | 2 + .../gpu/drm/amd/display/modules/hdcp/hdcp_psp.c | 3 + drivers/gpu/drm/amd/pm/amdgpu_dpm.c | 22 + drivers/gpu/drm/amd/pm/inc/amdgpu_dpm.h | 1 + drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 12 +- drivers/gpu/drm/ast/ast_mode.c | 6 +- drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c | 32 +- drivers/gpu/drm/bridge/ti-sn65dsi86.c | 109 +- drivers/gpu/drm/drm_writeback.c | 7 +- drivers/gpu/drm/etnaviv/etnaviv_sched.c | 5 +- drivers/gpu/drm/i915/display/intel_cx0_phy.c | 27 +- drivers/gpu/drm/i915/display/intel_cx0_phy_regs.h | 15 +- .../gpu/drm/i915/display/intel_display_driver.c | 30 +- drivers/gpu/drm/i915/display/intel_dp.c | 17 + drivers/gpu/drm/i915/display/intel_snps_hdmi_pll.c | 4 +- drivers/gpu/drm/i915/display/vlv_dsi.c | 4 +- drivers/gpu/drm/i915/i915_pmu.c | 2 +- drivers/gpu/drm/msm/msm_gpu_devfreq.c | 1 + drivers/gpu/drm/panel/panel-simple.c | 6 + drivers/gpu/drm/scheduler/sched_entity.c | 1 + drivers/gpu/drm/tegra/dc.c | 17 +- drivers/gpu/drm/tegra/hub.c | 4 +- drivers/gpu/drm/tegra/hub.h | 3 +- drivers/gpu/drm/tiny/cirrus-qemu.c | 1 - drivers/gpu/drm/tiny/simpledrm.c | 4 +- drivers/gpu/drm/udl/udl_drv.c | 2 +- drivers/gpu/drm/xe/display/xe_display.c | 2 + drivers/gpu/drm/xe/display/xe_dsb_buffer.c | 11 +- drivers/gpu/drm/xe/display/xe_fb_pin.c | 5 +- drivers/gpu/drm/xe/xe_ggtt.c | 11 + drivers/gpu/drm/xe/xe_gpu_scheduler.h | 10 +- drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c | 8 + drivers/gpu/drm/xe/xe_guc_ct.c | 17 +- drivers/gpu/drm/xe/xe_guc_ct.h | 5 + drivers/gpu/drm/xe/xe_guc_pc.c | 2 +- drivers/gpu/drm/xe/xe_guc_submit.c | 23 + drivers/gpu/drm/xe/xe_guc_types.h | 5 + drivers/gpu/drm/xe/xe_vm.c | 8 +- drivers/hid/hid-appletb-kbd.c | 5 + drivers/hid/hid-lenovo.c | 11 +- .../intel-quicki2c/quicki2c-protocol.c | 26 +- drivers/hid/wacom_sys.c | 7 +- drivers/hwmon/isl28022.c | 6 +- drivers/hwmon/pmbus/max34440.c | 48 +- drivers/hwtracing/coresight/coresight-core.c | 3 +- drivers/hwtracing/coresight/coresight-priv.h | 1 + drivers/i2c/busses/i2c-imx.c | 3 +- drivers/i2c/busses/i2c-omap.c | 7 +- drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 + drivers/i2c/busses/i2c-tiny-usb.c | 6 + drivers/iio/adc/ad7606_spi.c | 8 +- drivers/iio/adc/ad_sigma_delta.c | 4 + drivers/iio/dac/adi-axi-dac.c | 24 + drivers/iio/light/al3000a.c | 9 +- drivers/iio/light/hid-sensor-prox.c | 3 + drivers/iio/pressure/zpa2326.c | 2 +- drivers/leds/led-class-multicolor.c | 3 +- drivers/mailbox/mailbox.c | 2 +- drivers/md/bcache/Kconfig | 1 - drivers/md/bcache/alloc.c | 57 +- drivers/md/bcache/bcache.h | 2 +- drivers/md/bcache/bset.c | 116 +- drivers/md/bcache/bset.h | 40 +- drivers/md/bcache/btree.c | 69 +- drivers/md/bcache/extents.c | 43 +- drivers/md/bcache/movinggc.c | 33 +- drivers/md/bcache/super.c | 10 +- drivers/md/bcache/sysfs.c | 4 +- drivers/md/bcache/util.h | 67 +- drivers/md/bcache/writeback.c | 13 +- drivers/md/dm-raid.c | 2 +- drivers/md/dm-vdo/indexer/volume.c | 24 +- drivers/md/md-bitmap.c | 2 +- drivers/media/usb/uvc/uvc_ctrl.c | 70 +- drivers/media/usb/uvc/uvc_v4l2.c | 93 +- drivers/media/usb/uvc/uvcvideo.h | 5 + drivers/mfd/88pm886.c | 6 +- drivers/mfd/max14577.c | 1 + drivers/mfd/max77541.c | 2 +- drivers/mfd/max77705.c | 4 +- drivers/mfd/sprd-sc27xx-spi.c | 5 +- drivers/misc/tps6594-pfsm.c | 3 + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 5 +- drivers/net/ethernet/freescale/enetc/enetc_hw.h | 2 +- drivers/net/ethernet/pensando/ionic/ionic_txrx.c | 12 +- drivers/net/ethernet/wangxun/libwx/wx_lib.c | 2 +- drivers/net/wireless/intel/iwlwifi/mld/fw.c | 8 +- drivers/nvme/host/core.c | 83 +- drivers/nvme/host/nvme.h | 3 +- drivers/nvme/host/tcp.c | 22 +- drivers/pci/controller/dwc/pci-imx6.c | 15 + drivers/pci/controller/dwc/pcie-designware.c | 5 +- drivers/pci/controller/pcie-apple.c | 3 + drivers/s390/crypto/pkey_api.c | 2 +- drivers/scsi/fnic/fdls_disc.c | 122 +- drivers/scsi/fnic/fnic.h | 2 +- drivers/scsi/fnic/fnic_fcs.c | 2 + drivers/scsi/fnic/fnic_fdls.h | 1 + drivers/scsi/megaraid/megaraid_sas_base.c | 6 +- drivers/spi/spi-cadence-quadspi.c | 12 +- drivers/staging/rtl8723bs/core/rtw_security.c | 44 +- drivers/tty/serial/8250/8250_pci1xxxx.c | 10 + drivers/tty/serial/imx.c | 17 +- drivers/tty/serial/serial_base_bus.c | 1 + drivers/tty/serial/uartlite.c | 25 +- drivers/ufs/core/ufshcd.c | 6 +- drivers/usb/class/cdc-wdm.c | 23 +- drivers/usb/common/usb-conn-gpio.c | 25 +- drivers/usb/core/usb.c | 14 +- drivers/usb/dwc2/gadget.c | 6 + drivers/usb/gadget/function/f_hid.c | 19 +- drivers/usb/gadget/function/f_tcm.c | 4 +- drivers/usb/typec/altmodes/displayport.c | 4 + drivers/usb/typec/mux.c | 4 +- drivers/usb/typec/tcpm/tcpci_maxim_core.c | 5 +- drivers/usb/typec/tipd/core.c | 2 +- fs/btrfs/backref.h | 4 +- fs/btrfs/direct-io.c | 4 +- fs/btrfs/disk-io.c | 25 +- fs/btrfs/extent_io.h | 2 +- fs/btrfs/inode.c | 95 +- fs/btrfs/ordered-data.c | 14 +- fs/btrfs/raid56.c | 5 +- fs/btrfs/tests/extent-io-tests.c | 6 +- fs/btrfs/tree-log.c | 14 +- fs/btrfs/volumes.c | 6 + fs/btrfs/zstd.c | 2 +- fs/ceph/file.c | 2 +- fs/f2fs/file.c | 38 + fs/f2fs/super.c | 30 +- fs/fuse/dir.c | 11 + fs/fuse/inode.c | 4 + fs/namespace.c | 18 +- fs/nfs/inode.c | 51 +- fs/nfs/nfs4proc.c | 25 +- fs/overlayfs/util.c | 4 +- fs/proc/task_mmu.c | 2 +- fs/smb/client/cifsglob.h | 2 + fs/smb/client/cifspdu.h | 6 +- fs/smb/client/cifssmb.c | 1 + fs/smb/client/connect.c | 58 +- fs/smb/client/misc.c | 8 + fs/smb/client/reparse.c | 20 +- fs/smb/client/sess.c | 21 +- fs/smb/client/trace.h | 24 +- fs/smb/server/connection.h | 1 + fs/smb/server/smb2pdu.c | 72 +- fs/smb/server/smb2pdu.h | 3 + include/net/bluetooth/hci_core.h | 2 + include/uapi/linux/vm_sockets.h | 4 + io_uring/io_uring.c | 3 +- io_uring/kbuf.c | 1 + io_uring/kbuf.h | 1 + io_uring/net.c | 34 +- io_uring/rsrc.c | 57 +- io_uring/rsrc.h | 3 +- io_uring/zcrx.c | 101 +- io_uring/zcrx.h | 11 +- kernel/sched/ext.c | 12 +- lib/group_cpus.c | 9 +- lib/maple_tree.c | 4 +- mm/damon/sysfs-schemes.c | 1 + mm/gup.c | 14 +- mm/memory.c | 20 - mm/shmem.c | 6 +- mm/swap.h | 23 + mm/userfaultfd.c | 33 +- net/atm/clip.c | 11 +- net/atm/resources.c | 3 +- net/bluetooth/hci_core.c | 34 +- net/bluetooth/l2cap_core.c | 9 +- net/bridge/br_multicast.c | 9 + net/core/netpoll.c | 2 +- net/core/selftests.c | 5 +- net/mac80211/chan.c | 3 + net/mac80211/ieee80211_i.h | 12 + net/mac80211/iface.c | 12 +- net/mac80211/link.c | 94 +- net/mac80211/util.c | 2 +- net/sunrpc/clnt.c | 9 +- net/unix/af_unix.c | 31 +- rust/Makefile | 2 +- rust/bindings/bindings_helper.h | 1 + rust/helpers/completion.c | 8 + rust/helpers/helpers.c | 1 + rust/kernel/devres.rs | 53 +- rust/kernel/revocable.rs | 18 +- rust/kernel/sync.rs | 2 + rust/kernel/sync/completion.rs | 112 ++ rust/macros/module.rs | 1 + scripts/gdb/linux/vfs.py | 2 +- security/selinux/ss/services.c | 16 +- sound/pci/hda/hda_bind.c | 2 +- sound/pci/hda/hda_intel.c | 3 + sound/pci/hda/patch_realtek.c | 1 + sound/soc/amd/ps/acp63.h | 4 + sound/soc/amd/ps/ps-common.c | 18 + sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/codecs/rt1320-sdw.c | 17 +- sound/soc/codecs/wcd9335.c | 40 +- sound/usb/quirks.c | 2 + sound/usb/stream.c | 2 + tools/lib/bpf/btf_dump.c | 3 + tools/lib/bpf/libbpf.c | 10 +- .../selftests/bpf/progs/test_global_map_resize.c | 16 + 287 files changed, 4526 insertions(+), 2534 deletions(-)

4 months, 2 weeks

13
15
0 0

[PATCH v4 2/2] PCI: imx6: Align EP link start behavior with documentation

by Richard Zhu

According to PCI/endpoint/pci-endpoint-cfs.rst, the endpoint (EP) should only link up after `echo 1 > start` is executed. To match the documented behavior, do not start the link automatically when adding the EP controller. Fixes: 75c2f26da03f ("PCI: imx6: Add i.MX PCIe EP mode support") Cc: stable(a)vger.kernel.org Signed-off-by: Richard Zhu <hongxing.zhu(a)nxp.com> Reviewed-by: Frank Li <Frank.Li(a)nxp.com> --- drivers/pci/controller/dwc/pci-imx6.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/drivers/pci/controller/dwc/pci-imx6.c b/drivers/pci/controller/dwc/pci-imx6.c index f5f2ac638f4b..fda03512944d 100644 --- a/drivers/pci/controller/dwc/pci-imx6.c +++ b/drivers/pci/controller/dwc/pci-imx6.c @@ -1468,9 +1468,6 @@ static int imx_add_pcie_ep(struct imx_pcie *imx_pcie, pci_epc_init_notify(ep->epc); - /* Start LTSSM. */ - imx_pcie_ltssm_enable(dev); - return 0; } -- 2.37.1

4 months, 2 weeks

1
0
0 0

[PATCH v4 1/2] PCI: imx6: Remove apps_reset toggle in _core_reset functions

by Richard Zhu

apps_reset is LTSSM_EN on i.MX7, i.MX8MQ, i.MX8MM and i.MX8MP platforms. Since the assertion/de-assertion of apps_reset(LTSSM_EN bit) had been wrappered in imx_pcie_ltssm_enable() and imx_pcie_ltssm_disable(); Remove apps_reset toggle in imx_pcie_assert_core_reset() and imx_pcie_deassert_core_reset() functions. Use imx_pcie_ltssm_enable() and imx_pcie_ltssm_disable() to configure apps_reset directly. Fix fail to enumerate reliably PI7C9X2G608GP (hotplug) at i.MX8MM, which reported By Tim. Only i.MX7D, i.MX8MQ, i.MX8MM, and i.MX8MP have the apps_reset. With this change, the assertion/deassertion of LTSSM_EN bit are unified into imx_pcie_ltssm_enable() and imx_pcie_ltssm_disable() functions, and aligned with other i.MX platforms. Reported-by: Tim Harvey <tharvey(a)gateworks.com> Closes: https://lore.kernel.org/all/CAJ+vNU3ohR2YKTwC4xoYrc1z-neDoH2TTZcMHDy+poj9=j… Fixes: ef61c7d8d032 ("PCI: imx6: Deassert apps_reset in imx_pcie_deassert_core_reset()") Cc: stable(a)vger.kernel.org Signed-off-by: Richard Zhu <hongxing.zhu(a)nxp.com> Reviewed-by: Frank Li <Frank.Li(a)nxp.com> Tested-by: Tim Harvey <tharvey(a)gateworks.com> # imx8mp-venice-gw74xx (i.MX8MP + hotplug capable switch) --- drivers/pci/controller/dwc/pci-imx6.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/pci/controller/dwc/pci-imx6.c b/drivers/pci/controller/dwc/pci-imx6.c index 9754cc6e09b9..f5f2ac638f4b 100644 --- a/drivers/pci/controller/dwc/pci-imx6.c +++ b/drivers/pci/controller/dwc/pci-imx6.c @@ -860,7 +860,6 @@ static int imx95_pcie_core_reset(struct imx_pcie *imx_pcie, bool assert) static void imx_pcie_assert_core_reset(struct imx_pcie *imx_pcie) { reset_control_assert(imx_pcie->pciephy_reset); - reset_control_assert(imx_pcie->apps_reset); if (imx_pcie->drvdata->core_reset) imx_pcie->drvdata->core_reset(imx_pcie, true); @@ -872,7 +871,6 @@ static void imx_pcie_assert_core_reset(struct imx_pcie *imx_pcie) static int imx_pcie_deassert_core_reset(struct imx_pcie *imx_pcie) { reset_control_deassert(imx_pcie->pciephy_reset); - reset_control_deassert(imx_pcie->apps_reset); if (imx_pcie->drvdata->core_reset) imx_pcie->drvdata->core_reset(imx_pcie, false); @@ -1247,6 +1245,9 @@ static int imx_pcie_host_init(struct dw_pcie_rp *pp) } } + /* Make sure that PCIe LTSSM is cleared */ + imx_pcie_ltssm_disable(dev); + ret = imx_pcie_deassert_core_reset(imx_pcie); if (ret < 0) { dev_err(dev, "pcie deassert core reset failed: %d\n", ret); -- 2.37.1

4 months, 2 weeks

1
0
0 0

+ mm-damon-core-commit-damos-target_nid.patch added to mm-new branch

by Andrew Morton

The patch titled Subject: mm/damon/core: commit damos->target_nid has been added to the -mm mm-new branch. Its filename is mm-damon-core-commit-damos-target_nid.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-new branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Note, mm-new is a provisional staging ground for work-in-progress patches, and acceptance into mm-new is a notification for others take notice and to finish up reviews. Please do not hesitate to respond to review feedback and post updated versions to replace or incrementally fixup patches in mm-new. Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Bijan Tabatabai <bijantabatab(a)micron.com> Subject: mm/damon/core: commit damos->target_nid Date: Tue, 8 Jul 2025 19:47:29 -0500 When committing new scheme parameters from the sysfs, the target_nid field of the damos struct would not be copied. This would result in the target_nid field to retain its original value, despite being updated in the sysfs interface. This patch fixes this issue by copying target_nid in damos_commit(). Link: https://lkml.kernel.org/r/20250709004729.17252-1-bijan311@gmail.com Fixes: 83dc7bbaecae ("mm/damon/sysfs: use damon_commit_ctx()") Signed-off-by: Bijan Tabatabai <bijantabatab(a)micron.com> Cc: Jonathan Corbet <corbet(a)lwn.net> Cc: Ravi Shankar Jonnalagadda <ravis.opensrc(a)micron.com> Cc: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 1 + 1 file changed, 1 insertion(+) --- a/mm/damon/core.c~mm-damon-core-commit-damos-target_nid +++ a/mm/damon/core.c @@ -978,6 +978,7 @@ static int damos_commit(struct damos *ds return err; dst->wmarks = src->wmarks; + dst->target_nid = src->target_nid; err = damos_commit_filters(dst, src); return err; _ Patches currently in -mm which might be from bijantabatab(a)micron.com are mm-damon-core-commit-damos-target_nid.patch mm-damon-core-commit-damos-migrate_dests.patch mm-damon-move-migration-helpers-from-paddr-to-ops-common.patch mm-damon-vaddr-add-vaddr-versions-of-migrate_hotcold.patch docs-mm-damon-design-document-vaddr-support-for-migrate_hotcold.patch mm-damon-vaddr-use-damos-migrate_dests-in-migrate_hotcold.patch mm-damon-move-folio-filtering-from-paddr-to-ops-common.patch mm-damon-vaddr-apply-filters-in-migrate_hot-cold.patch

4 months, 2 weeks

1
0
0 0

[PATCH] mm/damon/core: Commit damos->target_nid

by Bijan Tabatabai

From: Bijan Tabatabai <bijantabatab(a)micron.com> When committing new scheme parameters from the sysfs, the target_nid field of the damos struct would not be copied. This would result in the target_nid field to retain its original value, despite being updated in the sysfs interface. This patch fixes this issue by copying target_nid in damos_commit(). Cc: stable(a)vger.kernel.org Fixes: 83dc7bbaecae ("mm/damon/sysfs: use damon_commit_ctx()") Signed-off-by: Bijan Tabatabai <bijantabatab(a)micron.com> --- mm/damon/core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/mm/damon/core.c b/mm/damon/core.c index 5357a18066b0..ab28ab5d08f6 100644 --- a/mm/damon/core.c +++ b/mm/damon/core.c @@ -978,6 +978,7 @@ static int damos_commit(struct damos *dst, struct damos *src) return err; dst->wmarks = src->wmarks; + dst->target_nid = src->target_nid; err = damos_commit_filters(dst, src); return err; -- 2.43.0

4 months, 2 weeks

2
1
0 0

+ selftests-mm-fix-split_huge_page_test-for-folio_split-tests.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: selftests/mm: fix split_huge_page_test for folio_split() tests. has been added to the -mm mm-hotfixes-unstable branch. Its filename is selftests-mm-fix-split_huge_page_test-for-folio_split-tests.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Zi Yan <ziy(a)nvidia.com> Subject: selftests/mm: fix split_huge_page_test for folio_split() tests. Date: Tue, 8 Jul 2025 21:27:59 -0400 PID_FMT does not have an offset field, so folio_split() tests are not performed. Add PID_FMT_OFFSET with an offset field and use it to perform folio_split() tests. Link: https://lkml.kernel.org/r/20250709012800.3225727-1-ziy@nvidia.com Fixes: 80a5c494c89f ("selftests/mm: add tests for folio_split(), buddy allocator like split") Signed-off-by: Zi Yan <ziy(a)nvidia.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Barry Song <baohua(a)kernel.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: Dev Jain <dev.jain(a)arm.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Mariano Pache <npache(a)redhat.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Shuah Khan <shuah(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/testing/selftests/mm/split_huge_page_test.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/tools/testing/selftests/mm/split_huge_page_test.c~selftests-mm-fix-split_huge_page_test-for-folio_split-tests +++ a/tools/testing/selftests/mm/split_huge_page_test.c @@ -31,6 +31,7 @@ uint64_t pmd_pagesize; #define INPUT_MAX 80 #define PID_FMT "%d,0x%lx,0x%lx,%d" +#define PID_FMT_OFFSET "%d,0x%lx,0x%lx,%d,%d" #define PATH_FMT "%s,0x%lx,0x%lx,%d" #define PFN_MASK ((1UL<<55)-1) @@ -483,7 +484,7 @@ void split_thp_in_pagecache_to_order_at( write_debugfs(PID_FMT, getpid(), (uint64_t)addr, (uint64_t)addr + fd_size, order); else - write_debugfs(PID_FMT, getpid(), (uint64_t)addr, + write_debugfs(PID_FMT_OFFSET, getpid(), (uint64_t)addr, (uint64_t)addr + fd_size, order, offset); for (i = 0; i < fd_size; i++) _ Patches currently in -mm which might be from ziy(a)nvidia.com are selftests-mm-fix-split_huge_page_test-for-folio_split-tests.patch mm-rename-config_page_block_order-to-config_page_block_max_order.patch mm-page_alloc-pageblock-flags-functions-clean-up.patch mm-page_isolation-make-page-isolation-a-standalone-bit.patch mm-page_alloc-add-support-for-initializing-pageblock-as-isolated.patch mm-page_isolation-remove-migratetype-from-move_freepages_block_isolate.patch mm-page_isolation-remove-migratetype-from-undo_isolate_page_range.patch mm-page_isolation-remove-migratetype-parameter-from-more-functions.patch

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: userfaultfd: fix race of userfaultfd_move and swap cache" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 0ea148a799198518d8ebab63ddd0bb6114a103bc # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025063052-strive-fabulous-239b@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0ea148a799198518d8ebab63ddd0bb6114a103bc Mon Sep 17 00:00:00 2001 From: Kairui Song <kasong(a)tencent.com> Date: Wed, 4 Jun 2025 23:10:38 +0800 Subject: [PATCH] mm: userfaultfd: fix race of userfaultfd_move and swap cache This commit fixes two kinds of races, they may have different results: Barry reported a BUG_ON in commit c50f8e6053b0, we may see the same BUG_ON if the filemap lookup returned NULL and folio is added to swap cache after that. If another kind of race is triggered (folio changed after lookup) we may see RSS counter is corrupted: [ 406.893936] BUG: Bad rss-counter state mm:ffff0000c5a9ddc0 type:MM_ANONPAGES val:-1 [ 406.894071] BUG: Bad rss-counter state mm:ffff0000c5a9ddc0 type:MM_SHMEMPAGES val:1 Because the folio is being accounted to the wrong VMA. I'm not sure if there will be any data corruption though, seems no. The issues above are critical already. On seeing a swap entry PTE, userfaultfd_move does a lockless swap cache lookup, and tries to move the found folio to the faulting vma. Currently, it relies on checking the PTE value to ensure that the moved folio still belongs to the src swap entry and that no new folio has been added to the swap cache, which turns out to be unreliable. While working and reviewing the swap table series with Barry, following existing races are observed and reproduced [1]: In the example below, move_pages_pte is moving src_pte to dst_pte, where src_pte is a swap entry PTE holding swap entry S1, and S1 is not in the swap cache: CPU1 CPU2 userfaultfd_move move_pages_pte() entry = pte_to_swp_entry(orig_src_pte); // Here it got entry = S1 ... < interrupted> ... <swapin src_pte, alloc and use folio A> // folio A is a new allocated folio // and get installed into src_pte <frees swap entry S1> // src_pte now points to folio A, S1 // has swap count == 0, it can be freed // by folio_swap_swap or swap // allocator's reclaim. <try to swap out another folio B> // folio B is a folio in another VMA. <put folio B to swap cache using S1 > // S1 is freed, folio B can use it // for swap out with no problem. ... folio = filemap_get_folio(S1) // Got folio B here !!! ... < interrupted again> ... <swapin folio B and free S1> // Now S1 is free to be used again. <swapout src_pte & folio A using S1> // Now src_pte is a swap entry PTE // holding S1 again. folio_trylock(folio) move_swap_pte double_pt_lock is_pte_pages_stable // Check passed because src_pte == S1 folio_move_anon_rmap(...) // Moved invalid folio B here !!! The race window is very short and requires multiple collisions of multiple rare events, so it's very unlikely to happen, but with a deliberately constructed reproducer and increased time window, it can be reproduced easily. This can be fixed by checking if the folio returned by filemap is the valid swap cache folio after acquiring the folio lock. Another similar race is possible: filemap_get_folio may return NULL, but folio (A) could be swapped in and then swapped out again using the same swap entry after the lookup. In such a case, folio (A) may remain in the swap cache, so it must be moved too: CPU1 CPU2 userfaultfd_move move_pages_pte() entry = pte_to_swp_entry(orig_src_pte); // Here it got entry = S1, and S1 is not in swap cache folio = filemap_get_folio(S1) // Got NULL ... < interrupted again> ... <swapin folio A and free S1> <swapout folio A re-using S1> move_swap_pte double_pt_lock is_pte_pages_stable // Check passed because src_pte == S1 folio_move_anon_rmap(...) // folio A is ignored !!! Fix this by checking the swap cache again after acquiring the src_pte lock. And to avoid the filemap overhead, we check swap_map directly [2]. The SWP_SYNCHRONOUS_IO path does make the problem more complex, but so far we don't need to worry about that, since folios can only be exposed to the swap cache in the swap out path, and this is covered in this patch by checking the swap cache again after acquiring the src_pte lock. Testing with a simple C program that allocates and moves several GB of memory did not show any observable performance change. Link: https://lkml.kernel.org/r/20250604151038.21968-1-ryncsn@gmail.com Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI") Signed-off-by: Kairui Song <kasong(a)tencent.com> Closes: https://lore.kernel.org/linux-mm/CAMgjq7B1K=6OOrK2OUZ0-tqCzi+EJt+2_K97TPGoS… [1] Link: https://lore.kernel.org/all/CAGsJ_4yJhJBo16XhiC-nUzSheyX-V3-nFE+tAi=8Y560K8… [2] Reviewed-by: Lokesh Gidra <lokeshgidra(a)google.com> Acked-by: Peter Xu <peterx(a)redhat.com> Reviewed-by: Suren Baghdasaryan <surenb(a)google.com> Reviewed-by: Barry Song <baohua(a)kernel.org> Reviewed-by: Chris Li <chrisl(a)kernel.org> Cc: Andrea Arcangeli <aarcange(a)redhat.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Kairui Song <kasong(a)tencent.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c index bc473ad21202..8253978ee0fb 100644 --- a/mm/userfaultfd.c +++ b/mm/userfaultfd.c @@ -1084,8 +1084,18 @@ static int move_swap_pte(struct mm_struct *mm, struct vm_area_struct *dst_vma, pte_t orig_dst_pte, pte_t orig_src_pte, pmd_t *dst_pmd, pmd_t dst_pmdval, spinlock_t *dst_ptl, spinlock_t *src_ptl, - struct folio *src_folio) + struct folio *src_folio, + struct swap_info_struct *si, swp_entry_t entry) { + /* + * Check if the folio still belongs to the target swap entry after + * acquiring the lock. Folio can be freed in the swap cache while + * not locked. + */ + if (src_folio && unlikely(!folio_test_swapcache(src_folio) || + entry.val != src_folio->swap.val)) + return -EAGAIN; + double_pt_lock(dst_ptl, src_ptl); if (!is_pte_pages_stable(dst_pte, src_pte, orig_dst_pte, orig_src_pte, @@ -1102,6 +1112,25 @@ static int move_swap_pte(struct mm_struct *mm, struct vm_area_struct *dst_vma, if (src_folio) { folio_move_anon_rmap(src_folio, dst_vma); src_folio->index = linear_page_index(dst_vma, dst_addr); + } else { + /* + * Check if the swap entry is cached after acquiring the src_pte + * lock. Otherwise, we might miss a newly loaded swap cache folio. + * + * Check swap_map directly to minimize overhead, READ_ONCE is sufficient. + * We are trying to catch newly added swap cache, the only possible case is + * when a folio is swapped in and out again staying in swap cache, using the + * same entry before the PTE check above. The PTL is acquired and released + * twice, each time after updating the swap_map's flag. So holding + * the PTL here ensures we see the updated value. False positive is possible, + * e.g. SWP_SYNCHRONOUS_IO swapin may set the flag without touching the + * cache, or during the tiny synchronization window between swap cache and + * swap_map, but it will be gone very quickly, worst result is retry jitters. + */ + if (READ_ONCE(si->swap_map[swp_offset(entry)]) & SWAP_HAS_CACHE) { + double_pt_unlock(dst_ptl, src_ptl); + return -EAGAIN; + } } orig_src_pte = ptep_get_and_clear(mm, src_addr, src_pte); @@ -1412,7 +1441,7 @@ static int move_pages_pte(struct mm_struct *mm, pmd_t *dst_pmd, pmd_t *src_pmd, } err = move_swap_pte(mm, dst_vma, dst_addr, src_addr, dst_pte, src_pte, orig_dst_pte, orig_src_pte, dst_pmd, dst_pmdval, - dst_ptl, src_ptl, src_folio); + dst_ptl, src_ptl, src_folio, si, entry); } out:

4 months, 2 weeks

3
2
0 0

Online support team

by hdhdjsgshsjs222＠gmail.com

Hello stable(a)vger.kernel.org Here is your Invoice details.

4 months, 2 weeks

1
0
0 0

[PATCH 2/2] crypto: x86/aegis - Add missing error checks

by Eric Biggers

The skcipher_walk functions can allocate memory and can fail, so checking for errors is necessary. Fixes: 1d373d4e8e15 ("crypto: x86 - Add optimized AEGIS implementations") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- arch/x86/crypto/aegis128-aesni-glue.c | 36 +++++++++++++++++++-------- 1 file changed, 25 insertions(+), 11 deletions(-) diff --git a/arch/x86/crypto/aegis128-aesni-glue.c b/arch/x86/crypto/aegis128-aesni-glue.c index 3cb5c193038bb..f1adfba1a76ea 100644 --- a/arch/x86/crypto/aegis128-aesni-glue.c +++ b/arch/x86/crypto/aegis128-aesni-glue.c @@ -102,14 +102,16 @@ static void crypto_aegis128_aesni_process_ad( memset(buf.bytes + pos, 0, AEGIS128_BLOCK_SIZE - pos); aegis128_aesni_ad(state, buf.bytes, AEGIS128_BLOCK_SIZE); } } -static __always_inline void +static __always_inline int crypto_aegis128_aesni_process_crypt(struct aegis_state *state, struct skcipher_walk *walk, bool enc) { + int err = 0; + while (walk->nbytes >= AEGIS128_BLOCK_SIZE) { if (enc) aegis128_aesni_enc(state, walk->src.virt.addr, walk->dst.virt.addr, round_down(walk->nbytes, @@ -118,11 +120,12 @@ crypto_aegis128_aesni_process_crypt(struct aegis_state *state, aegis128_aesni_dec(state, walk->src.virt.addr, walk->dst.virt.addr, round_down(walk->nbytes, AEGIS128_BLOCK_SIZE)); kernel_fpu_end(); - skcipher_walk_done(walk, walk->nbytes % AEGIS128_BLOCK_SIZE); + err = skcipher_walk_done(walk, + walk->nbytes % AEGIS128_BLOCK_SIZE); kernel_fpu_begin(); } if (walk->nbytes) { if (enc) @@ -132,13 +135,14 @@ crypto_aegis128_aesni_process_crypt(struct aegis_state *state, else aegis128_aesni_dec_tail(state, walk->src.virt.addr, walk->dst.virt.addr, walk->nbytes); kernel_fpu_end(); - skcipher_walk_done(walk, 0); + err = skcipher_walk_done(walk, 0); kernel_fpu_begin(); } + return err; } static struct aegis_ctx *crypto_aegis128_aesni_ctx(struct crypto_aead *aead) { u8 *ctx = crypto_aead_ctx(aead); @@ -167,43 +171,50 @@ static int crypto_aegis128_aesni_setauthsize(struct crypto_aead *tfm, if (authsize < AEGIS128_MIN_AUTH_SIZE) return -EINVAL; return 0; } -static __always_inline void +static __always_inline int crypto_aegis128_aesni_crypt(struct aead_request *req, struct aegis_block *tag_xor, unsigned int cryptlen, bool enc) { struct crypto_aead *tfm = crypto_aead_reqtfm(req); struct aegis_ctx *ctx = crypto_aegis128_aesni_ctx(tfm); struct skcipher_walk walk; struct aegis_state state; + int err; if (enc) - skcipher_walk_aead_encrypt(&walk, req, false); + err = skcipher_walk_aead_encrypt(&walk, req, false); else - skcipher_walk_aead_decrypt(&walk, req, false); + err = skcipher_walk_aead_decrypt(&walk, req, false); + if (err) + return err; kernel_fpu_begin(); aegis128_aesni_init(&state, &ctx->key, req->iv); crypto_aegis128_aesni_process_ad(&state, req->src, req->assoclen); - crypto_aegis128_aesni_process_crypt(&state, &walk, enc); - aegis128_aesni_final(&state, tag_xor, req->assoclen, cryptlen); - + err = crypto_aegis128_aesni_process_crypt(&state, &walk, enc); + if (err == 0) + aegis128_aesni_final(&state, tag_xor, req->assoclen, cryptlen); kernel_fpu_end(); + return err; } static int crypto_aegis128_aesni_encrypt(struct aead_request *req) { struct crypto_aead *tfm = crypto_aead_reqtfm(req); struct aegis_block tag = {}; unsigned int authsize = crypto_aead_authsize(tfm); unsigned int cryptlen = req->cryptlen; + int err; - crypto_aegis128_aesni_crypt(req, &tag, cryptlen, true); + err = crypto_aegis128_aesni_crypt(req, &tag, cryptlen, true); + if (err) + return err; scatterwalk_map_and_copy(tag.bytes, req->dst, req->assoclen + cryptlen, authsize, 1); return 0; } @@ -214,15 +225,18 @@ static int crypto_aegis128_aesni_decrypt(struct aead_request *req) struct crypto_aead *tfm = crypto_aead_reqtfm(req); struct aegis_block tag; unsigned int authsize = crypto_aead_authsize(tfm); unsigned int cryptlen = req->cryptlen - authsize; + int err; scatterwalk_map_and_copy(tag.bytes, req->src, req->assoclen + cryptlen, authsize, 0); - crypto_aegis128_aesni_crypt(req, &tag, cryptlen, false); + err = crypto_aegis128_aesni_crypt(req, &tag, cryptlen, false); + if (err) + return err; return crypto_memneq(tag.bytes, zeros.bytes, authsize) ? -EBADMSG : 0; } static struct aead_alg crypto_aegis128_aesni_alg = { -- 2.50.0

4 months, 2 weeks

1
0
0 0

[PATCH 1/2] crypto: x86/aegis - Fix sleeping when disallowed on PREEMPT_RT

by Eric Biggers

skcipher_walk_done() can call kfree(), which takes a spinlock, which makes it incorrect to call while preemption is disabled on PREEMPT_RT. Therefore, end the kernel-mode FPU section before calling skcipher_walk_done(), and restart it afterwards. Moreover, pass atomic=false to skcipher_walk_aead_encrypt() instead of atomic=true. The point of atomic=true was to make skcipher_walk_done() safe to call while in a kernel-mode FPU section, but that does not actually work. So just use the usual atomic=false. Fixes: 1d373d4e8e15 ("crypto: x86 - Add optimized AEGIS implementations") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- arch/x86/crypto/aegis128-aesni-glue.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/arch/x86/crypto/aegis128-aesni-glue.c b/arch/x86/crypto/aegis128-aesni-glue.c index f1b6d40154e35..3cb5c193038bb 100644 --- a/arch/x86/crypto/aegis128-aesni-glue.c +++ b/arch/x86/crypto/aegis128-aesni-glue.c @@ -117,11 +117,13 @@ crypto_aegis128_aesni_process_crypt(struct aegis_state *state, else aegis128_aesni_dec(state, walk->src.virt.addr, walk->dst.virt.addr, round_down(walk->nbytes, AEGIS128_BLOCK_SIZE)); + kernel_fpu_end(); skcipher_walk_done(walk, walk->nbytes % AEGIS128_BLOCK_SIZE); + kernel_fpu_begin(); } if (walk->nbytes) { if (enc) aegis128_aesni_enc_tail(state, walk->src.virt.addr, @@ -129,11 +131,13 @@ crypto_aegis128_aesni_process_crypt(struct aegis_state *state, walk->nbytes); else aegis128_aesni_dec_tail(state, walk->src.virt.addr, walk->dst.virt.addr, walk->nbytes); + kernel_fpu_end(); skcipher_walk_done(walk, 0); + kernel_fpu_begin(); } } static struct aegis_ctx *crypto_aegis128_aesni_ctx(struct crypto_aead *aead) { @@ -174,13 +178,13 @@ crypto_aegis128_aesni_crypt(struct aead_request *req, struct aegis_ctx *ctx = crypto_aegis128_aesni_ctx(tfm); struct skcipher_walk walk; struct aegis_state state; if (enc) - skcipher_walk_aead_encrypt(&walk, req, true); + skcipher_walk_aead_encrypt(&walk, req, false); else - skcipher_walk_aead_decrypt(&walk, req, true); + skcipher_walk_aead_decrypt(&walk, req, false); kernel_fpu_begin(); aegis128_aesni_init(&state, &ctx->key, req->iv); crypto_aegis128_aesni_process_ad(&state, req->src, req->assoclen); -- 2.50.0

4 months, 2 weeks

1
0
0 0

[REGRESSION] stable-rc/linux-5.15.y: (build) undefined reference to `cpu_show_tsa' in drivers/base/cpu (drivers...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-5.15.y: --- undefined reference to `cpu_show_tsa' in drivers/base/cpu (drivers/base/cpu.c) [logspec:kbuild,kbuild.compiler.linker_error] --- - dashboard: https://d.kernelci.org/i/maestro:64dffa8d7ec37a4cc39ef1929ca500d06c7d1ab1 - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: 57a10c76a9922f216165558513b1e0f5a2eae559 Log excerpt: ===================================================== arm-linux-gnueabihf-ld: drivers/base/cpu.o: in function `.LANCHOR2': cpu.c:(.data+0xbc): undefined reference to `cpu_show_tsa' ===================================================== # Builds where the incident occurred: ## multi_v7_defconfig on (arm): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:686d492434612746bbb51ead #kernelci issue maestro:64dffa8d7ec37a4cc39ef1929ca500d06c7d1ab1 Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

4 months, 2 weeks

1
0
0 0

[PATCH 5.15 000/160] 5.15.187-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.15.187 release. There are 160 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 10 Jul 2025 18:08:52 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.187-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.15.187-rc2 Borislav Petkov (AMD) <bp(a)alien8.de> x86/process: Move the buffer clearing before MONITOR Borislav Petkov (AMD) <bp(a)alien8.de> KVM: SVM: Advertise TSA CPUID bits to guests Paolo Bonzini <pbonzini(a)redhat.com> KVM: x86: add support for CPUID leaf 0x80000021 Borislav Petkov (AMD) <bp(a)alien8.de> x86/bugs: Add a Transient Scheduler Attacks mitigation Borislav Petkov (AMD) <bp(a)alien8.de> x86/bugs: Rename MDS machinery to something more generic Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: displayport: Fix potential deadlock Kurt Borja <kuurtb(a)gmail.com> platform/x86: think-lmi: Create ksets consecutively Oliver Neukum <oneukum(a)suse.com> Logitech C-270 even more broken Michael J. Ruhl <michael.j.ruhl(a)intel.com> i2c/designware: Fix an initialization issue Peter Chen <peter.chen(a)cixtech.com> usb: cdnsp: do not disable slot for disabled slot Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: Flush queued requests before stopping dbc Łukasz Bartosik <ukaszb(a)chromium.org> xhci: dbctty: disable ECHO flag by default Kurt Borja <kuurtb(a)gmail.com> platform/x86: dell-wmi-sysman: Fix class device unregistration Kurt Borja <kuurtb(a)gmail.com> platform/x86: think-lmi: Fix class device unregistration Fushuai Wang <wangfushuai(a)baidu.com> dpaa2-eth: fix xdp_rxq_info leak Ioana Ciornei <ioana.ciornei(a)nxp.com> net: dpaa2-eth: rearrange variable in dpaa2_eth_get_ethtool_stats Radu Bulie <radu-andrei.bulie(a)nxp.com> dpaa2-eth: Update SINGLE_STEP register access Radu Bulie <radu-andrei.bulie(a)nxp.com> dpaa2-eth: Update dpni_get_single_step_cfg command Thomas Fourier <fourier.thomas(a)gmail.com> ethernet: atl1: Add missing DMA mapping error checks and count errors Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4/flexfiles: Fix handling of NFS level errors in I/O Maíra Canal <mcanal(a)igalia.com> drm/v3d: Disable interrupts before resetting the GPU Manivannan Sadhasivam <mani(a)kernel.org> regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods Jerome Neanne <jneanne(a)baylibre.com> regulator: gpio: Add input_supply support in gpio_regulator_config Avri Altman <avri.altman(a)sandisk.com> mmc: core: sd: Apply BROKEN_SD_DISCARD quirk earlier Uladzislau Rezki (Sony) <urezki(a)gmail.com> rcu: Return early if callback is not specified Pablo Martin-Gomez <pmartin-gomez(a)freebox.fr> mtd: spinand: fix memory leak of ECC engine conf Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> ACPICA: Refuse to evaluate a method if arguments are missing Johannes Berg <johannes.berg(a)intel.com> wifi: ath6kl: remove WARN on bad firmware input Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: drop invalid source address OCB frames Maurizio Lombardi <mlombard(a)redhat.com> scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() Madhavan Srinivasan <maddy(a)linux.ibm.com> powerpc: Fix struct termio related ioctl macros Johannes Berg <johannes.berg(a)intel.com> ata: pata_cs5536: fix build on 32-bit UML Takashi Iwai <tiwai(a)suse.de> ALSA: sb: Force to disable DMAs once when DMA mode is changed Takashi Iwai <tiwai(a)suse.de> ALSA: sb: Don't allow changing the DMA mode during operations Rob Clark <robdclark(a)chromium.org> drm/msm: Fix a fence leak in submit error path Lion Ackermann <nnamrec(a)gmail.com> net/sched: Always pass notifications when child class becomes empty Thomas Fourier <fourier.thomas(a)gmail.com> nui: Fix dma_mapping_error() check Kohei Enju <enjuk(a)amazon.com> rose: fix dangling neighbour pointers in rose_rt_device_down() Alok Tiwari <alok.a.tiwari(a)oracle.com> enic: fix incorrect MTU comparison in enic_change_mtu() Raju Rangoju <Raju.Rangoju(a)amd.com> amd-xgbe: align CL37 AN sequence as per databook Dan Carpenter <dan.carpenter(a)linaro.org> lib: test_objagg: Set error message in check_expect_hints_stats() Vitaly Lifshits <vitaly.lifshits(a)intel.com> igc: disable L1.2 PCI-E link substate to avoid performance issue Janusz Krzysztofik <janusz.krzysztofik(a)linux.intel.com> drm/i915/gt: Fix timeline left held on VMA alloc error Kurt Borja <kuurtb(a)gmail.com> platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks Dan Carpenter <dan.carpenter(a)linaro.org> drm/i915/selftests: Change mock_request() to return error pointers James Clark <james.clark(a)linaro.org> spi: spi-fsl-dspi: Clear completion counter before initiating transfer Marek Szyprowski <m.szyprowski(a)samsung.com> drm/exynos: fimd: Guard display clock control with runtime PM calls Filipe Manana <fdmanana(a)suse.com> btrfs: fix missing error handling when searching for inode refs during log replay Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix CC counters query for MPV Bart Van Assche <bvanassche(a)acm.org> scsi: ufs: core: Fix spelling of a sysfs attribute name Thomas Fourier <fourier.thomas(a)gmail.com> scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() Thomas Fourier <fourier.thomas(a)gmail.com> scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database() Benjamin Coddington <bcodding(a)redhat.com> NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN Kuniyuki Iwashima <kuniyu(a)google.com> nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails. Mark Zhang <markzhang(a)nvidia.com> RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert David Thompson <davthompson(a)nvidia.com> platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment Sergey Senozhatsky <senozhatsky(a)chromium.org> mtk-sd: reset host->mrq on prepare_data() error Masami Hiramatsu (Google) <mhiramat(a)kernel.org> mtk-sd: Prevent memory corruption from DMA map failure Masami Hiramatsu (Google) <mhiramat(a)kernel.org> mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data RD Babiera <rdbabiera(a)google.com> usb: typec: altmodes/displayport: do not index invalid pin_assignments Ulf Hansson <ulf.hansson(a)linaro.org> Revert "mmc: sdhci: Disable SD card clock before changing parameters" Victor Shih <victor.shih(a)genesyslogic.com.tw> mmc: sdhci: Add a helper function for dump register in dynamic debug mode HarshaVardhana S A <harshavardhana.sa(a)broadcom.com> vsock/vmci: Clear the vmci transport packet properly when initializing it Mateusz Jończyk <mat.jonczyk(a)o2.pl> rtc: cmos: use spin_lock_irqsave in cmos_interrupt Geert Uytterhoeven <geert+renesas(a)glider.be> ARM: 9354/1: ptrace: Use bitfield helpers Josef Bacik <josef(a)toxicpanda.com> btrfs: don't drop extent_map for free space inode on write error Dev Jain <dev.jain(a)arm.com> arm64: Restrict pagetable teardown to avoid false warning Brett A C Sheffield (Librecast) <bacs(a)librecast.net> Revert "ipv6: save dontfrag in cork" Nathan Chancellor <nathan(a)kernel.org> s390: Add '-std=gnu11' to decompressor and purgatory CFLAGS Heiko Carstens <hca(a)linux.ibm.com> s390/entry: Fix last breaking event handling in case of stack corruption Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Rollback non processed entities on error Dexuan Cui <decui(a)microsoft.com> PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time Wentao Liang <vulab(a)iscas.ac.cn> drm/amd/display: Add null pointer check for get_first_active_display() Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Check return value when getting default PHY config Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix connecting to next bridge Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() Jay Cornwall <jay.cornwall(a)amd.com> drm/amdkfd: Fix race in GWS queue scheduling Thomas Zimmermann <tzimmermann(a)suse.de> drm/udl: Unregister device before cleaning up on disconnect Qiu-ji Chen <chenqiuji666(a)gmail.com> drm/tegra: Fix a possible null pointer dereference Thierry Reding <treding(a)nvidia.com> drm/tegra: Assign plane type before registration Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix kobject reference count leak Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix memory leak on sysfs attribute creation failure Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix memory leak on kobject creation failure Mark Harmstone <maharmstone(a)fb.com> btrfs: update superblock's device bytes_used when dropping chunk Heinz Mauelshagen <heinzm(a)redhat.com> dm-raid: fix variable in journal device check Frédéric Danis <frederic.danis(a)collabora.com> Bluetooth: L2CAP: Fix L2CAP MTU negotiation Yao Zi <ziyao(a)disroot.org> dt-bindings: serial: 8250: Make clocks and clock-frequency exclusive Nathan Chancellor <nathan(a)kernel.org> staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() Jakub Kicinski <kuba(a)kernel.org> net: selftests: fix TCP packet checksum Kuniyuki Iwashima <kuniyu(a)google.com> atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). Simon Horman <horms(a)kernel.org> net: enetc: Correct endianness handling in _enetc_rd_reg64 Tiwei Bie <tiwei.btw(a)antgroup.com> um: ubd: Add missing error check in start_io_thread() Stefano Garzarella <sgarzare(a)redhat.com> vsock/uapi: fix linux/vm_sockets.h userspace compilation errors Kuniyuki Iwashima <kuniyu(a)google.com> af_unix: Don't set -ECONNRESET for consumed OOB skb. Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: fix beacon interval calculation overflow Yuan Chen <chenyuan(a)kylinos.cn> libbpf: Fix null pointer dereference in btf_dump__free on allocation failure Al Viro <viro(a)zeniv.linux.org.uk> attach_recursive_mnt(): do not lock the covering tree when sliding something under it Youngjun Lee <yjjuny.lee(a)samsung.com> ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() Eric Dumazet <edumazet(a)google.com> atm: clip: prevent NULL deref in clip_push() Fedor Pchelkin <pchelkin(a)ispras.ru> s390/pkey: Prevent overflow in size calculation for memdup_user() Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: robotfuzz-osif: disable zero-length read messages Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: tiny-usb: disable zero-length read messages Rong Zhang <i(a)rong.moe> platform/x86: ideapad-laptop: use usleep_range() for EC polling Thomas Zimmermann <tzimmermann(a)suse.de> dummycon: Trigger redraw when switching consoles with deferred takeover Jiri Slaby (SUSE) <jirislaby(a)kernel.org> tty: vt: make consw::con_switch() return a bool Jiri Slaby (SUSE) <jirislaby(a)kernel.org> tty: vt: sanitize arguments of consw::con_clear() Jiri Slaby (SUSE) <jirislaby(a)kernel.org> tty: vt: make init parameter of consw::con_init() a bool Jiri Slaby (SUSE) <jirislaby(a)kernel.org> vgacon: remove unneeded forward declarations Jiri Slaby (SUSE) <jirislaby(a)kernel.org> vgacon: switch vgacon_scrolldelta() and vgacon_restore_screen() Jiri Slaby <jirislaby(a)kernel.org> tty/vt: consolemap: rename and document struct uni_pagedir Daniel Vetter <daniel.vetter(a)ffwll.ch> fbcon: delete a few unneeded forward decl Long Li <longli(a)microsoft.com> uio_hv_generic: Align ring size to system page Saurabh Sengar <ssengar(a)linux.microsoft.com> uio_hv_generic: Query the ringbuffer size for device Saurabh Sengar <ssengar(a)linux.microsoft.com> Drivers: hv: vmbus: Add utility function for querying ring size Vitaly Kuznetsov <vkuznets(a)redhat.com> Drivers: hv: Rename 'alloced' to 'allocated' Murad Masimov <m.masimov(a)mt-integration.ru> fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var Daniel Vetter <daniel.vetter(a)ffwll.ch> fbcon: Move console_lock for register/unlink/unregister Daniel Vetter <daniel.vetter(a)ffwll.ch> fbcon: use lock_fb_info in fbcon_open/release Daniel Vetter <daniel.vetter(a)ffwll.ch> fbcon: move more common code into fb_open() Daniel Vetter <daniel.vetter(a)ffwll.ch> fbcon: Extract fbcon_open/release helpers Daniel Vetter <daniel.vetter(a)ffwll.ch> fbcon: Use delayed work for cursor Chao Yu <chao(a)kernel.org> f2fs: don't over-report free space or inodes in statvfs Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: codecs: wcd9335: Fix missing free of regulator supplies Peng Fan <peng.fan(a)nxp.com> ASoC: codec: wcd9335: Convert to GPIO descriptors Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: codecs: wcd9335: Handle nicer probe deferral and simplify with dev_err_probe() Matti Vaittinen <mazziesaccount(a)gmail.com> regulator: Add devm helpers for get and enable Douglas Anderson <dianders(a)chromium.org> regulator: core: Allow drivers to define their init data as const Ming Qian <ming.qian(a)oss.nxp.com> media: imx-jpeg: Drop the first error frames Miquel Raynal <miquel.raynal(a)bootlin.com> clk: ti: am43xx: Add clkctrl data for am43xx ADC1 Marek Szyprowski <m.szyprowski(a)samsung.com> media: omap3isp: use sgtable-based scatterlist wrappers Dmitry Nikiforov <Dm1tryNk(a)yandex.ru> media: davinci: vpif: Fix memory leak in probe error path Vasiliy Kovalev <kovalev(a)altlinux.org> jfs: validate AG parameters in dbMount() to prevent crashes Dave Kleikamp <dave.kleikamp(a)oracle.com> fs/jfs: consolidate sanity checking in dbMount Kees Cook <kees(a)kernel.org> ovl: Check for NULL d_inode() in ovl_dentry_upper() Dmitry Kandybka <d.kandybka(a)gmail.com> ceph: fix possible integer overflow in ceph_zero_objects() Mario Limonciello <mario.limonciello(a)amd.com> ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> ALSA: hda: Add new pci id for AMD GPU display HD audio controller Cezary Rojewski <cezary.rojewski(a)intel.com> ALSA: hda: Ignore unsol events for cards being shut down Jos Wang <joswang(a)lenovo.com> usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode Robert Hodaszi <robert.hodaszi(a)digi.com> usb: cdc-wdm: avoid setting WDM_READ for ZLP-s Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> usb: Add checks for snprintf() calls in usb_alloc_dev() Chance Yang <chance.yang(a)kneron.us> usb: common: usb-conn-gpio: use a unique name for usb connector device Jakub Lewalski <jakub.lewalski(a)nokia.com> tty: serial: uartlite: register uart driver in init Chen Yufeng <chenyufeng(a)iie.ac.cn> usb: potential integer overflow in usbg_make_tpg() Michael Grzeschik <m.grzeschik(a)pengutronix.de> usb: dwc2: also exit clock_gating when stopping udc while suspended James Clark <james.clark(a)linaro.org> coresight: Only check bottom two claim bits Sami Tolvanen <samitolvanen(a)google.com> um: Add cmpxchg8b_emu and checksum functions to asm-prototypes.h Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: pressure: zpa2326: Use aligned_s64 for the timestamp Linggang Zeng <linggang.zeng(a)easystack.cn> bcache: fix NULL pointer in cache_set_flush() Yu Kuai <yukuai3(a)huawei.com> md/md-bitmap: fix dm-raid max_write_behind setting Thomas Gessler <thomas.gessler(a)brueckmann-gmbh.de> dmaengine: xilinx_dma: Set dma_device directions Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: allow a filename to contain special characters on SMB3.1.1 posix extension Alexis Czezar Torreno <alexisczezar.torreno(a)analog.com> hwmon: (pmbus/max34440) Fix support for max34451 Sven Schwermer <sven.schwermer(a)disruptive-technologies.com> leds: multicolor: Fix intensity setting while SW blinking Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> mfd: max14577: Fix wakeup source leaks on device unbind Peng Fan <peng.fan(a)nxp.com> mailbox: Not protect module_put with spin_lock_irqsave Olga Kornievskaia <okorniev(a)redhat.com> NFSv4.2: fix listxattr to return selinux security label Han Young <hanyang.tony(a)bytedance.com> NFSv4: Always set NLINK even if the server doesn't support it Pali Rohár <pali(a)kernel.org> cifs: Fix cifs_query_path_info() for Windows NT servers ------------- Diffstat: Documentation/ABI/testing/sysfs-devices-system-cpu | 1 + Documentation/ABI/testing/sysfs-driver-ufs | 2 +- .../hw-vuln/processor_mmio_stale_data.rst | 4 +- Documentation/admin-guide/kernel-parameters.txt | 13 + Documentation/devicetree/bindings/serial/8250.yaml | 2 +- Makefile | 4 +- arch/arm/include/asm/ptrace.h | 5 +- arch/arm64/mm/mmu.c | 3 +- arch/powerpc/include/uapi/asm/ioctls.h | 8 +- arch/s390/Makefile | 2 +- arch/s390/kernel/entry.S | 2 +- arch/s390/purgatory/Makefile | 2 +- arch/um/drivers/ubd_user.c | 2 +- arch/um/include/asm/asm-prototypes.h | 5 + arch/x86/Kconfig | 9 + arch/x86/entry/entry.S | 8 +- arch/x86/include/asm/cpu.h | 13 + arch/x86/include/asm/cpufeatures.h | 6 + arch/x86/include/asm/irqflags.h | 4 +- arch/x86/include/asm/mwait.h | 19 +- arch/x86/include/asm/nospec-branch.h | 39 ++- arch/x86/kernel/cpu/amd.c | 58 ++++ arch/x86/kernel/cpu/bugs.c | 133 +++++++- arch/x86/kernel/cpu/common.c | 14 +- arch/x86/kernel/cpu/scattered.c | 2 + arch/x86/kernel/process.c | 15 +- arch/x86/kvm/cpuid.c | 25 +- arch/x86/kvm/reverse_cpuid.h | 8 + arch/x86/kvm/svm/vmenter.S | 6 + arch/x86/kvm/vmx/vmx.c | 2 +- arch/x86/um/asm/checksum.h | 3 + drivers/acpi/acpica/dsmethod.c | 7 + drivers/ata/pata_cs5536.c | 2 +- drivers/base/cpu.c | 7 + drivers/clk/ti/clk-43xx.c | 1 + drivers/dma/xilinx/xilinx_dma.c | 2 + drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c | 2 +- .../gpu/drm/amd/display/modules/hdcp/hdcp_psp.c | 3 + drivers/gpu/drm/bridge/cdns-dsi.c | 27 +- drivers/gpu/drm/exynos/exynos_drm_fimd.c | 12 + drivers/gpu/drm/i915/gt/intel_ring_submission.c | 3 +- drivers/gpu/drm/i915/selftests/i915_request.c | 20 +- drivers/gpu/drm/i915/selftests/mock_request.c | 2 +- drivers/gpu/drm/msm/msm_gem_submit.c | 9 + drivers/gpu/drm/tegra/dc.c | 17 +- drivers/gpu/drm/tegra/hub.c | 4 +- drivers/gpu/drm/tegra/hub.h | 3 +- drivers/gpu/drm/udl/udl_drv.c | 2 +- drivers/gpu/drm/v3d/v3d_drv.h | 8 + drivers/gpu/drm/v3d/v3d_gem.c | 2 + drivers/gpu/drm/v3d/v3d_irq.c | 39 ++- drivers/hid/wacom_sys.c | 6 +- drivers/hv/channel_mgmt.c | 33 +- drivers/hv/hyperv_vmbus.h | 19 +- drivers/hv/vmbus_drv.c | 2 +- drivers/hwmon/pmbus/max34440.c | 48 ++- drivers/hwtracing/coresight/coresight-core.c | 3 +- drivers/hwtracing/coresight/coresight-priv.h | 1 + drivers/i2c/busses/i2c-designware-master.c | 1 + drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 + drivers/i2c/busses/i2c-tiny-usb.c | 6 + drivers/iio/pressure/zpa2326.c | 2 +- drivers/infiniband/hw/mlx5/counters.c | 2 +- drivers/infiniband/hw/mlx5/devx.c | 2 +- drivers/leds/led-class-multicolor.c | 3 +- drivers/mailbox/mailbox.c | 2 +- drivers/md/bcache/super.c | 7 +- drivers/md/dm-raid.c | 2 +- drivers/md/md-bitmap.c | 2 +- drivers/media/platform/davinci/vpif.c | 4 +- drivers/media/platform/imx-jpeg/mxc-jpeg.c | 12 +- drivers/media/platform/omap3isp/ispccdc.c | 8 +- drivers/media/platform/omap3isp/ispstat.c | 6 +- drivers/media/usb/uvc/uvc_ctrl.c | 42 ++- drivers/mfd/max14577.c | 1 + drivers/mmc/core/quirks.h | 16 +- drivers/mmc/host/mtk-sd.c | 21 +- drivers/mmc/host/sdhci.c | 9 +- drivers/mmc/host/sdhci.h | 16 + drivers/mtd/nand/spi/core.c | 1 + drivers/net/ethernet/amd/xgbe/xgbe-common.h | 2 + drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 9 + drivers/net/ethernet/amd/xgbe/xgbe.h | 4 +- drivers/net/ethernet/atheros/atlx/atl1.c | 78 +++-- drivers/net/ethernet/cisco/enic/enic_main.c | 4 +- drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 115 ++++++- drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.h | 14 +- .../net/ethernet/freescale/dpaa2/dpaa2-ethtool.c | 18 +- drivers/net/ethernet/freescale/dpaa2/dpni-cmd.h | 6 +- drivers/net/ethernet/freescale/dpaa2/dpni.c | 2 + drivers/net/ethernet/freescale/dpaa2/dpni.h | 6 + drivers/net/ethernet/freescale/enetc/enetc_hw.h | 2 +- drivers/net/ethernet/intel/igc/igc_main.c | 10 + drivers/net/ethernet/sun/niu.c | 31 +- drivers/net/ethernet/sun/niu.h | 4 + drivers/net/wireless/ath/ath6kl/bmi.c | 4 +- drivers/pci/controller/pci-hyperv.c | 17 +- drivers/platform/mellanox/mlxbf-tmfifo.c | 3 +- .../x86/dell/dell-wmi-sysman/dell-wmi-sysman.h | 5 + .../x86/dell/dell-wmi-sysman/enum-attributes.c | 5 +- .../x86/dell/dell-wmi-sysman/int-attributes.c | 5 +- .../x86/dell/dell-wmi-sysman/passobj-attributes.c | 5 +- .../x86/dell/dell-wmi-sysman/string-attributes.c | 5 +- drivers/platform/x86/dell/dell-wmi-sysman/sysman.c | 12 +- drivers/platform/x86/ideapad-laptop.c | 19 +- drivers/platform/x86/think-lmi.c | 18 +- drivers/regulator/devres.c | 192 ++++++++++++ drivers/regulator/gpio-regulator.c | 19 +- drivers/rtc/rtc-cmos.c | 10 +- drivers/s390/crypto/pkey_api.c | 2 +- drivers/scsi/qla2xxx/qla_mbx.c | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 2 + drivers/scsi/ufs/ufs-sysfs.c | 4 +- drivers/spi/spi-fsl-dspi.c | 11 +- drivers/staging/rtl8723bs/core/rtw_security.c | 44 +-- drivers/target/target_core_pr.c | 4 +- drivers/tty/serial/uartlite.c | 25 +- drivers/tty/vt/consolemap.c | 47 +-- drivers/tty/vt/vt.c | 12 +- drivers/uio/uio_hv_generic.c | 10 +- drivers/usb/cdns3/cdnsp-ring.c | 4 +- drivers/usb/class/cdc-wdm.c | 23 +- drivers/usb/common/usb-conn-gpio.c | 25 +- drivers/usb/core/quirks.c | 3 +- drivers/usb/core/usb.c | 14 +- drivers/usb/dwc2/gadget.c | 6 + drivers/usb/gadget/function/f_tcm.c | 4 +- drivers/usb/host/xhci-dbgcap.c | 4 + drivers/usb/host/xhci-dbgtty.c | 1 + drivers/usb/typec/altmodes/displayport.c | 5 +- drivers/video/console/dummycon.c | 24 +- drivers/video/console/mdacon.c | 21 +- drivers/video/console/newport_con.c | 12 +- drivers/video/console/sticon.c | 14 +- drivers/video/console/vgacon.c | 38 +-- drivers/video/fbdev/core/fbcon.c | 336 ++++++++++----------- drivers/video/fbdev/core/fbcon.h | 4 +- drivers/video/fbdev/core/fbmem.c | 43 +-- fs/btrfs/inode.c | 19 +- fs/btrfs/tree-log.c | 4 +- fs/btrfs/volumes.c | 6 + fs/ceph/file.c | 2 +- fs/cifs/misc.c | 8 + fs/f2fs/super.c | 30 +- fs/jfs/jfs_dmap.c | 41 +-- fs/ksmbd/smb2pdu.c | 53 ++-- fs/namespace.c | 8 +- fs/nfs/flexfilelayout/flexfilelayout.c | 121 +++++--- fs/nfs/inode.c | 19 +- fs/nfs/nfs4proc.c | 12 +- fs/nfs/pnfs.c | 4 +- fs/overlayfs/util.c | 4 +- include/dt-bindings/clock/am4.h | 1 + include/linux/console.h | 13 +- include/linux/console_struct.h | 6 +- include/linux/cpu.h | 1 + include/linux/hyperv.h | 2 + include/linux/ipv6.h | 1 - include/linux/regulator/consumer.h | 31 ++ include/linux/regulator/gpio-regulator.h | 2 + include/linux/usb/typec_dp.h | 1 + include/uapi/linux/vm_sockets.h | 4 + kernel/rcu/tree.c | 4 + lib/test_objagg.c | 4 +- net/atm/clip.c | 11 +- net/atm/resources.c | 3 +- net/bluetooth/l2cap_core.c | 9 +- net/core/selftests.c | 5 +- net/ipv6/ip6_output.c | 9 +- net/mac80211/rx.c | 4 + net/mac80211/util.c | 2 +- net/rose/rose_route.c | 15 +- net/sched/sch_api.c | 19 +- net/unix/af_unix.c | 18 +- net/vmw_vsock/vmci_transport.c | 4 +- sound/isa/sb/sb16_main.c | 7 + sound/pci/hda/hda_bind.c | 2 +- sound/pci/hda/hda_intel.c | 3 + sound/soc/codecs/wcd9335.c | 62 ++-- sound/usb/quirks.c | 2 + sound/usb/stream.c | 2 + tools/lib/bpf/btf_dump.c | 3 + 182 files changed, 1976 insertions(+), 847 deletions(-)

4 months, 2 weeks

1
0
0 0

[REGRESSION] stable-rc/linux-5.15.y: (build) undefined reference to `cpu_show_tsa' in drivers/base/cpu (drivers...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-5.15.y: --- undefined reference to `cpu_show_tsa' in drivers/base/cpu (drivers/base/cpu.c) [logspec:kbuild,kbuild.compiler.linker_error] --- - dashboard: https://d.kernelci.org/i/maestro:ed59ade8431fd2103ddcaa4aecf2bf1e5a305aa2 - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: 57a10c76a9922f216165558513b1e0f5a2eae559 Log excerpt: ===================================================== arm-linux-gnueabihf-ld: drivers/base/cpu.o: in function `.LANCHOR2': cpu.c:(.data+0xac): undefined reference to `cpu_show_tsa' ===================================================== # Builds where the incident occurred: ## vexpress_defconfig on (arm): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:686d532134612746bbb53941 #kernelci issue maestro:ed59ade8431fd2103ddcaa4aecf2bf1e5a305aa2 Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

4 months, 2 weeks

1
0
0 0

[REGRESSION] stable-rc/linux-5.15.y: (build) in vmlinux (Makefile:1246) [logspec:kbuild,kbuild.other]

by KernelCI bot

Hello, New build issue found on stable-rc/linux-5.15.y: --- in vmlinux (Makefile:1246) [logspec:kbuild,kbuild.other] --- - dashboard: https://d.kernelci.org/i/maestro:16639fda313460b17cc53ce3fe28a6a8157c0596 - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: 57a10c76a9922f216165558513b1e0f5a2eae559 Log excerpt: ===================================================== .lds aarch64-linux-gnu-ld: drivers/base/cpu.o:(.data+0x178): undefined reference to `cpu_show_tsa' ===================================================== # Builds where the incident occurred: ## defconfig+arm64-chromebook+kcidebug+lab-setup on (arm64): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:686d533334612746bbb53969 ## defconfig+lab-setup+arm64-chromebook+CONFIG_MODULE_COMPRESS=n+CONFIG_MODULE_COMPRESS_NONE=y on (arm64): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:686d52c134612746bbb538ca ## defconfig+lab-setup+kselftest on (arm64): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:686d494334612746bbb51edf ## imx_v6_v7_defconfig on (arm): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:686d492934612746bbb51eb3 #kernelci issue maestro:16639fda313460b17cc53ce3fe28a6a8157c0596 Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

4 months, 2 weeks

1
0
0 0

[REGRESSION] stable-rc/linux-6.6.y: (build) initialization of ‘int (*)(struct iommu_domain *, long unsigned in...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-6.6.y: --- initialization of ‘int (*)(struct iommu_domain *, long unsigned int, size_t)’ {aka ‘int (*)(struct iommu_domain *, long unsigned int, unsigned int)’} from incompatible pointer type ‘void (*)(struct iommu_domain *, long unsigned int, size_t)’ {aka ‘void (*)(struct iommu_domain *, long unsigned int, unsigned int)’} [-Werror=incompatible-pointer-types] in drivers/iommu/tegra-gart.o (drivers/iommu/tegra-gart.c) [logspec:kbuild,kbuild.compiler.error] --- - dashboard: https://d.kernelci.org/i/maestro:09d85088a9b9d1ca7627ec9c7a3e1ea69a47f790 - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: b5872ed076bddad62df34a0ff4cbe4bbdfe45a67 Log excerpt: ===================================================== drivers/iommu/tegra-gart.c:281:35: error: initialization of ‘int (*)(struct iommu_domain *, long unsigned int, size_t)’ {aka ‘int (*)(struct iommu_domain *, long unsigned int, unsigned int)’} from incompatible pointer type ‘void (*)(struct iommu_domain *, long unsigned int, size_t)’ {aka ‘void (*)(struct iommu_domain *, long unsigned int, unsigned int)’} [-Werror=incompatible-pointer-types] 281 | .iotlb_sync_map = gart_iommu_sync_map, | ^~~~~~~~~~~~~~~~~~~ drivers/iommu/tegra-gart.c:281:35: note: (near initialization for ‘(anonymous).iotlb_sync_map’) CC drivers/gpu/host1x/hw/host1x05.o AR drivers/tty/serial/8250/built-in.a CC drivers/tty/serial/serial_core.o cc1: some warnings being treated as errors ===================================================== # Builds where the incident occurred: ## multi_v7_defconfig on (arm): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:686d54c434612746bbb54a0f #kernelci issue maestro:09d85088a9b9d1ca7627ec9c7a3e1ea69a47f790 Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

4 months, 2 weeks

1
0
0 0

[REGRESSION] stable-rc/linux-6.6.y: (build) incompatible function pointer types initializing 'int (*)(struct i...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-6.6.y: --- incompatible function pointer types initializing 'int (*)(struct iommu_domain *, unsigned long, size_t)' (aka 'int (*)(struct iommu_domain *, unsigned long, unsigned int)') with an expression of type 'void (struct iommu_domain *, unsigned long, size_t)' (aka 'void (struct iommu_domain *, unsigned long, unsigned int)') [-Wincompatible-function-pointer-types] in drivers/iommu/tegra-gart.o (drivers/iommu/tegra-gart.c) [logspec:kbuild,kbuild.compiler.error] --- - dashboard: https://d.kernelci.org/i/maestro:387fac999fdadaaca0ca80ad07047ef2d702c09a - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: b5872ed076bddad62df34a0ff4cbe4bbdfe45a67 Log excerpt: ===================================================== drivers/iommu/tegra-gart.c:281:21: error: incompatible function pointer types initializing 'int (*)(struct iommu_domain *, unsigned long, size_t)' (aka 'int (*)(struct iommu_domain *, unsigned long, unsigned int)') with an expression of type 'void (struct iommu_domain *, unsigned long, size_t)' (aka 'void (struct iommu_domain *, unsigned long, unsigned int)') [-Wincompatible-function-pointer-types] 281 | .iotlb_sync_map = gart_iommu_sync_map, | ^~~~~~~~~~~~~~~~~~~ 1 error generated. ===================================================== # Builds where the incident occurred: ## defconfig+allmodconfig+CONFIG_FRAME_WARN=2048 on (arm): - compiler: clang-17 - dashboard: https://d.kernelci.org/build/maestro:686d4a9e34612746bbb52198 #kernelci issue maestro:387fac999fdadaaca0ca80ad07047ef2d702c09a Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

4 months, 2 weeks

1
0
0 0

[REGRESSION] stable-rc/linux-6.1.y: (build) undefined reference to `cpu_show_tsa' in drivers/base/cpu (drivers...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-6.1.y: --- undefined reference to `cpu_show_tsa' in drivers/base/cpu (drivers/base/cpu.c) [logspec:kbuild,kbuild.compiler.linker_error] --- - dashboard: https://d.kernelci.org/i/maestro:634dca9c0041633c75d4d5ce3cb61da4d05029f1 - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: 16a0c0f862e842e4269c2142fabfece05c2380b1 Log excerpt: ===================================================== arm-linux-gnueabihf-ld: drivers/base/cpu.o: in function `.LANCHOR2': cpu.c:(.data+0xc0): undefined reference to `cpu_show_tsa' ===================================================== # Builds where the incident occurred: ## multi_v7_defconfig on (arm): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:686d53f934612746bbb53f15 ## multi_v7_defconfig+kselftest on (arm): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:686d49fc34612746bbb51ff1 #kernelci issue maestro:634dca9c0041633c75d4d5ce3cb61da4d05029f1 Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

4 months, 2 weeks

1
0
0 0

[REGRESSION] stable-rc/linux-6.1.y: (build) undefined reference to `cpu_show_tsa' in drivers/base/cpu (drivers...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-6.1.y: --- undefined reference to `cpu_show_tsa' in drivers/base/cpu (drivers/base/cpu.c) [logspec:kbuild,kbuild.compiler.linker_error] --- - dashboard: https://d.kernelci.org/i/maestro:320f186cf70d8d6a8155682d995d1860d2ef3445 - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: 16a0c0f862e842e4269c2142fabfece05c2380b1 Log excerpt: ===================================================== arm-linux-gnueabihf-ld: drivers/base/cpu.o: in function `.LANCHOR2': cpu.c:(.data+0xb0): undefined reference to `cpu_show_tsa' ===================================================== # Builds where the incident occurred: ## vexpress_defconfig on (arm): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:686d4a0d34612746bbb52003 #kernelci issue maestro:320f186cf70d8d6a8155682d995d1860d2ef3445 Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

4 months, 2 weeks

1
0
0 0

[REGRESSION] stable-rc/linux-6.1.y: (build) ld.lld: error: undefined symbol: cpu_show_tsa in vmlinux (scripts/...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-6.1.y: --- ld.lld: error: undefined symbol: cpu_show_tsa in vmlinux (scripts/Makefile.vmlinux:34) [logspec:kbuild,kbuild.other] --- - dashboard: https://d.kernelci.org/i/maestro:6b1157158f4d95650fb3e4447503581fbc3320c8 - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: 16a0c0f862e842e4269c2142fabfece05c2380b1 Log excerpt: ===================================================== .lds ....+...+..+. HDRTEST usr/include/linux/if_x25.h .............. CC arch/arm64/kernel/debug-monitors.o +......... HDRTEST usr/include/linux/msg.h ....+.....+.......+.. HDRTEST usr/include/linux/sonypi.h .+........+...+ CC mm/kasan/generic.o .+.. HDRTEST usr/include/linux/const.h ...+...+.............. HDRTEST usr/include/linux/affs_hardblocks.h ..+...........+...+.... HDRTEST usr/include/linux/loadpin.h ........+.+............ HDRTEST usr/include/linux/route.h +.....+.+..+............ HDRTEST usr/include/linux/v4l2-subdev.h +.+..+....+...+.. HDRTEST usr/include/linux/if_eql.h .........+....+..+.... HDRTEST usr/include/linux/netfilter_ipv4.h .....+.......+........+... HDRTEST usr/include/linux/smiapp.h ......+......+.......+ HDRTEST usr/include/linux/bsg.h ...+..+............+. HDRTEST usr/include/linux/agpgart.h .........+..+............ HDRTEST usr/include/linux/aspeed-p2a-ctrl.h .........+.............+..... CC init/do_mounts_initrd.o + HDRTEST usr/include/linux/media-bus-format.h ..........+..+...+.... HDRTEST usr/include/linux/fiemap.h ..+...+............+.... HDRTEST usr/include/linux/vfio_zdev.h ..+.........+......+..................+.+ HDRTEST usr/include/linux/socket.h ........+.......+...+.. HDRTEST usr/include/linux/lp.h .+..............+.+..... HDRTEST usr/include/linux/serio.h ...............+...+....+ HDRTEST usr/include/linux/vbox_vmmdev_types.h ..+.+...+.....+..... HDRTEST usr/include/linux/seg6_genl.h ..............+......+.. HDRTEST usr/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h ........................+... HDRTEST usr/include/linux/netfilter_ipv4/ipt_ah.h +.+.....+.+...........+ HDRTEST usr/include/linux/netfilter_ipv4/ipt_TTL.h .......+..+......+... HDRTEST usr/include/linux/netfilter_ipv4/ipt_ecn.h .+...+..+.............. HDRTEST usr/include/linux/netfilter_ipv4/ipt_LOG.h .....+..+....+.....+ HDRTEST usr/include/linux/netfilter_ipv4/ipt_ECN.h ............................+ HDRTEST usr/include/linux/netfilter_ipv4/ipt_REJECT.h ..+...+......+....... HDRTEST usr/include/linux/netfilter_ipv4/ipt_ttl.h ........................+......+........... HDRTEST usr/include/linux/netfilter_ipv4/ip_tables.h ....+...+..+ AR fs/notify/fanotify/built-in.a ....+...+. CC fs/notify/fsnotify.o ....+ HDRTEST usr/include/linux/serial.h ......+.+........+..... HDRTEST usr/include/linux/btf.h .+.......+.........+... HDRTEST usr/include/linux/batadv_packet.h ...+..+...+...+......... HDRTEST usr/include/linux/filter.h ...........................+ HDRTEST usr/include/linux/fsi.h ...............+....+.. HDRTEST usr/include/linux/sysctl.h ...+++++++++++ HDRTEST usr/include/linux/smc.h +++ AS arch/arm64/kernel/entry.o ++++++ HDRTEST usr/include/linux/dqblk_xfs.h ++++++++++++++++++++++ HDRTEST usr/include/linux/apm_bios.h ++++++++++ HDRTEST usr/include/linux/virtio_bt.h ++++++++++ HDRTEST usr/include/linux/major.h +++ ......+....+.....+.+........+.+......+........+....+.....+.......+...+......+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+......... HDRTEST usr/include/linux/loop.h ...... CC arch/arm64/kernel/irq.o ..........+..+ CC init/initramfs.o ...... HDRTEST usr/include/linux/if_macsec.h ....+...+......+..+... HDRTEST usr/include/linux/misc/bcm_vk.h .......+.....+...............+...+....+. HDRTEST usr/include/linux/kcmp.h ..+.........+.... CC ipc/shm.o ..+.........+..............+.+. HDRTEST usr/include/linux/fsverity.h .....+............+......+.........+ HDRTEST usr/include/linux/fsmap.h .....+.+..+.........+....+..............+.......+ HDRTEST usr/include/linux/ip_vs.h .....+..........+.....+ HDRTEST usr/include/linux/fdreg.h ......+.......+........+ HDRTEST usr/include/linux/virtio_input.h .............+......... HDRTEST usr/include/linux/rseq.h ...+...+..+.......+... CC kernel/sched/fair.o .. HDRTEST usr/include/linux/veth.h .....................+... HDRTEST usr/include/linux/reboot.h ............+......+.. HDRTEST usr/include/linux/nsfs.h ..+..+....+.......... HDRTEST usr/include/linux/nfc.h ........+..+ CC mm/kasan/report_generic.o .+........ HDRTEST usr/include/linux/nfs4_mount.h ....+..+...............+... HDRTEST usr/include/linux/nfsd/debug.h .+.....+....+............+. HDRTEST usr/include/linux/nfsd/cld.h ..+...+....................+ HDRTEST usr/include/linux/nfsd/stats.h ...............+...............+. HDRTEST usr/include/linux/nfsd/export.h ......+............+.........+ HDRTEST usr/include/linux/utime.h ..+...+..........+..+ HDRTEST usr/include/linux/bt-bmc.h .......+...+........+ HDRTEST usr/include/linux/oom.h .+........+........ HDRTEST usr/include/linux/ioam6.h .....+..+............+. HDRTEST usr/include/linux/wmi.h ...............+........ HDRTEST usr/include/linux/gameport.h ....+......+++++++++++++ HDRTEST usr/include/linux/rxrpc.h ++++++++++++ HDRTEST usr/include/linux/surface_aggregator/dtx.h +++++++++ HDRTEST usr/include/linux/surface_aggregator/cdev.h +++++++++ HDRTEST usr/include/linux/if_link.h ++++++ CC arch/arm64/kernel/fpsimd.o ++++ HDRTEST usr/include/linux/fib_rules.h ++++++++++ HDRTEST usr/include/linux/zorro.h ++ ----- ld.lld: error: undefined symbol: cpu_show_tsa >>> referenced by cpu.c >>> drivers/base/cpu.o:(dev_attr_tsa) in archive vmlinux.a ===================================================== # Builds where the incident occurred: ## defconfig+allmodconfig on (arm64): - compiler: clang-17 - dashboard: https://d.kernelci.org/build/maestro:686d49d034612746bbb51fb8 ## defconfig+allmodconfig+CONFIG_FRAME_WARN=2048 on (arm): - compiler: clang-17 - dashboard: https://d.kernelci.org/build/maestro:686d49cb34612746bbb51fb2 #kernelci issue maestro:6b1157158f4d95650fb3e4447503581fbc3320c8 Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

4 months, 2 weeks

1
0
0 0

[REGRESSION] stable-rc/linux-5.15.y: (build) ld.lld: error: undefined symbol: cpu_show_tsa in vmlinux (Makefile...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-5.15.y: --- ld.lld: error: undefined symbol: cpu_show_tsa in vmlinux (Makefile:1246) [logspec:kbuild,kbuild.other] --- - dashboard: https://d.kernelci.org/i/maestro:37759c63a97e01566b3769ef90482ca5ec2daa9f - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: 57a10c76a9922f216165558513b1e0f5a2eae559 Log excerpt: ===================================================== .lds ld.lld: error: undefined symbol: cpu_show_tsa >>> referenced by cpu.c >>> base/cpu.o:(dev_attr_tsa) in archive drivers/built-in.a ===================================================== # Builds where the incident occurred: ## defconfig+arm64-chromebook+kselftest on (arm64): - compiler: clang-17 - dashboard: https://d.kernelci.org/build/maestro:686d490a34612746bbb51e76 #kernelci issue maestro:37759c63a97e01566b3769ef90482ca5ec2daa9f Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

4 months, 2 weeks

1
0
0 0

[PATCH v5 1/4] scsi: fnic: Fix crash in fnic_wq_cmpl_handler when FDMI times out

by Karan Tilak Kumar

When both the RHBA and RPA FDMI requests time out, fnic reuses a frame to send ABTS for each of them. On send completion, this causes an attempt to free the same frame twice that leads to a crash. Fix crash by allocating separate frames for RHBA and RPA, and modify ABTS logic accordingly. Tested by checking MDS for FDMI information. Tested by using instrumented driver to: Drop PLOGI response Drop RHBA response Drop RPA response Drop RHBA and RPA response Drop PLOGI response + ABTS response Drop RHBA response + ABTS response Drop RPA response + ABTS response Drop RHBA and RPA response + ABTS response for both of them Fixes: 09c1e6ab4ab2 ("scsi: fnic: Add and integrate support for FDMI") Reviewed-by: Sesidhar Baddela <sebaddel(a)cisco.com> Reviewed-by: Arulprabhu Ponnusamy <arulponn(a)cisco.com> Reviewed-by: Gian Carlo Boffa <gcboffa(a)cisco.com> Tested-by: Arun Easi <aeasi(a)cisco.com> Co-developed-by: Arun Easi <aeasi(a)cisco.com> Signed-off-by: Arun Easi <aeasi(a)cisco.com> Tested-by: Karan Tilak Kumar <kartilak(a)cisco.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Karan Tilak Kumar <kartilak(a)cisco.com> --- Changes between v4 and v5: - Incorporate review comments from John: - Refactor patches Changes between v3 and v4: - Incorporate review comments from Dan: - Remove comments from Cc tag Changes between v2 and v3: - Incorporate review comments from Dan: - Add Cc to stable Changes between v1 and v2: - Incorporate review comments from Dan: - Add Fixes tag --- drivers/scsi/fnic/fdls_disc.c | 113 +++++++++++++++++++++++++--------- drivers/scsi/fnic/fnic.h | 2 +- drivers/scsi/fnic/fnic_fdls.h | 1 + 3 files changed, 87 insertions(+), 29 deletions(-) diff --git a/drivers/scsi/fnic/fdls_disc.c b/drivers/scsi/fnic/fdls_disc.c index c2b6f4eb338e..0ee1b74967b9 100644 --- a/drivers/scsi/fnic/fdls_disc.c +++ b/drivers/scsi/fnic/fdls_disc.c @@ -763,47 +763,69 @@ static void fdls_send_fabric_abts(struct fnic_iport_s *iport) iport->fabric.timer_pending = 1; } -static void fdls_send_fdmi_abts(struct fnic_iport_s *iport) +static uint8_t *fdls_alloc_init_fdmi_abts_frame(struct fnic_iport_s *iport, + uint16_t oxid) { - uint8_t *frame; + struct fc_frame_header *pfdmi_abts; uint8_t d_id[3]; + uint8_t *frame; struct fnic *fnic = iport->fnic; - struct fc_frame_header *pfabric_abts; - unsigned long fdmi_tov; - uint16_t oxid; - uint16_t frame_size = FNIC_ETH_FCOE_HDRS_OFFSET + - sizeof(struct fc_frame_header); frame = fdls_alloc_frame(iport); if (frame == NULL) { FNIC_FCS_DBG(KERN_ERR, fnic->host, fnic->fnic_num, "Failed to allocate frame to send FDMI ABTS"); - return; + return NULL; } - pfabric_abts = (struct fc_frame_header *) (frame + FNIC_ETH_FCOE_HDRS_OFFSET); + pfdmi_abts = (struct fc_frame_header *) (frame + FNIC_ETH_FCOE_HDRS_OFFSET); fdls_init_fabric_abts_frame(frame, iport); hton24(d_id, FC_FID_MGMT_SERV); - FNIC_STD_SET_D_ID(*pfabric_abts, d_id); + FNIC_STD_SET_D_ID(*pfdmi_abts, d_id); + FNIC_STD_SET_OX_ID(*pfdmi_abts, oxid); + + return frame; +} + +static void fdls_send_fdmi_abts(struct fnic_iport_s *iport) +{ + uint8_t *frame; + unsigned long fdmi_tov; + uint16_t frame_size = FNIC_ETH_FCOE_HDRS_OFFSET + + sizeof(struct fc_frame_header); if (iport->fabric.fdmi_pending & FDLS_FDMI_PLOGI_PENDING) { - oxid = iport->active_oxid_fdmi_plogi; - FNIC_STD_SET_OX_ID(*pfabric_abts, oxid); + frame = fdls_alloc_init_fdmi_abts_frame(iport, + iport->active_oxid_fdmi_plogi); + if (frame == NULL) + return; + fnic_send_fcoe_frame(iport, frame, frame_size); } else { if (iport->fabric.fdmi_pending & FDLS_FDMI_REG_HBA_PENDING) { - oxid = iport->active_oxid_fdmi_rhba; - FNIC_STD_SET_OX_ID(*pfabric_abts, oxid); + frame = fdls_alloc_init_fdmi_abts_frame(iport, + iport->active_oxid_fdmi_rhba); + if (frame == NULL) + return; + fnic_send_fcoe_frame(iport, frame, frame_size); } if (iport->fabric.fdmi_pending & FDLS_FDMI_RPA_PENDING) { - oxid = iport->active_oxid_fdmi_rpa; - FNIC_STD_SET_OX_ID(*pfabric_abts, oxid); + frame = fdls_alloc_init_fdmi_abts_frame(iport, + iport->active_oxid_fdmi_rpa); + if (frame == NULL) { + if (iport->fabric.fdmi_pending & FDLS_FDMI_REG_HBA_PENDING) + goto arm_timer; + else + return; + } + fnic_send_fcoe_frame(iport, frame, frame_size); } } +arm_timer: fdmi_tov = jiffies + msecs_to_jiffies(2 * iport->e_d_tov); mod_timer(&iport->fabric.fdmi_timer, round_jiffies(fdmi_tov)); iport->fabric.fdmi_pending |= FDLS_FDMI_ABORT_PENDING; @@ -2244,6 +2266,21 @@ void fdls_fabric_timer_callback(struct timer_list *t) spin_unlock_irqrestore(&fnic->fnic_lock, flags); } +void fdls_fdmi_retry_plogi(struct fnic_iport_s *iport) +{ + struct fnic *fnic = iport->fnic; + + iport->fabric.fdmi_pending = 0; + /* If max retries not exhausted, start over from fdmi plogi */ + if (iport->fabric.fdmi_retry < FDLS_FDMI_MAX_RETRY) { + iport->fabric.fdmi_retry++; + FNIC_FCS_DBG(KERN_INFO, fnic->host, fnic->fnic_num, + "Retry FDMI PLOGI. FDMI retry: %d", + iport->fabric.fdmi_retry); + fdls_send_fdmi_plogi(iport); + } +} + void fdls_fdmi_timer_callback(struct timer_list *t) { struct fnic_fdls_fabric_s *fabric = from_timer(fabric, t, fdmi_timer); @@ -2289,14 +2326,7 @@ void fdls_fdmi_timer_callback(struct timer_list *t) FNIC_FCS_DBG(KERN_INFO, fnic->host, fnic->fnic_num, "fdmi timer callback : 0x%x\n", iport->fabric.fdmi_pending); - iport->fabric.fdmi_pending = 0; - /* If max retries not exhaused, start over from fdmi plogi */ - if (iport->fabric.fdmi_retry < FDLS_FDMI_MAX_RETRY) { - iport->fabric.fdmi_retry++; - FNIC_FCS_DBG(KERN_INFO, fnic->host, fnic->fnic_num, - "retry fdmi timer %d", iport->fabric.fdmi_retry); - fdls_send_fdmi_plogi(iport); - } + fdls_fdmi_retry_plogi(iport); FNIC_FCS_DBG(KERN_INFO, fnic->host, fnic->fnic_num, "fdmi timer callback : 0x%x\n", iport->fabric.fdmi_pending); spin_unlock_irqrestore(&fnic->fnic_lock, flags); @@ -3714,11 +3744,32 @@ static void fdls_process_fdmi_abts_rsp(struct fnic_iport_s *iport, switch (FNIC_FRAME_TYPE(oxid)) { case FNIC_FRAME_TYPE_FDMI_PLOGI: fdls_free_oxid(iport, oxid, &iport->active_oxid_fdmi_plogi); + + iport->fabric.fdmi_pending &= ~FDLS_FDMI_PLOGI_PENDING; + iport->fabric.fdmi_pending &= ~FDLS_FDMI_ABORT_PENDING; break; case FNIC_FRAME_TYPE_FDMI_RHBA: + iport->fabric.fdmi_pending &= ~FDLS_FDMI_REG_HBA_PENDING; + + /* If RPA is still pending, don't turn off ABORT PENDING. + * We count on the timer to detect the ABTS timeout and take + * corrective action. + */ + if (!(iport->fabric.fdmi_pending & FDLS_FDMI_RPA_PENDING)) + iport->fabric.fdmi_pending &= ~FDLS_FDMI_ABORT_PENDING; + fdls_free_oxid(iport, oxid, &iport->active_oxid_fdmi_rhba); break; case FNIC_FRAME_TYPE_FDMI_RPA: + iport->fabric.fdmi_pending &= ~FDLS_FDMI_RPA_PENDING; + + /* If RHBA is still pending, don't turn off ABORT PENDING. + * We count on the timer to detect the ABTS timeout and take + * corrective action. + */ + if (!(iport->fabric.fdmi_pending & FDLS_FDMI_REG_HBA_PENDING)) + iport->fabric.fdmi_pending &= ~FDLS_FDMI_ABORT_PENDING; + fdls_free_oxid(iport, oxid, &iport->active_oxid_fdmi_rpa); break; default: @@ -3728,10 +3779,16 @@ static void fdls_process_fdmi_abts_rsp(struct fnic_iport_s *iport, break; } - timer_delete_sync(&iport->fabric.fdmi_timer); - iport->fabric.fdmi_pending &= ~FDLS_FDMI_ABORT_PENDING; - - fdls_send_fdmi_plogi(iport); + /* + * Only if ABORT PENDING is off, delete the timer, and if no other + * operations are pending, retry FDMI. + * Otherwise, let the timer pop and take the appropriate action. + */ + if (!(iport->fabric.fdmi_pending & FDLS_FDMI_ABORT_PENDING)) { + timer_delete_sync(&iport->fabric.fdmi_timer); + if (!iport->fabric.fdmi_pending) + fdls_fdmi_retry_plogi(iport); + } } static void diff --git a/drivers/scsi/fnic/fnic.h b/drivers/scsi/fnic/fnic.h index 6c5f6046b1f5..86e293ce530d 100644 --- a/drivers/scsi/fnic/fnic.h +++ b/drivers/scsi/fnic/fnic.h @@ -30,7 +30,7 @@ #define DRV_NAME "fnic" #define DRV_DESCRIPTION "Cisco FCoE HBA Driver" -#define DRV_VERSION "1.8.0.0" +#define DRV_VERSION "1.8.0.1" #define PFX DRV_NAME ": " #define DFX DRV_NAME "%d: " diff --git a/drivers/scsi/fnic/fnic_fdls.h b/drivers/scsi/fnic/fnic_fdls.h index 8e610b65ad57..531d0b37e450 100644 --- a/drivers/scsi/fnic/fnic_fdls.h +++ b/drivers/scsi/fnic/fnic_fdls.h @@ -394,6 +394,7 @@ void fdls_send_tport_abts(struct fnic_iport_s *iport, bool fdls_delete_tport(struct fnic_iport_s *iport, struct fnic_tport_s *tport); void fdls_fdmi_timer_callback(struct timer_list *t); +void fdls_fdmi_retry_plogi(struct fnic_iport_s *iport); /* fnic_fcs.c */ void fnic_fdls_init(struct fnic *fnic, int usefip); -- 2.47.1

4 months, 2 weeks

3
3
0 0

[PATCH v2] net: ethernet: rtsn: Fix a null pointer dereference in rtsn_probe()

by Haoxiang Li

Add check for the return value of rcar_gen4_ptp_alloc() to prevent potential null pointer dereference. Fixes: b0d3969d2b4d ("net: ethernet: rtsn: Add support for Renesas Ethernet-TSN") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> --- Changes in v2: - Add a blank line to make the grouping similar to the style of other error checks in probe. Thanks, Niklas! --- drivers/net/ethernet/renesas/rtsn.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/net/ethernet/renesas/rtsn.c b/drivers/net/ethernet/renesas/rtsn.c index 6b3f7fca8d15..05c4b6c8c9c3 100644 --- a/drivers/net/ethernet/renesas/rtsn.c +++ b/drivers/net/ethernet/renesas/rtsn.c @@ -1259,7 +1259,12 @@ static int rtsn_probe(struct platform_device *pdev) priv = netdev_priv(ndev); priv->pdev = pdev; priv->ndev = ndev; + priv->ptp_priv = rcar_gen4_ptp_alloc(pdev); + if (!priv->ptp_priv) { + ret = -ENOMEM; + goto error_free; + } spin_lock_init(&priv->lock); platform_set_drvdata(pdev, priv); -- 2.25.1

4 months, 2 weeks

3
2
0 0

Re: Patch "crypto: powerpc/poly1305 - add depends on BROKEN for now" has been added to the 6.12-stable tree

by Eric Biggers

On Mon, Jul 07, 2025 at 12:34:45AM -0400, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > crypto: powerpc/poly1305 - add depends on BROKEN for now > > to the 6.12-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… You forgot to Cc the relevant mailing lists. > diff --git a/arch/powerpc/lib/crypto/Kconfig b/arch/powerpc/lib/crypto/Kconfig > new file mode 100644 > index 0000000000000..3f9e1bbd9905b > --- /dev/null > +++ b/arch/powerpc/lib/crypto/Kconfig > @@ -0,0 +1,22 @@ > +# SPDX-License-Identifier: GPL-2.0-only > + > +config CRYPTO_CHACHA20_P10 > + tristate > + depends on PPC64 && CPU_LITTLE_ENDIAN && VSX > + default CRYPTO_LIB_CHACHA > + select CRYPTO_LIB_CHACHA_GENERIC > + select CRYPTO_ARCH_HAVE_LIB_CHACHA > + > +config CRYPTO_POLY1305_P10 > + tristate > + depends on PPC64 && CPU_LITTLE_ENDIAN && VSX > + depends on BROKEN # Needs to be fixed to work in softirq context > + default CRYPTO_LIB_POLY1305 > + select CRYPTO_ARCH_HAVE_LIB_POLY1305 > + select CRYPTO_LIB_POLY1305_GENERIC > + > +config CRYPTO_SHA256_PPC_SPE > + tristate > + depends on SPE > + default CRYPTO_LIB_SHA256 > + select CRYPTO_ARCH_HAVE_LIB_SHA256 Really? - Eric

4 months, 2 weeks

2
2
0 0

Please apply commit 93bd4a80efeb to v6.6.y and v6.12.y

by Guenter Roeck

Hi Greg, v6.6.y and v6.12.y fail to build corenet64_smp_defconfig. powerpc64-linux-ld: arch/powerpc/kernel/irq_64.o: in function `__replay_soft_interrupts': /opt/buildbot/slave/qemu-ppc64/build/arch/powerpc/kernel/irq_64.c:119:(.text+0x50): undefined reference to `ppc_save_regs' This is caused by the backport of upstream commit 497b7794aef0 ("powerpc: do not build ppc_save_regs.o always"). That commit made some wrong assumptions and causes the build failure. Please apply commit 93bd4a80efeb ("powerpc/kernel: Fix ppc_save_regs inclusion in build") to both branches to fix the problem. Thanks, Guenter --- bisect: # bad: [a5df3a702b2cba82bcfb066fa9f5e4a349c33924] Linux 6.6.96 # good: [c2603c511feb427b2b09f74b57816a81272932a1] Linux 6.6.93 git bisect start 'HEAD' 'c2603c511feb' # bad: [36318ff3d6bf94ea01b2caa0967f2b366c7daea6] media: venus: Fix probe error handling git bisect bad 36318ff3d6bf94ea01b2caa0967f2b366c7daea6 # bad: [c64a16344c5258dcaaa6caf2bbe2298e6e3e469c] randstruct: gcc-plugin: Remove bogus void member git bisect bad c64a16344c5258dcaaa6caf2bbe2298e6e3e469c # bad: [cb4b9369463eb6f6d0f4bdeaf35d183a935c2573] Use thread-safe function pointer in libbpf_print git bisect bad cb4b9369463eb6f6d0f4bdeaf35d183a935c2573 # bad: [aa7b90057bc3f8d9ddf50e7397facdd613de5610] x86/mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges() git bisect bad aa7b90057bc3f8d9ddf50e7397facdd613de5610 # good: [cb1e26f53e598a3946dd9b3014d6bcddd8609a47] crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions git bisect good cb1e26f53e598a3946dd9b3014d6bcddd8609a47 # bad: [5810e9d402c43a63c16ce949f9d9ff59fe6832e7] crypto: sun8i-ce - move fallback ahash_request to the end of the struct git bisect bad 5810e9d402c43a63c16ce949f9d9ff59fe6832e7 # bad: [3cf4d9cae4356c2a0610d82c13c957e4a88d6d94] crypto: marvell/cesa - Avoid empty transfer descriptor git bisect bad 3cf4d9cae4356c2a0610d82c13c957e4a88d6d94 # bad: [ce167ff4cd172bb85b834d671f37151b0f7f734a] x86/microcode/AMD: Do not return error when microcode update is not necessary git bisect bad ce167ff4cd172bb85b834d671f37151b0f7f734a # bad: [4fb22310892c9bba3a170d0873e95886fbadf064] powerpc/crash: Fix non-smp kexec preparation git bisect bad 4fb22310892c9bba3a170d0873e95886fbadf064 # bad: [fdc39b3ad8a7791792408212507683bfae9f2dc5] powerpc: do not build ppc_save_regs.o always git bisect bad fdc39b3ad8a7791792408212507683bfae9f2dc5 # first bad commit: [fdc39b3ad8a7791792408212507683bfae9f2dc5] powerpc: do not build ppc_save_regs.o always

4 months, 2 weeks

2
1
0 0

[PATCH 1/1] drm/i915/dp: Refine TPS4-based HBR3 rejection and add quirk to limit eDP to HBR2

by Ankit Nautiyal

Refine the logic introduced in commit 584cf613c24a ("drm/i915/dp: Reject HBR3 when sink doesn't support TPS4") to allow HBR3 on eDP panels that report DPCD revision 1.4, even if TPS4 is not supported. This aligns with the DisplayPort specification, which does not mandate TPS4 support for eDP with DPCD rev 1.4. This change avoids regressions on panels that require HBR3 to operate at their native resolution but do not advertise TPS4 support. Additionally, some ICL/TGL platforms with combo PHY ports suffer from signal integrity issues at HBR3. While certain systems include a Parade PS8461 mux to mitigate this, its presence cannot be reliably detected. Furthermore, broken or missing VBT entries make it unsafe to rely on VBT for enforcing link rate limits. To address the HBR3-related issues on such platforms and eDP panels, introduce a device specific quirk to cap the eDP link rate to HBR2 (540000 kHz). This will override any higher advertised rates from the sink or DPCD for specific devices. Currently, the quirk is added for Dell XPS 13 7390 2-in-1 which is reported in gitlab issue #5969 [1]. [1] https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/5969 [2] https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/14517 Fixes: 584cf613c24a ("drm/i915/dp: Reject HBR3 when sink doesn't support TPS4") Cc: Jani Nikula <jani.nikula(a)linux.intel.com> Cc: Ville Syrj_l_ <ville.syrjala(a)linux.intel.com> Cc: <stable(a)vger.kernel.org> # v6.15+ Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/5969 Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/14517 Signed-off-by: Ankit Nautiyal <ankit.k.nautiyal(a)intel.com> --- drivers/gpu/drm/i915/display/intel_dp.c | 31 +++++++++++++++++++-- drivers/gpu/drm/i915/display/intel_quirks.c | 9 ++++++ drivers/gpu/drm/i915/display/intel_quirks.h | 1 + 3 files changed, 39 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/i915/display/intel_dp.c b/drivers/gpu/drm/i915/display/intel_dp.c index f48912f308df..362e376fca27 100644 --- a/drivers/gpu/drm/i915/display/intel_dp.c +++ b/drivers/gpu/drm/i915/display/intel_dp.c @@ -171,6 +171,15 @@ int intel_dp_link_symbol_clock(int rate) return DIV_ROUND_CLOSEST(rate * 10, intel_dp_link_symbol_size(rate)); } +static bool intel_dp_reject_hbr3_due_to_tps4(struct intel_dp *intel_dp) +{ + /* TPS4 is not mandatory for eDP with DPCD rev 1.4 */ + if (intel_dp_is_edp(intel_dp) && intel_dp->dpcd[DP_DPCD_REV] == 0x14) + return false; + + return !drm_dp_tps4_supported(intel_dp->dpcd); +} + static int max_dprx_rate(struct intel_dp *intel_dp) { struct intel_display *display = to_intel_display(intel_dp); @@ -187,13 +196,22 @@ static int max_dprx_rate(struct intel_dp *intel_dp) * HBR3 without TPS4, and are unable to produce a stable * output. Reject HBR3 when TPS4 is not available. */ - if (max_rate >= 810000 && !drm_dp_tps4_supported(intel_dp->dpcd)) { + if (max_rate >= 810000 && intel_dp_reject_hbr3_due_to_tps4(intel_dp)) { drm_dbg_kms(display->drm, "[ENCODER:%d:%s] Rejecting HBR3 due to missing TPS4 support\n", encoder->base.base.id, encoder->base.name); max_rate = 540000; } + /* + * Some platforms + eDP panels may not reliably support HBR3 + * due to signal integrity limitations, despite advertising it. + * Cap the link rate to HBR2 to avoid unstable configurations for the + * known machines. + */ + if (intel_dp_is_edp(intel_dp) && intel_has_quirk(display, QUIRK_EDP_LIMIT_RATE_HBR2)) + max_rate = min(max_rate, 540000); + return max_rate; } @@ -4304,13 +4322,22 @@ intel_edp_set_sink_rates(struct intel_dp *intel_dp) * HBR3 without TPS4, and are unable to produce a stable * output. Reject HBR3 when TPS4 is not available. */ - if (rate >= 810000 && !drm_dp_tps4_supported(intel_dp->dpcd)) { + if (rate >= 810000 && intel_dp_reject_hbr3_due_to_tps4(intel_dp)) { drm_dbg_kms(display->drm, "[ENCODER:%d:%s] Rejecting HBR3 due to missing TPS4 support\n", encoder->base.base.id, encoder->base.name); break; } + /* + * Some platforms cannot reliably drive HBR3 rates due to PHY limitations, + * even if the sink advertises support. Reject any sink rates above HBR2 on + * the known machines for stable output. + */ + if (rate >= 810000 && + intel_has_quirk(display, QUIRK_EDP_LIMIT_RATE_HBR2)) + break; + intel_dp->sink_rates[i] = rate; } intel_dp->num_sink_rates = i; diff --git a/drivers/gpu/drm/i915/display/intel_quirks.c b/drivers/gpu/drm/i915/display/intel_quirks.c index a32fae510ed2..d2e16b79d6be 100644 --- a/drivers/gpu/drm/i915/display/intel_quirks.c +++ b/drivers/gpu/drm/i915/display/intel_quirks.c @@ -80,6 +80,12 @@ static void quirk_fw_sync_len(struct intel_dp *intel_dp) drm_info(display->drm, "Applying Fast Wake sync pulse count quirk\n"); } +static void quirk_edp_limit_rate_hbr2(struct intel_display *display) +{ + intel_set_quirk(display, QUIRK_EDP_LIMIT_RATE_HBR2); + drm_info(display->drm, "Applying eDP Limit rate to HBR2 quirk\n"); +} + struct intel_quirk { int device; int subsystem_vendor; @@ -231,6 +237,9 @@ static struct intel_quirk intel_quirks[] = { { 0x3184, 0x1019, 0xa94d, quirk_increase_ddi_disabled_time }, /* HP Notebook - 14-r206nv */ { 0x0f31, 0x103c, 0x220f, quirk_invert_brightness }, + + /* Dell XPS 13 7390 2-in-1 */ + { 0x8a12, 0x1028, 0x08b0, quirk_edp_limit_rate_hbr2 }, }; static const struct intel_dpcd_quirk intel_dpcd_quirks[] = { diff --git a/drivers/gpu/drm/i915/display/intel_quirks.h b/drivers/gpu/drm/i915/display/intel_quirks.h index cafdebda7535..06da0e286c67 100644 --- a/drivers/gpu/drm/i915/display/intel_quirks.h +++ b/drivers/gpu/drm/i915/display/intel_quirks.h @@ -20,6 +20,7 @@ enum intel_quirk_id { QUIRK_LVDS_SSC_DISABLE, QUIRK_NO_PPS_BACKLIGHT_POWER_HOOK, QUIRK_FW_SYNC_LEN, + QUIRK_EDP_LIMIT_RATE_HBR2, }; void intel_init_quirks(struct intel_display *display); -- 2.45.2

4 months, 2 weeks

3
5
0 0

FAILED: patch "[PATCH] cifs: all initializations for tcon should happen in" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 74ebd02163fde05baa23129e06dde4b8f0f2377a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070801-extended-myspace-c081@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 74ebd02163fde05baa23129e06dde4b8f0f2377a Mon Sep 17 00:00:00 2001 From: Shyam Prasad N <sprasad(a)microsoft.com> Date: Mon, 30 Jun 2025 23:09:34 +0530 Subject: [PATCH] cifs: all initializations for tcon should happen in tcon_info_alloc Today, a few work structs inside tcon are initialized inside cifs_get_tcon and not in tcon_info_alloc. As a result, if a tcon is obtained from tcon_info_alloc, but not called as a part of cifs_get_tcon, we may trip over. Cc: <stable(a)vger.kernel.org> Signed-off-by: Shyam Prasad N <sprasad(a)microsoft.com> Reviewed-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/client/cifsproto.h b/fs/smb/client/cifsproto.h index 66093fa78aed..045227ed4efc 100644 --- a/fs/smb/client/cifsproto.h +++ b/fs/smb/client/cifsproto.h @@ -136,6 +136,7 @@ extern int SendReceiveBlockingLock(const unsigned int xid, struct smb_hdr *out_buf, int *bytes_returned); +void smb2_query_server_interfaces(struct work_struct *work); void cifs_signal_cifsd_for_reconnect(struct TCP_Server_Info *server, bool all_channels); diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c index 685c65dcb8c4..484b677143fd 100644 --- a/fs/smb/client/connect.c +++ b/fs/smb/client/connect.c @@ -97,7 +97,7 @@ static int reconn_set_ipaddr_from_hostname(struct TCP_Server_Info *server) return rc; } -static void smb2_query_server_interfaces(struct work_struct *work) +void smb2_query_server_interfaces(struct work_struct *work) { int rc; int xid; @@ -2880,20 +2880,14 @@ cifs_get_tcon(struct cifs_ses *ses, struct smb3_fs_context *ctx) tcon->max_cached_dirs = ctx->max_cached_dirs; tcon->nodelete = ctx->nodelete; tcon->local_lease = ctx->local_lease; - INIT_LIST_HEAD(&tcon->pending_opens); tcon->status = TID_GOOD; - INIT_DELAYED_WORK(&tcon->query_interfaces, - smb2_query_server_interfaces); if (ses->server->dialect >= SMB30_PROT_ID && (ses->server->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL)) { /* schedule query interfaces poll */ queue_delayed_work(cifsiod_wq, &tcon->query_interfaces, (SMB_INTERFACE_POLL_INTERVAL * HZ)); } -#ifdef CONFIG_CIFS_DFS_UPCALL - INIT_DELAYED_WORK(&tcon->dfs_cache_work, dfs_cache_refresh); -#endif spin_lock(&cifs_tcp_ses_lock); list_add(&tcon->tcon_list, &ses->tcon_list); spin_unlock(&cifs_tcp_ses_lock); diff --git a/fs/smb/client/misc.c b/fs/smb/client/misc.c index e77017f47084..da23cc12a52c 100644 --- a/fs/smb/client/misc.c +++ b/fs/smb/client/misc.c @@ -151,6 +151,12 @@ tcon_info_alloc(bool dir_leases_enabled, enum smb3_tcon_ref_trace trace) #ifdef CONFIG_CIFS_DFS_UPCALL INIT_LIST_HEAD(&ret_buf->dfs_ses_list); #endif + INIT_LIST_HEAD(&ret_buf->pending_opens); + INIT_DELAYED_WORK(&ret_buf->query_interfaces, + smb2_query_server_interfaces); +#ifdef CONFIG_CIFS_DFS_UPCALL + INIT_DELAYED_WORK(&ret_buf->dfs_cache_work, dfs_cache_refresh); +#endif return ret_buf; }

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] usb: typec: tcpm: apply vbus before data bringup in" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x bec15191d52300defa282e3fd83820f69e447116 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070816-impatient-condiment-51e9@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bec15191d52300defa282e3fd83820f69e447116 Mon Sep 17 00:00:00 2001 From: RD Babiera <rdbabiera(a)google.com> Date: Wed, 18 Jun 2025 23:06:04 +0000 Subject: [PATCH] usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach This patch fixes Type-C compliance test TD 4.7.6 - Try.SNK DRP Connect SNKAS. tVbusON has a limit of 275ms when entering SRC_ATTACHED. Compliance testers can interpret the TryWait.Src to Attached.Src transition after Try.Snk as being in Attached.Src the entire time, so ~170ms is lost to the debounce timer. Setting the data role can be a costly operation in host mode, and when completed after 100ms can cause Type-C compliance test check TD 4.7.5.V.4 to fail. Turn VBUS on before tcpm_set_roles to meet timing requirement. Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)") Cc: stable <stable(a)kernel.org> Signed-off-by: RD Babiera <rdbabiera(a)google.com> Reviewed-by: Badhri Jagan Sridharan <badhri(a)google.com> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://lore.kernel.org/r/20250618230606.3272497-2-rdbabiera@google.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c index 1a1f9e1f8e4e..1f6fdfaa34bf 100644 --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -4410,17 +4410,6 @@ static int tcpm_src_attach(struct tcpm_port *port) tcpm_enable_auto_vbus_discharge(port, true); - ret = tcpm_set_roles(port, true, TYPEC_STATE_USB, - TYPEC_SOURCE, tcpm_data_role_for_source(port)); - if (ret < 0) - return ret; - - if (port->pd_supported) { - ret = port->tcpc->set_pd_rx(port->tcpc, true); - if (ret < 0) - goto out_disable_mux; - } - /* * USB Type-C specification, version 1.2, * chapter 4.5.2.2.8.1 (Attached.SRC Requirements) @@ -4430,13 +4419,24 @@ static int tcpm_src_attach(struct tcpm_port *port) (polarity == TYPEC_POLARITY_CC2 && port->cc1 == TYPEC_CC_RA)) { ret = tcpm_set_vconn(port, true); if (ret < 0) - goto out_disable_pd; + return ret; } ret = tcpm_set_vbus(port, true); if (ret < 0) goto out_disable_vconn; + ret = tcpm_set_roles(port, true, TYPEC_STATE_USB, TYPEC_SOURCE, + tcpm_data_role_for_source(port)); + if (ret < 0) + goto out_disable_vbus; + + if (port->pd_supported) { + ret = port->tcpc->set_pd_rx(port->tcpc, true); + if (ret < 0) + goto out_disable_mux; + } + port->pd_capable = false; port->partner = NULL; @@ -4447,14 +4447,14 @@ static int tcpm_src_attach(struct tcpm_port *port) return 0; -out_disable_vconn: - tcpm_set_vconn(port, false); -out_disable_pd: - if (port->pd_supported) - port->tcpc->set_pd_rx(port->tcpc, false); out_disable_mux: tcpm_mux_set(port, TYPEC_STATE_SAFE, USB_ROLE_NONE, TYPEC_ORIENTATION_NONE); +out_disable_vbus: + tcpm_set_vbus(port, false); +out_disable_vconn: + tcpm_set_vconn(port, false); + return ret; }

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] usb: typec: tcpm: apply vbus before data bringup in" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x bec15191d52300defa282e3fd83820f69e447116 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070816-transpose-wharf-eb6a@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bec15191d52300defa282e3fd83820f69e447116 Mon Sep 17 00:00:00 2001 From: RD Babiera <rdbabiera(a)google.com> Date: Wed, 18 Jun 2025 23:06:04 +0000 Subject: [PATCH] usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach This patch fixes Type-C compliance test TD 4.7.6 - Try.SNK DRP Connect SNKAS. tVbusON has a limit of 275ms when entering SRC_ATTACHED. Compliance testers can interpret the TryWait.Src to Attached.Src transition after Try.Snk as being in Attached.Src the entire time, so ~170ms is lost to the debounce timer. Setting the data role can be a costly operation in host mode, and when completed after 100ms can cause Type-C compliance test check TD 4.7.5.V.4 to fail. Turn VBUS on before tcpm_set_roles to meet timing requirement. Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)") Cc: stable <stable(a)kernel.org> Signed-off-by: RD Babiera <rdbabiera(a)google.com> Reviewed-by: Badhri Jagan Sridharan <badhri(a)google.com> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://lore.kernel.org/r/20250618230606.3272497-2-rdbabiera@google.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c index 1a1f9e1f8e4e..1f6fdfaa34bf 100644 --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -4410,17 +4410,6 @@ static int tcpm_src_attach(struct tcpm_port *port) tcpm_enable_auto_vbus_discharge(port, true); - ret = tcpm_set_roles(port, true, TYPEC_STATE_USB, - TYPEC_SOURCE, tcpm_data_role_for_source(port)); - if (ret < 0) - return ret; - - if (port->pd_supported) { - ret = port->tcpc->set_pd_rx(port->tcpc, true); - if (ret < 0) - goto out_disable_mux; - } - /* * USB Type-C specification, version 1.2, * chapter 4.5.2.2.8.1 (Attached.SRC Requirements) @@ -4430,13 +4419,24 @@ static int tcpm_src_attach(struct tcpm_port *port) (polarity == TYPEC_POLARITY_CC2 && port->cc1 == TYPEC_CC_RA)) { ret = tcpm_set_vconn(port, true); if (ret < 0) - goto out_disable_pd; + return ret; } ret = tcpm_set_vbus(port, true); if (ret < 0) goto out_disable_vconn; + ret = tcpm_set_roles(port, true, TYPEC_STATE_USB, TYPEC_SOURCE, + tcpm_data_role_for_source(port)); + if (ret < 0) + goto out_disable_vbus; + + if (port->pd_supported) { + ret = port->tcpc->set_pd_rx(port->tcpc, true); + if (ret < 0) + goto out_disable_mux; + } + port->pd_capable = false; port->partner = NULL; @@ -4447,14 +4447,14 @@ static int tcpm_src_attach(struct tcpm_port *port) return 0; -out_disable_vconn: - tcpm_set_vconn(port, false); -out_disable_pd: - if (port->pd_supported) - port->tcpc->set_pd_rx(port->tcpc, false); out_disable_mux: tcpm_mux_set(port, TYPEC_STATE_SAFE, USB_ROLE_NONE, TYPEC_ORIENTATION_NONE); +out_disable_vbus: + tcpm_set_vbus(port, false); +out_disable_vconn: + tcpm_set_vconn(port, false); + return ret; }

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] platform/x86: think-lmi: Fix sysfs group cleanup" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 4f30f946f27b7f044cf8f3f1f353dee1dcd3517a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070829-barometer-imagines-9277@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 4f30f946f27b7f044cf8f3f1f353dee1dcd3517a Mon Sep 17 00:00:00 2001 From: Kurt Borja <kuurtb(a)gmail.com> Date: Mon, 30 Jun 2025 14:31:21 -0300 Subject: [PATCH] platform/x86: think-lmi: Fix sysfs group cleanup MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Many error paths in tlmi_sysfs_init() lead to sysfs groups being removed when they were not even created. Fix this by letting the kobject core manage these groups through their kobj_type's defult_groups. Fixes: a40cd7ef22fb ("platform/x86: think-lmi: Add WMI interface support on Lenovo platforms") Cc: stable(a)vger.kernel.org Reviewed-by: Mark Pearson <mpearson-lenovo(a)squebb.ca> Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Kurt Borja <kuurtb(a)gmail.com> Link: https://lore.kernel.org/r/20250630-lmi-fix-v3-3-ce4f81c9c481@gmail.com Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> diff --git a/drivers/platform/x86/think-lmi.c b/drivers/platform/x86/think-lmi.c index 69f361f21f0f..b73b84fdb15e 100644 --- a/drivers/platform/x86/think-lmi.c +++ b/drivers/platform/x86/think-lmi.c @@ -973,6 +973,7 @@ static const struct attribute_group auth_attr_group = { .is_visible = auth_attr_is_visible, .attrs = auth_attrs, }; +__ATTRIBUTE_GROUPS(auth_attr); /* ---- Attributes sysfs --------------------------------------------------------- */ static ssize_t display_name_show(struct kobject *kobj, struct kobj_attribute *attr, @@ -1188,6 +1189,7 @@ static const struct attribute_group tlmi_attr_group = { .is_visible = attr_is_visible, .attrs = tlmi_attrs, }; +__ATTRIBUTE_GROUPS(tlmi_attr); static void tlmi_attr_setting_release(struct kobject *kobj) { @@ -1207,11 +1209,13 @@ static void tlmi_pwd_setting_release(struct kobject *kobj) static const struct kobj_type tlmi_attr_setting_ktype = { .release = &tlmi_attr_setting_release, .sysfs_ops = &kobj_sysfs_ops, + .default_groups = tlmi_attr_groups, }; static const struct kobj_type tlmi_pwd_setting_ktype = { .release = &tlmi_pwd_setting_release, .sysfs_ops = &kobj_sysfs_ops, + .default_groups = auth_attr_groups, }; static ssize_t pending_reboot_show(struct kobject *kobj, struct kobj_attribute *attr, @@ -1381,14 +1385,8 @@ static struct kobj_attribute debug_cmd = __ATTR_WO(debug_cmd); static void tlmi_release_attr(void) { struct kobject *pos, *n; - int i; /* Attribute structures */ - for (i = 0; i < TLMI_SETTINGS_COUNT; i++) { - if (tlmi_priv.setting[i]) { - sysfs_remove_group(&tlmi_priv.setting[i]->kobj, &tlmi_attr_group); - } - } sysfs_remove_file(&tlmi_priv.attribute_kset->kobj, &pending_reboot.attr); sysfs_remove_file(&tlmi_priv.attribute_kset->kobj, &save_settings.attr); @@ -1405,15 +1403,6 @@ static void tlmi_release_attr(void) kfree(tlmi_priv.pwd_admin->save_signature); /* Authentication structures */ - sysfs_remove_group(&tlmi_priv.pwd_admin->kobj, &auth_attr_group); - sysfs_remove_group(&tlmi_priv.pwd_power->kobj, &auth_attr_group); - - if (tlmi_priv.opcode_support) { - sysfs_remove_group(&tlmi_priv.pwd_system->kobj, &auth_attr_group); - sysfs_remove_group(&tlmi_priv.pwd_hdd->kobj, &auth_attr_group); - sysfs_remove_group(&tlmi_priv.pwd_nvme->kobj, &auth_attr_group); - } - list_for_each_entry_safe(pos, n, &tlmi_priv.authentication_kset->list, entry) kobject_put(pos); @@ -1484,10 +1473,6 @@ static int tlmi_sysfs_init(void) NULL, "%s", tlmi_priv.setting[i]->display_name); if (ret) goto fail_create_attr; - - ret = sysfs_create_group(&tlmi_priv.setting[i]->kobj, &tlmi_attr_group); - if (ret) - goto fail_create_attr; } ret = sysfs_create_file(&tlmi_priv.attribute_kset->kobj, &pending_reboot.attr); @@ -1511,20 +1496,12 @@ static int tlmi_sysfs_init(void) if (ret) goto fail_create_attr; - ret = sysfs_create_group(&tlmi_priv.pwd_admin->kobj, &auth_attr_group); - if (ret) - goto fail_create_attr; - tlmi_priv.pwd_power->kobj.kset = tlmi_priv.authentication_kset; ret = kobject_init_and_add(&tlmi_priv.pwd_power->kobj, &tlmi_pwd_setting_ktype, NULL, "%s", "Power-on"); if (ret) goto fail_create_attr; - ret = sysfs_create_group(&tlmi_priv.pwd_power->kobj, &auth_attr_group); - if (ret) - goto fail_create_attr; - if (tlmi_priv.opcode_support) { tlmi_priv.pwd_system->kobj.kset = tlmi_priv.authentication_kset; ret = kobject_init_and_add(&tlmi_priv.pwd_system->kobj, &tlmi_pwd_setting_ktype, @@ -1532,29 +1509,17 @@ static int tlmi_sysfs_init(void) if (ret) goto fail_create_attr; - ret = sysfs_create_group(&tlmi_priv.pwd_system->kobj, &auth_attr_group); - if (ret) - goto fail_create_attr; - tlmi_priv.pwd_hdd->kobj.kset = tlmi_priv.authentication_kset; ret = kobject_init_and_add(&tlmi_priv.pwd_hdd->kobj, &tlmi_pwd_setting_ktype, NULL, "%s", "HDD"); if (ret) goto fail_create_attr; - ret = sysfs_create_group(&tlmi_priv.pwd_hdd->kobj, &auth_attr_group); - if (ret) - goto fail_create_attr; - tlmi_priv.pwd_nvme->kobj.kset = tlmi_priv.authentication_kset; ret = kobject_init_and_add(&tlmi_priv.pwd_nvme->kobj, &tlmi_pwd_setting_ktype, NULL, "%s", "NVMe"); if (ret) goto fail_create_attr; - - ret = sysfs_create_group(&tlmi_priv.pwd_nvme->kobj, &auth_attr_group); - if (ret) - goto fail_create_attr; } return ret;

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] platform/x86: think-lmi: Fix sysfs group cleanup" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 4f30f946f27b7f044cf8f3f1f353dee1dcd3517a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070828-depose-reaffirm-f1ea@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 4f30f946f27b7f044cf8f3f1f353dee1dcd3517a Mon Sep 17 00:00:00 2001 From: Kurt Borja <kuurtb(a)gmail.com> Date: Mon, 30 Jun 2025 14:31:21 -0300 Subject: [PATCH] platform/x86: think-lmi: Fix sysfs group cleanup MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Many error paths in tlmi_sysfs_init() lead to sysfs groups being removed when they were not even created. Fix this by letting the kobject core manage these groups through their kobj_type's defult_groups. Fixes: a40cd7ef22fb ("platform/x86: think-lmi: Add WMI interface support on Lenovo platforms") Cc: stable(a)vger.kernel.org Reviewed-by: Mark Pearson <mpearson-lenovo(a)squebb.ca> Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Kurt Borja <kuurtb(a)gmail.com> Link: https://lore.kernel.org/r/20250630-lmi-fix-v3-3-ce4f81c9c481@gmail.com Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> diff --git a/drivers/platform/x86/think-lmi.c b/drivers/platform/x86/think-lmi.c index 69f361f21f0f..b73b84fdb15e 100644 --- a/drivers/platform/x86/think-lmi.c +++ b/drivers/platform/x86/think-lmi.c @@ -973,6 +973,7 @@ static const struct attribute_group auth_attr_group = { .is_visible = auth_attr_is_visible, .attrs = auth_attrs, }; +__ATTRIBUTE_GROUPS(auth_attr); /* ---- Attributes sysfs --------------------------------------------------------- */ static ssize_t display_name_show(struct kobject *kobj, struct kobj_attribute *attr, @@ -1188,6 +1189,7 @@ static const struct attribute_group tlmi_attr_group = { .is_visible = attr_is_visible, .attrs = tlmi_attrs, }; +__ATTRIBUTE_GROUPS(tlmi_attr); static void tlmi_attr_setting_release(struct kobject *kobj) { @@ -1207,11 +1209,13 @@ static void tlmi_pwd_setting_release(struct kobject *kobj) static const struct kobj_type tlmi_attr_setting_ktype = { .release = &tlmi_attr_setting_release, .sysfs_ops = &kobj_sysfs_ops, + .default_groups = tlmi_attr_groups, }; static const struct kobj_type tlmi_pwd_setting_ktype = { .release = &tlmi_pwd_setting_release, .sysfs_ops = &kobj_sysfs_ops, + .default_groups = auth_attr_groups, }; static ssize_t pending_reboot_show(struct kobject *kobj, struct kobj_attribute *attr, @@ -1381,14 +1385,8 @@ static struct kobj_attribute debug_cmd = __ATTR_WO(debug_cmd); static void tlmi_release_attr(void) { struct kobject *pos, *n; - int i; /* Attribute structures */ - for (i = 0; i < TLMI_SETTINGS_COUNT; i++) { - if (tlmi_priv.setting[i]) { - sysfs_remove_group(&tlmi_priv.setting[i]->kobj, &tlmi_attr_group); - } - } sysfs_remove_file(&tlmi_priv.attribute_kset->kobj, &pending_reboot.attr); sysfs_remove_file(&tlmi_priv.attribute_kset->kobj, &save_settings.attr); @@ -1405,15 +1403,6 @@ static void tlmi_release_attr(void) kfree(tlmi_priv.pwd_admin->save_signature); /* Authentication structures */ - sysfs_remove_group(&tlmi_priv.pwd_admin->kobj, &auth_attr_group); - sysfs_remove_group(&tlmi_priv.pwd_power->kobj, &auth_attr_group); - - if (tlmi_priv.opcode_support) { - sysfs_remove_group(&tlmi_priv.pwd_system->kobj, &auth_attr_group); - sysfs_remove_group(&tlmi_priv.pwd_hdd->kobj, &auth_attr_group); - sysfs_remove_group(&tlmi_priv.pwd_nvme->kobj, &auth_attr_group); - } - list_for_each_entry_safe(pos, n, &tlmi_priv.authentication_kset->list, entry) kobject_put(pos); @@ -1484,10 +1473,6 @@ static int tlmi_sysfs_init(void) NULL, "%s", tlmi_priv.setting[i]->display_name); if (ret) goto fail_create_attr; - - ret = sysfs_create_group(&tlmi_priv.setting[i]->kobj, &tlmi_attr_group); - if (ret) - goto fail_create_attr; } ret = sysfs_create_file(&tlmi_priv.attribute_kset->kobj, &pending_reboot.attr); @@ -1511,20 +1496,12 @@ static int tlmi_sysfs_init(void) if (ret) goto fail_create_attr; - ret = sysfs_create_group(&tlmi_priv.pwd_admin->kobj, &auth_attr_group); - if (ret) - goto fail_create_attr; - tlmi_priv.pwd_power->kobj.kset = tlmi_priv.authentication_kset; ret = kobject_init_and_add(&tlmi_priv.pwd_power->kobj, &tlmi_pwd_setting_ktype, NULL, "%s", "Power-on"); if (ret) goto fail_create_attr; - ret = sysfs_create_group(&tlmi_priv.pwd_power->kobj, &auth_attr_group); - if (ret) - goto fail_create_attr; - if (tlmi_priv.opcode_support) { tlmi_priv.pwd_system->kobj.kset = tlmi_priv.authentication_kset; ret = kobject_init_and_add(&tlmi_priv.pwd_system->kobj, &tlmi_pwd_setting_ktype, @@ -1532,29 +1509,17 @@ static int tlmi_sysfs_init(void) if (ret) goto fail_create_attr; - ret = sysfs_create_group(&tlmi_priv.pwd_system->kobj, &auth_attr_group); - if (ret) - goto fail_create_attr; - tlmi_priv.pwd_hdd->kobj.kset = tlmi_priv.authentication_kset; ret = kobject_init_and_add(&tlmi_priv.pwd_hdd->kobj, &tlmi_pwd_setting_ktype, NULL, "%s", "HDD"); if (ret) goto fail_create_attr; - ret = sysfs_create_group(&tlmi_priv.pwd_hdd->kobj, &auth_attr_group); - if (ret) - goto fail_create_attr; - tlmi_priv.pwd_nvme->kobj.kset = tlmi_priv.authentication_kset; ret = kobject_init_and_add(&tlmi_priv.pwd_nvme->kobj, &tlmi_pwd_setting_ktype, NULL, "%s", "NVMe"); if (ret) goto fail_create_attr; - - ret = sysfs_create_group(&tlmi_priv.pwd_nvme->kobj, &auth_attr_group); - if (ret) - goto fail_create_attr; } return ret;

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] powercap: intel_rapl: Do not change CLAMPING bit if ENABLE" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 964209202ebe1569c858337441e87ef0f9d71416 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070819-upturned-grope-5b8e@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 964209202ebe1569c858337441e87ef0f9d71416 Mon Sep 17 00:00:00 2001 From: Zhang Rui <rui.zhang(a)intel.com> Date: Thu, 19 Jun 2025 15:13:40 +0800 Subject: [PATCH] powercap: intel_rapl: Do not change CLAMPING bit if ENABLE bit cannot be changed PL1 cannot be disabled on some platforms. The ENABLE bit is still set after software clears it. This behavior leads to a scenario where, upon user request to disable the Power Limit through the powercap sysfs, the ENABLE bit remains set while the CLAMPING bit is inadvertently cleared. According to the Intel Software Developer's Manual, the CLAMPING bit, "When set, allows the processor to go below the OS requested P states in order to maintain the power below specified Platform Power Limit value." Thus this means the system may operate at higher power levels than intended on such platforms. Enhance the code to check ENABLE bit after writing to it, and stop further processing if ENABLE bit cannot be changed. Reported-by: Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> Fixes: 2d281d8196e3 ("PowerCap: Introduce Intel RAPL power capping driver") Cc: All applicable <stable(a)vger.kernel.org> Signed-off-by: Zhang Rui <rui.zhang(a)intel.com> Link: https://patch.msgid.link/20250619071340.384782-1-rui.zhang@intel.com [ rjw: Use str_enabled_disabled() instead of open-coded equivalent ] Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> diff --git a/drivers/powercap/intel_rapl_common.c b/drivers/powercap/intel_rapl_common.c index e3be40adc0d7..faa0b6bc5b53 100644 --- a/drivers/powercap/intel_rapl_common.c +++ b/drivers/powercap/intel_rapl_common.c @@ -341,12 +341,28 @@ static int set_domain_enable(struct powercap_zone *power_zone, bool mode) { struct rapl_domain *rd = power_zone_to_rapl_domain(power_zone); struct rapl_defaults *defaults = get_defaults(rd->rp); + u64 val; int ret; cpus_read_lock(); ret = rapl_write_pl_data(rd, POWER_LIMIT1, PL_ENABLE, mode); - if (!ret && defaults->set_floor_freq) + if (ret) + goto end; + + ret = rapl_read_pl_data(rd, POWER_LIMIT1, PL_ENABLE, false, &val); + if (ret) + goto end; + + if (mode != val) { + pr_debug("%s cannot be %s\n", power_zone->name, + str_enabled_disabled(mode)); + goto end; + } + + if (defaults->set_floor_freq) defaults->set_floor_freq(rd, mode); + +end: cpus_read_unlock(); return ret;

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] powercap: intel_rapl: Do not change CLAMPING bit if ENABLE" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 964209202ebe1569c858337441e87ef0f9d71416 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070819-mourner-tingling-cd53@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 964209202ebe1569c858337441e87ef0f9d71416 Mon Sep 17 00:00:00 2001 From: Zhang Rui <rui.zhang(a)intel.com> Date: Thu, 19 Jun 2025 15:13:40 +0800 Subject: [PATCH] powercap: intel_rapl: Do not change CLAMPING bit if ENABLE bit cannot be changed PL1 cannot be disabled on some platforms. The ENABLE bit is still set after software clears it. This behavior leads to a scenario where, upon user request to disable the Power Limit through the powercap sysfs, the ENABLE bit remains set while the CLAMPING bit is inadvertently cleared. According to the Intel Software Developer's Manual, the CLAMPING bit, "When set, allows the processor to go below the OS requested P states in order to maintain the power below specified Platform Power Limit value." Thus this means the system may operate at higher power levels than intended on such platforms. Enhance the code to check ENABLE bit after writing to it, and stop further processing if ENABLE bit cannot be changed. Reported-by: Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> Fixes: 2d281d8196e3 ("PowerCap: Introduce Intel RAPL power capping driver") Cc: All applicable <stable(a)vger.kernel.org> Signed-off-by: Zhang Rui <rui.zhang(a)intel.com> Link: https://patch.msgid.link/20250619071340.384782-1-rui.zhang@intel.com [ rjw: Use str_enabled_disabled() instead of open-coded equivalent ] Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> diff --git a/drivers/powercap/intel_rapl_common.c b/drivers/powercap/intel_rapl_common.c index e3be40adc0d7..faa0b6bc5b53 100644 --- a/drivers/powercap/intel_rapl_common.c +++ b/drivers/powercap/intel_rapl_common.c @@ -341,12 +341,28 @@ static int set_domain_enable(struct powercap_zone *power_zone, bool mode) { struct rapl_domain *rd = power_zone_to_rapl_domain(power_zone); struct rapl_defaults *defaults = get_defaults(rd->rp); + u64 val; int ret; cpus_read_lock(); ret = rapl_write_pl_data(rd, POWER_LIMIT1, PL_ENABLE, mode); - if (!ret && defaults->set_floor_freq) + if (ret) + goto end; + + ret = rapl_read_pl_data(rd, POWER_LIMIT1, PL_ENABLE, false, &val); + if (ret) + goto end; + + if (mode != val) { + pr_debug("%s cannot be %s\n", power_zone->name, + str_enabled_disabled(mode)); + goto end; + } + + if (defaults->set_floor_freq) defaults->set_floor_freq(rd, mode); + +end: cpus_read_unlock(); return ret;

4 months, 2 weeks

1
0
0 0

[PATCH v3] drm/framebuffer: Acquire internal references on GEM handles

by Thomas Zimmermann

Acquire GEM handles in drm_framebuffer_init() and release them in the corresponding drm_framebuffer_cleanup(). Ties the handle's lifetime to the framebuffer. Not all GEM buffer objects have GEM handles. If not set, no refcounting takes place. This is the case for some fbdev emulation. This is not a problem as these GEM objects do not use dma-bufs and drivers will not release them while fbdev emulation is running. Framebuffer flags keep a bit per color plane of which the framebuffer holds a GEM handle reference. As all drivers use drm_framebuffer_init(), they will now all hold dma-buf references as fixed in commit 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers"). In the GEM framebuffer helpers, restore the original ref counting on buffer objects. As the helpers for handle refcounting are now no longer called from outside the DRM core, unexport the symbols. v3: - don't mix internal flags with mode flags (Christian) v2: - track framebuffer handle refs by flag - drop gma500 cleanup (Christian) Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Fixes: 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers") Reported-by: Bert Karwatzki <spasswolf(a)web.de> Closes: https://lore.kernel.org/dri-devel/20250703115915.3096-1-spasswolf@web.de/ Tested-by: Bert Karwatzki <spasswolf(a)web.de> Tested-by: Mario Limonciello <superm1(a)kernel.org> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: Anusha Srivatsa <asrivats(a)redhat.com> Cc: Christian König <christian.koenig(a)amd.com> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Maxime Ripard <mripard(a)kernel.org> Cc: Sumit Semwal <sumit.semwal(a)linaro.org> Cc: "Christian König" <christian.koenig(a)amd.com> Cc: linux-media(a)vger.kernel.org Cc: dri-devel(a)lists.freedesktop.org Cc: linaro-mm-sig(a)lists.linaro.org Cc: <stable(a)vger.kernel.org> --- drivers/gpu/drm/drm_framebuffer.c | 31 ++++++++++++++-- drivers/gpu/drm/drm_gem.c | 38 ++++++++++++-------- drivers/gpu/drm/drm_gem_framebuffer_helper.c | 16 ++++----- drivers/gpu/drm/drm_internal.h | 2 +- include/drm/drm_framebuffer.h | 7 ++++ 5 files changed, 68 insertions(+), 26 deletions(-) diff --git a/drivers/gpu/drm/drm_framebuffer.c b/drivers/gpu/drm/drm_framebuffer.c index b781601946db..63a70f285cce 100644 --- a/drivers/gpu/drm/drm_framebuffer.c +++ b/drivers/gpu/drm/drm_framebuffer.c @@ -862,11 +862,23 @@ EXPORT_SYMBOL_FOR_TESTS_ONLY(drm_framebuffer_free); int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb, const struct drm_framebuffer_funcs *funcs) { + unsigned int i; int ret; + bool exists; if (WARN_ON_ONCE(fb->dev != dev || !fb->format)) return -EINVAL; + for (i = 0; i < fb->format->num_planes; i++) { + if (drm_WARN_ON_ONCE(dev, fb->internal_flags & DRM_FRAMEBUFFER_HAS_HANDLE_REF(i))) + fb->internal_flags &= ~DRM_FRAMEBUFFER_HAS_HANDLE_REF(i); + if (fb->obj[i]) { + exists = drm_gem_object_handle_get_if_exists_unlocked(fb->obj[i]); + if (exists) + fb->internal_flags |= DRM_FRAMEBUFFER_HAS_HANDLE_REF(i); + } + } + INIT_LIST_HEAD(&fb->filp_head); fb->funcs = funcs; @@ -875,7 +887,7 @@ int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb, ret = __drm_mode_object_add(dev, &fb->base, DRM_MODE_OBJECT_FB, false, drm_framebuffer_free); if (ret) - goto out; + goto err; mutex_lock(&dev->mode_config.fb_lock); dev->mode_config.num_fb++; @@ -883,7 +895,16 @@ int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb, mutex_unlock(&dev->mode_config.fb_lock); drm_mode_object_register(dev, &fb->base); -out: + + return 0; + +err: + for (i = 0; i < fb->format->num_planes; i++) { + if (fb->internal_flags & DRM_FRAMEBUFFER_HAS_HANDLE_REF(i)) { + drm_gem_object_handle_put_unlocked(fb->obj[i]); + fb->internal_flags &= ~DRM_FRAMEBUFFER_HAS_HANDLE_REF(i); + } + } return ret; } EXPORT_SYMBOL(drm_framebuffer_init); @@ -960,6 +981,12 @@ EXPORT_SYMBOL(drm_framebuffer_unregister_private); void drm_framebuffer_cleanup(struct drm_framebuffer *fb) { struct drm_device *dev = fb->dev; + unsigned int i; + + for (i = 0; i < fb->format->num_planes; i++) { + if (fb->internal_flags & DRM_FRAMEBUFFER_HAS_HANDLE_REF(i)) + drm_gem_object_handle_put_unlocked(fb->obj[i]); + } mutex_lock(&dev->mode_config.fb_lock); list_del(&fb->head); diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index bc505d938b3e..41cdab6088ae 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -224,23 +224,34 @@ static void drm_gem_object_handle_get(struct drm_gem_object *obj) } /** - * drm_gem_object_handle_get_unlocked - acquire reference on user-space handles + * drm_gem_object_handle_get_if_exists_unlocked - acquire reference on user-space handle, if any * @obj: GEM object * - * Acquires a reference on the GEM buffer object's handle. Required - * to keep the GEM object alive. Call drm_gem_object_handle_put_unlocked() - * to release the reference. + * Acquires a reference on the GEM buffer object's handle. Required to keep + * the GEM object alive. Call drm_gem_object_handle_put_if_exists_unlocked() + * to release the reference. Does nothing if the buffer object has no handle. + * + * Returns: + * True if a handle exists, or false otherwise */ -void drm_gem_object_handle_get_unlocked(struct drm_gem_object *obj) +bool drm_gem_object_handle_get_if_exists_unlocked(struct drm_gem_object *obj) { struct drm_device *dev = obj->dev; guard(mutex)(&dev->object_name_lock); - drm_WARN_ON(dev, !obj->handle_count); /* first ref taken in create-tail helper */ + /* + * First ref taken during GEM object creation, if any. Some + * drivers set up internal framebuffers with GEM objects that + * do not have a GEM handle. Hence, this counter can be zero. + */ + if (!obj->handle_count) + return false; + drm_gem_object_handle_get(obj); + + return true; } -EXPORT_SYMBOL(drm_gem_object_handle_get_unlocked); /** * drm_gem_object_handle_free - release resources bound to userspace handles @@ -273,7 +284,7 @@ static void drm_gem_object_exported_dma_buf_free(struct drm_gem_object *obj) } /** - * drm_gem_object_handle_put_unlocked - releases reference on user-space handles + * drm_gem_object_handle_put_unlocked - releases reference on user-space handle * @obj: GEM object * * Releases a reference on the GEM buffer object's handle. Possibly releases @@ -284,14 +295,14 @@ void drm_gem_object_handle_put_unlocked(struct drm_gem_object *obj) struct drm_device *dev = obj->dev; bool final = false; - if (WARN_ON(READ_ONCE(obj->handle_count) == 0)) + if (drm_WARN_ON(dev, READ_ONCE(obj->handle_count) == 0)) return; /* - * Must bump handle count first as this may be the last - * ref, in which case the object would disappear before we - * checked for a name - */ + * Must bump handle count first as this may be the last + * ref, in which case the object would disappear before + * we checked for a name. + */ mutex_lock(&dev->object_name_lock); if (--obj->handle_count == 0) { @@ -304,7 +315,6 @@ void drm_gem_object_handle_put_unlocked(struct drm_gem_object *obj) if (final) drm_gem_object_put(obj); } -EXPORT_SYMBOL(drm_gem_object_handle_put_unlocked); /* * Called at device or object close to release the file's diff --git a/drivers/gpu/drm/drm_gem_framebuffer_helper.c b/drivers/gpu/drm/drm_gem_framebuffer_helper.c index c60d0044d036..618ce725cd75 100644 --- a/drivers/gpu/drm/drm_gem_framebuffer_helper.c +++ b/drivers/gpu/drm/drm_gem_framebuffer_helper.c @@ -100,7 +100,7 @@ void drm_gem_fb_destroy(struct drm_framebuffer *fb) unsigned int i; for (i = 0; i < fb->format->num_planes; i++) - drm_gem_object_handle_put_unlocked(fb->obj[i]); + drm_gem_object_put(fb->obj[i]); drm_framebuffer_cleanup(fb); kfree(fb); @@ -183,10 +183,8 @@ int drm_gem_fb_init_with_funcs(struct drm_device *dev, if (!objs[i]) { drm_dbg_kms(dev, "Failed to lookup GEM object\n"); ret = -ENOENT; - goto err_gem_object_handle_put_unlocked; + goto err_gem_object_put; } - drm_gem_object_handle_get_unlocked(objs[i]); - drm_gem_object_put(objs[i]); min_size = (height - 1) * mode_cmd->pitches[i] + drm_format_info_min_pitch(info, i, width) @@ -196,22 +194,22 @@ int drm_gem_fb_init_with_funcs(struct drm_device *dev, drm_dbg_kms(dev, "GEM object size (%zu) smaller than minimum size (%u) for plane %d\n", objs[i]->size, min_size, i); - drm_gem_object_handle_put_unlocked(objs[i]); + drm_gem_object_put(objs[i]); ret = -EINVAL; - goto err_gem_object_handle_put_unlocked; + goto err_gem_object_put; } } ret = drm_gem_fb_init(dev, fb, mode_cmd, objs, i, funcs); if (ret) - goto err_gem_object_handle_put_unlocked; + goto err_gem_object_put; return 0; -err_gem_object_handle_put_unlocked: +err_gem_object_put: while (i > 0) { --i; - drm_gem_object_handle_put_unlocked(objs[i]); + drm_gem_object_put(objs[i]); } return ret; } diff --git a/drivers/gpu/drm/drm_internal.h b/drivers/gpu/drm/drm_internal.h index f921cc73f8b8..e79c3c623c9a 100644 --- a/drivers/gpu/drm/drm_internal.h +++ b/drivers/gpu/drm/drm_internal.h @@ -161,7 +161,7 @@ void drm_sysfs_lease_event(struct drm_device *dev); /* drm_gem.c */ int drm_gem_init(struct drm_device *dev); -void drm_gem_object_handle_get_unlocked(struct drm_gem_object *obj); +bool drm_gem_object_handle_get_if_exists_unlocked(struct drm_gem_object *obj); void drm_gem_object_handle_put_unlocked(struct drm_gem_object *obj); int drm_gem_handle_create_tail(struct drm_file *file_priv, struct drm_gem_object *obj, diff --git a/include/drm/drm_framebuffer.h b/include/drm/drm_framebuffer.h index 668077009fce..38b24fc8978d 100644 --- a/include/drm/drm_framebuffer.h +++ b/include/drm/drm_framebuffer.h @@ -23,6 +23,7 @@ #ifndef __DRM_FRAMEBUFFER_H__ #define __DRM_FRAMEBUFFER_H__ +#include <linux/bits.h> #include <linux/ctype.h> #include <linux/list.h> #include <linux/sched.h> @@ -100,6 +101,8 @@ struct drm_framebuffer_funcs { unsigned num_clips); }; +#define DRM_FRAMEBUFFER_HAS_HANDLE_REF(_i) BIT(0u + (_i)) + /** * struct drm_framebuffer - frame buffer object * @@ -188,6 +191,10 @@ struct drm_framebuffer { * DRM_MODE_FB_MODIFIERS. */ int flags; + /** + * @internal_flags: Framebuffer flags like DRM_FRAMEBUFFER_HAS_HANDLE_REF. + */ + unsigned int internal_flags; /** * @filp_head: Placed on &drm_file.fbs, protected by &drm_file.fbs_lock. */ -- 2.50.0

4 months, 2 weeks

3
3
0 0

[PATCH] comedi: comedi_test: Fix possible deletion of uninitialized timers

by Ian Abbott

In `waveform_common_attach()`, the two timers `&devpriv->ai_timer` and `&devpriv->ao_timer` are initialized after the allocation of the device private data by `comedi_alloc_devpriv()` and the subdevices by `comedi_alloc_subdevices()`. The function may return with an error between those function calls. In that case, `waveform_detach()` will be called by the Comedi core to clean up. The check that `waveform_detach()` uses to decide whether to delete the timers is incorrect. It only checks that the device private data was allocated, but that does not guarantee that the timers were initialized. It also needs to check that the subdevices were allocated. Fix it. Fixes: 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up") Cc: <stable(a)vger.kernel.org> # 6.15+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> --- Patch fails to apply to kernels before 6.15, requiring backports. --- drivers/comedi/drivers/comedi_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/comedi/drivers/comedi_test.c b/drivers/comedi/drivers/comedi_test.c index 9747e6d1f6eb..7984950f0f99 100644 --- a/drivers/comedi/drivers/comedi_test.c +++ b/drivers/comedi/drivers/comedi_test.c @@ -792,7 +792,7 @@ static void waveform_detach(struct comedi_device *dev) { struct waveform_private *devpriv = dev->private; - if (devpriv) { + if (devpriv && dev->n_subdevices) { timer_delete_sync(&devpriv->ai_timer); timer_delete_sync(&devpriv->ao_timer); } -- 2.47.2

4 months, 2 weeks

1
0
0 0

[PATCH 5.10/5.15] mm/hugetlb: fix assertion splat in hugetlb_split()

by Fedor Pchelkin

No upstream commit exists for this patch. The following assertion is firing on 5.10 to 6.1 stable kernels after backport of upstream commit 081056dc00a2 ("mm/hugetlb: unshare page tables during VMA split, not before"): WARNING: CPU: 0 PID: 11489 at include/linux/fs.h:503 i_mmap_assert_write_locked include/linux/fs.h:503 [inline] WARNING: CPU: 0 PID: 11489 at include/linux/fs.h:503 hugetlb_split+0x267/0x300 mm/hugetlb.c:4917 Modules linked in: CPU: 0 PID: 11489 Comm: syz-executor.4 Not tainted 6.1.142-syzkaller-00296-gfd0df5221577 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:i_mmap_assert_write_locked include/linux/fs.h:503 [inline] RIP: 0010:hugetlb_split+0x267/0x300 mm/hugetlb.c:4917 Call Trace: <TASK> __vma_adjust+0xd73/0x1c10 mm/mmap.c:736 vma_adjust include/linux/mm.h:2745 [inline] __split_vma+0x459/0x540 mm/mmap.c:2385 do_mas_align_munmap+0x5f2/0xf10 mm/mmap.c:2497 do_mas_munmap+0x26c/0x2c0 mm/mmap.c:2646 __mmap_region mm/mmap.c:2694 [inline] mmap_region+0x19f/0x1770 mm/mmap.c:2912 do_mmap+0x84b/0xf20 mm/mmap.c:1432 vm_mmap_pgoff+0x1af/0x280 mm/util.c:520 ksys_mmap_pgoff+0x41f/0x5a0 mm/mmap.c:1478 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 RIP: 0033:0x46a269 </TASK> Those branches lack commit ccf1d78d8b86 ("mm/mmap: move vma_prepare before vma_adjust_trans_huge") so the needed locks are taken just after the newly added hugetlb_split(). Adjust the position of vma_adjust_trans_huge() blocks with the lock-taking code. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 081056dc00a2 ("mm/hugetlb: unshare page tables during VMA split, not before") Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- Tested with testcases/kernel/mem/hugetlb/hugemmap suite provided by LTP. For the report see: https://lore.kernel.org/stable/CAG48ez3LqUwXxhRY56tqQCpfGJsJ-GeXFG9FCcTZEBo… mm/mmap.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/mm/mmap.c b/mm/mmap.c index 8c188ed3738a..13669a33a515 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -832,16 +832,6 @@ int __vma_adjust(struct vm_area_struct *vma, unsigned long start, } } again: - /* - * Get rid of huge pages and shared page tables straddling the split - * boundary. - */ - vma_adjust_trans_huge(orig_vma, start, end, adjust_next); - if (is_vm_hugetlb_page(orig_vma)) { - hugetlb_split(orig_vma, start); - hugetlb_split(orig_vma, end); - } - if (file) { mapping = file->f_mapping; root = &mapping->i_mmap; @@ -881,6 +871,16 @@ int __vma_adjust(struct vm_area_struct *vma, unsigned long start, vma_interval_tree_remove(next, root); } + /* + * Get rid of huge pages and shared page tables straddling the split + * boundary. + */ + vma_adjust_trans_huge(orig_vma, start, end, adjust_next); + if (is_vm_hugetlb_page(orig_vma)) { + hugetlb_split(orig_vma, start); + hugetlb_split(orig_vma, end); + } + if (start != vma->vm_start) { vma->vm_start = start; start_changed = true; -- 2.50.0

4 months, 2 weeks

1
0
0 0

[PATCH 6.1] mm/hugetlb: fix assertion splat in hugetlb_split()

by Fedor Pchelkin

No upstream commit exists for this patch. The following assertion is firing on 5.10 to 6.1 stable kernels after backport of upstream commit 081056dc00a2 ("mm/hugetlb: unshare page tables during VMA split, not before"): WARNING: CPU: 0 PID: 11489 at include/linux/fs.h:503 i_mmap_assert_write_locked include/linux/fs.h:503 [inline] WARNING: CPU: 0 PID: 11489 at include/linux/fs.h:503 hugetlb_split+0x267/0x300 mm/hugetlb.c:4917 Modules linked in: CPU: 0 PID: 11489 Comm: syz-executor.4 Not tainted 6.1.142-syzkaller-00296-gfd0df5221577 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:i_mmap_assert_write_locked include/linux/fs.h:503 [inline] RIP: 0010:hugetlb_split+0x267/0x300 mm/hugetlb.c:4917 Call Trace: <TASK> __vma_adjust+0xd73/0x1c10 mm/mmap.c:736 vma_adjust include/linux/mm.h:2745 [inline] __split_vma+0x459/0x540 mm/mmap.c:2385 do_mas_align_munmap+0x5f2/0xf10 mm/mmap.c:2497 do_mas_munmap+0x26c/0x2c0 mm/mmap.c:2646 __mmap_region mm/mmap.c:2694 [inline] mmap_region+0x19f/0x1770 mm/mmap.c:2912 do_mmap+0x84b/0xf20 mm/mmap.c:1432 vm_mmap_pgoff+0x1af/0x280 mm/util.c:520 ksys_mmap_pgoff+0x41f/0x5a0 mm/mmap.c:1478 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 RIP: 0033:0x46a269 </TASK> Those branches lack commit ccf1d78d8b86 ("mm/mmap: move vma_prepare before vma_adjust_trans_huge") so the needed locks are taken just after the newly added hugetlb_split(). Adjust the position of vma_adjust_trans_huge() blocks with the lock-taking code. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 081056dc00a2 ("mm/hugetlb: unshare page tables during VMA split, not before") Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- Tested with testcases/kernel/mem/hugetlb/hugemmap suite provided by LTP. For the report see: https://lore.kernel.org/stable/CAG48ez3LqUwXxhRY56tqQCpfGJsJ-GeXFG9FCcTZEBo… mm/mmap.c | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/mm/mmap.c b/mm/mmap.c index 0f303dc8425a..941880ed62d7 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -543,8 +543,6 @@ inline int vma_expand(struct ma_state *mas, struct vm_area_struct *vma, if (mas_preallocate(mas, vma, GFP_KERNEL)) goto nomem; - vma_adjust_trans_huge(vma, start, end, 0); - if (file) { mapping = file->f_mapping; root = &mapping->i_mmap; @@ -562,6 +560,8 @@ inline int vma_expand(struct ma_state *mas, struct vm_area_struct *vma, vma_interval_tree_remove(vma, root); } + vma_adjust_trans_huge(vma, start, end, 0); + vma->vm_start = start; vma->vm_end = end; vma->vm_pgoff = pgoff; @@ -727,15 +727,6 @@ int __vma_adjust(struct vm_area_struct *vma, unsigned long start, return -ENOMEM; } - /* - * Get rid of huge pages and shared page tables straddling the split - * boundary. - */ - vma_adjust_trans_huge(orig_vma, start, end, adjust_next); - if (is_vm_hugetlb_page(orig_vma)) { - hugetlb_split(orig_vma, start); - hugetlb_split(orig_vma, end); - } if (file) { mapping = file->f_mapping; root = &mapping->i_mmap; @@ -775,6 +766,16 @@ int __vma_adjust(struct vm_area_struct *vma, unsigned long start, vma_interval_tree_remove(next, root); } + /* + * Get rid of huge pages and shared page tables straddling the split + * boundary. + */ + vma_adjust_trans_huge(orig_vma, start, end, adjust_next); + if (is_vm_hugetlb_page(orig_vma)) { + hugetlb_split(orig_vma, start); + hugetlb_split(orig_vma, end); + } + if (start != vma->vm_start) { if ((vma->vm_start < start) && (!insert || (insert->vm_end != start))) { -- 2.50.0

4 months, 2 weeks

1
0
0 0

[PATCH v3] wifi: wilc1000: Add error handling for wilc_sdio_cmd52()

by Wentao Liang

The wilc_sdio_read_size() calls wilc_sdio_cmd52() but does not check the return value. This could lead to execution with potentially invalid data if wilc_sdio_cmd52() fails. A proper implementation can be found in wilc_sdio_read_reg(). Add error handling for wilc_sdio_cmd52(). If wilc_sdio_cmd52() fails, log an error message via dev_err(). Fixes: ea5779b4fbc7 ("staging: wilc1000: wilc_sdio_cmd52: pass struct wilc") Cc: stable(a)vger.kernel.org # v4.5 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- v3: Remove redundant error log. Fix code error. Fix fixes flag error. v2: Fix code error. drivers/net/wireless/microchip/wilc1000/sdio.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/microchip/wilc1000/sdio.c b/drivers/net/wireless/microchip/wilc1000/sdio.c index 5262c8846c13..d77f88996250 100644 --- a/drivers/net/wireless/microchip/wilc1000/sdio.c +++ b/drivers/net/wireless/microchip/wilc1000/sdio.c @@ -771,6 +771,7 @@ static int wilc_sdio_read_size(struct wilc *wilc, u32 *size) { u32 tmp; struct sdio_cmd52 cmd; + int ret; /** * Read DMA count in words @@ -780,12 +781,16 @@ static int wilc_sdio_read_size(struct wilc *wilc, u32 *size) cmd.raw = 0; cmd.address = WILC_SDIO_INTERRUPT_DATA_SZ_REG; cmd.data = 0; - wilc_sdio_cmd52(wilc, &cmd); + ret = wilc_sdio_cmd52(wilc, &cmd); + if (ret) + return ret; tmp = cmd.data; cmd.address = WILC_SDIO_INTERRUPT_DATA_SZ_REG + 1; cmd.data = 0; - wilc_sdio_cmd52(wilc, &cmd); + ret = wilc_sdio_cmd52(wilc, &cmd); + if (ret) + return ret; tmp |= (cmd.data << 8); *size = tmp; -- 2.42.0.windows.2

4 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] usb: dwc3: Abort suspend on soft disconnect failure" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 630a1dec3b0eba2a695b9063f1c205d585cbfec9 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070816-untoasted-wooing-3f93@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 630a1dec3b0eba2a695b9063f1c205d585cbfec9 Mon Sep 17 00:00:00 2001 From: Kuen-Han Tsai <khtsai(a)google.com> Date: Wed, 28 May 2025 18:03:11 +0800 Subject: [PATCH] usb: dwc3: Abort suspend on soft disconnect failure When dwc3_gadget_soft_disconnect() fails, dwc3_suspend_common() keeps going with the suspend, resulting in a period where the power domain is off, but the gadget driver remains connected. Within this time frame, invoking vbus_event_work() will cause an error as it attempts to access DWC3 registers for endpoint disabling after the power domain has been completely shut down. Abort the suspend sequence when dwc3_gadget_suspend() cannot halt the controller and proceeds with a soft connect. Fixes: 9f8a67b65a49 ("usb: dwc3: gadget: fix gadget suspend/resume") Cc: stable <stable(a)kernel.org> Acked-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Signed-off-by: Kuen-Han Tsai <khtsai(a)google.com> Link: https://lore.kernel.org/r/20250528100315.2162699-1-khtsai@google.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c index 2bc775a747f2..8002c23a5a02 100644 --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -2422,6 +2422,7 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) { u32 reg; int i; + int ret; if (!pm_runtime_suspended(dwc->dev) && !PMSG_IS_AUTO(msg)) { dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) & @@ -2440,7 +2441,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) case DWC3_GCTL_PRTCAP_DEVICE: if (pm_runtime_suspended(dwc->dev)) break; - dwc3_gadget_suspend(dwc); + ret = dwc3_gadget_suspend(dwc); + if (ret) + return ret; synchronize_irq(dwc->irq_gadget); dwc3_core_exit(dwc); break; @@ -2475,7 +2478,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) break; if (dwc->current_otg_role == DWC3_OTG_ROLE_DEVICE) { - dwc3_gadget_suspend(dwc); + ret = dwc3_gadget_suspend(dwc); + if (ret) + return ret; synchronize_irq(dwc->irq_gadget); } diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 321361288935..b6b63b530148 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -4821,8 +4821,15 @@ int dwc3_gadget_suspend(struct dwc3 *dwc) int ret; ret = dwc3_gadget_soft_disconnect(dwc); - if (ret) - goto err; + /* + * Attempt to reset the controller's state. Likely no + * communication can be established until the host + * performs a port reset. + */ + if (ret && dwc->softconnect) { + dwc3_gadget_soft_connect(dwc); + return -EAGAIN; + } spin_lock_irqsave(&dwc->lock, flags); if (dwc->gadget_driver) @@ -4830,17 +4837,6 @@ int dwc3_gadget_suspend(struct dwc3 *dwc) spin_unlock_irqrestore(&dwc->lock, flags); return 0; - -err: - /* - * Attempt to reset the controller's state. Likely no - * communication can be established until the host - * performs a port reset. - */ - if (dwc->softconnect) - dwc3_gadget_soft_connect(dwc); - - return ret; } int dwc3_gadget_resume(struct dwc3 *dwc)

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] usb: dwc3: Abort suspend on soft disconnect failure" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 630a1dec3b0eba2a695b9063f1c205d585cbfec9 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070814-edginess-essence-e135@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 630a1dec3b0eba2a695b9063f1c205d585cbfec9 Mon Sep 17 00:00:00 2001 From: Kuen-Han Tsai <khtsai(a)google.com> Date: Wed, 28 May 2025 18:03:11 +0800 Subject: [PATCH] usb: dwc3: Abort suspend on soft disconnect failure When dwc3_gadget_soft_disconnect() fails, dwc3_suspend_common() keeps going with the suspend, resulting in a period where the power domain is off, but the gadget driver remains connected. Within this time frame, invoking vbus_event_work() will cause an error as it attempts to access DWC3 registers for endpoint disabling after the power domain has been completely shut down. Abort the suspend sequence when dwc3_gadget_suspend() cannot halt the controller and proceeds with a soft connect. Fixes: 9f8a67b65a49 ("usb: dwc3: gadget: fix gadget suspend/resume") Cc: stable <stable(a)kernel.org> Acked-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Signed-off-by: Kuen-Han Tsai <khtsai(a)google.com> Link: https://lore.kernel.org/r/20250528100315.2162699-1-khtsai@google.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c index 2bc775a747f2..8002c23a5a02 100644 --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -2422,6 +2422,7 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) { u32 reg; int i; + int ret; if (!pm_runtime_suspended(dwc->dev) && !PMSG_IS_AUTO(msg)) { dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) & @@ -2440,7 +2441,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) case DWC3_GCTL_PRTCAP_DEVICE: if (pm_runtime_suspended(dwc->dev)) break; - dwc3_gadget_suspend(dwc); + ret = dwc3_gadget_suspend(dwc); + if (ret) + return ret; synchronize_irq(dwc->irq_gadget); dwc3_core_exit(dwc); break; @@ -2475,7 +2478,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) break; if (dwc->current_otg_role == DWC3_OTG_ROLE_DEVICE) { - dwc3_gadget_suspend(dwc); + ret = dwc3_gadget_suspend(dwc); + if (ret) + return ret; synchronize_irq(dwc->irq_gadget); } diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 321361288935..b6b63b530148 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -4821,8 +4821,15 @@ int dwc3_gadget_suspend(struct dwc3 *dwc) int ret; ret = dwc3_gadget_soft_disconnect(dwc); - if (ret) - goto err; + /* + * Attempt to reset the controller's state. Likely no + * communication can be established until the host + * performs a port reset. + */ + if (ret && dwc->softconnect) { + dwc3_gadget_soft_connect(dwc); + return -EAGAIN; + } spin_lock_irqsave(&dwc->lock, flags); if (dwc->gadget_driver) @@ -4830,17 +4837,6 @@ int dwc3_gadget_suspend(struct dwc3 *dwc) spin_unlock_irqrestore(&dwc->lock, flags); return 0; - -err: - /* - * Attempt to reset the controller's state. Likely no - * communication can be established until the host - * performs a port reset. - */ - if (dwc->softconnect) - dwc3_gadget_soft_connect(dwc); - - return ret; } int dwc3_gadget_resume(struct dwc3 *dwc)

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] usb: dwc3: Abort suspend on soft disconnect failure" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 630a1dec3b0eba2a695b9063f1c205d585cbfec9 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070843-mammal-recapture-b529@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 630a1dec3b0eba2a695b9063f1c205d585cbfec9 Mon Sep 17 00:00:00 2001 From: Kuen-Han Tsai <khtsai(a)google.com> Date: Wed, 28 May 2025 18:03:11 +0800 Subject: [PATCH] usb: dwc3: Abort suspend on soft disconnect failure When dwc3_gadget_soft_disconnect() fails, dwc3_suspend_common() keeps going with the suspend, resulting in a period where the power domain is off, but the gadget driver remains connected. Within this time frame, invoking vbus_event_work() will cause an error as it attempts to access DWC3 registers for endpoint disabling after the power domain has been completely shut down. Abort the suspend sequence when dwc3_gadget_suspend() cannot halt the controller and proceeds with a soft connect. Fixes: 9f8a67b65a49 ("usb: dwc3: gadget: fix gadget suspend/resume") Cc: stable <stable(a)kernel.org> Acked-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Signed-off-by: Kuen-Han Tsai <khtsai(a)google.com> Link: https://lore.kernel.org/r/20250528100315.2162699-1-khtsai@google.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c index 2bc775a747f2..8002c23a5a02 100644 --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -2422,6 +2422,7 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) { u32 reg; int i; + int ret; if (!pm_runtime_suspended(dwc->dev) && !PMSG_IS_AUTO(msg)) { dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) & @@ -2440,7 +2441,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) case DWC3_GCTL_PRTCAP_DEVICE: if (pm_runtime_suspended(dwc->dev)) break; - dwc3_gadget_suspend(dwc); + ret = dwc3_gadget_suspend(dwc); + if (ret) + return ret; synchronize_irq(dwc->irq_gadget); dwc3_core_exit(dwc); break; @@ -2475,7 +2478,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) break; if (dwc->current_otg_role == DWC3_OTG_ROLE_DEVICE) { - dwc3_gadget_suspend(dwc); + ret = dwc3_gadget_suspend(dwc); + if (ret) + return ret; synchronize_irq(dwc->irq_gadget); } diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 321361288935..b6b63b530148 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -4821,8 +4821,15 @@ int dwc3_gadget_suspend(struct dwc3 *dwc) int ret; ret = dwc3_gadget_soft_disconnect(dwc); - if (ret) - goto err; + /* + * Attempt to reset the controller's state. Likely no + * communication can be established until the host + * performs a port reset. + */ + if (ret && dwc->softconnect) { + dwc3_gadget_soft_connect(dwc); + return -EAGAIN; + } spin_lock_irqsave(&dwc->lock, flags); if (dwc->gadget_driver) @@ -4830,17 +4837,6 @@ int dwc3_gadget_suspend(struct dwc3 *dwc) spin_unlock_irqrestore(&dwc->lock, flags); return 0; - -err: - /* - * Attempt to reset the controller's state. Likely no - * communication can be established until the host - * performs a port reset. - */ - if (dwc->softconnect) - dwc3_gadget_soft_connect(dwc); - - return ret; } int dwc3_gadget_resume(struct dwc3 *dwc)

4 months, 2 weeks

1
0
0 0

[PATCH v3 2/2] PCI: imx6: Correct the epc_features of IMX8MM_EP and IMX8MP_EP

by Richard Zhu

For IMX8MM_EP and IMX8MP_EP, add fixed 256-byte BAR 4 and reserved BAR 5 in imx8m_pcie_epc_features. Fixes: 75c2f26da03f ("PCI: imx6: Add i.MX PCIe EP mode support") Cc: stable(a)vger.kernel.org Signed-off-by: Richard Zhu <hongxing.zhu(a)nxp.com> Reviewed-by: Frank Li <Frank.Li(a)nxp.com> --- drivers/pci/controller/dwc/pci-imx6.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/pci/controller/dwc/pci-imx6.c b/drivers/pci/controller/dwc/pci-imx6.c index 7d15bcb7c107..9754cc6e09b9 100644 --- a/drivers/pci/controller/dwc/pci-imx6.c +++ b/drivers/pci/controller/dwc/pci-imx6.c @@ -1385,6 +1385,8 @@ static const struct pci_epc_features imx8m_pcie_epc_features = { .msix_capable = false, .bar[BAR_1] = { .type = BAR_RESERVED, }, .bar[BAR_3] = { .type = BAR_RESERVED, }, + .bar[BAR_4] = { .type = BAR_FIXED, .fixed_size = SZ_256, }, + .bar[BAR_5] = { .type = BAR_RESERVED, }, .align = SZ_64K, }; -- 2.37.1

4 months, 2 weeks

1
0
0 0

[PATCH v3 1/2] PCI: imx6: Correct the epc_features of IMX8MQ_EP

by Richard Zhu

IMX8MQ_EP has three 64-bit BAR0/2/4 capable and programmable BARs. For IMX8MQ_EP, use imx8q_pcie_epc_features (64-bit BARs 0, 2, 4) instead of imx8m_pcie_epc_features (64-bit BARs 0, 2). Fixes: 75c2f26da03f ("PCI: imx6: Add i.MX PCIe EP mode support") Cc: stable(a)vger.kernel.org Signed-off-by: Richard Zhu <hongxing.zhu(a)nxp.com> Reviewed-by: Frank Li <Frank.Li(a)nxp.com> --- drivers/pci/controller/dwc/pci-imx6.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/pci/controller/dwc/pci-imx6.c b/drivers/pci/controller/dwc/pci-imx6.c index 5a38cfaf989b..7d15bcb7c107 100644 --- a/drivers/pci/controller/dwc/pci-imx6.c +++ b/drivers/pci/controller/dwc/pci-imx6.c @@ -1912,7 +1912,7 @@ static const struct imx_pcie_drvdata drvdata[] = { .mode_mask[0] = IMX6Q_GPR12_DEVICE_TYPE, .mode_off[1] = IOMUXC_GPR12, .mode_mask[1] = IMX8MQ_GPR12_PCIE2_CTRL_DEVICE_TYPE, - .epc_features = &imx8m_pcie_epc_features, + .epc_features = &imx8q_pcie_epc_features, .init_phy = imx8mq_pcie_init_phy, .enable_ref_clk = imx8mm_pcie_enable_ref_clk, }, -- 2.37.1

4 months, 2 weeks

1
0
0 0

[PATCH v2 1/5] scsi: fnic: Set appropriate logging level for log message

by Karan Tilak Kumar

Replace KERN_INFO with KERN_DEBUG for a log message. Reviewed-by: Sesidhar Baddela <sebaddel(a)cisco.com> Reviewed-by: Arulprabhu Ponnusamy <arulponn(a)cisco.com> Reviewed-by: Gian Carlo Boffa <gcboffa(a)cisco.com> Reviewed-by: Arun Easi <aeasi(a)cisco.com> Signed-off-by: Karan Tilak Kumar <kartilak(a)cisco.com> --- drivers/scsi/fnic/fnic_scsi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/fnic/fnic_scsi.c b/drivers/scsi/fnic/fnic_scsi.c index 7133b254cbe4..75b29a018d1f 100644 --- a/drivers/scsi/fnic/fnic_scsi.c +++ b/drivers/scsi/fnic/fnic_scsi.c @@ -1046,7 +1046,7 @@ static void fnic_fcpio_icmnd_cmpl_handler(struct fnic *fnic, unsigned int cq_ind if (icmnd_cmpl->scsi_status == SAM_STAT_TASK_SET_FULL) atomic64_inc(&fnic_stats->misc_stats.queue_fulls); - FNIC_SCSI_DBG(KERN_INFO, fnic->host, fnic->fnic_num, + FNIC_SCSI_DBG(KERN_DEBUG, fnic->host, fnic->fnic_num, "xfer_len: %llu", xfer_len); break; -- 2.47.1

4 months, 2 weeks

3
8
0 0

FAILED: patch "[PATCH] usb: dwc3: Abort suspend on soft disconnect failure" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 630a1dec3b0eba2a695b9063f1c205d585cbfec9 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070842-boondocks-tint-f86c@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 630a1dec3b0eba2a695b9063f1c205d585cbfec9 Mon Sep 17 00:00:00 2001 From: Kuen-Han Tsai <khtsai(a)google.com> Date: Wed, 28 May 2025 18:03:11 +0800 Subject: [PATCH] usb: dwc3: Abort suspend on soft disconnect failure When dwc3_gadget_soft_disconnect() fails, dwc3_suspend_common() keeps going with the suspend, resulting in a period where the power domain is off, but the gadget driver remains connected. Within this time frame, invoking vbus_event_work() will cause an error as it attempts to access DWC3 registers for endpoint disabling after the power domain has been completely shut down. Abort the suspend sequence when dwc3_gadget_suspend() cannot halt the controller and proceeds with a soft connect. Fixes: 9f8a67b65a49 ("usb: dwc3: gadget: fix gadget suspend/resume") Cc: stable <stable(a)kernel.org> Acked-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Signed-off-by: Kuen-Han Tsai <khtsai(a)google.com> Link: https://lore.kernel.org/r/20250528100315.2162699-1-khtsai@google.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c index 2bc775a747f2..8002c23a5a02 100644 --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -2422,6 +2422,7 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) { u32 reg; int i; + int ret; if (!pm_runtime_suspended(dwc->dev) && !PMSG_IS_AUTO(msg)) { dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) & @@ -2440,7 +2441,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) case DWC3_GCTL_PRTCAP_DEVICE: if (pm_runtime_suspended(dwc->dev)) break; - dwc3_gadget_suspend(dwc); + ret = dwc3_gadget_suspend(dwc); + if (ret) + return ret; synchronize_irq(dwc->irq_gadget); dwc3_core_exit(dwc); break; @@ -2475,7 +2478,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) break; if (dwc->current_otg_role == DWC3_OTG_ROLE_DEVICE) { - dwc3_gadget_suspend(dwc); + ret = dwc3_gadget_suspend(dwc); + if (ret) + return ret; synchronize_irq(dwc->irq_gadget); } diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 321361288935..b6b63b530148 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -4821,8 +4821,15 @@ int dwc3_gadget_suspend(struct dwc3 *dwc) int ret; ret = dwc3_gadget_soft_disconnect(dwc); - if (ret) - goto err; + /* + * Attempt to reset the controller's state. Likely no + * communication can be established until the host + * performs a port reset. + */ + if (ret && dwc->softconnect) { + dwc3_gadget_soft_connect(dwc); + return -EAGAIN; + } spin_lock_irqsave(&dwc->lock, flags); if (dwc->gadget_driver) @@ -4830,17 +4837,6 @@ int dwc3_gadget_suspend(struct dwc3 *dwc) spin_unlock_irqrestore(&dwc->lock, flags); return 0; - -err: - /* - * Attempt to reset the controller's state. Likely no - * communication can be established until the host - * performs a port reset. - */ - if (dwc->softconnect) - dwc3_gadget_soft_connect(dwc); - - return ret; } int dwc3_gadget_resume(struct dwc3 *dwc)

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] usb: dwc3: Abort suspend on soft disconnect failure" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 630a1dec3b0eba2a695b9063f1c205d585cbfec9 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070842-amber-blog-3e94@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 630a1dec3b0eba2a695b9063f1c205d585cbfec9 Mon Sep 17 00:00:00 2001 From: Kuen-Han Tsai <khtsai(a)google.com> Date: Wed, 28 May 2025 18:03:11 +0800 Subject: [PATCH] usb: dwc3: Abort suspend on soft disconnect failure When dwc3_gadget_soft_disconnect() fails, dwc3_suspend_common() keeps going with the suspend, resulting in a period where the power domain is off, but the gadget driver remains connected. Within this time frame, invoking vbus_event_work() will cause an error as it attempts to access DWC3 registers for endpoint disabling after the power domain has been completely shut down. Abort the suspend sequence when dwc3_gadget_suspend() cannot halt the controller and proceeds with a soft connect. Fixes: 9f8a67b65a49 ("usb: dwc3: gadget: fix gadget suspend/resume") Cc: stable <stable(a)kernel.org> Acked-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Signed-off-by: Kuen-Han Tsai <khtsai(a)google.com> Link: https://lore.kernel.org/r/20250528100315.2162699-1-khtsai@google.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c index 2bc775a747f2..8002c23a5a02 100644 --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -2422,6 +2422,7 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) { u32 reg; int i; + int ret; if (!pm_runtime_suspended(dwc->dev) && !PMSG_IS_AUTO(msg)) { dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) & @@ -2440,7 +2441,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) case DWC3_GCTL_PRTCAP_DEVICE: if (pm_runtime_suspended(dwc->dev)) break; - dwc3_gadget_suspend(dwc); + ret = dwc3_gadget_suspend(dwc); + if (ret) + return ret; synchronize_irq(dwc->irq_gadget); dwc3_core_exit(dwc); break; @@ -2475,7 +2478,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) break; if (dwc->current_otg_role == DWC3_OTG_ROLE_DEVICE) { - dwc3_gadget_suspend(dwc); + ret = dwc3_gadget_suspend(dwc); + if (ret) + return ret; synchronize_irq(dwc->irq_gadget); } diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 321361288935..b6b63b530148 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -4821,8 +4821,15 @@ int dwc3_gadget_suspend(struct dwc3 *dwc) int ret; ret = dwc3_gadget_soft_disconnect(dwc); - if (ret) - goto err; + /* + * Attempt to reset the controller's state. Likely no + * communication can be established until the host + * performs a port reset. + */ + if (ret && dwc->softconnect) { + dwc3_gadget_soft_connect(dwc); + return -EAGAIN; + } spin_lock_irqsave(&dwc->lock, flags); if (dwc->gadget_driver) @@ -4830,17 +4837,6 @@ int dwc3_gadget_suspend(struct dwc3 *dwc) spin_unlock_irqrestore(&dwc->lock, flags); return 0; - -err: - /* - * Attempt to reset the controller's state. Likely no - * communication can be established until the host - * performs a port reset. - */ - if (dwc->softconnect) - dwc3_gadget_soft_connect(dwc); - - return ret; } int dwc3_gadget_resume(struct dwc3 *dwc)

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] usb: cdnsp: Fix issue with CV Bad Descriptor test" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 2831a81077f5162f104ba5a97a7d886eb371c21c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070817-spongy-unlinked-9fe7@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2831a81077f5162f104ba5a97a7d886eb371c21c Mon Sep 17 00:00:00 2001 From: Pawel Laszczak <pawell(a)cadence.com> Date: Fri, 20 Jun 2025 08:23:12 +0000 Subject: [PATCH] usb: cdnsp: Fix issue with CV Bad Descriptor test The SSP2 controller has extra endpoint state preserve bit (ESP) which setting causes that endpoint state will be preserved during Halt Endpoint command. It is used only for EP0. Without this bit the Command Verifier "TD 9.10 Bad Descriptor Test" failed. Setting this bit doesn't have any impact for SSP controller. Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver") Cc: stable <stable(a)kernel.org> Signed-off-by: Pawel Laszczak <pawell(a)cadence.com> Acked-by: Peter Chen <peter.chen(a)kernel.org> Link: https://lore.kernel.org/r/PH7PR07MB95382CCD50549DABAEFD6156DD7CA@PH7PR07MB9… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/cdns3/cdnsp-debug.h b/drivers/usb/cdns3/cdnsp-debug.h index cd138acdcce1..86860686d836 100644 --- a/drivers/usb/cdns3/cdnsp-debug.h +++ b/drivers/usb/cdns3/cdnsp-debug.h @@ -327,12 +327,13 @@ static inline const char *cdnsp_decode_trb(char *str, size_t size, u32 field0, case TRB_RESET_EP: case TRB_HALT_ENDPOINT: ret = scnprintf(str, size, - "%s: ep%d%s(%d) ctx %08x%08x slot %ld flags %c", + "%s: ep%d%s(%d) ctx %08x%08x slot %ld flags %c %c", cdnsp_trb_type_string(type), ep_num, ep_id % 2 ? "out" : "in", TRB_TO_EP_INDEX(field3), field1, field0, TRB_TO_SLOT_ID(field3), - field3 & TRB_CYCLE ? 'C' : 'c'); + field3 & TRB_CYCLE ? 'C' : 'c', + field3 & TRB_ESP ? 'P' : 'p'); break; case TRB_STOP_RING: ret = scnprintf(str, size, diff --git a/drivers/usb/cdns3/cdnsp-ep0.c b/drivers/usb/cdns3/cdnsp-ep0.c index f317d3c84781..5cd9b898ce97 100644 --- a/drivers/usb/cdns3/cdnsp-ep0.c +++ b/drivers/usb/cdns3/cdnsp-ep0.c @@ -414,6 +414,7 @@ static int cdnsp_ep0_std_request(struct cdnsp_device *pdev, void cdnsp_setup_analyze(struct cdnsp_device *pdev) { struct usb_ctrlrequest *ctrl = &pdev->setup; + struct cdnsp_ep *pep; int ret = -EINVAL; u16 len; @@ -427,10 +428,21 @@ void cdnsp_setup_analyze(struct cdnsp_device *pdev) goto out; } + pep = &pdev->eps[0]; + /* Restore the ep0 to Stopped/Running state. */ - if (pdev->eps[0].ep_state & EP_HALTED) { - trace_cdnsp_ep0_halted("Restore to normal state"); - cdnsp_halt_endpoint(pdev, &pdev->eps[0], 0); + if (pep->ep_state & EP_HALTED) { + if (GET_EP_CTX_STATE(pep->out_ctx) == EP_STATE_HALTED) + cdnsp_halt_endpoint(pdev, pep, 0); + + /* + * Halt Endpoint Command for SSP2 for ep0 preserve current + * endpoint state and driver has to synchronize the + * software endpoint state with endpoint output context + * state. + */ + pep->ep_state &= ~EP_HALTED; + pep->ep_state |= EP_STOPPED; } /* diff --git a/drivers/usb/cdns3/cdnsp-gadget.h b/drivers/usb/cdns3/cdnsp-gadget.h index 2afa3e558f85..a91cca509db0 100644 --- a/drivers/usb/cdns3/cdnsp-gadget.h +++ b/drivers/usb/cdns3/cdnsp-gadget.h @@ -987,6 +987,12 @@ enum cdnsp_setup_dev { #define STREAM_ID_FOR_TRB(p) ((((p)) << 16) & GENMASK(31, 16)) #define SCT_FOR_TRB(p) (((p) << 1) & 0x7) +/* + * Halt Endpoint Command TRB field. + * The ESP bit only exists in the SSP2 controller. + */ +#define TRB_ESP BIT(9) + /* Link TRB specific fields. */ #define TRB_TC BIT(1) diff --git a/drivers/usb/cdns3/cdnsp-ring.c b/drivers/usb/cdns3/cdnsp-ring.c index 757fdd918286..0758f171f73e 100644 --- a/drivers/usb/cdns3/cdnsp-ring.c +++ b/drivers/usb/cdns3/cdnsp-ring.c @@ -2485,7 +2485,8 @@ void cdnsp_queue_halt_endpoint(struct cdnsp_device *pdev, unsigned int ep_index) { cdnsp_queue_command(pdev, 0, 0, 0, TRB_TYPE(TRB_HALT_ENDPOINT) | SLOT_ID_FOR_TRB(pdev->slot_id) | - EP_ID_FOR_TRB(ep_index)); + EP_ID_FOR_TRB(ep_index) | + (!ep_index ? TRB_ESP : 0)); } void cdnsp_force_header_wakeup(struct cdnsp_device *pdev, int intf_num)

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] usb: cdnsp: Fix issue with CV Bad Descriptor test" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 2831a81077f5162f104ba5a97a7d886eb371c21c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070816-unmatched-handwrite-1fd4@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2831a81077f5162f104ba5a97a7d886eb371c21c Mon Sep 17 00:00:00 2001 From: Pawel Laszczak <pawell(a)cadence.com> Date: Fri, 20 Jun 2025 08:23:12 +0000 Subject: [PATCH] usb: cdnsp: Fix issue with CV Bad Descriptor test The SSP2 controller has extra endpoint state preserve bit (ESP) which setting causes that endpoint state will be preserved during Halt Endpoint command. It is used only for EP0. Without this bit the Command Verifier "TD 9.10 Bad Descriptor Test" failed. Setting this bit doesn't have any impact for SSP controller. Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver") Cc: stable <stable(a)kernel.org> Signed-off-by: Pawel Laszczak <pawell(a)cadence.com> Acked-by: Peter Chen <peter.chen(a)kernel.org> Link: https://lore.kernel.org/r/PH7PR07MB95382CCD50549DABAEFD6156DD7CA@PH7PR07MB9… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/cdns3/cdnsp-debug.h b/drivers/usb/cdns3/cdnsp-debug.h index cd138acdcce1..86860686d836 100644 --- a/drivers/usb/cdns3/cdnsp-debug.h +++ b/drivers/usb/cdns3/cdnsp-debug.h @@ -327,12 +327,13 @@ static inline const char *cdnsp_decode_trb(char *str, size_t size, u32 field0, case TRB_RESET_EP: case TRB_HALT_ENDPOINT: ret = scnprintf(str, size, - "%s: ep%d%s(%d) ctx %08x%08x slot %ld flags %c", + "%s: ep%d%s(%d) ctx %08x%08x slot %ld flags %c %c", cdnsp_trb_type_string(type), ep_num, ep_id % 2 ? "out" : "in", TRB_TO_EP_INDEX(field3), field1, field0, TRB_TO_SLOT_ID(field3), - field3 & TRB_CYCLE ? 'C' : 'c'); + field3 & TRB_CYCLE ? 'C' : 'c', + field3 & TRB_ESP ? 'P' : 'p'); break; case TRB_STOP_RING: ret = scnprintf(str, size, diff --git a/drivers/usb/cdns3/cdnsp-ep0.c b/drivers/usb/cdns3/cdnsp-ep0.c index f317d3c84781..5cd9b898ce97 100644 --- a/drivers/usb/cdns3/cdnsp-ep0.c +++ b/drivers/usb/cdns3/cdnsp-ep0.c @@ -414,6 +414,7 @@ static int cdnsp_ep0_std_request(struct cdnsp_device *pdev, void cdnsp_setup_analyze(struct cdnsp_device *pdev) { struct usb_ctrlrequest *ctrl = &pdev->setup; + struct cdnsp_ep *pep; int ret = -EINVAL; u16 len; @@ -427,10 +428,21 @@ void cdnsp_setup_analyze(struct cdnsp_device *pdev) goto out; } + pep = &pdev->eps[0]; + /* Restore the ep0 to Stopped/Running state. */ - if (pdev->eps[0].ep_state & EP_HALTED) { - trace_cdnsp_ep0_halted("Restore to normal state"); - cdnsp_halt_endpoint(pdev, &pdev->eps[0], 0); + if (pep->ep_state & EP_HALTED) { + if (GET_EP_CTX_STATE(pep->out_ctx) == EP_STATE_HALTED) + cdnsp_halt_endpoint(pdev, pep, 0); + + /* + * Halt Endpoint Command for SSP2 for ep0 preserve current + * endpoint state and driver has to synchronize the + * software endpoint state with endpoint output context + * state. + */ + pep->ep_state &= ~EP_HALTED; + pep->ep_state |= EP_STOPPED; } /* diff --git a/drivers/usb/cdns3/cdnsp-gadget.h b/drivers/usb/cdns3/cdnsp-gadget.h index 2afa3e558f85..a91cca509db0 100644 --- a/drivers/usb/cdns3/cdnsp-gadget.h +++ b/drivers/usb/cdns3/cdnsp-gadget.h @@ -987,6 +987,12 @@ enum cdnsp_setup_dev { #define STREAM_ID_FOR_TRB(p) ((((p)) << 16) & GENMASK(31, 16)) #define SCT_FOR_TRB(p) (((p) << 1) & 0x7) +/* + * Halt Endpoint Command TRB field. + * The ESP bit only exists in the SSP2 controller. + */ +#define TRB_ESP BIT(9) + /* Link TRB specific fields. */ #define TRB_TC BIT(1) diff --git a/drivers/usb/cdns3/cdnsp-ring.c b/drivers/usb/cdns3/cdnsp-ring.c index 757fdd918286..0758f171f73e 100644 --- a/drivers/usb/cdns3/cdnsp-ring.c +++ b/drivers/usb/cdns3/cdnsp-ring.c @@ -2485,7 +2485,8 @@ void cdnsp_queue_halt_endpoint(struct cdnsp_device *pdev, unsigned int ep_index) { cdnsp_queue_command(pdev, 0, 0, 0, TRB_TYPE(TRB_HALT_ENDPOINT) | SLOT_ID_FOR_TRB(pdev->slot_id) | - EP_ID_FOR_TRB(ep_index)); + EP_ID_FOR_TRB(ep_index) | + (!ep_index ? TRB_ESP : 0)); } void cdnsp_force_header_wakeup(struct cdnsp_device *pdev, int intf_num)

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] usb: cdnsp: Fix issue with CV Bad Descriptor test" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 2831a81077f5162f104ba5a97a7d886eb371c21c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070816-explicit-pry-2bf8@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2831a81077f5162f104ba5a97a7d886eb371c21c Mon Sep 17 00:00:00 2001 From: Pawel Laszczak <pawell(a)cadence.com> Date: Fri, 20 Jun 2025 08:23:12 +0000 Subject: [PATCH] usb: cdnsp: Fix issue with CV Bad Descriptor test The SSP2 controller has extra endpoint state preserve bit (ESP) which setting causes that endpoint state will be preserved during Halt Endpoint command. It is used only for EP0. Without this bit the Command Verifier "TD 9.10 Bad Descriptor Test" failed. Setting this bit doesn't have any impact for SSP controller. Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver") Cc: stable <stable(a)kernel.org> Signed-off-by: Pawel Laszczak <pawell(a)cadence.com> Acked-by: Peter Chen <peter.chen(a)kernel.org> Link: https://lore.kernel.org/r/PH7PR07MB95382CCD50549DABAEFD6156DD7CA@PH7PR07MB9… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/cdns3/cdnsp-debug.h b/drivers/usb/cdns3/cdnsp-debug.h index cd138acdcce1..86860686d836 100644 --- a/drivers/usb/cdns3/cdnsp-debug.h +++ b/drivers/usb/cdns3/cdnsp-debug.h @@ -327,12 +327,13 @@ static inline const char *cdnsp_decode_trb(char *str, size_t size, u32 field0, case TRB_RESET_EP: case TRB_HALT_ENDPOINT: ret = scnprintf(str, size, - "%s: ep%d%s(%d) ctx %08x%08x slot %ld flags %c", + "%s: ep%d%s(%d) ctx %08x%08x slot %ld flags %c %c", cdnsp_trb_type_string(type), ep_num, ep_id % 2 ? "out" : "in", TRB_TO_EP_INDEX(field3), field1, field0, TRB_TO_SLOT_ID(field3), - field3 & TRB_CYCLE ? 'C' : 'c'); + field3 & TRB_CYCLE ? 'C' : 'c', + field3 & TRB_ESP ? 'P' : 'p'); break; case TRB_STOP_RING: ret = scnprintf(str, size, diff --git a/drivers/usb/cdns3/cdnsp-ep0.c b/drivers/usb/cdns3/cdnsp-ep0.c index f317d3c84781..5cd9b898ce97 100644 --- a/drivers/usb/cdns3/cdnsp-ep0.c +++ b/drivers/usb/cdns3/cdnsp-ep0.c @@ -414,6 +414,7 @@ static int cdnsp_ep0_std_request(struct cdnsp_device *pdev, void cdnsp_setup_analyze(struct cdnsp_device *pdev) { struct usb_ctrlrequest *ctrl = &pdev->setup; + struct cdnsp_ep *pep; int ret = -EINVAL; u16 len; @@ -427,10 +428,21 @@ void cdnsp_setup_analyze(struct cdnsp_device *pdev) goto out; } + pep = &pdev->eps[0]; + /* Restore the ep0 to Stopped/Running state. */ - if (pdev->eps[0].ep_state & EP_HALTED) { - trace_cdnsp_ep0_halted("Restore to normal state"); - cdnsp_halt_endpoint(pdev, &pdev->eps[0], 0); + if (pep->ep_state & EP_HALTED) { + if (GET_EP_CTX_STATE(pep->out_ctx) == EP_STATE_HALTED) + cdnsp_halt_endpoint(pdev, pep, 0); + + /* + * Halt Endpoint Command for SSP2 for ep0 preserve current + * endpoint state and driver has to synchronize the + * software endpoint state with endpoint output context + * state. + */ + pep->ep_state &= ~EP_HALTED; + pep->ep_state |= EP_STOPPED; } /* diff --git a/drivers/usb/cdns3/cdnsp-gadget.h b/drivers/usb/cdns3/cdnsp-gadget.h index 2afa3e558f85..a91cca509db0 100644 --- a/drivers/usb/cdns3/cdnsp-gadget.h +++ b/drivers/usb/cdns3/cdnsp-gadget.h @@ -987,6 +987,12 @@ enum cdnsp_setup_dev { #define STREAM_ID_FOR_TRB(p) ((((p)) << 16) & GENMASK(31, 16)) #define SCT_FOR_TRB(p) (((p) << 1) & 0x7) +/* + * Halt Endpoint Command TRB field. + * The ESP bit only exists in the SSP2 controller. + */ +#define TRB_ESP BIT(9) + /* Link TRB specific fields. */ #define TRB_TC BIT(1) diff --git a/drivers/usb/cdns3/cdnsp-ring.c b/drivers/usb/cdns3/cdnsp-ring.c index 757fdd918286..0758f171f73e 100644 --- a/drivers/usb/cdns3/cdnsp-ring.c +++ b/drivers/usb/cdns3/cdnsp-ring.c @@ -2485,7 +2485,8 @@ void cdnsp_queue_halt_endpoint(struct cdnsp_device *pdev, unsigned int ep_index) { cdnsp_queue_command(pdev, 0, 0, 0, TRB_TYPE(TRB_HALT_ENDPOINT) | SLOT_ID_FOR_TRB(pdev->slot_id) | - EP_ID_FOR_TRB(ep_index)); + EP_ID_FOR_TRB(ep_index) | + (!ep_index ? TRB_ESP : 0)); } void cdnsp_force_header_wakeup(struct cdnsp_device *pdev, int intf_num)

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] xhci: Disable stream for xHC controller with" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x cd65ee81240e8bc3c3119b46db7f60c80864b90b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070814-scrunch-wolverine-ceb9@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From cd65ee81240e8bc3c3119b46db7f60c80864b90b Mon Sep 17 00:00:00 2001 From: Hongyu Xie <xiehongyu1(a)kylinos.cn> Date: Fri, 27 Jun 2025 17:41:20 +0300 Subject: [PATCH] xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS Disable stream for platform xHC controller with broken stream. Fixes: 14aec589327a6 ("storage: accept some UAS devices if streams are unavailable") Cc: stable <stable(a)kernel.org> Signed-off-by: Hongyu Xie <xiehongyu1(a)kylinos.cn> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Link: https://lore.kernel.org/r/20250627144127.3889714-3-mathias.nyman@linux.inte… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c index 6dab142e7278..c79d5ed48a08 100644 --- a/drivers/usb/host/xhci-plat.c +++ b/drivers/usb/host/xhci-plat.c @@ -328,7 +328,8 @@ int xhci_plat_probe(struct platform_device *pdev, struct device *sysdev, const s } usb3_hcd = xhci_get_usb3_hcd(xhci); - if (usb3_hcd && HCC_MAX_PSA(xhci->hcc_params) >= 4) + if (usb3_hcd && HCC_MAX_PSA(xhci->hcc_params) >= 4 && + !(xhci->quirks & XHCI_BROKEN_STREAMS)) usb3_hcd->can_do_streams = 1; if (xhci->shared_hcd) {

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] xhci: dbc: Flush queued requests before stopping dbc" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x efe3e3ae5a66cb38ef29c909e951b4039044bae9 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070847-wooing-headway-a75d@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From efe3e3ae5a66cb38ef29c909e951b4039044bae9 Mon Sep 17 00:00:00 2001 From: Mathias Nyman <mathias.nyman(a)linux.intel.com> Date: Fri, 27 Jun 2025 17:41:22 +0300 Subject: [PATCH] xhci: dbc: Flush queued requests before stopping dbc Flush dbc requests when dbc is stopped and transfer rings are freed. Failure to flush them lead to leaking memory and dbc completing odd requests after resuming from suspend, leading to error messages such as: [ 95.344392] xhci_hcd 0000:00:0d.0: no matched request Cc: stable <stable(a)kernel.org> Fixes: dfba2174dc42 ("usb: xhci: Add DbC support in xHCI driver") Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Link: https://lore.kernel.org/r/20250627144127.3889714-5-mathias.nyman@linux.inte… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/host/xhci-dbgcap.c b/drivers/usb/host/xhci-dbgcap.c index 0d4ce5734165..06a2edb9e86e 100644 --- a/drivers/usb/host/xhci-dbgcap.c +++ b/drivers/usb/host/xhci-dbgcap.c @@ -652,6 +652,10 @@ static void xhci_dbc_stop(struct xhci_dbc *dbc) case DS_DISABLED: return; case DS_CONFIGURED: + spin_lock(&dbc->lock); + xhci_dbc_flush_requests(dbc); + spin_unlock(&dbc->lock); + if (dbc->driver->disconnect) dbc->driver->disconnect(dbc); break;

4 months, 2 weeks

1
0
0 0

[PATCH] fs/ntfs3: Fix a resource leak bug in wnd_extend()

by Haoxiang Li

Add put_bh() to decrease the refcount of 'bh' after the job is finished, preventing a resource leak. Fixes: 3f3b442b5ad2 ("fs/ntfs3: Add bitmap") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> --- fs/ntfs3/bitmap.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/ntfs3/bitmap.c b/fs/ntfs3/bitmap.c index 04107b950717..65d05e6a0566 100644 --- a/fs/ntfs3/bitmap.c +++ b/fs/ntfs3/bitmap.c @@ -1371,6 +1371,7 @@ int wnd_extend(struct wnd_bitmap *wnd, size_t new_bits) mark_buffer_dirty(bh); unlock_buffer(bh); /* err = sync_dirty_buffer(bh); */ + put_bh(bh); b0 = 0; bits -= op; -- 2.25.1

4 months, 2 weeks

1
0
0 0

Re: [PATCH v3] drm/framebuffer: Acquire internal references on GEM handles

by Thomas Zimmermann

Hi Am 07.07.25 um 18:14 schrieb Satadru Pramanik: > Applying this patch to 6.16-rc5 resolves the sleep issue regression > from 6.16-rc4 I was having on my MacBookPro11,3 (Mid-2014 15" > MacBookPro), which has the NVIDIA GK107M GPU enabled via the Nouveau > driver. Thanks for testing. I think the sleep regression was just a side effect of the broken reference counting. Best regards Thomas > > Many thanks, > > Satadru > > On Mon, Jul 7, 2025 at 9:33 AM Thomas Zimmermann <tzimmermann(a)suse.de> > wrote: > > Hi > > Am 07.07.25 um 15:21 schrieb Christian König: > > >> > >> +#define DRM_FRAMEBUFFER_HAS_HANDLE_REF(_i) BIT(0u + (_i)) > > Why the "0u + (_i)" here? An macro trick? > > You mean why not just BIT(_i)? internal_flags could possibly contain > additional flags. Just using BIT(_i) would make it look as if it's > only > for those handle refs. > > Best regards > Thomas > > > > > Regards, > > Christian. > > > >> + > >> /** > >> * struct drm_framebuffer - frame buffer object > >> * > >> @@ -188,6 +191,10 @@ struct drm_framebuffer { > >> * DRM_MODE_FB_MODIFIERS. > >> */ > >> int flags; > >> + /** > >> + * @internal_flags: Framebuffer flags like > DRM_FRAMEBUFFER_HAS_HANDLE_REF. > >> + */ > >> + unsigned int internal_flags; > >> /** > >> * @filp_head: Placed on &drm_file.fbs, protected by > &drm_file.fbs_lock. > >> */ > > -- > -- > Thomas Zimmermann > Graphics Driver Developer > SUSE Software Solutions Germany GmbH > Frankenstrasse 146, 90461 Nuernberg, Germany > GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman > HRB 36809 (AG Nuernberg) > -- -- Thomas Zimmermann Graphics Driver Developer SUSE Software Solutions Germany GmbH Frankenstrasse 146, 90461 Nuernberg, Germany GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman HRB 36809 (AG Nuernberg)

4 months, 2 weeks

1
0
0 0

[PATCH v2 1/3] drm/amdgpu: Dirty cleared blocks on free

by Arunpravin Paneer Selvam

Set the dirty bit when the memory resource is not cleared during BO release. v2(Christian): - Drop the cleared flag set to false. - Improve the amdgpu_vram_mgr_set_clear_state() function. Signed-off-by: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam(a)amd.com> Suggested-by: Christian König <christian.koenig(a)amd.com> Cc: stable(a)vger.kernel.org Fixes: a68c7eaa7a8f ("drm/amdgpu: Enable clear page functionality") --- drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 1 - drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.h | 5 ++++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c index 9c5df35f05b7..86eb6d47dcc5 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c @@ -409,7 +409,6 @@ static int amdgpu_move_blit(struct ttm_buffer_object *bo, if (r) { goto error; } else if (wipe_fence) { - amdgpu_vram_mgr_set_cleared(bo->resource); dma_fence_put(fence); fence = wipe_fence; } diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.h index b256cbc2bc27..2c88d5fd87da 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.h +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.h @@ -66,7 +66,10 @@ to_amdgpu_vram_mgr_resource(struct ttm_resource *res) static inline void amdgpu_vram_mgr_set_cleared(struct ttm_resource *res) { - to_amdgpu_vram_mgr_resource(res)->flags |= DRM_BUDDY_CLEARED; + struct amdgpu_vram_mgr_resource *ares = to_amdgpu_vram_mgr_resource(res); + + WARN_ON(ares->flags & DRM_BUDDY_CLEARED); + ares->flags |= DRM_BUDDY_CLEARED; } #endif -- 2.43.0

4 months, 2 weeks

4
4
0 0

[PATCH AUTOSEL 5.4 1/3] Revert "ACPI: battery: negate current when discharging"

by Sasha Levin

From: "Rafael J. Wysocki" <rafael.j.wysocki(a)intel.com> [ Upstream commit de1675de39aa945bad5937d1fde4df3682670639 ] Revert commit 234f71555019 ("ACPI: battery: negate current when discharging") breaks not one but several userspace implementations of battery monitoring: Steam and MangoHud. Perhaps it breaks more, but those are the two that have been tested. Reported-by: Matthew Schwartz <matthew.schwartz(a)linux.dev> Closes: https://lore.kernel.org/linux-acpi/87C1B2AF-D430-4568-B620-14B941A8ABA4@lin… Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES**, this commit should be backported to stable kernel trees. ## Extensive Explanation: ### 1. **Critical Userspace Regression Fix** This revert fixes a critical regression that breaks userspace applications. The commit message explicitly states that the original change "breaks not one but several userspace implementations of battery monitoring: Steam and MangoHud." This is a clear violation of the kernel's "no userspace regressions" rule, which is one of the most fundamental principles in kernel development. ### 2. **Code Analysis Shows ABI Change** Looking at the code changes: ```c // The problematic code that was added (and is now being removed): if (psp == POWER_SUPPLY_PROP_CURRENT_NOW && (battery->state & ACPI_BATTERY_STATE_DISCHARGING) && acpi_battery_handle_discharging(battery) == POWER_SUPPLY_STATUS_DISCHARGING) val->intval = -val->intval; ``` This code was changing the sign of the current value when discharging, which altered the userspace-visible ABI. Even if the original behavior didn't match documentation, changing it broke existing applications that depended on the long-standing behavior. ### 3. **Simple and Safe Revert** The commit is a clean revert that: - Removes the problematic sign negation logic - Restores the original behavior that userspace applications expect - Is self-contained to the `acpi_battery_get_property()` function - Has minimal risk of introducing new issues ### 4. **Meets Stable Kernel Criteria** According to stable kernel rules, this commit qualifies because it: - **Fixes a real bug** that users are hitting (broken battery monitoring in Steam and MangoHud) - **Is obviously correct** (it's a revert of a change that broke userspace) - **Is small and contained** (only affects the ACPI battery property reporting) - **Has been tested** (the reporter confirmed the issue) - **Fixes a regression** (restores previous working behavior) ### 5. **Comparison to Similar Commits** Looking at the historical commits marked with "Backport Status: YES", they share similar characteristics: - Fix actual problems affecting users - Are relatively small and contained changes - Don't introduce new features or architectural changes - Focus on fixing specific issues This revert fits perfectly into this pattern as it's fixing a specific userspace compatibility issue without introducing any new functionality. ### 6. **Timing Considerations** The original problematic commit (234f71555019) was from May 8, 2025, and this revert is from July 3, 2025. If the original commit made it into any stable releases, those stable trees would need this revert to prevent userspace breakage. ### Conclusion: This is a textbook example of a commit that should be backported to stable kernels. It fixes a userspace regression, is minimal in scope, carries very low risk, and restores previously working behavior that applications depend on. The fact that it's a revert of a problematic change makes it even more suitable for stable backporting. drivers/acpi/battery.c | 19 +++---------------- 1 file changed, 3 insertions(+), 16 deletions(-) diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c index a5e120eca7f33..cf853e985d6d9 100644 --- a/drivers/acpi/battery.c +++ b/drivers/acpi/battery.c @@ -266,23 +266,10 @@ static int acpi_battery_get_property(struct power_supply *psy, break; case POWER_SUPPLY_PROP_CURRENT_NOW: case POWER_SUPPLY_PROP_POWER_NOW: - if (battery->rate_now == ACPI_BATTERY_VALUE_UNKNOWN) { + if (battery->rate_now == ACPI_BATTERY_VALUE_UNKNOWN) ret = -ENODEV; - break; - } - - val->intval = battery->rate_now * 1000; - /* - * When discharging, the current should be reported as a - * negative number as per the power supply class interface - * definition. - */ - if (psp == POWER_SUPPLY_PROP_CURRENT_NOW && - (battery->state & ACPI_BATTERY_STATE_DISCHARGING) && - acpi_battery_handle_discharging(battery) - == POWER_SUPPLY_STATUS_DISCHARGING) - val->intval = -val->intval; - + else + val->intval = battery->rate_now * 1000; break; case POWER_SUPPLY_PROP_CHARGE_FULL_DESIGN: case POWER_SUPPLY_PROP_ENERGY_FULL_DESIGN: -- 2.39.5

4 months, 2 weeks

1
2
0 0

[PATCH AUTOSEL 5.10 1/3] Revert "ACPI: battery: negate current when discharging"

by Sasha Levin

From: "Rafael J. Wysocki" <rafael.j.wysocki(a)intel.com> [ Upstream commit de1675de39aa945bad5937d1fde4df3682670639 ] Revert commit 234f71555019 ("ACPI: battery: negate current when discharging") breaks not one but several userspace implementations of battery monitoring: Steam and MangoHud. Perhaps it breaks more, but those are the two that have been tested. Reported-by: Matthew Schwartz <matthew.schwartz(a)linux.dev> Closes: https://lore.kernel.org/linux-acpi/87C1B2AF-D430-4568-B620-14B941A8ABA4@lin… Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES**, this commit should be backported to stable kernel trees. ## Extensive Explanation: ### 1. **Critical Userspace Regression Fix** This revert fixes a critical regression that breaks userspace applications. The commit message explicitly states that the original change "breaks not one but several userspace implementations of battery monitoring: Steam and MangoHud." This is a clear violation of the kernel's "no userspace regressions" rule, which is one of the most fundamental principles in kernel development. ### 2. **Code Analysis Shows ABI Change** Looking at the code changes: ```c // The problematic code that was added (and is now being removed): if (psp == POWER_SUPPLY_PROP_CURRENT_NOW && (battery->state & ACPI_BATTERY_STATE_DISCHARGING) && acpi_battery_handle_discharging(battery) == POWER_SUPPLY_STATUS_DISCHARGING) val->intval = -val->intval; ``` This code was changing the sign of the current value when discharging, which altered the userspace-visible ABI. Even if the original behavior didn't match documentation, changing it broke existing applications that depended on the long-standing behavior. ### 3. **Simple and Safe Revert** The commit is a clean revert that: - Removes the problematic sign negation logic - Restores the original behavior that userspace applications expect - Is self-contained to the `acpi_battery_get_property()` function - Has minimal risk of introducing new issues ### 4. **Meets Stable Kernel Criteria** According to stable kernel rules, this commit qualifies because it: - **Fixes a real bug** that users are hitting (broken battery monitoring in Steam and MangoHud) - **Is obviously correct** (it's a revert of a change that broke userspace) - **Is small and contained** (only affects the ACPI battery property reporting) - **Has been tested** (the reporter confirmed the issue) - **Fixes a regression** (restores previous working behavior) ### 5. **Comparison to Similar Commits** Looking at the historical commits marked with "Backport Status: YES", they share similar characteristics: - Fix actual problems affecting users - Are relatively small and contained changes - Don't introduce new features or architectural changes - Focus on fixing specific issues This revert fits perfectly into this pattern as it's fixing a specific userspace compatibility issue without introducing any new functionality. ### 6. **Timing Considerations** The original problematic commit (234f71555019) was from May 8, 2025, and this revert is from July 3, 2025. If the original commit made it into any stable releases, those stable trees would need this revert to prevent userspace breakage. ### Conclusion: This is a textbook example of a commit that should be backported to stable kernels. It fixes a userspace regression, is minimal in scope, carries very low risk, and restores previously working behavior that applications depend on. The fact that it's a revert of a problematic change makes it even more suitable for stable backporting. drivers/acpi/battery.c | 19 +++---------------- 1 file changed, 3 insertions(+), 16 deletions(-) diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c index 4a188cc28b5ce..f9fb092f33a26 100644 --- a/drivers/acpi/battery.c +++ b/drivers/acpi/battery.c @@ -255,23 +255,10 @@ static int acpi_battery_get_property(struct power_supply *psy, break; case POWER_SUPPLY_PROP_CURRENT_NOW: case POWER_SUPPLY_PROP_POWER_NOW: - if (battery->rate_now == ACPI_BATTERY_VALUE_UNKNOWN) { + if (battery->rate_now == ACPI_BATTERY_VALUE_UNKNOWN) ret = -ENODEV; - break; - } - - val->intval = battery->rate_now * 1000; - /* - * When discharging, the current should be reported as a - * negative number as per the power supply class interface - * definition. - */ - if (psp == POWER_SUPPLY_PROP_CURRENT_NOW && - (battery->state & ACPI_BATTERY_STATE_DISCHARGING) && - acpi_battery_handle_discharging(battery) - == POWER_SUPPLY_STATUS_DISCHARGING) - val->intval = -val->intval; - + else + val->intval = battery->rate_now * 1000; break; case POWER_SUPPLY_PROP_CHARGE_FULL_DESIGN: case POWER_SUPPLY_PROP_ENERGY_FULL_DESIGN: -- 2.39.5

4 months, 2 weeks

1
2
0 0

[PATCH AUTOSEL 5.15 1/3] Revert "ACPI: battery: negate current when discharging"

by Sasha Levin

From: "Rafael J. Wysocki" <rafael.j.wysocki(a)intel.com> [ Upstream commit de1675de39aa945bad5937d1fde4df3682670639 ] Revert commit 234f71555019 ("ACPI: battery: negate current when discharging") breaks not one but several userspace implementations of battery monitoring: Steam and MangoHud. Perhaps it breaks more, but those are the two that have been tested. Reported-by: Matthew Schwartz <matthew.schwartz(a)linux.dev> Closes: https://lore.kernel.org/linux-acpi/87C1B2AF-D430-4568-B620-14B941A8ABA4@lin… Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES**, this commit should be backported to stable kernel trees. ## Extensive Explanation: ### 1. **Critical Userspace Regression Fix** This revert fixes a critical regression that breaks userspace applications. The commit message explicitly states that the original change "breaks not one but several userspace implementations of battery monitoring: Steam and MangoHud." This is a clear violation of the kernel's "no userspace regressions" rule, which is one of the most fundamental principles in kernel development. ### 2. **Code Analysis Shows ABI Change** Looking at the code changes: ```c // The problematic code that was added (and is now being removed): if (psp == POWER_SUPPLY_PROP_CURRENT_NOW && (battery->state & ACPI_BATTERY_STATE_DISCHARGING) && acpi_battery_handle_discharging(battery) == POWER_SUPPLY_STATUS_DISCHARGING) val->intval = -val->intval; ``` This code was changing the sign of the current value when discharging, which altered the userspace-visible ABI. Even if the original behavior didn't match documentation, changing it broke existing applications that depended on the long-standing behavior. ### 3. **Simple and Safe Revert** The commit is a clean revert that: - Removes the problematic sign negation logic - Restores the original behavior that userspace applications expect - Is self-contained to the `acpi_battery_get_property()` function - Has minimal risk of introducing new issues ### 4. **Meets Stable Kernel Criteria** According to stable kernel rules, this commit qualifies because it: - **Fixes a real bug** that users are hitting (broken battery monitoring in Steam and MangoHud) - **Is obviously correct** (it's a revert of a change that broke userspace) - **Is small and contained** (only affects the ACPI battery property reporting) - **Has been tested** (the reporter confirmed the issue) - **Fixes a regression** (restores previous working behavior) ### 5. **Comparison to Similar Commits** Looking at the historical commits marked with "Backport Status: YES", they share similar characteristics: - Fix actual problems affecting users - Are relatively small and contained changes - Don't introduce new features or architectural changes - Focus on fixing specific issues This revert fits perfectly into this pattern as it's fixing a specific userspace compatibility issue without introducing any new functionality. ### 6. **Timing Considerations** The original problematic commit (234f71555019) was from May 8, 2025, and this revert is from July 3, 2025. If the original commit made it into any stable releases, those stable trees would need this revert to prevent userspace breakage. ### Conclusion: This is a textbook example of a commit that should be backported to stable kernels. It fixes a userspace regression, is minimal in scope, carries very low risk, and restores previously working behavior that applications depend on. The fact that it's a revert of a problematic change makes it even more suitable for stable backporting. drivers/acpi/battery.c | 19 +++---------------- 1 file changed, 3 insertions(+), 16 deletions(-) diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c index b0a5d077db905..8bb0f4d06adc0 100644 --- a/drivers/acpi/battery.c +++ b/drivers/acpi/battery.c @@ -250,23 +250,10 @@ static int acpi_battery_get_property(struct power_supply *psy, break; case POWER_SUPPLY_PROP_CURRENT_NOW: case POWER_SUPPLY_PROP_POWER_NOW: - if (battery->rate_now == ACPI_BATTERY_VALUE_UNKNOWN) { + if (battery->rate_now == ACPI_BATTERY_VALUE_UNKNOWN) ret = -ENODEV; - break; - } - - val->intval = battery->rate_now * 1000; - /* - * When discharging, the current should be reported as a - * negative number as per the power supply class interface - * definition. - */ - if (psp == POWER_SUPPLY_PROP_CURRENT_NOW && - (battery->state & ACPI_BATTERY_STATE_DISCHARGING) && - acpi_battery_handle_discharging(battery) - == POWER_SUPPLY_STATUS_DISCHARGING) - val->intval = -val->intval; - + else + val->intval = battery->rate_now * 1000; break; case POWER_SUPPLY_PROP_CHARGE_FULL_DESIGN: case POWER_SUPPLY_PROP_ENERGY_FULL_DESIGN: -- 2.39.5

4 months, 2 weeks

1
2
0 0

[PATCH AUTOSEL 6.1 1/3] Revert "ACPI: battery: negate current when discharging"

by Sasha Levin

From: "Rafael J. Wysocki" <rafael.j.wysocki(a)intel.com> [ Upstream commit de1675de39aa945bad5937d1fde4df3682670639 ] Revert commit 234f71555019 ("ACPI: battery: negate current when discharging") breaks not one but several userspace implementations of battery monitoring: Steam and MangoHud. Perhaps it breaks more, but those are the two that have been tested. Reported-by: Matthew Schwartz <matthew.schwartz(a)linux.dev> Closes: https://lore.kernel.org/linux-acpi/87C1B2AF-D430-4568-B620-14B941A8ABA4@lin… Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES**, this commit should be backported to stable kernel trees. ## Extensive Explanation: ### 1. **Critical Userspace Regression Fix** This revert fixes a critical regression that breaks userspace applications. The commit message explicitly states that the original change "breaks not one but several userspace implementations of battery monitoring: Steam and MangoHud." This is a clear violation of the kernel's "no userspace regressions" rule, which is one of the most fundamental principles in kernel development. ### 2. **Code Analysis Shows ABI Change** Looking at the code changes: ```c // The problematic code that was added (and is now being removed): if (psp == POWER_SUPPLY_PROP_CURRENT_NOW && (battery->state & ACPI_BATTERY_STATE_DISCHARGING) && acpi_battery_handle_discharging(battery) == POWER_SUPPLY_STATUS_DISCHARGING) val->intval = -val->intval; ``` This code was changing the sign of the current value when discharging, which altered the userspace-visible ABI. Even if the original behavior didn't match documentation, changing it broke existing applications that depended on the long-standing behavior. ### 3. **Simple and Safe Revert** The commit is a clean revert that: - Removes the problematic sign negation logic - Restores the original behavior that userspace applications expect - Is self-contained to the `acpi_battery_get_property()` function - Has minimal risk of introducing new issues ### 4. **Meets Stable Kernel Criteria** According to stable kernel rules, this commit qualifies because it: - **Fixes a real bug** that users are hitting (broken battery monitoring in Steam and MangoHud) - **Is obviously correct** (it's a revert of a change that broke userspace) - **Is small and contained** (only affects the ACPI battery property reporting) - **Has been tested** (the reporter confirmed the issue) - **Fixes a regression** (restores previous working behavior) ### 5. **Comparison to Similar Commits** Looking at the historical commits marked with "Backport Status: YES", they share similar characteristics: - Fix actual problems affecting users - Are relatively small and contained changes - Don't introduce new features or architectural changes - Focus on fixing specific issues This revert fits perfectly into this pattern as it's fixing a specific userspace compatibility issue without introducing any new functionality. ### 6. **Timing Considerations** The original problematic commit (234f71555019) was from May 8, 2025, and this revert is from July 3, 2025. If the original commit made it into any stable releases, those stable trees would need this revert to prevent userspace breakage. ### Conclusion: This is a textbook example of a commit that should be backported to stable kernels. It fixes a userspace regression, is minimal in scope, carries very low risk, and restores previously working behavior that applications depend on. The fact that it's a revert of a problematic change makes it even more suitable for stable backporting. drivers/acpi/battery.c | 19 +++---------------- 1 file changed, 3 insertions(+), 16 deletions(-) diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c index 2f188a734a0c5..5a4e022662417 100644 --- a/drivers/acpi/battery.c +++ b/drivers/acpi/battery.c @@ -241,23 +241,10 @@ static int acpi_battery_get_property(struct power_supply *psy, break; case POWER_SUPPLY_PROP_CURRENT_NOW: case POWER_SUPPLY_PROP_POWER_NOW: - if (battery->rate_now == ACPI_BATTERY_VALUE_UNKNOWN) { + if (battery->rate_now == ACPI_BATTERY_VALUE_UNKNOWN) ret = -ENODEV; - break; - } - - val->intval = battery->rate_now * 1000; - /* - * When discharging, the current should be reported as a - * negative number as per the power supply class interface - * definition. - */ - if (psp == POWER_SUPPLY_PROP_CURRENT_NOW && - (battery->state & ACPI_BATTERY_STATE_DISCHARGING) && - acpi_battery_handle_discharging(battery) - == POWER_SUPPLY_STATUS_DISCHARGING) - val->intval = -val->intval; - + else + val->intval = battery->rate_now * 1000; break; case POWER_SUPPLY_PROP_CHARGE_FULL_DESIGN: case POWER_SUPPLY_PROP_ENERGY_FULL_DESIGN: -- 2.39.5

4 months, 2 weeks

1
2
0 0

[PATCH AUTOSEL 6.6 1/4] Revert "ACPI: battery: negate current when discharging"

by Sasha Levin

From: "Rafael J. Wysocki" <rafael.j.wysocki(a)intel.com> [ Upstream commit de1675de39aa945bad5937d1fde4df3682670639 ] Revert commit 234f71555019 ("ACPI: battery: negate current when discharging") breaks not one but several userspace implementations of battery monitoring: Steam and MangoHud. Perhaps it breaks more, but those are the two that have been tested. Reported-by: Matthew Schwartz <matthew.schwartz(a)linux.dev> Closes: https://lore.kernel.org/linux-acpi/87C1B2AF-D430-4568-B620-14B941A8ABA4@lin… Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES**, this commit should be backported to stable kernel trees. ## Extensive Explanation: ### 1. **Critical Userspace Regression Fix** This revert fixes a critical regression that breaks userspace applications. The commit message explicitly states that the original change "breaks not one but several userspace implementations of battery monitoring: Steam and MangoHud." This is a clear violation of the kernel's "no userspace regressions" rule, which is one of the most fundamental principles in kernel development. ### 2. **Code Analysis Shows ABI Change** Looking at the code changes: ```c // The problematic code that was added (and is now being removed): if (psp == POWER_SUPPLY_PROP_CURRENT_NOW && (battery->state & ACPI_BATTERY_STATE_DISCHARGING) && acpi_battery_handle_discharging(battery) == POWER_SUPPLY_STATUS_DISCHARGING) val->intval = -val->intval; ``` This code was changing the sign of the current value when discharging, which altered the userspace-visible ABI. Even if the original behavior didn't match documentation, changing it broke existing applications that depended on the long-standing behavior. ### 3. **Simple and Safe Revert** The commit is a clean revert that: - Removes the problematic sign negation logic - Restores the original behavior that userspace applications expect - Is self-contained to the `acpi_battery_get_property()` function - Has minimal risk of introducing new issues ### 4. **Meets Stable Kernel Criteria** According to stable kernel rules, this commit qualifies because it: - **Fixes a real bug** that users are hitting (broken battery monitoring in Steam and MangoHud) - **Is obviously correct** (it's a revert of a change that broke userspace) - **Is small and contained** (only affects the ACPI battery property reporting) - **Has been tested** (the reporter confirmed the issue) - **Fixes a regression** (restores previous working behavior) ### 5. **Comparison to Similar Commits** Looking at the historical commits marked with "Backport Status: YES", they share similar characteristics: - Fix actual problems affecting users - Are relatively small and contained changes - Don't introduce new features or architectural changes - Focus on fixing specific issues This revert fits perfectly into this pattern as it's fixing a specific userspace compatibility issue without introducing any new functionality. ### 6. **Timing Considerations** The original problematic commit (234f71555019) was from May 8, 2025, and this revert is from July 3, 2025. If the original commit made it into any stable releases, those stable trees would need this revert to prevent userspace breakage. ### Conclusion: This is a textbook example of a commit that should be backported to stable kernels. It fixes a userspace regression, is minimal in scope, carries very low risk, and restores previously working behavior that applications depend on. The fact that it's a revert of a problematic change makes it even more suitable for stable backporting. drivers/acpi/battery.c | 19 +++---------------- 1 file changed, 3 insertions(+), 16 deletions(-) diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c index cd3cbb7a36f85..e3cbaf3c3bbc1 100644 --- a/drivers/acpi/battery.c +++ b/drivers/acpi/battery.c @@ -243,23 +243,10 @@ static int acpi_battery_get_property(struct power_supply *psy, break; case POWER_SUPPLY_PROP_CURRENT_NOW: case POWER_SUPPLY_PROP_POWER_NOW: - if (battery->rate_now == ACPI_BATTERY_VALUE_UNKNOWN) { + if (battery->rate_now == ACPI_BATTERY_VALUE_UNKNOWN) ret = -ENODEV; - break; - } - - val->intval = battery->rate_now * 1000; - /* - * When discharging, the current should be reported as a - * negative number as per the power supply class interface - * definition. - */ - if (psp == POWER_SUPPLY_PROP_CURRENT_NOW && - (battery->state & ACPI_BATTERY_STATE_DISCHARGING) && - acpi_battery_handle_discharging(battery) - == POWER_SUPPLY_STATUS_DISCHARGING) - val->intval = -val->intval; - + else + val->intval = battery->rate_now * 1000; break; case POWER_SUPPLY_PROP_CHARGE_FULL_DESIGN: case POWER_SUPPLY_PROP_ENERGY_FULL_DESIGN: -- 2.39.5

4 months, 2 weeks

1
3
0 0

[PATCH AUTOSEL 6.12 1/6] Revert "ACPI: battery: negate current when discharging"

by Sasha Levin

From: "Rafael J. Wysocki" <rafael.j.wysocki(a)intel.com> [ Upstream commit de1675de39aa945bad5937d1fde4df3682670639 ] Revert commit 234f71555019 ("ACPI: battery: negate current when discharging") breaks not one but several userspace implementations of battery monitoring: Steam and MangoHud. Perhaps it breaks more, but those are the two that have been tested. Reported-by: Matthew Schwartz <matthew.schwartz(a)linux.dev> Closes: https://lore.kernel.org/linux-acpi/87C1B2AF-D430-4568-B620-14B941A8ABA4@lin… Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES**, this commit should be backported to stable kernel trees. ## Extensive Explanation: ### 1. **Critical Userspace Regression Fix** This revert fixes a critical regression that breaks userspace applications. The commit message explicitly states that the original change "breaks not one but several userspace implementations of battery monitoring: Steam and MangoHud." This is a clear violation of the kernel's "no userspace regressions" rule, which is one of the most fundamental principles in kernel development. ### 2. **Code Analysis Shows ABI Change** Looking at the code changes: ```c // The problematic code that was added (and is now being removed): if (psp == POWER_SUPPLY_PROP_CURRENT_NOW && (battery->state & ACPI_BATTERY_STATE_DISCHARGING) && acpi_battery_handle_discharging(battery) == POWER_SUPPLY_STATUS_DISCHARGING) val->intval = -val->intval; ``` This code was changing the sign of the current value when discharging, which altered the userspace-visible ABI. Even if the original behavior didn't match documentation, changing it broke existing applications that depended on the long-standing behavior. ### 3. **Simple and Safe Revert** The commit is a clean revert that: - Removes the problematic sign negation logic - Restores the original behavior that userspace applications expect - Is self-contained to the `acpi_battery_get_property()` function - Has minimal risk of introducing new issues ### 4. **Meets Stable Kernel Criteria** According to stable kernel rules, this commit qualifies because it: - **Fixes a real bug** that users are hitting (broken battery monitoring in Steam and MangoHud) - **Is obviously correct** (it's a revert of a change that broke userspace) - **Is small and contained** (only affects the ACPI battery property reporting) - **Has been tested** (the reporter confirmed the issue) - **Fixes a regression** (restores previous working behavior) ### 5. **Comparison to Similar Commits** Looking at the historical commits marked with "Backport Status: YES", they share similar characteristics: - Fix actual problems affecting users - Are relatively small and contained changes - Don't introduce new features or architectural changes - Focus on fixing specific issues This revert fits perfectly into this pattern as it's fixing a specific userspace compatibility issue without introducing any new functionality. ### 6. **Timing Considerations** The original problematic commit (234f71555019) was from May 8, 2025, and this revert is from July 3, 2025. If the original commit made it into any stable releases, those stable trees would need this revert to prevent userspace breakage. ### Conclusion: This is a textbook example of a commit that should be backported to stable kernels. It fixes a userspace regression, is minimal in scope, carries very low risk, and restores previously working behavior that applications depend on. The fact that it's a revert of a problematic change makes it even more suitable for stable backporting. drivers/acpi/battery.c | 19 +++---------------- 1 file changed, 3 insertions(+), 16 deletions(-) diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c index 6a7ac34d73bda..65fa3444367a1 100644 --- a/drivers/acpi/battery.c +++ b/drivers/acpi/battery.c @@ -243,23 +243,10 @@ static int acpi_battery_get_property(struct power_supply *psy, break; case POWER_SUPPLY_PROP_CURRENT_NOW: case POWER_SUPPLY_PROP_POWER_NOW: - if (battery->rate_now == ACPI_BATTERY_VALUE_UNKNOWN) { + if (battery->rate_now == ACPI_BATTERY_VALUE_UNKNOWN) ret = -ENODEV; - break; - } - - val->intval = battery->rate_now * 1000; - /* - * When discharging, the current should be reported as a - * negative number as per the power supply class interface - * definition. - */ - if (psp == POWER_SUPPLY_PROP_CURRENT_NOW && - (battery->state & ACPI_BATTERY_STATE_DISCHARGING) && - acpi_battery_handle_discharging(battery) - == POWER_SUPPLY_STATUS_DISCHARGING) - val->intval = -val->intval; - + else + val->intval = battery->rate_now * 1000; break; case POWER_SUPPLY_PROP_CHARGE_FULL_DESIGN: case POWER_SUPPLY_PROP_ENERGY_FULL_DESIGN: -- 2.39.5

4 months, 2 weeks

1
5
0 0

+ mm-check-if-folio-has-valid-mapcount-before-folio_test_anonksm-when-necessary.patch added to mm-new branch

by Andrew Morton

The patch titled Subject: mm: check if folio has valid mapcount before folio_test_{anon,ksm}() when necessary has been added to the -mm mm-new branch. Its filename is mm-check-if-folio-has-valid-mapcount-before-folio_test_anonksm-when-necessary.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-new branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Note, mm-new is a provisional staging ground for work-in-progress patches, and acceptance into mm-new is a notification for others take notice and to finish up reviews. Please do not hesitate to respond to review feedback and post updated versions to replace or incrementally fixup patches in mm-new. Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Harry Yoo <harry.yoo(a)oracle.com> Subject: mm: check if folio has valid mapcount before folio_test_{anon,ksm}() when necessary Date: Mon, 7 Jul 2025 21:07:40 +0900 folio_test_anon() and folio_test_ksm() may return false positives when the folio is a typed page (except hugetlb), because lower bits of folio->mapping field can be set even if it doesn't mean FOLIO_MAPPING_* flags. To avoid false positives, folio_test_{anon,ksm}() should be called only if !page_has_type(&folio->page) || folio_test_hugetlb(folio). However, the check can be skipped if a folio is or will be mapped to userspace because typed pages that are not hugetlb folios cannot be mapped to userspace. As folio_expected_ref_count() already does the check, introduce a helper function folio_has_mapcount() and use it in folio_expected_ref_count() and stable_page_flags(). Update the comment in FOLIO_MAPPING_* flags accordingly. This fixes tools/mm/page-types reporting pages with KPF_SLAB, KPF_ANON and KPF_SLAB (with flags, page-counts, MB omitted): $ sudo ./page-types | grep slab _______S___________________________________ slab _______S____a________x_____________________ slab,anonymous,ksm Link: https://lkml.kernel.org/r/20250707120740.4413-1-harry.yoo@oracle.com Fixes: 130d4df57390 ("mm/sl[au]b: rearrange struct slab fields to allow larger rcu_head") Signed-off-by: Harry Yoo <harry.yoo(a)oracle.com> Suggested-by: Vlastimil Babka <vbabka(a)suse.cz> Cc: Christoph Lameter (Ampere) <cl(a)gentwo.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: David Rientjes <rientjes(a)google.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/page.c | 19 +++++++++++-------- include/linux/mm.h | 2 +- include/linux/page-flags.h | 20 ++++++++++++++------ 3 files changed, 26 insertions(+), 15 deletions(-) --- a/fs/proc/page.c~mm-check-if-folio-has-valid-mapcount-before-folio_test_anonksm-when-necessary +++ a/fs/proc/page.c @@ -148,18 +148,21 @@ u64 stable_page_flags(const struct page folio = page_folio(page); k = folio->flags; - mapping = (unsigned long)folio->mapping; - is_anon = mapping & FOLIO_MAPPING_ANON; /* * pseudo flags for the well known (anonymous) memory mapped pages */ - if (page_mapped(page)) - u |= 1 << KPF_MMAP; - if (is_anon) { - u |= 1 << KPF_ANON; - if (mapping & FOLIO_MAPPING_KSM) - u |= 1 << KPF_KSM; + if (folio_has_mapcount(folio)) { + mapping = (unsigned long)folio->mapping; + is_anon = mapping & FOLIO_MAPPING_ANON; + + if (page_mapped(page)) + u |= 1 << KPF_MMAP; + if (is_anon) { + u |= 1 << KPF_ANON; + if (mapping & FOLIO_MAPPING_KSM) + u |= 1 << KPF_KSM; + } } /* --- a/include/linux/mm.h~mm-check-if-folio-has-valid-mapcount-before-folio_test_anonksm-when-necessary +++ a/include/linux/mm.h @@ -2167,7 +2167,7 @@ static inline int folio_expected_ref_cou const int order = folio_order(folio); int ref_count = 0; - if (WARN_ON_ONCE(page_has_type(&folio->page) && !folio_test_hugetlb(folio))) + if (WARN_ON_ONCE(!folio_has_mapcount(folio))) return 0; if (folio_test_anon(folio)) { --- a/include/linux/page-flags.h~mm-check-if-folio-has-valid-mapcount-before-folio_test_anonksm-when-necessary +++ a/include/linux/page-flags.h @@ -706,12 +706,15 @@ PAGEFLAG_FALSE(VmemmapSelfHosted, vmemma * address_space which maps the folio from disk; whereas "folio_mapped" * refers to user virtual address space into which the folio is mapped. * - * For slab pages, since slab reuses the bits in struct page to store its - * internal states, the folio->mapping does not exist as such, nor do - * these flags below. So in order to avoid testing non-existent bits, - * please make sure that folio_test_slab(folio) actually evaluates to - * false before calling the following functions (e.g., folio_test_anon). - * See mm/slab.h. + * For certain typed pages like slabs, since they reuse bits in struct page + * to store internal states, folio->mapping does not point to a valid + * mapping, nor do these flags exist. To avoid testing non-existent bits, + * make sure folio_has_mapcount() actually evaluates to true before calling + * the following functions (e.g., folio_test_anon). + * + * The folio_has_mapcount() check can be skipped if the folio is mapped + * to userspace, since a folio with !folio_has_mapcount() cannot be mapped + * to userspace at all. */ #define FOLIO_MAPPING_ANON 0x1 #define FOLIO_MAPPING_ANON_KSM 0x2 @@ -1092,6 +1095,11 @@ static inline bool PageHuge(const struct return folio_test_hugetlb(page_folio(page)); } +static inline bool folio_has_mapcount(const struct folio *folio) +{ + return !page_has_type(&folio->page) || folio_test_hugetlb(folio); +} + /* * Check if a page is currently marked HWPoisoned. Note that this check is * best effort only and inherently racy: there is no way to synchronize with _ Patches currently in -mm which might be from harry.yoo(a)oracle.com are lib-alloc_tag-do-not-acquire-non-existent-lock-in-alloc_tag_top_users.patch lib-alloc_tag-do-not-acquire-non-existent-lock-in-alloc_tag_top_users-v3.patch mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction=n.patch mm-check-if-folio-has-valid-mapcount-before-folio_test_anonksm-when-necessary.patch

4 months, 2 weeks

1
0
0 0

Linux 6.15.5

by Greg Kroah-Hartman

I'm announcing the release of the 6.15.5 kernel. All users of the 6.15 kernel series must upgrade. The updated 6.15.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.15.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/serial/8250.yaml | 2 Documentation/netlink/specs/tc.yaml | 4 Makefile | 2 arch/arm64/boot/dts/qcom/x1-crd.dtsi | 1277 ++++++++++ arch/arm64/boot/dts/qcom/x1e78100-lenovo-thinkpad-t14s.dts | 45 arch/arm64/boot/dts/qcom/x1e80100-crd.dts | 1270 --------- arch/arm64/boot/dts/qcom/x1e80100.dtsi | 2 arch/loongarch/kvm/intc/eiointc.c | 89 arch/powerpc/crypto/Kconfig | 1 arch/riscv/include/asm/cpufeature.h | 5 arch/riscv/include/asm/pgtable.h | 1 arch/riscv/include/asm/processor.h | 1 arch/riscv/include/asm/runtime-const.h | 2 arch/riscv/include/asm/vector.h | 12 arch/riscv/kernel/asm-offsets.c | 5 arch/riscv/kernel/entry.S | 9 arch/riscv/kernel/setup.c | 1 arch/riscv/kernel/traps_misaligned.c | 6 arch/riscv/mm/cacheflush.c | 15 arch/s390/kernel/ptrace.c | 2 arch/s390/mm/fault.c | 2 arch/um/drivers/ubd_user.c | 2 arch/um/include/asm/asm-prototypes.h | 5 arch/um/kernel/trap.c | 129 - arch/x86/include/uapi/asm/debugreg.h | 21 arch/x86/kernel/cpu/common.c | 24 arch/x86/kernel/fpu/signal.c | 11 arch/x86/kernel/fpu/xstate.h | 22 arch/x86/kernel/traps.c | 34 arch/x86/um/asm/checksum.h | 3 drivers/ata/ahci.c | 2 drivers/bus/mhi/host/pci_generic.c | 39 drivers/cxl/core/ras.c | 47 drivers/cxl/core/region.c | 9 drivers/dma/idxd/cdev.c | 4 drivers/dma/xilinx/xilinx_dma.c | 2 drivers/edac/amd64_edac.c | 57 drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 28 drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c | 30 drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 8 drivers/gpu/drm/amd/amdgpu/amdgpu_job.c | 12 drivers/gpu/drm/amd/amdgpu/amdgpu_job.h | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c | 16 drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 16 drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h | 16 drivers/gpu/drm/amd/amdgpu/amdgpu_seq64.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_ucode.c | 17 drivers/gpu/drm/amd/amdgpu/amdgpu_ucode.h | 6 drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 2 drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 5 drivers/gpu/drm/amd/amdgpu/imu_v11_0.c | 9 drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 10 drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 3 drivers/gpu/drm/amd/amdgpu/psp_v13_0.c | 2 drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c | 6 drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c | 19 drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 20 drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 20 drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c | 21 drivers/gpu/drm/amd/amdkfd/kfd_events.c | 1 drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c | 2 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 97 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 4 drivers/gpu/drm/amd/display/dc/core/dc.c | 33 drivers/gpu/drm/amd/display/dc/dc.h | 8 drivers/gpu/drm/amd/display/dc/dc_dp_types.h | 4 drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_translation_helper.c | 1 drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c | 5 drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c | 1 drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 9 drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 28 drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_capability.c | 46 drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_capability.h | 3 drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training.c | 1 drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training_8b_10b.c | 52 drivers/gpu/drm/amd/display/dc/resource/dcn31/dcn31_resource.c | 3 drivers/gpu/drm/amd/display/dc/resource/dcn314/dcn314_resource.c | 3 drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c | 3 drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c | 3 drivers/gpu/drm/amd/display/dc/resource/dcn36/dcn36_resource.c | 3 drivers/gpu/drm/amd/display/include/link_service_types.h | 2 drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c | 3 drivers/gpu/drm/amd/pm/amdgpu_dpm.c | 22 drivers/gpu/drm/amd/pm/inc/amdgpu_dpm.h | 1 drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 12 drivers/gpu/drm/ast/ast_mode.c | 6 drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c | 32 drivers/gpu/drm/bridge/ti-sn65dsi86.c | 109 drivers/gpu/drm/drm_writeback.c | 7 drivers/gpu/drm/etnaviv/etnaviv_sched.c | 5 drivers/gpu/drm/i915/display/intel_cx0_phy.c | 27 drivers/gpu/drm/i915/display/intel_cx0_phy_regs.h | 15 drivers/gpu/drm/i915/display/intel_display_driver.c | 30 drivers/gpu/drm/i915/display/intel_dp.c | 17 drivers/gpu/drm/i915/display/intel_snps_hdmi_pll.c | 4 drivers/gpu/drm/i915/display/vlv_dsi.c | 4 drivers/gpu/drm/i915/i915_pmu.c | 2 drivers/gpu/drm/msm/msm_gpu_devfreq.c | 1 drivers/gpu/drm/panel/panel-simple.c | 6 drivers/gpu/drm/scheduler/sched_entity.c | 1 drivers/gpu/drm/tegra/dc.c | 17 drivers/gpu/drm/tegra/hub.c | 4 drivers/gpu/drm/tegra/hub.h | 3 drivers/gpu/drm/tiny/cirrus-qemu.c | 1 drivers/gpu/drm/tiny/simpledrm.c | 4 drivers/gpu/drm/udl/udl_drv.c | 2 drivers/gpu/drm/xe/display/xe_display.c | 2 drivers/gpu/drm/xe/display/xe_dsb_buffer.c | 11 drivers/gpu/drm/xe/display/xe_fb_pin.c | 5 drivers/gpu/drm/xe/xe_ggtt.c | 11 drivers/gpu/drm/xe/xe_gpu_scheduler.h | 10 drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c | 8 drivers/gpu/drm/xe/xe_guc_ct.c | 17 drivers/gpu/drm/xe/xe_guc_ct.h | 5 drivers/gpu/drm/xe/xe_guc_pc.c | 2 drivers/gpu/drm/xe/xe_guc_submit.c | 23 drivers/gpu/drm/xe/xe_guc_types.h | 5 drivers/gpu/drm/xe/xe_vm.c | 8 drivers/hid/hid-appletb-kbd.c | 5 drivers/hid/hid-lenovo.c | 11 drivers/hid/intel-thc-hid/intel-quicki2c/quicki2c-protocol.c | 26 drivers/hid/wacom_sys.c | 7 drivers/hwmon/isl28022.c | 6 drivers/hwmon/pmbus/max34440.c | 48 drivers/hwtracing/coresight/coresight-core.c | 3 drivers/hwtracing/coresight/coresight-priv.h | 1 drivers/i2c/busses/i2c-imx.c | 3 drivers/i2c/busses/i2c-omap.c | 7 drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 drivers/i2c/busses/i2c-tiny-usb.c | 6 drivers/iio/adc/ad7606_spi.c | 8 drivers/iio/adc/ad_sigma_delta.c | 4 drivers/iio/dac/adi-axi-dac.c | 24 drivers/iio/light/al3000a.c | 9 drivers/iio/light/hid-sensor-prox.c | 3 drivers/iio/pressure/zpa2326.c | 2 drivers/leds/led-class-multicolor.c | 3 drivers/mailbox/mailbox.c | 2 drivers/md/bcache/Kconfig | 1 drivers/md/bcache/alloc.c | 57 drivers/md/bcache/bcache.h | 2 drivers/md/bcache/bset.c | 116 drivers/md/bcache/bset.h | 40 drivers/md/bcache/btree.c | 69 drivers/md/bcache/extents.c | 45 drivers/md/bcache/movinggc.c | 33 drivers/md/bcache/super.c | 10 drivers/md/bcache/sysfs.c | 4 drivers/md/bcache/util.h | 67 drivers/md/bcache/writeback.c | 13 drivers/md/dm-raid.c | 2 drivers/md/dm-vdo/indexer/volume.c | 24 drivers/md/md-bitmap.c | 2 drivers/media/usb/uvc/uvc_ctrl.c | 70 drivers/media/usb/uvc/uvc_v4l2.c | 91 drivers/media/usb/uvc/uvcvideo.h | 5 drivers/mfd/88pm886.c | 6 drivers/mfd/max14577.c | 1 drivers/mfd/max77541.c | 2 drivers/mfd/max77705.c | 4 drivers/mfd/sprd-sc27xx-spi.c | 5 drivers/misc/tps6594-pfsm.c | 3 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 5 drivers/net/ethernet/freescale/enetc/enetc_hw.h | 2 drivers/net/ethernet/pensando/ionic/ionic_txrx.c | 12 drivers/net/ethernet/wangxun/libwx/wx_lib.c | 2 drivers/net/wireless/intel/iwlwifi/mld/fw.c | 8 drivers/nvme/host/core.c | 83 drivers/nvme/host/nvme.h | 3 drivers/nvme/host/tcp.c | 22 drivers/pci/controller/dwc/pci-imx6.c | 15 drivers/pci/controller/dwc/pcie-designware.c | 5 drivers/pci/controller/pcie-apple.c | 3 drivers/s390/crypto/pkey_api.c | 2 drivers/scsi/fnic/fdls_disc.c | 122 drivers/scsi/fnic/fnic.h | 2 drivers/scsi/fnic/fnic_fcs.c | 2 drivers/scsi/fnic/fnic_fdls.h | 1 drivers/scsi/megaraid/megaraid_sas_base.c | 6 drivers/spi/spi-cadence-quadspi.c | 12 drivers/staging/rtl8723bs/core/rtw_security.c | 44 drivers/tty/serial/8250/8250_pci1xxxx.c | 10 drivers/tty/serial/imx.c | 17 drivers/tty/serial/serial_base_bus.c | 1 drivers/tty/serial/uartlite.c | 25 drivers/ufs/core/ufshcd.c | 6 drivers/usb/class/cdc-wdm.c | 23 drivers/usb/common/usb-conn-gpio.c | 25 drivers/usb/core/usb.c | 14 drivers/usb/dwc2/gadget.c | 6 drivers/usb/gadget/function/f_hid.c | 19 drivers/usb/gadget/function/f_tcm.c | 4 drivers/usb/typec/altmodes/displayport.c | 4 drivers/usb/typec/mux.c | 4 drivers/usb/typec/tcpm/tcpci_maxim_core.c | 5 drivers/usb/typec/tipd/core.c | 2 fs/btrfs/backref.h | 4 fs/btrfs/direct-io.c | 4 fs/btrfs/disk-io.c | 25 fs/btrfs/extent_io.h | 2 fs/btrfs/inode.c | 93 fs/btrfs/ordered-data.c | 14 fs/btrfs/raid56.c | 5 fs/btrfs/tests/extent-io-tests.c | 6 fs/btrfs/tree-log.c | 14 fs/btrfs/volumes.c | 6 fs/btrfs/zstd.c | 2 fs/ceph/file.c | 2 fs/f2fs/file.c | 38 fs/f2fs/super.c | 30 fs/fuse/dir.c | 11 fs/fuse/inode.c | 4 fs/namespace.c | 18 fs/nfs/inode.c | 51 fs/nfs/nfs4proc.c | 25 fs/overlayfs/util.c | 4 fs/proc/task_mmu.c | 2 fs/smb/client/cifsglob.h | 2 fs/smb/client/cifspdu.h | 6 fs/smb/client/cifssmb.c | 1 fs/smb/client/connect.c | 58 fs/smb/client/misc.c | 8 fs/smb/client/reparse.c | 20 fs/smb/client/sess.c | 21 fs/smb/client/trace.h | 24 fs/smb/server/connection.h | 1 fs/smb/server/smb2pdu.c | 72 fs/smb/server/smb2pdu.h | 3 include/net/bluetooth/hci_core.h | 2 include/uapi/linux/vm_sockets.h | 4 io_uring/io_uring.c | 3 io_uring/kbuf.c | 1 io_uring/kbuf.h | 1 io_uring/net.c | 34 io_uring/rsrc.c | 57 io_uring/rsrc.h | 3 io_uring/zcrx.c | 101 io_uring/zcrx.h | 11 kernel/sched/ext.c | 12 lib/group_cpus.c | 9 lib/maple_tree.c | 4 mm/damon/sysfs-schemes.c | 1 mm/gup.c | 14 mm/memory.c | 20 mm/shmem.c | 6 mm/swap.h | 23 mm/userfaultfd.c | 33 net/atm/clip.c | 11 net/atm/resources.c | 3 net/bluetooth/hci_core.c | 34 net/bluetooth/l2cap_core.c | 9 net/bridge/br_multicast.c | 9 net/core/netpoll.c | 2 net/core/selftests.c | 5 net/mac80211/chan.c | 3 net/mac80211/ieee80211_i.h | 12 net/mac80211/iface.c | 12 net/mac80211/link.c | 94 net/mac80211/util.c | 2 net/sunrpc/clnt.c | 9 net/unix/af_unix.c | 31 rust/Makefile | 2 rust/bindings/bindings_helper.h | 1 rust/helpers/completion.c | 8 rust/helpers/helpers.c | 1 rust/kernel/devres.rs | 53 rust/kernel/revocable.rs | 18 rust/kernel/sync.rs | 2 rust/kernel/sync/completion.rs | 112 rust/macros/module.rs | 1 scripts/gdb/linux/vfs.py | 2 security/selinux/ss/services.c | 16 sound/pci/hda/hda_bind.c | 2 sound/pci/hda/hda_intel.c | 3 sound/pci/hda/patch_realtek.c | 1 sound/soc/amd/ps/acp63.h | 4 sound/soc/amd/ps/ps-common.c | 18 sound/soc/amd/yc/acp6x-mach.c | 7 sound/soc/codecs/rt1320-sdw.c | 17 sound/soc/codecs/wcd9335.c | 40 sound/usb/quirks.c | 2 sound/usb/stream.c | 2 tools/lib/bpf/btf_dump.c | 3 tools/lib/bpf/libbpf.c | 10 tools/testing/selftests/bpf/progs/test_global_map_resize.c | 16 287 files changed, 4524 insertions(+), 2532 deletions(-) Adin Scannell (1): libbpf: Fix possible use-after-free for externs Aidan Stewart (1): serial: core: restore of_node information in sysfs Al Viro (2): attach_recursive_mnt(): do not lock the covering tree when sliding something under it userns and mnt_idmap leak in open_tree_attr(2) Alex Deucher (4): drm/amdgpu/mes: add compatibility checks for set_hw_resource_1 drm/amdgpu: disable workload profile switching when OD is enabled drm/amdgpu: switch job hw_fence to amdgpu_fence drm/amdgpu/mes: add missing locking in helper functions Alex Hung (2): drm/amd/display: Check dce_hwseq before dereferencing it drm/amd/display: Fix mpv playback corruption on weston Alexis Czezar Torreno (1): hwmon: (pmbus/max34440) Fix support for max34451 Andy Chiu (1): riscv: add a data fence for CMODX in the kernel mode Andy Shevchenko (1): usb: Add checks for snprintf() calls in usb_alloc_dev() Angelo Dureghello (1): iio: dac: adi-axi-dac: add cntrl chan check Ankit Nautiyal (1): drm/i915/snps_hdmi_pll: Fix 64-bit divisor truncation by using div64_u64 Aradhya Bhatia (5): drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() drm/bridge: cdns-dsi: Fix phy de-init and flag it so drm/bridge: cdns-dsi: Fix connecting to next bridge drm/bridge: cdns-dsi: Check return value when getting default PHY config drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready Arnd Bergmann (1): drm/i915: fix build error some more Avadhut Naik (1): EDAC/amd64: Fix size calculation for Non-Power-of-Two DIMMs Ben Dooks (1): riscv: save the SR_SUM status over switches Benjamin Berg (1): um: use proper care when taking mmap lock during segfault Bibo Mao (6): LoongArch: KVM: Avoid overflow with array index LoongArch: KVM: Check validity of "num_cpu" from user space LoongArch: KVM: Disable updating of "num_cpu" and "feature" LoongArch: KVM: Add address alignment check for IOCSR emulation LoongArch: KVM: Fix interrupt route update with EIOINTC LoongArch: KVM: Check interrupt route from physical CPU Breno Leitao (1): net: netpoll: Initialize UDP checksum field before checksumming Cezary Rojewski (1): ALSA: hda: Ignore unsol events for cards being shut down Chance Yang (1): usb: common: usb-conn-gpio: use a unique name for usb connector device Chang S. Bae (2): x86/fpu: Refactor xfeature bitmask update code for sigframe XSAVE x86/pkeys: Simplify PKRU update in signal frame Chao Yu (2): f2fs: don't over-report free space or inodes in statvfs f2fs: fix to zero post-eof page Charles Mirabile (1): riscv: fix runtime constant support for nommu kernels Chen Yu (1): scsi: megaraid_sas: Fix invalid node index Chen Yufeng (1): usb: potential integer overflow in usbg_make_tpg() Chenyuan Yang (1): misc: tps6594-pfsm: Add NULL pointer check in tps6594_pfsm_probe() Christoph Hellwig (2): nvme: refactor the atomic write unit detection nvme: fix atomic write size validation Christophe JAILLET (1): i2c: omap: Fix an error handling path in omap_i2c_probe() Clément Léger (1): riscv: misaligned: declare misaligned_access_speed under CONFIG_RISCV_MISALIGNED Cyril Bur (1): riscv: uaccess: Only restore the CSR_STATUS SUM bit Dan Williams (1): cxl/ras: Fix CPER handler device confusion Daniele Ceraolo Spurio (1): drm/xe: Fix early wedge on GuC load failure Daniele Palmas (1): bus: mhi: host: pci_generic: Add Telit FN920C04 modem support Danilo Krummrich (4): rust: completion: implement initial abstraction rust: revocable: indicate whether `data` has been revoked already rust: devres: fix race in Devres::drop() rust: devres: do not dereference to the internal Revocable David (Ming Qiang) Wu (4): drm/amdgpu/vcn5.0.1: read back register after written drm/amdgpu/vcn4: read back register after written drm/amdgpu/vcn3: read back register after written drm/amdgpu/vcn2.5: read back register after written David Heidelberg (1): iio: light: al3000a: Fix an error handling path in al3000a_probe() David Hildenbrand (2): fs/proc/task_mmu: fix PAGE_IS_PFNZERO detection for the huge zero folio mm/gup: revert "mm: gup: fix infinite loop within __get_longterm_locked" David Lechner (1): iio: adc: ad7606_spi: check error in ad7606B_sw_mode_config() David Sterba (1): btrfs: use unsigned types for constants defined as bit shifts Dmitry Kandybka (1): ceph: fix possible integer overflow in ceph_zero_objects() Eric Biggers (1): crypto: powerpc/poly1305 - add depends on BROKEN for now Eric Dumazet (1): atm: clip: prevent NULL deref in clip_push() Even Xu (1): HID: Intel-thc-hid: Intel-quicki2c: Enhance QuickI2C reset flow FUJITA Tomonori (1): rust: module: place cleanup_module() in .exit.text section Fabio Estevam (1): serial: imx: Restore original RXTL for console to fix data loss Fedor Pchelkin (1): s390/pkey: Prevent overflow in size calculation for memdup_user() Filipe Manana (4): btrfs: fix race between async reclaim worker and close_ctree() btrfs: fix qgroup reservation leak on failure to allocate ordered extent btrfs: fix a race between renames and directory logging btrfs: fix invalid inode pointer dereferences during log replay Florian Fainelli (1): scripts/gdb: fix dentry_name() lookup Frank Min (2): drm/amdgpu: Add kicker device detection drm/amdgpu: add kicker fws loading for gfx11/smu13/psp13 Frédéric Danis (1): Bluetooth: L2CAP: Fix L2CAP MTU negotiation Greg Kroah-Hartman (1): Linux 6.15.5 Gregory Price (1): cxl: core/region - ignore interleave granularity when ways=1 Guang Yuan Wu (1): fuse: fix race between concurrent setattrs from multiple nodes Haiyue Wang (1): fuse: fix runtime warning on truncate_folio_batch_exceptionals() Han Gao (1): riscv: vector: Fix context save/restore with xtheadvector Han Young (1): NFSv4: Always set NLINK even if the server doesn't support it Hannes Reinecke (2): nvme-tcp: fix I/O stalls on congested sockets nvme-tcp: sanitize request list handling Haoxiang Li (2): drm/i915/display: Add check for alloc_ordered_workqueue() and alloc_workqueue() drm/xe/display: Add check for alloc_ordered_workqueue() Hector Martin (1): PCI: apple: Fix missing OF node reference in apple_pcie_setup_port Heiko Carstens (2): s390/mm: Fix in_atomic() handling in do_secure_storage_access() s390/ptrace: Fix pointer dereferencing in regs_get_kernel_stack_nth() Heinz Mauelshagen (1): dm-raid: fix variable in journal device check Ido Schimmel (1): bridge: mcast: Fix use-after-free during router port configuration Ilan Peer (1): wifi: iwlwifi: mld: Move regulatory domain initialization Imre Deak (2): drm/i915/ptl: Use everywhere the correct DDI port clock select mask drm/i915/dp_mst: Work around Thunderbolt sink disconnect after SINK_COUNT_ESI read Iusico Maxim (1): HID: lenovo: Restrict F7/9/11 mode to compact keyboards only Jakub Kicinski (2): netlink: specs: tc: replace underscores with dashes in names net: selftests: fix TCP packet checksum Jakub Lewalski (1): tty: serial: uartlite: register uart driver in init James Clark (1): coresight: Only check bottom two claim bits Jay Cornwall (1): drm/amdkfd: Fix race in GWS queue scheduling Jayesh Choudhary (1): drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type Jens Axboe (3): io_uring/net: mark iov as dynamically allocated even for single segments io_uring/kbuf: flag partial buffer mappings io_uring: gate REQ_F_ISREG on !S_ANON_INODE as well Jesse Zhang (1): drm/amdgpu: Fix SDMA UTC_L1 handling during start/stop sequences Jiawen Wu (1): net: libwx: fix the creation of page_pool Johan Hovold (1): arm64: dts: qcom: x1e80100-crd: mark l12b and l15b always-on Johannes Berg (1): wifi: mac80211: finish link init before RCU publish John Olender (1): drm/amdgpu: amdgpu_vram_mgr_new(): Clamp lpfn to total vram Jonathan Cameron (1): iio: pressure: zpa2326: Use aligned_s64 for the timestamp Joonas Lahtinen (1): Revert "drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1" Jos Wang (1): usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode Kairui Song (2): mm: userfaultfd: fix race of userfaultfd_move and swap cache mm/shmem, swap: fix softlockup with mTHP swapin Karan Tilak Kumar (2): scsi: fnic: Fix crash in fnic_wq_cmpl_handler when FDMI times out scsi: fnic: Turn off FDMI ACTIVE flags on link down Kees Cook (1): ovl: Check for NULL d_inode() in ovl_dentry_upper() Khairul Anuar Romli (1): spi: spi-cadence-quadspi: Fix pm runtime unbalance Klara Modin (1): riscv: export boot_cpu_hartid Konrad Dybcio (1): arm64: dts: qcom: Commonize X1 CRD DTSI Krzysztof Kozlowski (8): mfd: max77541: Fix wakeup source leaks on device unbind mfd: max14577: Fix wakeup source leaks on device unbind mfd: max77705: Fix wakeup source leaks on device unbind mfd: 88pm886: Fix wakeup source leaks on device unbind mfd: sprd-sc27xx: Fix wakeup source leaks on device unbind usb: typec: tcpci: Fix wakeup source leaks on device unbind usb: typec: tipd: Fix wakeup source leaks on device unbind ASoC: codecs: wcd9335: Fix missing free of regulator supplies Kuan-Wei Chiu (3): bcache: remove unnecessary select MIN_HEAP Revert "bcache: update min_heap_callbacks to use default builtin swap" Revert "bcache: remove heap-related macros and switch to generic min_heap" Kuniyuki Iwashima (4): af_unix: Don't leave consecutive consumed OOB skbs. Bluetooth: hci_core: Fix use-after-free in vhci_flush() af_unix: Don't set -ECONNRESET for consumed OOB skb. atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). Lachlan Hodges (1): wifi: mac80211: fix beacon interval calculation overflow Liam R. Howlett (1): maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() Lin.Cao (1): drm/scheduler: signal scheduled fence when kill job Linggang Zeng (1): bcache: fix NULL pointer in cache_set_flush() Louis Chauvet (1): drm: writeback: Fix drm_writeback_connector_cleanup signature Luca Ceresoli (1): drm/panel: simple: Tianma TM070JDHG34-00: add delays Lucas De Marchi (2): drm/xe: Fix memset on iomem drm/xe: Fix taking invalid lock on wedge Lukasz Kucharczyk (1): i2c: imx: fix emulated smbus block read Maarten Lankhorst (1): drm/xe: Move DSB l2 flush to a more sensible place Mario Limonciello (8): ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock drm/amd: Adjust output for discovery error handling drm/amd/display: Add debugging message for brightness caps drm/amd/display: Fix default DC and AC levels drm/amd/display: Only read ACPI backlight caps once drm/amd/display: Optimize custom brightness curve drm/amd/display: Export full brightness range to userspace drm/amd/display: Fix AMDGPU_MAX_BL_LEVEL value Mark Harmstone (1): btrfs: update superblock's device bytes_used when dropping chunk Matthew Auld (4): drm/xe: move DPT l2 flush to a more sensible place drm/xe/vm: move rebind_work init earlier drm/xe/sched: stop re-submitting signalled jobs drm/xe/guc_submit: add back fix Matthew Sakai (1): dm vdo indexer: don't read request structure after enqueuing Maíra Canal (1): drm/etnaviv: Protect the scheduler's pending list with its lock Michael Grzeschik (2): usb: dwc2: also exit clock_gating when stopping udc while suspended usb: typec: mux: do not return on EOPNOTSUPP in {mux, switch}_set Michael Strauss (2): drm/amd/display: Add early 8b/10b channel equalization test pattern sequence drm/amd/display: Get LTTPR IEEE OUI/Device ID From Closest LTTPR To Host Michal Wajdeczko (2): drm/xe/guc: Explicitly exit CT safe mode on unwind drm/xe: Process deferred GGTT node removals on device unwind Muna Sinada (2): wifi: mac80211: Add link iteration macro for link data wifi: mac80211: Create separate links for VLAN interfaces Nam Cao (2): Revert "riscv: Define TASK_SIZE_MAX for __access_ok()" Revert "riscv: misaligned: fix sleeping function called during misaligned access handling" Namjae Jeon (2): ksmbd: allow a filename to contain special characters on SMB3.1.1 posix extension ksmbd: provide zero as a unique ID to the Mac client Nathan Chancellor (1): staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() Nicholas Kazlauskas (1): drm/amd/display: Add more checks for DSC / HUBP ONO guarantees Nikhil Jha (1): sunrpc: don't immediately retransmit on seqno miss Niklas Cassel (1): ata: ahci: Use correct DMI identifier for ASUSPRO-D840SA LPM quirk Olga Kornievskaia (1): NFSv4.2: fix listxattr to return selinux security label Oliver Schramm (1): ASoC: amd: yc: Add DMI quirk for Lenovo IdeaPad Slim 5 15 Pali Rohár (3): cifs: Correctly set SMB1 SessionKey field in Session Setup Request cifs: Fix cifs_query_path_info() for Windows NT servers cifs: Fix encoding of SMB1 Session Setup NTLMSSP Request in non-UNICODE mode Paulo Alcantara (2): smb: client: fix regression with native SMB symlinks smb: client: fix potential deadlock when reconnecting channels Pavel Begunkov (7): io_uring/zcrx: move io_zcrx_iov_page io_uring/zcrx: improve area validation io_uring/zcrx: split out memory holders from area io_uring/zcrx: fix area release on registration failure io_uring/rsrc: fix folio unpinning io_uring/rsrc: don't rely on user vaddr alignment io_uring: don't assume uaddr alignment in io_vec_fill_bvec Peichen Huang (1): drm/amd/display: Add dc cap for dp tunneling Peng Fan (2): mailbox: Not protect module_put with spin_lock_irqsave ASoC: codec: wcd9335: Convert to GPIO descriptors Peter Korsgaard (1): usb: gadget: f_hid: wake up readers on disable/unbind Philip Yang (1): drm/amdgpu: seq64 memory unmap uses uninterruptible lock Purva Yeshi (1): iio: adc: ad_sigma_delta: Fix use of uninitialized status_pos Qasim Ijaz (4): HID: appletb-kbd: fix "appletb_backlight" backlight device reference counting HID: wacom: fix memory leak on kobject creation failure HID: wacom: fix memory leak on sysfs attribute creation failure HID: wacom: fix kobject reference count leak Qiu-ji Chen (1): drm/tegra: Fix a possible null pointer dereference Qu Wenruo (1): btrfs: handle csum tree error with rescue=ibadroots correctly Rengarajan S (1): 8250: microchip: pci1xxxx: Add PCIe Hot reset disable support for Rev C0 and later devices Ricardo Ribalda (4): media: uvcvideo: Keep streaming state in the file handle media: uvcvideo: Create uvc_pm_(get|put) functions media: uvcvideo: Increase/decrease the PM counter per IOCTL media: uvcvideo: Rollback non processed entities on error Richard Zhu (1): PCI: imx6: Add workaround for errata ERR051624 Robert Hodaszi (1): usb: cdc-wdm: avoid setting WDM_READ for ZLP-s Robert Richter (1): cxl/region: Add a dev_err() on missing target list entries Rudraksha Gupta (1): rust: arm: fix unknown (to Clang) argument '-mno-fdpic' Sagi Grimberg (1): NFSv4.2: fix setattr caching of TIME_[MODIFY|ACCESS]_SET when timestamps are delegated Salvatore Bonaccorso (1): ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR Sami Tolvanen (1): um: Add cmpxchg8b_emu and checksum functions to asm-prototypes.h Sasha Levin (3): arm64: dts: qcom: x1e78100-t14s: mark l12b and l15b always-on arm64: dts: qcom: x1e78100-t14s: fix missing HID supplies sched_ext: Make scx_group_set_weight() always update tg->scx.weight Scott Mayhew (1): NFSv4: xattr handlers should check for absent nfs filehandles SeongJae Park (1): mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write Shuming Fan (1): ASoC: rt1320: fix speaker noise when volume bar is 100% Simon Horman (1): net: enetc: Correct endianness handling in _enetc_rd_reg64 Sonny Jiang (1): drm/amdgpu: VCN v5_0_1 to prevent FW checking RB during DPG pause Stefan Metzmacher (1): smb: client: remove \t from TP_printk statements Stefano Garzarella (1): vsock/uapi: fix linux/vm_sockets.h userspace compilation errors Stephan Gerhold (2): drm/msm/gpu: Fix crash when throttling GPU immediately during boot arm64: dts: qcom: x1-crd: Fix vreg_l2j_1p2 voltage Stephen Smalley (1): selinux: change security_compute_sid to return the ssid or tsid on match Sven Schwermer (1): leds: multicolor: Fix intensity setting while SW blinking Takashi Iwai (1): drm/amd/display: Add sanity checks for drm_edid_raw() Thierry Reding (1): drm/tegra: Assign plane type before registration Thomas Fourier (2): scsi: fnic: Fix missing DMA mapping error in fnic_send_frame() ethernet: ionic: Fix DMA mapping tests Thomas Gessler (1): dmaengine: xilinx_dma: Set dma_device directions Thomas Zeitlhofer (1): HID: wacom: fix crash in wacom_aes_battery_handler() Thomas Zimmermann (4): drm/ast: Fix comment on modeset lock drm/cirrus-qemu: Fix pitch programming drm/simpledrm: Do not upcast in release helpers drm/udl: Unregister device before cleaning up on disconnect Tiwei Bie (1): um: ubd: Add missing error check in start_io_thread() Vijendar Mukunda (2): ALSA: hda: Add new pci id for AMD GPU display HD audio controller ASoC: amd: ps: fix for soundwire failures during hibernation exit sequence Ville Syrjälä (2): drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1 drm/i915/dsi: Fix off by one in BXT_MIPI_TRANS_VTOTAL Wenbin Yao (1): PCI: dwc: Make link training more robust by setting PORT_LOGIC_LINK_WIDTH to one lane Wentao Liang (1): drm/amd/display: Add null pointer check for get_first_active_display() Wolfram Sang (3): i2c: tiny-usb: disable zero-length read messages i2c: robotfuzz-osif: disable zero-length read messages drm/bridge: ti-sn65dsi86: make use of debugfs_init callback Xin Li (Intel) (1): x86/traps: Initialize DR6 by writing its architectural reset value Yan Zhai (1): bnxt: properly flush XDP redirect lists Yao Zi (1): dt-bindings: serial: 8250: Make clocks and clock-frequency exclusive Yi Sun (1): dmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using Yifan Zhang (1): amd/amdkfd: fix a kfd_process ref leak Yihan Zhu (1): drm/amd/display: Fix RMCM programming seq errors Yikai Tsai (1): hwmon: (isl28022) Fix current reading calculation Youngjun Lee (1): ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() Yu Kuai (2): md/md-bitmap: fix dm-raid max_write_behind setting lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly() Yuan Chen (1): libbpf: Fix null pointer dereference in btf_dump__free on allocation failure Zhang Lixu (1): iio: hid-sensor-prox: Add support for 16-bit report size Zhongwei Zhang (1): drm/amd/display: Correct non-OLED pre_T11_delay. Ziqi Chen (1): scsi: ufs: core: Don't perform UFS clkscaling during host async scan anvithdosapati (1): scsi: ufs: core: Fix clk scaling to be conditional in reset and restore

4 months, 2 weeks

4
5
0 0

[PATCH v8 0/5] media: uvcvideo: Introduce V4L2_META_FMT_UVC_MSXU_1_5 + other meta fixes

by Ricardo Ribalda

This series introduces a new metadata format for UVC cameras and adds a couple of improvements to the UVC metadata handling. The new metadata format can be enabled in runtime with quirks. Signed-off-by: Ricardo Ribalda <ribalda(a)chromium.org> --- Changes in v8: - Dynamically fill dev->meta_formats instead of be const. - Link to v7: https://lore.kernel.org/r/20250617-uvc-meta-v7-0-9c50623e2286@chromium.org Changes in v7: - Add patch: Introduce dev->meta_formats - Link to v6: https://lore.kernel.org/r/20250604-uvc-meta-v6-0-7141d48c322c@chromium.org Changes in v6 (Thanks Laurent): - Fix typo in metafmt-uvc.rst - Improve metafmt-uvc-msxu-1-5.rst - uvc_meta_v4l2_try_format() block MSXU format unless the quirk is active - Refactor uvc_enable_msxu - Document uvc_meta_detect_msxu - Rebase series - Add R-b - Link to v5: https://lore.kernel.org/r/20250404-uvc-meta-v5-0-f79974fc2d20@chromium.org Changes in v5: - Fix codestyle and kerneldoc warnings reported by media-ci - Link to v4: https://lore.kernel.org/r/20250403-uvc-meta-v4-0-877aa6475975@chromium.org Changes in v4: - Rename format to V4L2_META_FMT_UVC_MSXU_1_5 (Thanks Mauro) - Flag the new format with a quirk. - Autodetect MSXU devices. - Link to v3: https://lore.kernel.org/linux-media/20250313-uvc-metadata-v3-0-c467af869c60… Changes in v3: - Fix doc syntax errors. - Link to v2: https://lore.kernel.org/r/20250306-uvc-metadata-v2-0-7e939857cad5@chromium.… Changes in v2: - Add metadata invalid fix - Move doc note to a separate patch - Introduce V4L2_META_FMT_UVC_CUSTOM (thanks HdG!). - Link to v1: https://lore.kernel.org/r/20250226-uvc-metadata-v1-1-6cd6fe5ec2cb@chromium.… --- Ricardo Ribalda (5): media: uvcvideo: Do not mark valid metadata as invalid media: Documentation: Add note about UVCH length field media: uvcvideo: Introduce dev->meta_formats media: uvcvideo: Introduce V4L2_META_FMT_UVC_MSXU_1_5 media: uvcvideo: Auto-set UVC_QUIRK_MSXU_META .../userspace-api/media/v4l/meta-formats.rst | 1 + .../media/v4l/metafmt-uvc-msxu-1-5.rst | 23 +++++ .../userspace-api/media/v4l/metafmt-uvc.rst | 4 +- MAINTAINERS | 1 + drivers/media/usb/uvc/uvc_driver.c | 7 ++ drivers/media/usb/uvc/uvc_metadata.c | 115 +++++++++++++++++++-- drivers/media/usb/uvc/uvc_video.c | 12 +-- drivers/media/usb/uvc/uvcvideo.h | 7 ++ drivers/media/v4l2-core/v4l2-ioctl.c | 1 + include/linux/usb/uvc.h | 3 + include/uapi/linux/videodev2.h | 1 + 11 files changed, 161 insertions(+), 14 deletions(-) --- base-commit: a8598c7de1bcd94461ca54c972efa9b4ea501fb9 change-id: 20250403-uvc-meta-e556773d12ae Best regards, -- Ricardo Ribalda <ribalda(a)chromium.org>

4 months, 2 weeks

2
2
0 0

[PATCH 6.12 000/413] 6.12.35-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.35 release. There are 413 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 26 Jun 2025 12:13:28 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.35-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.35-rc2 Martin KaFai Lau <martin.lau(a)kernel.org> bpftool: Fix cgroup command to only show cgroup bpf programs Pali Rohár <pali(a)kernel.org> cifs: Remove duplicate fattr->cf_dtype assignment from wsl_to_fattr() function David Thompson <davthompson(a)nvidia.com> gpio: mlxbf3: only get IRQ for device instance 0 Ian Rogers <irogers(a)google.com> perf test: Directory file descriptor leak Ian Rogers <irogers(a)google.com> perf evsel: Missed close() when probing hybrid core PMUs Sascha Hauer <s.hauer(a)pengutronix.de> gpio: pca953x: fix wrong error probe return value Anup Patel <apatel(a)ventanamicro.com> RISC-V: KVM: Don't treat SBI HFENCE calls as NOPs Anup Patel <apatel(a)ventanamicro.com> RISC-V: KVM: Fix the size parameter check in SBI SFENCE calls Vitaliy Shevtsov <v.shevtsov(a)mt-integration.ru> scsi: elx: efct: Fix memory leak in efct_hw_parse_filter() Tengda Wu <wutengda(a)huaweicloud.com> arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth() Luo Gengkun <luogengkun(a)huaweicloud.com> perf/core: Fix WARN in perf_cgroup_switch() Peter Zijlstra <peterz(a)infradead.org> perf: Fix cgroup state vs ERROR Peter Zijlstra <peterz(a)infradead.org> perf: Fix sample vs do_exit() Heiko Carstens <hca(a)linux.ibm.com> s390/pci: Fix __pcilg_mio_inuser() inline assembly Stefan Metzmacher <metze(a)samba.org> smb: client: fix max_sge overflow in smb_extract_folioq_to_rdma() zhangjian <zhangjian496(a)huawei.com> smb: client: fix first command failure during re-negotiation Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> serial: sh-sci: Increment the runtime usage counter for the earlycon device Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> serial: sh-sci: Clean sci_ports[0] after at earlycon exit Paul Aurich <paul(a)darkrain42.org> smb: Log an error when close_all_cached_dirs fails Akhil R <akhilrajeev(a)nvidia.com> dt-bindings: i2c: nvidia,tegra20-i2c: Specify the required properties Avadhut Naik <avadhut.naik(a)amd.com> EDAC/amd64: Correct number of UMCs for family 19h models 70h-7fh Eric Dumazet <edumazet(a)google.com> net: atm: fix /proc/net/atm/lec handling Eric Dumazet <edumazet(a)google.com> net: atm: add lec_mutex David Thompson <davthompson(a)nvidia.com> mlxbf_gige: return EPROBE_DEFER if PHY IRQ is not available Kuniyuki Iwashima <kuniyu(a)google.com> calipso: Fix null-ptr-deref in calipso_req_{set,del}attr(). Vinay Belgaumkar <vinay.belgaumkar(a)intel.com> drm/xe/bmg: Update Wa_16023588340 Himal Prasad Ghimiray <himal.prasad.ghimiray(a)intel.com> drm/xe/gt: Update handling of xe_force_wake_get return Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> drm/xe: Wire up device shutdown handler Ronnie Sahlberg <rsahlberg(a)whamcloud.com> ublk: santizize the arguments from userspace when adding a device Alexey Kodanev <aleksei.kodanev(a)bell-sw.com> net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get() Jakub Kicinski <kuba(a)kernel.org> eth: fbnic: avoid double free when failing to DMA-map FW msg David Wei <dw(a)davidwei.uk> tcp: fix passive TFO socket having invalid NAPI ID Haixia Qu <hxqu(a)hillstonenet.com> tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer Neal Cardwell <ncardwell(a)google.com> tcp: fix tcp_packet_delayed() for tcp_is_non_sack_preventing_reopen() behavior Kuniyuki Iwashima <kuniyu(a)google.com> atm: atmtcp: Free invalid length skb in atmtcp_c_send(). Kuniyuki Iwashima <kuniyu(a)google.com> mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). Dmitry Antipov <dmantipov(a)yandex.ru> wifi: carl9170: do not ping device which has failed to load firmware Vladimir Oltean <vladimir.oltean(a)nxp.com> ptp: allow reading of currently dialed frequency to succeed on free-running clocks Vladimir Oltean <vladimir.oltean(a)nxp.com> ptp: fix breakage after ptp_vclock_in_use() rework Pavan Chebbi <pavan.chebbi(a)broadcom.com> bnxt_en: Update MRU and RSS table of RSS contexts on queue reset Pavan Chebbi <pavan.chebbi(a)broadcom.com> bnxt_en: Add a helper function to configure MRU and RSS Taehee Yoo <ap420073(a)gmail.com> eth: bnxt: fix out-of-range access of vnic_info array Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> bnxt_en: Fix double invocation of bnxt_ulp_stop()/bnxt_ulp_start() Mina Almasry <almasrymina(a)google.com> net: netmem: fix skb_ensure_writable with unreadable skbs Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: add free_transport ops in ksmbd connection Chuyi Zhou <zhouchuyi(a)bytedance.com> workqueue: Initialize wq_isolated_cpumask in workqueue_init_early() Vitaly Lifshits <vitaly.lifshits(a)intel.com> e1000e: set fixed clock frequency indication for Nahum 11 and Nahum 13 Grzegorz Nitka <grzegorz.nitka(a)intel.com> ice: fix eswitch code memory leak in reset scenario Krishna Kumar <krikku(a)gmail.com> net: ice: Perform accurate aRFS flow match Jens Axboe <axboe(a)kernel.dk> io_uring/sqpoll: don't put task_struct on tctx setup failure Justin Sanders <jsanders.devel(a)gmail.com> aoe: clean device rq_list in aoedev_downdev() Simon Horman <horms(a)kernel.org> pldmfw: Select CRC32 when PLDMFW is selected Nuno Sá <nuno.sa(a)analog.com> hwmon: (ltc4282) avoid repeated register write Arnd Bergmann <arnd(a)arndb.de> hwmon: (occ) fix unaligned accesses Arnd Bergmann <arnd(a)arndb.de> hwmon: (occ) Rework attribute registration for stack usage Tzung-Bi Shih <tzungbi(a)kernel.org> drm/i915/pmu: Fix build error with GCOV and AutoFDO enabled Jacob Keller <jacob.e.keller(a)intel.com> drm/nouveau/bl: increase buffer size to avoid truncate warning Brett Creeley <brett.creeley(a)amd.com> ionic: Prevent driver/fw getting out of sync on devcmd(s) John Keeping <jkeeping(a)inmusicbrands.com> drm/ssd130x: fix ssd132x_clear_screen() columns Connor Abbott <cwabbott0(a)gmail.com> drm/msm/a7xx: Call CP_RESET_CONTEXT_STATE Connor Abbott <cwabbott0(a)gmail.com> drm/msm: Fix CP_RESET_CONTEXT_STATE bitfield names Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate James A. MacInnes <james.a.macinnes(a)gmail.com> drm/msm/disp: Correct porch timing for SDM845 Bharath SM <bharathsm(a)microsoft.com> smb: fix secondary channel creation issue with kerberos by populating hostname when adding channels Willem de Bruijn <willemb(a)google.com> ipv6: replace ipcm6_init calls with ipcm6_init_sk Willem de Bruijn <willemb(a)google.com> ipv6: remove leftover ip6 cookie initializer Nathan Chancellor <nathan(a)kernel.org> x86/tools: Drop duplicate unlikely() definition in insn_decoder_test.c Sergio González Collado <sergio.collado(a)gmail.com> Kunit to check the longest symbol length Maíra Canal <mcanal(a)igalia.com> drm/v3d: Avoid NULL pointer dereference in `v3d_job_update_stats()` Jeff Layton <jlayton(a)kernel.org> sunrpc: handle SVC_GARBAGE during svc auth processing as auth error Jeff Layton <jlayton(a)kernel.org> nfsd: use threads array as-is in netlink interface Gao Xiang <xiang(a)kernel.org> erofs: remove unused trace event erofs_destroy_inode Paul Chaignon <paul.chaignon(a)gmail.com> bpf: Fix L4 csum update on IPv6 in CHECKSUM_COMPLETE Paul Chaignon <paul.chaignon(a)gmail.com> net: Fix checksum update for ILA adj-transport Gary Guo <gary(a)garyguo.net> rust: compile libcore with edition 2024 for 1.87+ Miguel Ojeda <ojeda(a)kernel.org> kbuild: rust: add rustc-min-version support function David (Ming Qiang) Wu <David.Wu3(a)amd.com> drm/amdgpu: read back register after written for VCN v4.0.5 Jann Horn <jannh(a)google.com> mm/hugetlb: unshare page tables during VMA split, not before Sean Nyekjaer <sean(a)geanix.com> iio: accel: fxls8962af: Fix temperature calculation Richard Fitzgerald <rf(a)opensource.cirrus.com> ALSA: hda/realtek: Add quirk for Asus GU605C Chris Chiu <chris.chiu(a)canonical.com> ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X513EA Jonathan Lane <jon(a)borg.moe> ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged Edip Hazuri <edip(a)medip.dev> ALSA: hda/realtek - Add mute LED support for HP Victus 16-s1xxx and HP Victus 15-fa1xxx Takashi Iwai <tiwai(a)suse.de> ALSA: hda/intel: Add Thinkpad E15 to PM deny list wangdicheng <wangdicheng(a)kylinos.cn> ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound card Dev Jain <dev.jain(a)arm.com> arm64: Restrict pagetable teardown to avoid false warning Edward Adam Davis <eadavis(a)qq.com> wifi: cfg80211: init wiphy_work before allocating rfkill fails Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> wifi: ath12k: Clear affinity hint before calling ath12k_pci_free_irq() in error path WangYuli <wangyuli(a)uniontech.com> Input: sparcspkr - avoid unannotated fall-through Dhananjay Ugwekar <dhananjay.ugwekar(a)amd.com> cpufreq/amd-pstate: Add missing NULL ptr check in amd_pstate_update Ping-Ke Shih <pkshih(a)realtek.com> wifi: rtw89: phy: add dummy C2H event handler for report of TAS power Kuniyuki Iwashima <kuniyu(a)google.com> atm: Revert atm_account_tx() if copy_from_iter_full() fails. Tejun Heo <tj(a)kernel.org> sched_ext, sched/core: Don't call scx_group_set_weight() prematurely from sched_create_group() Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> platform/x86/intel-uncore-freq: Fail module load when plat_info is NULL Stephen Smalley <stephen.smalley.work(a)gmail.com> selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len Rong Zhang <i(a)rong.moe> platform/x86: ideapad-laptop: use usleep_range() for EC polling Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix null pointer dereference in destroy_previous_session Xin Li (Intel) <xin(a)zytor.com> selftests/x86: Add a test to detect infinite SIGTRAP handler loop Kai Huang <kai.huang(a)intel.com> x86/virt/tdx: Avoid indirect calls to TDX assembly functions Marek Szyprowski <m.szyprowski(a)samsung.com> udmabuf: use sgtable-based scatterlist wrappers Ryan Roberts <ryan.roberts(a)arm.com> mm: close theoretical race where stale TLB entries could linger Jakub Kicinski <kuba(a)kernel.org> net: clear the dst when changing skb protocol Eric Dumazet <edumazet(a)google.com> net_sched: sch_sfq: reject invalid perturb period Jens Axboe <axboe(a)kernel.dk> nvme: always punt polled uring_cmd end_io work to task_work Peter Oberparleiter <oberpar(a)linux.ibm.com> scsi: s390: zfcp: Ensure synchronous unit_add Dexuan Cui <decui(a)microsoft.com> scsi: storvsc: Increase the timeouts to storvsc_timeout Bharath SM <bharathsm.hsk(a)gmail.com> smb: improve directory cache reuse for readdir operations Shyam Prasad N <sprasad(a)microsoft.com> cifs: do not disable interface polling on failure Shyam Prasad N <sprasad(a)microsoft.com> cifs: serialize other channels when query server interfaces is pending Shyam Prasad N <sprasad(a)microsoft.com> cifs: deal with the channel loading lag while picking channels Fedor Pchelkin <pchelkin(a)ispras.ru> jffs2: check jffs2_prealloc_raw_node_refs() result in few other places Artem Sadovnikov <a.sadovnikov(a)ispras.ru> jffs2: check that raw node were preallocated before writing summary Tianyang Zhang <zhangtianyang(a)loongson.cn> LoongArch: Fix panic caused by NULL-PMD in huge_pte_offset() Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Avoid using $r0/$r1 as "mask" for csrxchg Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> LoongArch: vDSO: Correctly use asm parameters in syscall wrappers Yao Zi <ziyao(a)disroot.org> platform/loongarch: laptop: Add backlight power control support Yao Zi <ziyao(a)disroot.org> platform/loongarch: laptop: Unregister generic_sub_drivers on exit Yao Zi <ziyao(a)disroot.org> platform/loongarch: laptop: Get brightness setting from EC on probe Andrew Morton <akpm(a)linux-foundation.org> drivers/rapidio/rio_cm.c: prevent possible heap overwrite Penglei Jiang <superman.xpt(a)gmail.com> io_uring: fix task leak issue in io_wq_create() Jens Axboe <axboe(a)kernel.dk> io_uring/kbuf: don't truncate end buffer for multiple buffer peeks Narayana Murty N <nnmlinux(a)linux.ibm.com> powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/vdso: Fix build of VDSO32 with pcrel Stuart Hayes <stuart.w.hayes(a)gmail.com> platform/x86: dell_rbu: Stop overwriting data buffer Stuart Hayes <stuart.w.hayes(a)gmail.com> platform/x86: dell_rbu: Fix list usage Mario Limonciello <mario.limonciello(a)amd.com> platform/x86/amd: pmf: Prevent amd_pmf_tee_deinit() from running twice Mario Limonciello <mario.limonciello(a)amd.com> platform/x86/amd: pmc: Clear metrics table at start of cycle Stephen Smalley <stephen.smalley.work(a)gmail.com> fs/xattr.c: fix simple_xattr_list() Alexander Sverdlin <alexander.sverdlin(a)siemens.com> Revert "bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first" Jann Horn <jannh(a)google.com> tee: Prevent size calculation wraparound on 32-bit kernels Sukrut Bellary <sbellary(a)baylibre.com> ARM: OMAP2+: Fix l4ls clk domain handling in STANDBY Laurentiu Tudor <laurentiu.tudor(a)nxp.com> bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value Marcus Folkesson <marcus.folkesson(a)gmail.com> watchdog: da9052_wdt: respect TWDMIN Kees Cook <kees(a)kernel.org> fbcon: Make sure modelist not set on unregistered console Vlad Dogaru <vdogaru(a)nvidia.com> net/mlx5: HWS, Harden IP version definer checks Suraj P Kizhakkethil <quic_surapk(a)quicinc.com> wifi: ath12k: Pass correct values of center freq1 and center freq2 for 160 MHz Balamurugan S <quic_bselvara(a)quicinc.com> wifi: ath12k: fix incorrect CE addresses Hari Chandrakanthan <quic_haric(a)quicinc.com> wifi: ath12k: fix link valid field initialization in the monitor Rx Baochen Qiang <quic_bqiang(a)quicinc.com> wifi: ath11k: determine PM policy based on machine model Wentao Liang <vulab(a)iscas.ac.cn> octeontx2-pf: Add error log forcn10k_map_unmap_rq_policer() Linus Walleij <linus.walleij(a)linaro.org> net: ethernet: cortina: Use TOE/TSO on all TCP Jiayuan Chen <jiayuan.chen(a)linux.dev> bpf, sockmap: Fix data lost during EAGAIN retries Chao Yu <chao(a)kernel.org> f2fs: fix to set atomic write status more clear Krzysztof Hałasa <khalasa(a)piap.pl> usbnet: asix AX88772: leave the carrier control to phylink Mateusz Pacuszka <mateuszx.pacuszka(a)intel.com> ice: fix check for existing switch rule Chen Linxuan <chenlinxuan(a)uniontech.com> RDMA/hns: initialize db in update_srq_db() Rand Deeb <rand.sec96(a)gmail.com> ixgbe: Fix unreachable retry logic in combined and byte I2C write functions Kyungwook Boo <bookyungwook(a)gmail.com> i40e: fix MMIO write access to an invalid page in i40e_clear_hw Zijun Hu <quic_zijuhu(a)quicinc.com> sock: Correct error checking condition for (assign|release)_proto_idx() Daniel Wagner <wagi(a)kernel.org> scsi: lpfc: Use memcpy() for BIOS version Aditya Kumar Singh <aditya.kumar.singh(a)oss.qualcomm.com> wifi: ath12k: fix failed to set mhi state error during reboot with hardware grouping Mike Looijmans <mike.looijmans(a)topic.nl> pinctrl: mcp23s08: Reset all pins to input at probe Jonas 'Sortie' Termansen <sortie(a)maxsi.org> isofs: fix Y2038 and Y2156 issues in Rock Ridge TF entry Zijun Hu <quic_zijuhu(a)quicinc.com> software node: Correct a OOB check in software_node_get_reference_args() Michael Walle <mwalle(a)kernel.org> net: ethernet: ti: am65-cpsw: handle -EPROBE_DEFER Sarika Sharma <quic_sarishar(a)quicinc.com> wifi: ath12k: using msdu end descriptor to check for rx multicast packets Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> bnxt_en: Remove unused field "ref_count" in struct bnxt_ulp Ido Schimmel <idosch(a)nvidia.com> vxlan: Do not treat dst cache initialization errors as fatal Yong Wang <yongwang(a)nvidia.com> net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions Yong Wang <yongwang(a)nvidia.com> net: bridge: mcast: update multicast contex when vlan state is changed Víctor Gonzalo <victor.gonzalo(a)anddroptable.net> wifi: iwlwifi: Add missing MODULE_FIRMWARE for Qu-c0-jf-b0 Toke Høiland-Jørgensen <toke(a)toke.dk> Revert "mac80211: Dynamically set CoDel parameters per station" Muna Sinada <muna.sinada(a)oss.qualcomm.com> wifi: mac80211: VLAN traffic in multicast path Shung-Hsi Yu <shung-hsi.yu(a)suse.com> bpf: Use proper type to calculate bpf_raw_tp_null_args.mask index Vlad Dogaru <vdogaru(a)nvidia.com> net/mlx5: HWS, Fix IP version decision Joe Damato <jdamato(a)fastly.com> netdevsim: Mark NAPI ID on skb in nsim_rcv Edward Adam Davis <eadavis(a)qq.com> wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled Kuan-Chung Chen <damon.chen(a)realtek.com> wifi: rtw89: 8922a: fix TX fail with wrong VCO setting Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: iwlwifi: pcie: make sure to lock rxq->read Sean Christopherson <seanjc(a)google.com> iommu/amd: Ensure GA log notifier callbacks finish running before module unload David Strahan <david.strahan(a)microchip.com> scsi: smartpqi: Add new PCI IDs Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands Alan Maguire <alan.maguire(a)oracle.com> libbpf: Add identical pointer detection to btf_dedup_is_equiv() Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX Chao Yu <chao(a)kernel.org> f2fs: fix to bail out in get_new_segment() Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: mvm: fix beacon CCK flag Luke D. Jones <luke(a)ljones.dev> hid-asus: check ROG Ally MCU version and warn Heiko Stuebner <heiko(a)sntech.de> clk: rockchip: rk3036: mark ddrphy as critical Benjamin Berg <benjamin(a)sipsolutions.net> wifi: mac80211: do not offer a mesh path if forwarding is disabled Salah Triki <salah.triki(a)gmail.com> wireless: purelifi: plfxlc: fix memory leak in plfxlc_usb_wreq_asyn() Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Return code for mse102x_rx_pkt_spi Jason Xing <kernelxing(a)tencent.com> net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() Mykyta Yatsenko <yatsenko(a)meta.com> libbpf: Check bpf_map_skeleton link for NULL Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() Jason Xing <kernelxing(a)tencent.com> net: stmmac: generate software timestamp just before the doorbell Ilya Leoshkevich <iii(a)linux.ibm.com> bpf: Pass the same orig_call value to trampoline functions Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() Jason Xing <kernelxing(a)tencent.com> net: atlantic: generate software timestamp just before the doorbell Leon Romanovsky <leon(a)kernel.org> xfrm: validate assignment of maximal possible SEQ number Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> net: page_pool: Don't recycle into cache on PREEMPT_RT Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT Andrew Zaborowski <andrew.zaborowski(a)intel.com> x86/sgx: Prevent attempts to reclaim poisoned pages Eric Dumazet <edumazet(a)google.com> tcp: add receive queue awareness in tcp_rcv_space_adjust() Eric Dumazet <edumazet(a)google.com> tcp: fix initial tp->rcvq_space.space value for passive TS enabled flows Eric Dumazet <edumazet(a)google.com> tcp: remove zero TCP TS samples for autotuning Eric Dumazet <edumazet(a)google.com> tcp: always seek for minimal rtt in tcp_rcv_rtt_update() Dian-Syuan Yang <dian_syuan0116(a)realtek.com> wifi: rtw89: leave idle mode when setting WEP encryption for AP mode Mario Limonciello <mario.limonciello(a)amd.com> iommu/amd: Allow matching ACPI HID devices without matching UIDs Muhammad Usama Anjum <usama.anjum(a)collabora.com> wifi: ath11k: Fix QMI memory reuse logic Baochen Qiang <quic_bqiang(a)quicinc.com> wifi: ath12k: fix a possible dead lock caused by ab->base_lock Kang Yang <kang.yang(a)oss.qualcomm.com> wifi: ath12k: fix macro definition HAL_RX_MSDU_PKT_LENGTH_GET Moon Yeounsu <yyyynoom(a)gmail.com> net: dlink: add synchronization for stats update Taniya Das <quic_tdas(a)quicinc.com> clk: qcom: gcc-x1e80100: Set FORCE MEM CORE for UFS clocks Tali Perry <tali.perry1(a)gmail.com> i2c: npcm: Add clock toggle recovery Akhil R <akhilrajeev(a)nvidia.com> i2c: tegra: check msg length in SMBUS block read Mike Tipton <quic_mdtipton(a)quicinc.com> cpufreq: scmi: Skip SCMI devices that aren't used by the CPUs Alan Maguire <alan.maguire(a)oracle.com> libbpf/btf: Fix string handling to support multi-split BTF Petr Malat <oss(a)malat.biz> sctp: Do not wake readers in __sctp_write_space() Aditya Kumar Singh <aditya.kumar.singh(a)oss.qualcomm.com> wifi: mac80211: validate SCAN_FLAG_AP in scan request during MLO Leon Yen <leon.yen(a)mediatek.com> wifi: mt76: mt7925: introduce thermal protection Samuel Williams <sam8641(a)gmail.com> wifi: mt76: mt7921: add 160 MHz AP for mt7922 device Henk Vergonet <henk.vergonet(a)gmail.com> wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R Jiande Lu <jiande.lu(a)mediatek.com> Bluetooth: btusb: Add new VID/PID 13d3/3630 for MT7925 Alok Tiwari <alok.a.tiwari(a)oracle.com> emulex/benet: correct command version selection in be_cmd_get_stats() Benjamin Lin <benjamin-jw.lin(a)mediatek.com> wifi: mt76: mt7996: drop fragments with multicast or broadcast RA Tan En De <ende.tan(a)starfivetech.com> i2c: designware: Invoke runtime suspend on quick slave re-registration Liwei Sun <sunliweis(a)126.com> Bluetooth: btusb: Add new VID/PID 13d3/3584 for MT7922 Hou Tao <houtao1(a)huawei.com> bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem() Chao Yu <chao(a)kernel.org> f2fs: use vmalloc instead of kvmalloc in .init_{,de}compress_ctx Zilin Guan <zilin(a)seu.edu.cn> tipc: use kfree_sensitive() for aead cleanup Rengarajan S <rengarajan.s(a)microchip.com> net: lan743x: Modify the EEPROM and OTP size for PCI1xxxx devices Sergio Perez Gonzalez <sperezglz(a)gmail.com> net: macb: Check return value of dma_set_mask_and_coherent() Peter Marheine <pmarheine(a)chromium.org> ACPI: battery: negate current when discharging Svyatoslav Ryhel <clamor95(a)gmail.com> power: supply: max17040: adjust thermal channel scaling Charan Teja Kalla <quic_charante(a)quicinc.com> PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() Peng Fan <peng.fan(a)nxp.com> gpiolib: of: Add polarity quirk for s5m8767 Linus Torvalds <torvalds(a)linux-foundation.org> Make 'cc-option' work correctly for the -Wno-xyzzy pattern Yuanjun Gong <ruc_gongyuanjun(a)163.com> ASoC: tegra210_ahub: Add check to of_device_get_match_data() Frank Li <Frank.Li(a)nxp.com> platform-msi: Add msi_remove_device_irq_domain() in platform_device_msi_free_irqs_all() gldrk <me(a)rarity.fan> ACPICA: utilities: Fix overflow check in vsnprintf() Ulf Hansson <ulf.hansson(a)linaro.org> pmdomain: core: Reset genpd->states to avoid freeing invalid data Jerry Lv <Jerry.Lv(a)axis.com> power: supply: bq27xxx: Retrieve again when busy Stefan Binding <sbinding(a)opensource.cirrus.com> ALSA: hda: cs35l41: Fix swapped l/r audio channels for Acer Helios laptops Tamir Duberstein <tamird(a)gmail.com> ACPICA: Apply pack(1) to union aml_resource Seunghun Han <kkamagui(a)gmail.com> ACPICA: fix acpi parse and parseext cache leaks Mario Limonciello <mario.limonciello(a)amd.com> ACPI: Add missing prototype for non CONFIG_SUSPEND/CONFIG_X86 case Armin Wolf <W_Armin(a)gmx.de> ACPI: bus: Bail out if acpi_kobj registration fails I Hsin Cheng <richard120310(a)gmail.com> ASoC: intel/sdw_utils: Assign initial value in asoc_sdw_rt_amp_spk_rtd_init() Hector Martin <marcan(a)marcan.st> ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change Ahmed Salem <x0rw3ll(a)gmail.com> ACPICA: Avoid sequence overread in call to strncmp() Erick Shepherd <erick.shepherd(a)ni.com> mmc: Add quirk to disable DDR50 tuning Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> power: supply: collie: Fix wakeup source leaks on device unbind Guilherme G. Piccoli <gpiccoli(a)igalia.com> clocksource: Fix the CPUs' choice in the watchdog per CPU verification Talhah Peerbhai <talhah.peerbhai(a)gmail.com> ASoC: amd: yc: Add quirk for Lenovo Yoga Pro 7 14ASP9 Seunghun Han <kkamagui(a)gmail.com> ACPICA: fix acpi operand cache leak in dswstate.c David Lechner <dlechner(a)baylibre.com> iio: adc: ad7606_spi: fix reg write value mask Arthur-Prince <r2.arthur.prince(a)gmail.com> iio: adc: ti-ads1298: Kconfig: add kfifo dependency to fix module build David Lechner <dlechner(a)baylibre.com> iio: adc: ad7944: mask high bits on direct read Sean Nyekjaer <sean(a)geanix.com> iio: imu: inv_icm42600: Fix temperature calculation Jann Horn <jannh(a)google.com> mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race Thomas Zimmermann <tzimmermann(a)suse.de> dummycon: Trigger redraw when switching consoles with deferred takeover Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> accel/ivpu: Fix warning in ivpu_gem_bo_free() Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> accel/ivpu: Use dma_resv_lock() instead of a custom mutex Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> accel/ivpu: Use firmware names from upstream repo Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> accel/ivpu: Improve buffer object logging Sean Nyekjaer <sean(a)geanix.com> iio: accel: fxls8962af: Fix temperature scan element sign Diederik de Haas <didi.debian(a)cknow.org> PCI: dw-rockchip: Fix PHY function call sequence in rockchip_pcie_phy_deinit() Shawn Lin <shawn.lin(a)rock-chips.com> PCI: dw-rockchip: Remove PCIE_L0S_ENTRY check from rockchip_pcie_link_up() Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> PCI: Fix lock symmetry in pci_slot_unlock() Huacai Chen <chenhuacai(a)kernel.org> PCI: Add ACS quirk for Loongson PCIe Niklas Cassel <cassel(a)kernel.org> PCI: dwc: ep: Correct PBA offset in .set_msix() callback Niklas Cassel <cassel(a)kernel.org> PCI: cadence-ep: Correct PBA offset in .set_msix() callback Long Li <longli(a)microsoft.com> uio_hv_generic: Align ring size to system page Long Li <longli(a)microsoft.com> uio_hv_generic: Use correct size for interrupt and monitor pages Long Li <longli(a)microsoft.com> Drivers: hv: Allocate interrupt and monitor pages aligned to system page boundary Ruben Devos <devosruben6(a)gmail.com> smb: client: add NULL check in automount_fullpath Shyam Prasad N <sprasad(a)microsoft.com> cifs: dns resolution is needed only for primary channel Shyam Prasad N <sprasad(a)microsoft.com> cifs: update dstaddr whenever channel iface is updated Shyam Prasad N <sprasad(a)microsoft.com> cifs: reset connections for all channels when reconnect requested Beleswar Padhi <b-padhi(a)ti.com> remoteproc: k3-m4: Don't assert reset in detach routine Xiaolei Wang <xiaolei.wang(a)windriver.com> remoteproc: core: Release rproc->clean_table after rproc_attach() fails Xiaolei Wang <xiaolei.wang(a)windriver.com> remoteproc: core: Cleanup acquired resources when rproc_handle_resources() fails in rproc_attach() Wentao Liang <vulab(a)iscas.ac.cn> regulator: max14577: Add error check for max14577_read_reg() André Almeida <andrealmeid(a)igalia.com> ovl: Fix nested backing file paths Khem Raj <raj.khem(a)gmail.com> mips: Add -std= flag specified in KBUILD_CFLAGS to vdso CFLAGS Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: iio: ad5933: Correct settling cycles encoding per datasheet David Lechner <dlechner(a)baylibre.com> pwm: axi-pwmgen: fix missing separate external clock Thomas Zimmermann <tzimmermann(a)suse.de> video: screen_info: Relocate framebuffers behind PCI bridges Thomas Zimmermann <tzimmermann(a)suse.de> sysfb: Fix screen_info type check for VGA Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> KVM: s390: rename PROT_NONE to PROT_TYPE_DUMMY Qasim Ijaz <qasdev00(a)gmail.com> net: ch9200: fix uninitialised access during mii_nway_restart Xu Yang <xu.yang_2(a)nxp.com> phy: fsl-imx8mq-usb: fix phy_tx_vboost_level_from_property() Mikulas Patocka <mpatocka(a)redhat.com> dm: lock limits when reading them Ye Bin <yebin10(a)huawei.com> ftrace: Fix UAF when lookup kallsym after ftrace disabled Md Sadre Alam <quic_mdalam(a)quicinc.com> mtd: rawnand: qcom: Fix read len for onfi param page Mikulas Patocka <mpatocka(a)redhat.com> dm-verity: fix a memory leak if some arguments are specified multiple times Mikulas Patocka <mpatocka(a)redhat.com> dm-mirror: fix a tiny race condition Chao Gao <chao.gao(a)intel.com> KVM: VMX: Flush shadow VMCS on emergency reboot Yosry Ahmed <yosry.ahmed(a)linux.dev> KVM: SVM: Clear current_vmcb during vCPU free for all *possible* CPUs Wentao Liang <vulab(a)iscas.ac.cn> mtd: nand: sunxi: Add randomizer configuration before randomizer enable Wentao Liang <vulab(a)iscas.ac.cn> mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk Sibi Sankar <quic_sibis(a)quicinc.com> firmware: arm_scmi: Ensure that the message-id supports fastchannel Dan Williams <dan.j.williams(a)intel.com> configfs-tsm-report: Fix NULL dereference of tsm_ops Johan Hovold <johan+linaro(a)kernel.org> soc: qcom: pmic_glink_altmode: fix spurious DP hotplug events Jinliang Zheng <alexjlzheng(a)tencent.com> mm: fix ratelimit_pages update error in dirty_ratio_handler() Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction Luo Gengkun <luogengkun(a)huaweicloud.com> watchdog: fix watchdog may detect false positive of softlockup Jeongjun Park <aha310510(a)gmail.com> ipc: fix to protect IPCS lookups using RCU Da Xue <da(a)libre.computer> clk: meson-g12a: add missing fclk_div2 to spicc Arnd Bergmann <arnd(a)arndb.de> parisc: fix building with gcc-15 GONG Ruiqi <gongruiqi1(a)huawei.com> vgacon: Add check for vc_origin address range in vgacon_scroll() Helge Deller <deller(a)gmx.de> parisc/unaligned: Fix hex output to show 8 hex chars Murad Masimov <m.masimov(a)mt-integration.ru> fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var Niravkumar L Rabara <niravkumar.l.rabara(a)intel.com> EDAC/altera: Use correct write width with the INTTEST register Murad Masimov <m.masimov(a)mt-integration.ru> fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var Lu Baolu <baolu.lu(a)linux.intel.com> iommu/vt-d: Restore context entry setup order for aliased devices Heiner Kallweit <hkallweit1(a)gmail.com> net: ftgmac100: select FIXED_PHY Hyunwoo Kim <imv4bel(a)gmail.com> net/sched: fix use-after-free in taprio_dev_notifier Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> NFC: nci: uart: Set tty->disc_data only in success path Gui-Dong Han <hanguidong02(a)gmail.com> hwmon: (ftsteutates) Fix TOCTOU race in fts_read() Chao Yu <chao(a)kernel.org> f2fs: fix to do sanity check on sit_bitmap_size Jaegeuk Kim <jaegeuk(a)kernel.org> f2fs: prevent kernel warning due to negative i_nlink from corrupted image Chao Yu <chao(a)kernel.org> f2fs: fix to do sanity check on ino and xnid Gatien Chevallier <gatien.chevallier(a)foss.st.com> Input: gpio-keys - fix possible concurrent access in gpio_keys_irq_timer() Dan Carpenter <dan.carpenter(a)linaro.org> Input: ims-pcu - check record size in ims_pcu_flash_firmware() Brian Foster <bfoster(a)redhat.com> ext4: only dirty folios when data journaling regular files Zhang Yi <yi.zhang(a)huawei.com> ext4: ensure i_size is smaller than maxbytes Zhang Yi <yi.zhang(a)huawei.com> ext4: factor out ext4_get_maxbytes() Jan Kara <jack(a)suse.cz> ext4: fix calculation of credits for extent tree modification Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> ext4: inline: fix len overflow in ext4_prepare_inline_data Wan Junjie <junjie.wan(a)inceptio.ai> bus: fsl-mc: fix GET/SET_TAILDROP command ids Ioana Ciornei <ioana.ciornei(a)nxp.com> bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device Mikko Korhonen <mjkorhon(a)gmail.com> ata: ahci: Disallow LPM for Asus B550-F motherboard Niklas Cassel <cassel(a)kernel.org> ata: ahci: Disallow LPM for ASUSPRO-D840SA motherboard Tasos Sahanidis <tasos(a)tasossah.com> ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> bus: firewall: Fix missing static inline annotations for stubs Chen Ridong <chenridong(a)huawei.com> cgroup,freezer: fix incomplete freezing when attaching tasks Dennis Marttinen <twelho(a)welho.tech> ceph: set superblock s_magic for IMA fsmagic matching Viacheslav Dubeyko <Slava.Dubeyko(a)ibm.com> ceph: avoid kernel BUG for encrypted inode with unaligned file size Brett Werling <brett.werling(a)garmin.com> can: tcan4x5x: fix power regulator retrieval during probe Fedor Pchelkin <pchelkin(a)ispras.ru> can: kvaser_pciefd: refine error prone echo_skb_max handling logic Jeff Hugo <quic_jhugo(a)quicinc.com> bus: mhi: host: Fix conflict between power_up and SYSERR Sumit Kumar <quic_sumk(a)quicinc.com> bus: mhi: ep: Update read pointer only after buffer is written Damien Le Moal <dlemoal(a)kernel.org> block: Clear BIO_EMULATES_ZONE_APPEND flag on BIO completion Jens Axboe <axboe(a)kernel.dk> block: use plug request list tail for one-shot backmerge attempt Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: codecs: wcd937x: Drop unused buck_supply Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: codecs: wcd9375: Fix double free of regulator supplies Andreas Kemnade <andreas(a)kemnade.info> ARM: omap: pmic-cpcap: do not mess around without CPCAP or OMAP4 Ross Stutterheim <ross.stutterheim(a)garmin.com> ARM: 9447/1: arm/memremap: fix arch_memremap_can_ram_remap() Ryan Roberts <ryan.roberts(a)arm.com> arm64/mm: Close theoretical race where stale TLB entry remains valid Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Fix deferred probing error Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Send control events for partial succeeds Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Return the number of processed controls Ming Qian <ming.qian(a)oss.nxp.com> media: imx-jpeg: Cleanup after an allocation error Ming Qian <ming.qian(a)oss.nxp.com> media: imx-jpeg: Reset slot data pointers when freed Ming Qian <ming.qian(a)oss.nxp.com> media: imx-jpeg: Move mxc_jpeg_free_slot_data() ahead Ming Qian <ming.qian(a)oss.nxp.com> media: imx-jpeg: Drop the first error frames Denis Arefev <arefev(a)swemel.ru> media: vivid: Change the siize of the composing Edward Adam Davis <eadavis(a)qq.com> media: vidtv: Terminating the subsequent process of initialization failure Marek Szyprowski <m.szyprowski(a)samsung.com> media: videobuf2: use sgtable-based scatterlist wrappers Loic Poulain <loic.poulain(a)oss.qualcomm.com> media: venus: Fix probe error handling Ma Ke <make24(a)iscas.ac.cn> media: v4l2-dev: fix error handling in __video_register_device() Marek Szyprowski <m.szyprowski(a)samsung.com> media: omap3isp: use sgtable-based scatterlist wrappers Fei Shao <fshao(a)chromium.org> media: mediatek: vcodec: Correct vsi_core framebuffer size Hao Yao <hao.yao(a)intel.com> media: ipu6: Remove workaround for Meteor Lake ES2 Stanislaw Gruszka <stanislaw.gruszka(a)linux.intel.com> media: intel/ipu6: Fix dma mask for non-secure mode Haoxiang Li <haoxiang_li2024(a)163.com> media: imagination: fix a potential memory leak in e5010_probe() Kieran Bingham <kieran.bingham(a)ideasonboard.com> media: i2c: imx335: Fix frame size enumeration Wentao Liang <vulab(a)iscas.ac.cn> media: gspca: Add error handling for stv06xx_read_sensor() Dmitry Nikiforov <Dm1tryNk(a)yandex.ru> media: davinci: vpif: Fix memory leak in probe error path Edward Adam Davis <eadavis(a)qq.com> media: cxusb: no longer judge rbuf when the write fails Sakari Ailus <sakari.ailus(a)linux.intel.com> media: ccs-pll: Check for too high VT PLL multiplier in dual PLL case Sakari Ailus <sakari.ailus(a)linux.intel.com> media: ccs-pll: Correct the upper limit of maximum op_pre_pll_clk_div Sakari Ailus <sakari.ailus(a)linux.intel.com> media: ccs-pll: Start OP pre-PLL multiplier search from correct value Hans de Goede <hdegoede(a)redhat.com> media: ov2740: Move pm-runtime cleanup on probe-errors to proper place Sakari Ailus <sakari.ailus(a)linux.intel.com> media: ccs-pll: Start VT pre-PLL multiplier search from correct value Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> media: i2c: ds90ub913: Fix returned fmt from .set_fmt() Laurentiu Palcu <laurentiu.palcu(a)oss.nxp.com> media: nxp: imx8-isi: better handle the m2m usage_count Umang Jain <umang.jain(a)ideasonboard.com> media: imx335: Use correct register width for HNUM Johan Hovold <johan+linaro(a)kernel.org> media: ov5675: suppress probe deferral errors Johan Hovold <johan+linaro(a)kernel.org> media: ov8856: suppress probe deferral errors Mingcong Bai <jeffbai(a)aosc.io> wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723 Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtw88: usb: Reduce control message timeout to 500 ms Chuck Lever <chuck.lever(a)oracle.com> svcrdma: Unregister the device if svc_rdma_accept() fails Jeongjun Park <aha310510(a)gmail.com> jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() Johan Hovold <johan+linaro(a)kernel.org> wifi: ath12k: fix ring-buffer corruption Max Kellermann <max.kellermann(a)ionos.com> fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio() Scott Mayhew <smayhew(a)redhat.com> NFSv4: Don't check for OPEN feature support in v4.1 Chuck Lever <chuck.lever(a)oracle.com> SUNRPC: Prevent hang on NFS mount with xprtsec=[m]tls Li Lingfeng <lilingfeng3(a)huawei.com> nfsd: Initialize ssc before laundromat_work to prevent NULL dereference NeilBrown <neil(a)brown.name> nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request Chuck Lever <chuck.lever(a)oracle.com> NFSD: Implement FATTR4_CLONE_BLKSIZE attribute Maninder Singh <maninder1.s(a)samsung.com> NFSD: fix race between nfsd registration and exports_proc Maninder Singh <maninder1.s(a)samsung.com> NFSD: unregister filesystem in case genl_register_family() fails Johan Hovold <johan+linaro(a)kernel.org> wifi: ath11k: fix ring-buffer corruption Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtw88: usb: Upload the firmware in bigger chunks Johan Hovold <johan+linaro(a)kernel.org> wifi: ath11k: fix rx completion meta data corruption Michael Lo <michael.lo(a)mediatek.com> wifi: mt76: mt7925: fix host interrupt register initialization Christian Lamparter <chunkeey(a)gmail.com> wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() Wentao Liang <vulab(a)iscas.ac.cn> net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid() Wentao Liang <vulab(a)iscas.ac.cn> net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr() João Paulo Gonçalves <jpaulo.silvagoncalves(a)gmail.com> regulator: max20086: Change enable gpio to optional João Paulo Gonçalves <jpaulo.silvagoncalves(a)gmail.com> regulator: max20086: Fix MAX200086 chip id Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Serialize device addition and removal Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Allow re-add of a reserved but not yet removed device Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Prevent self deletion in disable_slot() Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Remove redundant bus removal and disable from zpci_release_device() Gautam Menghani <gautam(a)linux.ibm.com> powerpc/pseries/msi: Avoid reading PCI device registers in reduced power states Pavel Begunkov <asml.silence(a)gmail.com> io_uring/kbuf: account ring io_buffer_list memory Pavel Begunkov <asml.silence(a)gmail.com> io_uring: account drain memory to cgroup Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> ASoC: amd: sof_amd_sdw: Fix unlikely uninitialized variable use in create_sdw_dailinks() Martin Blumenstingl <martin.blumenstingl(a)googlemail.com> ASoC: meson: meson-card-utils: use of_property_present() for DT parsing Wentao Liang <vulab(a)iscas.ac.cn> ASoC: qcom: sdm845: Add error handling in sdm845_slim_snd_hw_params() Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> crypto: qat - add shutdown handler to qat_dh895xcc Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> crypto: qat - add shutdown handler to qat_c62x Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> crypto: qat - add shutdown handler to qat_4xxx Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> crypto: qat - add shutdown handler to qat_420xx Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> crypto: qat - add shutdown handler to qat_c3xxx Alexander Aring <aahringo(a)redhat.com> gfs2: move msleep to sleepable context Herbert Xu <herbert(a)gondor.apana.org.au> crypto: marvell/cesa - Do not chain submitted requests Zijun Hu <quic_zijuhu(a)quicinc.com> configfs: Do not override creating attribute file failure in populate_attrs() ------------- Diffstat: .../bindings/i2c/nvidia,tegra20-i2c.yaml | 24 ++- Documentation/kbuild/makefiles.rst | 14 ++ Makefile | 4 +- arch/arm/mach-omap2/clockdomain.h | 1 + arch/arm/mach-omap2/clockdomains33xx_data.c | 2 +- arch/arm/mach-omap2/cm33xx.c | 14 +- arch/arm/mach-omap2/pmic-cpcap.c | 6 +- arch/arm/mm/ioremap.c | 4 +- arch/arm64/Makefile | 2 +- arch/arm64/include/asm/tlbflush.h | 9 +- arch/arm64/kernel/ptrace.c | 2 +- arch/arm64/mm/mmu.c | 3 +- arch/loongarch/include/asm/irqflags.h | 16 +- arch/loongarch/include/asm/vdso/getrandom.h | 2 +- arch/loongarch/include/asm/vdso/gettimeofday.h | 6 +- arch/loongarch/mm/hugetlbpage.c | 3 +- arch/mips/vdso/Makefile | 1 + arch/parisc/boot/compressed/Makefile | 1 + arch/parisc/kernel/unaligned.c | 2 +- arch/powerpc/include/asm/ppc_asm.h | 2 +- arch/powerpc/kernel/eeh.c | 2 + arch/powerpc/kernel/vdso/Makefile | 2 +- arch/powerpc/platforms/pseries/msi.c | 7 +- arch/riscv/kvm/vcpu_sbi_replace.c | 8 +- arch/s390/kvm/gaccess.c | 8 +- arch/s390/pci/pci.c | 45 ++-- arch/s390/pci/pci_bus.h | 7 +- arch/s390/pci/pci_event.c | 22 +- arch/s390/pci/pci_mmio.c | 2 +- arch/x86/include/asm/tdx.h | 2 +- arch/x86/kernel/cpu/sgx/main.c | 2 + arch/x86/kvm/svm/svm.c | 2 +- arch/x86/kvm/vmx/vmx.c | 5 +- arch/x86/tools/insn_decoder_test.c | 5 +- arch/x86/virt/vmx/tdx/tdx.c | 5 +- block/blk-merge.c | 26 +-- block/blk-zoned.c | 1 + drivers/accel/ivpu/ivpu_fw.c | 12 +- drivers/accel/ivpu/ivpu_gem.c | 91 ++++---- drivers/accel/ivpu/ivpu_gem.h | 2 +- drivers/acpi/acpica/amlresrc.h | 8 +- drivers/acpi/acpica/dsutils.c | 9 +- drivers/acpi/acpica/psobject.c | 52 ++--- drivers/acpi/acpica/rsaddr.c | 13 +- drivers/acpi/acpica/rscalc.c | 22 +- drivers/acpi/acpica/rslist.c | 12 +- drivers/acpi/acpica/utprint.c | 7 +- drivers/acpi/acpica/utresrc.c | 14 +- drivers/acpi/battery.c | 19 +- drivers/acpi/bus.c | 6 +- drivers/ata/ahci.c | 35 ++- drivers/ata/pata_via.c | 3 +- drivers/atm/atmtcp.c | 4 +- drivers/base/platform-msi.c | 1 + drivers/base/power/runtime.c | 2 +- drivers/base/swnode.c | 2 +- drivers/block/aoe/aoedev.c | 8 + drivers/block/ublk_drv.c | 3 + drivers/bluetooth/btusb.c | 4 + drivers/bus/fsl-mc/fsl-mc-uapi.c | 4 +- drivers/bus/fsl-mc/mc-io.c | 19 +- drivers/bus/fsl-mc/mc-sys.c | 2 +- drivers/bus/mhi/ep/ring.c | 16 +- drivers/bus/mhi/host/pm.c | 18 +- drivers/bus/ti-sysc.c | 49 ----- drivers/clk/meson/g12a.c | 1 + drivers/clk/qcom/gcc-x1e80100.c | 4 + drivers/clk/rockchip/clk-rk3036.c | 1 + drivers/cpufreq/amd-pstate.c | 3 + drivers/cpufreq/scmi-cpufreq.c | 36 +++- drivers/crypto/intel/qat/qat_420xx/adf_drv.c | 8 + drivers/crypto/intel/qat/qat_4xxx/adf_drv.c | 8 + drivers/crypto/intel/qat/qat_c3xxx/adf_drv.c | 8 + drivers/crypto/intel/qat/qat_c62x/adf_drv.c | 8 + drivers/crypto/intel/qat/qat_dh895xcc/adf_drv.c | 8 + drivers/crypto/marvell/cesa/cesa.c | 2 +- drivers/crypto/marvell/cesa/cesa.h | 9 +- drivers/crypto/marvell/cesa/tdma.c | 53 +++-- drivers/dma-buf/udmabuf.c | 5 +- drivers/edac/altera_edac.c | 6 +- drivers/edac/amd64_edac.c | 1 + drivers/firmware/arm_scmi/driver.c | 76 ++++--- drivers/firmware/arm_scmi/protocols.h | 2 + drivers/firmware/sysfb.c | 26 ++- drivers/gpio/gpio-mlxbf3.c | 52 +++-- drivers/gpio/gpio-pca953x.c | 2 +- drivers/gpio/gpiolib-of.c | 9 + drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c | 8 + drivers/gpu/drm/i915/i915_pmu.c | 4 +- drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 14 ++ .../gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c | 14 +- drivers/gpu/drm/msm/dsi/phy/dsi_phy_10nm.c | 7 + .../gpu/drm/msm/registers/adreno/adreno_pm4.xml | 3 +- drivers/gpu/drm/nouveau/nouveau_backlight.c | 2 +- drivers/gpu/drm/solomon/ssd130x.c | 2 +- drivers/gpu/drm/v3d/v3d_sched.c | 8 +- drivers/gpu/drm/xe/display/xe_display.c | 43 ++++ drivers/gpu/drm/xe/display/xe_display.h | 4 + drivers/gpu/drm/xe/xe_device.c | 40 +++- drivers/gpu/drm/xe/xe_gt.c | 110 ++++++---- drivers/gpu/drm/xe/xe_gt.h | 1 + drivers/hid/hid-asus.c | 107 ++++++++- drivers/hv/connection.c | 23 +- drivers/hwmon/ftsteutates.c | 9 +- drivers/hwmon/ltc4282.c | 7 - drivers/hwmon/occ/common.c | 238 +++++++++------------ drivers/i2c/busses/i2c-designware-slave.c | 2 +- drivers/i2c/busses/i2c-npcm7xx.c | 12 +- drivers/i2c/busses/i2c-tegra.c | 5 + drivers/iio/accel/fxls8962af-core.c | 15 +- drivers/iio/adc/Kconfig | 1 + drivers/iio/adc/ad7606_spi.c | 2 +- drivers/iio/adc/ad7944.c | 2 + drivers/iio/imu/inv_icm42600/inv_icm42600_temp.c | 8 +- drivers/infiniband/core/iwcm.c | 29 +-- drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 2 +- drivers/input/keyboard/gpio_keys.c | 2 + drivers/input/misc/ims-pcu.c | 6 + drivers/input/misc/sparcspkr.c | 22 +- drivers/iommu/amd/iommu.c | 41 +++- drivers/iommu/intel/iommu.c | 11 + drivers/iommu/intel/iommu.h | 1 + drivers/iommu/intel/nested.c | 4 +- drivers/md/dm-raid1.c | 5 +- drivers/md/dm-table.c | 8 +- drivers/md/dm-verity-fec.c | 4 + drivers/md/dm-verity-target.c | 8 +- drivers/md/dm-verity-verify-sig.c | 17 +- drivers/media/common/videobuf2/videobuf2-dma-sg.c | 4 +- drivers/media/i2c/ccs-pll.c | 11 +- drivers/media/i2c/ds90ub913.c | 4 +- drivers/media/i2c/imx335.c | 5 +- drivers/media/i2c/ov2740.c | 4 +- drivers/media/i2c/ov5675.c | 5 +- drivers/media/i2c/ov8856.c | 9 +- drivers/media/pci/intel/ipu6/ipu6-dma.c | 4 +- drivers/media/pci/intel/ipu6/ipu6.c | 5 - .../media/platform/imagination/e5010-jpeg-enc.c | 9 +- .../vcodec/decoder/vdec/vdec_hevc_req_multi_if.c | 2 +- drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c | 59 +++-- drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c | 14 +- drivers/media/platform/qcom/venus/core.c | 16 +- drivers/media/platform/ti/davinci/vpif.c | 4 +- drivers/media/platform/ti/omap3isp/ispccdc.c | 8 +- drivers/media/platform/ti/omap3isp/ispstat.c | 6 +- drivers/media/test-drivers/vidtv/vidtv_channel.c | 2 +- drivers/media/test-drivers/vivid/vivid-vid-cap.c | 2 +- drivers/media/usb/dvb-usb/cxusb.c | 3 +- drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c | 7 +- drivers/media/usb/uvc/uvc_ctrl.c | 23 +- drivers/media/usb/uvc/uvc_driver.c | 27 ++- drivers/media/v4l2-core/v4l2-dev.c | 14 +- drivers/mmc/core/card.h | 6 + drivers/mmc/core/quirks.h | 10 + drivers/mmc/core/sd.c | 32 ++- drivers/mtd/nand/raw/qcom_nandc.c | 2 +- drivers/mtd/nand/raw/sunxi_nand.c | 2 + drivers/net/can/kvaser_pciefd.c | 3 +- drivers/net/can/m_can/tcan4x5x-core.c | 9 +- drivers/net/ethernet/aquantia/atlantic/aq_main.c | 1 - drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 91 ++++++-- drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 29 +-- drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.h | 1 - drivers/net/ethernet/cadence/macb_main.c | 6 +- drivers/net/ethernet/cortina/gemini.c | 37 +++- drivers/net/ethernet/dlink/dl2k.c | 14 +- drivers/net/ethernet/dlink/dl2k.h | 2 + drivers/net/ethernet/emulex/benet/be_cmds.c | 2 +- drivers/net/ethernet/faraday/Kconfig | 1 + drivers/net/ethernet/intel/e1000e/netdev.c | 14 +- drivers/net/ethernet/intel/e1000e/ptp.c | 8 +- drivers/net/ethernet/intel/i40e/i40e_common.c | 7 +- drivers/net/ethernet/intel/ice/ice_arfs.c | 48 +++++ drivers/net/ethernet/intel/ice/ice_eswitch.c | 6 +- drivers/net/ethernet/intel/ice/ice_switch.c | 4 +- drivers/net/ethernet/intel/ixgbe/ixgbe_phy.c | 4 +- drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c | 9 +- drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 1 + .../mlx5/core/steering/hws/mlx5hws_definer.c | 78 +++++-- drivers/net/ethernet/mellanox/mlx5/core/vport.c | 18 +- .../ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c | 6 +- drivers/net/ethernet/meta/fbnic/fbnic_fw.c | 5 +- drivers/net/ethernet/microchip/lan743x_ethtool.c | 18 +- drivers/net/ethernet/microchip/lan743x_ptp.h | 4 +- drivers/net/ethernet/pensando/ionic/ionic_main.c | 3 +- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 7 +- drivers/net/ethernet/ti/am65-cpsw-nuss.c | 24 ++- drivers/net/ethernet/vertexcom/mse102x.c | 15 +- drivers/net/netdevsim/netdev.c | 2 + drivers/net/usb/asix.h | 1 - drivers/net/usb/asix_common.c | 22 -- drivers/net/usb/asix_devices.c | 17 +- drivers/net/usb/ch9200.c | 7 +- drivers/net/vxlan/vxlan_core.c | 8 +- drivers/net/wireless/ath/ath11k/ce.c | 11 +- drivers/net/wireless/ath/ath11k/core.c | 55 +++++ drivers/net/wireless/ath/ath11k/core.h | 7 + drivers/net/wireless/ath/ath11k/dp_rx.c | 25 ++- drivers/net/wireless/ath/ath11k/hal.c | 4 +- drivers/net/wireless/ath/ath11k/qmi.c | 9 + drivers/net/wireless/ath/ath12k/ce.c | 11 +- drivers/net/wireless/ath/ath12k/ce.h | 6 +- drivers/net/wireless/ath/ath12k/dp_mon.c | 2 + drivers/net/wireless/ath/ath12k/hal.c | 12 +- drivers/net/wireless/ath/ath12k/hal_desc.h | 2 +- drivers/net/wireless/ath/ath12k/pci.c | 5 + drivers/net/wireless/ath/ath12k/wmi.c | 20 +- drivers/net/wireless/ath/carl9170/usb.c | 19 +- drivers/net/wireless/intel/iwlwifi/cfg/22000.c | 3 + drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c | 4 +- drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 6 + drivers/net/wireless/intersil/p54/fwio.c | 2 + drivers/net/wireless/intersil/p54/p54.h | 1 + drivers/net/wireless/intersil/p54/txrx.c | 13 +- drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 2 + .../net/wireless/mediatek/mt76/mt76x2/usb_init.c | 13 +- drivers/net/wireless/mediatek/mt76/mt7921/main.c | 5 + drivers/net/wireless/mediatek/mt76/mt7925/init.c | 6 + drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 20 +- drivers/net/wireless/mediatek/mt76/mt7925/mcu.h | 1 + drivers/net/wireless/mediatek/mt76/mt7925/pci.c | 3 - drivers/net/wireless/mediatek/mt76/mt7925/regs.h | 2 +- drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 8 + drivers/net/wireless/purelifi/plfxlc/usb.c | 4 +- drivers/net/wireless/realtek/rtlwifi/pci.c | 10 + drivers/net/wireless/realtek/rtw88/hci.h | 8 + drivers/net/wireless/realtek/rtw88/mac.c | 11 +- drivers/net/wireless/realtek/rtw88/mac.h | 2 + drivers/net/wireless/realtek/rtw88/pci.c | 2 + drivers/net/wireless/realtek/rtw88/sdio.c | 2 + drivers/net/wireless/realtek/rtw88/usb.c | 57 ++++- drivers/net/wireless/realtek/rtw89/cam.c | 3 + drivers/net/wireless/realtek/rtw89/mac.c | 4 +- drivers/net/wireless/realtek/rtw89/phy.c | 10 +- drivers/net/wireless/realtek/rtw89/phy.h | 1 + drivers/net/wireless/realtek/rtw89/rtw8922a_rfk.c | 5 - drivers/net/wireless/virtual/mac80211_hwsim.c | 5 + drivers/nvme/host/ioctl.c | 21 +- drivers/pci/controller/cadence/pcie-cadence-ep.c | 5 +- drivers/pci/controller/dwc/pcie-designware-ep.c | 5 +- drivers/pci/controller/dwc/pcie-dw-rockchip.c | 6 +- drivers/pci/hotplug/s390_pci_hpc.c | 2 +- drivers/pci/pci.c | 3 +- drivers/pci/quirks.c | 23 ++ drivers/phy/freescale/phy-fsl-imx8mq-usb.c | 10 +- drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 21 +- drivers/pinctrl/pinctrl-mcp23s08.c | 8 + drivers/platform/loongarch/loongson-laptop.c | 87 ++++---- drivers/platform/x86/amd/pmc/pmc.c | 2 + drivers/platform/x86/amd/pmf/tee-if.c | 11 +- drivers/platform/x86/dell/dell_rbu.c | 6 +- drivers/platform/x86/ideapad-laptop.c | 19 +- .../intel/uncore-frequency/uncore-frequency-tpmi.c | 9 +- drivers/pmdomain/core.c | 4 +- drivers/power/supply/bq27xxx_battery.c | 2 +- drivers/power/supply/bq27xxx_battery_i2c.c | 13 +- drivers/power/supply/collie_battery.c | 1 + drivers/power/supply/max17040_battery.c | 5 +- drivers/ptp/ptp_clock.c | 3 +- drivers/ptp/ptp_private.h | 22 +- drivers/pwm/pwm-axi-pwmgen.c | 23 +- drivers/rapidio/rio_cm.c | 3 + drivers/regulator/max14577-regulator.c | 5 +- drivers/regulator/max20086-regulator.c | 4 +- drivers/remoteproc/remoteproc_core.c | 6 +- drivers/remoteproc/ti_k3_m4_remoteproc.c | 2 +- drivers/s390/scsi/zfcp_sysfs.c | 2 + drivers/scsi/elx/efct/efct_hw.c | 5 +- drivers/scsi/lpfc/lpfc_hbadisc.c | 2 +- drivers/scsi/lpfc/lpfc_sli.c | 4 +- drivers/scsi/smartpqi/smartpqi_init.c | 84 ++++++++ drivers/scsi/storvsc_drv.c | 10 +- drivers/soc/qcom/pmic_glink_altmode.c | 30 ++- drivers/staging/iio/impedance-analyzer/ad5933.c | 2 +- drivers/tee/tee_core.c | 11 +- drivers/tty/serial/sh-sci.c | 48 ++++- drivers/uio/uio_hv_generic.c | 7 +- drivers/video/console/dummycon.c | 18 +- drivers/video/console/vgacon.c | 2 +- drivers/video/fbdev/core/fbcon.c | 7 +- drivers/video/fbdev/core/fbmem.c | 22 +- drivers/video/screen_info_pci.c | 75 ++++--- drivers/virt/coco/tsm.c | 31 ++- drivers/watchdog/da9052_wdt.c | 1 + fs/ceph/addr.c | 9 + fs/ceph/super.c | 1 + fs/configfs/dir.c | 2 +- fs/ext4/ext4.h | 7 + fs/ext4/extents.c | 18 +- fs/ext4/file.c | 7 +- fs/ext4/inline.c | 2 +- fs/ext4/inode.c | 10 +- fs/f2fs/compress.c | 23 +- fs/f2fs/f2fs.h | 5 + fs/f2fs/inode.c | 10 +- fs/f2fs/namei.c | 9 + fs/f2fs/segment.c | 12 +- fs/f2fs/super.c | 12 +- fs/gfs2/lock_dlm.c | 3 +- fs/isofs/inode.c | 7 +- fs/isofs/isofs.h | 4 +- fs/isofs/rock.c | 40 ++-- fs/isofs/rock.h | 6 +- fs/isofs/util.c | 51 +++-- fs/jbd2/transaction.c | 5 +- fs/jffs2/erase.c | 4 +- fs/jffs2/scan.c | 4 +- fs/jffs2/summary.c | 7 +- fs/nfs/nfs4proc.c | 5 +- fs/nfs/read.c | 3 +- fs/nfsd/nfs4proc.c | 3 +- fs/nfsd/nfs4xdr.c | 19 +- fs/nfsd/nfsctl.c | 26 +-- fs/nfsd/nfssvc.c | 6 +- fs/overlayfs/file.c | 4 +- fs/smb/client/cached_dir.c | 14 +- fs/smb/client/cached_dir.h | 8 +- fs/smb/client/cifsglob.h | 1 + fs/smb/client/connect.c | 17 +- fs/smb/client/namespace.c | 3 + fs/smb/client/readdir.c | 28 +-- fs/smb/client/reparse.c | 1 - fs/smb/client/sess.c | 7 +- fs/smb/client/smb2pdu.c | 33 ++- fs/smb/client/smbdirect.c | 5 +- fs/smb/client/transport.c | 14 +- fs/smb/server/connection.c | 2 +- fs/smb/server/connection.h | 1 + fs/smb/server/smb2pdu.c | 11 +- fs/smb/server/transport_rdma.c | 10 +- fs/smb/server/transport_tcp.c | 3 +- fs/xattr.c | 1 + include/acpi/actypes.h | 2 +- include/linux/acpi.h | 9 +- include/linux/atmdev.h | 6 + include/linux/bus/stm32_firewall_device.h | 15 +- include/linux/f2fs_fs.h | 1 + include/linux/hugetlb.h | 3 + include/linux/mmc/card.h | 1 + include/linux/tcp.h | 2 +- include/net/checksum.h | 2 +- include/net/ipv6.h | 9 - include/net/mac80211.h | 16 -- include/trace/events/erofs.h | 18 -- include/uapi/linux/bpf.h | 2 + io_uring/io-wq.c | 4 +- io_uring/io_uring.c | 2 +- io_uring/kbuf.c | 7 +- io_uring/sqpoll.c | 5 +- ipc/shm.c | 5 +- kernel/bpf/bpf_struct_ops.c | 2 +- kernel/bpf/btf.c | 4 +- kernel/bpf/helpers.c | 3 +- kernel/cgroup/legacy_freezer.c | 3 +- kernel/events/core.c | 80 +++++-- kernel/exit.c | 17 +- kernel/sched/core.c | 4 +- kernel/sched/ext.c | 5 + kernel/sched/ext.h | 2 + kernel/time/clocksource.c | 2 +- kernel/trace/ftrace.c | 10 +- kernel/watchdog.c | 41 ++-- kernel/workqueue.c | 3 +- lib/Kconfig | 1 + lib/Kconfig.debug | 9 + lib/Makefile | 2 + lib/longest_symbol_kunit.c | 82 +++++++ mm/hugetlb.c | 67 ++++-- mm/madvise.c | 2 + mm/page-writeback.c | 2 +- mm/vma.c | 7 + mm/vma_internal.h | 1 + net/atm/common.c | 1 + net/atm/lec.c | 12 +- net/atm/raw.c | 2 +- net/bridge/br_mst.c | 4 +- net/bridge/br_multicast.c | 103 ++++++++- net/bridge/br_private.h | 11 +- net/core/filter.c | 24 ++- net/core/page_pool.c | 4 + net/core/skbuff.c | 3 - net/core/skmsg.c | 3 +- net/core/sock.c | 4 +- net/core/utils.c | 4 +- net/ipv4/route.c | 4 + net/ipv4/tcp_fastopen.c | 3 + net/ipv4/tcp_input.c | 79 ++++--- net/ipv6/calipso.c | 8 + net/ipv6/ila/ila_common.c | 6 +- net/ipv6/ip6_output.c | 2 - net/ipv6/raw.c | 8 +- net/ipv6/udp.c | 7 +- net/l2tp/l2tp_ip6.c | 8 +- net/mac80211/cfg.c | 2 +- net/mac80211/debugfs_sta.c | 6 - net/mac80211/mesh_hwmp.c | 6 +- net/mac80211/rate.c | 2 - net/mac80211/sta_info.c | 28 --- net/mac80211/sta_info.h | 11 - net/mac80211/tx.c | 15 +- net/mpls/af_mpls.c | 4 +- net/netfilter/nft_set_pipapo.c | 6 + net/nfc/nci/uart.c | 8 +- net/sched/sch_sfq.c | 10 +- net/sched/sch_taprio.c | 6 +- net/sctp/socket.c | 3 +- net/sunrpc/svc.c | 11 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 1 + net/sunrpc/xprtsock.c | 5 + net/tipc/crypto.c | 2 +- net/tipc/udp_media.c | 4 +- net/wireless/core.c | 6 +- net/xfrm/xfrm_user.c | 52 ++++- rust/Makefile | 14 +- scripts/Makefile.compiler | 8 +- scripts/generate_rust_analyzer.py | 13 +- security/selinux/xfrm.c | 2 +- sound/pci/hda/cs35l41_hda_property.c | 6 + sound/pci/hda/hda_intel.c | 2 + sound/pci/hda/patch_realtek.c | 5 + sound/soc/amd/acp/acp-sdw-sof-mach.c | 2 +- sound/soc/amd/yc/acp6x-mach.c | 9 +- sound/soc/codecs/tas2770.c | 30 ++- sound/soc/codecs/wcd937x.c | 7 +- sound/soc/meson/meson-card-utils.c | 2 +- sound/soc/qcom/sdm845.c | 4 + sound/soc/sdw_utils/soc_sdw_rt_amp.c | 2 +- sound/soc/tegra/tegra210_ahub.c | 2 + sound/usb/mixer_maps.c | 12 ++ tools/bpf/bpftool/cgroup.c | 12 +- tools/include/uapi/linux/bpf.h | 2 + tools/lib/bpf/btf.c | 18 +- tools/lib/bpf/libbpf.c | 6 + tools/perf/tests/tests-scripts.c | 1 + tools/perf/util/print-events.c | 1 + tools/testing/selftests/x86/Makefile | 2 +- tools/testing/selftests/x86/sigtrap_loop.c | 101 +++++++++ tools/testing/vma/vma_internal.h | 2 + 439 files changed, 3802 insertions(+), 1703 deletions(-)

4 months, 2 weeks

10
11
0 0

FAILED: patch "[PATCH] EDAC/amd64: Fix size calculation for Non-Power-of-Two DIMMs" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x a3f3040657417aeadb9622c629d4a0c2693a0f93 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025063022-frail-ceremony-f06e@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a3f3040657417aeadb9622c629d4a0c2693a0f93 Mon Sep 17 00:00:00 2001 From: Avadhut Naik <avadhut.naik(a)amd.com> Date: Thu, 29 May 2025 20:50:04 +0000 Subject: [PATCH] EDAC/amd64: Fix size calculation for Non-Power-of-Two DIMMs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Each Chip-Select (CS) of a Unified Memory Controller (UMC) on AMD Zen-based SOCs has an Address Mask and a Secondary Address Mask register associated with it. The amd64_edac module logs DIMM sizes on a per-UMC per-CS granularity during init using these two registers. Currently, the module primarily considers only the Address Mask register for computing DIMM sizes. The Secondary Address Mask register is only considered for odd CS. Additionally, if it has been considered, the Address Mask register is ignored altogether for that CS. For power-of-two DIMMs i.e. DIMMs whose total capacity is a power of two (32GB, 64GB, etc), this is not an issue since only the Address Mask register is used. For non-power-of-two DIMMs i.e., DIMMs whose total capacity is not a power of two (48GB, 96GB, etc), however, the Secondary Address Mask register is used in conjunction with the Address Mask register. However, since the module only considers either of the two registers for a CS, the size computed by the module is incorrect. The Secondary Address Mask register is not considered for even CS, and the Address Mask register is not considered for odd CS. Introduce a new helper function so that both Address Mask and Secondary Address Mask registers are considered, when valid, for computing DIMM sizes. Furthermore, also rename some variables for greater clarity. Fixes: 81f5090db843 ("EDAC/amd64: Support asymmetric dual-rank DIMMs") Closes: https://lore.kernel.org/dbec22b6-00f2-498b-b70d-ab6f8a5ec87e@natrix.lt Reported-by: Žilvinas Žaltiena <zilvinas(a)natrix.lt> Signed-off-by: Avadhut Naik <avadhut.naik(a)amd.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Reviewed-by: Yazen Ghannam <yazen.ghannam(a)amd.com> Tested-by: Žilvinas Žaltiena <zilvinas(a)natrix.lt> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/20250529205013.403450-1-avadhut.naik@amd.com diff --git a/drivers/edac/amd64_edac.c b/drivers/edac/amd64_edac.c index b681c0663203..07f1e9dc1ca7 100644 --- a/drivers/edac/amd64_edac.c +++ b/drivers/edac/amd64_edac.c @@ -1209,7 +1209,9 @@ static int umc_get_cs_mode(int dimm, u8 ctrl, struct amd64_pvt *pvt) if (csrow_enabled(2 * dimm + 1, ctrl, pvt)) cs_mode |= CS_ODD_PRIMARY; - /* Asymmetric dual-rank DIMM support. */ + if (csrow_sec_enabled(2 * dimm, ctrl, pvt)) + cs_mode |= CS_EVEN_SECONDARY; + if (csrow_sec_enabled(2 * dimm + 1, ctrl, pvt)) cs_mode |= CS_ODD_SECONDARY; @@ -1230,12 +1232,13 @@ static int umc_get_cs_mode(int dimm, u8 ctrl, struct amd64_pvt *pvt) return cs_mode; } -static int __addr_mask_to_cs_size(u32 addr_mask_orig, unsigned int cs_mode, - int csrow_nr, int dimm) +static int calculate_cs_size(u32 mask, unsigned int cs_mode) { - u32 msb, weight, num_zero_bits; - u32 addr_mask_deinterleaved; - int size = 0; + int msb, weight, num_zero_bits; + u32 deinterleaved_mask; + + if (!mask) + return 0; /* * The number of zero bits in the mask is equal to the number of bits @@ -1248,19 +1251,30 @@ static int __addr_mask_to_cs_size(u32 addr_mask_orig, unsigned int cs_mode, * without swapping with the most significant bit. This can be handled * by keeping the MSB where it is and ignoring the single zero bit. */ - msb = fls(addr_mask_orig) - 1; - weight = hweight_long(addr_mask_orig); + msb = fls(mask) - 1; + weight = hweight_long(mask); num_zero_bits = msb - weight - !!(cs_mode & CS_3R_INTERLEAVE); /* Take the number of zero bits off from the top of the mask. */ - addr_mask_deinterleaved = GENMASK_ULL(msb - num_zero_bits, 1); + deinterleaved_mask = GENMASK(msb - num_zero_bits, 1); + edac_dbg(1, " Deinterleaved AddrMask: 0x%x\n", deinterleaved_mask); + + return (deinterleaved_mask >> 2) + 1; +} + +static int __addr_mask_to_cs_size(u32 addr_mask, u32 addr_mask_sec, + unsigned int cs_mode, int csrow_nr, int dimm) +{ + int size; edac_dbg(1, "CS%d DIMM%d AddrMasks:\n", csrow_nr, dimm); - edac_dbg(1, " Original AddrMask: 0x%x\n", addr_mask_orig); - edac_dbg(1, " Deinterleaved AddrMask: 0x%x\n", addr_mask_deinterleaved); + edac_dbg(1, " Primary AddrMask: 0x%x\n", addr_mask); /* Register [31:1] = Address [39:9]. Size is in kBs here. */ - size = (addr_mask_deinterleaved >> 2) + 1; + size = calculate_cs_size(addr_mask, cs_mode); + + edac_dbg(1, " Secondary AddrMask: 0x%x\n", addr_mask_sec); + size += calculate_cs_size(addr_mask_sec, cs_mode); /* Return size in MBs. */ return size >> 10; @@ -1269,8 +1283,8 @@ static int __addr_mask_to_cs_size(u32 addr_mask_orig, unsigned int cs_mode, static int umc_addr_mask_to_cs_size(struct amd64_pvt *pvt, u8 umc, unsigned int cs_mode, int csrow_nr) { + u32 addr_mask = 0, addr_mask_sec = 0; int cs_mask_nr = csrow_nr; - u32 addr_mask_orig; int dimm, size = 0; /* No Chip Selects are enabled. */ @@ -1308,13 +1322,13 @@ static int umc_addr_mask_to_cs_size(struct amd64_pvt *pvt, u8 umc, if (!pvt->flags.zn_regs_v2) cs_mask_nr >>= 1; - /* Asymmetric dual-rank DIMM support. */ - if ((csrow_nr & 1) && (cs_mode & CS_ODD_SECONDARY)) - addr_mask_orig = pvt->csels[umc].csmasks_sec[cs_mask_nr]; - else - addr_mask_orig = pvt->csels[umc].csmasks[cs_mask_nr]; + if (cs_mode & (CS_EVEN_PRIMARY | CS_ODD_PRIMARY)) + addr_mask = pvt->csels[umc].csmasks[cs_mask_nr]; - return __addr_mask_to_cs_size(addr_mask_orig, cs_mode, csrow_nr, dimm); + if (cs_mode & (CS_EVEN_SECONDARY | CS_ODD_SECONDARY)) + addr_mask_sec = pvt->csels[umc].csmasks_sec[cs_mask_nr]; + + return __addr_mask_to_cs_size(addr_mask, addr_mask_sec, cs_mode, csrow_nr, dimm); } static void umc_debug_display_dimm_sizes(struct amd64_pvt *pvt, u8 ctrl) @@ -3512,9 +3526,10 @@ static void gpu_get_err_info(struct mce *m, struct err_info *err) static int gpu_addr_mask_to_cs_size(struct amd64_pvt *pvt, u8 umc, unsigned int cs_mode, int csrow_nr) { - u32 addr_mask_orig = pvt->csels[umc].csmasks[csrow_nr]; + u32 addr_mask = pvt->csels[umc].csmasks[csrow_nr]; + u32 addr_mask_sec = pvt->csels[umc].csmasks_sec[csrow_nr]; - return __addr_mask_to_cs_size(addr_mask_orig, cs_mode, csrow_nr, csrow_nr >> 1); + return __addr_mask_to_cs_size(addr_mask, addr_mask_sec, cs_mode, csrow_nr, csrow_nr >> 1); } static void gpu_debug_display_dimm_sizes(struct amd64_pvt *pvt, u8 ctrl)

4 months, 2 weeks

6
9
0 0

[PATCH 2/2] platform/x86: ideapad-laptop: Fix kbd backlight not remembered among boots

by Rong Zhang

On some models supported by ideapad-laptop, the HW/FW can remember the state of keyboard backlight among boots. However, it is always turned off while shutting down, as a side effect of the LED class device unregistering sequence. This is inconvenient for users who always prefer turning on the keyboard backlight. Thus, set LED_RETAIN_AT_SHUTDOWN on the LED class device so that the state of keyboard backlight gets remembered, which also aligns with the behavior of manufacturer utilities on Windows. Fixes: 503325f84bc0 ("platform/x86: ideapad-laptop: add keyboard backlight control support") Cc: stable(a)vger.kernel.org Signed-off-by: Rong Zhang <i(a)rong.moe> --- drivers/platform/x86/ideapad-laptop.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/platform/x86/ideapad-laptop.c b/drivers/platform/x86/ideapad-laptop.c index 62a72b09fc3a..edb9d2fb02ec 100644 --- a/drivers/platform/x86/ideapad-laptop.c +++ b/drivers/platform/x86/ideapad-laptop.c @@ -1669,7 +1669,7 @@ static int ideapad_kbd_bl_init(struct ideapad_private *priv) priv->kbd_bl.led.name = "platform::" LED_FUNCTION_KBD_BACKLIGHT; priv->kbd_bl.led.brightness_get = ideapad_kbd_bl_led_cdev_brightness_get; priv->kbd_bl.led.brightness_set_blocking = ideapad_kbd_bl_led_cdev_brightness_set; - priv->kbd_bl.led.flags = LED_BRIGHT_HW_CHANGED; + priv->kbd_bl.led.flags = LED_BRIGHT_HW_CHANGED | LED_RETAIN_AT_SHUTDOWN; err = led_classdev_register(&priv->platform_device->dev, &priv->kbd_bl.led); if (err) -- 2.50.0

4 months, 2 weeks

2
1
0 0

[PATCH 1/2] platform/x86: ideapad-laptop: Fix FnLock not remembered among boots

by Rong Zhang

On devices supported by ideapad-laptop, the HW/FW can remember the FnLock state among boots. However, since the introduction of the FnLock LED class device, it is turned off while shutting down, as a side effect of the LED class device unregistering sequence. Many users always turn on FnLock because they use function keys much more frequently than multimedia keys. The behavior change is inconvenient for them. Thus, set LED_RETAIN_AT_SHUTDOWN on the LED class device so that the FnLock state gets remembered, which also aligns with the behavior of manufacturer utilities on Windows. Fixes: 07f48f668fac ("platform/x86: ideapad-laptop: add FnLock LED class device") Cc: stable(a)vger.kernel.org Signed-off-by: Rong Zhang <i(a)rong.moe> --- drivers/platform/x86/ideapad-laptop.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/platform/x86/ideapad-laptop.c b/drivers/platform/x86/ideapad-laptop.c index b5e4da6a6779..62a72b09fc3a 100644 --- a/drivers/platform/x86/ideapad-laptop.c +++ b/drivers/platform/x86/ideapad-laptop.c @@ -1728,7 +1728,7 @@ static int ideapad_fn_lock_led_init(struct ideapad_private *priv) priv->fn_lock.led.name = "platform::" LED_FUNCTION_FNLOCK; priv->fn_lock.led.brightness_get = ideapad_fn_lock_led_cdev_get; priv->fn_lock.led.brightness_set_blocking = ideapad_fn_lock_led_cdev_set; - priv->fn_lock.led.flags = LED_BRIGHT_HW_CHANGED; + priv->fn_lock.led.flags = LED_BRIGHT_HW_CHANGED | LED_RETAIN_AT_SHUTDOWN; err = led_classdev_register(&priv->platform_device->dev, &priv->fn_lock.led); if (err) -- 2.50.0

4 months, 2 weeks

2
1
0 0

[PATCH] comedi: Fix initialization of data for instructions that write to subdevice

by Ian Abbott

Some Comedi subdevice instruction handlers are known to access instruction data elements beyond the first `insn->n` elements in some cases. The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions allocate at least `MIN_SAMPLES` (16) data elements to deal with this, but they do not initialize all of that. For Comedi instruction codes that write to the subdevice, the first `insn->n` data elements are copied from user-space, but the remaining elements are left uninitialized. That could be a problem if the subdevice instruction handler reads the uninitialized data. Ensure that the first `MIN_SAMPLES` elements are initialized before calling these instruction handlers, filling the uncopied elements with 0. For `do_insnlist_ioctl()`, the same data buffer elements are used for handling a list of instructions, so ensure the first `MIN_SAMPLES` elements are initialized for each instruction that writes to the subdevice. Fixes: ed9eccbe8970 ("Staging: add comedi core") Cc: <stable(a)vger.kernel.org> # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> --- Patch does not apply cleanly to longterm kernels 5.4.x and 5.10.x. --- drivers/comedi/comedi_fops.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c index 3383a7ce27ff..0f8b471d5032 100644 --- a/drivers/comedi/comedi_fops.c +++ b/drivers/comedi/comedi_fops.c @@ -1556,21 +1556,27 @@ static int do_insnlist_ioctl(struct comedi_device *dev, } for (i = 0; i < n_insns; ++i) { + unsigned int n = insns[i].n; + if (insns[i].insn & INSN_MASK_WRITE) { if (copy_from_user(data, insns[i].data, - insns[i].n * sizeof(unsigned int))) { + n * sizeof(unsigned int))) { dev_dbg(dev->class_dev, "copy_from_user failed\n"); ret = -EFAULT; goto error; } + if (n < MIN_SAMPLES) { + memset(&data[n], 0, (MIN_SAMPLES - n) * + sizeof(unsigned int)); + } } ret = parse_insn(dev, insns + i, data, file); if (ret < 0) goto error; if (insns[i].insn & INSN_MASK_READ) { if (copy_to_user(insns[i].data, data, - insns[i].n * sizeof(unsigned int))) { + n * sizeof(unsigned int))) { dev_dbg(dev->class_dev, "copy_to_user failed\n"); ret = -EFAULT; @@ -1633,6 +1639,10 @@ static int do_insn_ioctl(struct comedi_device *dev, ret = -EFAULT; goto error; } + if (insn->n < MIN_SAMPLES) { + memset(&data[insn->n], 0, + (MIN_SAMPLES - insn->n) * sizeof(unsigned int)); + } } ret = parse_insn(dev, insn, data, file); if (ret < 0) -- 2.47.2

4 months, 2 weeks

1
0
0 0

[PATCH 5.4 000/215] 5.4.295-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.4.295 release. There are 215 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 27 Jun 2025 08:52:04 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.295-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.4.295-rc2 Tengda Wu <wutengda(a)huaweicloud.com> arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth() Peter Zijlstra <peterz(a)infradead.org> perf: Fix sample vs do_exit() Heiko Carstens <hca(a)linux.ibm.com> s390/pci: Fix __pcilg_mio_inuser() inline assembly David Gow <davidgow(a)google.com> rtc: test: Fix invalid format specifier. Jeongjun Park <aha310510(a)gmail.com> jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() Gavin Guo <gavinguo(a)igalia.com> mm/huge_memory: fix dereferencing invalid pmd migration entry Alexandre Mergnat <amergnat(a)baylibre.com> rtc: Make rtc_time64_to_tm() support dates before 1970 Cassio Neri <cassio.neri(a)gmail.com> rtc: Improve performance of rtc_time64_to_tm(). Add tests. Dan Aloni <dan.aloni(a)vastdata.com> xprtrdma: fix pointer derefs in error cases of rpcrdma_ep_create Oleg Nesterov <oleg(a)redhat.com> posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() Geert Uytterhoeven <geert+renesas(a)glider.be> ARM: dts: am335x-bone-common: Increase MDIO reset deassert delay to 50ms Colin Foster <colin.foster(a)in-advantage.com> ARM: dts: am335x-bone-common: Increase MDIO reset deassert time Shengyu Qu <wiagn233(a)outlook.com> ARM: dts: am335x-bone-common: Add GPIO PHY reset on revision C3 board Eric Dumazet <edumazet(a)google.com> net: atm: fix /proc/net/atm/lec handling Eric Dumazet <edumazet(a)google.com> net: atm: add lec_mutex Kuniyuki Iwashima <kuniyu(a)google.com> calipso: Fix null-ptr-deref in calipso_req_{set,del}attr(). Haixia Qu <hxqu(a)hillstonenet.com> tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer Neal Cardwell <ncardwell(a)google.com> tcp: fix tcp_packet_delayed() for tcp_is_non_sack_preventing_reopen() behavior Kuniyuki Iwashima <kuniyu(a)google.com> atm: atmtcp: Free invalid length skb in atmtcp_c_send(). Kuniyuki Iwashima <kuniyu(a)google.com> mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). Dmitry Antipov <dmantipov(a)yandex.ru> wifi: carl9170: do not ping device which has failed to load firmware Justin Sanders <jsanders.devel(a)gmail.com> aoe: clean device rq_list in aoedev_downdev() Arnd Bergmann <arnd(a)arndb.de> hwmon: (occ) fix unaligned accesses Jacob Keller <jacob.e.keller(a)intel.com> drm/nouveau/bl: increase buffer size to avoid truncate warning Gao Xiang <hsiangkao(a)linux.alibaba.com> erofs: remove unused trace event erofs_destroy_inode Jonathan Lane <jon(a)borg.moe> ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged Takashi Iwai <tiwai(a)suse.de> ALSA: hda/intel: Add Thinkpad E15 to PM deny list WangYuli <wangyuli(a)uniontech.com> Input: sparcspkr - avoid unannotated fall-through Terry Junge <linuxhid(a)cosmicgizmosystems.com> HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() Kuniyuki Iwashima <kuniyu(a)google.com> atm: Revert atm_account_tx() if copy_from_iter_full() fails. Stephen Smalley <stephen.smalley.work(a)gmail.com> selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len Peter Oberparleiter <oberpar(a)linux.ibm.com> scsi: s390: zfcp: Ensure synchronous unit_add Dexuan Cui <decui(a)microsoft.com> scsi: storvsc: Increase the timeouts to storvsc_timeout Fedor Pchelkin <pchelkin(a)ispras.ru> jffs2: check jffs2_prealloc_raw_node_refs() result in few other places Artem Sadovnikov <a.sadovnikov(a)ispras.ru> jffs2: check that raw node were preallocated before writing summary Andrew Morton <akpm(a)linux-foundation.org> drivers/rapidio/rio_cm.c: prevent possible heap overwrite Breno Leitao <leitao(a)debian.org> Revert "x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2" on v6.6 and older Narayana Murty N <nnmlinux(a)linux.ibm.com> powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery Stuart Hayes <stuart.w.hayes(a)gmail.com> platform/x86: dell_rbu: Stop overwriting data buffer Maximilian Luz <luzmaximilian(a)gmail.com> platform: Add Surface platform directory Alexander Sverdlin <alexander.sverdlin(a)siemens.com> Revert "bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first" Jann Horn <jannh(a)google.com> tee: Prevent size calculation wraparound on 32-bit kernels Sukrut Bellary <sbellary(a)baylibre.com> ARM: OMAP2+: Fix l4ls clk domain handling in STANDBY Laurentiu Tudor <laurentiu.tudor(a)nxp.com> bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value Marcus Folkesson <marcus.folkesson(a)gmail.com> watchdog: da9052_wdt: respect TWDMIN Kyungwook Boo <bookyungwook(a)gmail.com> i40e: fix MMIO write access to an invalid page in i40e_clear_hw Zijun Hu <quic_zijuhu(a)quicinc.com> sock: Correct error checking condition for (assign|release)_proto_idx() Daniel Wagner <wagi(a)kernel.org> scsi: lpfc: Use memcpy() for BIOS version Ido Schimmel <idosch(a)nvidia.com> vxlan: Do not treat dst cache initialization errors as fatal Heiko Stuebner <heiko(a)sntech.de> clk: rockchip: rk3036: mark ddrphy as critical Benjamin Berg <benjamin(a)sipsolutions.net> wifi: mac80211: do not offer a mesh path if forwarding is disabled Jason Xing <kernelxing(a)tencent.com> net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT Eric Dumazet <edumazet(a)google.com> tcp: fix initial tp->rcvq_space.space value for passive TS enabled flows Eric Dumazet <edumazet(a)google.com> tcp: always seek for minimal rtt in tcp_rcv_rtt_update() Moon Yeounsu <yyyynoom(a)gmail.com> net: dlink: add synchronization for stats update Petr Malat <oss(a)malat.biz> sctp: Do not wake readers in __sctp_write_space() Alok Tiwari <alok.a.tiwari(a)oracle.com> emulex/benet: correct command version selection in be_cmd_get_stats() Tan En De <ende.tan(a)starfivetech.com> i2c: designware: Invoke runtime suspend on quick slave re-registration Sergio Perez Gonzalez <sperezglz(a)gmail.com> net: macb: Check return value of dma_set_mask_and_coherent() Viresh Kumar <viresh.kumar(a)linaro.org> cpufreq: Force sync policy boost with global boost on sysfs update Simon Schuster <schuster.simon(a)siemens-energy.com> nios2: force update_mmu_cache on spurious tlb-permission--related pagefaults Wentao Liang <vulab(a)iscas.ac.cn> media: platform: exynos4-is: Add hardware sync wait to fimc_is_hw_change_mode() Hans Verkuil <hverkuil(a)xs4all.nl> media: tc358743: ignore video while HPD is low Amber Lin <Amber.Lin(a)amd.com> drm/amdkfd: Set SDMA_RLCx_IB_CNTL/SWITCH_INSIDE_IB Dylan Wolff <wolffd(a)comp.nus.edu.sg> jfs: Fix null-ptr-deref in jfs_ioc_trim Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx9: fix CSIB handling Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx8: fix CSIB handling Aditya Dutt <duttaditya18(a)gmail.com> jfs: fix array-index-out-of-bounds read in add_missing_indices Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx7: fix CSIB handling Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx10: fix CSIB handling Akhil P Oommen <quic_akhilpo(a)quicinc.com> drm/msm/a6xx: Increase HFI response timeout Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add NULL pointer checks in dm_force_atomic_commit() Nas Chung <nas.chung(a)chipsnmedia.com> media: uapi: v4l: Fix V4L2_TYPE_IS_OUTPUT condition Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/hdmi: add runtime PM calls to DDC transfer function Damon Ding <damon.ding(a)rock-chips.com> drm/bridge: analogix_dp: Add irq flag IRQF_NO_AUTOEN instead of calling disable_irq() Long Li <leo.lilong(a)huawei.com> sunrpc: update nextcheck time when adding new cache entries Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx6: fix CSIB handling Peter Marheine <pmarheine(a)chromium.org> ACPI: battery: negate current when discharging Charan Teja Kalla <quic_charante(a)quicinc.com> PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() Jerry Lv <Jerry.Lv(a)axis.com> power: supply: bq27xxx: Retrieve again when busy Seunghun Han <kkamagui(a)gmail.com> ACPICA: fix acpi parse and parseext cache leaks Ahmed Salem <x0rw3ll(a)gmail.com> ACPICA: Avoid sequence overread in call to strncmp() Seunghun Han <kkamagui(a)gmail.com> ACPICA: fix acpi operand cache leak in dswstate.c David Lechner <dlechner(a)baylibre.com> iio: adc: ad7606_spi: fix reg write value mask Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> PCI: Fix lock symmetry in pci_slot_unlock() Huacai Chen <chenhuacai(a)loongson.cn> PCI: Add ACS quirk for Loongson PCIe Long Li <longli(a)microsoft.com> uio_hv_generic: Use correct size for interrupt and monitor pages Wentao Liang <vulab(a)iscas.ac.cn> regulator: max14577: Add error check for max14577_read_reg() Khem Raj <raj.khem(a)gmail.com> mips: Add -std= flag specified in KBUILD_CFLAGS to vdso CFLAGS Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: iio: ad5933: Correct settling cycles encoding per datasheet Qasim Ijaz <qasdev00(a)gmail.com> net: ch9200: fix uninitialised access during mii_nway_restart Ye Bin <yebin10(a)huawei.com> ftrace: Fix UAF when lookup kallsym after ftrace disabled Mikulas Patocka <mpatocka(a)redhat.com> dm-mirror: fix a tiny race condition Wentao Liang <vulab(a)iscas.ac.cn> mtd: nand: sunxi: Add randomizer configuration before randomizer enable Wentao Liang <vulab(a)iscas.ac.cn> mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk Jinliang Zheng <alexjlzheng(a)tencent.com> mm: fix ratelimit_pages update error in dirty_ratio_handler() Jeongjun Park <aha310510(a)gmail.com> ipc: fix to protect IPCS lookups using RCU Arnd Bergmann <arnd(a)arndb.de> parisc: fix building with gcc-15 GONG Ruiqi <gongruiqi1(a)huawei.com> vgacon: Add check for vc_origin address range in vgacon_scroll() Murad Masimov <m.masimov(a)mt-integration.ru> fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var Niravkumar L Rabara <niravkumar.l.rabara(a)intel.com> EDAC/altera: Use correct write width with the INTTEST register Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> NFC: nci: uart: Set tty->disc_data only in success path Jaegeuk Kim <jaegeuk(a)kernel.org> f2fs: prevent kernel warning due to negative i_nlink from corrupted image Dan Carpenter <dan.carpenter(a)linaro.org> Input: ims-pcu - check record size in ims_pcu_flash_firmware() Jan Kara <jack(a)suse.cz> ext4: fix calculation of credits for extent tree modification Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> ext4: inline: fix len overflow in ext4_prepare_inline_data Ioana Ciornei <ioana.ciornei(a)nxp.com> bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device Tasos Sahanidis <tasos(a)tasossah.com> ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 Ross Stutterheim <ross.stutterheim(a)garmin.com> ARM: 9447/1: arm/memremap: fix arch_memremap_can_ram_remap() Ma Ke <make24(a)iscas.ac.cn> media: v4l2-dev: fix error handling in __video_register_device() Wentao Liang <vulab(a)iscas.ac.cn> media: gspca: Add error handling for stv06xx_read_sensor() Mingcong Bai <jeffbai(a)aosc.io> wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723 NeilBrown <neil(a)brown.name> nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request Christian Lamparter <chunkeey(a)gmail.com> wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() Alexander Aring <aahringo(a)redhat.com> gfs2: move msleep to sleepable context Zijun Hu <quic_zijuhu(a)quicinc.com> configfs: Do not override creating attribute file failure in populate_attrs() Oliver Neukum <oneukum(a)suse.com> net: usb: aqc111: debug info before sanitation Eric Dumazet <edumazet(a)google.com> calipso: unlock rcu before returning -EAFNOSUPPORT Stefano Stabellini <stefano.stabellini(a)amd.com> xen/arm: call uaccess_ttbr0_enable for dm_op hypercall Mathias Nyman <mathias.nyman(a)linux.intel.com> usb: Flush altsetting 0 endpoints before reinitializating them after reset. Zijun Hu <quic_zijuhu(a)quicinc.com> fs/filesystems: Fix potential unsigned integer underflow in fs_name() Jakub Raczynski <j.raczynski(a)samsung.com> net/mdiobus: Fix potential out-of-bounds read/write access Nathan Chancellor <nathan(a)kernel.org> drm/amd/display: Do not add '-mhard-float' to dcn2{1,0}_resource.o for clang Nathan Chancellor <nathan(a)kernel.org> drm/amd/display: Do not add '-mhard-float' to dml_ccflags for clang Nathan Chancellor <nathan(a)kernel.org> MIPS: Move '-Wa,-msoft-float' check from as-option to cc-option Nick Desaulniers <ndesaulniers(a)google.com> x86/boot/compressed: prefer cc-option for CFLAGS additions Andrew Lunn <andrew(a)lunn.ch> net: mdio: C22 is now optional, EOPNOTSUPP if not provided Eric Dumazet <edumazet(a)google.com> net_sched: tbf: fix a race in tbf_change() Eric Dumazet <edumazet(a)google.com> net_sched: red: fix a race in __red_change() Eric Dumazet <edumazet(a)google.com> net_sched: prio: fix a race in prio_tune() Patrisious Haddad <phaddad(a)nvidia.com> net/mlx5: Fix return value when searching for existing flow group Paul Blakey <paulb(a)mellanox.com> net/mlx5: Wait for inactive autogroups Robert Malz <robert.malz(a)canonical.com> i40e: retry VFLR handling if there is ongoing VF reset Robert Malz <robert.malz(a)canonical.com> i40e: return false from i40e_reset_vf if reset is in progress Eric Dumazet <edumazet(a)google.com> net_sched: sch_sfq: fix a potential crash on gso_skb handling Alok Tiwari <alok.a.tiwari(a)oracle.com> scsi: iscsi: Fix incorrect error path labels for flashnode operations Chuck Lever <chuck.lever(a)oracle.com> NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes Chuck Lever <chuck.lever(a)oracle.com> NFSD: Fix ia_size underflow Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: synaptics-rmi - fix crash with unsupported versions of F34 zhang songyi <zhang.songyi(a)zte.com.cn> Input: synaptics-rmi4 - convert to use sysfs_emit() APIs Dan Carpenter <dan.carpenter(a)linaro.org> pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id() Al Viro <viro(a)zeniv.linux.org.uk> do_change_type(): refuse to operate on unmounted/not ours mounts Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PM: sleep: Fix power.is_suspended cleanup for direct-complete devices Michal Kubiak <michal.kubiak(a)intel.com> ice: create new Tx scheduler nodes for new queues only Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION Dan Carpenter <dan.carpenter(a)linaro.org> net/mlx4_en: Prevent potential integer overflow calculating Hz Nicolas Pitre <npitre(a)baylibre.com> vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() Henry Martin <bsdhenrymartin(a)gmail.com> serial: Fix potential null-ptr-deref in mlb_usio_probe() Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> usb: renesas_usbhs: Reorder clock handling and power management in probe Alexandre Mergnat <amergnat(a)baylibre.com> rtc: Fix offset calculation for .start_secs < 0 Wolfram Sang <wsa+renesas(a)sang-engineering.com> rtc: sh: assign correct interrupts with DT Dapeng Mi <dapeng1.mi(a)linux.intel.com> perf record: Fix incorrect --user-regs comments Leo Yan <leo.yan(a)arm.com> perf tests switch-tracking: Fix timestamp comparison Alexey Gladkov <legion(a)kernel.org> mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove() Dan Carpenter <dan.carpenter(a)linaro.org> rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send() Adrian Hunter <adrian.hunter(a)intel.com> perf scripts python: exported-sql-viewer.py: Fix pattern matching with Python 3 Arnaldo Carvalho de Melo <acme(a)redhat.com> perf ui browser hists: Set actions->thread before calling do_zoom_thread() Sergey Shtylyov <s.shtylyov(a)omp.ru> fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() Henry Martin <bsdhenrymartin(a)gmail.com> soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() Su Hui <suhui(a)nfschina.com> soc: aspeed: lpc: Fix impossible judgment condition Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399 Puma with Haikou Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon device Ioana Ciornei <ioana.ciornei(a)nxp.com> bus: fsl-mc: fix double-free on mc_dev Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() Wentao Liang <vulab(a)iscas.ac.cn> nilfs2: add pointer check for nilfs_direct_propagate() Phillip Lougher <phillip(a)squashfs.org.uk> Squashfs: check return result of sb_min_blocksize Wolfram Sang <wsa+renesas(a)sang-engineering.com> ARM: dts: at91: at91sam9263: fix NAND chip selects Wolfram Sang <wsa+renesas(a)sang-engineering.com> ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select Zhiguo Niu <zhiguo.niu(a)unisoc.com> f2fs: fix to correct check conditions in f2fs_cross_rename Zhiguo Niu <zhiguo.niu(a)unisoc.com> f2fs: use d_inode(dentry) cleanup dentry->d_inode Kuniyuki Iwashima <kuniyu(a)amazon.com> calipso: Don't call calipso functions for AF_INET sk. Thangaraj Samynathan <thangaraj.s(a)microchip.com> net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> net: usb: aqc111: fix error handling of usbnet read calls Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy Toke Høiland-Jørgensen <toke(a)toke.dk> wifi: ath9k_htc: Abort software beacon handling if disabled Tao Chen <chen.dylane(a)linux.dev> bpf: Fix WARN() in get_bpf_raw_tp_regs Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> pinctrl: at91: Fix possible out-of-boundary access Jiayuan Chen <jiayuan.chen(a)linux.dev> ktls, sockmap: Fix missing uncharge operation Huajian Yang <huajianyang(a)asrmicro.com> netfilter: bridge: Move specific fragmented packet to slow_path instead of dropping it Chao Yu <chao(a)kernel.org> f2fs: clean up w/ fscrypt_is_bounce_page() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h Dmitry Antipov <dmantipov(a)yandex.ru> wifi: rtw88: do not ignore hardware read error during DPK Hari Kalavakunta <kalavakunta.hari.prasad(a)gmail.com> net: ncsi: Fix GCPS 64-bit member variables Chao Yu <chao(a)kernel.org> f2fs: fix to do sanity check on sbi->total_valid_block_count Biju Das <biju.das.jz(a)bp.renesas.com> drm/tegra: rgb: Fix the unbound reference count Kees Cook <kees(a)kernel.org> drm/vkms: Adjust vkms_state->active_planes allocation type Biju Das <biju.das.jz(a)bp.renesas.com> drm: rcar-du: Fix memory leak in rcar_du_vsps_init() Neill Kapron <nkapron(a)google.com> selftests/seccomp: fix syscall_restart test for arm compat Miaoqian Lin <linmq006(a)gmail.com> firmware: psci: Fix refcount leak in psci_dt_init Finn Thain <fthain(a)linux-m68k.org> m68k: mac: Fix macintosh_config for Mac II Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: Add seqno waiter for sync_files Geert Uytterhoeven <geert+renesas(a)glider.be> spi: sh-msiof: Fix maximum DMA transfer size Armin Wolf <W_Armin(a)gmx.de> ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions" Jiaqing Zhao <jiaqing.zhao(a)linux.intel.com> x86/mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges() Zijun Hu <quic_zijuhu(a)quicinc.com> PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks() Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> EDAC/skx_common: Fix general protection fault Herbert Xu <herbert(a)gondor.apana.org.au> crypto: marvell/cesa - Avoid empty transfer descriptor Herbert Xu <herbert(a)gondor.apana.org.au> crypto: marvell/cesa - Handle zero-length skcipher requests Ahmed S. Darwish <darwi(a)linutronix.de> x86/cpu: Sanitize CPUID(0x80000000) output Qing Wang <wangqing7171(a)gmail.com> perf/core: Fix broken throttling when max_samples_per_tick=1 Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: gfs2_create_inode error handling fix Florian Westphal <fw(a)strlen.de> netfilter: nft_socket: fix sk refcount leaks Sergey Senozhatsky <senozhatsky(a)chromium.org> thunderbolt: Do not double dequeue a configuration request Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix timeout value in get_stb Hongyu Xie <xiehongyu1(a)kylinos.cn> usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device Jiayi Li <lijiayi(a)kylinos.cn> usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: set GPIO output value before setting direction Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 Pan Taixi <pantaixi(a)huaweicloud.com> tracing: Fix compilation warning on arm32 ------------- Diffstat: Documentation/admin-guide/kernel-parameters.txt | 2 - MAINTAINERS | 9 ++ Makefile | 4 +- arch/arm/boot/dts/am335x-bone-common.dtsi | 8 ++ arch/arm/boot/dts/at91sam9263ek.dts | 2 +- arch/arm/boot/dts/qcom-apq8064.dtsi | 13 +- arch/arm/boot/dts/tny_a9263.dts | 2 +- arch/arm/boot/dts/usb_a9263.dts | 4 +- arch/arm/mach-omap2/clockdomain.h | 1 + arch/arm/mach-omap2/clockdomains33xx_data.c | 2 +- arch/arm/mach-omap2/cm33xx.c | 14 ++- arch/arm/mm/ioremap.c | 4 +- .../arm64/boot/dts/rockchip/rk3399-puma-haikou.dts | 8 -- arch/arm64/kernel/ptrace.c | 2 +- arch/arm64/xen/hypercall.S | 21 +++- arch/m68k/mac/config.c | 2 +- arch/mips/Makefile | 2 +- arch/mips/vdso/Makefile | 1 + arch/nios2/include/asm/pgtable.h | 16 +++ arch/parisc/boot/compressed/Makefile | 1 + arch/powerpc/kernel/eeh.c | 2 + arch/s390/pci/pci_mmio.c | 2 +- arch/x86/boot/compressed/Makefile | 2 +- arch/x86/kernel/cpu/bugs.c | 10 +- arch/x86/kernel/cpu/common.c | 17 +-- arch/x86/kernel/cpu/mtrr/generic.c | 2 +- drivers/acpi/acpica/dsutils.c | 9 +- drivers/acpi/acpica/psobject.c | 52 +++----- drivers/acpi/battery.c | 19 ++- drivers/acpi/osi.c | 1 - drivers/ata/pata_via.c | 3 +- drivers/atm/atmtcp.c | 4 +- drivers/base/power/domain.c | 2 +- drivers/base/power/main.c | 3 +- drivers/base/power/runtime.c | 2 +- drivers/block/aoe/aoedev.c | 8 ++ drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +- drivers/bus/fsl-mc/mc-io.c | 19 ++- drivers/bus/fsl-mc/mc-sys.c | 2 +- drivers/bus/ti-sysc.c | 49 -------- drivers/clk/rockchip/clk-rk3036.c | 1 + drivers/cpufreq/cpufreq.c | 6 +- drivers/crypto/marvell/cipher.c | 3 + drivers/crypto/marvell/hash.c | 2 +- drivers/edac/altera_edac.c | 6 +- drivers/edac/skx_common.c | 1 + drivers/firmware/psci/psci.c | 4 +- drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 2 - drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c | 2 - drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c | 2 - drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c | 2 - drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 2 - drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c | 4 + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 18 ++- drivers/gpu/drm/amd/display/dc/dcn20/Makefile | 2 +- drivers/gpu/drm/amd/display/dc/dcn21/Makefile | 2 +- drivers/gpu/drm/amd/display/dc/dml/Makefile | 3 +- drivers/gpu/drm/bridge/analogix/analogix_dp_core.c | 5 +- drivers/gpu/drm/msm/adreno/a6xx_hfi.c | 2 +- drivers/gpu/drm/msm/hdmi/hdmi_i2c.c | 14 ++- drivers/gpu/drm/nouveau/nouveau_backlight.c | 2 +- drivers/gpu/drm/rcar-du/rcar_du_kms.c | 10 +- drivers/gpu/drm/tegra/rgb.c | 14 ++- drivers/gpu/drm/vkms/vkms_crtc.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 26 ++++ drivers/hid/hid-hyperv.c | 5 +- drivers/hid/usbhid/hid-core.c | 25 ++-- drivers/hwmon/occ/common.c | 28 ++--- drivers/i2c/busses/i2c-designware-slave.c | 2 +- drivers/iio/adc/ad7606_spi.c | 2 +- drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 1 - drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 1 + drivers/infiniband/hw/hns/hns_roce_restrack.c | 1 - drivers/input/misc/ims-pcu.c | 6 + drivers/input/misc/sparcspkr.c | 22 +++- drivers/input/rmi4/rmi_f34.c | 135 ++++++++++++--------- drivers/md/dm-raid1.c | 5 +- drivers/media/i2c/tc358743.c | 4 + drivers/media/platform/exynos4-is/fimc-is-regs.c | 1 + drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c | 7 +- drivers/media/v4l2-core/v4l2-dev.c | 14 +-- drivers/mfd/exynos-lpass.c | 1 - drivers/mfd/stmpe-spi.c | 2 +- drivers/mtd/nand/raw/sunxi_nand.c | 2 + drivers/net/ethernet/cadence/macb_main.c | 6 +- drivers/net/ethernet/dlink/dl2k.c | 14 ++- drivers/net/ethernet/dlink/dl2k.h | 2 + drivers/net/ethernet/emulex/benet/be_cmds.c | 2 +- drivers/net/ethernet/intel/i40e/i40e_common.c | 7 +- drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 11 +- drivers/net/ethernet/intel/ice/ice_sched.c | 11 +- drivers/net/ethernet/mellanox/mlx4/en_clock.c | 2 +- drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 13 +- drivers/net/ethernet/microchip/lan743x_main.c | 4 +- drivers/net/phy/mdio_bus.c | 16 ++- drivers/net/usb/aqc111.c | 10 +- drivers/net/usb/ch9200.c | 7 +- drivers/net/vxlan.c | 8 +- drivers/net/wireless/ath/ath9k/htc_drv_beacon.c | 3 + drivers/net/wireless/ath/carl9170/usb.c | 19 ++- drivers/net/wireless/intersil/p54/fwio.c | 2 + drivers/net/wireless/intersil/p54/p54.h | 1 + drivers/net/wireless/intersil/p54/txrx.c | 13 +- drivers/net/wireless/realtek/rtlwifi/pci.c | 10 ++ drivers/net/wireless/realtek/rtw88/rtw8822c.c | 3 +- drivers/pci/pci.c | 3 +- drivers/pci/quirks.c | 23 ++++ drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 35 +++--- drivers/pinctrl/pinctrl-at91.c | 6 +- drivers/platform/Kconfig | 2 + drivers/platform/Makefile | 1 + drivers/platform/surface/Kconfig | 14 +++ drivers/platform/surface/Makefile | 5 + drivers/platform/x86/dell_rbu.c | 2 +- drivers/power/supply/bq27xxx_battery.c | 2 +- drivers/power/supply/bq27xxx_battery_i2c.c | 13 +- drivers/rapidio/rio_cm.c | 3 + drivers/regulator/max14577-regulator.c | 5 +- drivers/rpmsg/qcom_smd.c | 2 +- drivers/rtc/Kconfig | 10 ++ drivers/rtc/Makefile | 1 + drivers/rtc/class.c | 2 +- drivers/rtc/lib.c | 121 +++++++++++++----- drivers/rtc/lib_test.c | 79 ++++++++++++ drivers/rtc/rtc-sh.c | 12 +- drivers/s390/scsi/zfcp_sysfs.c | 2 + drivers/scsi/lpfc/lpfc_sli.c | 4 +- drivers/scsi/scsi_transport_iscsi.c | 11 +- drivers/scsi/storvsc_drv.c | 10 +- drivers/soc/aspeed/aspeed-lpc-snoop.c | 17 ++- drivers/spi/spi-sh-msiof.c | 13 +- drivers/staging/iio/impedance-analyzer/ad5933.c | 2 +- drivers/tee/tee_core.c | 11 +- drivers/thunderbolt/ctl.c | 5 + drivers/tty/serial/milbeaut_usio.c | 5 +- drivers/tty/vt/vt_ioctl.c | 2 - drivers/uio/uio_hv_generic.c | 4 +- drivers/usb/class/usbtmc.c | 4 +- drivers/usb/core/hub.c | 16 ++- drivers/usb/core/quirks.c | 3 + drivers/usb/gadget/function/f_hid.c | 12 +- drivers/usb/renesas_usbhs/common.c | 50 ++++++-- drivers/usb/storage/unusual_uas.h | 7 ++ drivers/video/console/vgacon.c | 2 +- drivers/video/fbdev/core/fbcvt.c | 2 +- drivers/video/fbdev/core/fbmem.c | 4 +- drivers/watchdog/da9052_wdt.c | 1 + fs/configfs/dir.c | 2 +- fs/ext4/extents.c | 11 +- fs/ext4/inline.c | 2 +- fs/f2fs/data.c | 2 +- fs/f2fs/f2fs.h | 10 +- fs/f2fs/namei.c | 19 ++- fs/f2fs/super.c | 4 +- fs/filesystems.c | 14 ++- fs/gfs2/inode.c | 3 +- fs/gfs2/lock_dlm.c | 3 +- fs/jbd2/transaction.c | 3 +- fs/jffs2/erase.c | 4 +- fs/jffs2/scan.c | 4 +- fs/jffs2/summary.c | 7 +- fs/jfs/jfs_discard.c | 3 +- fs/jfs/jfs_dtree.c | 18 ++- fs/namespace.c | 4 + fs/nfsd/nfs3xdr.c | 2 +- fs/nfsd/nfs4proc.c | 3 +- fs/nfsd/vfs.c | 4 + fs/nilfs2/btree.c | 4 +- fs/nilfs2/direct.c | 3 + fs/squashfs/super.c | 5 + include/acpi/actypes.h | 2 +- include/linux/atmdev.h | 6 + include/linux/hid.h | 3 +- include/trace/events/erofs.h | 18 --- include/uapi/linux/videodev2.h | 1 - ipc/shm.c | 5 +- kernel/events/core.c | 23 ++-- kernel/exit.c | 17 +-- kernel/power/wakelock.c | 3 + kernel/time/posix-cpu-timers.c | 9 ++ kernel/trace/bpf_trace.c | 2 +- kernel/trace/ftrace.c | 10 +- kernel/trace/trace.c | 2 +- mm/huge_memory.c | 2 +- mm/page-writeback.c | 2 +- net/atm/common.c | 1 + net/atm/lec.c | 12 +- net/atm/raw.c | 2 +- net/bluetooth/l2cap_core.c | 3 +- net/bridge/netfilter/nf_conntrack_bridge.c | 12 +- net/core/sock.c | 4 +- net/ipv4/route.c | 4 + net/ipv4/tcp_input.c | 63 +++++----- net/ipv6/calipso.c | 8 ++ net/ipv6/netfilter.c | 12 +- net/ipv6/netfilter/nft_fib_ipv6.c | 13 +- net/mac80211/mesh_hwmp.c | 6 +- net/mpls/af_mpls.c | 4 +- net/ncsi/internal.h | 21 ++-- net/ncsi/ncsi-pkt.h | 23 ++-- net/ncsi/ncsi-rsp.c | 21 ++-- net/netfilter/nft_socket.c | 3 +- net/netlabel/netlabel_kapi.c | 5 + net/nfc/nci/uart.c | 8 +- net/sched/sch_prio.c | 2 +- net/sched/sch_red.c | 2 +- net/sched/sch_sfq.c | 5 +- net/sched/sch_tbf.c | 2 +- net/sctp/socket.c | 3 +- net/sunrpc/cache.c | 2 + net/sunrpc/xprtrdma/verbs.c | 2 + net/tipc/udp_media.c | 4 +- net/tls/tls_sw.c | 7 ++ security/selinux/xfrm.c | 2 +- sound/pci/hda/hda_intel.c | 2 + sound/pci/hda/patch_realtek.c | 1 + tools/perf/builtin-record.c | 2 +- tools/perf/scripts/python/exported-sql-viewer.py | 5 +- tools/perf/tests/switch-tracking.c | 2 +- tools/perf/ui/browsers/hists.c | 2 +- tools/testing/selftests/seccomp/seccomp_bpf.c | 7 +- 222 files changed, 1294 insertions(+), 648 deletions(-)

4 months, 2 weeks

5
4
0 0

[PATCH] comedi: Fix use of uninitialized data in insn_rw_emulate_bits()

by Ian Abbott

For Comedi `INSN_READ` and `INSN_WRITE` instructions on "digital" subdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and `COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have `insn_read` and `insn_write` handler functions, but to have an `insn_bits` handler function for handling Comedi `INSN_BITS` instructions. In that case, the subdevice's `insn_read` and/or `insn_write` function handler pointers are set to point to the `insn_rw_emulate_bits()` function by `__comedi_device_postconfig()`. For `INSN_WRITE`, `insn_rw_emulate_bits()` currently assumes that the supplied `data[0]` value is a valid copy from user memory. It will at least exist because `do_insnlist_ioctl()` and `do_insn_ioctl()` in "comedi_fops.c" ensure at lease `MIN_SAMPLES` (16) elements are allocated. However, if `insn->n` is 0 (which is allowable for `INSN_READ` and `INSN_WRITE` instructions, then `data[0]` may contain uninitialized data, and certainly contains invalid data, possibly from a different instruction in the array of instructions handled by `do_insnlist_ioctl()`. This will result in an incorrect value being written to the digital output channel (or to the digital input/output channel if configured as an output), and may be reflected in the internal saved state of the channel. Fix it by returning 0 early if `insn->n` is 0, before reaching the code that accesses `data[0]`. Previously, the function always returned 1 on success, but it is supposed to be the number of data samples actually read or written up to `insn->n`, which is 0 in this case. Reported-by: syzbot+cb96ec476fb4914445c9(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=cb96ec476fb4914445c9 Fixes: ed9eccbe8970 ("Staging: add comedi core") Cc: <stable(a)vger.kernel.org> # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> --- Patch does not apply cleanly to longterm kernels 5.4.x and 5.10.x. --- drivers/comedi/drivers.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/comedi/drivers.c b/drivers/comedi/drivers.c index 376130bfba8a..98e565088289 100644 --- a/drivers/comedi/drivers.c +++ b/drivers/comedi/drivers.c @@ -615,6 +615,9 @@ static int insn_rw_emulate_bits(struct comedi_device *dev, unsigned int _data[2]; int ret; + if (insn->n == 0) + return 0; + memset(_data, 0, sizeof(_data)); memset(&_insn, 0, sizeof(_insn)); _insn.insn = INSN_BITS; -- 2.47.2

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate()" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x fba46a5d83ca8decb338722fb4899026d8d9ead2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025063032-shed-reseller-6709@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fba46a5d83ca8decb338722fb4899026d8d9ead2 Mon Sep 17 00:00:00 2001 From: "Liam R. Howlett" <Liam.Howlett(a)oracle.com> Date: Mon, 16 Jun 2025 14:45:20 -0400 Subject: [PATCH] maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() Temporarily clear the preallocation flag when explicitly requesting allocations. Pre-existing allocations are already counted against the request through mas_node_count_gfp(), but the allocations will not happen if the MA_STATE_PREALLOC flag is set. This flag is meant to avoid re-allocating in bulk allocation mode, and to detect issues with preallocation calculations. The MA_STATE_PREALLOC flag should also always be set on zero allocations so that detection of underflow allocations will print a WARN_ON() during consumption. User visible effect of this flaw is a WARN_ON() followed by a null pointer dereference when subsequent requests for larger number of nodes is ignored, such as the vma merge retry in mmap_region() caused by drivers altering the vma flags (which happens in v6.6, at least) Link: https://lkml.kernel.org/r/20250616184521.3382795-3-Liam.Howlett@oracle.com Fixes: 54a611b60590 ("Maple Tree: add new data structure") Signed-off-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Reported-by: Zhaoyang Huang <zhaoyang.huang(a)unisoc.com> Reported-by: Hailong Liu <hailong.liu(a)oppo.com> Link: https://lore.kernel.org/all/1652f7eb-a51b-4fee-8058-c73af63bacd1@oppo.com/ Link: https://lore.kernel.org/all/20250428184058.1416274-1-Liam.Howlett@oracle.co… Link: https://lore.kernel.org/all/20250429014754.1479118-1-Liam.Howlett@oracle.co… Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Hailong Liu <hailong.liu(a)oppo.com> Cc: zhangpeng.00(a)bytedance.com <zhangpeng.00(a)bytedance.com> Cc: Steve Kang <Steve.Kang(a)unisoc.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Sidhartha Kumar <sidhartha.kumar(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/lib/maple_tree.c b/lib/maple_tree.c index affe979bd14d..00524e55a21e 100644 --- a/lib/maple_tree.c +++ b/lib/maple_tree.c @@ -5527,8 +5527,9 @@ int mas_preallocate(struct ma_state *mas, void *entry, gfp_t gfp) mas->store_type = mas_wr_store_type(&wr_mas); request = mas_prealloc_calc(&wr_mas, entry); if (!request) - return ret; + goto set_flag; + mas->mas_flags &= ~MA_STATE_PREALLOC; mas_node_count_gfp(mas, request, gfp); if (mas_is_err(mas)) { mas_set_alloc_req(mas, 0); @@ -5538,6 +5539,7 @@ int mas_preallocate(struct ma_state *mas, void *entry, gfp_t gfp) return ret; } +set_flag: mas->mas_flags |= MA_STATE_PREALLOC; return ret; }

4 months, 2 weeks

3
3
0 0

[PATCH net] net: phy: realtek: Reset after clock enable

by Sebastian Reichel

On Radxa ROCK 4D boards we are seeing some issues with PHY detection and stability (e.g. link loss, or not capable of transceiving packages) after new board revisions switched from a dedicated crystal to providing the 25 MHz PHY input clock from the SoC instead. This board is using a RTL8211F PHY, which is connected to an always-on regulator. Unfortunately the datasheet does not explicitly mention the power-up sequence regarding the clock, but it seems to assume that the clock is always-on (i.e. dedicated crystal). By doing an explicit reset after enabling the clock, the issue on the boards could no longer be observed. Cc: stable(a)vger.kernel.org Fixes: 7300c9b574cc ("net: phy: realtek: Add optional external PHY clock") Signed-off-by: Sebastian Reichel <sebastian.reichel(a)collabora.com> --- drivers/net/phy/realtek/realtek_main.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/phy/realtek/realtek_main.c b/drivers/net/phy/realtek/realtek_main.c index c3dcb62574303374666b46a454cd4e10de455d24..3a783f0c3b4f2a4f6aa63a16ad309e3471b0932a 100644 --- a/drivers/net/phy/realtek/realtek_main.c +++ b/drivers/net/phy/realtek/realtek_main.c @@ -231,6 +231,10 @@ static int rtl821x_probe(struct phy_device *phydev) return dev_err_probe(dev, PTR_ERR(priv->clk), "failed to get phy clock\n"); + /* enabling the clock might produce glitches, so hard-reset the PHY */ + phy_device_reset(phydev, 1); + phy_device_reset(phydev, 0); + ret = phy_read_paged(phydev, RTL8211F_PHYCR_PAGE, RTL8211F_PHYCR1); if (ret < 0) return ret; --- base-commit: 4c06e63b92038fadb566b652ec3ec04e228931e8 change-id: 20250704-phy-realtek-clock-fix-6cd393e8cb2a Best regards, -- Sebastian Reichel <sre(a)kernel.org>

4 months, 2 weeks

4
4
0 0

[PATCH] comedi: das6402: Fix bit shift out of bounds

by Ian Abbott

When checking for a supported IRQ number, the following test is used: /* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */ if ((1 << it->options[1]) & 0x8cec) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Valid `it->options[1]` values that select the IRQ will be in the range [1,15]. The value 0 explicitly disables the use of interrupts. Fixes: 79e5e6addbb1 ("staging: comedi: das6402: rewrite broken driver") Cc: <stable(a)vger.kernel.org> # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> --- Patch does not apply cleanly to longterm kernels 5.4.x and 5.10.x. --- drivers/comedi/drivers/das6402.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/comedi/drivers/das6402.c b/drivers/comedi/drivers/das6402.c index 68f95330de45..7660487e563c 100644 --- a/drivers/comedi/drivers/das6402.c +++ b/drivers/comedi/drivers/das6402.c @@ -567,7 +567,8 @@ static int das6402_attach(struct comedi_device *dev, das6402_reset(dev); /* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */ - if ((1 << it->options[1]) & 0x8cec) { + if (it->options[1] > 0 && it->options[1] < 16 && + (1 << it->options[1]) & 0x8cec) { ret = request_irq(it->options[1], das6402_interrupt, 0, dev->board_name, dev); if (ret == 0) { -- 2.47.2

4 months, 2 weeks

1
0
0 0

[PATCH] comedi: aio_iiro_16: Fix bit shift out of bounds

by Ian Abbott

When checking for a supported IRQ number, the following test is used: if ((1 << it->options[1]) & 0xdcfc) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Valid `it->options[1]` values that select the IRQ will be in the range [1,15]. The value 0 explicitly disables the use of interrupts. Fixes: ad7a370c8be4 ("staging: comedi: aio_iiro_16: add command support for change of state detection") Cc: <stable(a)vger.kernel.org> # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> --- Patch does not apply cleanly to longterm kernels 5.4.x and 5.10.x. --- drivers/comedi/drivers/aio_iiro_16.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/comedi/drivers/aio_iiro_16.c b/drivers/comedi/drivers/aio_iiro_16.c index b00fab0b89d4..739cc4db52ac 100644 --- a/drivers/comedi/drivers/aio_iiro_16.c +++ b/drivers/comedi/drivers/aio_iiro_16.c @@ -177,7 +177,8 @@ static int aio_iiro_16_attach(struct comedi_device *dev, * Digital input change of state interrupts are optionally supported * using IRQ 2-7, 10-12, 14, or 15. */ - if ((1 << it->options[1]) & 0xdcfc) { + if (it->options[1] > 0 && it->options[1] < 16 && + (1 << it->options[1]) & 0xdcfc) { ret = request_irq(it->options[1], aio_iiro_16_cos, 0, dev->board_name, dev); if (ret == 0) -- 2.47.2

4 months, 2 weeks

1
0
0 0

[PATCH] comedi: pcl812: Fix bit shift out of bounds

by Ian Abbott

When checking for a supported IRQ number, the following test is used: if ((1 << it->options[1]) & board->irq_bits) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Valid `it->options[1]` values that select the IRQ will be in the range [1,15]. The value 0 explicitly disables the use of interrupts. Reported-by: syzbot+32de323b0addb9e114ff(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=32de323b0addb9e114ff Fixes: fcdb427bc7cf ("Staging: comedi: add pcl821 driver") Cc: <stable(a)vger.kernel.org> # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> --- Patch does not apply cleanly to longterm kernels 5.4.x and 5.10.x. --- drivers/comedi/drivers/pcl812.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/comedi/drivers/pcl812.c b/drivers/comedi/drivers/pcl812.c index 0df639c6a595..abca61a72cf7 100644 --- a/drivers/comedi/drivers/pcl812.c +++ b/drivers/comedi/drivers/pcl812.c @@ -1149,7 +1149,8 @@ static int pcl812_attach(struct comedi_device *dev, struct comedi_devconfig *it) if (IS_ERR(dev->pacer)) return PTR_ERR(dev->pacer); - if ((1 << it->options[1]) & board->irq_bits) { + if (it->options[1] > 0 && it->options[1] < 16 && + (1 << it->options[1]) & board->irq_bits) { ret = request_irq(it->options[1], pcl812_interrupt, 0, dev->board_name, dev); if (ret == 0) -- 2.47.2

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm/hugetlb: unshare page tables during VMA split, not before" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 081056dc00a27bccb55ccc3c6f230a3d5fd3f7e0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025062041-uplifted-cahoots-6c42@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 081056dc00a27bccb55ccc3c6f230a3d5fd3f7e0 Mon Sep 17 00:00:00 2001 From: Jann Horn <jannh(a)google.com> Date: Tue, 27 May 2025 23:23:53 +0200 Subject: [PATCH] mm/hugetlb: unshare page tables during VMA split, not before Currently, __split_vma() triggers hugetlb page table unsharing through vm_ops->may_split(). This happens before the VMA lock and rmap locks are taken - which is too early, it allows racing VMA-locked page faults in our process and racing rmap walks from other processes to cause page tables to be shared again before we actually perform the split. Fix it by explicitly calling into the hugetlb unshare logic from __split_vma() in the same place where THP splitting also happens. At that point, both the VMA and the rmap(s) are write-locked. An annoying detail is that we can now call into the helper hugetlb_unshare_pmds() from two different locking contexts: 1. from hugetlb_split(), holding: - mmap lock (exclusively) - VMA lock - file rmap lock (exclusively) 2. hugetlb_unshare_all_pmds(), which I think is designed to be able to call us with only the mmap lock held (in shared mode), but currently only runs while holding mmap lock (exclusively) and VMA lock Backporting note: This commit fixes a racy protection that was introduced in commit b30c14cd6102 ("hugetlb: unshare some PMDs when splitting VMAs"); that commit claimed to fix an issue introduced in 5.13, but it should actually also go all the way back. [jannh(a)google.com: v2] Link: https://lkml.kernel.org/r/20250528-hugetlb-fixes-splitrace-v2-1-1329349bad1… Link: https://lkml.kernel.org/r/20250528-hugetlb-fixes-splitrace-v2-0-1329349bad1… Link: https://lkml.kernel.org/r/20250527-hugetlb-fixes-splitrace-v1-1-f4136f5ec58… Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page") Signed-off-by: Jann Horn <jannh(a)google.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Oscar Salvador <osalvador(a)suse.de> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> [b30c14cd6102: hugetlb: unshare some PMDs when splitting VMAs] Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h index 0598f36931de..42f374e828a2 100644 --- a/include/linux/hugetlb.h +++ b/include/linux/hugetlb.h @@ -279,6 +279,7 @@ bool is_hugetlb_entry_migration(pte_t pte); bool is_hugetlb_entry_hwpoisoned(pte_t pte); void hugetlb_unshare_all_pmds(struct vm_area_struct *vma); void fixup_hugetlb_reservations(struct vm_area_struct *vma); +void hugetlb_split(struct vm_area_struct *vma, unsigned long addr); #else /* !CONFIG_HUGETLB_PAGE */ @@ -476,6 +477,8 @@ static inline void fixup_hugetlb_reservations(struct vm_area_struct *vma) { } +static inline void hugetlb_split(struct vm_area_struct *vma, unsigned long addr) {} + #endif /* !CONFIG_HUGETLB_PAGE */ #ifndef pgd_write diff --git a/mm/hugetlb.c b/mm/hugetlb.c index f0b1d53079f9..7ba020d489d4 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -121,7 +121,7 @@ static void hugetlb_vma_lock_free(struct vm_area_struct *vma); static void hugetlb_vma_lock_alloc(struct vm_area_struct *vma); static void __hugetlb_vma_unlock_write_free(struct vm_area_struct *vma); static void hugetlb_unshare_pmds(struct vm_area_struct *vma, - unsigned long start, unsigned long end); + unsigned long start, unsigned long end, bool take_locks); static struct resv_map *vma_resv_map(struct vm_area_struct *vma); static void hugetlb_free_folio(struct folio *folio) @@ -5426,26 +5426,40 @@ static int hugetlb_vm_op_split(struct vm_area_struct *vma, unsigned long addr) { if (addr & ~(huge_page_mask(hstate_vma(vma)))) return -EINVAL; + return 0; +} +void hugetlb_split(struct vm_area_struct *vma, unsigned long addr) +{ /* * PMD sharing is only possible for PUD_SIZE-aligned address ranges * in HugeTLB VMAs. If we will lose PUD_SIZE alignment due to this * split, unshare PMDs in the PUD_SIZE interval surrounding addr now. + * This function is called in the middle of a VMA split operation, with + * MM, VMA and rmap all write-locked to prevent concurrent page table + * walks (except hardware and gup_fast()). */ + vma_assert_write_locked(vma); + i_mmap_assert_write_locked(vma->vm_file->f_mapping); + if (addr & ~PUD_MASK) { - /* - * hugetlb_vm_op_split is called right before we attempt to - * split the VMA. We will need to unshare PMDs in the old and - * new VMAs, so let's unshare before we split. - */ unsigned long floor = addr & PUD_MASK; unsigned long ceil = floor + PUD_SIZE; - if (floor >= vma->vm_start && ceil <= vma->vm_end) - hugetlb_unshare_pmds(vma, floor, ceil); + if (floor >= vma->vm_start && ceil <= vma->vm_end) { + /* + * Locking: + * Use take_locks=false here. + * The file rmap lock is already held. + * The hugetlb VMA lock can't be taken when we already + * hold the file rmap lock, and we don't need it because + * its purpose is to synchronize against concurrent page + * table walks, which are not possible thanks to the + * locks held by our caller. + */ + hugetlb_unshare_pmds(vma, floor, ceil, /* take_locks = */ false); + } } - - return 0; } static unsigned long hugetlb_vm_op_pagesize(struct vm_area_struct *vma) @@ -7885,9 +7899,16 @@ void move_hugetlb_state(struct folio *old_folio, struct folio *new_folio, int re spin_unlock_irq(&hugetlb_lock); } +/* + * If @take_locks is false, the caller must ensure that no concurrent page table + * access can happen (except for gup_fast() and hardware page walks). + * If @take_locks is true, we take the hugetlb VMA lock (to lock out things like + * concurrent page fault handling) and the file rmap lock. + */ static void hugetlb_unshare_pmds(struct vm_area_struct *vma, unsigned long start, - unsigned long end) + unsigned long end, + bool take_locks) { struct hstate *h = hstate_vma(vma); unsigned long sz = huge_page_size(h); @@ -7911,8 +7932,12 @@ static void hugetlb_unshare_pmds(struct vm_area_struct *vma, mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, mm, start, end); mmu_notifier_invalidate_range_start(&range); - hugetlb_vma_lock_write(vma); - i_mmap_lock_write(vma->vm_file->f_mapping); + if (take_locks) { + hugetlb_vma_lock_write(vma); + i_mmap_lock_write(vma->vm_file->f_mapping); + } else { + i_mmap_assert_write_locked(vma->vm_file->f_mapping); + } for (address = start; address < end; address += PUD_SIZE) { ptep = hugetlb_walk(vma, address, sz); if (!ptep) @@ -7922,8 +7947,10 @@ static void hugetlb_unshare_pmds(struct vm_area_struct *vma, spin_unlock(ptl); } flush_hugetlb_tlb_range(vma, start, end); - i_mmap_unlock_write(vma->vm_file->f_mapping); - hugetlb_vma_unlock_write(vma); + if (take_locks) { + i_mmap_unlock_write(vma->vm_file->f_mapping); + hugetlb_vma_unlock_write(vma); + } /* * No need to call mmu_notifier_arch_invalidate_secondary_tlbs(), see * Documentation/mm/mmu_notifier.rst. @@ -7938,7 +7965,8 @@ static void hugetlb_unshare_pmds(struct vm_area_struct *vma, void hugetlb_unshare_all_pmds(struct vm_area_struct *vma) { hugetlb_unshare_pmds(vma, ALIGN(vma->vm_start, PUD_SIZE), - ALIGN_DOWN(vma->vm_end, PUD_SIZE)); + ALIGN_DOWN(vma->vm_end, PUD_SIZE), + /* take_locks = */ true); } /* diff --git a/mm/vma.c b/mm/vma.c index 1c6595f282e5..7ebc9eb608f4 100644 --- a/mm/vma.c +++ b/mm/vma.c @@ -539,7 +539,14 @@ __split_vma(struct vma_iterator *vmi, struct vm_area_struct *vma, init_vma_prep(&vp, vma); vp.insert = new; vma_prepare(&vp); + + /* + * Get rid of huge pages and shared page tables straddling the split + * boundary. + */ vma_adjust_trans_huge(vma, vma->vm_start, addr, NULL); + if (is_vm_hugetlb_page(vma)) + hugetlb_split(vma, addr); if (new_below) { vma->vm_start = addr; diff --git a/tools/testing/vma/vma_internal.h b/tools/testing/vma/vma_internal.h index 441feb21aa5a..4505b1c31be1 100644 --- a/tools/testing/vma/vma_internal.h +++ b/tools/testing/vma/vma_internal.h @@ -932,6 +932,8 @@ static inline void vma_adjust_trans_huge(struct vm_area_struct *vma, (void)next; } +static inline void hugetlb_split(struct vm_area_struct *, unsigned long) {} + static inline void vma_iter_free(struct vma_iterator *vmi) { mas_destroy(&vmi->mas);

4 months, 2 weeks

4
8
0 0

[PATCH] comedi: das16m1: Fix bit shift out of bounds

by Ian Abbott

When checking for a supported IRQ number, the following test is used: /* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */ if ((1 << it->options[1]) & 0xdcfc) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Reported-by: syzbot+c52293513298e0fd9a94(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c52293513298e0fd9a94 Fixes: 729988507680 ("staging: comedi: das16m1: tidy up the irq support in das16m1_attach()") Tested-by: syzbot+c52293513298e0fd9a94(a)syzkaller.appspotmail.com Suggested-by: "Enju, Kohei" <enjuk(a)amazon.co.jp> Cc: <stable(a)vger.kernel.org> # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> --- Patch does not apply cleanly to longterm kernels 5.4.x and 5.10.x. --- drivers/comedi/drivers/das16m1.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/comedi/drivers/das16m1.c b/drivers/comedi/drivers/das16m1.c index b8ea737ad3d1..1b638f5b5a4f 100644 --- a/drivers/comedi/drivers/das16m1.c +++ b/drivers/comedi/drivers/das16m1.c @@ -522,7 +522,8 @@ static int das16m1_attach(struct comedi_device *dev, devpriv->extra_iobase = dev->iobase + DAS16M1_8255_IOBASE; /* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */ - if ((1 << it->options[1]) & 0xdcfc) { + if (it->options[1] >= 2 && it->options[1] <= 15 && + (1 << it->options[1]) & 0xdcfc) { ret = request_irq(it->options[1], das16m1_interrupt, 0, dev->board_name, dev); if (ret == 0) -- 2.47.2

4 months, 2 weeks

1
0
0 0

[PATCH] platform/x86: alienware-wmi-wmax: Fix `dmi_system_id` array

by Kurt Borja

Add missing empty member to `awcc_dmi_table`. Cc: stable(a)vger.kernel.org Fixes: 6d7f1b1a5db6 ("platform/x86: alienware-wmi: Split DMI table") Signed-off-by: Kurt Borja <kuurtb(a)gmail.com> --- drivers/platform/x86/dell/alienware-wmi-wmax.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/platform/x86/dell/alienware-wmi-wmax.c b/drivers/platform/x86/dell/alienware-wmi-wmax.c index 20ec122a9fe0571a1ecd2ccf630615564ab30481..1c21be25dba54699b9ba21f53e3845df166396e1 100644 --- a/drivers/platform/x86/dell/alienware-wmi-wmax.c +++ b/drivers/platform/x86/dell/alienware-wmi-wmax.c @@ -233,6 +233,7 @@ static const struct dmi_system_id awcc_dmi_table[] __initconst = { }, .driver_data = &g_series_quirks, }, + {} }; enum AWCC_GET_FAN_SENSORS_OPERATIONS { --- base-commit: 4f30f946f27b7f044cf8f3f1f353dee1dcd3517a change-id: 20250705-dmi-fix-df17f8619956 -- ~ Kurt

4 months, 2 weeks

3
2
0 0

[PATCH] comedi: Fix some signed shift left operations

by Ian Abbott

Correct some left shifts of the signed integer constant 1 by some unsigned number less than 32. Change the constant to 1U to avoid shifting a 1 into the sign bit. The corrected functions are comedi_dio_insn_config(), comedi_dio_update_state(), and __comedi_device_postconfig(). Fixes: e523c6c86232 ("staging: comedi: drivers: introduce comedi_dio_insn_config()") Fixes: 05e60b13a36b ("staging: comedi: drivers: introduce comedi_dio_update_state()") Fixes: 09567cb4373e ("staging: comedi: initialize subdevice s->io_bits in postconfig") Cc: <stable(a)vger.kernel.org> # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> --- drivers/comedi/drivers.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/drivers/comedi/drivers.c b/drivers/comedi/drivers.c index 376130bfba8a..922fe20738ef 100644 --- a/drivers/comedi/drivers.c +++ b/drivers/comedi/drivers.c @@ -339,10 +339,10 @@ int comedi_dio_insn_config(struct comedi_device *dev, unsigned int *data, unsigned int mask) { - unsigned int chan_mask = 1 << CR_CHAN(insn->chanspec); + unsigned int chan = CR_CHAN(insn->chanspec); - if (!mask) - mask = chan_mask; + if (!mask && chan < 32) + mask = 1U << chan; switch (data[0]) { case INSN_CONFIG_DIO_INPUT: @@ -382,7 +382,7 @@ EXPORT_SYMBOL_GPL(comedi_dio_insn_config); unsigned int comedi_dio_update_state(struct comedi_subdevice *s, unsigned int *data) { - unsigned int chanmask = (s->n_chan < 32) ? ((1 << s->n_chan) - 1) + unsigned int chanmask = (s->n_chan < 32) ? ((1U << s->n_chan) - 1) : 0xffffffff; unsigned int mask = data[0] & chanmask; unsigned int bits = data[1]; @@ -625,8 +625,8 @@ static int insn_rw_emulate_bits(struct comedi_device *dev, if (insn->insn == INSN_WRITE) { if (!(s->subdev_flags & SDF_WRITABLE)) return -EINVAL; - _data[0] = 1 << (chan - base_chan); /* mask */ - _data[1] = data[0] ? (1 << (chan - base_chan)) : 0; /* bits */ + _data[0] = 1U << (chan - base_chan); /* mask */ + _data[1] = data[0] ? (1U << (chan - base_chan)) : 0; /* bits */ } ret = s->insn_bits(dev, s, &_insn, _data); @@ -709,7 +709,7 @@ static int __comedi_device_postconfig(struct comedi_device *dev) if (s->type == COMEDI_SUBD_DO) { if (s->n_chan < 32) - s->io_bits = (1 << s->n_chan) - 1; + s->io_bits = (1U << s->n_chan) - 1; else s->io_bits = 0xffffffff; } -- 2.47.2

4 months, 2 weeks

1
0
0 0

[PATCH v2] drm/bridge: tc358767: fix uninitialized variable regression

by Luca Ceresoli

Commit a59a27176914 ("drm/bridge: tc358767: convert to devm_drm_bridge_alloc() API") split tc_probe_bridge_endpoint() in two functions, thus duplicating the loop over the endpoints in each of those functions. However it missed duplicating the of_graph_parse_endpoint() call which initializes the struct of_endpoint, resulting in an uninitialized read. Fixes: a59a27176914 ("drm/bridge: tc358767: convert to devm_drm_bridge_alloc() API") Cc: stable(a)vger.kernel.org Reported-by: Colin King (gmail) <colin.i.king(a)gmail.com> Closes: https://lore.kernel.org/all/056b34c3-c1ea-4b8c-9672-c98903ffd012@gmail.com/ Reviewed-by: Colin Ian King <colin.i.king(a)gmail.com> Signed-off-by: Luca Ceresoli <luca.ceresoli(a)bootlin.com> --- - Link to v1: https://lore.kernel.org/r/20250703-drm-bridge-alloc-fix-tc358767-regression… --- Changes in v2: - fix 'Closes:' tag URL - add 'Cc: stable(a)vger.kernel.org' --- drivers/gpu/drm/bridge/tc358767.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/bridge/tc358767.c b/drivers/gpu/drm/bridge/tc358767.c index 61559467e2d22b4b1b4223c97766ca3bf58908fd..562fea47b3ecf360e64a414e95ab5d645e610e9e 100644 --- a/drivers/gpu/drm/bridge/tc358767.c +++ b/drivers/gpu/drm/bridge/tc358767.c @@ -2422,6 +2422,7 @@ static int tc_probe_bridge_endpoint(struct tc_data *tc, enum tc_mode mode) struct device_node *node = NULL; for_each_endpoint_of_node(dev->of_node, node) { + of_graph_parse_endpoint(node, &endpoint); if (endpoint.port == 2) { of_property_read_u8_array(node, "toshiba,pre-emphasis", tc->pre_emphasis, --- base-commit: b4cd18f485687a2061ee7a0ce6833851fc4438da change-id: 20250703-drm-bridge-alloc-fix-tc358767-regression-536ea2861af6 Best regards, -- Luca Ceresoli <luca.ceresoli(a)bootlin.com>

4 months, 2 weeks

2
2
0 0

[PATCH v2] drm/framebuffer: Acquire internal references on GEM handles

by Thomas Zimmermann

Acquire GEM handles in drm_framebuffer_init() and release them in the corresponding drm_framebuffer_cleanup(). Ties the handle's lifetime to the framebuffer. Not all GEM buffer objects have GEM handles. If not set, no refcounting takes place. This is the case for some fbdev emulation. This is not a problem as these GEM objects do not use dma-bufs and drivers will not release them while fbdev emulation is running. Framebuffer flags keep a bit per color plane of which the framebuffer holds a GEM handle reference. As all drivers use drm_framebuffer_init(), they will now all hold dma-buf references as fixed in commit 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers"). In the GEM framebuffer helpers, restore the original ref counting on buffer objects. As the helpers for handle refcounting are now no longer called from outside the DRM core, unexport the symbols. v2: - track framebuffer handle refs by flag - drop gma500 cleanup (Christian) Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Fixes: 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers") Reported-by: Bert Karwatzki <spasswolf(a)web.de> Closes: https://lore.kernel.org/dri-devel/20250703115915.3096-1-spasswolf@web.de/ Tested-by: Bert Karwatzki <spasswolf(a)web.de> Tested-by: Mario Limonciello <superm1(a)kernel.org> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: Anusha Srivatsa <asrivats(a)redhat.com> Cc: Christian König <christian.koenig(a)amd.com> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Maxime Ripard <mripard(a)kernel.org> Cc: Sumit Semwal <sumit.semwal(a)linaro.org> Cc: "Christian König" <christian.koenig(a)amd.com> Cc: linux-media(a)vger.kernel.org Cc: dri-devel(a)lists.freedesktop.org Cc: linaro-mm-sig(a)lists.linaro.org Cc: <stable(a)vger.kernel.org> --- drivers/gpu/drm/drm_framebuffer.c | 31 ++++++++++++++-- drivers/gpu/drm/drm_gem.c | 38 ++++++++++++-------- drivers/gpu/drm/drm_gem_framebuffer_helper.c | 16 ++++----- drivers/gpu/drm/drm_internal.h | 2 +- drivers/gpu/drm/drm_modeset_helper.c | 2 +- include/drm/drm_framebuffer.h | 9 +++++ 6 files changed, 71 insertions(+), 27 deletions(-) diff --git a/drivers/gpu/drm/drm_framebuffer.c b/drivers/gpu/drm/drm_framebuffer.c index b781601946db..23b56cde21d7 100644 --- a/drivers/gpu/drm/drm_framebuffer.c +++ b/drivers/gpu/drm/drm_framebuffer.c @@ -862,11 +862,23 @@ EXPORT_SYMBOL_FOR_TESTS_ONLY(drm_framebuffer_free); int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb, const struct drm_framebuffer_funcs *funcs) { + unsigned int i; int ret; + bool exists; if (WARN_ON_ONCE(fb->dev != dev || !fb->format)) return -EINVAL; + for (i = 0; i < fb->format->num_planes; i++) { + if (drm_WARN_ON_ONCE(dev, fb->flags & DRM_FRAMEBUFFER_HAS_HANDLE_REF(i))) + fb->flags &= ~DRM_FRAMEBUFFER_HAS_HANDLE_REF(i); + if (fb->obj[i]) { + exists = drm_gem_object_handle_get_if_exists_unlocked(fb->obj[i]); + if (exists) + fb->flags |= DRM_FRAMEBUFFER_HAS_HANDLE_REF(i); + } + } + INIT_LIST_HEAD(&fb->filp_head); fb->funcs = funcs; @@ -875,7 +887,7 @@ int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb, ret = __drm_mode_object_add(dev, &fb->base, DRM_MODE_OBJECT_FB, false, drm_framebuffer_free); if (ret) - goto out; + goto err; mutex_lock(&dev->mode_config.fb_lock); dev->mode_config.num_fb++; @@ -883,7 +895,16 @@ int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb, mutex_unlock(&dev->mode_config.fb_lock); drm_mode_object_register(dev, &fb->base); -out: + + return 0; + +err: + for (i = 0; i < fb->format->num_planes; i++) { + if (fb->flags & DRM_FRAMEBUFFER_HAS_HANDLE_REF(i)) { + drm_gem_object_handle_put_unlocked(fb->obj[i]); + fb->flags &= ~DRM_FRAMEBUFFER_HAS_HANDLE_REF(i); + } + } return ret; } EXPORT_SYMBOL(drm_framebuffer_init); @@ -960,6 +981,12 @@ EXPORT_SYMBOL(drm_framebuffer_unregister_private); void drm_framebuffer_cleanup(struct drm_framebuffer *fb) { struct drm_device *dev = fb->dev; + unsigned int i; + + for (i = 0; i < fb->format->num_planes; i++) { + if (fb->flags & DRM_FRAMEBUFFER_HAS_HANDLE_REF(i)) + drm_gem_object_handle_put_unlocked(fb->obj[i]); + } mutex_lock(&dev->mode_config.fb_lock); list_del(&fb->head); diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index bc505d938b3e..41cdab6088ae 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -224,23 +224,34 @@ static void drm_gem_object_handle_get(struct drm_gem_object *obj) } /** - * drm_gem_object_handle_get_unlocked - acquire reference on user-space handles + * drm_gem_object_handle_get_if_exists_unlocked - acquire reference on user-space handle, if any * @obj: GEM object * - * Acquires a reference on the GEM buffer object's handle. Required - * to keep the GEM object alive. Call drm_gem_object_handle_put_unlocked() - * to release the reference. + * Acquires a reference on the GEM buffer object's handle. Required to keep + * the GEM object alive. Call drm_gem_object_handle_put_if_exists_unlocked() + * to release the reference. Does nothing if the buffer object has no handle. + * + * Returns: + * True if a handle exists, or false otherwise */ -void drm_gem_object_handle_get_unlocked(struct drm_gem_object *obj) +bool drm_gem_object_handle_get_if_exists_unlocked(struct drm_gem_object *obj) { struct drm_device *dev = obj->dev; guard(mutex)(&dev->object_name_lock); - drm_WARN_ON(dev, !obj->handle_count); /* first ref taken in create-tail helper */ + /* + * First ref taken during GEM object creation, if any. Some + * drivers set up internal framebuffers with GEM objects that + * do not have a GEM handle. Hence, this counter can be zero. + */ + if (!obj->handle_count) + return false; + drm_gem_object_handle_get(obj); + + return true; } -EXPORT_SYMBOL(drm_gem_object_handle_get_unlocked); /** * drm_gem_object_handle_free - release resources bound to userspace handles @@ -273,7 +284,7 @@ static void drm_gem_object_exported_dma_buf_free(struct drm_gem_object *obj) } /** - * drm_gem_object_handle_put_unlocked - releases reference on user-space handles + * drm_gem_object_handle_put_unlocked - releases reference on user-space handle * @obj: GEM object * * Releases a reference on the GEM buffer object's handle. Possibly releases @@ -284,14 +295,14 @@ void drm_gem_object_handle_put_unlocked(struct drm_gem_object *obj) struct drm_device *dev = obj->dev; bool final = false; - if (WARN_ON(READ_ONCE(obj->handle_count) == 0)) + if (drm_WARN_ON(dev, READ_ONCE(obj->handle_count) == 0)) return; /* - * Must bump handle count first as this may be the last - * ref, in which case the object would disappear before we - * checked for a name - */ + * Must bump handle count first as this may be the last + * ref, in which case the object would disappear before + * we checked for a name. + */ mutex_lock(&dev->object_name_lock); if (--obj->handle_count == 0) { @@ -304,7 +315,6 @@ void drm_gem_object_handle_put_unlocked(struct drm_gem_object *obj) if (final) drm_gem_object_put(obj); } -EXPORT_SYMBOL(drm_gem_object_handle_put_unlocked); /* * Called at device or object close to release the file's diff --git a/drivers/gpu/drm/drm_gem_framebuffer_helper.c b/drivers/gpu/drm/drm_gem_framebuffer_helper.c index c60d0044d036..618ce725cd75 100644 --- a/drivers/gpu/drm/drm_gem_framebuffer_helper.c +++ b/drivers/gpu/drm/drm_gem_framebuffer_helper.c @@ -100,7 +100,7 @@ void drm_gem_fb_destroy(struct drm_framebuffer *fb) unsigned int i; for (i = 0; i < fb->format->num_planes; i++) - drm_gem_object_handle_put_unlocked(fb->obj[i]); + drm_gem_object_put(fb->obj[i]); drm_framebuffer_cleanup(fb); kfree(fb); @@ -183,10 +183,8 @@ int drm_gem_fb_init_with_funcs(struct drm_device *dev, if (!objs[i]) { drm_dbg_kms(dev, "Failed to lookup GEM object\n"); ret = -ENOENT; - goto err_gem_object_handle_put_unlocked; + goto err_gem_object_put; } - drm_gem_object_handle_get_unlocked(objs[i]); - drm_gem_object_put(objs[i]); min_size = (height - 1) * mode_cmd->pitches[i] + drm_format_info_min_pitch(info, i, width) @@ -196,22 +194,22 @@ int drm_gem_fb_init_with_funcs(struct drm_device *dev, drm_dbg_kms(dev, "GEM object size (%zu) smaller than minimum size (%u) for plane %d\n", objs[i]->size, min_size, i); - drm_gem_object_handle_put_unlocked(objs[i]); + drm_gem_object_put(objs[i]); ret = -EINVAL; - goto err_gem_object_handle_put_unlocked; + goto err_gem_object_put; } } ret = drm_gem_fb_init(dev, fb, mode_cmd, objs, i, funcs); if (ret) - goto err_gem_object_handle_put_unlocked; + goto err_gem_object_put; return 0; -err_gem_object_handle_put_unlocked: +err_gem_object_put: while (i > 0) { --i; - drm_gem_object_handle_put_unlocked(objs[i]); + drm_gem_object_put(objs[i]); } return ret; } diff --git a/drivers/gpu/drm/drm_internal.h b/drivers/gpu/drm/drm_internal.h index f921cc73f8b8..e79c3c623c9a 100644 --- a/drivers/gpu/drm/drm_internal.h +++ b/drivers/gpu/drm/drm_internal.h @@ -161,7 +161,7 @@ void drm_sysfs_lease_event(struct drm_device *dev); /* drm_gem.c */ int drm_gem_init(struct drm_device *dev); -void drm_gem_object_handle_get_unlocked(struct drm_gem_object *obj); +bool drm_gem_object_handle_get_if_exists_unlocked(struct drm_gem_object *obj); void drm_gem_object_handle_put_unlocked(struct drm_gem_object *obj); int drm_gem_handle_create_tail(struct drm_file *file_priv, struct drm_gem_object *obj, diff --git a/drivers/gpu/drm/drm_modeset_helper.c b/drivers/gpu/drm/drm_modeset_helper.c index ef32f6af10d4..1e8822c4b370 100644 --- a/drivers/gpu/drm/drm_modeset_helper.c +++ b/drivers/gpu/drm/drm_modeset_helper.c @@ -94,7 +94,7 @@ void drm_helper_mode_fill_fb_struct(struct drm_device *dev, fb->offsets[i] = mode_cmd->offsets[i]; } fb->modifier = mode_cmd->modifier[0]; - fb->flags = mode_cmd->flags; + fb->flags = mode_cmd->flags & DRM_FRAMEBUFFER_FLAGS_UAPI_MASK; } EXPORT_SYMBOL(drm_helper_mode_fill_fb_struct); diff --git a/include/drm/drm_framebuffer.h b/include/drm/drm_framebuffer.h index 668077009fce..11fa20d21c58 100644 --- a/include/drm/drm_framebuffer.h +++ b/include/drm/drm_framebuffer.h @@ -23,6 +23,7 @@ #ifndef __DRM_FRAMEBUFFER_H__ #define __DRM_FRAMEBUFFER_H__ +#include <linux/bits.h> #include <linux/ctype.h> #include <linux/list.h> #include <linux/sched.h> @@ -100,6 +101,14 @@ struct drm_framebuffer_funcs { unsigned num_clips); }; +#define __DRM_FRAMEBUFFER_FLAGS_BIT_OFFSET 16 + +#define DRM_FRAMEBUFFER_FLAGS_UAPI_MASK \ + GENMASK(__DRM_FRAMEBUFFER_FLAGS_BIT_OFFSET - 1, 0) + +#define DRM_FRAMEBUFFER_HAS_HANDLE_REF(_i) \ + BIT((__DRM_FRAMEBUFFER_FLAGS_BIT_OFFSET + (_i))) + /** * struct drm_framebuffer - frame buffer object * -- 2.50.0

4 months, 2 weeks

2
2
0 0

[PATCH v 7] usb: dwc2: gadget: Fix enter to hibernation for UTMI+ PHY

by Minas Harutyunyan

For UTMI+ PHY, according to programming guide, first should be set PMUACTV bit then STOPPCLK bit. Otherwise, when the device issues Remote Wakeup, then host notices disconnect instead. For ULPI PHY, above mentioned bits must be set in reversed order: STOPPCLK then PMUACTV. Fixes: 4483ef3c1685 ("usb: dwc2: Add hibernation updates for ULPI PHY") Cc: stable(a)vger.kernel.org Signed-off-by: Minas Harutyunyan <Minas.Harutyunyan(a)synopsys.com> --- Changes in v7: - Fixed email formating Changes in v6: - Rabased on usb-next branch over commit 7481a97c5f49 Changes in v5: - Rebased on top of Linux 6.16-rc2 Changes in v4: - Rebased on top of Linux 6.15-rc6 Changes in v3: - Rebased on top of Linux 6.15-rc4 Changes in v2: - Added Cc: stable(a)vger.kernel.org drivers/usb/dwc2/gadget.c | 38 ++++++++++++++++++++++++++------------ 1 file changed, 26 insertions(+), 12 deletions(-) diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c index d5b622f78cf3..0637bfbc054e 100644 --- a/drivers/usb/dwc2/gadget.c +++ b/drivers/usb/dwc2/gadget.c @@ -5389,20 +5389,34 @@ int dwc2_gadget_enter_hibernation(struct dwc2_hsotg *hsotg) if (gusbcfg & GUSBCFG_ULPI_UTMI_SEL) { /* ULPI interface */ gpwrdn |= GPWRDN_ULPI_LATCH_EN_DURING_HIB_ENTRY; - } - dwc2_writel(hsotg, gpwrdn, GPWRDN); - udelay(10); + dwc2_writel(hsotg, gpwrdn, GPWRDN); + udelay(10); - /* Suspend the Phy Clock */ - pcgcctl = dwc2_readl(hsotg, PCGCTL); - pcgcctl |= PCGCTL_STOPPCLK; - dwc2_writel(hsotg, pcgcctl, PCGCTL); - udelay(10); + /* Suspend the Phy Clock */ + pcgcctl = dwc2_readl(hsotg, PCGCTL); + pcgcctl |= PCGCTL_STOPPCLK; + dwc2_writel(hsotg, pcgcctl, PCGCTL); + udelay(10); - gpwrdn = dwc2_readl(hsotg, GPWRDN); - gpwrdn |= GPWRDN_PMUACTV; - dwc2_writel(hsotg, gpwrdn, GPWRDN); - udelay(10); + gpwrdn = dwc2_readl(hsotg, GPWRDN); + gpwrdn |= GPWRDN_PMUACTV; + dwc2_writel(hsotg, gpwrdn, GPWRDN); + udelay(10); + } else { + /* UTMI+ Interface */ + dwc2_writel(hsotg, gpwrdn, GPWRDN); + udelay(10); + + gpwrdn = dwc2_readl(hsotg, GPWRDN); + gpwrdn |= GPWRDN_PMUACTV; + dwc2_writel(hsotg, gpwrdn, GPWRDN); + udelay(10); + + pcgcctl = dwc2_readl(hsotg, PCGCTL); + pcgcctl |= PCGCTL_STOPPCLK; + dwc2_writel(hsotg, pcgcctl, PCGCTL); + udelay(10); + } /* Set flag to indicate that we are in hibernation */ hsotg->hibernated = 1; base-commit: 7481a97c5f49f10c7490bb990d0e863f23b9bb71 -- 2.41.0

4 months, 2 weeks

1
0
0 0

[PATCH v 6] usb: dwc2: gadget: Fix enter to hibernation for UTMI+ PHY

by Minas Harutyunyan

For UTMI+ PHY, according to programming guide, first should be set PMUACTV bit then STOPPCLK bit. Otherwise, when the device issues Remote Wakeup, then host notices disconnect instead. For ULPI PHY, above mentioned bits must be set in reversed order: STOPPCLK then PMUACTV. Fixes: 4483ef3c1685 ("usb: dwc2: Add hibernation updates for ULPI PHY") Cc: stable(a)vger.kernel.org Signed-off-by: Minas Harutyunyan <Minas.Harutyunyan(a)synopsys.com> --- Changes in v6: - Rabased on usb-next branch over commit 7481a97c5f49 Changes in v5: - Rebased on top of Linux 6.16-rc2 Changes in v4: - Rebased on top of Linux 6.15-rc6 Changes in v3: - Rebased on top of Linux 6.15-rc4 Changes in v2: - Added Cc: stable(a)vger.kernel.org drivers/usb/dwc2/gadget.c | 38 ++++++++++++++++++++++++++------------ 1 file changed, 26 insertions(+), 12 deletions(-) diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c index d5b622f78cf3..0637bfbc054e 100644 --- a/drivers/usb/dwc2/gadget.c +++ b/drivers/usb/dwc2/gadget.c @@ -5389,20 +5389,34 @@ int dwc2_gadget_enter_hibernation(struct dwc2_hsotg *hsotg) if (gusbcfg & GUSBCFG_ULPI_UTMI_SEL) { /* ULPI interface */ gpwrdn |= GPWRDN_ULPI_LATCH_EN_DURING_HIB_ENTRY; - } - dwc2_writel(hsotg, gpwrdn, GPWRDN); - udelay(10); + dwc2_writel(hsotg, gpwrdn, GPWRDN); + udelay(10); - /* Suspend the Phy Clock */ - pcgcctl = dwc2_readl(hsotg, PCGCTL); - pcgcctl |= PCGCTL_STOPPCLK; - dwc2_writel(hsotg, pcgcctl, PCGCTL); - udelay(10); + /* Suspend the Phy Clock */ + pcgcctl = dwc2_readl(hsotg, PCGCTL); + pcgcctl |= PCGCTL_STOPPCLK; + dwc2_writel(hsotg, pcgcctl, PCGCTL); + udelay(10); - gpwrdn = dwc2_readl(hsotg, GPWRDN); - gpwrdn |= GPWRDN_PMUACTV; - dwc2_writel(hsotg, gpwrdn, GPWRDN); - udelay(10); + gpwrdn = dwc2_readl(hsotg, GPWRDN); + gpwrdn |= GPWRDN_PMUACTV; + dwc2_writel(hsotg, gpwrdn, GPWRDN); + udelay(10); + } else { + /* UTMI+ Interface */ + dwc2_writel(hsotg, gpwrdn, GPWRDN); + udelay(10); + + gpwrdn = dwc2_readl(hsotg, GPWRDN); + gpwrdn |= GPWRDN_PMUACTV; + dwc2_writel(hsotg, gpwrdn, GPWRDN); + udelay(10); + + pcgcctl = dwc2_readl(hsotg, PCGCTL); + pcgcctl |= PCGCTL_STOPPCLK; + dwc2_writel(hsotg, pcgcctl, PCGCTL); + udelay(10); + } /* Set flag to indicate that we are in hibernation */ hsotg->hibernated = 1; base-commit: 7481a97c5f49f10c7490bb990d0e863f23b9bb71 -- 2.41.0

4 months, 2 weeks

2
1
0 0

[PATCH v1 mm-hotfixes] mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n

by Harry Yoo

Commit 48b4800a1c6a ("zsmalloc: page migration support") added support for migrating zsmalloc pages using the movable_operations migration framework. However, the commit did not take into account that zsmalloc supports migration only when CONFIG_COMPACTION is enabled. Tracing shows that zsmalloc was still passing the __GFP_MOVABLE flag even when compaction is not supported. This can result in unmovable pages being allocated from movable page blocks (even without stealing page blocks), ZONE_MOVABLE and CMA area. Clear the __GFP_MOVABLE flag when !IS_ENABLED(CONFIG_COMPACTION). Cc: stable(a)vger.kernel.org Fixes: 48b4800a1c6a ("zsmalloc: page migration support") Signed-off-by: Harry Yoo <harry.yoo(a)oracle.com> --- mm/zsmalloc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c index 999b513c7fdf..f3e2215f95eb 100644 --- a/mm/zsmalloc.c +++ b/mm/zsmalloc.c @@ -1043,6 +1043,9 @@ static struct zspage *alloc_zspage(struct zs_pool *pool, if (!zspage) return NULL; + if (!IS_ENABLED(CONFIG_COMPACTION)) + gfp &= ~__GFP_MOVABLE; + zspage->magic = ZSPAGE_MAGIC; zspage->pool = pool; zspage->class = class->index; -- 2.43.0

4 months, 2 weeks

3
3
0 0

[PATCH v1] arm64: dts: freescale: imx8mm-verdin: Keep LDO5 always on

by Francesco Dolcini

From: Francesco Dolcini <francesco.dolcini(a)toradex.com> LDO5 regulator is used to power the i.MX8MM NVCC_SD2 I/O supply, that is used for the SD2 card interface and also for some GPIOs. When the SD card interface is not enabled the regulator subsystem could turn off this supply, since it is not used anywhere else, however this will also remove the power to some other GPIOs, for example one I/O that is used to power the ethernet phy, leading to a non working ethernet interface. [ 31.820515] On-module +V3.3_1.8_SD (LDO5): disabling [ 31.821761] PMIC_USDHC_VSELECT: disabling [ 32.764949] fec 30be0000.ethernet end0: Link is Down Fix this keeping the LDO5 supply always on. Cc: stable(a)vger.kernel.org Fixes: 6a57f224f734 ("arm64: dts: freescale: add initial support for verdin imx8m mini") Fixes: f5aab0438ef1 ("regulator: pca9450: Fix enable register for LDO5") Signed-off-by: Francesco Dolcini <francesco.dolcini(a)toradex.com> --- arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi index d29710772569..1594ce9182a5 100644 --- a/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi +++ b/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi @@ -464,6 +464,7 @@ reg_vdd_phy: LDO4 { }; reg_nvcc_sd: LDO5 { + regulator-always-on; regulator-max-microvolt = <3300000>; regulator-min-microvolt = <1800000>; regulator-name = "On-module +V3.3_1.8_SD (LDO5)"; -- 2.39.5

4 months, 2 weeks

3
2
0 0

[PATCH] crypto: s390/sha - Fix uninitialized variable in SHA-1 and SHA-2

by Eric Biggers

Commit 88c02b3f79a6 ("s390/sha3: Support sha3 performance enhancements") added the field s390_sha_ctx::first_message_part and made it be used by s390_sha_update_blocks(). At the time, s390_sha_update_blocks() was used by all the s390 SHA-1, SHA-2, and SHA-3 algorithms. However, only the initialization functions for SHA-3 were updated, leaving SHA-1 and SHA-2 using first_message_part uninitialized. This could cause e.g. CPACF_KIMD_SHA_512 | CPACF_KIMD_NIP to be used instead of just CPACF_KIMD_NIP. It's unclear why this didn't cause a problem earlier; this bug was found only when UBSAN detected the uninitialized boolean. Perhaps the CPU ignores CPACF_KIMD_NIP for SHA-1 and SHA-2. Regardless, let's fix this. For now just initialize to false, i.e. don't try to "optimize" the SHA state initialization. Note: in 6.16, we need to patch SHA-1, SHA-384, and SHA-512. In 6.15 and earlier, we'll also need to patch SHA-224 and SHA-256, as they hadn't yet been librarified (which incidentally fixed this bug). Fixes: 88c02b3f79a6 ("s390/sha3: Support sha3 performance enhancements") Cc: stable(a)vger.kernel.org Reported-by: Ingo Franzki <ifranzki(a)linux.ibm.com> Closes: https://lore.kernel.org/r/12740696-595c-4604-873e-aefe8b405fbf@linux.ibm.com Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- This is targeting 6.16. I'd prefer to take this through libcrypto-fixes, since the librarification work is also touching this area. But let me know if there's a preference for the crypto tree or the s390 tree instead. arch/s390/crypto/sha1_s390.c | 1 + arch/s390/crypto/sha512_s390.c | 2 ++ 2 files changed, 3 insertions(+) diff --git a/arch/s390/crypto/sha1_s390.c b/arch/s390/crypto/sha1_s390.c index d229cbd2ba229..73672e76a88f9 100644 --- a/arch/s390/crypto/sha1_s390.c +++ b/arch/s390/crypto/sha1_s390.c @@ -36,10 +36,11 @@ static int s390_sha1_init(struct shash_desc *desc) sctx->state[2] = SHA1_H2; sctx->state[3] = SHA1_H3; sctx->state[4] = SHA1_H4; sctx->count = 0; sctx->func = CPACF_KIMD_SHA_1; + sctx->first_message_part = false; return 0; } static int s390_sha1_export(struct shash_desc *desc, void *out) diff --git a/arch/s390/crypto/sha512_s390.c b/arch/s390/crypto/sha512_s390.c index 33711a29618c3..e9e112025ff22 100644 --- a/arch/s390/crypto/sha512_s390.c +++ b/arch/s390/crypto/sha512_s390.c @@ -30,10 +30,11 @@ static int sha512_init(struct shash_desc *desc) ctx->sha512.state[6] = SHA512_H6; ctx->sha512.state[7] = SHA512_H7; ctx->count = 0; ctx->sha512.count_hi = 0; ctx->func = CPACF_KIMD_SHA_512; + ctx->first_message_part = false; return 0; } static int sha512_export(struct shash_desc *desc, void *out) @@ -95,10 +96,11 @@ static int sha384_init(struct shash_desc *desc) ctx->sha512.state[6] = SHA384_H6; ctx->sha512.state[7] = SHA384_H7; ctx->count = 0; ctx->sha512.count_hi = 0; ctx->func = CPACF_KIMD_SHA_512; + ctx->first_message_part = false; return 0; } static struct shash_alg sha384_alg = { base-commit: e540341508ce2f6e27810106253d5de194b66750 -- 2.50.0

4 months, 2 weeks

3
8
0 0

[PATCH 5/5] lib/crypto: x86/poly1305: Fix performance regression on short messages

by Eric Biggers

Restore the len >= 288 condition on using the AVX implementation, which was incidentally removed by commit 318c53ae02f2 ("crypto: x86/poly1305 - Add block-only interface"). This check took into account the overhead in key power computation, kernel-mode "FPU", and tail handling associated with the AVX code. Indeed, restoring this check slightly improves performance for len < 256 as measured using poly1305_kunit on an "AMD Ryzen AI 9 365" (Zen 5) CPU: Length Before After ====== ========== ========== 1 30 MB/s 36 MB/s 16 516 MB/s 598 MB/s 64 1700 MB/s 1882 MB/s 127 2265 MB/s 2651 MB/s 128 2457 MB/s 2827 MB/s 200 2702 MB/s 3238 MB/s 256 3841 MB/s 3768 MB/s 511 4580 MB/s 4585 MB/s 512 5430 MB/s 5398 MB/s 1024 7268 MB/s 7305 MB/s 3173 8999 MB/s 8948 MB/s 4096 9942 MB/s 9921 MB/s 16384 10557 MB/s 10545 MB/s While the optimal threshold for this CPU might be slightly lower than 288 (see the len == 256 case), other CPUs would need to be tested too, and these sorts of benchmarks can underestimate the true cost of kernel-mode "FPU". Therefore, for now just restore the 288 threshold. Fixes: 318c53ae02f2 ("crypto: x86/poly1305 - Add block-only interface") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- lib/crypto/x86/poly1305_glue.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/lib/crypto/x86/poly1305_glue.c b/lib/crypto/x86/poly1305_glue.c index 968d84677631..856d48fd422b 100644 --- a/lib/crypto/x86/poly1305_glue.c +++ b/lib/crypto/x86/poly1305_glue.c @@ -96,11 +96,19 @@ void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *inp, /* SIMD disables preemption, so relax after processing each page. */ BUILD_BUG_ON(SZ_4K < POLY1305_BLOCK_SIZE || SZ_4K % POLY1305_BLOCK_SIZE); + /* + * The AVX implementations have significant setup overhead (e.g. key + * power computation, kernel FPU enabling) which makes them slower for + * short messages. Fall back to the scalar implementation for messages + * shorter than 288 bytes, unless the AVX-specific key setup has already + * been performed (indicated by ctx->is_base2_26). + */ if (!static_branch_likely(&poly1305_use_avx) || + (len < POLY1305_BLOCK_SIZE * 18 && !ctx->is_base2_26) || unlikely(!irq_fpu_usable())) { convert_to_base2_64(ctx); poly1305_blocks_x86_64(ctx, inp, len, padbit); return; } -- 2.50.0

4 months, 2 weeks

1
0
0 0

[PATCH 4/5] lib/crypto: x86/poly1305: Fix register corruption in no-SIMD contexts

by Eric Biggers

Restore the SIMD usability check and base conversion that were removed by commit 318c53ae02f2 ("crypto: x86/poly1305 - Add block-only interface"). This safety check is cheap and is well worth eliminating a footgun. While the Poly1305 functions *should* be called only where SIMD registers are usable, if they are anyway, they should just do the right thing instead of corrupting random tasks' registers and/or computing incorrect MACs. Fixing this is also needed for poly1305_kunit to pass. Just use irq_fpu_usable() instead of the original crypto_simd_usable(), since poly1305_kunit won't rely on crypto_simd_disabled_for_test. Fixes: 318c53ae02f2 ("crypto: x86/poly1305 - Add block-only interface") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- lib/crypto/x86/poly1305_glue.c | 40 +++++++++++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/lib/crypto/x86/poly1305_glue.c b/lib/crypto/x86/poly1305_glue.c index b7e78a583e07..968d84677631 100644 --- a/lib/crypto/x86/poly1305_glue.c +++ b/lib/crypto/x86/poly1305_glue.c @@ -23,10 +23,46 @@ struct poly1305_arch_internal { u64 r[2]; u64 pad; struct { u32 r2, r1, r4, r3; } rn[9]; }; +/* + * The AVX code uses base 2^26, while the scalar code uses base 2^64. If we hit + * the unfortunate situation of using AVX and then having to go back to scalar + * -- because the user is silly and has called the update function from two + * separate contexts -- then we need to convert back to the original base before + * proceeding. It is possible to reason that the initial reduction below is + * sufficient given the implementation invariants. However, for an avoidance of + * doubt and because this is not performance critical, we do the full reduction + * anyway. Z3 proof of below function: https://xn--4db.cc/ltPtHCKN/py + */ +static void convert_to_base2_64(void *ctx) +{ + struct poly1305_arch_internal *state = ctx; + u32 cy; + + if (!state->is_base2_26) + return; + + cy = state->h[0] >> 26; state->h[0] &= 0x3ffffff; state->h[1] += cy; + cy = state->h[1] >> 26; state->h[1] &= 0x3ffffff; state->h[2] += cy; + cy = state->h[2] >> 26; state->h[2] &= 0x3ffffff; state->h[3] += cy; + cy = state->h[3] >> 26; state->h[3] &= 0x3ffffff; state->h[4] += cy; + state->hs[0] = ((u64)state->h[2] << 52) | ((u64)state->h[1] << 26) | state->h[0]; + state->hs[1] = ((u64)state->h[4] << 40) | ((u64)state->h[3] << 14) | (state->h[2] >> 12); + state->hs[2] = state->h[4] >> 24; + /* Unsigned Less Than: branchlessly produces 1 if a < b, else 0. */ +#define ULT(a, b) ((a ^ ((a ^ b) | ((a - b) ^ b))) >> (sizeof(a) * 8 - 1)) + cy = (state->hs[2] >> 2) + (state->hs[2] & ~3ULL); + state->hs[2] &= 3; + state->hs[0] += cy; + state->hs[1] += (cy = ULT(state->hs[0], cy)); + state->hs[2] += ULT(state->hs[1], cy); +#undef ULT + state->is_base2_26 = 0; +} + asmlinkage void poly1305_block_init_arch( struct poly1305_block_state *state, const u8 raw_key[POLY1305_BLOCK_SIZE]); EXPORT_SYMBOL_GPL(poly1305_block_init_arch); asmlinkage void poly1305_blocks_x86_64(struct poly1305_arch_internal *ctx, @@ -60,11 +96,13 @@ void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *inp, /* SIMD disables preemption, so relax after processing each page. */ BUILD_BUG_ON(SZ_4K < POLY1305_BLOCK_SIZE || SZ_4K % POLY1305_BLOCK_SIZE); - if (!static_branch_likely(&poly1305_use_avx)) { + if (!static_branch_likely(&poly1305_use_avx) || + unlikely(!irq_fpu_usable())) { + convert_to_base2_64(ctx); poly1305_blocks_x86_64(ctx, inp, len, padbit); return; } do { -- 2.50.0

4 months, 2 weeks

1
0
0 0

[PATCH 3/5] lib/crypto: arm64/poly1305: Fix register corruption in no-SIMD contexts

by Eric Biggers

Restore the SIMD usability check that was removed by commit a59e5468a921 ("crypto: arm64/poly1305 - Add block-only interface"). This safety check is cheap and is well worth eliminating a footgun. While the Poly1305 functions *should* be called only where SIMD registers are usable, if they are anyway, they should just do the right thing instead of corrupting random tasks' registers and/or computing incorrect MACs. Fixing this is also needed for poly1305_kunit to pass. Just use may_use_simd() instead of the original crypto_simd_usable(), since poly1305_kunit won't rely on crypto_simd_disabled_for_test. Fixes: a59e5468a921 ("crypto: arm64/poly1305 - Add block-only interface") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- lib/crypto/arm64/poly1305-glue.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/crypto/arm64/poly1305-glue.c b/lib/crypto/arm64/poly1305-glue.c index c9a74766785b..31aea21ce42f 100644 --- a/lib/crypto/arm64/poly1305-glue.c +++ b/lib/crypto/arm64/poly1305-glue.c @@ -5,10 +5,11 @@ * Copyright (C) 2019 Linaro Ltd. <ard.biesheuvel(a)linaro.org> */ #include <asm/hwcap.h> #include <asm/neon.h> +#include <asm/simd.h> #include <crypto/internal/poly1305.h> #include <linux/cpufeature.h> #include <linux/jump_label.h> #include <linux/kernel.h> #include <linux/module.h> @@ -31,11 +32,11 @@ static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon); void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src, unsigned int len, u32 padbit) { len = round_down(len, POLY1305_BLOCK_SIZE); - if (static_branch_likely(&have_neon)) { + if (static_branch_likely(&have_neon) && likely(may_use_simd())) { do { unsigned int todo = min_t(unsigned int, len, SZ_4K); kernel_neon_begin(); poly1305_blocks_neon(state, src, todo, padbit); -- 2.50.0

4 months, 2 weeks

1
0
0 0

[PATCH 2/5] lib/crypto: arm/poly1305: Fix register corruption in no-SIMD contexts

by Eric Biggers

Restore the SIMD usability check that was removed by commit 773426f4771b ("crypto: arm/poly1305 - Add block-only interface"). This safety check is cheap and is well worth eliminating a footgun. While the Poly1305 functions *should* be called only where SIMD registers are usable, if they are anyway, they should just do the right thing instead of corrupting random tasks' registers and/or computing incorrect MACs. Fixing this is also needed for poly1305_kunit to pass. Just use may_use_simd() instead of the original crypto_simd_usable(), since poly1305_kunit won't rely on crypto_simd_disabled_for_test. Fixes: 773426f4771b ("crypto: arm/poly1305 - Add block-only interface") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- lib/crypto/arm/poly1305-glue.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/crypto/arm/poly1305-glue.c b/lib/crypto/arm/poly1305-glue.c index 5b65b840c166..2d86c78af883 100644 --- a/lib/crypto/arm/poly1305-glue.c +++ b/lib/crypto/arm/poly1305-glue.c @@ -5,10 +5,11 @@ * Copyright (C) 2019 Linaro Ltd. <ard.biesheuvel(a)linaro.org> */ #include <asm/hwcap.h> #include <asm/neon.h> +#include <asm/simd.h> #include <crypto/internal/poly1305.h> #include <linux/cpufeature.h> #include <linux/jump_label.h> #include <linux/kernel.h> #include <linux/module.h> @@ -32,11 +33,11 @@ static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon); void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src, unsigned int len, u32 padbit) { len = round_down(len, POLY1305_BLOCK_SIZE); if (IS_ENABLED(CONFIG_KERNEL_MODE_NEON) && - static_branch_likely(&have_neon)) { + static_branch_likely(&have_neon) && likely(may_use_simd())) { do { unsigned int todo = min_t(unsigned int, len, SZ_4K); kernel_neon_begin(); poly1305_blocks_neon(state, src, todo, padbit); -- 2.50.0

4 months, 2 weeks

1
0
0 0

[REGRESSION] - Multiple userspace implementations of battery estimate broken after "ACPI: battery: negate current when discharging"

by Matthew Schwartz

Hello, I installed kernel 6.15.4 to find that my battery estimate on my handheld gaming device was completely inaccurate, instead giving negative values and an unknown estimated battery life in multiple places. After bisecting, I landed on "ACPI: battery: negate current when discharging” as the bad commit. This commit breaks not one but several userspace implementations of battery monitoring: Steam and MangoHud. Perhaps it breaks more, but those are the two I have noticed so far. Thanks, Matthew Schwartz

4 months, 2 weeks

5
6
0 0

+ samples-damon-mtier-support-boot-time-enable-setup.patch added to mm-new branch

by Andrew Morton

The patch titled Subject: samples/damon/mtier: support boot time enable setup has been added to the -mm mm-new branch. Its filename is samples-damon-mtier-support-boot-time-enable-setup.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-new branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Note, mm-new is a provisional staging ground for work-in-progress patches, and acceptance into mm-new is a notification for others take notice and to finish up reviews. Please do not hesitate to respond to review feedback and post updated versions to replace or incrementally fixup patches in mm-new. Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: samples/damon/mtier: support boot time enable setup Date: Sun, 6 Jul 2025 12:32:04 -0700 If 'enable' parameter of the 'mtier' DAMON sample module is set at boot time via the kernel command line, memory allocation is tried before the slab is initialized. As a result kernel NULL pointer dereference BUG can happen. Fix it by checking the initialization status. Link: https://lkml.kernel.org/r/20250706193207.39810-4-sj@kernel.org Fixes: 82a08bde3cf7 ("samples/damon: implement a DAMON module for memory tiering") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- samples/damon/mtier.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) --- a/samples/damon/mtier.c~samples-damon-mtier-support-boot-time-enable-setup +++ a/samples/damon/mtier.c @@ -157,6 +157,8 @@ static void damon_sample_mtier_stop(void damon_destroy_ctx(ctxs[1]); } +static bool init_called; + static int damon_sample_mtier_enable_store( const char *val, const struct kernel_param *kp) { @@ -170,6 +172,9 @@ static int damon_sample_mtier_enable_sto if (enable == enabled) return 0; + if (!init_called) + return 0; + if (enable) { err = damon_sample_mtier_start(); if (err) @@ -182,6 +187,14 @@ static int damon_sample_mtier_enable_sto static int __init damon_sample_mtier_init(void) { + int err = 0; + + init_called = true; + if (enable) { + err = damon_sample_mtier_start(); + if (err) + enable = false; + } return 0; } _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-core-handle-damon_call_control-as-normal-under-kdmond-deactivation.patch mm-damon-introduce-damon_stat-module.patch mm-damon-introduce-damon_stat-module-fix.patch mm-damon-stat-calculate-and-expose-estimated-memory-bandwidth.patch mm-damon-stat-calculate-and-expose-idle-time-percentiles.patch docs-admin-guide-mm-damon-add-damon_stat-usage-document.patch mm-damon-paddr-use-alloc_migartion_target-with-no-migration-fallback-nodemask.patch revert-mm-rename-alloc_demote_folio-to-alloc_migrate_folio.patch revert-mm-make-alloc_demote_folio-externally-invokable-for-migration.patch selftets-damon-add-a-test-for-memcg_path-leak.patch mm-damon-sysfs-schemes-decouple-from-damos_quota_goal_metric.patch mm-damon-sysfs-schemes-decouple-from-damos_action.patch mm-damon-sysfs-schemes-decouple-from-damos_wmark_metric.patch mm-damon-sysfs-schemes-decouple-from-damos_filter_type.patch mm-damon-sysfs-decouple-from-damon_ops_id.patch selftests-damon-add-drgn-script-for-extracting-damon-status.patch selftests-damon-_damon_sysfs-set-kdamondpid-in-start.patch selftests-damon-add-python-and-drgn-based-damon-sysfs-test.patch selftests-damon-sysfspy-test-monitoring-attribute-parameters.patch selftests-damon-sysfspy-test-adaptive-targets-parameter.patch selftests-damon-sysfspy-test-damos-schemes-parameters-setup.patch mm-damon-add-trace-event-for-auto-tuned-monitoring-intervals.patch mm-damon-add-trace-event-for-effective-size-quota.patch samples-damon-wsse-fix-boot-time-enable-handling.patch samples-damon-prcl-fix-boot-time-enable-crash.patch samples-damon-mtier-support-boot-time-enable-setup.patch mm-damon-reclaim-reset-enabled-when-damon-start-failed.patch mm-damon-lru_sort-reset-enabled-when-damon-start-failed.patch mm-damon-reclaim-use-parameter-context-correctly.patch

4 months, 2 weeks

1
0
0 0

+ samples-damon-wsse-fix-boot-time-enable-handling.patch added to mm-new branch

by Andrew Morton

The patch titled Subject: samples/damon/wsse: fix boot time enable handling has been added to the -mm mm-new branch. Its filename is samples-damon-wsse-fix-boot-time-enable-handling.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-new branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Note, mm-new is a provisional staging ground for work-in-progress patches, and acceptance into mm-new is a notification for others take notice and to finish up reviews. Please do not hesitate to respond to review feedback and post updated versions to replace or incrementally fixup patches in mm-new. Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: samples/damon/wsse: fix boot time enable handling Date: Sun, 6 Jul 2025 12:32:02 -0700 Patch series "mm/damon: fix misc bugs in DAMON modules". From manual code review, I found below bugs in DAMON modules. DAMON sample modules crash if those are enabled at boot time, via kernel command line. A similar issue was found and fixed on DAMON non-sample modules in the past, but we didn't check that for sample modules. DAMON non-sample modules are not setting 'enabled' parameters accordingly when real enabling is failed. Honggyu found and fixed[1] this type of bugs in DAMON sample modules, and my inspection was motivated by the great work. Kudos to Honggyu. Finally, DAMON_RECLIAM is mistakenly losing scheme internal status due to misuse of damon_commit_ctx(). DAMON_LRU_SORT has a similar misuse, but fortunately it is not causing real status loss. Fix the bugs. Since these are similar patterns of bugs that were found in the past, it would be better to add tests or refactor the code, in future. This patch (of 6): If 'enable' parameter of the 'wsse' DAMON sample module is set at boot time via the kernel command line, memory allocation is tried before the slab is initialized. As a result kernel NULL pointer dereference BUG can happen. Fix it by checking the initialization status. Link: https://lkml.kernel.org/r/20250706193207.39810-1-sj@kernel.org Link: https://lkml.kernel.org/r/20250706193207.39810-2-sj@kernel.org Link: https://lore.kernel.org/20250702000205.1921-1-honggyu.kim@sk.com [1] Fixes: b757c6cfc696 ("samples/damon/wsse: start and stop DAMON as the user requests") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- samples/damon/wsse.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) --- a/samples/damon/wsse.c~samples-damon-wsse-fix-boot-time-enable-handling +++ a/samples/damon/wsse.c @@ -89,6 +89,8 @@ static void damon_sample_wsse_stop(void) put_pid(target_pidp); } +static bool init_called; + static int damon_sample_wsse_enable_store( const char *val, const struct kernel_param *kp) { @@ -103,6 +105,9 @@ static int damon_sample_wsse_enable_stor return 0; if (enable) { + if (!init_called) + return 0; + err = damon_sample_wsse_start(); if (err) enable = false; @@ -114,7 +119,15 @@ static int damon_sample_wsse_enable_stor static int __init damon_sample_wsse_init(void) { - return 0; + int err = 0; + + init_called = true; + if (enable) { + err = damon_sample_wsse_start(); + if (err) + enable = false; + } + return err; } module_init(damon_sample_wsse_init); _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-core-handle-damon_call_control-as-normal-under-kdmond-deactivation.patch mm-damon-introduce-damon_stat-module.patch mm-damon-introduce-damon_stat-module-fix.patch mm-damon-stat-calculate-and-expose-estimated-memory-bandwidth.patch mm-damon-stat-calculate-and-expose-idle-time-percentiles.patch docs-admin-guide-mm-damon-add-damon_stat-usage-document.patch mm-damon-paddr-use-alloc_migartion_target-with-no-migration-fallback-nodemask.patch revert-mm-rename-alloc_demote_folio-to-alloc_migrate_folio.patch revert-mm-make-alloc_demote_folio-externally-invokable-for-migration.patch selftets-damon-add-a-test-for-memcg_path-leak.patch mm-damon-sysfs-schemes-decouple-from-damos_quota_goal_metric.patch mm-damon-sysfs-schemes-decouple-from-damos_action.patch mm-damon-sysfs-schemes-decouple-from-damos_wmark_metric.patch mm-damon-sysfs-schemes-decouple-from-damos_filter_type.patch mm-damon-sysfs-decouple-from-damon_ops_id.patch selftests-damon-add-drgn-script-for-extracting-damon-status.patch selftests-damon-_damon_sysfs-set-kdamondpid-in-start.patch selftests-damon-add-python-and-drgn-based-damon-sysfs-test.patch selftests-damon-sysfspy-test-monitoring-attribute-parameters.patch selftests-damon-sysfspy-test-adaptive-targets-parameter.patch selftests-damon-sysfspy-test-damos-schemes-parameters-setup.patch mm-damon-add-trace-event-for-auto-tuned-monitoring-intervals.patch mm-damon-add-trace-event-for-effective-size-quota.patch samples-damon-wsse-fix-boot-time-enable-handling.patch samples-damon-prcl-fix-boot-time-enable-crash.patch samples-damon-mtier-support-boot-time-enable-setup.patch mm-damon-reclaim-reset-enabled-when-damon-start-failed.patch mm-damon-lru_sort-reset-enabled-when-damon-start-failed.patch mm-damon-reclaim-use-parameter-context-correctly.patch

4 months, 2 weeks

1
0
0 0

[PATCH 0/6] mm/damon: fix misc bugs in DAMON modules

by SeongJae Park

From manual code review, I found below bugs in DAMON modules. DAMON sample modules crash if those are enabled at boot time, via kernel command line. A similar issue was found and fixed on DAMON non-sample modules in the past, but we didn't check that for sample modules. DAMON non-sample modules are not setting 'enabled' parameters accordingly when real enabling is failed. Honggyu found and fixed[1] this type of bugs in DAMON sample modules, and my inspection was motivated by the great work. Kudos to Honggyu. Finally, DAMON_RECLIAM is mistakenly losing scheme internal status due to misuse of damon_commit_ctx(). DAMON_LRU_SORT has a similar misuse, but fortunately it is not causing real status loss. Fix the bugs. Since these are similar patterns of bugs that were found in the past, it would be better to add tests or refactor the code, in future. Note that the fix of the second bug for DAMON_STAT is sent separately[2], since it is a fix for a bug in mm-unstable tree at the moment. Also as mentioned above, DAMON_LRU_SORT also has a misuse of damon_commit_ctx(), but it is not causing a real issue, hence the fix is not included in this series. I will post it later. [1] https://lore.kernel.org/20250702000205.1921-1-honggyu.kim@sk.com [2] https://lore.kernel.org/20250706184750.36588-1-sj@kernel.org SeongJae Park (6): samples/damon/wsse: fix boot time enable handling samples/damon/prcl: fix boot time enable crash samples/damon/mtier: support boot time enable setup mm/damon/reclaim: reset enabled when DAMON start failed mm/damon/lru_sort: reset enabled when DAMON start failed mm/damon/reclaim: use parameter context correctly mm/damon/lru_sort.c | 5 ++++- mm/damon/reclaim.c | 9 ++++++--- samples/damon/mtier.c | 13 +++++++++++++ samples/damon/prcl.c | 13 +++++++++++++ samples/damon/wsse.c | 15 ++++++++++++++- 5 files changed, 50 insertions(+), 5 deletions(-) base-commit: a555ad24c884e9f4ee2f2a0184f5b7b89c8d4a6e -- 2.39.5

4 months, 2 weeks

1
2
0 0

[PATCH] drm/framebuffer: Acquire internal references on GEM handles

by Thomas Zimmermann

Acquire GEM handles in drm_framebuffer_init() and release them in the corresponding drm_framebuffer_cleanup(). Ties the handle's lifetime to the framebuffer. Not all GEM buffer objects have GEM handles. If not set, no refcounting takes place. This is the case for some fbdev emulation. This is not a problem as these GEM objects do not use dma-bufs and drivers will not release them while fbdev emulation is running. As all drivers use drm_framebuffer_init(), they will now all hold dma-buf references as fixed in commit 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers"). In the GEM framebuffer helpers, restore the original ref counting on buffer objects. As the helpers for handle refcounting are now no longer called from outside the DRM core, unexport the symbols. Gma500 (unnecessarily) clears the framebuffer's GEM-object pointer before calling drm_framebuffer_cleanup(). Remove these lines to make it consistent with the rest of the drivers. It's one of the fbdev emulations with no GEM handle on their buffers. The change to gma500 is therefore rather cosmetic. Tested on i915, amdgpu (by Bert) and gma500. Also tested on i915 plus udl for the original problem with dma-buf sharing. Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Fixes: 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers") Reported-by: Bert Karwatzki <spasswolf(a)web.de> Closes: https://lore.kernel.org/dri-devel/20250703115915.3096-1-spasswolf@web.de/ Tested-by: Bert Karwatzki <spasswolf(a)web.de> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: Anusha Srivatsa <asrivats(a)redhat.com> Cc: Christian König <christian.koenig(a)amd.com> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Maxime Ripard <mripard(a)kernel.org> Cc: Sumit Semwal <sumit.semwal(a)linaro.org> Cc: "Christian König" <christian.koenig(a)amd.com> Cc: linux-media(a)vger.kernel.org Cc: dri-devel(a)lists.freedesktop.org Cc: linaro-mm-sig(a)lists.linaro.org Cc: <stable(a)vger.kernel.org> --- drivers/gpu/drm/drm_framebuffer.c | 23 +++++++- drivers/gpu/drm/drm_gem.c | 59 +++++++++++++------- drivers/gpu/drm/drm_gem_framebuffer_helper.c | 16 +++--- drivers/gpu/drm/drm_internal.h | 4 +- drivers/gpu/drm/gma500/fbdev.c | 2 - 5 files changed, 69 insertions(+), 35 deletions(-) diff --git a/drivers/gpu/drm/drm_framebuffer.c b/drivers/gpu/drm/drm_framebuffer.c index b781601946db..e4a10dd053fc 100644 --- a/drivers/gpu/drm/drm_framebuffer.c +++ b/drivers/gpu/drm/drm_framebuffer.c @@ -862,11 +862,17 @@ EXPORT_SYMBOL_FOR_TESTS_ONLY(drm_framebuffer_free); int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb, const struct drm_framebuffer_funcs *funcs) { + unsigned int i; int ret; if (WARN_ON_ONCE(fb->dev != dev || !fb->format)) return -EINVAL; + for (i = 0; i < fb->format->num_planes; i++) { + if (fb->obj[i]) + drm_gem_object_handle_get_if_exists_unlocked(fb->obj[i]); + } + INIT_LIST_HEAD(&fb->filp_head); fb->funcs = funcs; @@ -875,7 +881,7 @@ int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb, ret = __drm_mode_object_add(dev, &fb->base, DRM_MODE_OBJECT_FB, false, drm_framebuffer_free); if (ret) - goto out; + goto err; mutex_lock(&dev->mode_config.fb_lock); dev->mode_config.num_fb++; @@ -883,7 +889,14 @@ int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb, mutex_unlock(&dev->mode_config.fb_lock); drm_mode_object_register(dev, &fb->base); -out: + + return 0; + +err: + for (i = 0; i < fb->format->num_planes; i++) { + if (fb->obj[i]) + drm_gem_object_handle_put_if_exists_unlocked(fb->obj[i]); + } return ret; } EXPORT_SYMBOL(drm_framebuffer_init); @@ -960,6 +973,12 @@ EXPORT_SYMBOL(drm_framebuffer_unregister_private); void drm_framebuffer_cleanup(struct drm_framebuffer *fb) { struct drm_device *dev = fb->dev; + unsigned int i; + + for (i = 0; i < fb->format->num_planes; i++) { + if (fb->obj[i]) + drm_gem_object_handle_put_if_exists_unlocked(fb->obj[i]); + } mutex_lock(&dev->mode_config.fb_lock); list_del(&fb->head); diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index bc505d938b3e..9d8b9e6b7d25 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -224,23 +224,27 @@ static void drm_gem_object_handle_get(struct drm_gem_object *obj) } /** - * drm_gem_object_handle_get_unlocked - acquire reference on user-space handles + * drm_gem_object_handle_get_if_exists_unlocked - acquire reference on user-space handle, if any * @obj: GEM object * - * Acquires a reference on the GEM buffer object's handle. Required - * to keep the GEM object alive. Call drm_gem_object_handle_put_unlocked() - * to release the reference. + * Acquires a reference on the GEM buffer object's handle. Required to keep + * the GEM object alive. Call drm_gem_object_handle_put_if_exists_unlocked() + * to release the reference. Does nothing if the buffer object has no handle. */ -void drm_gem_object_handle_get_unlocked(struct drm_gem_object *obj) +void drm_gem_object_handle_get_if_exists_unlocked(struct drm_gem_object *obj) { struct drm_device *dev = obj->dev; guard(mutex)(&dev->object_name_lock); - drm_WARN_ON(dev, !obj->handle_count); /* first ref taken in create-tail helper */ - drm_gem_object_handle_get(obj); + /* + * First ref taken during GEM object creation, if any. Some + * drivers set up internal framebuffers with GEM objects that + * do not have a GEM handle. Hence, this counter can be zero. + */ + if (obj->handle_count) + drm_gem_object_handle_get(obj); } -EXPORT_SYMBOL(drm_gem_object_handle_get_unlocked); /** * drm_gem_object_handle_free - release resources bound to userspace handles @@ -272,21 +276,11 @@ static void drm_gem_object_exported_dma_buf_free(struct drm_gem_object *obj) } } -/** - * drm_gem_object_handle_put_unlocked - releases reference on user-space handles - * @obj: GEM object - * - * Releases a reference on the GEM buffer object's handle. Possibly releases - * the GEM buffer object and associated dma-buf objects. - */ -void drm_gem_object_handle_put_unlocked(struct drm_gem_object *obj) +static void drm_gem_object_handle_put_unlocked_tail(struct drm_gem_object *obj) { struct drm_device *dev = obj->dev; bool final = false; - if (WARN_ON(READ_ONCE(obj->handle_count) == 0)) - return; - /* * Must bump handle count first as this may be the last * ref, in which case the object would disappear before we @@ -304,7 +298,32 @@ void drm_gem_object_handle_put_unlocked(struct drm_gem_object *obj) if (final) drm_gem_object_put(obj); } -EXPORT_SYMBOL(drm_gem_object_handle_put_unlocked); + +static void drm_gem_object_handle_put_unlocked(struct drm_gem_object *obj) +{ + struct drm_device *dev = obj->dev; + + if (drm_WARN_ON(dev, READ_ONCE(obj->handle_count) == 0)) + return; + + drm_gem_object_handle_put_unlocked_tail(obj); +} + +/** + * drm_gem_object_handle_put_if_exists_unlocked - releases reference on user-space handle, if any + * @obj: GEM object + * + * Releases a reference on the GEM buffer object's handle. Possibly releases + * the GEM buffer object and associated dma-buf objects. Does nothing if the + * buffer object has no handle. + */ +void drm_gem_object_handle_put_if_exists_unlocked(struct drm_gem_object *obj) +{ + if (!obj->handle_count) + return; + + drm_gem_object_handle_put_unlocked_tail(obj); +} /* * Called at device or object close to release the file's diff --git a/drivers/gpu/drm/drm_gem_framebuffer_helper.c b/drivers/gpu/drm/drm_gem_framebuffer_helper.c index c60d0044d036..618ce725cd75 100644 --- a/drivers/gpu/drm/drm_gem_framebuffer_helper.c +++ b/drivers/gpu/drm/drm_gem_framebuffer_helper.c @@ -100,7 +100,7 @@ void drm_gem_fb_destroy(struct drm_framebuffer *fb) unsigned int i; for (i = 0; i < fb->format->num_planes; i++) - drm_gem_object_handle_put_unlocked(fb->obj[i]); + drm_gem_object_put(fb->obj[i]); drm_framebuffer_cleanup(fb); kfree(fb); @@ -183,10 +183,8 @@ int drm_gem_fb_init_with_funcs(struct drm_device *dev, if (!objs[i]) { drm_dbg_kms(dev, "Failed to lookup GEM object\n"); ret = -ENOENT; - goto err_gem_object_handle_put_unlocked; + goto err_gem_object_put; } - drm_gem_object_handle_get_unlocked(objs[i]); - drm_gem_object_put(objs[i]); min_size = (height - 1) * mode_cmd->pitches[i] + drm_format_info_min_pitch(info, i, width) @@ -196,22 +194,22 @@ int drm_gem_fb_init_with_funcs(struct drm_device *dev, drm_dbg_kms(dev, "GEM object size (%zu) smaller than minimum size (%u) for plane %d\n", objs[i]->size, min_size, i); - drm_gem_object_handle_put_unlocked(objs[i]); + drm_gem_object_put(objs[i]); ret = -EINVAL; - goto err_gem_object_handle_put_unlocked; + goto err_gem_object_put; } } ret = drm_gem_fb_init(dev, fb, mode_cmd, objs, i, funcs); if (ret) - goto err_gem_object_handle_put_unlocked; + goto err_gem_object_put; return 0; -err_gem_object_handle_put_unlocked: +err_gem_object_put: while (i > 0) { --i; - drm_gem_object_handle_put_unlocked(objs[i]); + drm_gem_object_put(objs[i]); } return ret; } diff --git a/drivers/gpu/drm/drm_internal.h b/drivers/gpu/drm/drm_internal.h index f7b414a813ae..9233019f54a8 100644 --- a/drivers/gpu/drm/drm_internal.h +++ b/drivers/gpu/drm/drm_internal.h @@ -161,8 +161,8 @@ void drm_sysfs_lease_event(struct drm_device *dev); /* drm_gem.c */ int drm_gem_init(struct drm_device *dev); -void drm_gem_object_handle_get_unlocked(struct drm_gem_object *obj); -void drm_gem_object_handle_put_unlocked(struct drm_gem_object *obj); +void drm_gem_object_handle_get_if_exists_unlocked(struct drm_gem_object *obj); +void drm_gem_object_handle_put_if_exists_unlocked(struct drm_gem_object *obj); int drm_gem_handle_create_tail(struct drm_file *file_priv, struct drm_gem_object *obj, u32 *handlep); diff --git a/drivers/gpu/drm/gma500/fbdev.c b/drivers/gpu/drm/gma500/fbdev.c index 8edefea2ef59..afd252108cfa 100644 --- a/drivers/gpu/drm/gma500/fbdev.c +++ b/drivers/gpu/drm/gma500/fbdev.c @@ -121,7 +121,6 @@ static void psb_fbdev_fb_destroy(struct fb_info *info) drm_fb_helper_fini(fb_helper); drm_framebuffer_unregister_private(fb); - fb->obj[0] = NULL; drm_framebuffer_cleanup(fb); kfree(fb); @@ -243,7 +242,6 @@ int psb_fbdev_driver_fbdev_probe(struct drm_fb_helper *fb_helper, err_drm_framebuffer_unregister_private: drm_framebuffer_unregister_private(fb); - fb->obj[0] = NULL; drm_framebuffer_cleanup(fb); kfree(fb); err_drm_gem_object_put: -- 2.50.0

4 months, 2 weeks

3
4
0 0

FAILED: patch "[PATCH] drm/v3d: Disable interrupts before resetting the GPU" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 226862f50a7a88e4e4de9abbf36c64d19acd6fd0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070619-unblessed-antidote-17bd@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 226862f50a7a88e4e4de9abbf36c64d19acd6fd0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ADra=20Canal?= <mcanal(a)igalia.com> Date: Sat, 28 Jun 2025 19:42:42 -0300 Subject: [PATCH] drm/v3d: Disable interrupts before resetting the GPU MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently, an interrupt can be triggered during a GPU reset, which can lead to GPU hangs and NULL pointer dereference in an interrupt context as shown in the following trace: [ 314.035040] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0 [ 314.043822] Mem abort info: [ 314.046606] ESR = 0x0000000096000005 [ 314.050347] EC = 0x25: DABT (current EL), IL = 32 bits [ 314.055651] SET = 0, FnV = 0 [ 314.058695] EA = 0, S1PTW = 0 [ 314.061826] FSC = 0x05: level 1 translation fault [ 314.066694] Data abort info: [ 314.069564] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 314.075039] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 314.080080] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 314.085382] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000102728000 [ 314.091814] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 314.100511] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP [ 314.106770] Modules linked in: v3d i2c_brcmstb vc4 snd_soc_hdmi_codec gpu_sched drm_shmem_helper drm_display_helper cec drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd backlight [ 314.129654] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.25+rpt-rpi-v8 #1 Debian 1:6.12.25-1+rpt1 [ 314.139388] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT) [ 314.145211] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 314.152165] pc : v3d_irq+0xec/0x2e0 [v3d] [ 314.156187] lr : v3d_irq+0xe0/0x2e0 [v3d] [ 314.160198] sp : ffffffc080003ea0 [ 314.163502] x29: ffffffc080003ea0 x28: ffffffec1f184980 x27: 021202b000000000 [ 314.170633] x26: ffffffec1f17f630 x25: ffffff8101372000 x24: ffffffec1f17d9f0 [ 314.177764] x23: 000000000000002a x22: 000000000000002a x21: ffffff8103252000 [ 314.184895] x20: 0000000000000001 x19: 00000000deadbeef x18: 0000000000000000 [ 314.192026] x17: ffffff94e51d2000 x16: ffffffec1dac3cb0 x15: c306000000000000 [ 314.199156] x14: 0000000000000000 x13: b2fc982e03cc5168 x12: 0000000000000001 [ 314.206286] x11: ffffff8103f8bcc0 x10: ffffffec1f196868 x9 : ffffffec1dac3874 [ 314.213416] x8 : 0000000000000000 x7 : 0000000000042a3a x6 : ffffff810017a180 [ 314.220547] x5 : ffffffec1ebad400 x4 : ffffffec1ebad320 x3 : 00000000000bebeb [ 314.227677] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 [ 314.234807] Call trace: [ 314.237243] v3d_irq+0xec/0x2e0 [v3d] [ 314.240906] __handle_irq_event_percpu+0x58/0x218 [ 314.245609] handle_irq_event+0x54/0xb8 [ 314.249439] handle_fasteoi_irq+0xac/0x240 [ 314.253527] handle_irq_desc+0x48/0x68 [ 314.257269] generic_handle_domain_irq+0x24/0x38 [ 314.261879] gic_handle_irq+0x48/0xd8 [ 314.265533] call_on_irq_stack+0x24/0x58 [ 314.269448] do_interrupt_handler+0x88/0x98 [ 314.273624] el1_interrupt+0x34/0x68 [ 314.277193] el1h_64_irq_handler+0x18/0x28 [ 314.281281] el1h_64_irq+0x64/0x68 [ 314.284673] default_idle_call+0x3c/0x168 [ 314.288675] do_idle+0x1fc/0x230 [ 314.291895] cpu_startup_entry+0x3c/0x50 [ 314.295810] rest_init+0xe4/0xf0 [ 314.299030] start_kernel+0x5e8/0x790 [ 314.302684] __primary_switched+0x80/0x90 [ 314.306691] Code: 940029eb 360ffc13 f9442ea0 52800001 (f9406017) [ 314.312775] ---[ end trace 0000000000000000 ]--- [ 314.317384] Kernel panic - not syncing: Oops: Fatal exception in interrupt [ 314.324249] SMP: stopping secondary CPUs [ 314.328167] Kernel Offset: 0x2b9da00000 from 0xffffffc080000000 [ 314.334076] PHYS_OFFSET: 0x0 [ 314.336946] CPU features: 0x08,00002013,c0200000,0200421b [ 314.342337] Memory Limit: none [ 314.345382] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]--- Before resetting the GPU, it's necessary to disable all interrupts and deal with any interrupt handler still in-flight. Otherwise, the GPU might reset with jobs still running, or yet, an interrupt could be handled during the reset. Cc: stable(a)vger.kernel.org Fixes: 57692c94dcbe ("drm/v3d: Introduce a new DRM driver for Broadcom V3D V3.x+") Reviewed-by: Juan A. Suarez <jasuarez(a)igalia.com> Reviewed-by: Iago Toral Quiroga <itoral(a)igalia.com> Link: https://lore.kernel.org/r/20250628224243.47599-1-mcanal@igalia.com Signed-off-by: Maíra Canal <mcanal(a)igalia.com> diff --git a/drivers/gpu/drm/v3d/v3d_drv.h b/drivers/gpu/drm/v3d/v3d_drv.h index b51f0b648a08..411e47702f8a 100644 --- a/drivers/gpu/drm/v3d/v3d_drv.h +++ b/drivers/gpu/drm/v3d/v3d_drv.h @@ -101,6 +101,12 @@ enum v3d_gen { V3D_GEN_71 = 71, }; +enum v3d_irq { + V3D_CORE_IRQ, + V3D_HUB_IRQ, + V3D_MAX_IRQS, +}; + struct v3d_dev { struct drm_device drm; @@ -112,6 +118,8 @@ struct v3d_dev { bool single_irq_line; + int irq[V3D_MAX_IRQS]; + struct v3d_perfmon_info perfmon_info; void __iomem *hub_regs; diff --git a/drivers/gpu/drm/v3d/v3d_gem.c b/drivers/gpu/drm/v3d/v3d_gem.c index d7d16da78db3..37bf5eecdd2c 100644 --- a/drivers/gpu/drm/v3d/v3d_gem.c +++ b/drivers/gpu/drm/v3d/v3d_gem.c @@ -134,6 +134,8 @@ v3d_reset(struct v3d_dev *v3d) if (false) v3d_idle_axi(v3d, 0); + v3d_irq_disable(v3d); + v3d_idle_gca(v3d); v3d_reset_sms(v3d); v3d_reset_v3d(v3d); diff --git a/drivers/gpu/drm/v3d/v3d_irq.c b/drivers/gpu/drm/v3d/v3d_irq.c index 2cca5d3a26a2..a515a301e480 100644 --- a/drivers/gpu/drm/v3d/v3d_irq.c +++ b/drivers/gpu/drm/v3d/v3d_irq.c @@ -260,7 +260,7 @@ v3d_hub_irq(int irq, void *arg) int v3d_irq_init(struct v3d_dev *v3d) { - int irq1, ret, core; + int irq, ret, core; INIT_WORK(&v3d->overflow_mem_work, v3d_overflow_mem_work); @@ -271,17 +271,24 @@ v3d_irq_init(struct v3d_dev *v3d) V3D_CORE_WRITE(core, V3D_CTL_INT_CLR, V3D_CORE_IRQS(v3d->ver)); V3D_WRITE(V3D_HUB_INT_CLR, V3D_HUB_IRQS(v3d->ver)); - irq1 = platform_get_irq_optional(v3d_to_pdev(v3d), 1); - if (irq1 == -EPROBE_DEFER) - return irq1; - if (irq1 > 0) { - ret = devm_request_irq(v3d->drm.dev, irq1, + irq = platform_get_irq_optional(v3d_to_pdev(v3d), 1); + if (irq == -EPROBE_DEFER) + return irq; + if (irq > 0) { + v3d->irq[V3D_CORE_IRQ] = irq; + + ret = devm_request_irq(v3d->drm.dev, v3d->irq[V3D_CORE_IRQ], v3d_irq, IRQF_SHARED, "v3d_core0", v3d); if (ret) goto fail; - ret = devm_request_irq(v3d->drm.dev, - platform_get_irq(v3d_to_pdev(v3d), 0), + + irq = platform_get_irq(v3d_to_pdev(v3d), 0); + if (irq < 0) + return irq; + v3d->irq[V3D_HUB_IRQ] = irq; + + ret = devm_request_irq(v3d->drm.dev, v3d->irq[V3D_HUB_IRQ], v3d_hub_irq, IRQF_SHARED, "v3d_hub", v3d); if (ret) @@ -289,8 +296,12 @@ v3d_irq_init(struct v3d_dev *v3d) } else { v3d->single_irq_line = true; - ret = devm_request_irq(v3d->drm.dev, - platform_get_irq(v3d_to_pdev(v3d), 0), + irq = platform_get_irq(v3d_to_pdev(v3d), 0); + if (irq < 0) + return irq; + v3d->irq[V3D_CORE_IRQ] = irq; + + ret = devm_request_irq(v3d->drm.dev, v3d->irq[V3D_CORE_IRQ], v3d_irq, IRQF_SHARED, "v3d", v3d); if (ret) @@ -331,6 +342,12 @@ v3d_irq_disable(struct v3d_dev *v3d) V3D_CORE_WRITE(core, V3D_CTL_INT_MSK_SET, ~0); V3D_WRITE(V3D_HUB_INT_MSK_SET, ~0); + /* Finish any interrupt handler still in flight. */ + for (int i = 0; i < V3D_MAX_IRQS; i++) { + if (v3d->irq[i]) + synchronize_irq(v3d->irq[i]); + } + /* Clear any pending interrupts we might have left. */ for (core = 0; core < v3d->cores; core++) V3D_CORE_WRITE(core, V3D_CTL_INT_CLR, V3D_CORE_IRQS(v3d->ver));

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/v3d: Disable interrupts before resetting the GPU" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 226862f50a7a88e4e4de9abbf36c64d19acd6fd0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070618-stuck-undefined-2b00@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 226862f50a7a88e4e4de9abbf36c64d19acd6fd0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ADra=20Canal?= <mcanal(a)igalia.com> Date: Sat, 28 Jun 2025 19:42:42 -0300 Subject: [PATCH] drm/v3d: Disable interrupts before resetting the GPU MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently, an interrupt can be triggered during a GPU reset, which can lead to GPU hangs and NULL pointer dereference in an interrupt context as shown in the following trace: [ 314.035040] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0 [ 314.043822] Mem abort info: [ 314.046606] ESR = 0x0000000096000005 [ 314.050347] EC = 0x25: DABT (current EL), IL = 32 bits [ 314.055651] SET = 0, FnV = 0 [ 314.058695] EA = 0, S1PTW = 0 [ 314.061826] FSC = 0x05: level 1 translation fault [ 314.066694] Data abort info: [ 314.069564] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 314.075039] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 314.080080] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 314.085382] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000102728000 [ 314.091814] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 314.100511] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP [ 314.106770] Modules linked in: v3d i2c_brcmstb vc4 snd_soc_hdmi_codec gpu_sched drm_shmem_helper drm_display_helper cec drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd backlight [ 314.129654] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.25+rpt-rpi-v8 #1 Debian 1:6.12.25-1+rpt1 [ 314.139388] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT) [ 314.145211] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 314.152165] pc : v3d_irq+0xec/0x2e0 [v3d] [ 314.156187] lr : v3d_irq+0xe0/0x2e0 [v3d] [ 314.160198] sp : ffffffc080003ea0 [ 314.163502] x29: ffffffc080003ea0 x28: ffffffec1f184980 x27: 021202b000000000 [ 314.170633] x26: ffffffec1f17f630 x25: ffffff8101372000 x24: ffffffec1f17d9f0 [ 314.177764] x23: 000000000000002a x22: 000000000000002a x21: ffffff8103252000 [ 314.184895] x20: 0000000000000001 x19: 00000000deadbeef x18: 0000000000000000 [ 314.192026] x17: ffffff94e51d2000 x16: ffffffec1dac3cb0 x15: c306000000000000 [ 314.199156] x14: 0000000000000000 x13: b2fc982e03cc5168 x12: 0000000000000001 [ 314.206286] x11: ffffff8103f8bcc0 x10: ffffffec1f196868 x9 : ffffffec1dac3874 [ 314.213416] x8 : 0000000000000000 x7 : 0000000000042a3a x6 : ffffff810017a180 [ 314.220547] x5 : ffffffec1ebad400 x4 : ffffffec1ebad320 x3 : 00000000000bebeb [ 314.227677] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 [ 314.234807] Call trace: [ 314.237243] v3d_irq+0xec/0x2e0 [v3d] [ 314.240906] __handle_irq_event_percpu+0x58/0x218 [ 314.245609] handle_irq_event+0x54/0xb8 [ 314.249439] handle_fasteoi_irq+0xac/0x240 [ 314.253527] handle_irq_desc+0x48/0x68 [ 314.257269] generic_handle_domain_irq+0x24/0x38 [ 314.261879] gic_handle_irq+0x48/0xd8 [ 314.265533] call_on_irq_stack+0x24/0x58 [ 314.269448] do_interrupt_handler+0x88/0x98 [ 314.273624] el1_interrupt+0x34/0x68 [ 314.277193] el1h_64_irq_handler+0x18/0x28 [ 314.281281] el1h_64_irq+0x64/0x68 [ 314.284673] default_idle_call+0x3c/0x168 [ 314.288675] do_idle+0x1fc/0x230 [ 314.291895] cpu_startup_entry+0x3c/0x50 [ 314.295810] rest_init+0xe4/0xf0 [ 314.299030] start_kernel+0x5e8/0x790 [ 314.302684] __primary_switched+0x80/0x90 [ 314.306691] Code: 940029eb 360ffc13 f9442ea0 52800001 (f9406017) [ 314.312775] ---[ end trace 0000000000000000 ]--- [ 314.317384] Kernel panic - not syncing: Oops: Fatal exception in interrupt [ 314.324249] SMP: stopping secondary CPUs [ 314.328167] Kernel Offset: 0x2b9da00000 from 0xffffffc080000000 [ 314.334076] PHYS_OFFSET: 0x0 [ 314.336946] CPU features: 0x08,00002013,c0200000,0200421b [ 314.342337] Memory Limit: none [ 314.345382] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]--- Before resetting the GPU, it's necessary to disable all interrupts and deal with any interrupt handler still in-flight. Otherwise, the GPU might reset with jobs still running, or yet, an interrupt could be handled during the reset. Cc: stable(a)vger.kernel.org Fixes: 57692c94dcbe ("drm/v3d: Introduce a new DRM driver for Broadcom V3D V3.x+") Reviewed-by: Juan A. Suarez <jasuarez(a)igalia.com> Reviewed-by: Iago Toral Quiroga <itoral(a)igalia.com> Link: https://lore.kernel.org/r/20250628224243.47599-1-mcanal@igalia.com Signed-off-by: Maíra Canal <mcanal(a)igalia.com> diff --git a/drivers/gpu/drm/v3d/v3d_drv.h b/drivers/gpu/drm/v3d/v3d_drv.h index b51f0b648a08..411e47702f8a 100644 --- a/drivers/gpu/drm/v3d/v3d_drv.h +++ b/drivers/gpu/drm/v3d/v3d_drv.h @@ -101,6 +101,12 @@ enum v3d_gen { V3D_GEN_71 = 71, }; +enum v3d_irq { + V3D_CORE_IRQ, + V3D_HUB_IRQ, + V3D_MAX_IRQS, +}; + struct v3d_dev { struct drm_device drm; @@ -112,6 +118,8 @@ struct v3d_dev { bool single_irq_line; + int irq[V3D_MAX_IRQS]; + struct v3d_perfmon_info perfmon_info; void __iomem *hub_regs; diff --git a/drivers/gpu/drm/v3d/v3d_gem.c b/drivers/gpu/drm/v3d/v3d_gem.c index d7d16da78db3..37bf5eecdd2c 100644 --- a/drivers/gpu/drm/v3d/v3d_gem.c +++ b/drivers/gpu/drm/v3d/v3d_gem.c @@ -134,6 +134,8 @@ v3d_reset(struct v3d_dev *v3d) if (false) v3d_idle_axi(v3d, 0); + v3d_irq_disable(v3d); + v3d_idle_gca(v3d); v3d_reset_sms(v3d); v3d_reset_v3d(v3d); diff --git a/drivers/gpu/drm/v3d/v3d_irq.c b/drivers/gpu/drm/v3d/v3d_irq.c index 2cca5d3a26a2..a515a301e480 100644 --- a/drivers/gpu/drm/v3d/v3d_irq.c +++ b/drivers/gpu/drm/v3d/v3d_irq.c @@ -260,7 +260,7 @@ v3d_hub_irq(int irq, void *arg) int v3d_irq_init(struct v3d_dev *v3d) { - int irq1, ret, core; + int irq, ret, core; INIT_WORK(&v3d->overflow_mem_work, v3d_overflow_mem_work); @@ -271,17 +271,24 @@ v3d_irq_init(struct v3d_dev *v3d) V3D_CORE_WRITE(core, V3D_CTL_INT_CLR, V3D_CORE_IRQS(v3d->ver)); V3D_WRITE(V3D_HUB_INT_CLR, V3D_HUB_IRQS(v3d->ver)); - irq1 = platform_get_irq_optional(v3d_to_pdev(v3d), 1); - if (irq1 == -EPROBE_DEFER) - return irq1; - if (irq1 > 0) { - ret = devm_request_irq(v3d->drm.dev, irq1, + irq = platform_get_irq_optional(v3d_to_pdev(v3d), 1); + if (irq == -EPROBE_DEFER) + return irq; + if (irq > 0) { + v3d->irq[V3D_CORE_IRQ] = irq; + + ret = devm_request_irq(v3d->drm.dev, v3d->irq[V3D_CORE_IRQ], v3d_irq, IRQF_SHARED, "v3d_core0", v3d); if (ret) goto fail; - ret = devm_request_irq(v3d->drm.dev, - platform_get_irq(v3d_to_pdev(v3d), 0), + + irq = platform_get_irq(v3d_to_pdev(v3d), 0); + if (irq < 0) + return irq; + v3d->irq[V3D_HUB_IRQ] = irq; + + ret = devm_request_irq(v3d->drm.dev, v3d->irq[V3D_HUB_IRQ], v3d_hub_irq, IRQF_SHARED, "v3d_hub", v3d); if (ret) @@ -289,8 +296,12 @@ v3d_irq_init(struct v3d_dev *v3d) } else { v3d->single_irq_line = true; - ret = devm_request_irq(v3d->drm.dev, - platform_get_irq(v3d_to_pdev(v3d), 0), + irq = platform_get_irq(v3d_to_pdev(v3d), 0); + if (irq < 0) + return irq; + v3d->irq[V3D_CORE_IRQ] = irq; + + ret = devm_request_irq(v3d->drm.dev, v3d->irq[V3D_CORE_IRQ], v3d_irq, IRQF_SHARED, "v3d", v3d); if (ret) @@ -331,6 +342,12 @@ v3d_irq_disable(struct v3d_dev *v3d) V3D_CORE_WRITE(core, V3D_CTL_INT_MSK_SET, ~0); V3D_WRITE(V3D_HUB_INT_MSK_SET, ~0); + /* Finish any interrupt handler still in flight. */ + for (int i = 0; i < V3D_MAX_IRQS; i++) { + if (v3d->irq[i]) + synchronize_irq(v3d->irq[i]); + } + /* Clear any pending interrupts we might have left. */ for (core = 0; core < v3d->cores; core++) V3D_CORE_WRITE(core, V3D_CTL_INT_CLR, V3D_CORE_IRQS(v3d->ver));

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/v3d: Disable interrupts before resetting the GPU" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 226862f50a7a88e4e4de9abbf36c64d19acd6fd0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070617-culminate-consensus-97ab@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 226862f50a7a88e4e4de9abbf36c64d19acd6fd0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ADra=20Canal?= <mcanal(a)igalia.com> Date: Sat, 28 Jun 2025 19:42:42 -0300 Subject: [PATCH] drm/v3d: Disable interrupts before resetting the GPU MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently, an interrupt can be triggered during a GPU reset, which can lead to GPU hangs and NULL pointer dereference in an interrupt context as shown in the following trace: [ 314.035040] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0 [ 314.043822] Mem abort info: [ 314.046606] ESR = 0x0000000096000005 [ 314.050347] EC = 0x25: DABT (current EL), IL = 32 bits [ 314.055651] SET = 0, FnV = 0 [ 314.058695] EA = 0, S1PTW = 0 [ 314.061826] FSC = 0x05: level 1 translation fault [ 314.066694] Data abort info: [ 314.069564] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 314.075039] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 314.080080] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 314.085382] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000102728000 [ 314.091814] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 314.100511] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP [ 314.106770] Modules linked in: v3d i2c_brcmstb vc4 snd_soc_hdmi_codec gpu_sched drm_shmem_helper drm_display_helper cec drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd backlight [ 314.129654] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.25+rpt-rpi-v8 #1 Debian 1:6.12.25-1+rpt1 [ 314.139388] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT) [ 314.145211] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 314.152165] pc : v3d_irq+0xec/0x2e0 [v3d] [ 314.156187] lr : v3d_irq+0xe0/0x2e0 [v3d] [ 314.160198] sp : ffffffc080003ea0 [ 314.163502] x29: ffffffc080003ea0 x28: ffffffec1f184980 x27: 021202b000000000 [ 314.170633] x26: ffffffec1f17f630 x25: ffffff8101372000 x24: ffffffec1f17d9f0 [ 314.177764] x23: 000000000000002a x22: 000000000000002a x21: ffffff8103252000 [ 314.184895] x20: 0000000000000001 x19: 00000000deadbeef x18: 0000000000000000 [ 314.192026] x17: ffffff94e51d2000 x16: ffffffec1dac3cb0 x15: c306000000000000 [ 314.199156] x14: 0000000000000000 x13: b2fc982e03cc5168 x12: 0000000000000001 [ 314.206286] x11: ffffff8103f8bcc0 x10: ffffffec1f196868 x9 : ffffffec1dac3874 [ 314.213416] x8 : 0000000000000000 x7 : 0000000000042a3a x6 : ffffff810017a180 [ 314.220547] x5 : ffffffec1ebad400 x4 : ffffffec1ebad320 x3 : 00000000000bebeb [ 314.227677] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 [ 314.234807] Call trace: [ 314.237243] v3d_irq+0xec/0x2e0 [v3d] [ 314.240906] __handle_irq_event_percpu+0x58/0x218 [ 314.245609] handle_irq_event+0x54/0xb8 [ 314.249439] handle_fasteoi_irq+0xac/0x240 [ 314.253527] handle_irq_desc+0x48/0x68 [ 314.257269] generic_handle_domain_irq+0x24/0x38 [ 314.261879] gic_handle_irq+0x48/0xd8 [ 314.265533] call_on_irq_stack+0x24/0x58 [ 314.269448] do_interrupt_handler+0x88/0x98 [ 314.273624] el1_interrupt+0x34/0x68 [ 314.277193] el1h_64_irq_handler+0x18/0x28 [ 314.281281] el1h_64_irq+0x64/0x68 [ 314.284673] default_idle_call+0x3c/0x168 [ 314.288675] do_idle+0x1fc/0x230 [ 314.291895] cpu_startup_entry+0x3c/0x50 [ 314.295810] rest_init+0xe4/0xf0 [ 314.299030] start_kernel+0x5e8/0x790 [ 314.302684] __primary_switched+0x80/0x90 [ 314.306691] Code: 940029eb 360ffc13 f9442ea0 52800001 (f9406017) [ 314.312775] ---[ end trace 0000000000000000 ]--- [ 314.317384] Kernel panic - not syncing: Oops: Fatal exception in interrupt [ 314.324249] SMP: stopping secondary CPUs [ 314.328167] Kernel Offset: 0x2b9da00000 from 0xffffffc080000000 [ 314.334076] PHYS_OFFSET: 0x0 [ 314.336946] CPU features: 0x08,00002013,c0200000,0200421b [ 314.342337] Memory Limit: none [ 314.345382] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]--- Before resetting the GPU, it's necessary to disable all interrupts and deal with any interrupt handler still in-flight. Otherwise, the GPU might reset with jobs still running, or yet, an interrupt could be handled during the reset. Cc: stable(a)vger.kernel.org Fixes: 57692c94dcbe ("drm/v3d: Introduce a new DRM driver for Broadcom V3D V3.x+") Reviewed-by: Juan A. Suarez <jasuarez(a)igalia.com> Reviewed-by: Iago Toral Quiroga <itoral(a)igalia.com> Link: https://lore.kernel.org/r/20250628224243.47599-1-mcanal@igalia.com Signed-off-by: Maíra Canal <mcanal(a)igalia.com> diff --git a/drivers/gpu/drm/v3d/v3d_drv.h b/drivers/gpu/drm/v3d/v3d_drv.h index b51f0b648a08..411e47702f8a 100644 --- a/drivers/gpu/drm/v3d/v3d_drv.h +++ b/drivers/gpu/drm/v3d/v3d_drv.h @@ -101,6 +101,12 @@ enum v3d_gen { V3D_GEN_71 = 71, }; +enum v3d_irq { + V3D_CORE_IRQ, + V3D_HUB_IRQ, + V3D_MAX_IRQS, +}; + struct v3d_dev { struct drm_device drm; @@ -112,6 +118,8 @@ struct v3d_dev { bool single_irq_line; + int irq[V3D_MAX_IRQS]; + struct v3d_perfmon_info perfmon_info; void __iomem *hub_regs; diff --git a/drivers/gpu/drm/v3d/v3d_gem.c b/drivers/gpu/drm/v3d/v3d_gem.c index d7d16da78db3..37bf5eecdd2c 100644 --- a/drivers/gpu/drm/v3d/v3d_gem.c +++ b/drivers/gpu/drm/v3d/v3d_gem.c @@ -134,6 +134,8 @@ v3d_reset(struct v3d_dev *v3d) if (false) v3d_idle_axi(v3d, 0); + v3d_irq_disable(v3d); + v3d_idle_gca(v3d); v3d_reset_sms(v3d); v3d_reset_v3d(v3d); diff --git a/drivers/gpu/drm/v3d/v3d_irq.c b/drivers/gpu/drm/v3d/v3d_irq.c index 2cca5d3a26a2..a515a301e480 100644 --- a/drivers/gpu/drm/v3d/v3d_irq.c +++ b/drivers/gpu/drm/v3d/v3d_irq.c @@ -260,7 +260,7 @@ v3d_hub_irq(int irq, void *arg) int v3d_irq_init(struct v3d_dev *v3d) { - int irq1, ret, core; + int irq, ret, core; INIT_WORK(&v3d->overflow_mem_work, v3d_overflow_mem_work); @@ -271,17 +271,24 @@ v3d_irq_init(struct v3d_dev *v3d) V3D_CORE_WRITE(core, V3D_CTL_INT_CLR, V3D_CORE_IRQS(v3d->ver)); V3D_WRITE(V3D_HUB_INT_CLR, V3D_HUB_IRQS(v3d->ver)); - irq1 = platform_get_irq_optional(v3d_to_pdev(v3d), 1); - if (irq1 == -EPROBE_DEFER) - return irq1; - if (irq1 > 0) { - ret = devm_request_irq(v3d->drm.dev, irq1, + irq = platform_get_irq_optional(v3d_to_pdev(v3d), 1); + if (irq == -EPROBE_DEFER) + return irq; + if (irq > 0) { + v3d->irq[V3D_CORE_IRQ] = irq; + + ret = devm_request_irq(v3d->drm.dev, v3d->irq[V3D_CORE_IRQ], v3d_irq, IRQF_SHARED, "v3d_core0", v3d); if (ret) goto fail; - ret = devm_request_irq(v3d->drm.dev, - platform_get_irq(v3d_to_pdev(v3d), 0), + + irq = platform_get_irq(v3d_to_pdev(v3d), 0); + if (irq < 0) + return irq; + v3d->irq[V3D_HUB_IRQ] = irq; + + ret = devm_request_irq(v3d->drm.dev, v3d->irq[V3D_HUB_IRQ], v3d_hub_irq, IRQF_SHARED, "v3d_hub", v3d); if (ret) @@ -289,8 +296,12 @@ v3d_irq_init(struct v3d_dev *v3d) } else { v3d->single_irq_line = true; - ret = devm_request_irq(v3d->drm.dev, - platform_get_irq(v3d_to_pdev(v3d), 0), + irq = platform_get_irq(v3d_to_pdev(v3d), 0); + if (irq < 0) + return irq; + v3d->irq[V3D_CORE_IRQ] = irq; + + ret = devm_request_irq(v3d->drm.dev, v3d->irq[V3D_CORE_IRQ], v3d_irq, IRQF_SHARED, "v3d", v3d); if (ret) @@ -331,6 +342,12 @@ v3d_irq_disable(struct v3d_dev *v3d) V3D_CORE_WRITE(core, V3D_CTL_INT_MSK_SET, ~0); V3D_WRITE(V3D_HUB_INT_MSK_SET, ~0); + /* Finish any interrupt handler still in flight. */ + for (int i = 0; i < V3D_MAX_IRQS; i++) { + if (v3d->irq[i]) + synchronize_irq(v3d->irq[i]); + } + /* Clear any pending interrupts we might have left. */ for (core = 0; core < v3d->cores; core++) V3D_CORE_WRITE(core, V3D_CTL_INT_CLR, V3D_CORE_IRQS(v3d->ver));

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/v3d: Disable interrupts before resetting the GPU" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 226862f50a7a88e4e4de9abbf36c64d19acd6fd0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070615-extent-icing-b18d@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 226862f50a7a88e4e4de9abbf36c64d19acd6fd0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ADra=20Canal?= <mcanal(a)igalia.com> Date: Sat, 28 Jun 2025 19:42:42 -0300 Subject: [PATCH] drm/v3d: Disable interrupts before resetting the GPU MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently, an interrupt can be triggered during a GPU reset, which can lead to GPU hangs and NULL pointer dereference in an interrupt context as shown in the following trace: [ 314.035040] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0 [ 314.043822] Mem abort info: [ 314.046606] ESR = 0x0000000096000005 [ 314.050347] EC = 0x25: DABT (current EL), IL = 32 bits [ 314.055651] SET = 0, FnV = 0 [ 314.058695] EA = 0, S1PTW = 0 [ 314.061826] FSC = 0x05: level 1 translation fault [ 314.066694] Data abort info: [ 314.069564] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 314.075039] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 314.080080] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 314.085382] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000102728000 [ 314.091814] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 314.100511] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP [ 314.106770] Modules linked in: v3d i2c_brcmstb vc4 snd_soc_hdmi_codec gpu_sched drm_shmem_helper drm_display_helper cec drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd backlight [ 314.129654] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.25+rpt-rpi-v8 #1 Debian 1:6.12.25-1+rpt1 [ 314.139388] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT) [ 314.145211] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 314.152165] pc : v3d_irq+0xec/0x2e0 [v3d] [ 314.156187] lr : v3d_irq+0xe0/0x2e0 [v3d] [ 314.160198] sp : ffffffc080003ea0 [ 314.163502] x29: ffffffc080003ea0 x28: ffffffec1f184980 x27: 021202b000000000 [ 314.170633] x26: ffffffec1f17f630 x25: ffffff8101372000 x24: ffffffec1f17d9f0 [ 314.177764] x23: 000000000000002a x22: 000000000000002a x21: ffffff8103252000 [ 314.184895] x20: 0000000000000001 x19: 00000000deadbeef x18: 0000000000000000 [ 314.192026] x17: ffffff94e51d2000 x16: ffffffec1dac3cb0 x15: c306000000000000 [ 314.199156] x14: 0000000000000000 x13: b2fc982e03cc5168 x12: 0000000000000001 [ 314.206286] x11: ffffff8103f8bcc0 x10: ffffffec1f196868 x9 : ffffffec1dac3874 [ 314.213416] x8 : 0000000000000000 x7 : 0000000000042a3a x6 : ffffff810017a180 [ 314.220547] x5 : ffffffec1ebad400 x4 : ffffffec1ebad320 x3 : 00000000000bebeb [ 314.227677] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 [ 314.234807] Call trace: [ 314.237243] v3d_irq+0xec/0x2e0 [v3d] [ 314.240906] __handle_irq_event_percpu+0x58/0x218 [ 314.245609] handle_irq_event+0x54/0xb8 [ 314.249439] handle_fasteoi_irq+0xac/0x240 [ 314.253527] handle_irq_desc+0x48/0x68 [ 314.257269] generic_handle_domain_irq+0x24/0x38 [ 314.261879] gic_handle_irq+0x48/0xd8 [ 314.265533] call_on_irq_stack+0x24/0x58 [ 314.269448] do_interrupt_handler+0x88/0x98 [ 314.273624] el1_interrupt+0x34/0x68 [ 314.277193] el1h_64_irq_handler+0x18/0x28 [ 314.281281] el1h_64_irq+0x64/0x68 [ 314.284673] default_idle_call+0x3c/0x168 [ 314.288675] do_idle+0x1fc/0x230 [ 314.291895] cpu_startup_entry+0x3c/0x50 [ 314.295810] rest_init+0xe4/0xf0 [ 314.299030] start_kernel+0x5e8/0x790 [ 314.302684] __primary_switched+0x80/0x90 [ 314.306691] Code: 940029eb 360ffc13 f9442ea0 52800001 (f9406017) [ 314.312775] ---[ end trace 0000000000000000 ]--- [ 314.317384] Kernel panic - not syncing: Oops: Fatal exception in interrupt [ 314.324249] SMP: stopping secondary CPUs [ 314.328167] Kernel Offset: 0x2b9da00000 from 0xffffffc080000000 [ 314.334076] PHYS_OFFSET: 0x0 [ 314.336946] CPU features: 0x08,00002013,c0200000,0200421b [ 314.342337] Memory Limit: none [ 314.345382] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]--- Before resetting the GPU, it's necessary to disable all interrupts and deal with any interrupt handler still in-flight. Otherwise, the GPU might reset with jobs still running, or yet, an interrupt could be handled during the reset. Cc: stable(a)vger.kernel.org Fixes: 57692c94dcbe ("drm/v3d: Introduce a new DRM driver for Broadcom V3D V3.x+") Reviewed-by: Juan A. Suarez <jasuarez(a)igalia.com> Reviewed-by: Iago Toral Quiroga <itoral(a)igalia.com> Link: https://lore.kernel.org/r/20250628224243.47599-1-mcanal@igalia.com Signed-off-by: Maíra Canal <mcanal(a)igalia.com> diff --git a/drivers/gpu/drm/v3d/v3d_drv.h b/drivers/gpu/drm/v3d/v3d_drv.h index b51f0b648a08..411e47702f8a 100644 --- a/drivers/gpu/drm/v3d/v3d_drv.h +++ b/drivers/gpu/drm/v3d/v3d_drv.h @@ -101,6 +101,12 @@ enum v3d_gen { V3D_GEN_71 = 71, }; +enum v3d_irq { + V3D_CORE_IRQ, + V3D_HUB_IRQ, + V3D_MAX_IRQS, +}; + struct v3d_dev { struct drm_device drm; @@ -112,6 +118,8 @@ struct v3d_dev { bool single_irq_line; + int irq[V3D_MAX_IRQS]; + struct v3d_perfmon_info perfmon_info; void __iomem *hub_regs; diff --git a/drivers/gpu/drm/v3d/v3d_gem.c b/drivers/gpu/drm/v3d/v3d_gem.c index d7d16da78db3..37bf5eecdd2c 100644 --- a/drivers/gpu/drm/v3d/v3d_gem.c +++ b/drivers/gpu/drm/v3d/v3d_gem.c @@ -134,6 +134,8 @@ v3d_reset(struct v3d_dev *v3d) if (false) v3d_idle_axi(v3d, 0); + v3d_irq_disable(v3d); + v3d_idle_gca(v3d); v3d_reset_sms(v3d); v3d_reset_v3d(v3d); diff --git a/drivers/gpu/drm/v3d/v3d_irq.c b/drivers/gpu/drm/v3d/v3d_irq.c index 2cca5d3a26a2..a515a301e480 100644 --- a/drivers/gpu/drm/v3d/v3d_irq.c +++ b/drivers/gpu/drm/v3d/v3d_irq.c @@ -260,7 +260,7 @@ v3d_hub_irq(int irq, void *arg) int v3d_irq_init(struct v3d_dev *v3d) { - int irq1, ret, core; + int irq, ret, core; INIT_WORK(&v3d->overflow_mem_work, v3d_overflow_mem_work); @@ -271,17 +271,24 @@ v3d_irq_init(struct v3d_dev *v3d) V3D_CORE_WRITE(core, V3D_CTL_INT_CLR, V3D_CORE_IRQS(v3d->ver)); V3D_WRITE(V3D_HUB_INT_CLR, V3D_HUB_IRQS(v3d->ver)); - irq1 = platform_get_irq_optional(v3d_to_pdev(v3d), 1); - if (irq1 == -EPROBE_DEFER) - return irq1; - if (irq1 > 0) { - ret = devm_request_irq(v3d->drm.dev, irq1, + irq = platform_get_irq_optional(v3d_to_pdev(v3d), 1); + if (irq == -EPROBE_DEFER) + return irq; + if (irq > 0) { + v3d->irq[V3D_CORE_IRQ] = irq; + + ret = devm_request_irq(v3d->drm.dev, v3d->irq[V3D_CORE_IRQ], v3d_irq, IRQF_SHARED, "v3d_core0", v3d); if (ret) goto fail; - ret = devm_request_irq(v3d->drm.dev, - platform_get_irq(v3d_to_pdev(v3d), 0), + + irq = platform_get_irq(v3d_to_pdev(v3d), 0); + if (irq < 0) + return irq; + v3d->irq[V3D_HUB_IRQ] = irq; + + ret = devm_request_irq(v3d->drm.dev, v3d->irq[V3D_HUB_IRQ], v3d_hub_irq, IRQF_SHARED, "v3d_hub", v3d); if (ret) @@ -289,8 +296,12 @@ v3d_irq_init(struct v3d_dev *v3d) } else { v3d->single_irq_line = true; - ret = devm_request_irq(v3d->drm.dev, - platform_get_irq(v3d_to_pdev(v3d), 0), + irq = platform_get_irq(v3d_to_pdev(v3d), 0); + if (irq < 0) + return irq; + v3d->irq[V3D_CORE_IRQ] = irq; + + ret = devm_request_irq(v3d->drm.dev, v3d->irq[V3D_CORE_IRQ], v3d_irq, IRQF_SHARED, "v3d", v3d); if (ret) @@ -331,6 +342,12 @@ v3d_irq_disable(struct v3d_dev *v3d) V3D_CORE_WRITE(core, V3D_CTL_INT_MSK_SET, ~0); V3D_WRITE(V3D_HUB_INT_MSK_SET, ~0); + /* Finish any interrupt handler still in flight. */ + for (int i = 0; i < V3D_MAX_IRQS; i++) { + if (v3d->irq[i]) + synchronize_irq(v3d->irq[i]); + } + /* Clear any pending interrupts we might have left. */ for (core = 0; core < v3d->cores; core++) V3D_CORE_WRITE(core, V3D_CTL_INT_CLR, V3D_CORE_IRQS(v3d->ver));

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/v3d: Disable interrupts before resetting the GPU" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 226862f50a7a88e4e4de9abbf36c64d19acd6fd0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070614-unfeeling-suspect-5801@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 226862f50a7a88e4e4de9abbf36c64d19acd6fd0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ADra=20Canal?= <mcanal(a)igalia.com> Date: Sat, 28 Jun 2025 19:42:42 -0300 Subject: [PATCH] drm/v3d: Disable interrupts before resetting the GPU MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently, an interrupt can be triggered during a GPU reset, which can lead to GPU hangs and NULL pointer dereference in an interrupt context as shown in the following trace: [ 314.035040] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0 [ 314.043822] Mem abort info: [ 314.046606] ESR = 0x0000000096000005 [ 314.050347] EC = 0x25: DABT (current EL), IL = 32 bits [ 314.055651] SET = 0, FnV = 0 [ 314.058695] EA = 0, S1PTW = 0 [ 314.061826] FSC = 0x05: level 1 translation fault [ 314.066694] Data abort info: [ 314.069564] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 314.075039] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 314.080080] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 314.085382] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000102728000 [ 314.091814] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 314.100511] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP [ 314.106770] Modules linked in: v3d i2c_brcmstb vc4 snd_soc_hdmi_codec gpu_sched drm_shmem_helper drm_display_helper cec drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd backlight [ 314.129654] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.25+rpt-rpi-v8 #1 Debian 1:6.12.25-1+rpt1 [ 314.139388] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT) [ 314.145211] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 314.152165] pc : v3d_irq+0xec/0x2e0 [v3d] [ 314.156187] lr : v3d_irq+0xe0/0x2e0 [v3d] [ 314.160198] sp : ffffffc080003ea0 [ 314.163502] x29: ffffffc080003ea0 x28: ffffffec1f184980 x27: 021202b000000000 [ 314.170633] x26: ffffffec1f17f630 x25: ffffff8101372000 x24: ffffffec1f17d9f0 [ 314.177764] x23: 000000000000002a x22: 000000000000002a x21: ffffff8103252000 [ 314.184895] x20: 0000000000000001 x19: 00000000deadbeef x18: 0000000000000000 [ 314.192026] x17: ffffff94e51d2000 x16: ffffffec1dac3cb0 x15: c306000000000000 [ 314.199156] x14: 0000000000000000 x13: b2fc982e03cc5168 x12: 0000000000000001 [ 314.206286] x11: ffffff8103f8bcc0 x10: ffffffec1f196868 x9 : ffffffec1dac3874 [ 314.213416] x8 : 0000000000000000 x7 : 0000000000042a3a x6 : ffffff810017a180 [ 314.220547] x5 : ffffffec1ebad400 x4 : ffffffec1ebad320 x3 : 00000000000bebeb [ 314.227677] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 [ 314.234807] Call trace: [ 314.237243] v3d_irq+0xec/0x2e0 [v3d] [ 314.240906] __handle_irq_event_percpu+0x58/0x218 [ 314.245609] handle_irq_event+0x54/0xb8 [ 314.249439] handle_fasteoi_irq+0xac/0x240 [ 314.253527] handle_irq_desc+0x48/0x68 [ 314.257269] generic_handle_domain_irq+0x24/0x38 [ 314.261879] gic_handle_irq+0x48/0xd8 [ 314.265533] call_on_irq_stack+0x24/0x58 [ 314.269448] do_interrupt_handler+0x88/0x98 [ 314.273624] el1_interrupt+0x34/0x68 [ 314.277193] el1h_64_irq_handler+0x18/0x28 [ 314.281281] el1h_64_irq+0x64/0x68 [ 314.284673] default_idle_call+0x3c/0x168 [ 314.288675] do_idle+0x1fc/0x230 [ 314.291895] cpu_startup_entry+0x3c/0x50 [ 314.295810] rest_init+0xe4/0xf0 [ 314.299030] start_kernel+0x5e8/0x790 [ 314.302684] __primary_switched+0x80/0x90 [ 314.306691] Code: 940029eb 360ffc13 f9442ea0 52800001 (f9406017) [ 314.312775] ---[ end trace 0000000000000000 ]--- [ 314.317384] Kernel panic - not syncing: Oops: Fatal exception in interrupt [ 314.324249] SMP: stopping secondary CPUs [ 314.328167] Kernel Offset: 0x2b9da00000 from 0xffffffc080000000 [ 314.334076] PHYS_OFFSET: 0x0 [ 314.336946] CPU features: 0x08,00002013,c0200000,0200421b [ 314.342337] Memory Limit: none [ 314.345382] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]--- Before resetting the GPU, it's necessary to disable all interrupts and deal with any interrupt handler still in-flight. Otherwise, the GPU might reset with jobs still running, or yet, an interrupt could be handled during the reset. Cc: stable(a)vger.kernel.org Fixes: 57692c94dcbe ("drm/v3d: Introduce a new DRM driver for Broadcom V3D V3.x+") Reviewed-by: Juan A. Suarez <jasuarez(a)igalia.com> Reviewed-by: Iago Toral Quiroga <itoral(a)igalia.com> Link: https://lore.kernel.org/r/20250628224243.47599-1-mcanal@igalia.com Signed-off-by: Maíra Canal <mcanal(a)igalia.com> diff --git a/drivers/gpu/drm/v3d/v3d_drv.h b/drivers/gpu/drm/v3d/v3d_drv.h index b51f0b648a08..411e47702f8a 100644 --- a/drivers/gpu/drm/v3d/v3d_drv.h +++ b/drivers/gpu/drm/v3d/v3d_drv.h @@ -101,6 +101,12 @@ enum v3d_gen { V3D_GEN_71 = 71, }; +enum v3d_irq { + V3D_CORE_IRQ, + V3D_HUB_IRQ, + V3D_MAX_IRQS, +}; + struct v3d_dev { struct drm_device drm; @@ -112,6 +118,8 @@ struct v3d_dev { bool single_irq_line; + int irq[V3D_MAX_IRQS]; + struct v3d_perfmon_info perfmon_info; void __iomem *hub_regs; diff --git a/drivers/gpu/drm/v3d/v3d_gem.c b/drivers/gpu/drm/v3d/v3d_gem.c index d7d16da78db3..37bf5eecdd2c 100644 --- a/drivers/gpu/drm/v3d/v3d_gem.c +++ b/drivers/gpu/drm/v3d/v3d_gem.c @@ -134,6 +134,8 @@ v3d_reset(struct v3d_dev *v3d) if (false) v3d_idle_axi(v3d, 0); + v3d_irq_disable(v3d); + v3d_idle_gca(v3d); v3d_reset_sms(v3d); v3d_reset_v3d(v3d); diff --git a/drivers/gpu/drm/v3d/v3d_irq.c b/drivers/gpu/drm/v3d/v3d_irq.c index 2cca5d3a26a2..a515a301e480 100644 --- a/drivers/gpu/drm/v3d/v3d_irq.c +++ b/drivers/gpu/drm/v3d/v3d_irq.c @@ -260,7 +260,7 @@ v3d_hub_irq(int irq, void *arg) int v3d_irq_init(struct v3d_dev *v3d) { - int irq1, ret, core; + int irq, ret, core; INIT_WORK(&v3d->overflow_mem_work, v3d_overflow_mem_work); @@ -271,17 +271,24 @@ v3d_irq_init(struct v3d_dev *v3d) V3D_CORE_WRITE(core, V3D_CTL_INT_CLR, V3D_CORE_IRQS(v3d->ver)); V3D_WRITE(V3D_HUB_INT_CLR, V3D_HUB_IRQS(v3d->ver)); - irq1 = platform_get_irq_optional(v3d_to_pdev(v3d), 1); - if (irq1 == -EPROBE_DEFER) - return irq1; - if (irq1 > 0) { - ret = devm_request_irq(v3d->drm.dev, irq1, + irq = platform_get_irq_optional(v3d_to_pdev(v3d), 1); + if (irq == -EPROBE_DEFER) + return irq; + if (irq > 0) { + v3d->irq[V3D_CORE_IRQ] = irq; + + ret = devm_request_irq(v3d->drm.dev, v3d->irq[V3D_CORE_IRQ], v3d_irq, IRQF_SHARED, "v3d_core0", v3d); if (ret) goto fail; - ret = devm_request_irq(v3d->drm.dev, - platform_get_irq(v3d_to_pdev(v3d), 0), + + irq = platform_get_irq(v3d_to_pdev(v3d), 0); + if (irq < 0) + return irq; + v3d->irq[V3D_HUB_IRQ] = irq; + + ret = devm_request_irq(v3d->drm.dev, v3d->irq[V3D_HUB_IRQ], v3d_hub_irq, IRQF_SHARED, "v3d_hub", v3d); if (ret) @@ -289,8 +296,12 @@ v3d_irq_init(struct v3d_dev *v3d) } else { v3d->single_irq_line = true; - ret = devm_request_irq(v3d->drm.dev, - platform_get_irq(v3d_to_pdev(v3d), 0), + irq = platform_get_irq(v3d_to_pdev(v3d), 0); + if (irq < 0) + return irq; + v3d->irq[V3D_CORE_IRQ] = irq; + + ret = devm_request_irq(v3d->drm.dev, v3d->irq[V3D_CORE_IRQ], v3d_irq, IRQF_SHARED, "v3d", v3d); if (ret) @@ -331,6 +342,12 @@ v3d_irq_disable(struct v3d_dev *v3d) V3D_CORE_WRITE(core, V3D_CTL_INT_MSK_SET, ~0); V3D_WRITE(V3D_HUB_INT_MSK_SET, ~0); + /* Finish any interrupt handler still in flight. */ + for (int i = 0; i < V3D_MAX_IRQS; i++) { + if (v3d->irq[i]) + synchronize_irq(v3d->irq[i]); + } + /* Clear any pending interrupts we might have left. */ for (core = 0; core < v3d->cores; core++) V3D_CORE_WRITE(core, V3D_CTL_INT_CLR, V3D_CORE_IRQS(v3d->ver));

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mtk-sd: reset host->mrq on prepare_data() error" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x ec54c0a20709ed6e56f40a8d59eee725c31a916b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070655-graded-numbly-6d00@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ec54c0a20709ed6e56f40a8d59eee725c31a916b Mon Sep 17 00:00:00 2001 From: Sergey Senozhatsky <senozhatsky(a)chromium.org> Date: Wed, 25 Jun 2025 14:20:37 +0900 Subject: [PATCH] mtk-sd: reset host->mrq on prepare_data() error Do not leave host with dangling ->mrq pointer if we hit the msdc_prepare_data() error out path. Signed-off-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> Reviewed-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Fixes: f5de469990f1 ("mtk-sd: Prevent memory corruption from DMA map failure") Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250625052106.584905-1-senozhatsky@chromium.org Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/mmc/host/mtk-sd.c b/drivers/mmc/host/mtk-sd.c index b12cfb9a5e5f..d7020e06dd55 100644 --- a/drivers/mmc/host/mtk-sd.c +++ b/drivers/mmc/host/mtk-sd.c @@ -1492,6 +1492,7 @@ static void msdc_ops_request(struct mmc_host *mmc, struct mmc_request *mrq) if (mrq->data) { msdc_prepare_data(host, mrq->data); if (!msdc_data_prepared(mrq->data)) { + host->mrq = NULL; /* * Failed to prepare DMA area, fail fast before * starting any commands.

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mtk-sd: reset host->mrq on prepare_data() error" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x ec54c0a20709ed6e56f40a8d59eee725c31a916b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070655-kindred-magnify-4bcf@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ec54c0a20709ed6e56f40a8d59eee725c31a916b Mon Sep 17 00:00:00 2001 From: Sergey Senozhatsky <senozhatsky(a)chromium.org> Date: Wed, 25 Jun 2025 14:20:37 +0900 Subject: [PATCH] mtk-sd: reset host->mrq on prepare_data() error Do not leave host with dangling ->mrq pointer if we hit the msdc_prepare_data() error out path. Signed-off-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> Reviewed-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Fixes: f5de469990f1 ("mtk-sd: Prevent memory corruption from DMA map failure") Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250625052106.584905-1-senozhatsky@chromium.org Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/mmc/host/mtk-sd.c b/drivers/mmc/host/mtk-sd.c index b12cfb9a5e5f..d7020e06dd55 100644 --- a/drivers/mmc/host/mtk-sd.c +++ b/drivers/mmc/host/mtk-sd.c @@ -1492,6 +1492,7 @@ static void msdc_ops_request(struct mmc_host *mmc, struct mmc_request *mrq) if (mrq->data) { msdc_prepare_data(host, mrq->data); if (!msdc_data_prepared(mrq->data)) { + host->mrq = NULL; /* * Failed to prepare DMA area, fail fast before * starting any commands.

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mtk-sd: Prevent memory corruption from DMA map failure" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x f5de469990f19569627ea0dd56536ff5a13beaa3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070635-mockup-amicably-51ad@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f5de469990f19569627ea0dd56536ff5a13beaa3 Mon Sep 17 00:00:00 2001 From: "Masami Hiramatsu (Google)" <mhiramat(a)kernel.org> Date: Thu, 12 Jun 2025 20:26:10 +0900 Subject: [PATCH] mtk-sd: Prevent memory corruption from DMA map failure If msdc_prepare_data() fails to map the DMA region, the request is not prepared for data receiving, but msdc_start_data() proceeds the DMA with previous setting. Since this will lead a memory corruption, we have to stop the request operation soon after the msdc_prepare_data() fails to prepare it. Signed-off-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Fixes: 208489032bdd ("mmc: mediatek: Add Mediatek MMC driver") Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/174972756982.3337526.6755001617701603082.stgit@mh… Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/mmc/host/mtk-sd.c b/drivers/mmc/host/mtk-sd.c index b1d1586cf1fc..b12cfb9a5e5f 100644 --- a/drivers/mmc/host/mtk-sd.c +++ b/drivers/mmc/host/mtk-sd.c @@ -853,6 +853,11 @@ static void msdc_prepare_data(struct msdc_host *host, struct mmc_data *data) } } +static bool msdc_data_prepared(struct mmc_data *data) +{ + return data->host_cookie & MSDC_PREPARE_FLAG; +} + static void msdc_unprepare_data(struct msdc_host *host, struct mmc_data *data) { if (data->host_cookie & MSDC_ASYNC_FLAG) @@ -1484,8 +1489,18 @@ static void msdc_ops_request(struct mmc_host *mmc, struct mmc_request *mrq) WARN_ON(!host->hsq_en && host->mrq); host->mrq = mrq; - if (mrq->data) + if (mrq->data) { msdc_prepare_data(host, mrq->data); + if (!msdc_data_prepared(mrq->data)) { + /* + * Failed to prepare DMA area, fail fast before + * starting any commands. + */ + mrq->cmd->error = -ENOSPC; + mmc_request_done(mmc_from_priv(host), mrq); + return; + } + } /* if SBC is required, we have HW option and SW option. * if HW option is enabled, and SBC does not have "special" flags,

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mtk-sd: Prevent memory corruption from DMA map failure" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x f5de469990f19569627ea0dd56536ff5a13beaa3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070634-wrongness-claw-15a0@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f5de469990f19569627ea0dd56536ff5a13beaa3 Mon Sep 17 00:00:00 2001 From: "Masami Hiramatsu (Google)" <mhiramat(a)kernel.org> Date: Thu, 12 Jun 2025 20:26:10 +0900 Subject: [PATCH] mtk-sd: Prevent memory corruption from DMA map failure If msdc_prepare_data() fails to map the DMA region, the request is not prepared for data receiving, but msdc_start_data() proceeds the DMA with previous setting. Since this will lead a memory corruption, we have to stop the request operation soon after the msdc_prepare_data() fails to prepare it. Signed-off-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Fixes: 208489032bdd ("mmc: mediatek: Add Mediatek MMC driver") Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/174972756982.3337526.6755001617701603082.stgit@mh… Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/mmc/host/mtk-sd.c b/drivers/mmc/host/mtk-sd.c index b1d1586cf1fc..b12cfb9a5e5f 100644 --- a/drivers/mmc/host/mtk-sd.c +++ b/drivers/mmc/host/mtk-sd.c @@ -853,6 +853,11 @@ static void msdc_prepare_data(struct msdc_host *host, struct mmc_data *data) } } +static bool msdc_data_prepared(struct mmc_data *data) +{ + return data->host_cookie & MSDC_PREPARE_FLAG; +} + static void msdc_unprepare_data(struct msdc_host *host, struct mmc_data *data) { if (data->host_cookie & MSDC_ASYNC_FLAG) @@ -1484,8 +1489,18 @@ static void msdc_ops_request(struct mmc_host *mmc, struct mmc_request *mrq) WARN_ON(!host->hsq_en && host->mrq); host->mrq = mrq; - if (mrq->data) + if (mrq->data) { msdc_prepare_data(host, mrq->data); + if (!msdc_data_prepared(mrq->data)) { + /* + * Failed to prepare DMA area, fail fast before + * starting any commands. + */ + mrq->cmd->error = -ENOSPC; + mmc_request_done(mmc_from_priv(host), mrq); + return; + } + } /* if SBC is required, we have HW option and SW option. * if HW option is enabled, and SBC does not have "special" flags,

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] regulator: gpio: Fix the out-of-bounds access to" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x c9764fd88bc744592b0604ccb6b6fc1a5f76b4e3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070620-snippet-reunite-9081@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c9764fd88bc744592b0604ccb6b6fc1a5f76b4e3 Mon Sep 17 00:00:00 2001 From: Manivannan Sadhasivam <mani(a)kernel.org> Date: Thu, 3 Jul 2025 16:05:49 +0530 Subject: [PATCH] regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods drvdata::gpiods is supposed to hold an array of 'gpio_desc' pointers. But the memory is allocated for only one pointer. This will lead to out-of-bounds access later in the code if 'config::ngpios' is > 1. So fix the code to allocate enough memory to hold 'config::ngpios' of GPIO descriptors. While at it, also move the check for memory allocation failure to be below the allocation to make it more readable. Cc: stable(a)vger.kernel.org # 5.0 Fixes: d6cd33ad7102 ("regulator: gpio: Convert to use descriptors") Signed-off-by: Manivannan Sadhasivam <mani(a)kernel.org> Link: https://patch.msgid.link/20250703103549.16558-1-mani@kernel.org Signed-off-by: Mark Brown <broonie(a)kernel.org> diff --git a/drivers/regulator/gpio-regulator.c b/drivers/regulator/gpio-regulator.c index 75bd53445ba7..6351ceefdb3e 100644 --- a/drivers/regulator/gpio-regulator.c +++ b/drivers/regulator/gpio-regulator.c @@ -260,8 +260,10 @@ static int gpio_regulator_probe(struct platform_device *pdev) return -ENOMEM; } - drvdata->gpiods = devm_kzalloc(dev, sizeof(struct gpio_desc *), - GFP_KERNEL); + drvdata->gpiods = devm_kcalloc(dev, config->ngpios, + sizeof(struct gpio_desc *), GFP_KERNEL); + if (!drvdata->gpiods) + return -ENOMEM; if (config->input_supply) { drvdata->desc.supply_name = devm_kstrdup(&pdev->dev, @@ -274,8 +276,6 @@ static int gpio_regulator_probe(struct platform_device *pdev) } } - if (!drvdata->gpiods) - return -ENOMEM; for (i = 0; i < config->ngpios; i++) { drvdata->gpiods[i] = devm_gpiod_get_index(dev, NULL,

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] regulator: gpio: Fix the out-of-bounds access to" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x c9764fd88bc744592b0604ccb6b6fc1a5f76b4e3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070619-hexagon-plow-24d5@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c9764fd88bc744592b0604ccb6b6fc1a5f76b4e3 Mon Sep 17 00:00:00 2001 From: Manivannan Sadhasivam <mani(a)kernel.org> Date: Thu, 3 Jul 2025 16:05:49 +0530 Subject: [PATCH] regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods drvdata::gpiods is supposed to hold an array of 'gpio_desc' pointers. But the memory is allocated for only one pointer. This will lead to out-of-bounds access later in the code if 'config::ngpios' is > 1. So fix the code to allocate enough memory to hold 'config::ngpios' of GPIO descriptors. While at it, also move the check for memory allocation failure to be below the allocation to make it more readable. Cc: stable(a)vger.kernel.org # 5.0 Fixes: d6cd33ad7102 ("regulator: gpio: Convert to use descriptors") Signed-off-by: Manivannan Sadhasivam <mani(a)kernel.org> Link: https://patch.msgid.link/20250703103549.16558-1-mani@kernel.org Signed-off-by: Mark Brown <broonie(a)kernel.org> diff --git a/drivers/regulator/gpio-regulator.c b/drivers/regulator/gpio-regulator.c index 75bd53445ba7..6351ceefdb3e 100644 --- a/drivers/regulator/gpio-regulator.c +++ b/drivers/regulator/gpio-regulator.c @@ -260,8 +260,10 @@ static int gpio_regulator_probe(struct platform_device *pdev) return -ENOMEM; } - drvdata->gpiods = devm_kzalloc(dev, sizeof(struct gpio_desc *), - GFP_KERNEL); + drvdata->gpiods = devm_kcalloc(dev, config->ngpios, + sizeof(struct gpio_desc *), GFP_KERNEL); + if (!drvdata->gpiods) + return -ENOMEM; if (config->input_supply) { drvdata->desc.supply_name = devm_kstrdup(&pdev->dev, @@ -274,8 +276,6 @@ static int gpio_regulator_probe(struct platform_device *pdev) } } - if (!drvdata->gpiods) - return -ENOMEM; for (i = 0; i < config->ngpios; i++) { drvdata->gpiods[i] = devm_gpiod_get_index(dev, NULL,

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] regulator: gpio: Fix the out-of-bounds access to" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x c9764fd88bc744592b0604ccb6b6fc1a5f76b4e3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070619-marauding-shivering-f78b@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c9764fd88bc744592b0604ccb6b6fc1a5f76b4e3 Mon Sep 17 00:00:00 2001 From: Manivannan Sadhasivam <mani(a)kernel.org> Date: Thu, 3 Jul 2025 16:05:49 +0530 Subject: [PATCH] regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods drvdata::gpiods is supposed to hold an array of 'gpio_desc' pointers. But the memory is allocated for only one pointer. This will lead to out-of-bounds access later in the code if 'config::ngpios' is > 1. So fix the code to allocate enough memory to hold 'config::ngpios' of GPIO descriptors. While at it, also move the check for memory allocation failure to be below the allocation to make it more readable. Cc: stable(a)vger.kernel.org # 5.0 Fixes: d6cd33ad7102 ("regulator: gpio: Convert to use descriptors") Signed-off-by: Manivannan Sadhasivam <mani(a)kernel.org> Link: https://patch.msgid.link/20250703103549.16558-1-mani@kernel.org Signed-off-by: Mark Brown <broonie(a)kernel.org> diff --git a/drivers/regulator/gpio-regulator.c b/drivers/regulator/gpio-regulator.c index 75bd53445ba7..6351ceefdb3e 100644 --- a/drivers/regulator/gpio-regulator.c +++ b/drivers/regulator/gpio-regulator.c @@ -260,8 +260,10 @@ static int gpio_regulator_probe(struct platform_device *pdev) return -ENOMEM; } - drvdata->gpiods = devm_kzalloc(dev, sizeof(struct gpio_desc *), - GFP_KERNEL); + drvdata->gpiods = devm_kcalloc(dev, config->ngpios, + sizeof(struct gpio_desc *), GFP_KERNEL); + if (!drvdata->gpiods) + return -ENOMEM; if (config->input_supply) { drvdata->desc.supply_name = devm_kstrdup(&pdev->dev, @@ -274,8 +276,6 @@ static int gpio_regulator_probe(struct platform_device *pdev) } } - if (!drvdata->gpiods) - return -ENOMEM; for (i = 0; i < config->ngpios; i++) { drvdata->gpiods[i] = devm_gpiod_get_index(dev, NULL,

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] Bluetooth: HCI: Set extended advertising data synchronously" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 89fb8acc38852116d38d721ad394aad7f2871670 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070627-earring-fiction-a829@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 89fb8acc38852116d38d721ad394aad7f2871670 Mon Sep 17 00:00:00 2001 From: Christian Eggers <ceggers(a)arri.de> Date: Fri, 27 Jun 2025 09:05:08 +0200 Subject: [PATCH] Bluetooth: HCI: Set extended advertising data synchronously Currently, for controllers with extended advertising, the advertising data is set in the asynchronous response handler for extended adverstising params. As most advertising settings are performed in a synchronous context, the (asynchronous) setting of the advertising data is done too late (after enabling the advertising). Move setting of adverstising data from asynchronous response handler into synchronous context to fix ordering of HCI commands. Signed-off-by: Christian Eggers <ceggers(a)arri.de> Fixes: a0fb3726ba55 ("Bluetooth: Use Set ext adv/scan rsp data if controller supports") Cc: stable(a)vger.kernel.org v2: https://lore.kernel.org/linux-bluetooth/20250626115209.17839-1-ceggers@arri… Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 66052d6aaa1d..4d5ace9d245d 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -2150,40 +2150,6 @@ static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data, return rp->status; } -static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data, - struct sk_buff *skb) -{ - struct hci_rp_le_set_ext_adv_params *rp = data; - struct hci_cp_le_set_ext_adv_params *cp; - struct adv_info *adv_instance; - - bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); - - if (rp->status) - return rp->status; - - cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS); - if (!cp) - return rp->status; - - hci_dev_lock(hdev); - hdev->adv_addr_type = cp->own_addr_type; - if (!cp->handle) { - /* Store in hdev for instance 0 */ - hdev->adv_tx_power = rp->tx_power; - } else { - adv_instance = hci_find_adv_instance(hdev, cp->handle); - if (adv_instance) - adv_instance->tx_power = rp->tx_power; - } - /* Update adv data as tx power is known now */ - hci_update_adv_data(hdev, cp->handle); - - hci_dev_unlock(hdev); - - return rp->status; -} - static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data, struct sk_buff *skb) { @@ -4164,8 +4130,6 @@ static const struct hci_cc { HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS, hci_cc_le_read_num_adv_sets, sizeof(struct hci_rp_le_read_num_supported_adv_sets)), - HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param, - sizeof(struct hci_rp_le_set_ext_adv_params)), HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE, hci_cc_le_set_ext_adv_enable), HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR, diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c index 106862d47964..77b3691f3423 100644 --- a/net/bluetooth/hci_sync.c +++ b/net/bluetooth/hci_sync.c @@ -1205,9 +1205,126 @@ static int hci_set_adv_set_random_addr_sync(struct hci_dev *hdev, u8 instance, sizeof(cp), &cp, HCI_CMD_TIMEOUT); } +static int +hci_set_ext_adv_params_sync(struct hci_dev *hdev, struct adv_info *adv, + const struct hci_cp_le_set_ext_adv_params *cp, + struct hci_rp_le_set_ext_adv_params *rp) +{ + struct sk_buff *skb; + + skb = __hci_cmd_sync(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS, sizeof(*cp), + cp, HCI_CMD_TIMEOUT); + + /* If command return a status event, skb will be set to -ENODATA */ + if (skb == ERR_PTR(-ENODATA)) + return 0; + + if (IS_ERR(skb)) { + bt_dev_err(hdev, "Opcode 0x%4.4x failed: %ld", + HCI_OP_LE_SET_EXT_ADV_PARAMS, PTR_ERR(skb)); + return PTR_ERR(skb); + } + + if (skb->len != sizeof(*rp)) { + bt_dev_err(hdev, "Invalid response length for 0x%4.4x: %u", + HCI_OP_LE_SET_EXT_ADV_PARAMS, skb->len); + kfree_skb(skb); + return -EIO; + } + + memcpy(rp, skb->data, sizeof(*rp)); + kfree_skb(skb); + + if (!rp->status) { + hdev->adv_addr_type = cp->own_addr_type; + if (!cp->handle) { + /* Store in hdev for instance 0 */ + hdev->adv_tx_power = rp->tx_power; + } else if (adv) { + adv->tx_power = rp->tx_power; + } + } + + return rp->status; +} + +static int hci_set_ext_adv_data_sync(struct hci_dev *hdev, u8 instance) +{ + DEFINE_FLEX(struct hci_cp_le_set_ext_adv_data, pdu, data, length, + HCI_MAX_EXT_AD_LENGTH); + u8 len; + struct adv_info *adv = NULL; + int err; + + if (instance) { + adv = hci_find_adv_instance(hdev, instance); + if (!adv || !adv->adv_data_changed) + return 0; + } + + len = eir_create_adv_data(hdev, instance, pdu->data, + HCI_MAX_EXT_AD_LENGTH); + + pdu->length = len; + pdu->handle = adv ? adv->handle : instance; + pdu->operation = LE_SET_ADV_DATA_OP_COMPLETE; + pdu->frag_pref = LE_SET_ADV_DATA_NO_FRAG; + + err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_DATA, + struct_size(pdu, data, len), pdu, + HCI_CMD_TIMEOUT); + if (err) + return err; + + /* Update data if the command succeed */ + if (adv) { + adv->adv_data_changed = false; + } else { + memcpy(hdev->adv_data, pdu->data, len); + hdev->adv_data_len = len; + } + + return 0; +} + +static int hci_set_adv_data_sync(struct hci_dev *hdev, u8 instance) +{ + struct hci_cp_le_set_adv_data cp; + u8 len; + + memset(&cp, 0, sizeof(cp)); + + len = eir_create_adv_data(hdev, instance, cp.data, sizeof(cp.data)); + + /* There's nothing to do if the data hasn't changed */ + if (hdev->adv_data_len == len && + memcmp(cp.data, hdev->adv_data, len) == 0) + return 0; + + memcpy(hdev->adv_data, cp.data, sizeof(cp.data)); + hdev->adv_data_len = len; + + cp.length = len; + + return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_ADV_DATA, + sizeof(cp), &cp, HCI_CMD_TIMEOUT); +} + +int hci_update_adv_data_sync(struct hci_dev *hdev, u8 instance) +{ + if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) + return 0; + + if (ext_adv_capable(hdev)) + return hci_set_ext_adv_data_sync(hdev, instance); + + return hci_set_adv_data_sync(hdev, instance); +} + int hci_setup_ext_adv_instance_sync(struct hci_dev *hdev, u8 instance) { struct hci_cp_le_set_ext_adv_params cp; + struct hci_rp_le_set_ext_adv_params rp; bool connectable; u32 flags; bdaddr_t random_addr; @@ -1316,8 +1433,12 @@ int hci_setup_ext_adv_instance_sync(struct hci_dev *hdev, u8 instance) cp.secondary_phy = HCI_ADV_PHY_1M; } - err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS, - sizeof(cp), &cp, HCI_CMD_TIMEOUT); + err = hci_set_ext_adv_params_sync(hdev, adv, &cp, &rp); + if (err) + return err; + + /* Update adv data as tx power is known now */ + err = hci_set_ext_adv_data_sync(hdev, cp.handle); if (err) return err; @@ -1822,79 +1943,6 @@ int hci_le_terminate_big_sync(struct hci_dev *hdev, u8 handle, u8 reason) sizeof(cp), &cp, HCI_CMD_TIMEOUT); } -static int hci_set_ext_adv_data_sync(struct hci_dev *hdev, u8 instance) -{ - DEFINE_FLEX(struct hci_cp_le_set_ext_adv_data, pdu, data, length, - HCI_MAX_EXT_AD_LENGTH); - u8 len; - struct adv_info *adv = NULL; - int err; - - if (instance) { - adv = hci_find_adv_instance(hdev, instance); - if (!adv || !adv->adv_data_changed) - return 0; - } - - len = eir_create_adv_data(hdev, instance, pdu->data, - HCI_MAX_EXT_AD_LENGTH); - - pdu->length = len; - pdu->handle = adv ? adv->handle : instance; - pdu->operation = LE_SET_ADV_DATA_OP_COMPLETE; - pdu->frag_pref = LE_SET_ADV_DATA_NO_FRAG; - - err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_DATA, - struct_size(pdu, data, len), pdu, - HCI_CMD_TIMEOUT); - if (err) - return err; - - /* Update data if the command succeed */ - if (adv) { - adv->adv_data_changed = false; - } else { - memcpy(hdev->adv_data, pdu->data, len); - hdev->adv_data_len = len; - } - - return 0; -} - -static int hci_set_adv_data_sync(struct hci_dev *hdev, u8 instance) -{ - struct hci_cp_le_set_adv_data cp; - u8 len; - - memset(&cp, 0, sizeof(cp)); - - len = eir_create_adv_data(hdev, instance, cp.data, sizeof(cp.data)); - - /* There's nothing to do if the data hasn't changed */ - if (hdev->adv_data_len == len && - memcmp(cp.data, hdev->adv_data, len) == 0) - return 0; - - memcpy(hdev->adv_data, cp.data, sizeof(cp.data)); - hdev->adv_data_len = len; - - cp.length = len; - - return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_ADV_DATA, - sizeof(cp), &cp, HCI_CMD_TIMEOUT); -} - -int hci_update_adv_data_sync(struct hci_dev *hdev, u8 instance) -{ - if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) - return 0; - - if (ext_adv_capable(hdev)) - return hci_set_ext_adv_data_sync(hdev, instance); - - return hci_set_adv_data_sync(hdev, instance); -} - int hci_schedule_adv_instance_sync(struct hci_dev *hdev, u8 instance, bool force) { @@ -6273,6 +6321,7 @@ static int hci_le_ext_directed_advertising_sync(struct hci_dev *hdev, struct hci_conn *conn) { struct hci_cp_le_set_ext_adv_params cp; + struct hci_rp_le_set_ext_adv_params rp; int err; bdaddr_t random_addr; u8 own_addr_type; @@ -6314,8 +6363,12 @@ static int hci_le_ext_directed_advertising_sync(struct hci_dev *hdev, if (err) return err; - err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS, - sizeof(cp), &cp, HCI_CMD_TIMEOUT); + err = hci_set_ext_adv_params_sync(hdev, NULL, &cp, &rp); + if (err) + return err; + + /* Update adv data as tx power is known now */ + err = hci_set_ext_adv_data_sync(hdev, cp.handle); if (err) return err;

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] Bluetooth: HCI: Set extended advertising data synchronously" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 89fb8acc38852116d38d721ad394aad7f2871670 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070627-overbook-trimming-70bb@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 89fb8acc38852116d38d721ad394aad7f2871670 Mon Sep 17 00:00:00 2001 From: Christian Eggers <ceggers(a)arri.de> Date: Fri, 27 Jun 2025 09:05:08 +0200 Subject: [PATCH] Bluetooth: HCI: Set extended advertising data synchronously Currently, for controllers with extended advertising, the advertising data is set in the asynchronous response handler for extended adverstising params. As most advertising settings are performed in a synchronous context, the (asynchronous) setting of the advertising data is done too late (after enabling the advertising). Move setting of adverstising data from asynchronous response handler into synchronous context to fix ordering of HCI commands. Signed-off-by: Christian Eggers <ceggers(a)arri.de> Fixes: a0fb3726ba55 ("Bluetooth: Use Set ext adv/scan rsp data if controller supports") Cc: stable(a)vger.kernel.org v2: https://lore.kernel.org/linux-bluetooth/20250626115209.17839-1-ceggers@arri… Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 66052d6aaa1d..4d5ace9d245d 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -2150,40 +2150,6 @@ static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data, return rp->status; } -static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data, - struct sk_buff *skb) -{ - struct hci_rp_le_set_ext_adv_params *rp = data; - struct hci_cp_le_set_ext_adv_params *cp; - struct adv_info *adv_instance; - - bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); - - if (rp->status) - return rp->status; - - cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS); - if (!cp) - return rp->status; - - hci_dev_lock(hdev); - hdev->adv_addr_type = cp->own_addr_type; - if (!cp->handle) { - /* Store in hdev for instance 0 */ - hdev->adv_tx_power = rp->tx_power; - } else { - adv_instance = hci_find_adv_instance(hdev, cp->handle); - if (adv_instance) - adv_instance->tx_power = rp->tx_power; - } - /* Update adv data as tx power is known now */ - hci_update_adv_data(hdev, cp->handle); - - hci_dev_unlock(hdev); - - return rp->status; -} - static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data, struct sk_buff *skb) { @@ -4164,8 +4130,6 @@ static const struct hci_cc { HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS, hci_cc_le_read_num_adv_sets, sizeof(struct hci_rp_le_read_num_supported_adv_sets)), - HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param, - sizeof(struct hci_rp_le_set_ext_adv_params)), HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE, hci_cc_le_set_ext_adv_enable), HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR, diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c index 106862d47964..77b3691f3423 100644 --- a/net/bluetooth/hci_sync.c +++ b/net/bluetooth/hci_sync.c @@ -1205,9 +1205,126 @@ static int hci_set_adv_set_random_addr_sync(struct hci_dev *hdev, u8 instance, sizeof(cp), &cp, HCI_CMD_TIMEOUT); } +static int +hci_set_ext_adv_params_sync(struct hci_dev *hdev, struct adv_info *adv, + const struct hci_cp_le_set_ext_adv_params *cp, + struct hci_rp_le_set_ext_adv_params *rp) +{ + struct sk_buff *skb; + + skb = __hci_cmd_sync(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS, sizeof(*cp), + cp, HCI_CMD_TIMEOUT); + + /* If command return a status event, skb will be set to -ENODATA */ + if (skb == ERR_PTR(-ENODATA)) + return 0; + + if (IS_ERR(skb)) { + bt_dev_err(hdev, "Opcode 0x%4.4x failed: %ld", + HCI_OP_LE_SET_EXT_ADV_PARAMS, PTR_ERR(skb)); + return PTR_ERR(skb); + } + + if (skb->len != sizeof(*rp)) { + bt_dev_err(hdev, "Invalid response length for 0x%4.4x: %u", + HCI_OP_LE_SET_EXT_ADV_PARAMS, skb->len); + kfree_skb(skb); + return -EIO; + } + + memcpy(rp, skb->data, sizeof(*rp)); + kfree_skb(skb); + + if (!rp->status) { + hdev->adv_addr_type = cp->own_addr_type; + if (!cp->handle) { + /* Store in hdev for instance 0 */ + hdev->adv_tx_power = rp->tx_power; + } else if (adv) { + adv->tx_power = rp->tx_power; + } + } + + return rp->status; +} + +static int hci_set_ext_adv_data_sync(struct hci_dev *hdev, u8 instance) +{ + DEFINE_FLEX(struct hci_cp_le_set_ext_adv_data, pdu, data, length, + HCI_MAX_EXT_AD_LENGTH); + u8 len; + struct adv_info *adv = NULL; + int err; + + if (instance) { + adv = hci_find_adv_instance(hdev, instance); + if (!adv || !adv->adv_data_changed) + return 0; + } + + len = eir_create_adv_data(hdev, instance, pdu->data, + HCI_MAX_EXT_AD_LENGTH); + + pdu->length = len; + pdu->handle = adv ? adv->handle : instance; + pdu->operation = LE_SET_ADV_DATA_OP_COMPLETE; + pdu->frag_pref = LE_SET_ADV_DATA_NO_FRAG; + + err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_DATA, + struct_size(pdu, data, len), pdu, + HCI_CMD_TIMEOUT); + if (err) + return err; + + /* Update data if the command succeed */ + if (adv) { + adv->adv_data_changed = false; + } else { + memcpy(hdev->adv_data, pdu->data, len); + hdev->adv_data_len = len; + } + + return 0; +} + +static int hci_set_adv_data_sync(struct hci_dev *hdev, u8 instance) +{ + struct hci_cp_le_set_adv_data cp; + u8 len; + + memset(&cp, 0, sizeof(cp)); + + len = eir_create_adv_data(hdev, instance, cp.data, sizeof(cp.data)); + + /* There's nothing to do if the data hasn't changed */ + if (hdev->adv_data_len == len && + memcmp(cp.data, hdev->adv_data, len) == 0) + return 0; + + memcpy(hdev->adv_data, cp.data, sizeof(cp.data)); + hdev->adv_data_len = len; + + cp.length = len; + + return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_ADV_DATA, + sizeof(cp), &cp, HCI_CMD_TIMEOUT); +} + +int hci_update_adv_data_sync(struct hci_dev *hdev, u8 instance) +{ + if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) + return 0; + + if (ext_adv_capable(hdev)) + return hci_set_ext_adv_data_sync(hdev, instance); + + return hci_set_adv_data_sync(hdev, instance); +} + int hci_setup_ext_adv_instance_sync(struct hci_dev *hdev, u8 instance) { struct hci_cp_le_set_ext_adv_params cp; + struct hci_rp_le_set_ext_adv_params rp; bool connectable; u32 flags; bdaddr_t random_addr; @@ -1316,8 +1433,12 @@ int hci_setup_ext_adv_instance_sync(struct hci_dev *hdev, u8 instance) cp.secondary_phy = HCI_ADV_PHY_1M; } - err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS, - sizeof(cp), &cp, HCI_CMD_TIMEOUT); + err = hci_set_ext_adv_params_sync(hdev, adv, &cp, &rp); + if (err) + return err; + + /* Update adv data as tx power is known now */ + err = hci_set_ext_adv_data_sync(hdev, cp.handle); if (err) return err; @@ -1822,79 +1943,6 @@ int hci_le_terminate_big_sync(struct hci_dev *hdev, u8 handle, u8 reason) sizeof(cp), &cp, HCI_CMD_TIMEOUT); } -static int hci_set_ext_adv_data_sync(struct hci_dev *hdev, u8 instance) -{ - DEFINE_FLEX(struct hci_cp_le_set_ext_adv_data, pdu, data, length, - HCI_MAX_EXT_AD_LENGTH); - u8 len; - struct adv_info *adv = NULL; - int err; - - if (instance) { - adv = hci_find_adv_instance(hdev, instance); - if (!adv || !adv->adv_data_changed) - return 0; - } - - len = eir_create_adv_data(hdev, instance, pdu->data, - HCI_MAX_EXT_AD_LENGTH); - - pdu->length = len; - pdu->handle = adv ? adv->handle : instance; - pdu->operation = LE_SET_ADV_DATA_OP_COMPLETE; - pdu->frag_pref = LE_SET_ADV_DATA_NO_FRAG; - - err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_DATA, - struct_size(pdu, data, len), pdu, - HCI_CMD_TIMEOUT); - if (err) - return err; - - /* Update data if the command succeed */ - if (adv) { - adv->adv_data_changed = false; - } else { - memcpy(hdev->adv_data, pdu->data, len); - hdev->adv_data_len = len; - } - - return 0; -} - -static int hci_set_adv_data_sync(struct hci_dev *hdev, u8 instance) -{ - struct hci_cp_le_set_adv_data cp; - u8 len; - - memset(&cp, 0, sizeof(cp)); - - len = eir_create_adv_data(hdev, instance, cp.data, sizeof(cp.data)); - - /* There's nothing to do if the data hasn't changed */ - if (hdev->adv_data_len == len && - memcmp(cp.data, hdev->adv_data, len) == 0) - return 0; - - memcpy(hdev->adv_data, cp.data, sizeof(cp.data)); - hdev->adv_data_len = len; - - cp.length = len; - - return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_ADV_DATA, - sizeof(cp), &cp, HCI_CMD_TIMEOUT); -} - -int hci_update_adv_data_sync(struct hci_dev *hdev, u8 instance) -{ - if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) - return 0; - - if (ext_adv_capable(hdev)) - return hci_set_ext_adv_data_sync(hdev, instance); - - return hci_set_adv_data_sync(hdev, instance); -} - int hci_schedule_adv_instance_sync(struct hci_dev *hdev, u8 instance, bool force) { @@ -6273,6 +6321,7 @@ static int hci_le_ext_directed_advertising_sync(struct hci_dev *hdev, struct hci_conn *conn) { struct hci_cp_le_set_ext_adv_params cp; + struct hci_rp_le_set_ext_adv_params rp; int err; bdaddr_t random_addr; u8 own_addr_type; @@ -6314,8 +6363,12 @@ static int hci_le_ext_directed_advertising_sync(struct hci_dev *hdev, if (err) return err; - err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS, - sizeof(cp), &cp, HCI_CMD_TIMEOUT); + err = hci_set_ext_adv_params_sync(hdev, NULL, &cp, &rp); + if (err) + return err; + + /* Update adv data as tx power is known now */ + err = hci_set_ext_adv_data_sync(hdev, cp.handle); if (err) return err;

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] Bluetooth: HCI: Set extended advertising data synchronously" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 89fb8acc38852116d38d721ad394aad7f2871670 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070626-yo-yo-osmosis-27dd@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 89fb8acc38852116d38d721ad394aad7f2871670 Mon Sep 17 00:00:00 2001 From: Christian Eggers <ceggers(a)arri.de> Date: Fri, 27 Jun 2025 09:05:08 +0200 Subject: [PATCH] Bluetooth: HCI: Set extended advertising data synchronously Currently, for controllers with extended advertising, the advertising data is set in the asynchronous response handler for extended adverstising params. As most advertising settings are performed in a synchronous context, the (asynchronous) setting of the advertising data is done too late (after enabling the advertising). Move setting of adverstising data from asynchronous response handler into synchronous context to fix ordering of HCI commands. Signed-off-by: Christian Eggers <ceggers(a)arri.de> Fixes: a0fb3726ba55 ("Bluetooth: Use Set ext adv/scan rsp data if controller supports") Cc: stable(a)vger.kernel.org v2: https://lore.kernel.org/linux-bluetooth/20250626115209.17839-1-ceggers@arri… Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 66052d6aaa1d..4d5ace9d245d 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -2150,40 +2150,6 @@ static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data, return rp->status; } -static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data, - struct sk_buff *skb) -{ - struct hci_rp_le_set_ext_adv_params *rp = data; - struct hci_cp_le_set_ext_adv_params *cp; - struct adv_info *adv_instance; - - bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); - - if (rp->status) - return rp->status; - - cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS); - if (!cp) - return rp->status; - - hci_dev_lock(hdev); - hdev->adv_addr_type = cp->own_addr_type; - if (!cp->handle) { - /* Store in hdev for instance 0 */ - hdev->adv_tx_power = rp->tx_power; - } else { - adv_instance = hci_find_adv_instance(hdev, cp->handle); - if (adv_instance) - adv_instance->tx_power = rp->tx_power; - } - /* Update adv data as tx power is known now */ - hci_update_adv_data(hdev, cp->handle); - - hci_dev_unlock(hdev); - - return rp->status; -} - static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data, struct sk_buff *skb) { @@ -4164,8 +4130,6 @@ static const struct hci_cc { HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS, hci_cc_le_read_num_adv_sets, sizeof(struct hci_rp_le_read_num_supported_adv_sets)), - HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param, - sizeof(struct hci_rp_le_set_ext_adv_params)), HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE, hci_cc_le_set_ext_adv_enable), HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR, diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c index 106862d47964..77b3691f3423 100644 --- a/net/bluetooth/hci_sync.c +++ b/net/bluetooth/hci_sync.c @@ -1205,9 +1205,126 @@ static int hci_set_adv_set_random_addr_sync(struct hci_dev *hdev, u8 instance, sizeof(cp), &cp, HCI_CMD_TIMEOUT); } +static int +hci_set_ext_adv_params_sync(struct hci_dev *hdev, struct adv_info *adv, + const struct hci_cp_le_set_ext_adv_params *cp, + struct hci_rp_le_set_ext_adv_params *rp) +{ + struct sk_buff *skb; + + skb = __hci_cmd_sync(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS, sizeof(*cp), + cp, HCI_CMD_TIMEOUT); + + /* If command return a status event, skb will be set to -ENODATA */ + if (skb == ERR_PTR(-ENODATA)) + return 0; + + if (IS_ERR(skb)) { + bt_dev_err(hdev, "Opcode 0x%4.4x failed: %ld", + HCI_OP_LE_SET_EXT_ADV_PARAMS, PTR_ERR(skb)); + return PTR_ERR(skb); + } + + if (skb->len != sizeof(*rp)) { + bt_dev_err(hdev, "Invalid response length for 0x%4.4x: %u", + HCI_OP_LE_SET_EXT_ADV_PARAMS, skb->len); + kfree_skb(skb); + return -EIO; + } + + memcpy(rp, skb->data, sizeof(*rp)); + kfree_skb(skb); + + if (!rp->status) { + hdev->adv_addr_type = cp->own_addr_type; + if (!cp->handle) { + /* Store in hdev for instance 0 */ + hdev->adv_tx_power = rp->tx_power; + } else if (adv) { + adv->tx_power = rp->tx_power; + } + } + + return rp->status; +} + +static int hci_set_ext_adv_data_sync(struct hci_dev *hdev, u8 instance) +{ + DEFINE_FLEX(struct hci_cp_le_set_ext_adv_data, pdu, data, length, + HCI_MAX_EXT_AD_LENGTH); + u8 len; + struct adv_info *adv = NULL; + int err; + + if (instance) { + adv = hci_find_adv_instance(hdev, instance); + if (!adv || !adv->adv_data_changed) + return 0; + } + + len = eir_create_adv_data(hdev, instance, pdu->data, + HCI_MAX_EXT_AD_LENGTH); + + pdu->length = len; + pdu->handle = adv ? adv->handle : instance; + pdu->operation = LE_SET_ADV_DATA_OP_COMPLETE; + pdu->frag_pref = LE_SET_ADV_DATA_NO_FRAG; + + err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_DATA, + struct_size(pdu, data, len), pdu, + HCI_CMD_TIMEOUT); + if (err) + return err; + + /* Update data if the command succeed */ + if (adv) { + adv->adv_data_changed = false; + } else { + memcpy(hdev->adv_data, pdu->data, len); + hdev->adv_data_len = len; + } + + return 0; +} + +static int hci_set_adv_data_sync(struct hci_dev *hdev, u8 instance) +{ + struct hci_cp_le_set_adv_data cp; + u8 len; + + memset(&cp, 0, sizeof(cp)); + + len = eir_create_adv_data(hdev, instance, cp.data, sizeof(cp.data)); + + /* There's nothing to do if the data hasn't changed */ + if (hdev->adv_data_len == len && + memcmp(cp.data, hdev->adv_data, len) == 0) + return 0; + + memcpy(hdev->adv_data, cp.data, sizeof(cp.data)); + hdev->adv_data_len = len; + + cp.length = len; + + return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_ADV_DATA, + sizeof(cp), &cp, HCI_CMD_TIMEOUT); +} + +int hci_update_adv_data_sync(struct hci_dev *hdev, u8 instance) +{ + if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) + return 0; + + if (ext_adv_capable(hdev)) + return hci_set_ext_adv_data_sync(hdev, instance); + + return hci_set_adv_data_sync(hdev, instance); +} + int hci_setup_ext_adv_instance_sync(struct hci_dev *hdev, u8 instance) { struct hci_cp_le_set_ext_adv_params cp; + struct hci_rp_le_set_ext_adv_params rp; bool connectable; u32 flags; bdaddr_t random_addr; @@ -1316,8 +1433,12 @@ int hci_setup_ext_adv_instance_sync(struct hci_dev *hdev, u8 instance) cp.secondary_phy = HCI_ADV_PHY_1M; } - err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS, - sizeof(cp), &cp, HCI_CMD_TIMEOUT); + err = hci_set_ext_adv_params_sync(hdev, adv, &cp, &rp); + if (err) + return err; + + /* Update adv data as tx power is known now */ + err = hci_set_ext_adv_data_sync(hdev, cp.handle); if (err) return err; @@ -1822,79 +1943,6 @@ int hci_le_terminate_big_sync(struct hci_dev *hdev, u8 handle, u8 reason) sizeof(cp), &cp, HCI_CMD_TIMEOUT); } -static int hci_set_ext_adv_data_sync(struct hci_dev *hdev, u8 instance) -{ - DEFINE_FLEX(struct hci_cp_le_set_ext_adv_data, pdu, data, length, - HCI_MAX_EXT_AD_LENGTH); - u8 len; - struct adv_info *adv = NULL; - int err; - - if (instance) { - adv = hci_find_adv_instance(hdev, instance); - if (!adv || !adv->adv_data_changed) - return 0; - } - - len = eir_create_adv_data(hdev, instance, pdu->data, - HCI_MAX_EXT_AD_LENGTH); - - pdu->length = len; - pdu->handle = adv ? adv->handle : instance; - pdu->operation = LE_SET_ADV_DATA_OP_COMPLETE; - pdu->frag_pref = LE_SET_ADV_DATA_NO_FRAG; - - err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_DATA, - struct_size(pdu, data, len), pdu, - HCI_CMD_TIMEOUT); - if (err) - return err; - - /* Update data if the command succeed */ - if (adv) { - adv->adv_data_changed = false; - } else { - memcpy(hdev->adv_data, pdu->data, len); - hdev->adv_data_len = len; - } - - return 0; -} - -static int hci_set_adv_data_sync(struct hci_dev *hdev, u8 instance) -{ - struct hci_cp_le_set_adv_data cp; - u8 len; - - memset(&cp, 0, sizeof(cp)); - - len = eir_create_adv_data(hdev, instance, cp.data, sizeof(cp.data)); - - /* There's nothing to do if the data hasn't changed */ - if (hdev->adv_data_len == len && - memcmp(cp.data, hdev->adv_data, len) == 0) - return 0; - - memcpy(hdev->adv_data, cp.data, sizeof(cp.data)); - hdev->adv_data_len = len; - - cp.length = len; - - return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_ADV_DATA, - sizeof(cp), &cp, HCI_CMD_TIMEOUT); -} - -int hci_update_adv_data_sync(struct hci_dev *hdev, u8 instance) -{ - if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) - return 0; - - if (ext_adv_capable(hdev)) - return hci_set_ext_adv_data_sync(hdev, instance); - - return hci_set_adv_data_sync(hdev, instance); -} - int hci_schedule_adv_instance_sync(struct hci_dev *hdev, u8 instance, bool force) { @@ -6273,6 +6321,7 @@ static int hci_le_ext_directed_advertising_sync(struct hci_dev *hdev, struct hci_conn *conn) { struct hci_cp_le_set_ext_adv_params cp; + struct hci_rp_le_set_ext_adv_params rp; int err; bdaddr_t random_addr; u8 own_addr_type; @@ -6314,8 +6363,12 @@ static int hci_le_ext_directed_advertising_sync(struct hci_dev *hdev, if (err) return err; - err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS, - sizeof(cp), &cp, HCI_CMD_TIMEOUT); + err = hci_set_ext_adv_params_sync(hdev, NULL, &cp, &rp); + if (err) + return err; + + /* Update adv data as tx power is known now */ + err = hci_set_ext_adv_data_sync(hdev, cp.handle); if (err) return err;

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mmc: core: sd: Apply BROKEN_SD_DISCARD quirk earlier" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 009c3a4bc41e855fd76f92727f9fbae4e5917d7f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070621-plant-sedan-c997@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 009c3a4bc41e855fd76f92727f9fbae4e5917d7f Mon Sep 17 00:00:00 2001 From: Avri Altman <avri.altman(a)sandisk.com> Date: Mon, 26 May 2025 14:44:45 +0300 Subject: [PATCH] mmc: core: sd: Apply BROKEN_SD_DISCARD quirk earlier Move the BROKEN_SD_DISCARD quirk for certain SanDisk SD cards from the `mmc_blk_fixups[]` to `mmc_sd_fixups[]`. This ensures the quirk is applied earlier in the device initialization process, aligning with the reasoning in [1]. Applying the quirk sooner prevents the kernel from incorrectly enabling discard support on affected cards during initial setup. [1] https://lore.kernel.org/all/20240820230631.GA436523@sony.com Fixes: 07d2872bf4c8 ("mmc: core: Add SD card quirk for broken discard") Signed-off-by: Avri Altman <avri.altman(a)sandisk.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250526114445.675548-1-avri.altman@sandisk.com Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/mmc/core/quirks.h b/drivers/mmc/core/quirks.h index 7f893bafaa60..c417ed34c057 100644 --- a/drivers/mmc/core/quirks.h +++ b/drivers/mmc/core/quirks.h @@ -44,6 +44,12 @@ static const struct mmc_fixup __maybe_unused mmc_sd_fixups[] = { 0, -1ull, SDIO_ANY_ID, SDIO_ANY_ID, add_quirk_sd, MMC_QUIRK_NO_UHS_DDR50_TUNING, EXT_CSD_REV_ANY), + /* + * Some SD cards reports discard support while they don't + */ + MMC_FIXUP(CID_NAME_ANY, CID_MANFID_SANDISK_SD, 0x5344, add_quirk_sd, + MMC_QUIRK_BROKEN_SD_DISCARD), + END_FIXUP }; @@ -147,12 +153,6 @@ static const struct mmc_fixup __maybe_unused mmc_blk_fixups[] = { MMC_FIXUP("M62704", CID_MANFID_KINGSTON, 0x0100, add_quirk_mmc, MMC_QUIRK_TRIM_BROKEN), - /* - * Some SD cards reports discard support while they don't - */ - MMC_FIXUP(CID_NAME_ANY, CID_MANFID_SANDISK_SD, 0x5344, add_quirk_sd, - MMC_QUIRK_BROKEN_SD_DISCARD), - END_FIXUP };

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mmc: core: sd: Apply BROKEN_SD_DISCARD quirk earlier" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 009c3a4bc41e855fd76f92727f9fbae4e5917d7f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070620-seclusion-jarring-cacd@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 009c3a4bc41e855fd76f92727f9fbae4e5917d7f Mon Sep 17 00:00:00 2001 From: Avri Altman <avri.altman(a)sandisk.com> Date: Mon, 26 May 2025 14:44:45 +0300 Subject: [PATCH] mmc: core: sd: Apply BROKEN_SD_DISCARD quirk earlier Move the BROKEN_SD_DISCARD quirk for certain SanDisk SD cards from the `mmc_blk_fixups[]` to `mmc_sd_fixups[]`. This ensures the quirk is applied earlier in the device initialization process, aligning with the reasoning in [1]. Applying the quirk sooner prevents the kernel from incorrectly enabling discard support on affected cards during initial setup. [1] https://lore.kernel.org/all/20240820230631.GA436523@sony.com Fixes: 07d2872bf4c8 ("mmc: core: Add SD card quirk for broken discard") Signed-off-by: Avri Altman <avri.altman(a)sandisk.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250526114445.675548-1-avri.altman@sandisk.com Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/mmc/core/quirks.h b/drivers/mmc/core/quirks.h index 7f893bafaa60..c417ed34c057 100644 --- a/drivers/mmc/core/quirks.h +++ b/drivers/mmc/core/quirks.h @@ -44,6 +44,12 @@ static const struct mmc_fixup __maybe_unused mmc_sd_fixups[] = { 0, -1ull, SDIO_ANY_ID, SDIO_ANY_ID, add_quirk_sd, MMC_QUIRK_NO_UHS_DDR50_TUNING, EXT_CSD_REV_ANY), + /* + * Some SD cards reports discard support while they don't + */ + MMC_FIXUP(CID_NAME_ANY, CID_MANFID_SANDISK_SD, 0x5344, add_quirk_sd, + MMC_QUIRK_BROKEN_SD_DISCARD), + END_FIXUP }; @@ -147,12 +153,6 @@ static const struct mmc_fixup __maybe_unused mmc_blk_fixups[] = { MMC_FIXUP("M62704", CID_MANFID_KINGSTON, 0x0100, add_quirk_mmc, MMC_QUIRK_TRIM_BROKEN), - /* - * Some SD cards reports discard support while they don't - */ - MMC_FIXUP(CID_NAME_ANY, CID_MANFID_SANDISK_SD, 0x5344, add_quirk_sd, - MMC_QUIRK_BROKEN_SD_DISCARD), - END_FIXUP };

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] s390/pci: Fix stale function handles in error handling" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 45537926dd2aaa9190ac0fac5a0fbeefcadfea95 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070623-pacific-brewery-7cd2@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 45537926dd2aaa9190ac0fac5a0fbeefcadfea95 Mon Sep 17 00:00:00 2001 From: Niklas Schnelle <schnelle(a)linux.ibm.com> Date: Wed, 25 Jun 2025 11:28:28 +0200 Subject: [PATCH] s390/pci: Fix stale function handles in error handling The error event information for PCI error events contains a function handle for the respective function. This handle is generally captured at the time the error event was recorded. Due to delays in processing or cascading issues, it may happen that during firmware recovery multiple events are generated. When processing these events in order Linux may already have recovered an affected function making the event information stale. Fix this by doing an unconditional CLP List PCI function retrieving the current function handle with the zdev->state_lock held and ignoring the event if its function handle is stale. Cc: stable(a)vger.kernel.org Fixes: 4cdf2f4e24ff ("s390/pci: implement minimal PCI error recovery") Reviewed-by: Julian Ruess <julianr(a)linux.ibm.com> Reviewed-by: Gerd Bayer <gbayer(a)linux.ibm.com> Reviewed-by: Farhan Ali <alifm(a)linux.ibm.com> Signed-off-by: Niklas Schnelle <schnelle(a)linux.ibm.com> Signed-off-by: Alexander Gordeev <agordeev(a)linux.ibm.com> diff --git a/arch/s390/pci/pci_event.c b/arch/s390/pci/pci_event.c index 2fbee3887d13..82ee2578279a 100644 --- a/arch/s390/pci/pci_event.c +++ b/arch/s390/pci/pci_event.c @@ -273,6 +273,8 @@ static void __zpci_event_error(struct zpci_ccdf_err *ccdf) struct zpci_dev *zdev = get_zdev_by_fid(ccdf->fid); struct pci_dev *pdev = NULL; pci_ers_result_t ers_res; + u32 fh = 0; + int rc; zpci_dbg(3, "err fid:%x, fh:%x, pec:%x\n", ccdf->fid, ccdf->fh, ccdf->pec); @@ -281,6 +283,15 @@ static void __zpci_event_error(struct zpci_ccdf_err *ccdf) if (zdev) { mutex_lock(&zdev->state_lock); + rc = clp_refresh_fh(zdev->fid, &fh); + if (rc) + goto no_pdev; + if (!fh || ccdf->fh != fh) { + /* Ignore events with stale handles */ + zpci_dbg(3, "err fid:%x, fh:%x (stale %x)\n", + ccdf->fid, fh, ccdf->fh); + goto no_pdev; + } zpci_update_fh(zdev, ccdf->fh); if (zdev->zbus->bus) pdev = pci_get_slot(zdev->zbus->bus, zdev->devfn);

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] s390/pci: Fix stale function handles in error handling" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 45537926dd2aaa9190ac0fac5a0fbeefcadfea95 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070622-clay-crimp-7cf6@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 45537926dd2aaa9190ac0fac5a0fbeefcadfea95 Mon Sep 17 00:00:00 2001 From: Niklas Schnelle <schnelle(a)linux.ibm.com> Date: Wed, 25 Jun 2025 11:28:28 +0200 Subject: [PATCH] s390/pci: Fix stale function handles in error handling The error event information for PCI error events contains a function handle for the respective function. This handle is generally captured at the time the error event was recorded. Due to delays in processing or cascading issues, it may happen that during firmware recovery multiple events are generated. When processing these events in order Linux may already have recovered an affected function making the event information stale. Fix this by doing an unconditional CLP List PCI function retrieving the current function handle with the zdev->state_lock held and ignoring the event if its function handle is stale. Cc: stable(a)vger.kernel.org Fixes: 4cdf2f4e24ff ("s390/pci: implement minimal PCI error recovery") Reviewed-by: Julian Ruess <julianr(a)linux.ibm.com> Reviewed-by: Gerd Bayer <gbayer(a)linux.ibm.com> Reviewed-by: Farhan Ali <alifm(a)linux.ibm.com> Signed-off-by: Niklas Schnelle <schnelle(a)linux.ibm.com> Signed-off-by: Alexander Gordeev <agordeev(a)linux.ibm.com> diff --git a/arch/s390/pci/pci_event.c b/arch/s390/pci/pci_event.c index 2fbee3887d13..82ee2578279a 100644 --- a/arch/s390/pci/pci_event.c +++ b/arch/s390/pci/pci_event.c @@ -273,6 +273,8 @@ static void __zpci_event_error(struct zpci_ccdf_err *ccdf) struct zpci_dev *zdev = get_zdev_by_fid(ccdf->fid); struct pci_dev *pdev = NULL; pci_ers_result_t ers_res; + u32 fh = 0; + int rc; zpci_dbg(3, "err fid:%x, fh:%x, pec:%x\n", ccdf->fid, ccdf->fh, ccdf->pec); @@ -281,6 +283,15 @@ static void __zpci_event_error(struct zpci_ccdf_err *ccdf) if (zdev) { mutex_lock(&zdev->state_lock); + rc = clp_refresh_fh(zdev->fid, &fh); + if (rc) + goto no_pdev; + if (!fh || ccdf->fh != fh) { + /* Ignore events with stale handles */ + zpci_dbg(3, "err fid:%x, fh:%x (stale %x)\n", + ccdf->fid, fh, ccdf->fh); + goto no_pdev; + } zpci_update_fh(zdev, ccdf->fh); if (zdev->zbus->bus) pdev = pci_get_slot(zdev->zbus->bus, zdev->devfn);

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] virtio-net: ensure the received length does not exceed" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 315dbdd7cdf6aa533829774caaf4d25f1fd20e73 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070648-capitol-stained-1407@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 315dbdd7cdf6aa533829774caaf4d25f1fd20e73 Mon Sep 17 00:00:00 2001 From: Bui Quang Minh <minhquangbui99(a)gmail.com> Date: Mon, 30 Jun 2025 21:42:10 +0700 Subject: [PATCH] virtio-net: ensure the received length does not exceed allocated size In xdp_linearize_page, when reading the following buffers from the ring, we forget to check the received length with the true allocate size. This can lead to an out-of-bound read. This commit adds that missing check. Cc: <stable(a)vger.kernel.org> Fixes: 4941d472bf95 ("virtio-net: do not reset during XDP set") Signed-off-by: Bui Quang Minh <minhquangbui99(a)gmail.com> Acked-by: Jason Wang <jasowang(a)redhat.com> Link: https://patch.msgid.link/20250630144212.48471-2-minhquangbui99@gmail.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index e53ba600605a..31661bcb3932 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -778,6 +778,26 @@ static unsigned int mergeable_ctx_to_truesize(void *mrg_ctx) return (unsigned long)mrg_ctx & ((1 << MRG_CTX_HEADER_SHIFT) - 1); } +static int check_mergeable_len(struct net_device *dev, void *mrg_ctx, + unsigned int len) +{ + unsigned int headroom, tailroom, room, truesize; + + truesize = mergeable_ctx_to_truesize(mrg_ctx); + headroom = mergeable_ctx_to_headroom(mrg_ctx); + tailroom = headroom ? sizeof(struct skb_shared_info) : 0; + room = SKB_DATA_ALIGN(headroom + tailroom); + + if (len > truesize - room) { + pr_debug("%s: rx error: len %u exceeds truesize %lu\n", + dev->name, len, (unsigned long)(truesize - room)); + DEV_STATS_INC(dev, rx_length_errors); + return -1; + } + + return 0; +} + static struct sk_buff *virtnet_build_skb(void *buf, unsigned int buflen, unsigned int headroom, unsigned int len) @@ -1797,7 +1817,8 @@ static unsigned int virtnet_get_headroom(struct virtnet_info *vi) * across multiple buffers (num_buf > 1), and we make sure buffers * have enough headroom. */ -static struct page *xdp_linearize_page(struct receive_queue *rq, +static struct page *xdp_linearize_page(struct net_device *dev, + struct receive_queue *rq, int *num_buf, struct page *p, int offset, @@ -1817,18 +1838,27 @@ static struct page *xdp_linearize_page(struct receive_queue *rq, memcpy(page_address(page) + page_off, page_address(p) + offset, *len); page_off += *len; + /* Only mergeable mode can go inside this while loop. In small mode, + * *num_buf == 1, so it cannot go inside. + */ while (--*num_buf) { unsigned int buflen; void *buf; + void *ctx; int off; - buf = virtnet_rq_get_buf(rq, &buflen, NULL); + buf = virtnet_rq_get_buf(rq, &buflen, &ctx); if (unlikely(!buf)) goto err_buf; p = virt_to_head_page(buf); off = buf - page_address(p); + if (check_mergeable_len(dev, ctx, buflen)) { + put_page(p); + goto err_buf; + } + /* guard against a misconfigured or uncooperative backend that * is sending packet larger than the MTU. */ @@ -1917,7 +1947,7 @@ static struct sk_buff *receive_small_xdp(struct net_device *dev, headroom = vi->hdr_len + header_offset; buflen = SKB_DATA_ALIGN(GOOD_PACKET_LEN + headroom) + SKB_DATA_ALIGN(sizeof(struct skb_shared_info)); - xdp_page = xdp_linearize_page(rq, &num_buf, page, + xdp_page = xdp_linearize_page(dev, rq, &num_buf, page, offset, header_offset, &tlen); if (!xdp_page) @@ -2252,7 +2282,7 @@ static void *mergeable_xdp_get_buf(struct virtnet_info *vi, */ if (!xdp_prog->aux->xdp_has_frags) { /* linearize data for XDP */ - xdp_page = xdp_linearize_page(rq, num_buf, + xdp_page = xdp_linearize_page(vi->dev, rq, num_buf, *page, offset, XDP_PACKET_HEADROOM, len);

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] virtio-net: ensure the received length does not exceed" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 315dbdd7cdf6aa533829774caaf4d25f1fd20e73 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070648-purist-custody-51f7@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 315dbdd7cdf6aa533829774caaf4d25f1fd20e73 Mon Sep 17 00:00:00 2001 From: Bui Quang Minh <minhquangbui99(a)gmail.com> Date: Mon, 30 Jun 2025 21:42:10 +0700 Subject: [PATCH] virtio-net: ensure the received length does not exceed allocated size In xdp_linearize_page, when reading the following buffers from the ring, we forget to check the received length with the true allocate size. This can lead to an out-of-bound read. This commit adds that missing check. Cc: <stable(a)vger.kernel.org> Fixes: 4941d472bf95 ("virtio-net: do not reset during XDP set") Signed-off-by: Bui Quang Minh <minhquangbui99(a)gmail.com> Acked-by: Jason Wang <jasowang(a)redhat.com> Link: https://patch.msgid.link/20250630144212.48471-2-minhquangbui99@gmail.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index e53ba600605a..31661bcb3932 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -778,6 +778,26 @@ static unsigned int mergeable_ctx_to_truesize(void *mrg_ctx) return (unsigned long)mrg_ctx & ((1 << MRG_CTX_HEADER_SHIFT) - 1); } +static int check_mergeable_len(struct net_device *dev, void *mrg_ctx, + unsigned int len) +{ + unsigned int headroom, tailroom, room, truesize; + + truesize = mergeable_ctx_to_truesize(mrg_ctx); + headroom = mergeable_ctx_to_headroom(mrg_ctx); + tailroom = headroom ? sizeof(struct skb_shared_info) : 0; + room = SKB_DATA_ALIGN(headroom + tailroom); + + if (len > truesize - room) { + pr_debug("%s: rx error: len %u exceeds truesize %lu\n", + dev->name, len, (unsigned long)(truesize - room)); + DEV_STATS_INC(dev, rx_length_errors); + return -1; + } + + return 0; +} + static struct sk_buff *virtnet_build_skb(void *buf, unsigned int buflen, unsigned int headroom, unsigned int len) @@ -1797,7 +1817,8 @@ static unsigned int virtnet_get_headroom(struct virtnet_info *vi) * across multiple buffers (num_buf > 1), and we make sure buffers * have enough headroom. */ -static struct page *xdp_linearize_page(struct receive_queue *rq, +static struct page *xdp_linearize_page(struct net_device *dev, + struct receive_queue *rq, int *num_buf, struct page *p, int offset, @@ -1817,18 +1838,27 @@ static struct page *xdp_linearize_page(struct receive_queue *rq, memcpy(page_address(page) + page_off, page_address(p) + offset, *len); page_off += *len; + /* Only mergeable mode can go inside this while loop. In small mode, + * *num_buf == 1, so it cannot go inside. + */ while (--*num_buf) { unsigned int buflen; void *buf; + void *ctx; int off; - buf = virtnet_rq_get_buf(rq, &buflen, NULL); + buf = virtnet_rq_get_buf(rq, &buflen, &ctx); if (unlikely(!buf)) goto err_buf; p = virt_to_head_page(buf); off = buf - page_address(p); + if (check_mergeable_len(dev, ctx, buflen)) { + put_page(p); + goto err_buf; + } + /* guard against a misconfigured or uncooperative backend that * is sending packet larger than the MTU. */ @@ -1917,7 +1947,7 @@ static struct sk_buff *receive_small_xdp(struct net_device *dev, headroom = vi->hdr_len + header_offset; buflen = SKB_DATA_ALIGN(GOOD_PACKET_LEN + headroom) + SKB_DATA_ALIGN(sizeof(struct skb_shared_info)); - xdp_page = xdp_linearize_page(rq, &num_buf, page, + xdp_page = xdp_linearize_page(dev, rq, &num_buf, page, offset, header_offset, &tlen); if (!xdp_page) @@ -2252,7 +2282,7 @@ static void *mergeable_xdp_get_buf(struct virtnet_info *vi, */ if (!xdp_prog->aux->xdp_has_frags) { /* linearize data for XDP */ - xdp_page = xdp_linearize_page(rq, num_buf, + xdp_page = xdp_linearize_page(vi->dev, rq, num_buf, *page, offset, XDP_PACKET_HEADROOM, len);

4 months, 2 weeks

1
0
0 0

[PATCH v3 0/3] m68k: Bug fix and cleanup for framebuffer debug console

by Finn Thain

This series has a bug fix for the early bootconsole as well as some related efficiency improvements and cleanup. The relevant code is subject to CONSOLE_DEBUG, which is presently only used with CONFIG_MAC. To test this series (in qemu-system-m68k, for example) it's helpful to enable CONFIG_EARLY_PRINTK and CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER and boot with kernel parameters 'console=ttyS0 earlyprintk keep_bootcon'. --- Changed since v1: - Solved problem with line wrap while scrolling. - Added two additional patches. Changed since v2: - Adopted addq and subq as suggested by Andreas. Finn Thain (3): m68k: Fix lost column on framebuffer debug console m68k: Avoid pointless recursion in debug console rendering m68k: Remove unused "cursor home" code from debug console arch/m68k/kernel/head.S | 73 +++++++++++++++++++++-------------------- 1 file changed, 37 insertions(+), 36 deletions(-) -- 2.45.3

4 months, 2 weeks

3
3
0 0

Linux 6.12.36

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.36 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/serial/8250.yaml | 2 Documentation/netlink/specs/tc.yaml | 4 Makefile | 2 arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi | 12 arch/riscv/include/asm/cmpxchg.h | 2 arch/riscv/include/asm/pgtable.h | 1 arch/riscv/kernel/traps_misaligned.c | 4 arch/riscv/mm/cacheflush.c | 15 arch/um/drivers/ubd_user.c | 2 arch/um/include/asm/asm-prototypes.h | 5 arch/um/kernel/trap.c | 129 + arch/x86/include/uapi/asm/debugreg.h | 21 arch/x86/kernel/cpu/common.c | 24 arch/x86/kernel/fpu/signal.c | 11 arch/x86/kernel/fpu/xstate.h | 22 arch/x86/kernel/traps.c | 34 arch/x86/um/asm/checksum.h | 3 drivers/accel/ivpu/ivpu_debugfs.c | 84 + drivers/accel/ivpu/ivpu_drv.c | 6 drivers/accel/ivpu/ivpu_drv.h | 10 drivers/accel/ivpu/ivpu_hw.c | 21 drivers/accel/ivpu/ivpu_hw.h | 5 drivers/accel/ivpu/ivpu_job.c | 201 +- drivers/accel/ivpu/ivpu_job.h | 2 drivers/accel/ivpu/ivpu_jsm_msg.c | 46 drivers/ata/ahci.c | 2 drivers/cxl/core/region.c | 7 drivers/dma/idxd/cdev.c | 4 drivers/dma/xilinx/xilinx_dma.c | 2 drivers/edac/amd64_edac.c | 57 drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 64 drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c | 30 drivers/gpu/drm/amd/amdgpu/amdgpu_job.c | 12 drivers/gpu/drm/amd/amdgpu/amdgpu_job.h | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h | 16 drivers/gpu/drm/amd/amdgpu/amdgpu_seq64.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_ucode.c | 17 drivers/gpu/drm/amd/amdgpu/amdgpu_ucode.h | 6 drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 2 drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c | 6 drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler.h | 677 +++++----- drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler_gfx12.asm | 82 - drivers/gpu/drm/amd/amdkfd/kfd_device.c | 3 drivers/gpu/drm/amd/amdkfd/kfd_events.c | 1 drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c | 2 drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_translation_helper.c | 1 drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c | 5 drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c | 1 drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 9 drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c | 3 drivers/gpu/drm/ast/ast_mode.c | 6 drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c | 32 drivers/gpu/drm/bridge/ti-sn65dsi86.c | 109 + drivers/gpu/drm/drm_fbdev_dma.c | 219 ++- drivers/gpu/drm/etnaviv/etnaviv_sched.c | 5 drivers/gpu/drm/i915/display/vlv_dsi.c | 4 drivers/gpu/drm/i915/i915_pmu.c | 2 drivers/gpu/drm/msm/dp/dp_display.c | 11 drivers/gpu/drm/msm/dp/dp_drm.c | 5 drivers/gpu/drm/msm/msm_gpu_devfreq.c | 1 drivers/gpu/drm/scheduler/sched_entity.c | 1 drivers/gpu/drm/tegra/dc.c | 17 drivers/gpu/drm/tegra/hub.c | 4 drivers/gpu/drm/tegra/hub.h | 3 drivers/gpu/drm/tiny/cirrus.c | 1 drivers/gpu/drm/udl/udl_drv.c | 2 drivers/gpu/drm/xe/display/xe_display.c | 2 drivers/gpu/drm/xe/xe_ggtt.c | 11 drivers/gpu/drm/xe/xe_gpu_scheduler.h | 10 drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c | 8 drivers/gpu/drm/xe/xe_guc_ct.c | 7 drivers/gpu/drm/xe/xe_guc_ct.h | 5 drivers/gpu/drm/xe/xe_guc_pc.c | 2 drivers/gpu/drm/xe/xe_guc_submit.c | 23 drivers/gpu/drm/xe/xe_guc_types.h | 5 drivers/gpu/drm/xe/xe_ttm_stolen_mgr.c | 54 drivers/gpu/drm/xe/xe_vm.c | 8 drivers/hid/hid-lenovo.c | 11 drivers/hid/wacom_sys.c | 7 drivers/hwmon/pmbus/max34440.c | 48 drivers/hwtracing/coresight/coresight-core.c | 3 drivers/hwtracing/coresight/coresight-priv.h | 1 drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 drivers/i2c/busses/i2c-tiny-usb.c | 6 drivers/iio/adc/ad_sigma_delta.c | 4 drivers/iio/dac/Makefile | 2 drivers/iio/dac/ad3552r-common.c | 248 +++ drivers/iio/dac/ad3552r.c | 557 +------- drivers/iio/dac/ad3552r.h | 223 +++ drivers/iio/pressure/zpa2326.c | 2 drivers/leds/led-class-multicolor.c | 3 drivers/mailbox/mailbox.c | 2 drivers/md/bcache/super.c | 7 drivers/md/dm-raid.c | 2 drivers/md/dm-vdo/indexer/volume.c | 24 drivers/md/md-bitmap.c | 2 drivers/media/usb/uvc/uvc_ctrl.c | 34 drivers/mfd/max14577.c | 1 drivers/misc/tps6594-pfsm.c | 3 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 5 drivers/net/ethernet/freescale/enetc/enetc_hw.h | 2 drivers/net/ethernet/pensando/ionic/ionic_txrx.c | 12 drivers/net/ethernet/realtek/r8169.h | 1 drivers/net/ethernet/realtek/r8169_main.c | 23 drivers/net/ethernet/realtek/r8169_phy_config.c | 10 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 11 drivers/net/ethernet/wangxun/libwx/wx_lib.c | 6 drivers/net/phy/realtek.c | 54 drivers/nvme/host/tcp.c | 22 drivers/pci/controller/dwc/pci-imx6.c | 15 drivers/pci/controller/dwc/pcie-designware.c | 5 drivers/pci/controller/pcie-apple.c | 7 drivers/s390/crypto/pkey_api.c | 2 drivers/scsi/megaraid/megaraid_sas_base.c | 6 drivers/spi/spi-cadence-quadspi.c | 12 drivers/spi/spi-fsl-qspi.c | 36 drivers/staging/rtl8723bs/core/rtw_security.c | 44 drivers/tty/serial/8250/8250_pci1xxxx.c | 10 drivers/tty/serial/imx.c | 17 drivers/tty/serial/serial_base_bus.c | 1 drivers/tty/serial/uartlite.c | 25 drivers/ufs/core/ufshcd.c | 6 drivers/usb/class/cdc-wdm.c | 23 drivers/usb/common/usb-conn-gpio.c | 25 drivers/usb/core/usb.c | 14 drivers/usb/dwc2/gadget.c | 6 drivers/usb/gadget/function/f_hid.c | 19 drivers/usb/gadget/function/f_tcm.c | 4 drivers/usb/typec/altmodes/displayport.c | 4 drivers/usb/typec/mux.c | 4 drivers/usb/typec/tcpm/tcpm.c | 3 fs/btrfs/backref.h | 4 fs/btrfs/direct-io.c | 4 fs/btrfs/disk-io.c | 5 fs/btrfs/extent_io.h | 2 fs/btrfs/extent_map.c | 132 + fs/btrfs/extent_map.h | 3 fs/btrfs/fs.h | 2 fs/btrfs/inode.c | 297 ++-- fs/btrfs/ordered-data.c | 14 fs/btrfs/raid56.c | 5 fs/btrfs/super.c | 13 fs/btrfs/tests/extent-io-tests.c | 6 fs/btrfs/volumes.c | 6 fs/btrfs/zstd.c | 2 fs/ceph/file.c | 2 fs/f2fs/file.c | 38 fs/f2fs/super.c | 30 fs/fuse/dir.c | 11 fs/jfs/jfs_dmap.c | 41 fs/namespace.c | 8 fs/nfs/inode.c | 51 fs/nfs/nfs4proc.c | 25 fs/overlayfs/util.c | 4 fs/proc/task_mmu.c | 2 fs/smb/client/cifs_debug.c | 23 fs/smb/client/cifsglob.h | 2 fs/smb/client/cifspdu.h | 6 fs/smb/client/cifssmb.c | 1 fs/smb/client/connect.c | 58 fs/smb/client/misc.c | 8 fs/smb/client/sess.c | 21 fs/smb/client/smb2ops.c | 14 fs/smb/client/smbdirect.c | 513 +++---- fs/smb/client/smbdirect.h | 64 fs/smb/client/trace.h | 24 fs/smb/common/smbdirect/smbdirect.h | 37 fs/smb/common/smbdirect/smbdirect_pdu.h | 55 fs/smb/common/smbdirect/smbdirect_socket.h | 43 fs/smb/server/connection.h | 1 fs/smb/server/smb2pdu.c | 72 - fs/smb/server/smb2pdu.h | 3 include/net/bluetooth/hci_core.h | 2 include/uapi/drm/ivpu_accel.h | 6 include/uapi/linux/vm_sockets.h | 4 io_uring/kbuf.c | 1 io_uring/kbuf.h | 1 io_uring/net.c | 46 io_uring/rsrc.c | 23 io_uring/rsrc.h | 1 lib/group_cpus.c | 9 lib/maple_tree.c | 4 mm/damon/sysfs-schemes.c | 1 mm/gup.c | 14 mm/vma.c | 27 net/atm/clip.c | 11 net/atm/resources.c | 3 net/bluetooth/hci_core.c | 34 net/bluetooth/l2cap_core.c | 9 net/core/selftests.c | 5 net/mac80211/chan.c | 3 net/mac80211/ieee80211_i.h | 12 net/mac80211/iface.c | 12 net/mac80211/link.c | 94 + net/mac80211/util.c | 2 net/sunrpc/clnt.c | 9 net/unix/af_unix.c | 31 rust/Makefile | 2 rust/macros/module.rs | 1 sound/pci/hda/hda_bind.c | 2 sound/pci/hda/hda_intel.c | 3 sound/pci/hda/patch_realtek.c | 2 sound/soc/amd/yc/acp6x-mach.c | 7 sound/soc/codecs/rt1320-sdw.c | 17 sound/soc/codecs/wcd9335.c | 40 sound/usb/quirks.c | 2 sound/usb/stream.c | 2 tools/lib/bpf/btf_dump.c | 3 tools/lib/bpf/libbpf.c | 10 tools/testing/selftests/bpf/progs/test_global_map_resize.c | 16 212 files changed, 3777 insertions(+), 2218 deletions(-) Adin Scannell (1): libbpf: Fix possible use-after-free for externs Aidan Stewart (1): serial: core: restore of_node information in sysfs Al Viro (1): attach_recursive_mnt(): do not lock the covering tree when sliding something under it Alex Deucher (2): drm/amdgpu/discovery: optionally use fw based ip discovery drm/amdgpu: switch job hw_fence to amdgpu_fence Alex Hung (2): drm/amd/display: Check dce_hwseq before dereferencing it drm/amd/display: Fix mpv playback corruption on weston Alexis Czezar Torreno (1): hwmon: (pmbus/max34440) Fix support for max34451 Andres Traumann (1): ALSA: hda/realtek: Bass speaker fixup for ASUS UM5606KA Andrzej Kacprowski (1): accel/ivpu: Remove copy engine support Andy Chiu (1): riscv: add a data fence for CMODX in the kernel mode Andy Shevchenko (1): usb: Add checks for snprintf() calls in usb_alloc_dev() Angelo Dureghello (3): iio: dac: ad3552r: changes to use FIELD_PREP iio: dac: ad3552r: extract common code (no changes in behavior intended) iio: dac: ad3552r-common: fix ad3541/2r ranges Aradhya Bhatia (5): drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() drm/bridge: cdns-dsi: Fix phy de-init and flag it so drm/bridge: cdns-dsi: Fix connecting to next bridge drm/bridge: cdns-dsi: Check return value when getting default PHY config drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready Arnd Bergmann (1): drm/i915: fix build error some more Avadhut Naik (1): EDAC/amd64: Fix size calculation for Non-Power-of-Two DIMMs Benjamin Berg (1): um: use proper care when taking mmap lock during segfault Cezary Rojewski (1): ALSA: hda: Ignore unsol events for cards being shut down Chance Yang (1): usb: common: usb-conn-gpio: use a unique name for usb connector device Chang S. Bae (2): x86/fpu: Refactor xfeature bitmask update code for sigframe XSAVE x86/pkeys: Simplify PKRU update in signal frame Chao Yu (2): f2fs: don't over-report free space or inodes in statvfs f2fs: fix to zero post-eof page Chen Yu (1): scsi: megaraid_sas: Fix invalid node index Chen Yufeng (1): usb: potential integer overflow in usbg_make_tpg() Chenyuan Yang (1): misc: tps6594-pfsm: Add NULL pointer check in tps6594_pfsm_probe() Daniele Ceraolo Spurio (1): drm/xe: Fix early wedge on GuC load failure Dave Kleikamp (1): fs/jfs: consolidate sanity checking in dbMount David Hildenbrand (2): fs/proc/task_mmu: fix PAGE_IS_PFNZERO detection for the huge zero folio mm/gup: revert "mm: gup: fix infinite loop within __get_longterm_locked" David Howells (2): cifs: Fix the smbd_response slab to allow usercopy cifs: Fix reading into an ITER_FOLIOQ from the smbdirect code David Sterba (1): btrfs: use unsigned types for constants defined as bit shifts Dmitry Kandybka (1): ceph: fix possible integer overflow in ceph_zero_objects() Dragan Simic (1): arm64: dts: rockchip: Add avdd HDMI supplies to RockPro64 board dtsi Eric Dumazet (1): atm: clip: prevent NULL deref in clip_push() FUJITA Tomonori (1): rust: module: place cleanup_module() in .exit.text section Fabio Estevam (1): serial: imx: Restore original RXTL for console to fix data loss Fedor Pchelkin (1): s390/pkey: Prevent overflow in size calculation for memdup_user() Filipe Manana (5): btrfs: fix qgroup reservation leak on failure to allocate ordered extent btrfs: fix a race between renames and directory logging btrfs: skip inodes without loaded extent maps when shrinking extent maps btrfs: make the extent map shrinker run asynchronously as a work queue job btrfs: do regular iput instead of delayed iput during extent map shrinking Frank Min (1): drm/amdgpu: Add kicker device detection Frédéric Danis (1): Bluetooth: L2CAP: Fix L2CAP MTU negotiation Greg Kroah-Hartman (1): Linux 6.12.36 Guang Yuan Wu (1): fuse: fix race between concurrent setattrs from multiple nodes Han Xu (1): spi: fsl-qspi: use devm function instead of driver remove Han Young (1): NFSv4: Always set NLINK even if the server doesn't support it Hannes Reinecke (2): nvme-tcp: fix I/O stalls on congested sockets nvme-tcp: sanitize request list handling Haoxiang Li (1): drm/xe/display: Add check for alloc_ordered_workqueue() Hector Martin (1): PCI: apple: Fix missing OF node reference in apple_pcie_setup_port Heiner Kallweit (3): r8169: add support for RTL8125D net: phy: realtek: merge the drivers for internal NBase-T PHY's net: phy: realtek: add RTL8125D-internal PHY Heinz Mauelshagen (1): dm-raid: fix variable in journal device check Iusico Maxim (1): HID: lenovo: Restrict F7/9/11 mode to compact keyboards only Jakub Kicinski (2): netlink: specs: tc: replace underscores with dashes in names net: selftests: fix TCP packet checksum Jakub Lewalski (1): tty: serial: uartlite: register uart driver in init James Clark (1): coresight: Only check bottom two claim bits Janne Grunau (1): PCI: apple: Set only available ports up Jay Cornwall (2): drm/amdkfd: Fix race in GWS queue scheduling drm/amdkfd: Fix instruction hazard in gfx12 trap handler Jayesh Choudhary (1): drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type Jens Axboe (6): io_uring/net: improve recv bundles io_uring/net: only retry recv bundle for a full transfer io_uring/net: only consider msg_inq if larger than 1 io_uring/net: always use current transfer count for buffer put io_uring/net: mark iov as dynamically allocated even for single segments io_uring/kbuf: flag partial buffer mappings Jesse Zhang (1): drm/amdgpu: Fix SDMA UTC_L1 handling during start/stop sequences Jiawen Wu (2): net: libwx: fix the creation of page_pool net: libwx: fix Tx L4 checksum Johannes Berg (1): wifi: mac80211: finish link init before RCU publish John Olender (1): drm/amdgpu: amdgpu_vram_mgr_new(): Clamp lpfn to total vram Jonathan Cameron (1): iio: pressure: zpa2326: Use aligned_s64 for the timestamp Jonathan Kim (1): drm/amdkfd: remove gfx 12 trap handler page size cap Joonas Lahtinen (1): Revert "drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1" Jos Wang (1): usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode Karol Wachowski (5): accel/ivpu: Do not fail on cmdq if failed to allocate preemption buffers accel/ivpu: Make command queue ID allocated on XArray accel/ivpu: Separate DB ID and CMDQ ID allocations from CMDQ allocation accel/ivpu: Add debugfs interface for setting HWS priority bands accel/ivpu: Trigger device recovery on engine reset/resume failure Kees Cook (1): ovl: Check for NULL d_inode() in ovl_dentry_upper() Kevin Hao (1): spi: fsl-qspi: Fix double cleanup in probe error path Khairul Anuar Romli (1): spi: spi-cadence-quadspi: Fix pm runtime unbalance Krzysztof Kozlowski (2): mfd: max14577: Fix wakeup source leaks on device unbind ASoC: codecs: wcd9335: Fix missing free of regulator supplies Kuniyuki Iwashima (4): af_unix: Don't leave consecutive consumed OOB skbs. Bluetooth: hci_core: Fix use-after-free in vhci_flush() af_unix: Don't set -ECONNRESET for consumed OOB skb. atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). Lachlan Hodges (1): wifi: mac80211: fix beacon interval calculation overflow Liam R. Howlett (1): maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() Lin.Cao (1): drm/scheduler: signal scheduled fence when kill job Linggang Zeng (1): bcache: fix NULL pointer in cache_set_flush() Lorenzo Stoakes (1): mm/vma: reset VMA iterator on commit_merge() OOM failure Lucas De Marchi (2): drm/xe: Fix memset on iomem drm/xe: Fix taking invalid lock on wedge Mario Limonciello (2): ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock drm/amd: Adjust output for discovery error handling Mark Harmstone (1): btrfs: update superblock's device bytes_used when dropping chunk Matthew Auld (3): drm/xe/vm: move rebind_work init earlier drm/xe/sched: stop re-submitting signalled jobs drm/xe/guc_submit: add back fix Matthew Sakai (1): dm vdo indexer: don't read request structure after enqueuing Maíra Canal (1): drm/etnaviv: Protect the scheduler's pending list with its lock Michael Grzeschik (2): usb: dwc2: also exit clock_gating when stopping udc while suspended usb: typec: mux: do not return on EOPNOTSUPP in {mux, switch}_set Michal Wajdeczko (1): drm/xe: Process deferred GGTT node removals on device unwind Muna Sinada (2): wifi: mac80211: Add link iteration macro for link data wifi: mac80211: Create separate links for VLAN interfaces Nam Cao (2): Revert "riscv: Define TASK_SIZE_MAX for __access_ok()" Revert "riscv: misaligned: fix sleeping function called during misaligned access handling" Namjae Jeon (2): ksmbd: allow a filename to contain special characters on SMB3.1.1 posix extension ksmbd: provide zero as a unique ID to the Mac client Naohiro Aota (1): btrfs: zoned: fix extent range end unlock in cow_file_range() Nathan Chancellor (1): staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() Nikhil Jha (1): sunrpc: don't immediately retransmit on seqno miss Niklas Cassel (1): ata: ahci: Use correct DMI identifier for ASUSPRO-D840SA LPM quirk Olga Kornievskaia (1): NFSv4.2: fix listxattr to return selinux security label Oliver Schramm (1): ASoC: amd: yc: Add DMI quirk for Lenovo IdeaPad Slim 5 15 Pali Rohár (3): cifs: Correctly set SMB1 SessionKey field in Session Setup Request cifs: Fix cifs_query_path_info() for Windows NT servers cifs: Fix encoding of SMB1 Session Setup NTLMSSP Request in non-UNICODE mode Paulo Alcantara (1): smb: client: fix potential deadlock when reconnecting channels Pavel Begunkov (2): io_uring/rsrc: fix folio unpinning io_uring/rsrc: don't rely on user vaddr alignment Peng Fan (2): mailbox: Not protect module_put with spin_lock_irqsave ASoC: codec: wcd9335: Convert to GPIO descriptors Penglei Jiang (1): io_uring: fix potential page leak in io_sqe_buffer_register() Peter Korsgaard (1): usb: gadget: f_hid: wake up readers on disable/unbind Philip Yang (1): drm/amdgpu: seq64 memory unmap uses uninterruptible lock Purva Yeshi (1): iio: adc: ad_sigma_delta: Fix use of uninitialized status_pos Qasim Ijaz (3): HID: wacom: fix memory leak on kobject creation failure HID: wacom: fix memory leak on sysfs attribute creation failure HID: wacom: fix kobject reference count leak Qingfang Deng (1): net: stmmac: Fix accessing freed irq affinity_hint Qiu-ji Chen (1): drm/tegra: Fix a possible null pointer dereference Qu Wenruo (3): btrfs: handle csum tree error with rescue=ibadroots correctly btrfs: factor out nocow ordered extent and extent map generation into a helper btrfs: do proper folio cleanup when cow_file_range() failed Rengarajan S (1): 8250: microchip: pci1xxxx: Add PCIe Hot reset disable support for Rev C0 and later devices Ricardo Ribalda (1): media: uvcvideo: Rollback non processed entities on error Richard Zhu (1): PCI: imx6: Add workaround for errata ERR051624 Robert Hodaszi (1): usb: cdc-wdm: avoid setting WDM_READ for ZLP-s Robert Richter (1): cxl/region: Add a dev_err() on missing target list entries Rudraksha Gupta (1): rust: arm: fix unknown (to Clang) argument '-mno-fdpic' Sagi Grimberg (1): NFSv4.2: fix setattr caching of TIME_[MODIFY|ACCESS]_SET when timestamps are delegated Salvatore Bonaccorso (1): ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR Sami Tolvanen (1): um: Add cmpxchg8b_emu and checksum functions to asm-prototypes.h Sasha Levin (5): drm/xe: Carve out wopcm portion from the stolen memory usb: typec: tcpm: PSSourceOffTimer timeout in PR_Swap enters ERROR_RECOVERY drm/msm/dp: account for widebus and yuv420 during mode validation riscv/atomic: Do proper sign extension also for unsigned in arch_cmpxchg btrfs: fix use-after-free on inode when scanning root during em shrinking Scott Mayhew (1): NFSv4: xattr handlers should check for absent nfs filehandles SeongJae Park (1): mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write Shuming Fan (1): ASoC: rt1320: fix speaker noise when volume bar is 100% Simon Horman (1): net: enetc: Correct endianness handling in _enetc_rd_reg64 Stefan Metzmacher (8): smb: client: remove \t from TP_printk statements smb: smbdirect: add smbdirect_pdu.h with protocol definitions smb: client: make use of common smbdirect_pdu.h smb: smbdirect: add smbdirect.h with public structures smb: smbdirect: add smbdirect_socket.h smb: client: make use of common smbdirect_socket smb: smbdirect: introduce smbdirect_socket_parameters smb: client: make use of common smbdirect_socket_parameters Stefano Garzarella (1): vsock/uapi: fix linux/vm_sockets.h userspace compilation errors Stephan Gerhold (1): drm/msm/gpu: Fix crash when throttling GPU immediately during boot Sven Schwermer (1): leds: multicolor: Fix intensity setting while SW blinking Thierry Reding (1): drm/tegra: Assign plane type before registration Thomas Fourier (1): ethernet: ionic: Fix DMA mapping tests Thomas Gessler (1): dmaengine: xilinx_dma: Set dma_device directions Thomas Zeitlhofer (1): HID: wacom: fix crash in wacom_aes_battery_handler() Thomas Zimmermann (4): drm/ast: Fix comment on modeset lock drm/cirrus-qemu: Fix pitch programming drm/udl: Unregister device before cleaning up on disconnect drm/fbdev-dma: Add shadow buffering for deferred I/O Tiwei Bie (1): um: ubd: Add missing error check in start_io_thread() Vasiliy Kovalev (1): jfs: validate AG parameters in dbMount() to prevent crashes Vijendar Mukunda (1): ALSA: hda: Add new pci id for AMD GPU display HD audio controller Ville Syrjälä (2): drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1 drm/i915/dsi: Fix off by one in BXT_MIPI_TRANS_VTOTAL Wenbin Yao (1): PCI: dwc: Make link training more robust by setting PORT_LOGIC_LINK_WIDTH to one lane Wentao Liang (1): drm/amd/display: Add null pointer check for get_first_active_display() Wolfram Sang (3): i2c: tiny-usb: disable zero-length read messages i2c: robotfuzz-osif: disable zero-length read messages drm/bridge: ti-sn65dsi86: make use of debugfs_init callback Xin Li (Intel) (1): x86/traps: Initialize DR6 by writing its architectural reset value Yan Zhai (1): bnxt: properly flush XDP redirect lists Yao Zi (1): dt-bindings: serial: 8250: Make clocks and clock-frequency exclusive Yi Sun (1): dmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using Yifan Zhang (1): amd/amdkfd: fix a kfd_process ref leak Yihan Zhu (1): drm/amd/display: Fix RMCM programming seq errors Youngjun Lee (1): ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() Yu Kuai (2): md/md-bitmap: fix dm-raid max_write_behind setting lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly() Yuan Chen (1): libbpf: Fix null pointer dereference in btf_dump__free on allocation failure Zhang Zekun (1): PCI: apple: Use helper function for_each_child_of_node_scoped() Zhongwei Zhang (1): drm/amd/display: Correct non-OLED pre_T11_delay. Ziqi Chen (1): scsi: ufs: core: Don't perform UFS clkscaling during host async scan anvithdosapati (1): scsi: ufs: core: Fix clk scaling to be conditional in reset and restore

4 months, 2 weeks

1
1
0 0

Linux 6.6.96

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.96 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/serial/8250.yaml | 2 Makefile | 2 arch/arm/include/asm/ptrace.h | 5 arch/s390/kernel/entry.S | 2 arch/um/drivers/ubd_user.c | 2 arch/um/include/asm/asm-prototypes.h | 5 arch/um/kernel/trap.c | 129 ++++++- arch/x86/tools/insn_decoder_test.c | 5 arch/x86/um/asm/checksum.h | 3 drivers/cxl/core/region.c | 7 drivers/dma/idxd/cdev.c | 4 drivers/dma/xilinx/xilinx_dma.c | 2 drivers/edac/amd64_edac.c | 57 +-- drivers/firmware/arm_scmi/driver.c | 44 ++ drivers/firmware/arm_scmi/protocols.h | 6 drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c | 30 - drivers/gpu/drm/amd/amdgpu/amdgpu_job.c | 12 drivers/gpu/drm/amd/amdgpu/amdgpu_job.h | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h | 16 drivers/gpu/drm/amd/amdgpu/amdgpu_ucode.c | 17 drivers/gpu/drm/amd/amdgpu/amdgpu_ucode.h | 6 drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 2 drivers/gpu/drm/amd/amdkfd/kfd_events.c | 1 drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c | 2 drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c | 3 drivers/gpu/drm/ast/ast_mode.c | 6 drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c | 32 + drivers/gpu/drm/bridge/ti-sn65dsi86.c | 109 +++-- drivers/gpu/drm/etnaviv/etnaviv_sched.c | 5 drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c | 2 drivers/gpu/drm/i915/i915_pmu.c | 2 drivers/gpu/drm/msm/msm_gpu_devfreq.c | 1 drivers/gpu/drm/scheduler/sched_entity.c | 1 drivers/gpu/drm/tegra/dc.c | 17 drivers/gpu/drm/tegra/hub.c | 4 drivers/gpu/drm/tegra/hub.h | 3 drivers/gpu/drm/tiny/cirrus.c | 1 drivers/gpu/drm/udl/udl_drv.c | 2 drivers/hid/hid-lenovo.c | 11 drivers/hid/wacom_sys.c | 6 drivers/hv/channel_mgmt.c | 15 drivers/hv/hyperv_vmbus.h | 5 drivers/hwmon/pmbus/max34440.c | 48 ++ drivers/hwtracing/coresight/coresight-core.c | 3 drivers/hwtracing/coresight/coresight-priv.h | 1 drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 drivers/i2c/busses/i2c-tiny-usb.c | 6 drivers/iio/adc/ad_sigma_delta.c | 4 drivers/iio/pressure/zpa2326.c | 2 drivers/leds/led-class-multicolor.c | 3 drivers/mailbox/mailbox.c | 2 drivers/md/bcache/super.c | 7 drivers/md/dm-raid.c | 2 drivers/md/md-bitmap.c | 2 drivers/media/usb/uvc/uvc_ctrl.c | 39 +- drivers/mfd/max14577.c | 1 drivers/misc/tps6594-pfsm.c | 3 drivers/net/ethernet/freescale/enetc/enetc_hw.h | 2 drivers/net/ethernet/wangxun/libwx/wx_lib.c | 2 drivers/nvme/host/ioctl.c | 16 drivers/pci/controller/dwc/pcie-designware.c | 5 drivers/pci/controller/pcie-apple.c | 7 drivers/platform/x86/Kconfig | 1 drivers/platform/x86/ideapad-laptop.c | 237 +++++++++++++ drivers/platform/x86/ideapad-laptop.h | 142 ------- drivers/platform/x86/lenovo-ymc.c | 60 --- drivers/s390/crypto/pkey_api.c | 2 drivers/scsi/megaraid/megaraid_sas_base.c | 6 drivers/spi/spi-cadence-quadspi.c | 11 drivers/staging/rtl8723bs/core/rtw_security.c | 44 -- drivers/tty/serial/imx.c | 17 drivers/tty/serial/uartlite.c | 25 - drivers/tty/vt/vt.c | 12 drivers/ufs/core/ufshcd.c | 3 drivers/uio/uio_hv_generic.c | 10 drivers/usb/class/cdc-wdm.c | 23 - drivers/usb/common/usb-conn-gpio.c | 25 + drivers/usb/core/usb.c | 14 drivers/usb/dwc2/gadget.c | 6 drivers/usb/gadget/function/f_tcm.c | 4 drivers/usb/typec/altmodes/displayport.c | 4 drivers/usb/typec/mux.c | 4 drivers/video/console/dummycon.c | 24 - drivers/video/console/mdacon.c | 21 - drivers/video/console/newport_con.c | 12 drivers/video/console/sticon.c | 14 drivers/video/console/vgacon.c | 12 drivers/video/fbdev/core/fbcon.c | 40 +- fs/btrfs/disk-io.c | 3 fs/btrfs/inode.c | 81 +++- fs/btrfs/volumes.c | 6 fs/ceph/file.c | 2 fs/f2fs/super.c | 30 - fs/fuse/dir.c | 11 fs/jfs/jfs_dmap.c | 41 -- fs/namespace.c | 8 fs/nfs/inode.c | 2 fs/nfs/nfs4proc.c | 17 fs/overlayfs/util.c | 4 fs/smb/client/cifsglob.h | 2 fs/smb/client/cifspdu.h | 6 fs/smb/client/cifssmb.c | 1 fs/smb/client/connect.c | 58 +-- fs/smb/client/misc.c | 8 fs/smb/client/sess.c | 21 - fs/smb/server/connection.h | 1 fs/smb/server/smb2pdu.c | 81 ++-- fs/smb/server/smb2pdu.h | 3 include/linux/console.h | 13 include/linux/hyperv.h | 2 include/linux/ipv6.h | 1 include/uapi/linux/vm_sockets.h | 4 lib/Kconfig.debug | 9 lib/Makefile | 2 lib/group_cpus.c | 9 lib/longest_symbol_kunit.c | 82 ++++ mm/damon/sysfs-schemes.c | 1 net/atm/clip.c | 11 net/atm/resources.c | 3 net/bluetooth/l2cap_core.c | 9 net/core/selftests.c | 5 net/ipv6/ip6_output.c | 9 net/mac80211/util.c | 2 net/sunrpc/clnt.c | 9 net/unix/af_unix.c | 107 ++++- net/unix/garbage.c | 24 - rust/macros/module.rs | 1 scripts/checkstack.pl | 3 scripts/gdb/linux/tasks.py | 15 scripts/head-object-list.txt | 1 scripts/kconfig/mconf.c | 2 scripts/kconfig/nconf.c | 2 scripts/package/kernel.spec | 28 - scripts/package/mkdebian | 2 scripts/recordmcount.c | 1 scripts/recordmcount.pl | 7 scripts/xz_wrap.sh | 1 sound/pci/hda/hda_bind.c | 2 sound/pci/hda/hda_intel.c | 3 sound/pci/hda/patch_realtek.c | 1 sound/soc/amd/yc/acp6x-mach.c | 7 sound/soc/codecs/wcd9335.c | 62 +-- sound/usb/quirks.c | 2 sound/usb/stream.c | 2 tools/lib/bpf/btf_dump.c | 3 tools/lib/bpf/libbpf.c | 10 tools/testing/selftests/bpf/progs/test_global_map_resize.c | 16 149 files changed, 1557 insertions(+), 828 deletions(-) Adin Scannell (1): libbpf: Fix possible use-after-free for externs Al Viro (1): attach_recursive_mnt(): do not lock the covering tree when sliding something under it Alex Deucher (1): drm/amdgpu: switch job hw_fence to amdgpu_fence Alexis Czezar Torreno (1): hwmon: (pmbus/max34440) Fix support for max34451 Andy Shevchenko (1): usb: Add checks for snprintf() calls in usb_alloc_dev() Aradhya Bhatia (5): drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() drm/bridge: cdns-dsi: Fix phy de-init and flag it so drm/bridge: cdns-dsi: Fix connecting to next bridge drm/bridge: cdns-dsi: Check return value when getting default PHY config drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready Arnd Bergmann (1): drm/i915: fix build error some more Avadhut Naik (1): EDAC/amd64: Fix size calculation for Non-Power-of-Two DIMMs Benjamin Berg (1): um: use proper care when taking mmap lock during segfault Brett A C Sheffield (Librecast) (1): Revert "ipv6: save dontfrag in cork" Cezary Rojewski (1): ALSA: hda: Ignore unsol events for cards being shut down Chance Yang (1): usb: common: usb-conn-gpio: use a unique name for usb connector device Chao Yu (1): f2fs: don't over-report free space or inodes in statvfs Chen Yu (1): scsi: megaraid_sas: Fix invalid node index Chen Yufeng (1): usb: potential integer overflow in usbg_make_tpg() Chenyuan Yang (1): misc: tps6594-pfsm: Add NULL pointer check in tps6594_pfsm_probe() Cristian Marussi (1): firmware: arm_scmi: Add a common helper to check if a message is supported Dave Kleikamp (1): fs/jfs: consolidate sanity checking in dbMount Dmitry Kandybka (1): ceph: fix possible integer overflow in ceph_zero_objects() Eric Dumazet (1): atm: clip: prevent NULL deref in clip_push() FUJITA Tomonori (1): rust: module: place cleanup_module() in .exit.text section Fabio Estevam (1): serial: imx: Restore original RXTL for console to fix data loss Fedor Pchelkin (1): s390/pkey: Prevent overflow in size calculation for memdup_user() Filipe Manana (1): btrfs: fix a race between renames and directory logging Frank Min (1): drm/amdgpu: Add kicker device detection Frédéric Danis (1): Bluetooth: L2CAP: Fix L2CAP MTU negotiation Geert Uytterhoeven (1): ARM: 9354/1: ptrace: Use bitfield helpers Gergo Koteles (3): platform/x86: ideapad-laptop: introduce a generic notification chain platform/x86: ideapad-laptop: move ymc_trigger_ec from lenovo-ymc platform/x86: ideapad-laptop: move ACPI helpers from header to source file Greg Kroah-Hartman (1): Linux 6.6.96 Guang Yuan Wu (1): fuse: fix race between concurrent setattrs from multiple nodes Han Young (1): NFSv4: Always set NLINK even if the server doesn't support it Hector Martin (1): PCI: apple: Fix missing OF node reference in apple_pcie_setup_port Heiko Carstens (1): s390/entry: Fix last breaking event handling in case of stack corruption Heinz Mauelshagen (1): dm-raid: fix variable in journal device check Iusico Maxim (1): HID: lenovo: Restrict F7/9/11 mode to compact keyboards only Jakub Kicinski (1): net: selftests: fix TCP packet checksum Jakub Lewalski (1): tty: serial: uartlite: register uart driver in init James Clark (1): coresight: Only check bottom two claim bits Janne Grunau (1): PCI: apple: Set only available ports up Jay Cornwall (1): drm/amdkfd: Fix race in GWS queue scheduling Jayesh Choudhary (1): drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type Jens Axboe (1): nvme: always punt polled uring_cmd end_io work to task_work Jiawen Wu (1): net: libwx: fix the creation of page_pool Jiri Slaby (SUSE) (3): tty: vt: make init parameter of consw::con_init() a bool tty: vt: sanitize arguments of consw::con_clear() tty: vt: make consw::con_switch() return a bool John Olender (1): drm/amdgpu: amdgpu_vram_mgr_new(): Clamp lpfn to total vram Jonathan Cameron (1): iio: pressure: zpa2326: Use aligned_s64 for the timestamp Jos Wang (1): usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode Jose Ignacio Tornos Martinez (1): kbuild: rpm-pkg: simplify installkernel %post Kees Cook (1): ovl: Check for NULL d_inode() in ovl_dentry_upper() Khairul Anuar Romli (1): spi: spi-cadence-quadspi: Fix pm runtime unbalance Krzysztof Kozlowski (3): mfd: max14577: Fix wakeup source leaks on device unbind ASoC: codecs: wcd9335: Handle nicer probe deferral and simplify with dev_err_probe() ASoC: codecs: wcd9335: Fix missing free of regulator supplies Kuniyuki Iwashima (7): af_unix: Define locking order for unix_table_double_lock(). af_unix: Define locking order for U_LOCK_SECOND in unix_state_double_lock(). af_unix: Define locking order for U_RECVQ_LOCK_EMBRYO in unix_collect_skb(). af_unix: Don't call skb_get() for OOB skb. af_unix: Don't leave consecutive consumed OOB skbs. af_unix: Don't set -ECONNRESET for consumed OOB skb. atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). Lachlan Hodges (1): wifi: mac80211: fix beacon interval calculation overflow Lin.Cao (1): drm/scheduler: signal scheduled fence when kill job Linggang Zeng (1): bcache: fix NULL pointer in cache_set_flush() Long Li (1): uio_hv_generic: Align ring size to system page Mario Limonciello (1): ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock Mark Harmstone (1): btrfs: update superblock's device bytes_used when dropping chunk Masahiro Yamada (1): scripts: clean up IA-64 code Maíra Canal (1): drm/etnaviv: Protect the scheduler's pending list with its lock Michael Grzeschik (2): usb: dwc2: also exit clock_gating when stopping udc while suspended usb: typec: mux: do not return on EOPNOTSUPP in {mux, switch}_set Namjae Jeon (4): ksmbd: allow a filename to contain special characters on SMB3.1.1 posix extension ksmbd: provide zero as a unique ID to the Mac client ksmbd: Use unsafe_memcpy() for ntlm_negotiate ksmbd: remove unsafe_memcpy use in session setup Nathan Chancellor (2): staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() x86/tools: Drop duplicate unlikely() definition in insn_decoder_test.c Nikhil Jha (1): sunrpc: don't immediately retransmit on seqno miss Olga Kornievskaia (1): NFSv4.2: fix listxattr to return selinux security label Oliver Schramm (1): ASoC: amd: yc: Add DMI quirk for Lenovo IdeaPad Slim 5 15 Pali Rohár (3): cifs: Correctly set SMB1 SessionKey field in Session Setup Request cifs: Fix cifs_query_path_info() for Windows NT servers cifs: Fix encoding of SMB1 Session Setup NTLMSSP Request in non-UNICODE mode Paulo Alcantara (1): smb: client: fix potential deadlock when reconnecting channels Peng Fan (2): mailbox: Not protect module_put with spin_lock_irqsave ASoC: codec: wcd9335: Convert to GPIO descriptors Purva Yeshi (1): iio: adc: ad_sigma_delta: Fix use of uninitialized status_pos Qasim Ijaz (3): HID: wacom: fix memory leak on kobject creation failure HID: wacom: fix memory leak on sysfs attribute creation failure HID: wacom: fix kobject reference count leak Qiu-ji Chen (1): drm/tegra: Fix a possible null pointer dereference Qu Wenruo (1): btrfs: handle csum tree error with rescue=ibadroots correctly Ricardo Ribalda (1): media: uvcvideo: Rollback non processed entities on error Robert Hodaszi (1): usb: cdc-wdm: avoid setting WDM_READ for ZLP-s Robert Richter (1): cxl/region: Add a dev_err() on missing target list entries Rong Zhang (1): platform/x86: ideapad-laptop: use usleep_range() for EC polling Salvatore Bonaccorso (1): ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR Sami Tolvanen (1): um: Add cmpxchg8b_emu and checksum functions to asm-prototypes.h Saurabh Sengar (2): Drivers: hv: vmbus: Add utility function for querying ring size uio_hv_generic: Query the ringbuffer size for device Scott Mayhew (1): NFSv4: xattr handlers should check for absent nfs filehandles SeongJae Park (1): mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write Sergio González Collado (1): Kunit to check the longest symbol length Sibi Sankar (1): firmware: arm_scmi: Ensure that the message-id supports fastchannel Simon Horman (1): net: enetc: Correct endianness handling in _enetc_rd_reg64 Stefano Garzarella (1): vsock/uapi: fix linux/vm_sockets.h userspace compilation errors Stephan Gerhold (1): drm/msm/gpu: Fix crash when throttling GPU immediately during boot Sven Schwermer (1): leds: multicolor: Fix intensity setting while SW blinking Thierry Reding (1): drm/tegra: Assign plane type before registration Thomas Gessler (1): dmaengine: xilinx_dma: Set dma_device directions Thomas Zimmermann (4): dummycon: Trigger redraw when switching consoles with deferred takeover drm/ast: Fix comment on modeset lock drm/cirrus-qemu: Fix pitch programming drm/udl: Unregister device before cleaning up on disconnect Tiwei Bie (1): um: ubd: Add missing error check in start_io_thread() Vasiliy Kovalev (1): jfs: validate AG parameters in dbMount() to prevent crashes Vijendar Mukunda (1): ALSA: hda: Add new pci id for AMD GPU display HD audio controller Ville Syrjälä (1): drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1 Wenbin Yao (1): PCI: dwc: Make link training more robust by setting PORT_LOGIC_LINK_WIDTH to one lane Wentao Liang (1): drm/amd/display: Add null pointer check for get_first_active_display() Wolfram Sang (3): i2c: tiny-usb: disable zero-length read messages i2c: robotfuzz-osif: disable zero-length read messages drm/bridge: ti-sn65dsi86: make use of debugfs_init callback Yao Zi (1): dt-bindings: serial: 8250: Make clocks and clock-frequency exclusive Yi Sun (1): dmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using Yifan Zhang (1): amd/amdkfd: fix a kfd_process ref leak Youngjun Lee (1): ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() Yu Kuai (2): md/md-bitmap: fix dm-raid max_write_behind setting lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly() Yuan Chen (1): libbpf: Fix null pointer dereference in btf_dump__free on allocation failure Zhang Zekun (1): PCI: apple: Use helper function for_each_child_of_node_scoped() Ziqi Chen (1): scsi: ufs: core: Don't perform UFS clkscaling during host async scan

4 months, 2 weeks

1
1
0 0

Linux 6.1.143

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.143 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/serial/8250.yaml | 2 Makefile | 2 arch/arm/include/asm/ptrace.h | 5 arch/arm64/mm/mmu.c | 3 arch/s390/kernel/entry.S | 2 arch/um/drivers/ubd_user.c | 2 arch/um/include/asm/asm-prototypes.h | 5 arch/um/kernel/trap.c | 129 +++- arch/x86/tools/insn_decoder_test.c | 5 arch/x86/um/asm/checksum.h | 3 drivers/dma/xilinx/xilinx_dma.c | 2 drivers/firmware/arm_scmi/driver.c | 44 + drivers/firmware/arm_scmi/protocols.h | 6 drivers/gpu/drm/amd/amdgpu/amdgpu_ucode.c | 17 drivers/gpu/drm/amd/amdgpu/amdgpu_ucode.h | 6 drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 2 drivers/gpu/drm/amd/amdkfd/kfd_events.c | 1 drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c | 2 drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c | 3 drivers/gpu/drm/bridge/cdns-dsi.c | 32 drivers/gpu/drm/bridge/ti-sn65dsi86.c | 109 ++- drivers/gpu/drm/etnaviv/etnaviv_sched.c | 5 drivers/gpu/drm/msm/msm_gpu_devfreq.c | 1 drivers/gpu/drm/tegra/dc.c | 17 drivers/gpu/drm/tegra/hub.c | 4 drivers/gpu/drm/tegra/hub.h | 3 drivers/gpu/drm/udl/udl_drv.c | 2 drivers/hid/hid-lenovo.c | 11 drivers/hid/wacom_sys.c | 6 drivers/hv/channel_mgmt.c | 15 drivers/hv/connection.c | 134 +--- drivers/hv/hv.c | 36 - drivers/hv/hv_common.c | 231 +++++++ drivers/hv/hyperv_vmbus.h | 7 drivers/hv/vmbus_drv.c | 206 ------ drivers/hwmon/pmbus/max34440.c | 48 + drivers/hwtracing/coresight/coresight-core.c | 3 drivers/hwtracing/coresight/coresight-priv.h | 2 drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 drivers/i2c/busses/i2c-tiny-usb.c | 6 drivers/iio/adc/ad_sigma_delta.c | 4 drivers/iio/pressure/zpa2326.c | 2 drivers/leds/led-class-multicolor.c | 3 drivers/mailbox/mailbox.c | 2 drivers/md/bcache/super.c | 7 drivers/md/dm-raid.c | 2 drivers/md/md-bitmap.c | 2 drivers/media/platform/nxp/imx-jpeg/mxc-jpeg-hw.h | 1 drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c | 212 +++--- drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.h | 6 drivers/media/usb/uvc/uvc_ctrl.c | 40 - drivers/mfd/max14577.c | 1 drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 26 drivers/net/ethernet/broadcom/bnxt/bnxt_hsi.h | 644 ++------------------ drivers/net/ethernet/freescale/enetc/enetc_hw.h | 2 drivers/nvme/host/ioctl.c | 15 drivers/pci/controller/pcie-apple.c | 7 drivers/s390/crypto/pkey_api.c | 2 drivers/scsi/megaraid/megaraid_sas_base.c | 6 drivers/staging/rtl8723bs/core/rtw_security.c | 44 - drivers/tty/serial/imx.c | 17 drivers/tty/serial/uartlite.c | 25 drivers/tty/vt/vt.c | 12 drivers/uio/uio_hv_generic.c | 10 drivers/usb/class/cdc-wdm.c | 23 drivers/usb/common/usb-conn-gpio.c | 25 drivers/usb/core/usb.c | 14 drivers/usb/dwc2/gadget.c | 6 drivers/usb/gadget/function/f_tcm.c | 4 drivers/usb/typec/altmodes/displayport.c | 4 drivers/usb/typec/mux.c | 4 drivers/video/console/dummycon.c | 24 drivers/video/console/mdacon.c | 21 drivers/video/console/newport_con.c | 12 drivers/video/console/sticon.c | 14 drivers/video/console/vgacon.c | 34 - drivers/video/fbdev/core/fbcon.c | 40 - drivers/video/fbdev/core/fbmem.c | 18 drivers/video/fbdev/hyperv_fb.c | 8 fs/btrfs/disk-io.c | 3 fs/btrfs/inode.c | 81 +- fs/btrfs/volumes.c | 6 fs/ceph/file.c | 2 fs/f2fs/super.c | 30 fs/jfs/jfs_dmap.c | 41 - fs/namespace.c | 8 fs/nfs/inode.c | 2 fs/nfs/nfs4proc.c | 17 fs/omfs/file.c | 12 fs/omfs/omfs_fs.h | 2 fs/overlayfs/util.c | 4 fs/smb/client/cifsglob.h | 1 fs/smb/client/cifspdu.h | 6 fs/smb/client/cifssmb.c | 1 fs/smb/client/misc.c | 8 fs/smb/client/sess.c | 1 fs/smb/server/smb2pdu.c | 62 - include/asm-generic/mshyperv.h | 2 include/linux/console.h | 13 include/linux/hyperv.h | 2 include/linux/ipv6.h | 1 include/uapi/linux/vm_sockets.h | 4 io_uring/kbuf.c | 2 lib/Kconfig.debug | 9 lib/Makefile | 2 lib/longest_symbol_kunit.c | 82 ++ net/atm/clip.c | 11 net/atm/resources.c | 3 net/bluetooth/l2cap_core.c | 9 net/core/selftests.c | 5 net/ipv6/ip6_output.c | 9 net/mac80211/util.c | 2 net/unix/af_unix.c | 58 - net/unix/garbage.c | 24 rust/macros/module.rs | 1 sound/pci/hda/hda_bind.c | 2 sound/pci/hda/hda_intel.c | 3 sound/pci/hda/patch_realtek.c | 1 sound/soc/amd/yc/acp6x-mach.c | 7 sound/soc/codecs/wcd9335.c | 62 - sound/usb/quirks.c | 2 sound/usb/stream.c | 2 tools/lib/bpf/btf_dump.c | 3 123 files changed, 1594 insertions(+), 1482 deletions(-) Al Viro (1): attach_recursive_mnt(): do not lock the covering tree when sliding something under it Alexis Czezar Torreno (1): hwmon: (pmbus/max34440) Fix support for max34451 Andy Shevchenko (1): usb: Add checks for snprintf() calls in usb_alloc_dev() Aradhya Bhatia (5): drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() drm/bridge: cdns-dsi: Fix phy de-init and flag it so drm/bridge: cdns-dsi: Fix connecting to next bridge drm/bridge: cdns-dsi: Check return value when getting default PHY config drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready Benjamin Berg (1): um: use proper care when taking mmap lock during segfault Brett A C Sheffield (Librecast) (1): Revert "ipv6: save dontfrag in cork" Cezary Rojewski (1): ALSA: hda: Ignore unsol events for cards being shut down Chance Yang (1): usb: common: usb-conn-gpio: use a unique name for usb connector device Chao Yu (1): f2fs: don't over-report free space or inodes in statvfs Chen Ni (1): fbdev: hyperv_fb: Convert comma to semicolon Chen Yu (1): scsi: megaraid_sas: Fix invalid node index Chen Yufeng (1): usb: potential integer overflow in usbg_make_tpg() Cristian Marussi (1): firmware: arm_scmi: Add a common helper to check if a message is supported Dave Kleikamp (1): fs/jfs: consolidate sanity checking in dbMount Dev Jain (1): arm64: Restrict pagetable teardown to avoid false warning Dmitry Kandybka (1): ceph: fix possible integer overflow in ceph_zero_objects() Eric Dumazet (1): atm: clip: prevent NULL deref in clip_push() FUJITA Tomonori (1): rust: module: place cleanup_module() in .exit.text section Fabio Estevam (1): serial: imx: Restore original RXTL for console to fix data loss Fedor Pchelkin (1): s390/pkey: Prevent overflow in size calculation for memdup_user() Filipe Manana (1): btrfs: fix a race between renames and directory logging Frank Min (1): drm/amdgpu: Add kicker device detection Frédéric Danis (1): Bluetooth: L2CAP: Fix L2CAP MTU negotiation Geert Uytterhoeven (1): ARM: 9354/1: ptrace: Use bitfield helpers Greg Kroah-Hartman (1): Linux 6.1.143 Guilherme G. Piccoli (1): drivers: hv, hyperv_fb: Untangle and refactor Hyper-V panic notifiers Gustavo A. R. Silva (1): fs: omfs: Use flexible-array member in struct omfs_extent Han Young (1): NFSv4: Always set NLINK even if the server doesn't support it Hector Martin (1): PCI: apple: Fix missing OF node reference in apple_pcie_setup_port Heiko Carstens (1): s390/entry: Fix last breaking event handling in case of stack corruption Heinz Mauelshagen (1): dm-raid: fix variable in journal device check Iusico Maxim (1): HID: lenovo: Restrict F7/9/11 mode to compact keyboards only Jakub Kicinski (2): net: selftests: fix TCP packet checksum eth: bnxt: fix one of the W=1 warnings about fortified memcpy() Jakub Lewalski (1): tty: serial: uartlite: register uart driver in init James Clark (1): coresight: Only check bottom two claim bits Janne Grunau (1): PCI: apple: Set only available ports up Jason Wang (1): media: imx-jpeg: Remove unnecessary memset() after dma_alloc_coherent() Jay Cornwall (1): drm/amdkfd: Fix race in GWS queue scheduling Jayesh Choudhary (1): drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type Jens Axboe (1): nvme: always punt polled uring_cmd end_io work to task_work Jiri Slaby (SUSE) (5): vgacon: switch vgacon_scrolldelta() and vgacon_restore_screen() vgacon: remove unneeded forward declarations tty: vt: make init parameter of consw::con_init() a bool tty: vt: sanitize arguments of consw::con_clear() tty: vt: make consw::con_switch() return a bool John Olender (1): drm/amdgpu: amdgpu_vram_mgr_new(): Clamp lpfn to total vram Jonathan Cameron (1): iio: pressure: zpa2326: Use aligned_s64 for the timestamp Joonas Lahtinen (1): Revert "drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1" Jos Wang (1): usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode Kameron Carr (1): Drivers: hv: Change hv_free_hyperv_page() to take void * argument Kees Cook (1): ovl: Check for NULL d_inode() in ovl_dentry_upper() Krzysztof Kozlowski (3): mfd: max14577: Fix wakeup source leaks on device unbind ASoC: codecs: wcd9335: Handle nicer probe deferral and simplify with dev_err_probe() ASoC: codecs: wcd9335: Fix missing free of regulator supplies Kuniyuki Iwashima (4): af_unix: Don't call skb_get() for OOB skb. af_unix: Don't leave consecutive consumed OOB skbs. af_unix: Don't set -ECONNRESET for consumed OOB skb. atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). Lachlan Hodges (1): wifi: mac80211: fix beacon interval calculation overflow Linggang Zeng (1): bcache: fix NULL pointer in cache_set_flush() Long Li (3): Drivers: hv: move panic report code from vmbus to hv early init code Drivers: hv: Allocate interrupt and monitor pages aligned to system page boundary uio_hv_generic: Align ring size to system page Mario Limonciello (1): ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock Mark Harmstone (1): btrfs: update superblock's device bytes_used when dropping chunk Maíra Canal (1): drm/etnaviv: Protect the scheduler's pending list with its lock Michael Chan (2): bnxt_en: Fix W=1 warning in bnxt_dcb.c from fortify memcpy() bnxt_en: Fix W=stringop-overflow warning in bnxt_dcb.c Michael Grzeschik (2): usb: dwc2: also exit clock_gating when stopping udc while suspended usb: typec: mux: do not return on EOPNOTSUPP in {mux, switch}_set Michael Kelley (1): Drivers: hv: vmbus: Remove second mapping of VMBus monitor pages Ming Qian (5): media: imx-jpeg: Add a timeout mechanism for each frame media: imx-jpeg: Support to assign slot for encoder/decoder media: imx-jpeg: Move mxc_jpeg_free_slot_data() ahead media: imx-jpeg: Reset slot data pointers when freed media: imx-jpeg: Cleanup after an allocation error Murad Masimov (1): fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var Namjae Jeon (3): ksmbd: allow a filename to contain special characters on SMB3.1.1 posix extension ksmbd: Use unsafe_memcpy() for ntlm_negotiate ksmbd: remove unsafe_memcpy use in session setup Nathan Chancellor (2): staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() x86/tools: Drop duplicate unlikely() definition in insn_decoder_test.c Olga Kornievskaia (1): NFSv4.2: fix listxattr to return selinux security label Oliver Schramm (1): ASoC: amd: yc: Add DMI quirk for Lenovo IdeaPad Slim 5 15 Pali Rohár (2): cifs: Correctly set SMB1 SessionKey field in Session Setup Request cifs: Fix cifs_query_path_info() for Windows NT servers Pavel Begunkov (1): io_uring/kbuf: account ring io_buffer_list memory Peng Fan (2): mailbox: Not protect module_put with spin_lock_irqsave ASoC: codec: wcd9335: Convert to GPIO descriptors Purva Yeshi (1): iio: adc: ad_sigma_delta: Fix use of uninitialized status_pos Qasim Ijaz (3): HID: wacom: fix memory leak on kobject creation failure HID: wacom: fix memory leak on sysfs attribute creation failure HID: wacom: fix kobject reference count leak Qiu-ji Chen (1): drm/tegra: Fix a possible null pointer dereference Qu Wenruo (1): btrfs: handle csum tree error with rescue=ibadroots correctly Ricardo Ribalda (1): media: uvcvideo: Rollback non processed entities on error Rick Edgecombe (1): Drivers: hv: vmbus: Leak pages if set_memory_encrypted() fails Robert Hodaszi (1): usb: cdc-wdm: avoid setting WDM_READ for ZLP-s Salvatore Bonaccorso (1): ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR Sami Tolvanen (1): um: Add cmpxchg8b_emu and checksum functions to asm-prototypes.h Saurabh Sengar (2): Drivers: hv: vmbus: Add utility function for querying ring size uio_hv_generic: Query the ringbuffer size for device Scott Mayhew (1): NFSv4: xattr handlers should check for absent nfs filehandles Sergio González Collado (1): Kunit to check the longest symbol length Sibi Sankar (1): firmware: arm_scmi: Ensure that the message-id supports fastchannel Simon Horman (1): net: enetc: Correct endianness handling in _enetc_rd_reg64 Stefano Garzarella (1): vsock/uapi: fix linux/vm_sockets.h userspace compilation errors Stephan Gerhold (1): drm/msm/gpu: Fix crash when throttling GPU immediately during boot Sven Schwermer (1): leds: multicolor: Fix intensity setting while SW blinking Thierry Reding (1): drm/tegra: Assign plane type before registration Thomas Gessler (1): dmaengine: xilinx_dma: Set dma_device directions Thomas Zimmermann (2): dummycon: Trigger redraw when switching consoles with deferred takeover drm/udl: Unregister device before cleaning up on disconnect Tiwei Bie (1): um: ubd: Add missing error check in start_io_thread() Vasiliy Kovalev (1): jfs: validate AG parameters in dbMount() to prevent crashes Vijendar Mukunda (1): ALSA: hda: Add new pci id for AMD GPU display HD audio controller Ville Syrjälä (1): drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1 Wentao Liang (1): drm/amd/display: Add null pointer check for get_first_active_display() Wolfram Sang (3): i2c: tiny-usb: disable zero-length read messages i2c: robotfuzz-osif: disable zero-length read messages drm/bridge: ti-sn65dsi86: make use of debugfs_init callback Yao Zi (1): dt-bindings: serial: 8250: Make clocks and clock-frequency exclusive Yifan Zhang (1): amd/amdkfd: fix a kfd_process ref leak Youngjun Lee (1): ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() Yu Kuai (1): md/md-bitmap: fix dm-raid max_write_behind setting Yuan Chen (1): libbpf: Fix null pointer dereference in btf_dump__free on allocation failure Zhang Zekun (1): PCI: apple: Use helper function for_each_child_of_node_scoped()

4 months, 2 weeks

1
1
0 0

Hot Leads from CWIEME Berlin 2025!

by Nancy Doll

Hi, We’re offering exclusive access to the CWIEME Berlin 2025 Visitor Contact List, featuring 8,954 verified contacts from industry professionals. Each contact contains: Contact name, Job Title, Business Name, Physical Address, Phone Numbers, Official Email address and many more… Limited-Time Offer: Celebrate Independence Day with 20% OFF your purchase! If you're interested in the list, just reply "Send me Pricing"? Kind Regards, Nancy Doll Sr. Marketing Manager If you do not wish to receive this newsletter reply as “Unfollow”

4 months, 2 weeks

1
0
0 0

[PATCH 6.12 000/218] 6.12.36-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.36 release. There are 218 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat, 05 Jul 2025 14:39:10 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.36-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.36-rc1 Kevin Hao <haokexin(a)gmail.com> spi: fsl-qspi: Fix double cleanup in probe error path Sasha Levin <sashal(a)kernel.org> btrfs: fix use-after-free on inode when scanning root during em shrinking Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: zoned: fix extent range end unlock in cow_file_range() Han Xu <han.xu(a)nxp.com> spi: fsl-qspi: use devm function instead of driver remove Miquel Raynal <miquel.raynal(a)bootlin.com> spi: fsl-qspi: Support per spi-mem operation frequency switches Miquel Raynal <miquel.raynal(a)bootlin.com> spi: spi-mem: Add a new controller capability Miquel Raynal <miquel.raynal(a)bootlin.com> spi: spi-mem: Extend spi-mem operations with a per-operation maximum frequency Qingfang Deng <dqfext(a)gmail.com> net: stmmac: Fix accessing freed irq affinity_hint Jay Cornwall <jay.cornwall(a)amd.com> drm/amdkfd: Fix instruction hazard in gfx12 trap handler Jonathan Kim <jonathan.kim(a)amd.com> drm/amdkfd: remove gfx 12 trap handler page size cap Andres Traumann <andres.traumann.01(a)gmail.com> ALSA: hda/realtek: Bass speaker fixup for ASUS UM5606KA Dragan Simic <dsimic(a)manjaro.org> arm64: dts: rockchip: Add avdd HDMI supplies to RockPro64 board dtsi Bibo Mao <maobibo(a)loongson.cn> LoongArch: Set hugetlb mmap base address aligned with pmd size Sasha Levin <sashal(a)kernel.org> riscv/atomic: Do proper sign extension also for unsigned in arch_cmpxchg Filipe Manana <fdmanana(a)suse.com> btrfs: do regular iput instead of delayed iput during extent map shrinking Filipe Manana <fdmanana(a)suse.com> btrfs: make the extent map shrinker run asynchronously as a work queue job Filipe Manana <fdmanana(a)suse.com> btrfs: skip inodes without loaded extent maps when shrinking extent maps Thomas Zimmermann <tzimmermann(a)suse.de> drm/fbdev-dma: Add shadow buffering for deferred I/O Sasha Levin <sashal(a)kernel.org> drm/msm/dp: account for widebus and yuv420 during mode validation Sasha Levin <sashal(a)kernel.org> usb: typec: tcpm: PSSourceOffTimer timeout in PR_Swap enters ERROR_RECOVERY Sasha Levin <sashal(a)kernel.org> drm/xe: Carve out wopcm portion from the stolen memory Angelo Dureghello <adureghello(a)baylibre.com> iio: dac: ad3552r-common: fix ad3541/2r ranges Angelo Dureghello <adureghello(a)baylibre.com> iio: dac: ad3552r: extract common code (no changes in behavior intended) Angelo Dureghello <adureghello(a)baylibre.com> iio: dac: ad3552r: changes to use FIELD_PREP Qu Wenruo <wqu(a)suse.com> btrfs: do proper folio cleanup when cow_file_range() failed Heiner Kallweit <hkallweit1(a)gmail.com> net: phy: realtek: add RTL8125D-internal PHY Heiner Kallweit <hkallweit1(a)gmail.com> net: phy: realtek: merge the drivers for internal NBase-T PHY's Heiner Kallweit <hkallweit1(a)gmail.com> r8169: add support for RTL8125D Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> mm/vma: reset VMA iterator on commit_merge() OOM failure Jens Axboe <axboe(a)kernel.dk> io_uring/kbuf: flag partial buffer mappings Jens Axboe <axboe(a)kernel.dk> io_uring/net: mark iov as dynamically allocated even for single segments Jens Axboe <axboe(a)kernel.dk> io_uring/net: always use current transfer count for buffer put Jens Axboe <axboe(a)kernel.dk> io_uring/net: only consider msg_inq if larger than 1 Jens Axboe <axboe(a)kernel.dk> io_uring/net: only retry recv bundle for a full transfer Jens Axboe <axboe(a)kernel.dk> io_uring/net: improve recv bundles Pavel Begunkov <asml.silence(a)gmail.com> io_uring/rsrc: don't rely on user vaddr alignment Pavel Begunkov <asml.silence(a)gmail.com> io_uring/rsrc: fix folio unpinning Penglei Jiang <superman.xpt(a)gmail.com> io_uring: fix potential page leak in io_sqe_buffer_register() Jiawen Wu <jiawenwu(a)trustnetic.com> net: libwx: fix Tx L4 checksum Chang S. Bae <chang.seok.bae(a)intel.com> x86/pkeys: Simplify PKRU update in signal frame Chang S. Bae <chang.seok.bae(a)intel.com> x86/fpu: Refactor xfeature bitmask update code for sigframe XSAVE Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Rollback non processed entities on error Alex Hung <alex.hung(a)amd.com> drm/amd/display: Fix mpv playback corruption on weston Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: switch job hw_fence to amdgpu_fence Jesse Zhang <jesse.zhang(a)amd.com> drm/amdgpu: Fix SDMA UTC_L1 handling during start/stop sequences Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/dsi: Fix off by one in BXT_MIPI_TRANS_VTOTAL Daniele Ceraolo Spurio <daniele.ceraolospurio(a)intel.com> drm/xe: Fix early wedge on GuC load failure Lucas De Marchi <lucas.demarchi(a)intel.com> drm/xe: Fix taking invalid lock on wedge Lucas De Marchi <lucas.demarchi(a)intel.com> drm/xe: Fix memset on iomem Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check dce_hwseq before dereferencing it Frank Min <Frank.Min(a)amd.com> drm/amdgpu: Add kicker device detection Yihan Zhu <Yihan.Zhu(a)amd.com> drm/amd/display: Fix RMCM programming seq errors Matthew Auld <matthew.auld(a)intel.com> drm/xe/guc_submit: add back fix Matthew Auld <matthew.auld(a)intel.com> drm/xe/sched: stop re-submitting signalled jobs Matthew Auld <matthew.auld(a)intel.com> drm/xe/vm: move rebind_work init earlier Zhongwei Zhang <Zhongwei.Zhang(a)amd.com> drm/amd/display: Correct non-OLED pre_T11_delay. John Olender <john.olender(a)gmail.com> drm/amdgpu: amdgpu_vram_mgr_new(): Clamp lpfn to total vram Wentao Liang <vulab(a)iscas.ac.cn> drm/amd/display: Add null pointer check for get_first_active_display() Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Check return value when getting default PHY config Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix connecting to next bridge Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix phy de-init and flag it so Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() Jay Cornwall <jay.cornwall(a)amd.com> drm/amdkfd: Fix race in GWS queue scheduling Stephan Gerhold <stephan.gerhold(a)linaro.org> drm/msm/gpu: Fix crash when throttling GPU immediately during boot Thomas Zimmermann <tzimmermann(a)suse.de> drm/udl: Unregister device before cleaning up on disconnect Qiu-ji Chen <chenqiuji666(a)gmail.com> drm/tegra: Fix a possible null pointer dereference Thierry Reding <treding(a)nvidia.com> drm/tegra: Assign plane type before registration Maíra Canal <mcanal(a)igalia.com> drm/etnaviv: Protect the scheduler's pending list with its lock Thomas Zimmermann <tzimmermann(a)suse.de> drm/cirrus-qemu: Fix pitch programming Thomas Zimmermann <tzimmermann(a)suse.de> drm/ast: Fix comment on modeset lock anvithdosapati <anvithdosapati(a)google.com> scsi: ufs: core: Fix clk scaling to be conditional in reset and restore Chen Yu <yu.c.chen(a)intel.com> scsi: megaraid_sas: Fix invalid node index Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix kobject reference count leak Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix memory leak on sysfs attribute creation failure Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix memory leak on kobject creation failure Iusico Maxim <iusico.maxim(a)libero.it> HID: lenovo: Restrict F7/9/11 mode to compact keyboards only Chao Yu <chao(a)kernel.org> f2fs: fix to zero post-eof page David Hildenbrand <david(a)redhat.com> mm/gup: revert "mm: gup: fix infinite loop within __get_longterm_locked" Liam R. Howlett <Liam.Howlett(a)oracle.com> maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() Jiawen Wu <jiawenwu(a)trustnetic.com> net: libwx: fix the creation of page_pool Khairul Anuar Romli <khairul.anuar.romli(a)altera.com> spi: spi-cadence-quadspi: Fix pm runtime unbalance Mark Harmstone <maharmstone(a)fb.com> btrfs: update superblock's device bytes_used when dropping chunk Filipe Manana <fdmanana(a)suse.com> btrfs: fix a race between renames and directory logging Heinz Mauelshagen <heinzm(a)redhat.com> dm-raid: fix variable in journal device check Frédéric Danis <frederic.danis(a)collabora.com> Bluetooth: L2CAP: Fix L2CAP MTU negotiation Fabio Estevam <festevam(a)gmail.com> serial: imx: Restore original RXTL for console to fix data loss Aidan Stewart <astewart(a)tektelic.com> serial: core: restore of_node information in sysfs Yao Zi <ziyao(a)disroot.org> dt-bindings: serial: 8250: Make clocks and clock-frequency exclusive Nathan Chancellor <nathan(a)kernel.org> staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() Xin Li (Intel) <xin(a)zytor.com> x86/traps: Initialize DR6 by writing its architectural reset value Avadhut Naik <avadhut.naik(a)amd.com> EDAC/amd64: Fix size calculation for Non-Power-of-Two DIMMs David Howells <dhowells(a)redhat.com> cifs: Fix reading into an ITER_FOLIOQ from the smbdirect code David Howells <dhowells(a)redhat.com> cifs: Fix the smbd_response slab to allow usercopy Stefan Metzmacher <metze(a)samba.org> smb: client: make use of common smbdirect_socket_parameters Stefan Metzmacher <metze(a)samba.org> smb: smbdirect: introduce smbdirect_socket_parameters Stefan Metzmacher <metze(a)samba.org> smb: client: make use of common smbdirect_socket Stefan Metzmacher <metze(a)samba.org> smb: smbdirect: add smbdirect_socket.h Stefan Metzmacher <metze(a)samba.org> smb: smbdirect: add smbdirect.h with public structures Stefan Metzmacher <metze(a)samba.org> smb: client: make use of common smbdirect_pdu.h Stefan Metzmacher <metze(a)samba.org> smb: smbdirect: add smbdirect_pdu.h with protocol definitions Paulo Alcantara <pc(a)manguebit.org> smb: client: fix potential deadlock when reconnecting channels Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe: Process deferred GGTT node removals on device unwind Jayesh Choudhary <j-choudhary(a)ti.com> drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type Wolfram Sang <wsa+renesas(a)sang-engineering.com> drm/bridge: ti-sn65dsi86: make use of debugfs_init callback Arnd Bergmann <arnd(a)arndb.de> drm/i915: fix build error some more Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Adjust output for discovery error handling Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/discovery: optionally use fw based ip discovery Jakub Kicinski <kuba(a)kernel.org> net: selftests: fix TCP packet checksum Salvatore Bonaccorso <carnil(a)debian.org> ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR Kuniyuki Iwashima <kuniyu(a)google.com> atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). Jakub Kicinski <kuba(a)kernel.org> netlink: specs: tc: replace underscores with dashes in names Simon Horman <horms(a)kernel.org> net: enetc: Correct endianness handling in _enetc_rd_reg64 Adin Scannell <amscanne(a)meta.com> libbpf: Fix possible use-after-free for externs Tiwei Bie <tiwei.btw(a)antgroup.com> um: ubd: Add missing error check in start_io_thread() Yan Zhai <yan(a)cloudflare.com> bnxt: properly flush XDP redirect lists Stefano Garzarella <sgarzare(a)redhat.com> vsock/uapi: fix linux/vm_sockets.h userspace compilation errors Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: finish link init before RCU publish Muna Sinada <muna.sinada(a)oss.qualcomm.com> wifi: mac80211: Create separate links for VLAN interfaces Muna Sinada <muna.sinada(a)oss.qualcomm.com> wifi: mac80211: Add link iteration macro for link data Kuniyuki Iwashima <kuniyu(a)google.com> af_unix: Don't set -ECONNRESET for consumed OOB skb. Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: fix beacon interval calculation overflow Thomas Fourier <fourier.thomas(a)gmail.com> ethernet: ionic: Fix DMA mapping tests Yuan Chen <chenyuan(a)kylinos.cn> libbpf: Fix null pointer dereference in btf_dump__free on allocation failure Al Viro <viro(a)zeniv.linux.org.uk> attach_recursive_mnt(): do not lock the covering tree when sliding something under it Youngjun Lee <yjjuny.lee(a)samsung.com> ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() Kuniyuki Iwashima <kuniyu(a)google.com> Bluetooth: hci_core: Fix use-after-free in vhci_flush() Eric Dumazet <edumazet(a)google.com> atm: clip: prevent NULL deref in clip_push() Thomas Zeitlhofer <thomas.zeitlhofer+lkml(a)ze-it.at> HID: wacom: fix crash in wacom_aes_battery_handler() Haoxiang Li <haoxiang_li2024(a)163.com> drm/xe/display: Add check for alloc_ordered_workqueue() Imre Deak <imre.deak(a)intel.com> drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS Nam Cao <namcao(a)linutronix.de> Revert "riscv: misaligned: fix sleeping function called during misaligned access handling" Nam Cao <namcao(a)linutronix.de> Revert "riscv: Define TASK_SIZE_MAX for __access_ok()" Yu Kuai <yukuai3(a)huawei.com> lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly() David Hildenbrand <david(a)redhat.com> fs/proc/task_mmu: fix PAGE_IS_PFNZERO detection for the huge zero folio Fedor Pchelkin <pchelkin(a)ispras.ru> s390/pkey: Prevent overflow in size calculation for memdup_user() Oliver Schramm <oliver.schramm97(a)gmail.com> ASoC: amd: yc: Add DMI quirk for Lenovo IdeaPad Slim 5 15 SeongJae Park <sj(a)kernel.org> mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write Stefan Metzmacher <metze(a)samba.org> smb: client: remove \t from TP_printk statements Niklas Cassel <cassel(a)kernel.org> ata: ahci: Use correct DMI identifier for ASUSPRO-D840SA LPM quirk Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: robotfuzz-osif: disable zero-length read messages Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: tiny-usb: disable zero-length read messages Kuniyuki Iwashima <kuniyu(a)google.com> af_unix: Don't leave consecutive consumed OOB skbs. Karol Wachowski <karol.wachowski(a)intel.com> accel/ivpu: Trigger device recovery on engine reset/resume failure Karol Wachowski <karol.wachowski(a)intel.com> accel/ivpu: Add debugfs interface for setting HWS priority bands Karol Wachowski <karol.wachowski(a)intel.com> accel/ivpu: Separate DB ID and CMDQ ID allocations from CMDQ allocation Karol Wachowski <karol.wachowski(a)intel.com> accel/ivpu: Make command queue ID allocated on XArray Andrzej Kacprowski <Andrzej.Kacprowski(a)intel.com> accel/ivpu: Remove copy engine support Karol Wachowski <karol.wachowski(a)intel.com> accel/ivpu: Do not fail on cmdq if failed to allocate preemption buffers Janne Grunau <j(a)jannau.net> PCI: apple: Set only available ports up Zhang Zekun <zhangzekun11(a)huawei.com> PCI: apple: Use helper function for_each_child_of_node_scoped() Chao Yu <chao(a)kernel.org> f2fs: don't over-report free space or inodes in statvfs Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: codecs: wcd9335: Fix missing free of regulator supplies Peng Fan <peng.fan(a)nxp.com> ASoC: codec: wcd9335: Convert to GPIO descriptors Vasiliy Kovalev <kovalev(a)altlinux.org> jfs: validate AG parameters in dbMount() to prevent crashes Dave Kleikamp <dave.kleikamp(a)oracle.com> fs/jfs: consolidate sanity checking in dbMount Filipe Manana <fdmanana(a)suse.com> btrfs: fix qgroup reservation leak on failure to allocate ordered extent David Sterba <dsterba(a)suse.com> btrfs: use unsigned types for constants defined as bit shifts Qu Wenruo <wqu(a)suse.com> btrfs: factor out nocow ordered extent and extent map generation into a helper Joonas Lahtinen <joonas.lahtinen(a)linux.intel.com> Revert "drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1" Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1 Qu Wenruo <wqu(a)suse.com> btrfs: handle csum tree error with rescue=ibadroots correctly Kees Cook <kees(a)kernel.org> ovl: Check for NULL d_inode() in ovl_dentry_upper() Ziqi Chen <quic_ziqichen(a)quicinc.com> scsi: ufs: core: Don't perform UFS clkscaling during host async scan Dmitry Kandybka <d.kandybka(a)gmail.com> ceph: fix possible integer overflow in ceph_zero_objects() Shuming Fan <shumingf(a)realtek.com> ASoC: rt1320: fix speaker noise when volume bar is 100% Mario Limonciello <mario.limonciello(a)amd.com> ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> ALSA: hda: Add new pci id for AMD GPU display HD audio controller Cezary Rojewski <cezary.rojewski(a)intel.com> ALSA: hda: Ignore unsol events for cards being shut down Andy Chiu <andybnac(a)gmail.com> riscv: add a data fence for CMODX in the kernel mode Michael Grzeschik <m.grzeschik(a)pengutronix.de> usb: typec: mux: do not return on EOPNOTSUPP in {mux, switch}_set Jos Wang <joswang(a)lenovo.com> usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode Peter Korsgaard <peter(a)korsgaard.com> usb: gadget: f_hid: wake up readers on disable/unbind Robert Hodaszi <robert.hodaszi(a)digi.com> usb: cdc-wdm: avoid setting WDM_READ for ZLP-s Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> usb: Add checks for snprintf() calls in usb_alloc_dev() Chance Yang <chance.yang(a)kneron.us> usb: common: usb-conn-gpio: use a unique name for usb connector device Jakub Lewalski <jakub.lewalski(a)nokia.com> tty: serial: uartlite: register uart driver in init Chen Yufeng <chenyufeng(a)iie.ac.cn> usb: potential integer overflow in usbg_make_tpg() Chenyuan Yang <chenyuan0y(a)gmail.com> misc: tps6594-pfsm: Add NULL pointer check in tps6594_pfsm_probe() Purva Yeshi <purvayeshi550(a)gmail.com> iio: adc: ad_sigma_delta: Fix use of uninitialized status_pos Michael Grzeschik <m.grzeschik(a)pengutronix.de> usb: dwc2: also exit clock_gating when stopping udc while suspended James Clark <james.clark(a)linaro.org> coresight: Only check bottom two claim bits Rengarajan S <rengarajan.s(a)microchip.com> 8250: microchip: pci1xxxx: Add PCIe Hot reset disable support for Rev C0 and later devices Benjamin Berg <benjamin.berg(a)intel.com> um: use proper care when taking mmap lock during segfault Sami Tolvanen <samitolvanen(a)google.com> um: Add cmpxchg8b_emu and checksum functions to asm-prototypes.h Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: pressure: zpa2326: Use aligned_s64 for the timestamp Lin.Cao <lincao12(a)amd.com> drm/scheduler: signal scheduled fence when kill job Philip Yang <Philip.Yang(a)amd.com> drm/amdgpu: seq64 memory unmap uses uninterruptible lock Linggang Zeng <linggang.zeng(a)easystack.cn> bcache: fix NULL pointer in cache_set_flush() Yifan Zhang <yifan1.zhang(a)amd.com> amd/amdkfd: fix a kfd_process ref leak Yu Kuai <yukuai3(a)huawei.com> md/md-bitmap: fix dm-raid max_write_behind setting Hannes Reinecke <hare(a)kernel.org> nvme-tcp: sanitize request list handling Hannes Reinecke <hare(a)kernel.org> nvme-tcp: fix I/O stalls on congested sockets Richard Zhu <hongxing.zhu(a)nxp.com> PCI: imx6: Add workaround for errata ERR051624 Hector Martin <marcan(a)marcan.st> PCI: apple: Fix missing OF node reference in apple_pcie_setup_port Wenbin Yao <quic_wenbyao(a)quicinc.com> PCI: dwc: Make link training more robust by setting PORT_LOGIC_LINK_WIDTH to one lane Thomas Gessler <thomas.gessler(a)brueckmann-gmbh.de> dmaengine: xilinx_dma: Set dma_device directions Yi Sun <yi.sun(a)intel.com> dmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using Lukas Wunner <lukas(a)wunner.de> Revert "iommu/amd: Prevent binding other PCI drivers to IOMMU PCI devices" Rudraksha Gupta <guptarud(a)gmail.com> rust: arm: fix unknown (to Clang) argument '-mno-fdpic' FUJITA Tomonori <fujita.tomonori(a)gmail.com> rust: module: place cleanup_module() in .exit.text section Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: provide zero as a unique ID to the Mac client Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: allow a filename to contain special characters on SMB3.1.1 posix extension Alexis Czezar Torreno <alexisczezar.torreno(a)analog.com> hwmon: (pmbus/max34440) Fix support for max34451 Scott Mayhew <smayhew(a)redhat.com> NFSv4: xattr handlers should check for absent nfs filehandles Robert Richter <rrichter(a)amd.com> cxl/region: Add a dev_err() on missing target list entries Guang Yuan Wu <gwu(a)ddn.com> fuse: fix race between concurrent setattrs from multiple nodes Sven Schwermer <sven.schwermer(a)disruptive-technologies.com> leds: multicolor: Fix intensity setting while SW blinking Matthew Sakai <msakai(a)redhat.com> dm vdo indexer: don't read request structure after enqueuing Nikhil Jha <njha(a)janestreet.com> sunrpc: don't immediately retransmit on seqno miss Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> mfd: max14577: Fix wakeup source leaks on device unbind Peng Fan <peng.fan(a)nxp.com> mailbox: Not protect module_put with spin_lock_irqsave Sagi Grimberg <sagi(a)grimberg.me> NFSv4.2: fix setattr caching of TIME_[MODIFY|ACCESS]_SET when timestamps are delegated Olga Kornievskaia <okorniev(a)redhat.com> NFSv4.2: fix listxattr to return selinux security label Han Young <hanyang.tony(a)bytedance.com> NFSv4: Always set NLINK even if the server doesn't support it Pali Rohár <pali(a)kernel.org> cifs: Fix encoding of SMB1 Session Setup NTLMSSP Request in non-UNICODE mode Pali Rohár <pali(a)kernel.org> cifs: Fix cifs_query_path_info() for Windows NT servers Pali Rohár <pali(a)kernel.org> cifs: Correctly set SMB1 SessionKey field in Session Setup Request ------------- Diffstat: Documentation/devicetree/bindings/serial/8250.yaml | 2 +- Documentation/netlink/specs/tc.yaml | 4 +- Makefile | 4 +- arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi | 12 + arch/loongarch/mm/mmap.c | 6 +- arch/riscv/include/asm/cmpxchg.h | 2 +- arch/riscv/include/asm/pgtable.h | 1 - arch/riscv/kernel/traps_misaligned.c | 4 +- arch/riscv/mm/cacheflush.c | 15 +- arch/um/drivers/ubd_user.c | 2 +- arch/um/include/asm/asm-prototypes.h | 5 + arch/um/kernel/trap.c | 129 +++- arch/x86/include/uapi/asm/debugreg.h | 21 +- arch/x86/kernel/cpu/common.c | 24 +- arch/x86/kernel/fpu/signal.c | 11 +- arch/x86/kernel/fpu/xstate.h | 22 +- arch/x86/kernel/traps.c | 34 +- arch/x86/um/asm/checksum.h | 3 + drivers/accel/ivpu/ivpu_debugfs.c | 84 +++ drivers/accel/ivpu/ivpu_drv.c | 6 + drivers/accel/ivpu/ivpu_drv.h | 10 +- drivers/accel/ivpu/ivpu_hw.c | 21 + drivers/accel/ivpu/ivpu_hw.h | 5 + drivers/accel/ivpu/ivpu_job.c | 203 +++--- drivers/accel/ivpu/ivpu_job.h | 2 + drivers/accel/ivpu/ivpu_jsm_msg.c | 46 +- drivers/ata/ahci.c | 2 +- drivers/cxl/core/region.c | 7 + drivers/dma/idxd/cdev.c | 4 +- drivers/dma/xilinx/xilinx_dma.c | 2 + drivers/edac/amd64_edac.c | 57 +- drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 64 +- drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c | 30 +- drivers/gpu/drm/amd/amdgpu/amdgpu_job.c | 12 +- drivers/gpu/drm/amd/amdgpu/amdgpu_job.h | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h | 16 + drivers/gpu/drm/amd/amdgpu/amdgpu_seq64.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_ucode.c | 17 + drivers/gpu/drm/amd/amdgpu/amdgpu_ucode.h | 6 + drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 2 +- drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c | 6 +- drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler.h | 703 +++++++++++---------- .../gpu/drm/amd/amdkfd/cwsr_trap_handler_gfx12.asm | 82 +-- drivers/gpu/drm/amd/amdkfd/kfd_device.c | 3 +- drivers/gpu/drm/amd/amdkfd/kfd_events.c | 1 + drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c | 2 +- .../dc/dml2/dml21/dml21_translation_helper.c | 1 + .../dml21/src/dml2_core/dml2_core_dcn4_calcs.c | 5 +- .../amd/display/dc/dml2/dml2_translation_helper.c | 1 + .../drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 9 +- .../gpu/drm/amd/display/modules/hdcp/hdcp_psp.c | 3 + drivers/gpu/drm/ast/ast_mode.c | 6 +- drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c | 32 +- drivers/gpu/drm/bridge/ti-sn65dsi86.c | 109 ++-- drivers/gpu/drm/display/drm_dp_helper.c | 2 +- drivers/gpu/drm/drm_fbdev_dma.c | 219 +++++-- drivers/gpu/drm/etnaviv/etnaviv_sched.c | 5 +- drivers/gpu/drm/i915/display/vlv_dsi.c | 4 +- drivers/gpu/drm/i915/i915_pmu.c | 2 +- drivers/gpu/drm/msm/dp/dp_display.c | 11 +- drivers/gpu/drm/msm/dp/dp_drm.c | 5 +- drivers/gpu/drm/msm/msm_gpu_devfreq.c | 1 + drivers/gpu/drm/scheduler/sched_entity.c | 1 + drivers/gpu/drm/tegra/dc.c | 17 +- drivers/gpu/drm/tegra/hub.c | 4 +- drivers/gpu/drm/tegra/hub.h | 3 +- drivers/gpu/drm/tiny/cirrus.c | 1 - drivers/gpu/drm/udl/udl_drv.c | 2 +- drivers/gpu/drm/xe/display/xe_display.c | 2 + drivers/gpu/drm/xe/xe_ggtt.c | 11 + drivers/gpu/drm/xe/xe_gpu_scheduler.h | 10 +- drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c | 8 + drivers/gpu/drm/xe/xe_guc_ct.c | 7 +- drivers/gpu/drm/xe/xe_guc_ct.h | 5 + drivers/gpu/drm/xe/xe_guc_pc.c | 2 +- drivers/gpu/drm/xe/xe_guc_submit.c | 23 + drivers/gpu/drm/xe/xe_guc_types.h | 5 + drivers/gpu/drm/xe/xe_ttm_stolen_mgr.c | 70 +- drivers/gpu/drm/xe/xe_vm.c | 8 +- drivers/hid/hid-lenovo.c | 11 +- drivers/hid/wacom_sys.c | 7 +- drivers/hwmon/pmbus/max34440.c | 48 +- drivers/hwtracing/coresight/coresight-core.c | 3 +- drivers/hwtracing/coresight/coresight-priv.h | 1 + drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 + drivers/i2c/busses/i2c-tiny-usb.c | 6 + drivers/iio/adc/ad_sigma_delta.c | 4 + drivers/iio/dac/Makefile | 2 +- drivers/iio/dac/ad3552r-common.c | 248 ++++++++ drivers/iio/dac/ad3552r.c | 553 +++------------- drivers/iio/dac/ad3552r.h | 223 +++++++ drivers/iio/pressure/zpa2326.c | 2 +- drivers/iommu/amd/init.c | 3 - drivers/leds/led-class-multicolor.c | 3 +- drivers/mailbox/mailbox.c | 2 +- drivers/md/bcache/super.c | 7 +- drivers/md/dm-raid.c | 2 +- drivers/md/dm-vdo/indexer/volume.c | 24 +- drivers/md/md-bitmap.c | 2 +- drivers/media/usb/uvc/uvc_ctrl.c | 34 +- drivers/mfd/max14577.c | 1 + drivers/misc/tps6594-pfsm.c | 3 + drivers/mtd/nand/spi/core.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 5 +- drivers/net/ethernet/freescale/enetc/enetc_hw.h | 2 +- drivers/net/ethernet/pensando/ionic/ionic_txrx.c | 12 +- drivers/net/ethernet/realtek/r8169.h | 1 + drivers/net/ethernet/realtek/r8169_main.c | 23 +- drivers/net/ethernet/realtek/r8169_phy_config.c | 10 + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 11 +- drivers/net/ethernet/wangxun/libwx/wx_lib.c | 6 +- drivers/net/phy/realtek.c | 54 +- drivers/nvme/host/tcp.c | 22 +- drivers/pci/controller/dwc/pci-imx6.c | 15 + drivers/pci/controller/dwc/pcie-designware.c | 5 +- drivers/pci/controller/pcie-apple.c | 7 +- drivers/s390/crypto/pkey_api.c | 2 +- drivers/scsi/megaraid/megaraid_sas_base.c | 6 +- drivers/spi/spi-cadence-quadspi.c | 12 +- drivers/spi/spi-fsl-qspi.c | 48 +- drivers/spi/spi-mem.c | 34 + drivers/staging/rtl8723bs/core/rtw_security.c | 44 +- drivers/tty/serial/8250/8250_pci1xxxx.c | 10 + drivers/tty/serial/imx.c | 17 +- drivers/tty/serial/serial_base_bus.c | 1 + drivers/tty/serial/uartlite.c | 25 +- drivers/ufs/core/ufshcd.c | 6 +- drivers/usb/class/cdc-wdm.c | 23 +- drivers/usb/common/usb-conn-gpio.c | 25 +- drivers/usb/core/usb.c | 14 +- drivers/usb/dwc2/gadget.c | 6 + drivers/usb/gadget/function/f_hid.c | 19 +- drivers/usb/gadget/function/f_tcm.c | 4 +- drivers/usb/typec/altmodes/displayport.c | 4 + drivers/usb/typec/mux.c | 4 +- drivers/usb/typec/tcpm/tcpm.c | 3 +- fs/btrfs/backref.h | 4 +- fs/btrfs/direct-io.c | 4 +- fs/btrfs/disk-io.c | 5 +- fs/btrfs/extent_io.h | 2 +- fs/btrfs/extent_map.c | 132 +++- fs/btrfs/extent_map.h | 3 +- fs/btrfs/fs.h | 2 + fs/btrfs/inode.c | 299 +++++---- fs/btrfs/ordered-data.c | 14 +- fs/btrfs/raid56.c | 5 +- fs/btrfs/super.c | 13 +- fs/btrfs/tests/extent-io-tests.c | 6 +- fs/btrfs/volumes.c | 6 + fs/btrfs/zstd.c | 2 +- fs/ceph/file.c | 2 +- fs/f2fs/file.c | 38 ++ fs/f2fs/super.c | 30 +- fs/fuse/dir.c | 11 + fs/jfs/jfs_dmap.c | 41 +- fs/namespace.c | 8 +- fs/nfs/inode.c | 51 +- fs/nfs/nfs4proc.c | 25 +- fs/overlayfs/util.c | 4 +- fs/proc/task_mmu.c | 2 +- fs/smb/client/cifs_debug.c | 23 +- fs/smb/client/cifsglob.h | 2 + fs/smb/client/cifspdu.h | 6 +- fs/smb/client/cifssmb.c | 1 + fs/smb/client/connect.c | 58 +- fs/smb/client/misc.c | 8 + fs/smb/client/sess.c | 21 +- fs/smb/client/smb2ops.c | 14 +- fs/smb/client/smbdirect.c | 513 +++++++-------- fs/smb/client/smbdirect.h | 62 +- fs/smb/client/trace.h | 24 +- fs/smb/common/smbdirect/smbdirect.h | 37 ++ fs/smb/common/smbdirect/smbdirect_pdu.h | 55 ++ fs/smb/common/smbdirect/smbdirect_socket.h | 43 ++ fs/smb/server/connection.h | 1 + fs/smb/server/smb2pdu.c | 72 ++- fs/smb/server/smb2pdu.h | 3 + include/linux/spi/spi-mem.h | 14 +- include/net/bluetooth/hci_core.h | 2 + include/uapi/drm/ivpu_accel.h | 6 +- include/uapi/linux/vm_sockets.h | 4 + io_uring/kbuf.c | 1 + io_uring/kbuf.h | 1 + io_uring/net.c | 46 +- io_uring/rsrc.c | 23 +- io_uring/rsrc.h | 1 + lib/group_cpus.c | 9 +- lib/maple_tree.c | 4 +- mm/damon/sysfs-schemes.c | 1 + mm/gup.c | 14 +- mm/vma.c | 27 +- net/atm/clip.c | 11 +- net/atm/resources.c | 3 +- net/bluetooth/hci_core.c | 34 +- net/bluetooth/l2cap_core.c | 9 +- net/core/selftests.c | 5 +- net/mac80211/chan.c | 3 + net/mac80211/ieee80211_i.h | 12 + net/mac80211/iface.c | 12 +- net/mac80211/link.c | 94 ++- net/mac80211/util.c | 2 +- net/sunrpc/clnt.c | 9 +- net/unix/af_unix.c | 31 +- rust/Makefile | 2 +- rust/macros/module.rs | 1 + sound/pci/hda/hda_bind.c | 2 +- sound/pci/hda/hda_intel.c | 3 + sound/pci/hda/patch_realtek.c | 2 + sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/codecs/rt1320-sdw.c | 17 +- sound/soc/codecs/wcd9335.c | 40 +- sound/usb/quirks.c | 2 + sound/usb/stream.c | 2 + tools/lib/bpf/btf_dump.c | 3 + tools/lib/bpf/libbpf.c | 10 +- .../selftests/bpf/progs/test_global_map_resize.c | 16 + 218 files changed, 3862 insertions(+), 2248 deletions(-)

4 months, 2 weeks

15
242
0 0

[PATCH 6.15.y v2] mm/vmalloc: fix data race in show_numa_info()

by Jeongjun Park

commit 5c5f0468d172ddec2e333d738d2a1f85402cf0bc upstream. The following data-race was found in show_numa_info(): ================================================================== BUG: KCSAN: data-race in vmalloc_info_show / vmalloc_info_show read to 0xffff88800971fe30 of 4 bytes by task 8289 on cpu 0: show_numa_info mm/vmalloc.c:4936 [inline] vmalloc_info_show+0x5a8/0x7e0 mm/vmalloc.c:5016 seq_read_iter+0x373/0xb40 fs/seq_file.c:230 proc_reg_read_iter+0x11e/0x170 fs/proc/inode.c:299 .... write to 0xffff88800971fe30 of 4 bytes by task 8287 on cpu 1: show_numa_info mm/vmalloc.c:4934 [inline] vmalloc_info_show+0x38f/0x7e0 mm/vmalloc.c:5016 seq_read_iter+0x373/0xb40 fs/seq_file.c:230 proc_reg_read_iter+0x11e/0x170 fs/proc/inode.c:299 .... value changed: 0x0000008f -> 0x00000000 ================================================================== According to this report,there is a read/write data-race because m->private is accessible to multiple CPUs. To fix this, instead of allocating the heap in proc_vmalloc_init() and passing the heap address to m->private, vmalloc_info_show() should allocate the heap. Link: https://lkml.kernel.org/r/20250508165620.15321-1-aha310510@gmail.com Fixes: 8e1d743f2c26 ("mm: vmalloc: support multiple nodes in vmallocinfo") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Suggested-by: Eric Dumazet <edumazet(a)google.com> Suggested-by: Andrew Morton <akpm(a)linux-foundation.org> Reviewed-by: "Uladzislau Rezki (Sony)" <urezki(a)gmail.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vmalloc.c | 63 +++++++++++++++++++++++++++++----------------------- 1 file changed, 35 insertions(+), 28 deletions(-) diff --git a/mm/vmalloc.c b/mm/vmalloc.c index 00cf1b575c89..3fb534dcf14d 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -3100,7 +3100,7 @@ static void clear_vm_uninitialized_flag(struct vm_struct *vm) /* * Before removing VM_UNINITIALIZED, * we should make sure that vm has proper values. - * Pair with smp_rmb() in show_numa_info(). + * Pair with smp_rmb() in vread_iter() and vmalloc_info_show(). */ smp_wmb(); vm->flags &= ~VM_UNINITIALIZED; @@ -4934,28 +4934,29 @@ bool vmalloc_dump_obj(void *object) #endif #ifdef CONFIG_PROC_FS -static void show_numa_info(struct seq_file *m, struct vm_struct *v) -{ - if (IS_ENABLED(CONFIG_NUMA)) { - unsigned int nr, *counters = m->private; - unsigned int step = 1U << vm_area_page_order(v); - if (!counters) - return; +/* + * Print number of pages allocated on each memory node. + * + * This function can only be called if CONFIG_NUMA is enabled + * and VM_UNINITIALIZED bit in v->flags is disabled. + */ +static void show_numa_info(struct seq_file *m, struct vm_struct *v, + unsigned int *counters) +{ + unsigned int nr; + unsigned int step = 1U << vm_area_page_order(v); - if (v->flags & VM_UNINITIALIZED) - return; - /* Pair with smp_wmb() in clear_vm_uninitialized_flag() */ - smp_rmb(); + if (!counters) + return; - memset(counters, 0, nr_node_ids * sizeof(unsigned int)); + memset(counters, 0, nr_node_ids * sizeof(unsigned int)); - for (nr = 0; nr < v->nr_pages; nr += step) - counters[page_to_nid(v->pages[nr])] += step; - for_each_node_state(nr, N_HIGH_MEMORY) - if (counters[nr]) - seq_printf(m, " N%u=%u", nr, counters[nr]); - } + for (nr = 0; nr < v->nr_pages; nr += step) + counters[page_to_nid(v->pages[nr])] += step; + for_each_node_state(nr, N_HIGH_MEMORY) + if (counters[nr]) + seq_printf(m, " N%u=%u", nr, counters[nr]); } static void show_purge_info(struct seq_file *m) @@ -4983,6 +4984,10 @@ static int vmalloc_info_show(struct seq_file *m, void *p) struct vmap_area *va; struct vm_struct *v; int i; + unsigned int *counters; + + if (IS_ENABLED(CONFIG_NUMA)) + counters = kmalloc(nr_node_ids * sizeof(unsigned int), GFP_KERNEL); for (i = 0; i < nr_vmap_nodes; i++) { vn = &vmap_nodes[i]; @@ -4999,6 +5004,11 @@ static int vmalloc_info_show(struct seq_file *m, void *p) } v = va->vm; + if (v->flags & VM_UNINITIALIZED) + continue; + + /* Pair with smp_wmb() in clear_vm_uninitialized_flag() */ + smp_rmb(); seq_printf(m, "0x%pK-0x%pK %7ld", v->addr, v->addr + v->size, v->size); @@ -5033,7 +5043,9 @@ static int vmalloc_info_show(struct seq_file *m, void *p) if (is_vmalloc_addr(v->pages)) seq_puts(m, " vpages"); - show_numa_info(m, v); + if (IS_ENABLED(CONFIG_NUMA)) + show_numa_info(m, v, counters); + seq_putc(m, '\n'); } spin_unlock(&vn->busy.lock); @@ -5043,19 +5055,14 @@ static int vmalloc_info_show(struct seq_file *m, void *p) * As a final step, dump "unpurged" areas. */ show_purge_info(m); + if (IS_ENABLED(CONFIG_NUMA)) + kfree(counters); return 0; } static int __init proc_vmalloc_init(void) { - void *priv_data = NULL; - - if (IS_ENABLED(CONFIG_NUMA)) - priv_data = kmalloc(nr_node_ids * sizeof(unsigned int), GFP_KERNEL); - - proc_create_single_data("vmallocinfo", - 0400, NULL, vmalloc_info_show, priv_data); - + proc_create_single("vmallocinfo", 0400, NULL, vmalloc_info_show); return 0; } module_init(proc_vmalloc_init); --

4 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate()" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x fba46a5d83ca8decb338722fb4899026d8d9ead2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025063033-shrink-submersed-b5de@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fba46a5d83ca8decb338722fb4899026d8d9ead2 Mon Sep 17 00:00:00 2001 From: "Liam R. Howlett" <Liam.Howlett(a)oracle.com> Date: Mon, 16 Jun 2025 14:45:20 -0400 Subject: [PATCH] maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() Temporarily clear the preallocation flag when explicitly requesting allocations. Pre-existing allocations are already counted against the request through mas_node_count_gfp(), but the allocations will not happen if the MA_STATE_PREALLOC flag is set. This flag is meant to avoid re-allocating in bulk allocation mode, and to detect issues with preallocation calculations. The MA_STATE_PREALLOC flag should also always be set on zero allocations so that detection of underflow allocations will print a WARN_ON() during consumption. User visible effect of this flaw is a WARN_ON() followed by a null pointer dereference when subsequent requests for larger number of nodes is ignored, such as the vma merge retry in mmap_region() caused by drivers altering the vma flags (which happens in v6.6, at least) Link: https://lkml.kernel.org/r/20250616184521.3382795-3-Liam.Howlett@oracle.com Fixes: 54a611b60590 ("Maple Tree: add new data structure") Signed-off-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Reported-by: Zhaoyang Huang <zhaoyang.huang(a)unisoc.com> Reported-by: Hailong Liu <hailong.liu(a)oppo.com> Link: https://lore.kernel.org/all/1652f7eb-a51b-4fee-8058-c73af63bacd1@oppo.com/ Link: https://lore.kernel.org/all/20250428184058.1416274-1-Liam.Howlett@oracle.co… Link: https://lore.kernel.org/all/20250429014754.1479118-1-Liam.Howlett@oracle.co… Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Hailong Liu <hailong.liu(a)oppo.com> Cc: zhangpeng.00(a)bytedance.com <zhangpeng.00(a)bytedance.com> Cc: Steve Kang <Steve.Kang(a)unisoc.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Sidhartha Kumar <sidhartha.kumar(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/lib/maple_tree.c b/lib/maple_tree.c index affe979bd14d..00524e55a21e 100644 --- a/lib/maple_tree.c +++ b/lib/maple_tree.c @@ -5527,8 +5527,9 @@ int mas_preallocate(struct ma_state *mas, void *entry, gfp_t gfp) mas->store_type = mas_wr_store_type(&wr_mas); request = mas_prealloc_calc(&wr_mas, entry); if (!request) - return ret; + goto set_flag; + mas->mas_flags &= ~MA_STATE_PREALLOC; mas_node_count_gfp(mas, request, gfp); if (mas_is_err(mas)) { mas_set_alloc_req(mas, 0); @@ -5538,6 +5539,7 @@ int mas_preallocate(struct ma_state *mas, void *entry, gfp_t gfp) return ret; } +set_flag: mas->mas_flags |= MA_STATE_PREALLOC; return ret; }

4 months, 2 weeks

3
2
0 0

[PATCH 5.15.y v3] xen: replace xen_remap() with memremap()

by Teddy Astie

From: Juergen Gross <jgross(a)suse.com> [ upstream commit 41925b105e345ebc84cedb64f59d20cb14a62613 ] xen_remap() is used to establish mappings for frames not under direct control of the kernel: for Xenstore and console ring pages, and for grant pages of non-PV guests. Today xen_remap() is defined to use ioremap() on x86 (doing uncached mappings), and ioremap_cache() on Arm (doing cached mappings). Uncached mappings for those use cases are bad for performance, so they should be avoided if possible. As all use cases of xen_remap() don't require uncached mappings (the mapped area is always physical RAM), a mapping using the standard WB cache mode is fine. As sparse is flagging some of the xen_remap() use cases to be not appropriate for iomem(), as the result is not annotated with the __iomem modifier, eliminate xen_remap() completely and replace all use cases with memremap() specifying the MEMREMAP_WB caching mode. xen_unmap() can be replaced with memunmap(). Reported-by: kernel test robot <lkp(a)intel.com> Signed-off-by: Juergen Gross <jgross(a)suse.com> Reviewed-by: Boris Ostrovsky <boris.ostrovsky(a)oracle.com> Acked-by: Stefano Stabellini <sstabellini(a)kernel.org> Link: https://lore.kernel.org/r/20220530082634.6339-1-jgross@suse.com Signed-off-by: Juergen Gross <jgross(a)suse.com> Signed-off-by: Teddy Astie <teddy.astie(a)vates.tech> [backport to 5.15.y] --- v3: - add missing hvc_xen.c change v2: - also remove xen_remap/xen_unmap on ARM --- arch/x86/include/asm/xen/page.h | 3 --- drivers/tty/hvc/hvc_xen.c | 2 +- drivers/xen/grant-table.c | 6 +++--- drivers/xen/xenbus/xenbus_probe.c | 3 +-- include/xen/arm/page.h | 3 --- 5 files changed, 5 insertions(+), 12 deletions(-) diff --git a/arch/x86/include/asm/xen/page.h b/arch/x86/include/asm/xen/page.h index 1a162e559753..c183b7f9efef 100644 --- a/arch/x86/include/asm/xen/page.h +++ b/arch/x86/include/asm/xen/page.h @@ -355,9 +355,6 @@ unsigned long arbitrary_virt_to_mfn(void *vaddr); void make_lowmem_page_readonly(void *vaddr); void make_lowmem_page_readwrite(void *vaddr); -#define xen_remap(cookie, size) ioremap((cookie), (size)) -#define xen_unmap(cookie) iounmap((cookie)) - static inline bool xen_arch_need_swiotlb(struct device *dev, phys_addr_t phys, dma_addr_t dev_addr) diff --git a/drivers/tty/hvc/hvc_xen.c b/drivers/tty/hvc/hvc_xen.c index 141acc662eba..6a11a4177a16 100644 --- a/drivers/tty/hvc/hvc_xen.c +++ b/drivers/tty/hvc/hvc_xen.c @@ -270,7 +270,7 @@ static int xen_hvm_console_init(void) if (r < 0 || v == 0) goto err; gfn = v; - info->intf = xen_remap(gfn << XEN_PAGE_SHIFT, XEN_PAGE_SIZE); + info->intf = memremap(gfn << XEN_PAGE_SHIFT, XEN_PAGE_SIZE, MEMREMAP_WB); if (info->intf == NULL) goto err; info->vtermno = HVC_COOKIE; diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c index 0a2d24d6ac6f..a10e0741bec5 100644 --- a/drivers/xen/grant-table.c +++ b/drivers/xen/grant-table.c @@ -743,7 +743,7 @@ int gnttab_setup_auto_xlat_frames(phys_addr_t addr) if (xen_auto_xlat_grant_frames.count) return -EINVAL; - vaddr = xen_remap(addr, XEN_PAGE_SIZE * max_nr_gframes); + vaddr = memremap(addr, XEN_PAGE_SIZE * max_nr_gframes, MEMREMAP_WB); if (vaddr == NULL) { pr_warn("Failed to ioremap gnttab share frames (addr=%pa)!\n", &addr); @@ -751,7 +751,7 @@ int gnttab_setup_auto_xlat_frames(phys_addr_t addr) } pfn = kcalloc(max_nr_gframes, sizeof(pfn[0]), GFP_KERNEL); if (!pfn) { - xen_unmap(vaddr); + memunmap(vaddr); return -ENOMEM; } for (i = 0; i < max_nr_gframes; i++) @@ -770,7 +770,7 @@ void gnttab_free_auto_xlat_frames(void) if (!xen_auto_xlat_grant_frames.count) return; kfree(xen_auto_xlat_grant_frames.pfn); - xen_unmap(xen_auto_xlat_grant_frames.vaddr); + memunmap(xen_auto_xlat_grant_frames.vaddr); xen_auto_xlat_grant_frames.pfn = NULL; xen_auto_xlat_grant_frames.count = 0; diff --git a/drivers/xen/xenbus/xenbus_probe.c b/drivers/xen/xenbus/xenbus_probe.c index 2068f83556b7..77ca24611293 100644 --- a/drivers/xen/xenbus/xenbus_probe.c +++ b/drivers/xen/xenbus/xenbus_probe.c @@ -982,8 +982,7 @@ static int __init xenbus_init(void) #endif xen_store_gfn = (unsigned long)v; xen_store_interface = - xen_remap(xen_store_gfn << XEN_PAGE_SHIFT, - XEN_PAGE_SIZE); + memremap(xen_store_gfn << XEN_PAGE_SHIFT, XEN_PAGE_SIZE, MEMREMAP_WB); break; default: pr_warn("Xenstore state unknown\n"); diff --git a/include/xen/arm/page.h b/include/xen/arm/page.h index ac1b65470563..f831cfeca000 100644 --- a/include/xen/arm/page.h +++ b/include/xen/arm/page.h @@ -109,9 +109,6 @@ static inline bool set_phys_to_machine(unsigned long pfn, unsigned long mfn) return __set_phys_to_machine(pfn, mfn); } -#define xen_remap(cookie, size) ioremap_cache((cookie), (size)) -#define xen_unmap(cookie) iounmap((cookie)) - bool xen_arch_need_swiotlb(struct device *dev, phys_addr_t phys, dma_addr_t dev_addr); -- 2.50.0 Teddy Astie | Vates XCP-ng Developer XCP-ng & Xen Orchestra - Vates solutions web: https://vates.tech

4 months, 2 weeks

2
1
0 0

Re: [PATCH] mod_devicetable: Enlarge the maximum platform_device_id name length

by Sasha Levin

[ Sasha's backport helper bot ] Hi, Summary of potential issues: ⚠️ Found matching upstream commit but patch is missing proper reference to it Found matching upstream commit: 655862865c97ff55e4f3f2aaa7708f42f0ea3bd8 Note: The patch differs from the upstream commit: --- 1: 655862865c97f ! 1: b545ae48a3db0 mod_devicetable: Enlarge the maximum platform_device_id name length @@ Commit message /* last cacheline: 32 bytes */ }; - Reviewed-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> - Link: https://lore.kernel.org/r/20250415231420.work.066-kees@kernel.org Signed-off-by: Kees Cook <kees(a)kernel.org> ## include/linux/mod_devicetable.h ## --- Results of testing on various branches: | Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.15.y | Success | Success | | stable/linux-6.12.y | Success | Success | | stable/linux-6.6.y | Success | Success | | stable/linux-6.1.y | Success | Success | | stable/linux-5.15.y | Success | Success | | stable/linux-5.10.y | Success | Success | | stable/linux-5.4.y | Success | Success |

4 months, 2 weeks

1
0
0 0

[PATCH 5.15] ice: safer stats processing

by Przemek Kitszel

From: Jesse Brandeburg <jesse.brandeburg(a)intel.com> [ Upstream commit 1a0f25a52e08b1f67510cabbb44888d2b3c46359 ] Fix an issue of stats growing indefinitely, minor conflict resolved: struct ice_tx_ring replaced by struct ice_ring, as the split is not yet present on 5.15 line. -Przemek Original commit message: The driver was zeroing live stats that could be fetched by ndo_get_stats64 at any time. This could result in inconsistent statistics, and the telltale sign was when reading stats frequently from /proc/net/dev, the stats would go backwards. Fix by collecting stats into a local, and delaying when we write to the structure so it's not incremental. Fixes: fcea6f3da546 ("ice: Add stats and ethtool support") Signed-off-by: Jesse Brandeburg <jesse.brandeburg(a)intel.com> Tested-by: Gurucharan G <gurucharanx.g(a)intel.com> Signed-off-by: Tony Nguyen <anthony.l.nguyen(a)intel.com> Reported-by: Masakazu Asama <masakazu.asama(a)gmail.com> Closes: https://lore.kernel.org/intel-wired-lan/CAP8M2pGttT4JBjt+i4GJkxy7yERbqWJ5a8… Signed-off-by: Przemek Kitszel <przemyslaw.kitszel(a)intel.com> --- CC: Jesse Brandeburg <jbrandeburg(a)cloudflare.com> CC: Sasha Levin <sashal(a)kernel.org> CC: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> CC: intel-wired-lan(a)lists.osuosl.org CC: kernel-team(a)lists.ubuntu.com the issue was reported against Ubuntu 22.04, do you backport stable patches by default, or should I post one more, directed to you? --- drivers/net/ethernet/intel/ice/ice_main.c | 29 ++++++++++++++--------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c index 91840ea92b0d..04e3f6c424c0 100644 --- a/drivers/net/ethernet/intel/ice/ice_main.c +++ b/drivers/net/ethernet/intel/ice/ice_main.c @@ -5731,14 +5731,15 @@ ice_fetch_u64_stats_per_ring(struct ice_ring *ring, u64 *pkts, u64 *bytes) /** * ice_update_vsi_tx_ring_stats - Update VSI Tx ring stats counters * @vsi: the VSI to be updated + * @vsi_stats: the stats struct to be updated * @rings: rings to work on * @count: number of rings */ static void -ice_update_vsi_tx_ring_stats(struct ice_vsi *vsi, struct ice_ring **rings, - u16 count) +ice_update_vsi_tx_ring_stats(struct ice_vsi *vsi, + struct rtnl_link_stats64 *vsi_stats, + struct ice_ring **rings, u16 count) { - struct rtnl_link_stats64 *vsi_stats = &vsi->net_stats; u16 i; for (i = 0; i < count; i++) { @@ -5761,15 +5762,13 @@ ice_update_vsi_tx_ring_stats(struct ice_vsi *vsi, struct ice_ring **rings, */ static void ice_update_vsi_ring_stats(struct ice_vsi *vsi) { - struct rtnl_link_stats64 *vsi_stats = &vsi->net_stats; + struct rtnl_link_stats64 *vsi_stats; u64 pkts, bytes; int i; - /* reset netdev stats */ - vsi_stats->tx_packets = 0; - vsi_stats->tx_bytes = 0; - vsi_stats->rx_packets = 0; - vsi_stats->rx_bytes = 0; + vsi_stats = kzalloc(sizeof(*vsi_stats), GFP_ATOMIC); + if (!vsi_stats) + return; /* reset non-netdev (extended) stats */ vsi->tx_restart = 0; @@ -5781,7 +5780,8 @@ static void ice_update_vsi_ring_stats(struct ice_vsi *vsi) rcu_read_lock(); /* update Tx rings counters */ - ice_update_vsi_tx_ring_stats(vsi, vsi->tx_rings, vsi->num_txq); + ice_update_vsi_tx_ring_stats(vsi, vsi_stats, vsi->tx_rings, + vsi->num_txq); /* update Rx rings counters */ ice_for_each_rxq(vsi, i) { @@ -5796,10 +5796,17 @@ static void ice_update_vsi_ring_stats(struct ice_vsi *vsi) /* update XDP Tx rings counters */ if (ice_is_xdp_ena_vsi(vsi)) - ice_update_vsi_tx_ring_stats(vsi, vsi->xdp_rings, + ice_update_vsi_tx_ring_stats(vsi, vsi_stats, vsi->xdp_rings, vsi->num_xdp_txq); rcu_read_unlock(); + + vsi->net_stats.tx_packets = vsi_stats->tx_packets; + vsi->net_stats.tx_bytes = vsi_stats->tx_bytes; + vsi->net_stats.rx_packets = vsi_stats->rx_packets; + vsi->net_stats.rx_bytes = vsi_stats->rx_bytes; + + kfree(vsi_stats); } /** -- 2.46.0

4 months, 2 weeks

2
1
0 0

[PATCH v4] riscv: hwprobe: Fix stale vDSO data for late-initialized keys at boot

by Jingwei Wang

The value for some hwprobe keys, like MISALIGNED_VECTOR_PERF, is determined by an asynchronous kthread. This kthread can finish after the hwprobe vDSO data is populated, creating a race condition where userspace can read stale values. A completion-based framework is introduced to synchronize the async probes with the vDSO population. The init_hwprobe_vdso_data() function is deferred to `late_initcall` and now blocks until all probes signal completion. Reported-by: Tsukasa OI <research_trasio(a)irq.a4lg.com> Closes: https://lore.kernel.org/linux-riscv/760d637b-b13b-4518-b6bf-883d55d44e7f@ir… Fixes: e7c9d66e313b ("RISC-V: Report vector unaligned access speed hwprobe") Cc: Palmer Dabbelt <palmer(a)dabbelt.com> Cc: Alexandre Ghiti <alexghiti(a)rivosinc.com> Cc: stable(a)vger.kernel.org Signed-off-by: Jingwei Wang <wangjingwei(a)iscas.ac.cn> --- Changes in v4: - Reworked the synchronization mechanism based on feedback from Palmer and Alexandre. - Instead of a post-hoc refresh, this version introduces a robust completion-based framework using an atomic counter to ensure async probes are finished before populating the vDSO. - Moved the vdso data initialization to a late_initcall to avoid impacting boot time. Changes in v3: - Retained existing blank line. Changes in v2: - Addressed feedback from Yixun's regarding #ifdef CONFIG_MMU usage. - Updated commit message to provide a high-level summary. - Added Fixes tag for commit e7c9d66e313b. v1: https://lore.kernel.org/linux-riscv/20250521052754.185231-1-wangjingwei@isc… arch/riscv/include/asm/hwprobe.h | 8 +++++++- arch/riscv/kernel/sys_hwprobe.c | 20 +++++++++++++++++++- arch/riscv/kernel/unaligned_access_speed.c | 9 +++++++-- 3 files changed, 33 insertions(+), 4 deletions(-) diff --git a/arch/riscv/include/asm/hwprobe.h b/arch/riscv/include/asm/hwprobe.h index 7fe0a379474ae2c6..87af186d92e75ddb 100644 --- a/arch/riscv/include/asm/hwprobe.h +++ b/arch/riscv/include/asm/hwprobe.h @@ -40,5 +40,11 @@ static inline bool riscv_hwprobe_pair_cmp(struct riscv_hwprobe *pair, return pair->value == other_pair->value; } - +#ifdef CONFIG_MMU +void riscv_hwprobe_register_async_probe(void); +void riscv_hwprobe_complete_async_probe(void); +#else +inline void riscv_hwprobe_register_async_probe(void) {} +inline void riscv_hwprobe_complete_async_probe(void) {} +#endif #endif diff --git a/arch/riscv/kernel/sys_hwprobe.c b/arch/riscv/kernel/sys_hwprobe.c index 0b170e18a2beba57..8c50dcec2b754c30 100644 --- a/arch/riscv/kernel/sys_hwprobe.c +++ b/arch/riscv/kernel/sys_hwprobe.c @@ -5,6 +5,8 @@ * more details. */ #include <linux/syscalls.h> +#include <linux/completion.h> +#include <linux/atomic.h> #include <asm/cacheflush.h> #include <asm/cpufeature.h> #include <asm/hwprobe.h> @@ -467,6 +469,20 @@ static int do_riscv_hwprobe(struct riscv_hwprobe __user *pairs, #ifdef CONFIG_MMU +static DECLARE_COMPLETION(boot_probes_done); +static atomic_t pending_boot_probes = ATOMIC_INIT(0); + +void riscv_hwprobe_register_async_probe(void) +{ + atomic_inc(&pending_boot_probes); +} + +void riscv_hwprobe_complete_async_probe(void) +{ + if (atomic_dec_and_test(&pending_boot_probes)) + complete(&boot_probes_done); +} + static int __init init_hwprobe_vdso_data(void) { struct vdso_arch_data *avd = vdso_k_arch_data; @@ -474,6 +490,8 @@ static int __init init_hwprobe_vdso_data(void) struct riscv_hwprobe pair; int key; + if (unlikely(atomic_read(&pending_boot_probes) > 0)) + wait_for_completion(&boot_probes_done); /* * Initialize vDSO data with the answers for the "all CPUs" case, to * save a syscall in the common case. @@ -504,7 +522,7 @@ static int __init init_hwprobe_vdso_data(void) return 0; } -arch_initcall_sync(init_hwprobe_vdso_data); +late_initcall(init_hwprobe_vdso_data); #endif /* CONFIG_MMU */ diff --git a/arch/riscv/kernel/unaligned_access_speed.c b/arch/riscv/kernel/unaligned_access_speed.c index ae2068425fbcd207..4b8ad2673b0f7470 100644 --- a/arch/riscv/kernel/unaligned_access_speed.c +++ b/arch/riscv/kernel/unaligned_access_speed.c @@ -379,6 +379,7 @@ static void check_vector_unaligned_access(struct work_struct *work __always_unus static int __init vec_check_unaligned_access_speed_all_cpus(void *unused __always_unused) { schedule_on_each_cpu(check_vector_unaligned_access); + riscv_hwprobe_complete_async_probe(); return 0; } @@ -473,8 +474,12 @@ static int __init check_unaligned_access_all_cpus(void) per_cpu(vector_misaligned_access, cpu) = unaligned_vector_speed_param; } else if (!check_vector_unaligned_access_emulated_all_cpus() && IS_ENABLED(CONFIG_RISCV_PROBE_VECTOR_UNALIGNED_ACCESS)) { - kthread_run(vec_check_unaligned_access_speed_all_cpus, - NULL, "vec_check_unaligned_access_speed_all_cpus"); + riscv_hwprobe_register_async_probe(); + if (IS_ERR(kthread_run(vec_check_unaligned_access_speed_all_cpus, + NULL, "vec_check_unaligned_access_speed_all_cpus"))) { + pr_warn("Failed to create vec_unalign_check kthread\n"); + riscv_hwprobe_complete_async_probe(); + } } /* -- 2.50.0

4 months, 2 weeks

3
4
0 0

[PATCH 0/3] Various devicetree fixes for Exynos7870 devices

by Kaustabh Chakraborty

This patch series introduces a few minor fixes on Exynos7870 devices. These fix USB gadget problems and serious crashes on certain variants of devices. More information is provided in respective commits. This series has no dependencies. Would be nice to get them merged in 6.16 itself. I assume it's okay to cc stable as the -rc releases are also owned by the "Stable Group" in git.kernel.org... [1] [2] [1] https://git.kernel.org/?q=Stable+Group [2] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git Signed-off-by: Kaustabh Chakraborty <kauschluss(a)disroot.org> --- Kaustabh Chakraborty (3): arm64: dts: exynos7870: add quirk to disable USB2 LPM in gadget mode arm64: dts: exynos7870-on7xelte: reduce memory ranges to base amount arm64: dts: exynos7870-j6lte: reduce memory ranges to base amount arch/arm64/boot/dts/exynos/exynos7870-j6lte.dts | 2 +- arch/arm64/boot/dts/exynos/exynos7870-on7xelte.dts | 2 +- arch/arm64/boot/dts/exynos/exynos7870.dtsi | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) --- base-commit: 1b152eeca84a02bdb648f16b82ef3394007a9dcf change-id: 20250626-exynos7870-dts-fixes-e730f7086ddc Best regards, -- Kaustabh Chakraborty <kauschluss(a)disroot.org>

4 months, 2 weeks

2
4
0 0

[PATCH] efi/tpm: Fix the issue where the CC platforms event log header can't be correctly identified

by yangge1116＠126.com

From: Ge Yang <yangge1116(a)126.com> Since commit d228814b1913 ("efi/libstub: Add get_event_log() support for CC platforms") reuses TPM2 support code for the CC platforms, when launching a TDX virtual machine with coco measurement enabled, the following error log is generated: [Firmware Bug]: Failed to parse event in TPM Final Events Log Call Trace: efi_config_parse_tables() efi_tpm_eventlog_init() tpm2_calc_event_log_size() __calc_tpm2_event_size() The pcr_idx value in the Intel TDX log header is 1, causing the function __calc_tpm2_event_size() to fail to recognize the log header, ultimately leading to the "Failed to parse event in TPM Final Events Log" error. According to UEFI Spec 2.10 Section 38.4.1: For Tdx, TPM PCR 0 maps to MRTD, so the log header uses TPM PCR 1. To successfully parse the TDX event log header, the check for a pcr_idx value of 0 has been removed here, and it appears that this will not affect other functionalities. Link: https://uefi.org/specs/UEFI/2.10/38_Confidential_Computing.html#intel-trust… Fixes: d228814b1913 ("efi/libstub: Add get_event_log() support for CC platforms") Signed-off-by: Ge Yang <yangge1116(a)126.com> Cc: stable(a)vger.kernel.org --- include/linux/tpm_eventlog.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/linux/tpm_eventlog.h b/include/linux/tpm_eventlog.h index 891368e..05c0ae5 100644 --- a/include/linux/tpm_eventlog.h +++ b/include/linux/tpm_eventlog.h @@ -202,8 +202,7 @@ static __always_inline u32 __calc_tpm2_event_size(struct tcg_pcr_event2_head *ev event_type = event->event_type; /* Verify that it's the log header */ - if (event_header->pcr_idx != 0 || - event_header->event_type != NO_ACTION || + if (event_header->event_type != NO_ACTION || memcmp(event_header->digest, zero_digest, sizeof(zero_digest))) { size = 0; goto out; -- 2.7.4

4 months, 2 weeks

4
6
0 0

Re: [PATCH] mod_devicetable: Enlarge the maximum platform_device_id name length

by Vitaly Chikunov

Andy, Kees, On Wed, Apr 16, 2025 at 09:45:52AM +0300, Andy Shevchenko wrote: > On Tue, Apr 15, 2025 at 04:14:24PM -0700, Kees Cook wrote: > > The 20 byte length of struct platform_device_id::name is not long enough > > for many devices (especially regulators), where the string initialization > > is getting truncated and missing the trailing NUL byte. This is seen > > with GCC 15's -Wunterminated-string-initialization option: > > > > drivers/regulator/hi6421v530-regulator.c:189:19: warning: initializer-string for array of 'char' truncates NUL terminator but destination lacks 'nonstring' attribute (21 chars into 20 available) [-Wunterminated-string-initialization] > > 189 | { .name = "hi6421v530-regulator" }, > > | ^~~~~~~~~~~~~~~~~~~~~~ > > drivers/regulator/hi6421v600-regulator.c:278:19: warning: initializer-string for array of 'char' truncates NUL terminator but destination lacks 'nonstring' attribute (21 chars into 20 available) [-Wunterminated-string-initialization] > > 278 | { .name = "hi6421v600-regulator" }, > > | ^~~~~~~~~~~~~~~~~~~~~~ > > drivers/regulator/lp87565-regulator.c:233:11: warning: initializer-string for array of 'char' truncates NUL terminator but destination lacks 'nonstring' attribute (21 chars into 20 available) [-Wunterminated-string-initialization] > > 233 | { "lp87565-q1-regulator", }, > > | ^~~~~~~~~~~~~~~~~~~~~~ > > sound/soc/fsl/imx-pcm-rpmsg.c:818:19: warning: initializer-string for array of 'char' truncates NUL terminator but destination lacks 'nonstring' attribute (21 chars into 20 available) [-Wunterminated-string-initialization] > > 818 | { .name = "rpmsg-micfil-channel" }, > > | ^~~~~~~~~~~~~~~~~~~~~~ > > drivers/iio/light/hid-sensor-als.c:457:25: warning: initializer-string for array of 'char' truncates NUL terminator but destination lacks 'nonstring' attribute (21 chars into 20 available) [-Wunterminated-string-initialization] > > 457 | .name = "HID-SENSOR-LISS-0041", > > | ^~~~~~~~~~~~~~~~~~~~~~ > > drivers/iio/light/hid-sensor-prox.c:366:25: warning: initializer-string for array of 'char' truncates NUL terminator but destination lacks 'nonstring' attribute (21 chars into 20 available) [-Wunterminated-string-initialization] > > 366 | .name = "HID-SENSOR-LISS-0226", > > | ^~~~~~~~~~~~~~~~~~~~~~ > > > > Increase the length to 24, slightly more than is currently being used by > > the affected drivers. The string is used in '%s' format strings and via > > the module code, which appears to do its own length encoding. This size > > was chosen because there was already a 4 byte hole in the structure: > > > > struct platform_device_id { > > char name[20]; /* 0 20 */ > > > > /* XXX 4 bytes hole, try to pack */ > > > > kernel_ulong_t driver_data; /* 24 8 */ > > > > /* size: 32, cachelines: 1, members: 2 */ > > /* sum members: 28, holes: 1, sum holes: 4 */ > > /* last cacheline: 32 bytes */ > > }; > > Since there is no even potential ABI breakage, I'm fine with the change. > Reviewed-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> This definitely breaks ABI on 32-bit architectures such as i586, because there is no gap from alignment. Perhaps, this also make the commit not suitable for backporting to stable branches? I recently stumbled on build failure on v5.10.239 for i586: make: Entering directory '/usr/src/kernel-source-5.10' DEPMOD 5.10.239 depmod: FATAL: Module index: bad character '�'=0x80 - only 7-bit ASCII is supported: platform:jsl_rt5682_max98360ax� make: *** [Makefile:1786: modules_install] Error 1 make: Leaving directory '/usr/src/kernel-source-5.10' With this patch not applied "jsl_rt5682_max98360a" have terminating '\0' truncated due to PLATFORM_NAME_SIZE being same as the string length and concatenated with the following binary data: { .name = "jsl_rt5682_max98360a", .driver_data = (kernel_ulong_t)(SOF_RT5682_MCLK_EN | SOF_RT5682_MCLK_24MHZ | SOF_RT5682_SSP_CODEC(0) | SOF_SPEAKER_AMP_PRESENT | SOF_MAX98360A_SPEAKER_AMP_PRESENT | SOF_RT5682_SSP_AMP(1)), }, modpost then interprets it as an asciiz string concatenating with `driver_data` resulting in bad characters. static int do_platform_entry(const char *filename, void *symval, char *alias) { DEF_FIELD_ADDR(symval, platform_device_id, name); sprintf(alias, PLATFORM_MODULE_PREFIX "%s", *name); return 1; } creating in an incorrect alias, and this somehow breaks depmod in kmod 34.2 (maybe earlier). Old kmod 30 successfully adds incorrect alias: $ modinfo snd-soc-sof_rt5682.ko | grep jsl_rt5682_max98360a alias: platform:jsl_rt5682_max98360a alias: platform:jsl_rt5682_max98360ax� and modules.alias:alias platform:jsl_rt5682_max98360ax� snd_soc_sof_rt5682 Perhaps, scripts/mod/file2alias.c should be updated with: - sprintf(alias, PLATFORM_MODULE_PREFIX "%s", *name); + sprintf(alias, PLATFORM_MODULE_PREFIX "%.*s", PLATFORM_NAME_SIZE, *name); (Or even producing an error if more serious truncation occurs.) Thanks, > > -- > With Best Regards, > Andy Shevchenko > >

4 months, 2 weeks

1
0
0 0

+ mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction=n.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction=n.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Harry Yoo <harry.yoo(a)oracle.com> Subject: mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n Date: Fri, 4 Jul 2025 19:30:53 +0900 Commit 48b4800a1c6a ("zsmalloc: page migration support") added support for migrating zsmalloc pages using the movable_operations migration framework. However, the commit did not take into account that zsmalloc supports migration only when CONFIG_COMPACTION is enabled. Tracing shows that zsmalloc was still passing the __GFP_MOVABLE flag even when compaction is not supported. This can result in unmovable pages being allocated from movable page blocks (even without stealing page blocks), ZONE_MOVABLE and CMA area. Possible user visible effects: - Some ZONE_MOVABLE memory can be not actually movable - CMA allocation can fail because of this - Increased memory fragmentation due to ignoring the page mobility grouping feature I'm not really sure who uses kernels without compaction support, though :( To fix this, clear the __GFP_MOVABLE flag when !IS_ENABLED(CONFIG_COMPACTION). Link: https://lkml.kernel.org/r/20250704103053.6913-1-harry.yoo@oracle.com Fixes: 48b4800a1c6a ("zsmalloc: page migration support") Signed-off-by: Harry Yoo <harry.yoo(a)oracle.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Minchan Kim <minchan(a)kernel.org> Cc: Sergey Senozhatsky <senozhatsky(a)chromium.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/zsmalloc.c | 3 +++ 1 file changed, 3 insertions(+) --- a/mm/zsmalloc.c~mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction=n +++ a/mm/zsmalloc.c @@ -1043,6 +1043,9 @@ static struct zspage *alloc_zspage(struc if (!zspage) return NULL; + if (!IS_ENABLED(CONFIG_COMPACTION)) + gfp &= ~__GFP_MOVABLE; + zspage->magic = ZSPAGE_MAGIC; zspage->pool = pool; zspage->class = class->index; _ Patches currently in -mm which might be from harry.yoo(a)oracle.com are lib-alloc_tag-do-not-acquire-non-existent-lock-in-alloc_tag_top_users.patch lib-alloc_tag-do-not-acquire-non-existent-lock-in-alloc_tag_top_users-v3.patch mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction=n.patch

4 months, 2 weeks

1
0
0 0

+ mm-shmem-swap-improve-cached-mthp-handling-and-fix-potential-hung.patch added to mm-unstable branch

by Andrew Morton

The patch titled Subject: mm/shmem, swap: improve cached mTHP handling and fix potential hang has been added to the -mm mm-unstable branch. Its filename is mm-shmem-swap-improve-cached-mthp-handling-and-fix-potential-hung.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Kairui Song <kasong(a)tencent.com> Subject: mm/shmem, swap: improve cached mTHP handling and fix potential hang Date: Sat, 5 Jul 2025 02:17:40 +0800 Patch series "mm/shmem, swap: bugfix and improvement of mTHP swap-in", v4. The current mTHP swapin path have several problems. It may potentially hang, may cause redundant faults due to false positive swap cache lookup, and it will involve at least 4 Xarray tree walks (get order, get order again, confirm swap, insert folio). And for !CONFIG_TRANSPARENT_HUGEPAGE builds, it will performs some mTHP related checks. This series fixes all of the mentioned issues, and the code should be more robust and prepared for the swap table series. Now tree walks is reduced to twice (get order & confirm, insert folio), !CONFIG_TRANSPARENT_HUGEPAGE build overhead is also minimized, and comes with a sanity check now. The performance is slightly better after this series, sequential swap in of 24G data from ZRAM, using transparent_hugepage_tmpfs=always (24 samples each): Before: 11.02, stddev: 0.06 After patch 1: 10.74, stddev: 0.03 After patch 2: 10.72, stddev: 0.01 After patch 3: 10.73, stddev: 0.04 After patch 4: 10.72, stddev: 0.02 After patch 5: 10.74, stddev: 0.01 After patch 6: 10.13, stddev: 0.09 After patch 7: 9.95, stddev: 0.02 After patch 8: 9.88, stddev: 0.04 Each patch improves the performance by a little, which is about ~10% faster in total. Build kernel test showed very slightly improvement, testing with make -j24 with defconfig in a 256M memcg also using ZRAM as swap, and transparent_hugepage_tmpfs=always (6 test runs): Before: system time avg: 3911.80s After: system time avg: 3863.76s This patch (of 9): The current swap-in code assumes that, when a swap entry in shmem mapping is order 0, its cached folios (if present) must be order 0 too, which turns out not always correct. The problem is shmem_split_large_entry is called before verifying the folio will eventually be swapped in, one possible race is: CPU1 CPU2 shmem_swapin_folio /* swap in of order > 0 swap entry S1 */ folio = swap_cache_get_folio /* folio = NULL */ order = xa_get_order /* order > 0 */ folio = shmem_swap_alloc_folio /* mTHP alloc failure, folio = NULL */ <... Interrupted ...> shmem_swapin_folio /* S1 is swapped in */ shmem_writeout /* S1 is swapped out, folio cached */ shmem_split_large_entry(..., S1) /* S1 is split, but the folio covering it has order > 0 now */ Now any following swapin of S1 will hang: `xa_get_order` returns 0, and folio lookup will return a folio with order > 0. The `xa_get_order(&mapping->i_pages, index) != folio_order(folio)` will always return false causing swap-in to return -EEXIST. And this looks fragile. So fix this up by allowing seeing a larger folio in swap cache, and check the whole shmem mapping range covered by the swapin have the right swap value upon inserting the folio. And drop the redundant tree walks before the insertion. This will actually improve performance, as it avoids two redundant Xarray tree walks in the hot path, and the only side effect is that in the failure path, shmem may redundantly reallocate a few folios causing temporary slight memory pressure. And worth noting, it may seem the order and value check before inserting might help reducing the lock contention, which is not true. The swap cache layer ensures raced swapin will either see a swap cache folio or failed to do a swapin (we have SWAP_HAS_CACHE bit even if swap cache is bypassed), so holding the folio lock and checking the folio flag is already good enough for avoiding the lock contention. The chance that a folio passes the swap entry value check but the shmem mapping slot has changed should be very low. Link: https://lkml.kernel.org/r/20250704181748.63181-1-ryncsn@gmail.com Link: https://lkml.kernel.org/r/20250704181748.63181-2-ryncsn@gmail.com Fixes: 809bc86517cc ("mm: shmem: support large folio swap out") Signed-off-by: Kairui Song <kasong(a)tencent.com> Reviewed-by: Kemeng Shi <shikemeng(a)huaweicloud.com> Reviewed-by: Baolin Wang <baolin.wang(a)linux.alibaba.com> Tested-by: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: <stable(a)vger.kernel.org> Cc: Baoquan He <bhe(a)redhat.com> Cc: Barry Song <baohua(a)kernel.org> Cc: Chris Li <chrisl(a)kernel.org> Cc: Dev Jain <dev.jain(a)arm.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Nhat Pham <nphamcs(a)gmail.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/shmem.c | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) --- a/mm/shmem.c~mm-shmem-swap-improve-cached-mthp-handling-and-fix-potential-hung +++ a/mm/shmem.c @@ -884,7 +884,9 @@ static int shmem_add_to_page_cache(struc pgoff_t index, void *expected, gfp_t gfp) { XA_STATE_ORDER(xas, &mapping->i_pages, index, folio_order(folio)); - long nr = folio_nr_pages(folio); + unsigned long nr = folio_nr_pages(folio); + swp_entry_t iter, swap; + void *entry; VM_BUG_ON_FOLIO(index != round_down(index, nr), folio); VM_BUG_ON_FOLIO(!folio_test_locked(folio), folio); @@ -896,14 +898,24 @@ static int shmem_add_to_page_cache(struc gfp &= GFP_RECLAIM_MASK; folio_throttle_swaprate(folio, gfp); + swap = iter = radix_to_swp_entry(expected); do { xas_lock_irq(&xas); - if (expected != xas_find_conflict(&xas)) { - xas_set_err(&xas, -EEXIST); - goto unlock; + xas_for_each_conflict(&xas, entry) { + /* + * The range must either be empty, or filled with + * expected swap entries. Shmem swap entries are never + * partially freed without split of both entry and + * folio, so there shouldn't be any holes. + */ + if (!expected || entry != swp_to_radix_entry(iter)) { + xas_set_err(&xas, -EEXIST); + goto unlock; + } + iter.val += 1 << xas_get_order(&xas); } - if (expected && xas_find_conflict(&xas)) { + if (expected && iter.val - nr != swap.val) { xas_set_err(&xas, -EEXIST); goto unlock; } @@ -2323,7 +2335,7 @@ static int shmem_swapin_folio(struct ino error = -ENOMEM; goto failed; } - } else if (order != folio_order(folio)) { + } else if (order > folio_order(folio)) { /* * Swap readahead may swap in order 0 folios into swapcache * asynchronously, while the shmem mapping can still stores @@ -2348,15 +2360,15 @@ static int shmem_swapin_folio(struct ino swap = swp_entry(swp_type(swap), swp_offset(swap) + offset); } + } else if (order < folio_order(folio)) { + swap.val = round_down(swap.val, 1 << folio_order(folio)); } alloced: /* We have to do this with folio locked to prevent races */ folio_lock(folio); if ((!skip_swapcache && !folio_test_swapcache(folio)) || - folio->swap.val != swap.val || - !shmem_confirm_swap(mapping, index, swap) || - xa_get_order(&mapping->i_pages, index) != folio_order(folio)) { + folio->swap.val != swap.val) { error = -EEXIST; goto unlock; } _ Patches currently in -mm which might be from kasong(a)tencent.com are mm-list_lru-refactor-the-locking-code.patch mm-shmem-swap-improve-cached-mthp-handling-and-fix-potential-hung.patch mm-shmem-swap-avoid-redundant-xarray-lookup-during-swapin.patch mm-shmem-swap-tidy-up-thp-swapin-checks.patch mm-shmem-swap-tidy-up-swap-entry-splitting.patch mm-shmem-swap-avoid-false-positive-swap-cache-lookup.patch mm-shmem-swap-never-use-swap-cache-and-readahead-for-swp_synchronous_io.patch mm-shmem-swap-simplify-swapin-path-and-result-handling.patch mm-shmem-swap-simplify-swap-entry-and-index-calculation-of-large-swapin.patch mm-shmem-swap-fix-major-fault-counting.patch

4 months, 2 weeks

1
0
0 0

[PATCH v4 1/9] mm/shmem, swap: improve cached mTHP handling and fix potential hung

by Kairui Song

From: Kairui Song <kasong(a)tencent.com> The current swap-in code assumes that, when a swap entry in shmem mapping is order 0, its cached folios (if present) must be order 0 too, which turns out not always correct. The problem is shmem_split_large_entry is called before verifying the folio will eventually be swapped in, one possible race is: CPU1 CPU2 shmem_swapin_folio /* swap in of order > 0 swap entry S1 */ folio = swap_cache_get_folio /* folio = NULL */ order = xa_get_order /* order > 0 */ folio = shmem_swap_alloc_folio /* mTHP alloc failure, folio = NULL */ <... Interrupted ...> shmem_swapin_folio /* S1 is swapped in */ shmem_writeout /* S1 is swapped out, folio cached */ shmem_split_large_entry(..., S1) /* S1 is split, but the folio covering it has order > 0 now */ Now any following swapin of S1 will hang: `xa_get_order` returns 0, and folio lookup will return a folio with order > 0. The `xa_get_order(&mapping->i_pages, index) != folio_order(folio)` will always return false causing swap-in to return -EEXIST. And this looks fragile. So fix this up by allowing seeing a larger folio in swap cache, and check the whole shmem mapping range covered by the swapin have the right swap value upon inserting the folio. And drop the redundant tree walks before the insertion. This will actually improve performance, as it avoids two redundant Xarray tree walks in the hot path, and the only side effect is that in the failure path, shmem may redundantly reallocate a few folios causing temporary slight memory pressure. And worth noting, it may seems the order and value check before inserting might help reducing the lock contention, which is not true. The swap cache layer ensures raced swapin will either see a swap cache folio or failed to do a swapin (we have SWAP_HAS_CACHE bit even if swap cache is bypassed), so holding the folio lock and checking the folio flag is already good enough for avoiding the lock contention. The chance that a folio passes the swap entry value check but the shmem mapping slot has changed should be very low. Fixes: 809bc86517cc ("mm: shmem: support large folio swap out") Signed-off-by: Kairui Song <kasong(a)tencent.com> Reviewed-by: Kemeng Shi <shikemeng(a)huaweicloud.com> Reviewed-by: Baolin Wang <baolin.wang(a)linux.alibaba.com> Tested-by: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: <stable(a)vger.kernel.org> --- mm/shmem.c | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/mm/shmem.c b/mm/shmem.c index 334b7b4a61a0..e3c9a1365ff4 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -884,7 +884,9 @@ static int shmem_add_to_page_cache(struct folio *folio, pgoff_t index, void *expected, gfp_t gfp) { XA_STATE_ORDER(xas, &mapping->i_pages, index, folio_order(folio)); - long nr = folio_nr_pages(folio); + unsigned long nr = folio_nr_pages(folio); + swp_entry_t iter, swap; + void *entry; VM_BUG_ON_FOLIO(index != round_down(index, nr), folio); VM_BUG_ON_FOLIO(!folio_test_locked(folio), folio); @@ -896,14 +898,24 @@ static int shmem_add_to_page_cache(struct folio *folio, gfp &= GFP_RECLAIM_MASK; folio_throttle_swaprate(folio, gfp); + swap = iter = radix_to_swp_entry(expected); do { xas_lock_irq(&xas); - if (expected != xas_find_conflict(&xas)) { - xas_set_err(&xas, -EEXIST); - goto unlock; + xas_for_each_conflict(&xas, entry) { + /* + * The range must either be empty, or filled with + * expected swap entries. Shmem swap entries are never + * partially freed without split of both entry and + * folio, so there shouldn't be any holes. + */ + if (!expected || entry != swp_to_radix_entry(iter)) { + xas_set_err(&xas, -EEXIST); + goto unlock; + } + iter.val += 1 << xas_get_order(&xas); } - if (expected && xas_find_conflict(&xas)) { + if (expected && iter.val - nr != swap.val) { xas_set_err(&xas, -EEXIST); goto unlock; } @@ -2323,7 +2335,7 @@ static int shmem_swapin_folio(struct inode *inode, pgoff_t index, error = -ENOMEM; goto failed; } - } else if (order != folio_order(folio)) { + } else if (order > folio_order(folio)) { /* * Swap readahead may swap in order 0 folios into swapcache * asynchronously, while the shmem mapping can still stores @@ -2348,15 +2360,15 @@ static int shmem_swapin_folio(struct inode *inode, pgoff_t index, swap = swp_entry(swp_type(swap), swp_offset(swap) + offset); } + } else if (order < folio_order(folio)) { + swap.val = round_down(swap.val, 1 << folio_order(folio)); } alloced: /* We have to do this with folio locked to prevent races */ folio_lock(folio); if ((!skip_swapcache && !folio_test_swapcache(folio)) || - folio->swap.val != swap.val || - !shmem_confirm_swap(mapping, index, swap) || - xa_get_order(&mapping->i_pages, index) != folio_order(folio)) { + folio->swap.val != swap.val) { error = -EEXIST; goto unlock; } -- 2.50.0

4 months, 2 weeks

1
0
0 0

[PATCH] arm64: Filter out SME hwcaps when FEAT_SME isn't implemented

by Mark Brown

We have a number of hwcaps for various SME subfeatures enumerated via ID_AA64SMFR0_EL1. Currently we advertise these without cross checking against the main SME feature, advertised in ID_AA64PFR1_EL1.SME which means that if the two are out of sync userspace can see a confusing situation where SME subfeatures are advertised without the base SME hwcap. This can be readily triggered by using the arm64.nosme override which only masks out ID_AA64PFR1_EL1.SME, and there have also been reports of VMMs which do the same thing. Fix this as we did previously for SVE in 064737920bdb ("arm64: Filter out SVE hwcaps when FEAT_SVE isn't implemented") by filtering out the SME subfeature hwcaps when FEAT_SME is not present. Fixes: 5e64b862c482 ("arm64/sme: Basic enumeration support") Reported-by: Yury Khrustalev <yury.khrustalev(a)arm.com> Signed-off-by: Mark Brown <broonie(a)kernel.org> Cc: stable(a)vger.kernel.org --- arch/arm64/kernel/cpufeature.c | 57 ++++++++++++++++++++++++------------------ 1 file changed, 32 insertions(+), 25 deletions(-) diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index b34044e20128..e151585c6cca 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -3135,6 +3135,13 @@ static bool has_sve_feature(const struct arm64_cpu_capabilities *cap, int scope) } #endif +#ifdef CONFIG_ARM64_SME +static bool has_sme_feature(const struct arm64_cpu_capabilities *cap, int scope) +{ + return system_supports_sme() && has_user_cpuid_feature(cap, scope); +} +#endif + static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = { HWCAP_CAP(ID_AA64ISAR0_EL1, AES, PMULL, CAP_HWCAP, KERNEL_HWCAP_PMULL), HWCAP_CAP(ID_AA64ISAR0_EL1, AES, AES, CAP_HWCAP, KERNEL_HWCAP_AES), @@ -3223,31 +3230,31 @@ static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = { HWCAP_CAP(ID_AA64ISAR2_EL1, BC, IMP, CAP_HWCAP, KERNEL_HWCAP_HBC), #ifdef CONFIG_ARM64_SME HWCAP_CAP(ID_AA64PFR1_EL1, SME, IMP, CAP_HWCAP, KERNEL_HWCAP_SME), - HWCAP_CAP(ID_AA64SMFR0_EL1, FA64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_FA64), - HWCAP_CAP(ID_AA64SMFR0_EL1, LUTv2, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_LUTV2), - HWCAP_CAP(ID_AA64SMFR0_EL1, SMEver, SME2p2, CAP_HWCAP, KERNEL_HWCAP_SME2P2), - HWCAP_CAP(ID_AA64SMFR0_EL1, SMEver, SME2p1, CAP_HWCAP, KERNEL_HWCAP_SME2P1), - HWCAP_CAP(ID_AA64SMFR0_EL1, SMEver, SME2, CAP_HWCAP, KERNEL_HWCAP_SME2), - HWCAP_CAP(ID_AA64SMFR0_EL1, I16I64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I64), - HWCAP_CAP(ID_AA64SMFR0_EL1, F64F64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F64F64), - HWCAP_CAP(ID_AA64SMFR0_EL1, I16I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I32), - HWCAP_CAP(ID_AA64SMFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16B16), - HWCAP_CAP(ID_AA64SMFR0_EL1, F16F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F16), - HWCAP_CAP(ID_AA64SMFR0_EL1, F8F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F8F16), - HWCAP_CAP(ID_AA64SMFR0_EL1, F8F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F8F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, I8I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I8I32), - HWCAP_CAP(ID_AA64SMFR0_EL1, F16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, B16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, BI32I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_BI32I32), - HWCAP_CAP(ID_AA64SMFR0_EL1, F32F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F32F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, SF8FMA, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8FMA), - HWCAP_CAP(ID_AA64SMFR0_EL1, SF8DP4, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8DP4), - HWCAP_CAP(ID_AA64SMFR0_EL1, SF8DP2, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8DP2), - HWCAP_CAP(ID_AA64SMFR0_EL1, SBitPerm, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SBITPERM), - HWCAP_CAP(ID_AA64SMFR0_EL1, AES, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_AES), - HWCAP_CAP(ID_AA64SMFR0_EL1, SFEXPA, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SFEXPA), - HWCAP_CAP(ID_AA64SMFR0_EL1, STMOP, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_STMOP), - HWCAP_CAP(ID_AA64SMFR0_EL1, SMOP4, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SMOP4), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, FA64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_FA64), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, LUTv2, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_LUTV2), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SMEver, SME2p2, CAP_HWCAP, KERNEL_HWCAP_SME2P2), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SMEver, SME2p1, CAP_HWCAP, KERNEL_HWCAP_SME2P1), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SMEver, SME2, CAP_HWCAP, KERNEL_HWCAP_SME2), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, I16I64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I64), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F64F64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F64F64), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, I16I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16B16), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F16F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F16), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F8F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F8F16), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F8F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F8F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, I8I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I8I32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, B16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, BI32I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_BI32I32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F32F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F32F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SF8FMA, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8FMA), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SF8DP4, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8DP4), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SF8DP2, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8DP2), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SBitPerm, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SBITPERM), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, AES, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_AES), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SFEXPA, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SFEXPA), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, STMOP, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_STMOP), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SMOP4, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SMOP4), #endif /* CONFIG_ARM64_SME */ HWCAP_CAP(ID_AA64FPFR0_EL1, F8CVT, IMP, CAP_HWCAP, KERNEL_HWCAP_F8CVT), HWCAP_CAP(ID_AA64FPFR0_EL1, F8FMA, IMP, CAP_HWCAP, KERNEL_HWCAP_F8FMA), --- base-commit: e04c78d86a9699d136910cfc0bdcf01087e3267e change-id: 20250618-arm64-sme-filter-hwcaps-b763242f5625 Best regards, -- Mark Brown <broonie(a)kernel.org>

4 months, 2 weeks

2
1
0 0

100% Direct Investment Loan

by Capital Reliance Investment Corporation

4 months, 2 weeks

1
0
0 0

patch "iio: dac: ad3530r: Fix incorrect masking for channels 4-7 in" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: dac: ad3530r: Fix incorrect masking for channels 4-7 in to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 1131e70558bc70f1fc52515281de2663e961e1cc Mon Sep 17 00:00:00 2001 From: Kim Seer Paller <kimseer.paller(a)analog.com> Date: Thu, 26 Jun 2025 16:38:12 +0800 Subject: iio: dac: ad3530r: Fix incorrect masking for channels 4-7 in powerdown mode MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In the current implementation of ad3530r_set_dac_powerdown() function, the macro AD3530R_OP_MODE_CHAN_MSK(chan->channel) is used to generate the bitmask for the operating mode of a specific channel. However, this macro does not account for channels 4-7, which map to the second register AD3530R_OUTPUT_OPERATING_MODE_1 for the 8 channeled device. As a result, the bitmask is incorrectly calculated for these channels, leading to improper configuration of the powerdown mode. Resolve this issue by adjusting the channel index for channels 4-7 by subtracting 4 before applying the macro. This ensures that the correct bitmask is generated for the second register. Fixes: 93583174a3df ("iio: dac: ad3530r: Add driver for AD3530R and AD3531R") Signed-off-by: Kim Seer Paller <kimseer.paller(a)analog.com> Reviewed-by: David Lechner <dlechner(a)baylibre.com> Reviewed-by: Nuno Sá <nuno.sa(a)analog.com> Link: https://patch.msgid.link/20250626-bug_fix-v1-1-eb3c2b370f10@analog.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/dac/ad3530r.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/iio/dac/ad3530r.c b/drivers/iio/dac/ad3530r.c index f9752a571aa5..6134613777b8 100644 --- a/drivers/iio/dac/ad3530r.c +++ b/drivers/iio/dac/ad3530r.c @@ -166,7 +166,9 @@ static ssize_t ad3530r_set_dac_powerdown(struct iio_dev *indio_dev, AD3530R_OUTPUT_OPERATING_MODE_0 : AD3530R_OUTPUT_OPERATING_MODE_1; pdmode = powerdown ? st->chan[chan->channel].powerdown_mode : 0; - mask = AD3530R_OP_MODE_CHAN_MSK(chan->channel); + mask = chan->channel < AD3531R_MAX_CHANNELS ? + AD3530R_OP_MODE_CHAN_MSK(chan->channel) : + AD3530R_OP_MODE_CHAN_MSK(chan->channel - 4); val = field_prep(mask, pdmode); ret = regmap_update_bits(st->regmap, reg, mask, val); -- 2.50.0

4 months, 2 weeks

1
0
0 0

patch "iio: adc: ad7380: fix adi,gain-milli property parsing" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ad7380: fix adi,gain-milli property parsing to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 24fa69894ea3f76ecb13d7160692ee574a912803 Mon Sep 17 00:00:00 2001 From: David Lechner <dlechner(a)baylibre.com> Date: Thu, 19 Jun 2025 10:24:22 -0500 Subject: iio: adc: ad7380: fix adi,gain-milli property parsing Change the data type of the "adi,gain-milli" property from u32 to u16. The devicetree binding specifies it as uint16, so we need to read it as such to avoid an -EOVERFLOW error when parsing the property. Fixes: c904e6dcf402 ("iio: adc: ad7380: add support for adaq4370-4 and adaq4380-4") Signed-off-by: David Lechner <dlechner(a)baylibre.com> Link: https://patch.msgid.link/20250619-iio-adc-ad7380-fix-adi-gain-milli-parsing… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/ad7380.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/iio/adc/ad7380.c b/drivers/iio/adc/ad7380.c index d96bd12dfea6..cabf5511d116 100644 --- a/drivers/iio/adc/ad7380.c +++ b/drivers/iio/adc/ad7380.c @@ -1953,8 +1953,9 @@ static int ad7380_probe(struct spi_device *spi) if (st->chip_info->has_hardware_gain) { device_for_each_child_node_scoped(dev, node) { - unsigned int channel, gain; + unsigned int channel; int gain_idx; + u16 gain; ret = fwnode_property_read_u32(node, "reg", &channel); if (ret) @@ -1966,7 +1967,7 @@ static int ad7380_probe(struct spi_device *spi) "Invalid channel number %i\n", channel); - ret = fwnode_property_read_u32(node, "adi,gain-milli", + ret = fwnode_property_read_u16(node, "adi,gain-milli", &gain); if (ret && ret != -EINVAL) return dev_err_probe(dev, ret, -- 2.50.0

4 months, 2 weeks

1
0
0 0

patch "iio: adc: axp20x_adc: Add missing sentinel to AXP717 ADC channel maps" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: axp20x_adc: Add missing sentinel to AXP717 ADC channel maps to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 3281ddcea6429f7bc1fdb39d407752dd1371aba9 Mon Sep 17 00:00:00 2001 From: Chen-Yu Tsai <wens(a)csie.org> Date: Sat, 7 Jun 2025 21:56:27 +0800 Subject: iio: adc: axp20x_adc: Add missing sentinel to AXP717 ADC channel maps The AXP717 ADC channel maps is missing a sentinel entry at the end. This causes a KASAN warning. Add the missing sentinel entry. Fixes: 5ba0cb92584b ("iio: adc: axp20x_adc: add support for AXP717 ADC") Signed-off-by: Chen-Yu Tsai <wens(a)csie.org> Link: https://patch.msgid.link/20250607135627.2086850-1-wens@kernel.org Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/axp20x_adc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/iio/adc/axp20x_adc.c b/drivers/iio/adc/axp20x_adc.c index 71584ffd3632..1b49325ec1ce 100644 --- a/drivers/iio/adc/axp20x_adc.c +++ b/drivers/iio/adc/axp20x_adc.c @@ -187,6 +187,7 @@ static struct iio_map axp717_maps[] = { .consumer_channel = "batt_chrg_i", .adc_channel_label = "batt_chrg_i", }, + { } }; /* -- 2.50.0

4 months, 2 weeks

1
0
0 0

patch "iio: adc: stm32-adc: Fix race in installing chained IRQ handler" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: stm32-adc: Fix race in installing chained IRQ handler to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From e8ad595064f6ebd5d2d1a5d5d7ebe0efce623091 Mon Sep 17 00:00:00 2001 From: Chen Ni <nichen(a)iscas.ac.cn> Date: Thu, 15 May 2025 16:31:01 +0800 Subject: iio: adc: stm32-adc: Fix race in installing chained IRQ handler MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix a race where a pending interrupt could be received and the handler called before the handler's data has been setup, by converting to irq_set_chained_handler_and_data(). Fixes: 1add69880240 ("iio: adc: Add support for STM32 ADC core") Signed-off-by: Chen Ni <nichen(a)iscas.ac.cn> Reviewed-by: Nuno Sá <nuno.sa(a)analog.com> Tested-by: Fabrice Gasnier <fabrice.gasnier(a)foss.st.com> Reviewed-by: Fabrice Gasnier <fabrice.gasnier(a)foss.st.com> Link: https://patch.msgid.link/20250515083101.3811350-1-nichen@iscas.ac.cn Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/stm32-adc-core.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/iio/adc/stm32-adc-core.c b/drivers/iio/adc/stm32-adc-core.c index bd3458965bff..21c04a98b3b6 100644 --- a/drivers/iio/adc/stm32-adc-core.c +++ b/drivers/iio/adc/stm32-adc-core.c @@ -430,10 +430,9 @@ static int stm32_adc_irq_probe(struct platform_device *pdev, return -ENOMEM; } - for (i = 0; i < priv->cfg->num_irqs; i++) { - irq_set_chained_handler(priv->irq[i], stm32_adc_irq_handler); - irq_set_handler_data(priv->irq[i], priv); - } + for (i = 0; i < priv->cfg->num_irqs; i++) + irq_set_chained_handler_and_data(priv->irq[i], + stm32_adc_irq_handler, priv); return 0; } -- 2.50.0

4 months, 2 weeks

1
0
0 0

patch "iio: backend: fix out-of-bound write" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: backend: fix out-of-bound write to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From da9374819eb3885636934c1006d450c3cb1a02ed Mon Sep 17 00:00:00 2001 From: Markus Burri <markus.burri(a)mt.com> Date: Thu, 8 May 2025 15:06:07 +0200 Subject: iio: backend: fix out-of-bound write MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The buffer is set to 80 character. If a caller write more characters, count is truncated to the max available space in "simple_write_to_buffer". But afterwards a string terminator is written to the buffer at offset count without boundary check. The zero termination is written OUT-OF-BOUND. Add a check that the given buffer is smaller then the buffer to prevent. Fixes: 035b4989211d ("iio: backend: make sure to NULL terminate stack buffer") Signed-off-by: Markus Burri <markus.burri(a)mt.com> Reviewed-by: Nuno Sá <nuno.sa(a)analog.com> Link: https://patch.msgid.link/20250508130612.82270-2-markus.burri@mt.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/industrialio-backend.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/iio/industrialio-backend.c b/drivers/iio/industrialio-backend.c index c1eb9ef9db08..266e1b29bf91 100644 --- a/drivers/iio/industrialio-backend.c +++ b/drivers/iio/industrialio-backend.c @@ -155,11 +155,14 @@ static ssize_t iio_backend_debugfs_write_reg(struct file *file, ssize_t rc; int ret; + if (count >= sizeof(buf)) + return -ENOSPC; + rc = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf, count); if (rc < 0) return rc; - buf[count] = '\0'; + buf[rc] = '\0'; ret = sscanf(buf, "%i %i", &back->cached_reg_addr, &val); -- 2.50.0

4 months, 2 weeks

1
0
0 0

[PATCH v2] x86/mm: Disable hugetlb page table sharing on 32-bit

by Jann Horn

Only select ARCH_WANT_HUGE_PMD_SHARE on 64-bit x86. Page table sharing requires at least three levels because it involves shared references to PMD tables; 32-bit x86 has either two-level paging (without PAE) or three-level paging (with PAE), but even with three-level paging, having a dedicated PGD entry for hugetlb is only barely possible (because the PGD only has four entries), and it seems unlikely anyone's actually using PMD sharing on 32-bit. Having ARCH_WANT_HUGE_PMD_SHARE enabled on non-PAE 32-bit X86 (which has 2-level paging) became particularly problematic after commit 59d9094df3d7 ("mm: hugetlb: independent PMD page table shared count"), since that changes `struct ptdesc` such that the `pt_mm` (for PGDs) and the `pt_share_count` (for PMDs) share the same union storage - and with 2-level paging, PMDs are PGDs. (For comparison, arm64 also gates ARCH_WANT_HUGE_PMD_SHARE on the configuration of page tables such that it is never enabled with 2-level paging.) Reported-by: Vitaly Chikunov <vt(a)altlinux.org> Closes: https://lore.kernel.org/r/srhpjxlqfna67blvma5frmy3aa@altlinux.org Suggested-by: Dave Hansen <dave.hansen(a)intel.com> Tested-by: Vitaly Chikunov <vt(a)altlinux.org> Fixes: cfe28c5d63d8 ("x86: mm: Remove x86 version of huge_pmd_share.") Cc: stable(a)vger.kernel.org Signed-off-by: Jann Horn <jannh(a)google.com> --- I'm carrying over Vitaly Chikunov's "Tested-by" from v1. Changes in v2: - disable it for 32-bit entirely (Dave Hansen) - Link to v1: https://lore.kernel.org/r/20250630-x86-2level-hugetlb-v1-1-077cd53d8255@goo… --- arch/x86/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 71019b3b54ea..4e0fe688cc83 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -147,7 +147,7 @@ config X86 select ARCH_WANTS_DYNAMIC_TASK_STRUCT select ARCH_WANTS_NO_INSTR select ARCH_WANT_GENERAL_HUGETLB - select ARCH_WANT_HUGE_PMD_SHARE + select ARCH_WANT_HUGE_PMD_SHARE if X86_64 select ARCH_WANT_LD_ORPHAN_WARN select ARCH_WANT_OPTIMIZE_DAX_VMEMMAP if X86_64 select ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP if X86_64 --- base-commit: d0b3b7b22dfa1f4b515fd3a295b3fd958f9e81af change-id: 20250630-x86-2level-hugetlb-b1d8feb255ce -- Jann Horn <jannh(a)google.com>

4 months, 2 weeks

3
2
0 0

[PATCH] gpiolib: fix efficiency regression when using gpio_chip_get_multiple()

by Hugo Villeneuve

From: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> commit 74abd086d2ee ("gpiolib: sanitize the return value of gpio_chip::get_multiple()") altered the value returned by gc->get_multiple() in case it is positive (> 0), but failed to return for other cases (<= 0). This may result in the "if (gc->get)" block being executed and thus negates the performance gain that is normally obtained by using gc->get_multiple(). Fix by returning the result of gc->get_multiple() if it is <= 0. Also move the "ret" variable to the scope where it is used, which as an added bonus fixes an indentation error introduced by the aforementioned commit. Fixes: 74abd086d2ee ("gpiolib: sanitize the return value of gpio_chip::get_multiple()") Cc: stable(a)vger.kernel.org Signed-off-by: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> --- drivers/gpio/gpiolib.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index fdafa0df1b43..3a3eca5b4c40 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -3297,14 +3297,15 @@ static int gpiod_get_raw_value_commit(const struct gpio_desc *desc) static int gpio_chip_get_multiple(struct gpio_chip *gc, unsigned long *mask, unsigned long *bits) { - int ret; - lockdep_assert_held(&gc->gpiodev->srcu); if (gc->get_multiple) { + int ret; + ret = gc->get_multiple(gc, mask, bits); if (ret > 0) return -EBADE; + return ret; } if (gc->get) { base-commit: b4911fb0b060899e4eebca0151eb56deb86921ec -- 2.39.5

4 months, 2 weeks

2
3
0 0

[PATCH v3] fscrypt: Don't use problematic non-inline crypto engines

by Eric Biggers

Make fscrypt no longer use Crypto API drivers for non-inline crypto engines, even when the Crypto API prioritizes them over CPU-based code (which unfortunately it often does). These drivers tend to be really problematic, especially for fscrypt's workload. This commit has no effect on inline crypto engines, which are different and do work well. Specifically, exclude drivers that have CRYPTO_ALG_KERN_DRIVER_ONLY or CRYPTO_ALG_ALLOCATES_MEMORY set. (Later, CRYPTO_ALG_ASYNC should be excluded too. That's omitted for now to keep this commit backportable, since until recently some CPU-based code had CRYPTO_ALG_ASYNC set.) There are two major issues with these drivers: bugs and performance. First, these drivers tend to be buggy. They're fundamentally much more error-prone and harder to test than the CPU-based code. They often don't get tested before kernel releases, and even if they do, the crypto self-tests don't properly test these drivers. Released drivers have en/decrypted or hashed data incorrectly. These bugs cause issues for fscrypt users who often didn't even want to use these drivers, e.g.: - https://github.com/google/fscryptctl/issues/32 - https://github.com/google/fscryptctl/issues/9 - https://lore.kernel.org/r/PH0PR02MB731916ECDB6C613665863B6CFFAA2@PH0PR02MB7… These drivers have also similarly caused issues for dm-crypt users, including data corruption and deadlocks. Since Linux v5.10, dm-crypt has disabled most of them by excluding CRYPTO_ALG_ALLOCATES_MEMORY. Second, these drivers tend to be *much* slower than the CPU-based code. This may seem counterintuitive, but benchmarks clearly show it. There's a *lot* of overhead associated with going to a hardware driver, off the CPU, and back again. To prove this, I gathered as many systems with this type of crypto engine as I could, and I measured synchronous encryption of 4096-byte messages (which matches fscrypt's workload): Intel Emerald Rapids server: AES-256-XTS: xts-aes-vaes-avx512 16171 MB/s [CPU-based, Vector AES] qat_aes_xts 289 MB/s [Offload, Intel QuickAssist] Qualcomm SM8650 HDK: AES-256-XTS: xts-aes-ce 4301 MB/s [CPU-based, ARMv8 Crypto Extensions] xts-aes-qce 73 MB/s [Offload, Qualcomm Crypto Engine] i.MX 8M Nano LPDDR4 EVK: AES-256-XTS: xts-aes-ce 647 MB/s [CPU-based, ARMv8 Crypto Extensions] xts(ecb-aes-caam) 20 MB/s [Offload, CAAM] AES-128-CBC-ESSIV: essiv(cbc-aes-caam,sha256-lib) 23 MB/s [Offload, CAAM] STM32MP157F-DK2: AES-256-XTS: xts-aes-neonbs 13.2 MB/s [CPU-based, ARM NEON] xts(stm32-ecb-aes) 3.1 MB/s [Offload, STM32 crypto engine] AES-128-CBC-ESSIV: essiv(cbc-aes-neonbs,sha256-lib) 14.7 MB/s [CPU-based, ARM NEON] essiv(stm32-cbc-aes,sha256-lib) 3.2 MB/s [Offload, STM32 crypto engine] Adiantum: adiantum(xchacha12-arm,aes-arm,nhpoly1305-neon) 52.8 MB/s [CPU-based, ARM scalar + NEON] So, there was no case in which the crypto engine was even *close* to being faster. On the first three, which have AES instructions in the CPU, the CPU was 30 to 55 times faster (!). Even on STM32MP157F-DK2 which has a Cortex-A7 CPU that doesn't have AES instructions, AES was over 4 times faster on the CPU. And Adiantum encryption, which is what actually should be used on CPUs like that, was over 17 times faster. Other justifications that have been given for these non-inline crypto engines (almost always coming from the hardware vendors, not actual users) don't seem very plausible either: - The crypto engine throughput could be improved by processing multiple requests concurrently. Currently irrelevant to fscrypt, since it doesn't do that. This would also be complex, and unhelpful in many cases. 2 of the 4 engines I tested even had only one queue. - Some of the engines, e.g. STM32, support hardware keys. Also currently irrelevant to fscrypt, since it doesn't support these. Interestingly, the STM32 driver itself doesn't support this either. - Free up CPU for other tasks and/or reduce energy usage. Not very plausible considering the "short" message length, driver overhead, and scheduling overhead. There's just very little time for the CPU to do something else like run another task or enter low-power state, before the message finishes and it's time to process the next one. - Some of these engines resist power analysis and electromagnetic attacks, while the CPU-based crypto generally does not. In theory, this sounds great. In practice, if this benefit requires the use of an off-CPU offload that massively regresses performance and has a low-quality, buggy driver, the price for this hardening (which is not relevant to most fscrypt users, and tends to be incomplete) is just too high. Inline crypto engines are much more promising here, as are on-CPU solutions like RISC-V High Assurance Cryptography. Fixes: b30ab0e03407 ("ext4 crypto: add ext4 encryption facilities") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- Changed in v3: - Further improved the commit message and comment. Added data for STM32MP157F-DK2 and i.MX 8M Nano LPDDR4 EVK. - Updated fscrypt.rst Changed in v2: - Improved commit message and comment - Dropped CRYPTO_ALG_ASYNC from the mask, to make this patch backport-friendly - Added Fixes and Cc stable Documentation/filesystems/fscrypt.rst | 37 +++++++++++---------------- fs/crypto/fscrypt_private.h | 17 ++++++++++++ fs/crypto/hkdf.c | 2 +- fs/crypto/keysetup.c | 3 ++- fs/crypto/keysetup_v1.c | 3 ++- 5 files changed, 37 insertions(+), 25 deletions(-) diff --git a/Documentation/filesystems/fscrypt.rst b/Documentation/filesystems/fscrypt.rst index 29e84d125e02..4a3e844b790c 100644 --- a/Documentation/filesystems/fscrypt.rst +++ b/Documentation/filesystems/fscrypt.rst @@ -145,13 +145,12 @@ However, these ioctls have some limitations: caches are freed but not wiped. Therefore, portions thereof may be recoverable from freed memory, even after the corresponding key(s) were wiped. To partially solve this, you can add init_on_free=1 to your kernel command line. However, this has a performance cost. -- Secret keys might still exist in CPU registers, in crypto - accelerator hardware (if used by the crypto API to implement any of - the algorithms), or in other places not explicitly considered here. +- Secret keys might still exist in CPU registers or in other places + not explicitly considered here. Full system compromise ~~~~~~~~~~~~~~~~~~~~~~ An attacker who gains "root" access and/or the ability to execute @@ -404,13 +403,16 @@ of hardware acceleration for AES. Adiantum is a wide-block cipher that uses XChaCha12 and AES-256 as its underlying components. Most of the work is done by XChaCha12, which is much faster than AES when AES acceleration is unavailable. For more information about Adiantum, see `the Adiantum paper <https://eprint.iacr.org/2018/720.pdf>`_. -The (AES-128-CBC-ESSIV, AES-128-CBC-CTS) pair exists only to support -systems whose only form of AES acceleration is an off-CPU crypto -accelerator such as CAAM or CESA that does not support XTS. +The (AES-128-CBC-ESSIV, AES-128-CBC-CTS) pair was added to try to +provide a more efficient option for systems that lack AES instructions +in the CPU but do have a non-inline crypto engine such as CAAM or CESA +that supports AES-CBC (and not AES-XTS). This is deprecated. It has +been shown that just doing AES on the CPU is actually faster. +Moreover, Adiantum is faster still and is recommended on such systems. The remaining mode pairs are the "national pride ciphers": - (SM4-XTS, SM4-CBC-CTS) @@ -1324,26 +1326,17 @@ that systems implementing a form of "verified boot" take advantage of this by validating all top-level encryption policies prior to access. Inline encryption support ========================= -By default, fscrypt uses the kernel crypto API for all cryptographic -operations (other than HKDF, which fscrypt partially implements -itself). The kernel crypto API supports hardware crypto accelerators, -but only ones that work in the traditional way where all inputs and -outputs (e.g. plaintexts and ciphertexts) are in memory. fscrypt can -take advantage of such hardware, but the traditional acceleration -model isn't particularly efficient and fscrypt hasn't been optimized -for it. - -Instead, many newer systems (especially mobile SoCs) have *inline -encryption hardware* that can encrypt/decrypt data while it is on its -way to/from the storage device. Linux supports inline encryption -through a set of extensions to the block layer called *blk-crypto*. -blk-crypto allows filesystems to attach encryption contexts to bios -(I/O requests) to specify how the data will be encrypted or decrypted -in-line. For more information about blk-crypto, see +Many newer systems (especially mobile SoCs) have *inline encryption +hardware* that can encrypt/decrypt data while it is on its way to/from +the storage device. Linux supports inline encryption through a set of +extensions to the block layer called *blk-crypto*. blk-crypto allows +filesystems to attach encryption contexts to bios (I/O requests) to +specify how the data will be encrypted or decrypted in-line. For more +information about blk-crypto, see :ref:`Documentation/block/inline-encryption.rst <inline_encryption>`. On supported filesystems (currently ext4 and f2fs), fscrypt can use blk-crypto instead of the kernel crypto API to encrypt/decrypt file contents. To enable this, set CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y in diff --git a/fs/crypto/fscrypt_private.h b/fs/crypto/fscrypt_private.h index c1d92074b65c..6e7164530a1e 100644 --- a/fs/crypto/fscrypt_private.h +++ b/fs/crypto/fscrypt_private.h @@ -43,10 +43,27 @@ * hardware-wrapped keys has made it misleading as it's only for raw keys. * Don't use it in kernel code; use one of the above constants instead. */ #undef FSCRYPT_MAX_KEY_SIZE +/* + * This mask is passed as the third argument to the crypto_alloc_*() functions + * to prevent fscrypt from using the Crypto API drivers for non-inline crypto + * engines. Those drivers have been problematic for fscrypt. fscrypt users + * have reported hangs and even incorrect en/decryption with these drivers. + * Since going to the driver, off CPU, and back again is really slow, such + * drivers can be over 50 times slower than the CPU-based code for fscrypt's + * workload. Even on platforms that lack AES instructions on the CPU, using the + * offloads has been shown to be slower, even staying with AES. (Of course, + * Adiantum is faster still, and is the recommended option on such platforms...) + * + * Note that fscrypt also supports inline crypto engines. Those don't use the + * Crypto API and work much better than the old-style (non-inline) engines. + */ +#define FSCRYPT_CRYPTOAPI_MASK \ + (CRYPTO_ALG_ALLOCATES_MEMORY | CRYPTO_ALG_KERN_DRIVER_ONLY) + #define FSCRYPT_CONTEXT_V1 1 #define FSCRYPT_CONTEXT_V2 2 /* Keep this in sync with include/uapi/linux/fscrypt.h */ #define FSCRYPT_MODE_MAX FSCRYPT_MODE_AES_256_HCTR2 diff --git a/fs/crypto/hkdf.c b/fs/crypto/hkdf.c index 0f3028adc9c7..5b9c21cfe2b4 100644 --- a/fs/crypto/hkdf.c +++ b/fs/crypto/hkdf.c @@ -56,11 +56,11 @@ int fscrypt_init_hkdf(struct fscrypt_hkdf *hkdf, const u8 *master_key, struct crypto_shash *hmac_tfm; static const u8 default_salt[HKDF_HASHLEN]; u8 prk[HKDF_HASHLEN]; int err; - hmac_tfm = crypto_alloc_shash(HKDF_HMAC_ALG, 0, 0); + hmac_tfm = crypto_alloc_shash(HKDF_HMAC_ALG, 0, FSCRYPT_CRYPTOAPI_MASK); if (IS_ERR(hmac_tfm)) { fscrypt_err(NULL, "Error allocating " HKDF_HMAC_ALG ": %ld", PTR_ERR(hmac_tfm)); return PTR_ERR(hmac_tfm); } diff --git a/fs/crypto/keysetup.c b/fs/crypto/keysetup.c index 0d71843af946..d8113a719697 100644 --- a/fs/crypto/keysetup.c +++ b/fs/crypto/keysetup.c @@ -101,11 +101,12 @@ fscrypt_allocate_skcipher(struct fscrypt_mode *mode, const u8 *raw_key, const struct inode *inode) { struct crypto_skcipher *tfm; int err; - tfm = crypto_alloc_skcipher(mode->cipher_str, 0, 0); + tfm = crypto_alloc_skcipher(mode->cipher_str, 0, + FSCRYPT_CRYPTOAPI_MASK); if (IS_ERR(tfm)) { if (PTR_ERR(tfm) == -ENOENT) { fscrypt_warn(inode, "Missing crypto API support for %s (API name: \"%s\")", mode->friendly_name, mode->cipher_str); diff --git a/fs/crypto/keysetup_v1.c b/fs/crypto/keysetup_v1.c index b70521c55132..158ceae8a5bc 100644 --- a/fs/crypto/keysetup_v1.c +++ b/fs/crypto/keysetup_v1.c @@ -50,11 +50,12 @@ static int derive_key_aes(const u8 *master_key, { int res = 0; struct skcipher_request *req = NULL; DECLARE_CRYPTO_WAIT(wait); struct scatterlist src_sg, dst_sg; - struct crypto_skcipher *tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0); + struct crypto_skcipher *tfm = + crypto_alloc_skcipher("ecb(aes)", 0, FSCRYPT_CRYPTOAPI_MASK); if (IS_ERR(tfm)) { res = PTR_ERR(tfm); tfm = NULL; goto out; base-commit: d0b3b7b22dfa1f4b515fd3a295b3fd958f9e81af -- 2.50.0

4 months, 2 weeks

2
1
0 0

[PATCH] comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large

by Ian Abbott

The handling of the `COMEDI_INSNLIST` ioctl allocates a kernel buffer to hold the array of `struct comedi_insn`, getting the length from the `n_insns` member of the `struct comedi_insnlist` supplied by the user. The allocation will fail with a WARNING and a stack dump if it is too large. Avoid that by failing with an `-EINVAL` error if the supplied `n_insns` value is unreasonable. Define the limit on the `n_insns` value in the `MAX_INSNS` macro. Set this to the same value as `MAX_SAMPLES` (65536), which is the maximum allowed sum of the values of the member `n` in the array of `struct comedi_insn`, and sensible comedi instructions will have an `n` of at least 1. Reported-by: syzbot+d6995b62e5ac7d79557a(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d6995b62e5ac7d79557a Fixes: ed9eccbe8970 ("Staging: add comedi core") Tested-by: Ian Abbott <abbotti(a)mev.co.uk> Cc: <stable(a)vger.kernel.org> # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> --- Patch does not apply cleanly to longterm kernels 5.4.x and 5.10.x. --- drivers/comedi/comedi_fops.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c index 3383a7ce27ff..962fb9b18a52 100644 --- a/drivers/comedi/comedi_fops.c +++ b/drivers/comedi/comedi_fops.c @@ -1589,6 +1589,16 @@ static int do_insnlist_ioctl(struct comedi_device *dev, return i; } +#define MAX_INSNS MAX_SAMPLES +static int check_insnlist_len(struct comedi_device *dev, unsigned int n_insns) +{ + if (n_insns > MAX_INSNS) { + dev_dbg(dev->class_dev, "insnlist length too large\n"); + return -EINVAL; + } + return 0; +} + /* * COMEDI_INSN ioctl * synchronous instruction @@ -2239,6 +2249,9 @@ static long comedi_unlocked_ioctl(struct file *file, unsigned int cmd, rc = -EFAULT; break; } + rc = check_insnlist_len(dev, insnlist.n_insns); + if (rc) + break; insns = kcalloc(insnlist.n_insns, sizeof(*insns), GFP_KERNEL); if (!insns) { rc = -ENOMEM; @@ -3142,6 +3155,9 @@ static int compat_insnlist(struct file *file, unsigned long arg) if (copy_from_user(&insnlist32, compat_ptr(arg), sizeof(insnlist32))) return -EFAULT; + rc = check_insnlist_len(dev, insnlist32.n_insns); + if (rc) + return rc; insns = kcalloc(insnlist32.n_insns, sizeof(*insns), GFP_KERNEL); if (!insns) return -ENOMEM; -- 2.47.2

4 months, 2 weeks

1
0
0 0

[PATCH 5.10] bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS

by Anastasia Belova

From: Hao Sun <sunhao.th(a)gmail.com> [ Upstream commit 22c7fa171a02d310e3a3f6ed46a698ca8a0060ed ] For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off for validation. However, variable offset ptr alu is not prohibited for this ptr kind. So the variable offset is not checked. The following prog is accepted: func#0 @0 0: R1=ctx() R10=fp0 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx() 1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys() 2: (b7) r8 = 1024 ; R8_w=1024 3: (37) r8 /= 1 ; R8_w=scalar() 4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0, smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400)) 5: (0f) r7 += r8 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024 mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1 mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024 6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024, var_off=(0x0; 0x400)) 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar() 7: (95) exit This prog loads flow_keys to r7, and adds the variable offset r8 to r7, and finally causes out-of-bounds access: BUG: unable to handle page fault for address: ffffc90014c80038 [...] Call Trace: <TASK> bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline] __bpf_prog_run include/linux/filter.h:651 [inline] bpf_prog_run include/linux/filter.h:658 [inline] bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline] bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991 bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359 bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline] __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475 __do_sys_bpf kernel/bpf/syscall.c:5561 [inline] __se_sys_bpf kernel/bpf/syscall.c:5559 [inline] __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Fix this by rejecting ptr alu with variable offset on flow_keys. Applying the patch rejects the program with "R7 pointer arithmetic on flow_keys prohibited". Fixes: d58e468b1112 ("flow_dissector: implements flow dissector BPF hook") Signed-off-by: Hao Sun <sunhao.th(a)gmail.com> Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> Acked-by: Yonghong Song <yonghong.song(a)linux.dev> Link: https://lore.kernel.org/bpf/20240115082028.9992-1-sunhao.th@gmail.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Anastasia Belova <abelova(a)astralinux.ru> --- Backport fix for CVE-2024-26589 kernel/bpf/verifier.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 75251870430e..2a3b5e4276ba 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -6280,6 +6280,10 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, verbose(env, "R%d pointer arithmetic on %s prohibited, null-check it first\n", dst, reg_type_str[ptr_reg->type]); return -EACCES; + case PTR_TO_FLOW_KEYS: + if (known) + break; + fallthrough; case CONST_PTR_TO_MAP: /* smin_val represents the known value */ if (known && smin_val == 0 && opcode == BPF_ADD) -- 2.43.0

4 months, 2 weeks

1
0
0 0

[PATCH 5.15.y] xfs: fix super block buf log item UAF during force shutdown

by Pranav Tyagi

From: Guo Xuenan <guoxuenan(a)huawei.com> [ Upstream commit 575689fc0ffa6c4bb4e72fd18e31a6525a6124e0 ] xfs log io error will trigger xlog shut down, and end_io worker call xlog_state_shutdown_callbacks to unpin and release the buf log item. The race condition is that when there are some thread doing transaction commit and happened not to be intercepted by xlog_is_shutdown, then, these log item will be insert into CIL, when unpin and release these buf log item, UAF will occur. BTW, add delay before `xlog_cil_commit` can increase recurrence probability. The following call graph actually encountered this bad situation. fsstress io end worker kworker/0:1H-216 xlog_ioend_work ->xlog_force_shutdown ->xlog_state_shutdown_callbacks ->xlog_cil_process_committed ->xlog_cil_committed ->xfs_trans_committed_bulk ->xfs_trans_apply_sb_deltas ->li_ops->iop_unpin(lip, 1); ->xfs_trans_getsb ->_xfs_trans_bjoin ->xfs_buf_item_init ->if (bip) { return 0;} //relog ->xlog_cil_commit ->xlog_cil_insert_items //insert into CIL ->xfs_buf_ioend_fail(bp); ->xfs_buf_ioend ->xfs_buf_item_done ->xfs_buf_item_relse ->xfs_buf_item_free when cil push worker gather percpu cil and insert super block buf log item into ctx->log_items then uaf occurs. ================================================================== BUG: KASAN: use-after-free in xlog_cil_push_work+0x1c8f/0x22f0 Write of size 8 at addr ffff88801800f3f0 by task kworker/u4:4/105 CPU: 0 PID: 105 Comm: kworker/u4:4 Tainted: G W 6.1.0-rc1-00001-g274115149b42 #136 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Workqueue: xfs-cil/sda xlog_cil_push_work Call Trace: <TASK> dump_stack_lvl+0x4d/0x66 print_report+0x171/0x4a6 kasan_report+0xb3/0x130 xlog_cil_push_work+0x1c8f/0x22f0 process_one_work+0x6f9/0xf70 worker_thread+0x578/0xf30 kthread+0x28c/0x330 ret_from_fork+0x1f/0x30 </TASK> Allocated by task 2145: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_slab_alloc+0x54/0x60 kmem_cache_alloc+0x14a/0x510 xfs_buf_item_init+0x160/0x6d0 _xfs_trans_bjoin+0x7f/0x2e0 xfs_trans_getsb+0xb6/0x3f0 xfs_trans_apply_sb_deltas+0x1f/0x8c0 __xfs_trans_commit+0xa25/0xe10 xfs_symlink+0xe23/0x1660 xfs_vn_symlink+0x157/0x280 vfs_symlink+0x491/0x790 do_symlinkat+0x128/0x220 __x64_sys_symlink+0x7a/0x90 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 216: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x2a/0x40 __kasan_slab_free+0x105/0x1a0 kmem_cache_free+0xb6/0x460 xfs_buf_ioend+0x1e9/0x11f0 xfs_buf_item_unpin+0x3d6/0x840 xfs_trans_committed_bulk+0x4c2/0x7c0 xlog_cil_committed+0xab6/0xfb0 xlog_cil_process_committed+0x117/0x1e0 xlog_state_shutdown_callbacks+0x208/0x440 xlog_force_shutdown+0x1b3/0x3a0 xlog_ioend_work+0xef/0x1d0 process_one_work+0x6f9/0xf70 worker_thread+0x578/0xf30 kthread+0x28c/0x330 ret_from_fork+0x1f/0x30 The buggy address belongs to the object at ffff88801800f388 which belongs to the cache xfs_buf_item of size 272 The buggy address is located 104 bytes inside of 272-byte region [ffff88801800f388, ffff88801800f498) The buggy address belongs to the physical page: page:ffffea0000600380 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801800f208 pfn:0x1800e head:ffffea0000600380 order:1 compound_mapcount:0 compound_pincount:0 flags: 0x1fffff80010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff) raw: 001fffff80010200 ffffea0000699788 ffff88801319db50 ffff88800fb50640 raw: ffff88801800f208 000000000015000a 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88801800f280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88801800f300: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88801800f380: fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88801800f400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88801800f480: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== Disabling lock debugging due to kernel taint [ Backport to 5.15: context cleanly applied with no semantic changes. Build-tested. ] Signed-off-by: Guo Xuenan <guoxuenan(a)huawei.com> Reviewed-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Pranav Tyagi <pranav.tyagi03(a)gmail.com> --- fs/xfs/xfs_buf_item.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/xfs/xfs_buf_item.c b/fs/xfs/xfs_buf_item.c index b1ab100c09e1..ffe318eb897f 100644 --- a/fs/xfs/xfs_buf_item.c +++ b/fs/xfs/xfs_buf_item.c @@ -1017,6 +1017,8 @@ xfs_buf_item_relse( trace_xfs_buf_item_relse(bp, _RET_IP_); ASSERT(!test_bit(XFS_LI_IN_AIL, &bip->bli_item.li_flags)); + if (atomic_read(&bip->bli_refcount)) + return; bp->b_log_item = NULL; xfs_buf_rele(bp); xfs_buf_item_free(bip); -- 2.49.0

4 months, 2 weeks

3
6
0 0

[PATCH v2] drm/gem: Acquire references on GEM handles for framebuffers

by Thomas Zimmermann

A GEM handle can be released while the GEM buffer object is attached to a DRM framebuffer. This leads to the release of the dma-buf backing the buffer object, if any. [1] Trying to use the framebuffer in further mode-setting operations leads to a segmentation fault. Most easily happens with driver that use shadow planes for vmap-ing the dma-buf during a page flip. An example is shown below. [ 156.791968] ------------[ cut here ]------------ [ 156.796830] WARNING: CPU: 2 PID: 2255 at drivers/dma-buf/dma-buf.c:1527 dma_buf_vmap+0x224/0x430 [...] [ 156.942028] RIP: 0010:dma_buf_vmap+0x224/0x430 [ 157.043420] Call Trace: [ 157.045898] <TASK> [ 157.048030] ? show_trace_log_lvl+0x1af/0x2c0 [ 157.052436] ? show_trace_log_lvl+0x1af/0x2c0 [ 157.056836] ? show_trace_log_lvl+0x1af/0x2c0 [ 157.061253] ? drm_gem_shmem_vmap+0x74/0x710 [ 157.065567] ? dma_buf_vmap+0x224/0x430 [ 157.069446] ? __warn.cold+0x58/0xe4 [ 157.073061] ? dma_buf_vmap+0x224/0x430 [ 157.077111] ? report_bug+0x1dd/0x390 [ 157.080842] ? handle_bug+0x5e/0xa0 [ 157.084389] ? exc_invalid_op+0x14/0x50 [ 157.088291] ? asm_exc_invalid_op+0x16/0x20 [ 157.092548] ? dma_buf_vmap+0x224/0x430 [ 157.096663] ? dma_resv_get_singleton+0x6d/0x230 [ 157.101341] ? __pfx_dma_buf_vmap+0x10/0x10 [ 157.105588] ? __pfx_dma_resv_get_singleton+0x10/0x10 [ 157.110697] drm_gem_shmem_vmap+0x74/0x710 [ 157.114866] drm_gem_vmap+0xa9/0x1b0 [ 157.118763] drm_gem_vmap_unlocked+0x46/0xa0 [ 157.123086] drm_gem_fb_vmap+0xab/0x300 [ 157.126979] drm_atomic_helper_prepare_planes.part.0+0x487/0xb10 [ 157.133032] ? lockdep_init_map_type+0x19d/0x880 [ 157.137701] drm_atomic_helper_commit+0x13d/0x2e0 [ 157.142671] ? drm_atomic_nonblocking_commit+0xa0/0x180 [ 157.147988] drm_mode_atomic_ioctl+0x766/0xe40 [...] [ 157.346424] ---[ end trace 0000000000000000 ]--- Acquiring GEM handles for the framebuffer's GEM buffer objects prevents this from happening. The framebuffer's cleanup later puts the handle references. Commit 1a148af06000 ("drm/gem-shmem: Use dma_buf from GEM object instance") triggers the segmentation fault easily by using the dma-buf field more widely. The underlying issue with reference counting has been present before. v2: - acquire the handle instead of the BO (Christian) - fix comment style (Christian) - drop the Fixes tag (Christian) - rename err_ gotos - add missing Link tag Suggested-by: Christian König <christian.koenig(a)amd.com> Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Link: https://elixir.bootlin.com/linux/v6.15/source/drivers/gpu/drm/drm_gem.c#L241 # [1] Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: Anusha Srivatsa <asrivats(a)redhat.com> Cc: Christian König <christian.koenig(a)amd.com> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Maxime Ripard <mripard(a)kernel.org> Cc: Sumit Semwal <sumit.semwal(a)linaro.org> Cc: "Christian König" <christian.koenig(a)amd.com> Cc: linux-media(a)vger.kernel.org Cc: dri-devel(a)lists.freedesktop.org Cc: linaro-mm-sig(a)lists.linaro.org Cc: <stable(a)vger.kernel.org> --- drivers/gpu/drm/drm_gem.c | 44 ++++++++++++++++++-- drivers/gpu/drm/drm_gem_framebuffer_helper.c | 16 +++---- drivers/gpu/drm/drm_internal.h | 2 + 3 files changed, 51 insertions(+), 11 deletions(-) diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index 19d50d254fe6..bc505d938b3e 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -213,6 +213,35 @@ void drm_gem_private_object_fini(struct drm_gem_object *obj) } EXPORT_SYMBOL(drm_gem_private_object_fini); +static void drm_gem_object_handle_get(struct drm_gem_object *obj) +{ + struct drm_device *dev = obj->dev; + + drm_WARN_ON(dev, !mutex_is_locked(&dev->object_name_lock)); + + if (obj->handle_count++ == 0) + drm_gem_object_get(obj); +} + +/** + * drm_gem_object_handle_get_unlocked - acquire reference on user-space handles + * @obj: GEM object + * + * Acquires a reference on the GEM buffer object's handle. Required + * to keep the GEM object alive. Call drm_gem_object_handle_put_unlocked() + * to release the reference. + */ +void drm_gem_object_handle_get_unlocked(struct drm_gem_object *obj) +{ + struct drm_device *dev = obj->dev; + + guard(mutex)(&dev->object_name_lock); + + drm_WARN_ON(dev, !obj->handle_count); /* first ref taken in create-tail helper */ + drm_gem_object_handle_get(obj); +} +EXPORT_SYMBOL(drm_gem_object_handle_get_unlocked); + /** * drm_gem_object_handle_free - release resources bound to userspace handles * @obj: GEM object to clean up. @@ -243,8 +272,14 @@ static void drm_gem_object_exported_dma_buf_free(struct drm_gem_object *obj) } } -static void -drm_gem_object_handle_put_unlocked(struct drm_gem_object *obj) +/** + * drm_gem_object_handle_put_unlocked - releases reference on user-space handles + * @obj: GEM object + * + * Releases a reference on the GEM buffer object's handle. Possibly releases + * the GEM buffer object and associated dma-buf objects. + */ +void drm_gem_object_handle_put_unlocked(struct drm_gem_object *obj) { struct drm_device *dev = obj->dev; bool final = false; @@ -269,6 +304,7 @@ drm_gem_object_handle_put_unlocked(struct drm_gem_object *obj) if (final) drm_gem_object_put(obj); } +EXPORT_SYMBOL(drm_gem_object_handle_put_unlocked); /* * Called at device or object close to release the file's @@ -390,8 +426,8 @@ drm_gem_handle_create_tail(struct drm_file *file_priv, int ret; WARN_ON(!mutex_is_locked(&dev->object_name_lock)); - if (obj->handle_count++ == 0) - drm_gem_object_get(obj); + + drm_gem_object_handle_get(obj); /* * Get the user-visible handle using idr. Preload and perform diff --git a/drivers/gpu/drm/drm_gem_framebuffer_helper.c b/drivers/gpu/drm/drm_gem_framebuffer_helper.c index 618ce725cd75..c60d0044d036 100644 --- a/drivers/gpu/drm/drm_gem_framebuffer_helper.c +++ b/drivers/gpu/drm/drm_gem_framebuffer_helper.c @@ -100,7 +100,7 @@ void drm_gem_fb_destroy(struct drm_framebuffer *fb) unsigned int i; for (i = 0; i < fb->format->num_planes; i++) - drm_gem_object_put(fb->obj[i]); + drm_gem_object_handle_put_unlocked(fb->obj[i]); drm_framebuffer_cleanup(fb); kfree(fb); @@ -183,8 +183,10 @@ int drm_gem_fb_init_with_funcs(struct drm_device *dev, if (!objs[i]) { drm_dbg_kms(dev, "Failed to lookup GEM object\n"); ret = -ENOENT; - goto err_gem_object_put; + goto err_gem_object_handle_put_unlocked; } + drm_gem_object_handle_get_unlocked(objs[i]); + drm_gem_object_put(objs[i]); min_size = (height - 1) * mode_cmd->pitches[i] + drm_format_info_min_pitch(info, i, width) @@ -194,22 +196,22 @@ int drm_gem_fb_init_with_funcs(struct drm_device *dev, drm_dbg_kms(dev, "GEM object size (%zu) smaller than minimum size (%u) for plane %d\n", objs[i]->size, min_size, i); - drm_gem_object_put(objs[i]); + drm_gem_object_handle_put_unlocked(objs[i]); ret = -EINVAL; - goto err_gem_object_put; + goto err_gem_object_handle_put_unlocked; } } ret = drm_gem_fb_init(dev, fb, mode_cmd, objs, i, funcs); if (ret) - goto err_gem_object_put; + goto err_gem_object_handle_put_unlocked; return 0; -err_gem_object_put: +err_gem_object_handle_put_unlocked: while (i > 0) { --i; - drm_gem_object_put(objs[i]); + drm_gem_object_handle_put_unlocked(objs[i]); } return ret; } diff --git a/drivers/gpu/drm/drm_internal.h b/drivers/gpu/drm/drm_internal.h index 442eb31351dd..f7b414a813ae 100644 --- a/drivers/gpu/drm/drm_internal.h +++ b/drivers/gpu/drm/drm_internal.h @@ -161,6 +161,8 @@ void drm_sysfs_lease_event(struct drm_device *dev); /* drm_gem.c */ int drm_gem_init(struct drm_device *dev); +void drm_gem_object_handle_get_unlocked(struct drm_gem_object *obj); +void drm_gem_object_handle_put_unlocked(struct drm_gem_object *obj); int drm_gem_handle_create_tail(struct drm_file *file_priv, struct drm_gem_object *obj, u32 *handlep); -- 2.50.0

4 months, 2 weeks

3
14
0 0

[REGRESSION] Packet loss after hot-plugging ethernet cable on HP Zbook (Arrow Lake)

by En-Wei WU

Hi, I'm seeing a regression on an HP ZBook using the e1000e driver (chipset PCI ID: [8086:57a0]) -- the system can't get an IP address after hot-plugging an Ethernet cable. In this case, the Ethernet cable was unplugged at boot. The network interface eno1 was present but stuck in the DHCP process. Using tcpdump, only TX packets were visible and never got any RX -- indicating a possible packet loss or link-layer issue. This is on the vanilla Linux 6.16-rc4 (commit 62f224733431dbd564c4fe800d4b67a0cf92ed10). Bisect says it's this commit: commit efaaf344bc2917cbfa5997633bc18a05d3aed27f Author: Vitaly Lifshits <vitaly.lifshits(a)intel.com> Date: Thu Mar 13 16:05:56 2025 +0200 e1000e: change k1 configuration on MTP and later platforms Starting from Meteor Lake, the Kumeran interface between the integrated MAC and the I219 PHY works at a different frequency. This causes sporadic MDI errors when accessing the PHY, and in rare circumstances could lead to packet corruption. To overcome this, introduce minor changes to the Kumeran idle state (K1) parameters during device initialization. Hardware reset reverts this configuration, therefore it needs to be applied in a few places. Fixes: cc23f4f0b6b9 ("e1000e: Add support for Meteor Lake") Signed-off-by: Vitaly Lifshits <vitaly.lifshits(a)intel.com> Tested-by: Avigail Dahan <avigailx.dahan(a)intel.com> Signed-off-by: Tony Nguyen <anthony.l.nguyen(a)intel.com> drivers/net/ethernet/intel/e1000e/defines.h | 3 +++ drivers/net/ethernet/intel/e1000e/ich8lan.c | 80 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----- drivers/net/ethernet/intel/e1000e/ich8lan.h | 4 ++++ 3 files changed, 82 insertions(+), 5 deletions(-) Reverting this patch resolves the issue. Based on the symptoms and the bisect result, this issue might be similar to https://lore.kernel.org/intel-wired-lan/20250626153544.1853d106@onyx.my.dom… Affected machine is: HP ZBook X G1i 16 inch Mobile Workstation PC, BIOS 01.02.03 05/27/2025 (see end of message for dmesg from boot) CPU model name: Intel(R) Core(TM) Ultra 7 265H (Arrow Lake) ethtool output: driver: e1000e version: 6.16.0-061600rc4-generic firmware-version: 0.1-4 expansion-rom-version: bus-info: 0000:00:1f.6 supports-statistics: yes supports-test: yes supports-eeprom-access: yes supports-register-dump: yes supports-priv-flags: yes lspci output: 0:1f.6 Ethernet controller [0200]: Intel Corporation Device [8086:57a0] DeviceName: Onboard Ethernet Subsystem: Hewlett-Packard Company Device [103c:8e1d] Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+ Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx- Latency: 0 Interrupt: pin D routed to IRQ 162 IOMMU group: 17 Region 0: Memory at 92280000 (32-bit, non-prefetchable) [size=128K] Capabilities: [c8] Power Management version 3 Flags: PMEClk- DSI+ D1- D2- AuxCurrent=0mA PME(D0+,D1-,D2-,D3hot+,D3cold+) Status: D0 NoSoftRst+ PME-Enable- DSel=0 DScale=1 PME- Capabilities: [d0] MSI: Enable+ Count=1/1 Maskable- 64bit+ Address: 00000000fee00798 Data: 0000 Kernel driver in use: e1000e Kernel modules: e1000e The relevant dmesg: <<<cable disconnected>>> [ 0.927394] e1000e: Intel(R) PRO/1000 Network Driver [ 0.927398] e1000e: Copyright(c) 1999 - 2015 Intel Corporation. [ 0.927933] e1000e 0000:00:1f.6: enabling device (0000 -> 0002) [ 0.928249] e1000e 0000:00:1f.6: Interrupt Throttling Rate (ints/sec) set to dynamic conservative mode [ 1.155716] e1000e 0000:00:1f.6 0000:00:1f.6 (uninitialized): registered PHC clock [ 1.220694] e1000e 0000:00:1f.6 eth0: (PCI Express:2.5GT/s:Width x1) 24:fb:e3:bf:28:c6 [ 1.220721] e1000e 0000:00:1f.6 eth0: Intel(R) PRO/1000 Network Connection [ 1.220903] e1000e 0000:00:1f.6 eth0: MAC: 16, PHY: 12, PBA No: FFFFFF-0FF [ 1.222632] e1000e 0000:00:1f.6 eno1: renamed from eth0 <<<cable connected>>> [ 153.932626] e1000e 0000:00:1f.6 eno1: NIC Link is Up 1000 Mbps Half Duplex, Flow Control: None [ 153.934527] e1000e 0000:00:1f.6 eno1: NIC Link is Down [ 157.622238] e1000e 0000:00:1f.6 eno1: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None No error message seen after hot-plugging the Ethernet cable. -- Best Regards, En-Wei.

4 months, 2 weeks

3
3
0 0

[PATCH] ALSA: ad1816a: Fix potential NULL pointer deref in snd_card_ad1816a_pnp()

by Thorsten Blum

Use pr_warn() instead of dev_warn() when 'pdev' is NULL to avoid a potential NULL pointer dereference. Cc: stable(a)vger.kernel.org Fixes: 20869176d7a7 ("ALSA: ad1816a: Use standard print API") Signed-off-by: Thorsten Blum <thorsten.blum(a)linux.dev> --- sound/isa/ad1816a/ad1816a.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/isa/ad1816a/ad1816a.c b/sound/isa/ad1816a/ad1816a.c index 99006dc4777e..5c9e2d41d900 100644 --- a/sound/isa/ad1816a/ad1816a.c +++ b/sound/isa/ad1816a/ad1816a.c @@ -98,7 +98,7 @@ static int snd_card_ad1816a_pnp(int dev, struct pnp_card_link *card, pdev = pnp_request_card_device(card, id->devs[1].id, NULL); if (pdev == NULL) { mpu_port[dev] = -1; - dev_warn(&pdev->dev, "MPU401 device busy, skipping.\n"); + pr_warn("MPU401 device busy, skipping.\n"); return 0; } -- 2.50.0

4 months, 2 weeks

2
1
0 0

[PATCH 1/2] KVM: arm64: Fix enforcement of upper bound on MDCR_EL2.HPMN

by Ben Horgan

Previously, u64_replace_bits() was used to no effect as the return value was ignored. Convert to u64p_replace_bits() so the value is updated in place. Signed-off-by: Ben Horgan <ben.horgan(a)arm.com> Fixes: efff9dd2fee7 ("KVM: arm64: Handle out-of-bound write to MDCR_EL2.HPMN") Cc: Marc Zyngier <maz(a)kernel.org> Cc: stable(a)vger.kernel.org --- arch/arm64/kvm/sys_regs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c index 76c2f0da821f..c20bd6f21e60 100644 --- a/arch/arm64/kvm/sys_regs.c +++ b/arch/arm64/kvm/sys_regs.c @@ -2624,7 +2624,7 @@ static bool access_mdcr(struct kvm_vcpu *vcpu, */ if (hpmn > vcpu->kvm->arch.nr_pmu_counters) { hpmn = vcpu->kvm->arch.nr_pmu_counters; - u64_replace_bits(val, hpmn, MDCR_EL2_HPMN); + u64p_replace_bits(&val, hpmn, MDCR_EL2_HPMN); } __vcpu_assign_sys_reg(vcpu, MDCR_EL2, val); -- 2.43.0

4 months, 2 weeks

2
1
0 0

+ mm-damon-fix-divide-by-zero-in-damon_get_intervals_score.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/damon: fix divide by zero in damon_get_intervals_score() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-damon-fix-divide-by-zero-in-damon_get_intervals_score.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Honggyu Kim <honggyu.kim(a)sk.com> Subject: mm/damon: fix divide by zero in damon_get_intervals_score() Date: Wed, 2 Jul 2025 09:02:04 +0900 The current implementation allows having zero size regions with no special reasons, but damon_get_intervals_score() gets crashed by divide by zero when the region size is zero. [ 29.403950] Oops: divide error: 0000 [#1] SMP NOPTI This patch fixes the bug, but does not disallow zero size regions to keep the backward compatibility since disallowing zero size regions might be a breaking change for some users. In addition, the same crash can happen when intervals_goal.access_bp is zero so this should be fixed in stable trees as well. Link: https://lkml.kernel.org/r/20250702000205.1921-5-honggyu.kim@sk.com Fixes: f04b0fedbe71 ("mm/damon/core: implement intervals auto-tuning") Signed-off-by: Honggyu Kim <honggyu.kim(a)sk.com> Reviewed-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 1 + 1 file changed, 1 insertion(+) --- a/mm/damon/core.c~mm-damon-fix-divide-by-zero-in-damon_get_intervals_score +++ a/mm/damon/core.c @@ -1449,6 +1449,7 @@ static unsigned long damon_get_intervals } } target_access_events = max_access_events * goal_bp / 10000; + target_access_events = target_access_events ? : 1; return access_events * 10000 / target_access_events; } _ Patches currently in -mm which might be from honggyu.kim(a)sk.com are samples-damon-fix-damon-sample-prcl-for-start-failure.patch samples-damon-fix-damon-sample-wsse-for-start-failure.patch samples-damon-fix-damon-sample-mtier-for-start-failure.patch mm-damon-fix-divide-by-zero-in-damon_get_intervals_score.patch

4 months, 2 weeks

1
0
0 0

+ samples-damon-fix-damon-sample-mtier-for-start-failure.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: samples/damon: fix damon sample mtier for start failure has been added to the -mm mm-hotfixes-unstable branch. Its filename is samples-damon-fix-damon-sample-mtier-for-start-failure.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Honggyu Kim <honggyu.kim(a)sk.com> Subject: samples/damon: fix damon sample mtier for start failure Date: Wed, 2 Jul 2025 09:02:03 +0900 The damon_sample_mtier_start() can fail so we must reset the "enable" parameter to "false" again for proper rollback. In such cases, setting Y to "enable" then N triggers the similar crash with mtier because damon sample start failed but the "enable" stays as Y. Link: https://lkml.kernel.org/r/20250702000205.1921-4-honggyu.kim@sk.com Fixes: 82a08bde3cf7 ("samples/damon: implement a DAMON module for memory tiering") Signed-off-by: Honggyu Kim <honggyu.kim(a)sk.com> Reviewed-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- samples/damon/mtier.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/samples/damon/mtier.c~samples-damon-fix-damon-sample-mtier-for-start-failure +++ a/samples/damon/mtier.c @@ -164,8 +164,12 @@ static int damon_sample_mtier_enable_sto if (enable == enabled) return 0; - if (enable) - return damon_sample_mtier_start(); + if (enable) { + err = damon_sample_mtier_start(); + if (err) + enable = false; + return err; + } damon_sample_mtier_stop(); return 0; } _ Patches currently in -mm which might be from honggyu.kim(a)sk.com are samples-damon-fix-damon-sample-prcl-for-start-failure.patch samples-damon-fix-damon-sample-wsse-for-start-failure.patch samples-damon-fix-damon-sample-mtier-for-start-failure.patch mm-damon-fix-divide-by-zero-in-damon_get_intervals_score.patch

4 months, 2 weeks

1
0
0 0

+ samples-damon-fix-damon-sample-wsse-for-start-failure.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: samples/damon: fix damon sample wsse for start failure has been added to the -mm mm-hotfixes-unstable branch. Its filename is samples-damon-fix-damon-sample-wsse-for-start-failure.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Honggyu Kim <honggyu.kim(a)sk.com> Subject: samples/damon: fix damon sample wsse for start failure Date: Wed, 2 Jul 2025 09:02:02 +0900 The damon_sample_wsse_start() can fail so we must reset the "enable" parameter to "false" again for proper rollback. In such cases, setting Y to "enable" then N triggers the similar crash with wsse because damon sample start failed but the "enable" stays as Y. Link: https://lkml.kernel.org/r/20250702000205.1921-3-honggyu.kim@sk.com Fixes: b757c6cfc696 ("samples/damon/wsse: start and stop DAMON as the user requests") Signed-off-by: Honggyu Kim <honggyu.kim(a)sk.com> Reviewed-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- samples/damon/wsse.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/samples/damon/wsse.c~samples-damon-fix-damon-sample-wsse-for-start-failure +++ a/samples/damon/wsse.c @@ -102,8 +102,12 @@ static int damon_sample_wsse_enable_stor if (enable == enabled) return 0; - if (enable) - return damon_sample_wsse_start(); + if (enable) { + err = damon_sample_wsse_start(); + if (err) + enable = false; + return err; + } damon_sample_wsse_stop(); return 0; } _ Patches currently in -mm which might be from honggyu.kim(a)sk.com are samples-damon-fix-damon-sample-prcl-for-start-failure.patch samples-damon-fix-damon-sample-wsse-for-start-failure.patch samples-damon-fix-damon-sample-mtier-for-start-failure.patch mm-damon-fix-divide-by-zero-in-damon_get_intervals_score.patch

4 months, 2 weeks

1
0
0 0

+ samples-damon-fix-damon-sample-prcl-for-start-failure.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: samples/damon: fix damon sample prcl for start failure has been added to the -mm mm-hotfixes-unstable branch. Its filename is samples-damon-fix-damon-sample-prcl-for-start-failure.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Honggyu Kim <honggyu.kim(a)sk.com> Subject: samples/damon: fix damon sample prcl for start failure Date: Wed, 2 Jul 2025 09:02:01 +0900 Patch series "mm/damon: fix divide by zero and its samples", v3. This series includes fixes against damon and its samples to make it safer when damon sample starting fails. It includes the following changes. - fix unexpected divide by zero crash for zero size regions - fix bugs for damon samples in case of start failures This patch (of 4): The damon_sample_prcl_start() can fail so we must reset the "enable" parameter to "false" again for proper rollback. In such cases, setting Y to "enable" then N triggers the following crash because damon sample start failed but the "enable" stays as Y. [ 2441.419649] damon_sample_prcl: start [ 2454.146817] damon_sample_prcl: stop [ 2454.146862] ------------[ cut here ]------------ [ 2454.146865] kernel BUG at mm/slub.c:546! [ 2454.148183] Oops: invalid opcode: 0000 [#1] SMP NOPTI ... [ 2454.167555] Call Trace: [ 2454.167822] <TASK> [ 2454.168061] damon_destroy_ctx+0x78/0x140 [ 2454.168454] damon_sample_prcl_enable_store+0x8d/0xd0 [ 2454.168932] param_attr_store+0xa1/0x120 [ 2454.169315] module_attr_store+0x20/0x50 [ 2454.169695] sysfs_kf_write+0x72/0x90 [ 2454.170065] kernfs_fop_write_iter+0x150/0x1e0 [ 2454.170491] vfs_write+0x315/0x440 [ 2454.170833] ksys_write+0x69/0xf0 [ 2454.171162] __x64_sys_write+0x19/0x30 [ 2454.171525] x64_sys_call+0x18b2/0x2700 [ 2454.171900] do_syscall_64+0x7f/0x680 [ 2454.172258] ? exit_to_user_mode_loop+0xf6/0x180 [ 2454.172694] ? clear_bhb_loop+0x30/0x80 [ 2454.173067] ? clear_bhb_loop+0x30/0x80 [ 2454.173439] entry_SYSCALL_64_after_hwframe+0x76/0x7e Link: https://lkml.kernel.org/r/20250702000205.1921-1-honggyu.kim@sk.com Link: https://lkml.kernel.org/r/20250702000205.1921-2-honggyu.kim@sk.com Fixes: 2aca254620a8 ("samples/damon: introduce a skeleton of a smaple DAMON module for proactive reclamation") Signed-off-by: Honggyu Kim <honggyu.kim(a)sk.com> Reviewed-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- samples/damon/prcl.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/samples/damon/prcl.c~samples-damon-fix-damon-sample-prcl-for-start-failure +++ a/samples/damon/prcl.c @@ -122,8 +122,12 @@ static int damon_sample_prcl_enable_stor if (enable == enabled) return 0; - if (enable) - return damon_sample_prcl_start(); + if (enable) { + err = damon_sample_prcl_start(); + if (err) + enable = false; + return err; + } damon_sample_prcl_stop(); return 0; } _ Patches currently in -mm which might be from honggyu.kim(a)sk.com are samples-damon-fix-damon-sample-prcl-for-start-failure.patch samples-damon-fix-damon-sample-wsse-for-start-failure.patch samples-damon-fix-damon-sample-mtier-for-start-failure.patch mm-damon-fix-divide-by-zero-in-damon_get_intervals_score.patch

4 months, 2 weeks

1
0
0 0

[PATCH] drm/nouveau: Do not fail module init on debugfs errors

by Aaron Thompson

From: Aaron Thompson <dev(a)aaront.org> If CONFIG_DEBUG_FS is enabled, nouveau_drm_init() returns an error if it fails to create the "nouveau" directory in debugfs. One case where that will happen is when debugfs access is restricted by CONFIG_DEBUG_FS_ALLOW_NONE or by the boot parameter debugfs=off, which cause the debugfs APIs to return -EPERM. So just ignore errors from debugfs. Note that nouveau_debugfs_root may be an error now, but that is a standard pattern for debugfs. From include/linux/debugfs.h: "NOTE: it's expected that most callers should _ignore_ the errors returned by this function. Other debugfs functions handle the fact that the "dentry" passed to them could be an error and they don't crash in that case. Drivers should generally work fine even if debugfs fails to init anyway." Fixes: 97118a1816d2 ("drm/nouveau: create module debugfs root") Cc: stable(a)vger.kernel.org Signed-off-by: Aaron Thompson <dev(a)aaront.org> --- drivers/gpu/drm/nouveau/nouveau_debugfs.c | 6 +----- drivers/gpu/drm/nouveau/nouveau_debugfs.h | 5 ++--- drivers/gpu/drm/nouveau/nouveau_drm.c | 4 +--- 3 files changed, 4 insertions(+), 11 deletions(-) diff --git a/drivers/gpu/drm/nouveau/nouveau_debugfs.c b/drivers/gpu/drm/nouveau/nouveau_debugfs.c index 200e65a7cefc..c7869a639bef 100644 --- a/drivers/gpu/drm/nouveau/nouveau_debugfs.c +++ b/drivers/gpu/drm/nouveau/nouveau_debugfs.c @@ -314,14 +314,10 @@ nouveau_debugfs_fini(struct nouveau_drm *drm) drm->debugfs = NULL; } -int +void nouveau_module_debugfs_init(void) { nouveau_debugfs_root = debugfs_create_dir("nouveau", NULL); - if (IS_ERR(nouveau_debugfs_root)) - return PTR_ERR(nouveau_debugfs_root); - - return 0; } void diff --git a/drivers/gpu/drm/nouveau/nouveau_debugfs.h b/drivers/gpu/drm/nouveau/nouveau_debugfs.h index b7617b344ee2..d05ed0e641c4 100644 --- a/drivers/gpu/drm/nouveau/nouveau_debugfs.h +++ b/drivers/gpu/drm/nouveau/nouveau_debugfs.h @@ -24,7 +24,7 @@ extern void nouveau_debugfs_fini(struct nouveau_drm *); extern struct dentry *nouveau_debugfs_root; -int nouveau_module_debugfs_init(void); +void nouveau_module_debugfs_init(void); void nouveau_module_debugfs_fini(void); #else static inline void @@ -42,10 +42,9 @@ nouveau_debugfs_fini(struct nouveau_drm *drm) { } -static inline int +static inline void nouveau_module_debugfs_init(void) { - return 0; } static inline void diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c index 0c82a63cd49d..1527b801f013 100644 --- a/drivers/gpu/drm/nouveau/nouveau_drm.c +++ b/drivers/gpu/drm/nouveau/nouveau_drm.c @@ -1461,9 +1461,7 @@ nouveau_drm_init(void) if (!nouveau_modeset) return 0; - ret = nouveau_module_debugfs_init(); - if (ret) - return ret; + nouveau_module_debugfs_init(); #ifdef CONFIG_NOUVEAU_PLATFORM_DRIVER platform_driver_register(&nouveau_platform_driver); base-commit: d0b3b7b22dfa1f4b515fd3a295b3fd958f9e81af -- 2.39.5

4 months, 2 weeks

3
2
0 0

[PATCH v6 01/12] platform/x86/intel/pmt: fix a crashlog NULL pointer access

by Michael J. Ruhl

Usage of the intel_pmt_read() for binary sysfs, requires a pcidev. The current use of the endpoint value is only valid for telemetry endpoint usage. Without the ep, the crashlog usage causes the following NULL pointer exception: BUG: kernel NULL pointer dereference, address: 0000000000000000 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:intel_pmt_read+0x3b/0x70 [pmt_class] Code: Call Trace: <TASK> ? sysfs_kf_bin_read+0xc0/0xe0 kernfs_fop_read_iter+0xac/0x1a0 vfs_read+0x26d/0x350 ksys_read+0x6b/0xe0 __x64_sys_read+0x1d/0x30 x64_sys_call+0x1bc8/0x1d70 do_syscall_64+0x6d/0x110 Augment struct intel_pmt_entry with a pointer to the pcidev to avoid the NULL pointer exception. Reviewed-by: Tejas Upadhyay <tejas.upadhyay(a)intel.com> Fixes: 045a513040cc ("platform/x86/intel/pmt: Use PMT callbacks") Cc: <stable(a)vger.kernel.org> Signed-off-by: Michael J. Ruhl <michael.j.ruhl(a)intel.com> --- drivers/platform/x86/intel/pmt/class.c | 3 ++- drivers/platform/x86/intel/pmt/class.h | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/platform/x86/intel/pmt/class.c b/drivers/platform/x86/intel/pmt/class.c index 7233b654bbad..d046e8752173 100644 --- a/drivers/platform/x86/intel/pmt/class.c +++ b/drivers/platform/x86/intel/pmt/class.c @@ -97,7 +97,7 @@ intel_pmt_read(struct file *filp, struct kobject *kobj, if (count > entry->size - off) count = entry->size - off; - count = pmt_telem_read_mmio(entry->ep->pcidev, entry->cb, entry->header.guid, buf, + count = pmt_telem_read_mmio(entry->pcidev, entry->cb, entry->header.guid, buf, entry->base, off, count); return count; @@ -252,6 +252,7 @@ static int intel_pmt_populate_entry(struct intel_pmt_entry *entry, return -EINVAL; } + entry->pcidev = pci_dev; entry->guid = header->guid; entry->size = header->size; entry->cb = ivdev->priv_data; diff --git a/drivers/platform/x86/intel/pmt/class.h b/drivers/platform/x86/intel/pmt/class.h index b2006d57779d..f6ce80c4e051 100644 --- a/drivers/platform/x86/intel/pmt/class.h +++ b/drivers/platform/x86/intel/pmt/class.h @@ -39,6 +39,7 @@ struct intel_pmt_header { struct intel_pmt_entry { struct telem_endpoint *ep; + struct pci_dev *pcidev; struct intel_pmt_header header; struct bin_attribute pmt_bin_attr; struct kobject *kobj; -- 2.49.0

4 months, 2 weeks

1
0
0 0

+ kasan-remove-kasan_find_vm_area-to-prevent-possible-deadlock.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: kasan: remove kasan_find_vm_area() to prevent possible deadlock has been added to the -mm mm-hotfixes-unstable branch. Its filename is kasan-remove-kasan_find_vm_area-to-prevent-possible-deadlock.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Yeoreum Yun <yeoreum.yun(a)arm.com> Subject: kasan: remove kasan_find_vm_area() to prevent possible deadlock Date: Thu, 3 Jul 2025 19:10:18 +0100 find_vm_area() couldn't be called in atomic_context. If find_vm_area() is called to reports vm area information, kasan can trigger deadlock like: CPU0 CPU1 vmalloc(); alloc_vmap_area(); spin_lock(&vn->busy.lock) spin_lock_bh(&some_lock); <interrupt occurs> <in softirq> spin_lock(&some_lock); <access invalid address> kasan_report(); print_report(); print_address_description(); kasan_find_vm_area(); find_vm_area(); spin_lock(&vn->busy.lock) // deadlock! To prevent possible deadlock while kasan reports, remove kasan_find_vm_area(). Link: https://lkml.kernel.org/r/20250703181018.580833-1-yeoreum.yun@arm.com Fixes: c056a364e954 ("kasan: print virtual mapping info in reports") Signed-off-by: Yeoreum Yun <yeoreum.yun(a)arm.com> Reported-by: Yunseong Kim <ysk(a)kzalloc.com> Cc: Alexander Potapenko <glider(a)google.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Cc: Byungchul Park <byungchul(a)sk.com> Cc: Dmitriy Vyukov <dvyukov(a)google.com> Cc: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Cc: Steven Rostedt <rostedt(a)goodmis.org> Cc: Vincenzo Frascino <vincenzo.frascino(a)arm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/kasan/report.c | 45 +------------------------------------------- 1 file changed, 2 insertions(+), 43 deletions(-) --- a/mm/kasan/report.c~kasan-remove-kasan_find_vm_area-to-prevent-possible-deadlock +++ a/mm/kasan/report.c @@ -370,36 +370,6 @@ static inline bool init_task_stack_addr( sizeof(init_thread_union.stack)); } -/* - * This function is invoked with report_lock (a raw_spinlock) held. A - * PREEMPT_RT kernel cannot call find_vm_area() as it will acquire a sleeping - * rt_spinlock. - * - * For !RT kernel, the PROVE_RAW_LOCK_NESTING config option will print a - * lockdep warning for this raw_spinlock -> spinlock dependency. This config - * option is enabled by default to ensure better test coverage to expose this - * kind of RT kernel problem. This lockdep splat, however, can be suppressed - * by using DEFINE_WAIT_OVERRIDE_MAP() if it serves a useful purpose and the - * invalid PREEMPT_RT case has been taken care of. - */ -static inline struct vm_struct *kasan_find_vm_area(void *addr) -{ - static DEFINE_WAIT_OVERRIDE_MAP(vmalloc_map, LD_WAIT_SLEEP); - struct vm_struct *va; - - if (IS_ENABLED(CONFIG_PREEMPT_RT)) - return NULL; - - /* - * Suppress lockdep warning and fetch vmalloc area of the - * offending address. - */ - lock_map_acquire_try(&vmalloc_map); - va = find_vm_area(addr); - lock_map_release(&vmalloc_map); - return va; -} - static void print_address_description(void *addr, u8 tag, struct kasan_report_info *info) { @@ -429,19 +399,8 @@ static void print_address_description(vo } if (is_vmalloc_addr(addr)) { - struct vm_struct *va = kasan_find_vm_area(addr); - - if (va) { - pr_err("The buggy address belongs to the virtual mapping at\n" - " [%px, %px) created by:\n" - " %pS\n", - va->addr, va->addr + va->size, va->caller); - pr_err("\n"); - - page = vmalloc_to_page(addr); - } else { - pr_err("The buggy address %px belongs to a vmalloc virtual mapping\n", addr); - } + pr_err("The buggy address %px belongs to a vmalloc virtual mapping\n", addr); + page = vmalloc_to_page(addr); } if (page) { _ Patches currently in -mm which might be from yeoreum.yun(a)arm.com are kasan-remove-kasan_find_vm_area-to-prevent-possible-deadlock.patch

4 months, 2 weeks

1
0
0 0

[PATCH 6.12.y 0/3] r8169: add support for RTL8125D

by mathieu.tortuyaux＠gmail.com

From: Mathieu Tortuyaux <mtortuyaux(a)microsoft.com> Hi, This backports support for Realtek device 0x688 on Kernel 6.12.y: * Tested in Flatcar CI w/ Kernel 6.12.35 on qemu (for regression): https://github.com/flatcar/scripts/pull/3006 * The user requesting this support has confirmed correct behavior: https://github.com/flatcar/Flatcar/issues/1749#issuecomment-3005483988 The two other commits ("net: phy: realtek: merge the drivers for internal NBase-T PHY's" and "net: phy: realtek: add RTL8125D-internal PHY") are required to add support here as well, otherwise it fails with: ``` $ dmesg ... r8169 ... : no dedicated PHY driver found for PHY ID 0x001cc841 ... ``` Thanks and have a great day, Mathieu (@tormath1) Heiner Kallweit (3): r8169: add support for RTL8125D net: phy: realtek: merge the drivers for internal NBase-T PHY's net: phy: realtek: add RTL8125D-internal PHY drivers/net/ethernet/realtek/r8169.h | 1 + drivers/net/ethernet/realtek/r8169_main.c | 23 +++++--- .../net/ethernet/realtek/r8169_phy_config.c | 10 ++++ drivers/net/phy/realtek.c | 54 +++++++++++++++---- 4 files changed, 71 insertions(+), 17 deletions(-) -- 2.49.0

4 months, 2 weeks

3
14
0 0

[PATCH 6.12.y] mm/vmalloc: fix data race in show_numa_info()

by Jeongjun Park

commit 5c5f0468d172ddec2e333d738d2a1f85402cf0bc upstream. The following data-race was found in show_numa_info(): ================================================================== BUG: KCSAN: data-race in vmalloc_info_show / vmalloc_info_show read to 0xffff88800971fe30 of 4 bytes by task 8289 on cpu 0: show_numa_info mm/vmalloc.c:4936 [inline] vmalloc_info_show+0x5a8/0x7e0 mm/vmalloc.c:5016 seq_read_iter+0x373/0xb40 fs/seq_file.c:230 proc_reg_read_iter+0x11e/0x170 fs/proc/inode.c:299 .... write to 0xffff88800971fe30 of 4 bytes by task 8287 on cpu 1: show_numa_info mm/vmalloc.c:4934 [inline] vmalloc_info_show+0x38f/0x7e0 mm/vmalloc.c:5016 seq_read_iter+0x373/0xb40 fs/seq_file.c:230 proc_reg_read_iter+0x11e/0x170 fs/proc/inode.c:299 .... value changed: 0x0000008f -> 0x00000000 ================================================================== According to this report,there is a read/write data-race because m->private is accessible to multiple CPUs. To fix this, instead of allocating the heap in proc_vmalloc_init() and passing the heap address to m->private, vmalloc_info_show() should allocate the heap. Link: https://lkml.kernel.org/r/20250508165620.15321-1-aha310510@gmail.com Fixes: 8e1d743 ("mm: vmalloc: support multiple nodes in vmallocinfo") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Suggested-by: Eric Dumazet <edumazet(a)google.com> Suggested-by: Andrew Morton <akpm(a)linux-foundation.org> Reviewed-by: "Uladzislau Rezki (Sony)" <urezki(a)gmail.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vmalloc.c | 63 +++++++++++++++++++++++++++++----------------------- 1 file changed, 35 insertions(+), 28 deletions(-) diff --git a/mm/vmalloc.c b/mm/vmalloc.c index cc04e501b1c5..7888600b6a79 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -3095,7 +3095,7 @@ static void clear_vm_uninitialized_flag(struct vm_struct *vm) /* * Before removing VM_UNINITIALIZED, * we should make sure that vm has proper values. - * Pair with smp_rmb() in show_numa_info(). + * Pair with smp_rmb() in vread_iter() and vmalloc_info_show(). */ smp_wmb(); vm->flags &= ~VM_UNINITIALIZED; @@ -4938,28 +4938,29 @@ bool vmalloc_dump_obj(void *object) #endif #ifdef CONFIG_PROC_FS -static void show_numa_info(struct seq_file *m, struct vm_struct *v) -{ - if (IS_ENABLED(CONFIG_NUMA)) { - unsigned int nr, *counters = m->private; - unsigned int step = 1U << vm_area_page_order(v); - if (!counters) - return; +/* + * Print number of pages allocated on each memory node. + * + * This function can only be called if CONFIG_NUMA is enabled + * and VM_UNINITIALIZED bit in v->flags is disabled. + */ +static void show_numa_info(struct seq_file *m, struct vm_struct *v, + unsigned int *counters) +{ + unsigned int nr; + unsigned int step = 1U << vm_area_page_order(v); - if (v->flags & VM_UNINITIALIZED) - return; - /* Pair with smp_wmb() in clear_vm_uninitialized_flag() */ - smp_rmb(); + if (!counters) + return; - memset(counters, 0, nr_node_ids * sizeof(unsigned int)); + memset(counters, 0, nr_node_ids * sizeof(unsigned int)); - for (nr = 0; nr < v->nr_pages; nr += step) - counters[page_to_nid(v->pages[nr])] += step; - for_each_node_state(nr, N_HIGH_MEMORY) - if (counters[nr]) - seq_printf(m, " N%u=%u", nr, counters[nr]); - } + for (nr = 0; nr < v->nr_pages; nr += step) + counters[page_to_nid(v->pages[nr])] += step; + for_each_node_state(nr, N_HIGH_MEMORY) + if (counters[nr]) + seq_printf(m, " N%u=%u", nr, counters[nr]); } static void show_purge_info(struct seq_file *m) @@ -4987,6 +4988,10 @@ static int vmalloc_info_show(struct seq_file *m, void *p) struct vmap_area *va; struct vm_struct *v; int i; + unsigned int *counters; + + if (IS_ENABLED(CONFIG_NUMA)) + counters = kmalloc(nr_node_ids * sizeof(unsigned int), GFP_KERNEL); for (i = 0; i < nr_vmap_nodes; i++) { vn = &vmap_nodes[i]; @@ -5003,6 +5008,11 @@ static int vmalloc_info_show(struct seq_file *m, void *p) } v = va->vm; + if (v->flags & VM_UNINITIALIZED) + continue; + + /* Pair with smp_wmb() in clear_vm_uninitialized_flag() */ + smp_rmb(); seq_printf(m, "0x%pK-0x%pK %7ld", v->addr, v->addr + v->size, v->size); @@ -5037,7 +5047,9 @@ static int vmalloc_info_show(struct seq_file *m, void *p) if (is_vmalloc_addr(v->pages)) seq_puts(m, " vpages"); - show_numa_info(m, v); + if (IS_ENABLED(CONFIG_NUMA)) + show_numa_info(m, v, counters); + seq_putc(m, '\n'); } spin_unlock(&vn->busy.lock); @@ -5047,19 +5059,14 @@ static int vmalloc_info_show(struct seq_file *m, void *p) * As a final step, dump "unpurged" areas. */ show_purge_info(m); + if (IS_ENABLED(CONFIG_NUMA)) + kfree(counters); return 0; } static int __init proc_vmalloc_init(void) { - void *priv_data = NULL; - - if (IS_ENABLED(CONFIG_NUMA)) - priv_data = kmalloc(nr_node_ids * sizeof(unsigned int), GFP_KERNEL); - - proc_create_single_data("vmallocinfo", - 0400, NULL, vmalloc_info_show, priv_data); - + proc_create_single("vmallocinfo", 0400, NULL, vmalloc_info_show); return 0; } module_init(proc_vmalloc_init); --

4 months, 2 weeks

3
2
0 0

[PATCH 6.15.y] mm/vmalloc: fix data race in show_numa_info()

by Jeongjun Park

commit 5c5f0468d172ddec2e333d738d2a1f85402cf0bc upstream. The following data-race was found in show_numa_info(): ================================================================== BUG: KCSAN: data-race in vmalloc_info_show / vmalloc_info_show read to 0xffff88800971fe30 of 4 bytes by task 8289 on cpu 0: show_numa_info mm/vmalloc.c:4936 [inline] vmalloc_info_show+0x5a8/0x7e0 mm/vmalloc.c:5016 seq_read_iter+0x373/0xb40 fs/seq_file.c:230 proc_reg_read_iter+0x11e/0x170 fs/proc/inode.c:299 .... write to 0xffff88800971fe30 of 4 bytes by task 8287 on cpu 1: show_numa_info mm/vmalloc.c:4934 [inline] vmalloc_info_show+0x38f/0x7e0 mm/vmalloc.c:5016 seq_read_iter+0x373/0xb40 fs/seq_file.c:230 proc_reg_read_iter+0x11e/0x170 fs/proc/inode.c:299 .... value changed: 0x0000008f -> 0x00000000 ================================================================== According to this report,there is a read/write data-race because m->private is accessible to multiple CPUs. To fix this, instead of allocating the heap in proc_vmalloc_init() and passing the heap address to m->private, vmalloc_info_show() should allocate the heap. Link: https://lkml.kernel.org/r/20250508165620.15321-1-aha310510@gmail.com Fixes: 8e1d743 ("mm: vmalloc: support multiple nodes in vmallocinfo") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Suggested-by: Eric Dumazet <edumazet(a)google.com> Suggested-by: Andrew Morton <akpm(a)linux-foundation.org> Reviewed-by: "Uladzislau Rezki (Sony)" <urezki(a)gmail.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vmalloc.c | 63 +++++++++++++++++++++++++++++----------------------- 1 file changed, 35 insertions(+), 28 deletions(-) diff --git a/mm/vmalloc.c b/mm/vmalloc.c index 00cf1b575c89..3fb534dcf14d 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -3100,7 +3100,7 @@ static void clear_vm_uninitialized_flag(struct vm_struct *vm) /* * Before removing VM_UNINITIALIZED, * we should make sure that vm has proper values. - * Pair with smp_rmb() in show_numa_info(). + * Pair with smp_rmb() in vread_iter() and vmalloc_info_show(). */ smp_wmb(); vm->flags &= ~VM_UNINITIALIZED; @@ -4934,28 +4934,29 @@ bool vmalloc_dump_obj(void *object) #endif #ifdef CONFIG_PROC_FS -static void show_numa_info(struct seq_file *m, struct vm_struct *v) -{ - if (IS_ENABLED(CONFIG_NUMA)) { - unsigned int nr, *counters = m->private; - unsigned int step = 1U << vm_area_page_order(v); - if (!counters) - return; +/* + * Print number of pages allocated on each memory node. + * + * This function can only be called if CONFIG_NUMA is enabled + * and VM_UNINITIALIZED bit in v->flags is disabled. + */ +static void show_numa_info(struct seq_file *m, struct vm_struct *v, + unsigned int *counters) +{ + unsigned int nr; + unsigned int step = 1U << vm_area_page_order(v); - if (v->flags & VM_UNINITIALIZED) - return; - /* Pair with smp_wmb() in clear_vm_uninitialized_flag() */ - smp_rmb(); + if (!counters) + return; - memset(counters, 0, nr_node_ids * sizeof(unsigned int)); + memset(counters, 0, nr_node_ids * sizeof(unsigned int)); - for (nr = 0; nr < v->nr_pages; nr += step) - counters[page_to_nid(v->pages[nr])] += step; - for_each_node_state(nr, N_HIGH_MEMORY) - if (counters[nr]) - seq_printf(m, " N%u=%u", nr, counters[nr]); - } + for (nr = 0; nr < v->nr_pages; nr += step) + counters[page_to_nid(v->pages[nr])] += step; + for_each_node_state(nr, N_HIGH_MEMORY) + if (counters[nr]) + seq_printf(m, " N%u=%u", nr, counters[nr]); } static void show_purge_info(struct seq_file *m) @@ -4983,6 +4984,10 @@ static int vmalloc_info_show(struct seq_file *m, void *p) struct vmap_area *va; struct vm_struct *v; int i; + unsigned int *counters; + + if (IS_ENABLED(CONFIG_NUMA)) + counters = kmalloc(nr_node_ids * sizeof(unsigned int), GFP_KERNEL); for (i = 0; i < nr_vmap_nodes; i++) { vn = &vmap_nodes[i]; @@ -4999,6 +5004,11 @@ static int vmalloc_info_show(struct seq_file *m, void *p) } v = va->vm; + if (v->flags & VM_UNINITIALIZED) + continue; + + /* Pair with smp_wmb() in clear_vm_uninitialized_flag() */ + smp_rmb(); seq_printf(m, "0x%pK-0x%pK %7ld", v->addr, v->addr + v->size, v->size); @@ -5033,7 +5043,9 @@ static int vmalloc_info_show(struct seq_file *m, void *p) if (is_vmalloc_addr(v->pages)) seq_puts(m, " vpages"); - show_numa_info(m, v); + if (IS_ENABLED(CONFIG_NUMA)) + show_numa_info(m, v, counters); + seq_putc(m, '\n'); } spin_unlock(&vn->busy.lock); @@ -5043,19 +5055,14 @@ static int vmalloc_info_show(struct seq_file *m, void *p) * As a final step, dump "unpurged" areas. */ show_purge_info(m); + if (IS_ENABLED(CONFIG_NUMA)) + kfree(counters); return 0; } static int __init proc_vmalloc_init(void) { - void *priv_data = NULL; - - if (IS_ENABLED(CONFIG_NUMA)) - priv_data = kmalloc(nr_node_ids * sizeof(unsigned int), GFP_KERNEL); - - proc_create_single_data("vmallocinfo", - 0400, NULL, vmalloc_info_show, priv_data); - + proc_create_single("vmallocinfo", 0400, NULL, vmalloc_info_show); return 0; } module_init(proc_vmalloc_init); --

4 months, 2 weeks

3
3
0 0

[REGRESSION] Linux 6.15.1 xen/dom0 domain_crash_sync called from entry.S

by Chuck Zmudzinski

Hi, I am seeing the following regression between Linux 6.14.8 and 6.15.1. Kernel version 6.14.8 boots fine but version 6.15.1 crashes and reboots on Xen. I don't know if 6.14.9 or 6.14.10 is affected, or if 6.15 or the 6.15 release candidates are affected because I did not test them. Also, Linux 6.15.1 boots fine on bare metal without Xen. Hardware: Intel i5-14500 Raptor Lake CPU, and ASRock B760M PG motherboard and 32 GB RAM. Xen version: 4.19.2 (mockbuild(a)dynavirt.com) (gcc (GCC) 13.3.1 20240611 (Red Hat 13.3.1-2)) debug=n Sun Apr 13 15:24:29 PDT 2025 Xen Command line: placeholder dom0_mem=2G,max:2G conring_size=32k com1=9600,8n1,0x40c0,16,1:0.0 console=com1 Linux version 6.15.1-1.el9.elrepo.x86_64 (mockbuild@5b7a5dab3b71429898b4f8474fab8fa0) (gcc (GCC) 11.5.0 20240719 (Red Hat 11.5.0-5), GNU ld version 2.35.2-63.el9) #1 SMP PREEMPT_DYNAMIC Wed Jun 4 16:42:58 EDT 2025 Linux Kernel Command line: placeholder root=/dev/mapper/systems-rootalma ro crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=UUID=2ddc2e3b-8f7b-498b-a4e8-bb4d33a1e5a7 console=hvc0 The Linux 6.15.1 dom0 kernel causes Xen to crash and reboot, here are the last messages on the serial console (includes messages from both dom0 and Xen) before crash: [ 0.301573] Speculative Store Bypass: Mitigation: Speculative Store Bypass disabled via prctl [ 0.301577] Register File Data Sampling: Vulnerable: No microcode [ 0.301581] ITS: Mitigation: Aligned branch/return thunks [ 0.301594] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers' [ 0.301598] x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers' [ 0.301602] x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers' [ 0.301605] x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256 [ 0.301609] x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'compacted' format. (XEN) Pagetable walk from ffffc9003ffffff8: (XEN) L4[0x192] = 0000000855bee067 0000000000060e56 (XEN) L3[0x000] = 0000000855bed067 0000000000060e55 (XEN) L2[0x1ff] = 0000000855bf0067 0000000000060e58 (XEN) L1[0x1ff] = 8010000855bf2025 0000000000060e5a (XEN) domain_crash_sync called from entry.S: fault at ffff82d04036e5b0 x86_64/entry.S#domain_crash_page_fault_6x8+0/0x4 (XEN) Domain 0 (vcpu#0) crashed on cpu#11: (XEN) ----[ Xen-4.19.2 x86_64 debug=n Not tainted ]---- (XEN) CPU: 11 (XEN) RIP: e033:[<ffffffff810014fe>] (XEN) RFLAGS: 0000000000010206 EM: 1 CONTEXT: pv guest (d0v0) (XEN) rax: ffffffff81fb12d0 rbx: 000000000000029a rcx: 000000000000000c (XEN) rdx: 000000000000029a rsi: ffffffff81000b99 rdi: ffffc900400000f0 (XEN) rbp: 000000000000014d rsp: ffffc90040000000 r8: 0000000000000f9c (XEN) r9: 0000000000000000 r10: 0000000000000000 r11: 0000000000000000 (XEN) r12: 000000000000000c r13: ffffffff82771530 r14: ffffffff827724cc (XEN) r15: ffffc900400000f0 cr0: 0000000080050033 cr4: 0000000000b526e0 (XEN) cr3: 000000086ae24000 cr2: ffffc9003ffffff8 (XEN) fsb: 0000000000000000 gsb: ffff88819ac55000 gss: 0000000000000000 (XEN) ds: 0000 es: 0000 fs: 0000 gs: 0000 ss: e02b cs: e033 (XEN) Guest stack trace from rsp=ffffc90040000000: (XEN) Stack empty. (XEN) Hardware Dom0 crashed: rebooting machine in 5 seconds. (XEN) Resetting with ACPI MEMORY or I/O RESET_REG. I searched mailing lists but could not find a report similar to what I am seeing here. I don't know what to try except to git bisect, but I have not done that yet. Chuck Zmudzinski

4 months, 2 weeks

3
3
0 0

6.12.y longterm regression - IPv6 UDP packet fragmentation

by Brett Sheffield

Hello Stable Maintainers, Longterm kernel 6.12.y backports commit: - a18dfa9925b9ef6107ea3aa5814ca3c704d34a8a "ipv6: save dontfrag in cork" but does not backport these related commits: - 54580ccdd8a9c6821fd6f72171d435480867e4c3 "ipv6: remove leftover ip6 cookie initializer" - 096208592b09c2f5fc0c1a174694efa41c04209d "ipv6: replace ipcm6_init calls with ipcm6_init_sk" This causes a regression when sending IPv6 UDP packets by preventing fragmentation and instead returning EMSGSIZE. I have attached a program which demonstrates the issue. sendmsg() returns correctly (8192) on a working kernel, and returns -1 (EMSGSIZE) when the regression is present. The regression is not present in the mainline kernel. Applying the two missing commits to 6.12.y fixes the regression. Cheers, Brett -- Brett Sheffield (he/him) Librecast - Decentralising the Internet with Multicast https://librecast.net/ https://blog.brettsheffield.com/

4 months, 2 weeks

6
14
0 0

[PATCH 5.15.y] xen: replace xen_remap() with memremap()

by Teddy Astie

From: Juergen Gross <jgross(a)suse.com> [ upstream commit 41925b105e345ebc84cedb64f59d20cb14a62613 ] xen_remap() is used to establish mappings for frames not under direct control of the kernel: for Xenstore and console ring pages, and for grant pages of non-PV guests. Today xen_remap() is defined to use ioremap() on x86 (doing uncached mappings), and ioremap_cache() on Arm (doing cached mappings). Uncached mappings for those use cases are bad for performance, so they should be avoided if possible. As all use cases of xen_remap() don't require uncached mappings (the mapped area is always physical RAM), a mapping using the standard WB cache mode is fine. As sparse is flagging some of the xen_remap() use cases to be not appropriate for iomem(), as the result is not annotated with the __iomem modifier, eliminate xen_remap() completely and replace all use cases with memremap() specifying the MEMREMAP_WB caching mode. xen_unmap() can be replaced with memunmap(). Reported-by: kernel test robot <lkp(a)intel.com> Signed-off-by: Juergen Gross <jgross(a)suse.com> Reviewed-by: Boris Ostrovsky <boris.ostrovsky(a)oracle.com> Acked-by: Stefano Stabellini <sstabellini(a)kernel.org> Link: https://lore.kernel.org/r/20220530082634.6339-1-jgross@suse.com Signed-off-by: Juergen Gross <jgross(a)suse.com> Signed-off-by: Teddy Astie <teddy.astie(a)vates.tech> [backport to 5.15.y] --- arch/x86/include/asm/xen/page.h | 3 --- drivers/xen/grant-table.c | 6 +++--- drivers/xen/xenbus/xenbus_probe.c | 3 +-- 3 files changed, 4 insertions(+), 8 deletions(-) diff --git a/arch/x86/include/asm/xen/page.h b/arch/x86/include/asm/xen/page.h index 1a162e559753..c183b7f9efef 100644 --- a/arch/x86/include/asm/xen/page.h +++ b/arch/x86/include/asm/xen/page.h @@ -355,9 +355,6 @@ unsigned long arbitrary_virt_to_mfn(void *vaddr); void make_lowmem_page_readonly(void *vaddr); void make_lowmem_page_readwrite(void *vaddr); -#define xen_remap(cookie, size) ioremap((cookie), (size)) -#define xen_unmap(cookie) iounmap((cookie)) - static inline bool xen_arch_need_swiotlb(struct device *dev, phys_addr_t phys, dma_addr_t dev_addr) diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c index 0a2d24d6ac6f..a10e0741bec5 100644 --- a/drivers/xen/grant-table.c +++ b/drivers/xen/grant-table.c @@ -743,7 +743,7 @@ int gnttab_setup_auto_xlat_frames(phys_addr_t addr) if (xen_auto_xlat_grant_frames.count) return -EINVAL; - vaddr = xen_remap(addr, XEN_PAGE_SIZE * max_nr_gframes); + vaddr = memremap(addr, XEN_PAGE_SIZE * max_nr_gframes, MEMREMAP_WB); if (vaddr == NULL) { pr_warn("Failed to ioremap gnttab share frames (addr=%pa)!\n", &addr); @@ -751,7 +751,7 @@ int gnttab_setup_auto_xlat_frames(phys_addr_t addr) } pfn = kcalloc(max_nr_gframes, sizeof(pfn[0]), GFP_KERNEL); if (!pfn) { - xen_unmap(vaddr); + memunmap(vaddr); return -ENOMEM; } for (i = 0; i < max_nr_gframes; i++) @@ -770,7 +770,7 @@ void gnttab_free_auto_xlat_frames(void) if (!xen_auto_xlat_grant_frames.count) return; kfree(xen_auto_xlat_grant_frames.pfn); - xen_unmap(xen_auto_xlat_grant_frames.vaddr); + memunmap(xen_auto_xlat_grant_frames.vaddr); xen_auto_xlat_grant_frames.pfn = NULL; xen_auto_xlat_grant_frames.count = 0; diff --git a/drivers/xen/xenbus/xenbus_probe.c b/drivers/xen/xenbus/xenbus_probe.c index 2068f83556b7..77ca24611293 100644 --- a/drivers/xen/xenbus/xenbus_probe.c +++ b/drivers/xen/xenbus/xenbus_probe.c @@ -982,8 +982,7 @@ static int __init xenbus_init(void) #endif xen_store_gfn = (unsigned long)v; xen_store_interface = - xen_remap(xen_store_gfn << XEN_PAGE_SHIFT, - XEN_PAGE_SIZE); + memremap(xen_store_gfn << XEN_PAGE_SHIFT, XEN_PAGE_SIZE, MEMREMAP_WB); break; default: pr_warn("Xenstore state unknown\n"); -- 2.50.0 Teddy Astie | Vates XCP-ng Developer XCP-ng & Xen Orchestra - Vates solutions web: https://vates.tech

4 months, 2 weeks

2
1
0 0

[PATCH 5.15.y v2] xen: replace xen_remap() with memremap()

by Teddy Astie

From: Juergen Gross <jgross(a)suse.com> [ upstream commit 41925b105e345ebc84cedb64f59d20cb14a62613 ] xen_remap() is used to establish mappings for frames not under direct control of the kernel: for Xenstore and console ring pages, and for grant pages of non-PV guests. Today xen_remap() is defined to use ioremap() on x86 (doing uncached mappings), and ioremap_cache() on Arm (doing cached mappings). Uncached mappings for those use cases are bad for performance, so they should be avoided if possible. As all use cases of xen_remap() don't require uncached mappings (the mapped area is always physical RAM), a mapping using the standard WB cache mode is fine. As sparse is flagging some of the xen_remap() use cases to be not appropriate for iomem(), as the result is not annotated with the __iomem modifier, eliminate xen_remap() completely and replace all use cases with memremap() specifying the MEMREMAP_WB caching mode. xen_unmap() can be replaced with memunmap(). Reported-by: kernel test robot <lkp(a)intel.com> Signed-off-by: Juergen Gross <jgross(a)suse.com> Reviewed-by: Boris Ostrovsky <boris.ostrovsky(a)oracle.com> Acked-by: Stefano Stabellini <sstabellini(a)kernel.org> Link: https://lore.kernel.org/r/20220530082634.6339-1-jgross@suse.com Signed-off-by: Juergen Gross <jgross(a)suse.com> Signed-off-by: Teddy Astie <teddy.astie(a)vates.tech> [backport to 5.15.y] --- v2: - also remove xen_remap/xen_unmap on ARM --- arch/x86/include/asm/xen/page.h | 3 --- drivers/xen/grant-table.c | 6 +++--- drivers/xen/xenbus/xenbus_probe.c | 3 +-- include/xen/arm/page.h | 3 --- 4 files changed, 4 insertions(+), 11 deletions(-) diff --git a/arch/x86/include/asm/xen/page.h b/arch/x86/include/asm/xen/page.h index 1a162e559753..c183b7f9efef 100644 --- a/arch/x86/include/asm/xen/page.h +++ b/arch/x86/include/asm/xen/page.h @@ -355,9 +355,6 @@ unsigned long arbitrary_virt_to_mfn(void *vaddr); void make_lowmem_page_readonly(void *vaddr); void make_lowmem_page_readwrite(void *vaddr); -#define xen_remap(cookie, size) ioremap((cookie), (size)) -#define xen_unmap(cookie) iounmap((cookie)) - static inline bool xen_arch_need_swiotlb(struct device *dev, phys_addr_t phys, dma_addr_t dev_addr) diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c index 0a2d24d6ac6f..a10e0741bec5 100644 --- a/drivers/xen/grant-table.c +++ b/drivers/xen/grant-table.c @@ -743,7 +743,7 @@ int gnttab_setup_auto_xlat_frames(phys_addr_t addr) if (xen_auto_xlat_grant_frames.count) return -EINVAL; - vaddr = xen_remap(addr, XEN_PAGE_SIZE * max_nr_gframes); + vaddr = memremap(addr, XEN_PAGE_SIZE * max_nr_gframes, MEMREMAP_WB); if (vaddr == NULL) { pr_warn("Failed to ioremap gnttab share frames (addr=%pa)!\n", &addr); @@ -751,7 +751,7 @@ int gnttab_setup_auto_xlat_frames(phys_addr_t addr) } pfn = kcalloc(max_nr_gframes, sizeof(pfn[0]), GFP_KERNEL); if (!pfn) { - xen_unmap(vaddr); + memunmap(vaddr); return -ENOMEM; } for (i = 0; i < max_nr_gframes; i++) @@ -770,7 +770,7 @@ void gnttab_free_auto_xlat_frames(void) if (!xen_auto_xlat_grant_frames.count) return; kfree(xen_auto_xlat_grant_frames.pfn); - xen_unmap(xen_auto_xlat_grant_frames.vaddr); + memunmap(xen_auto_xlat_grant_frames.vaddr); xen_auto_xlat_grant_frames.pfn = NULL; xen_auto_xlat_grant_frames.count = 0; diff --git a/drivers/xen/xenbus/xenbus_probe.c b/drivers/xen/xenbus/xenbus_probe.c index 2068f83556b7..77ca24611293 100644 --- a/drivers/xen/xenbus/xenbus_probe.c +++ b/drivers/xen/xenbus/xenbus_probe.c @@ -982,8 +982,7 @@ static int __init xenbus_init(void) #endif xen_store_gfn = (unsigned long)v; xen_store_interface = - xen_remap(xen_store_gfn << XEN_PAGE_SHIFT, - XEN_PAGE_SIZE); + memremap(xen_store_gfn << XEN_PAGE_SHIFT, XEN_PAGE_SIZE, MEMREMAP_WB); break; default: pr_warn("Xenstore state unknown\n"); diff --git a/include/xen/arm/page.h b/include/xen/arm/page.h index ac1b65470563..f831cfeca000 100644 --- a/include/xen/arm/page.h +++ b/include/xen/arm/page.h @@ -109,9 +109,6 @@ static inline bool set_phys_to_machine(unsigned long pfn, unsigned long mfn) return __set_phys_to_machine(pfn, mfn); } -#define xen_remap(cookie, size) ioremap_cache((cookie), (size)) -#define xen_unmap(cookie) iounmap((cookie)) - bool xen_arch_need_swiotlb(struct device *dev, phys_addr_t phys, dma_addr_t dev_addr); -- 2.50.0 Teddy Astie | Vates XCP-ng Developer XCP-ng & Xen Orchestra - Vates solutions web: https://vates.tech

4 months, 2 weeks

2
1
0 0

[PATCH 5.15.y] jfs: fix null ptr deref in dtInsertEntry

by Aditya Dutt

From: Edward Adam Davis <eadavis(a)qq.com> [ Upstream commit ce6dede912f064a855acf6f04a04cbb2c25b8c8c ] [syzbot reported] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713 ... [Analyze] In dtInsertEntry(), when the pointer h has the same value as p, after writing name in UniStrncpy_to_le(), p->header.flag will be cleared. This will cause the previously true judgment "p->header.flag & BT-LEAF" to change to no after writing the name operation, this leads to entering an incorrect branch and accessing the uninitialized object ih when judging this condition for the second time. [Fix] After got the page, check freelist first, if freelist == 0 then exit dtInsert() and return -EINVAL. Closes: https://syzkaller.appspot.com/bug?extid=30b3e48dc48dd2ad45b6 Reported-by: syzbot+30b3e48dc48dd2ad45b6(a)syzkaller.appspotmail.com Reported-by: syzbot+bba84aef3a26fb93deb9(a)syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis <eadavis(a)qq.com> Signed-off-by: Dave Kleikamp <dave.kleikamp(a)oracle.com> Signed-off-by: Aditya Dutt <duttaditya18(a)gmail.com> --- I tested the patch manually using the C reproducer: https://syzkaller.appspot.com/text?tag=ReproC&x=135c9b70580000 given in the syzkaller dashboard above. fs/jfs/jfs_dtree.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c index 27ca98614b0b..cb57d4f1161f 100644 --- a/fs/jfs/jfs_dtree.c +++ b/fs/jfs/jfs_dtree.c @@ -835,6 +835,8 @@ int dtInsert(tid_t tid, struct inode *ip, * the full page. */ DT_GETSEARCH(ip, btstack->top, bn, mp, p, index); + if (p->header.freelist == 0) + return -EINVAL; /* * insert entry for new key -- 2.34.1

4 months, 2 weeks

2
1
0 0

[PATCH v2] crypto: s390/sha - Fix uninitialized variable in SHA-1 and SHA-2

by Eric Biggers

Commit 88c02b3f79a6 ("s390/sha3: Support sha3 performance enhancements") added the field s390_sha_ctx::first_message_part and made it be used by s390_sha_update() (now s390_sha_update_blocks()). At the time, s390_sha_update() was used by all the s390 SHA-1, SHA-2, and SHA-3 algorithms. However, only the initialization functions for SHA-3 were updated, leaving SHA-1 and SHA-2 using first_message_part uninitialized. This could cause e.g. the function code CPACF_KIMD_SHA_512 | CPACF_KIMD_NIP to be used instead of just CPACF_KIMD_SHA_512. This apparently was harmless, as the SHA-1 and SHA-2 function codes ignore CPACF_KIMD_NIP; it is recognized only by the SHA-3 function codes (https://lore.kernel.org/r/73477fe9-a1dc-4e38-98a6-eba9921e8afa@linux.ibm.co…). Therefore, this bug was found only when first_message_part was later converted to a boolean and UBSAN detected its uninitialized use. Regardless, let's fix this by just initializing to zero. Note: in 6.16, we need to patch SHA-1, SHA-384, and SHA-512. In 6.15 and earlier, we'll also need to patch SHA-224 and SHA-256, as they hadn't yet been librarified (which incidentally fixed this bug). Fixes: 88c02b3f79a6 ("s390/sha3: Support sha3 performance enhancements") Cc: stable(a)vger.kernel.org Reported-by: Ingo Franzki <ifranzki(a)linux.ibm.com> Closes: https://lore.kernel.org/r/12740696-595c-4604-873e-aefe8b405fbf@linux.ibm.com Acked-by: Heiko Carstens <hca(a)linux.ibm.com> Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- v2: - Also fix s390_sha1_import() and sha512_import() - Use 0 instead of false - Improved commit message arch/s390/crypto/sha1_s390.c | 2 ++ arch/s390/crypto/sha512_s390.c | 3 +++ 2 files changed, 5 insertions(+) diff --git a/arch/s390/crypto/sha1_s390.c b/arch/s390/crypto/sha1_s390.c index d229cbd2ba229..9b0d55be12394 100644 --- a/arch/s390/crypto/sha1_s390.c +++ b/arch/s390/crypto/sha1_s390.c @@ -36,10 +36,11 @@ static int s390_sha1_init(struct shash_desc *desc) sctx->state[2] = SHA1_H2; sctx->state[3] = SHA1_H3; sctx->state[4] = SHA1_H4; sctx->count = 0; sctx->func = CPACF_KIMD_SHA_1; + sctx->first_message_part = 0; return 0; } static int s390_sha1_export(struct shash_desc *desc, void *out) @@ -58,10 +59,11 @@ static int s390_sha1_import(struct shash_desc *desc, const void *in) const struct sha1_state *ictx = in; sctx->count = ictx->count; memcpy(sctx->state, ictx->state, sizeof(ictx->state)); sctx->func = CPACF_KIMD_SHA_1; + sctx->first_message_part = 0; return 0; } static struct shash_alg alg = { .digestsize = SHA1_DIGEST_SIZE, diff --git a/arch/s390/crypto/sha512_s390.c b/arch/s390/crypto/sha512_s390.c index 33711a29618c3..6cbbf5e8555f8 100644 --- a/arch/s390/crypto/sha512_s390.c +++ b/arch/s390/crypto/sha512_s390.c @@ -30,10 +30,11 @@ static int sha512_init(struct shash_desc *desc) ctx->sha512.state[6] = SHA512_H6; ctx->sha512.state[7] = SHA512_H7; ctx->count = 0; ctx->sha512.count_hi = 0; ctx->func = CPACF_KIMD_SHA_512; + ctx->first_message_part = 0; return 0; } static int sha512_export(struct shash_desc *desc, void *out) @@ -55,10 +56,11 @@ static int sha512_import(struct shash_desc *desc, const void *in) sctx->count = ictx->count[0]; sctx->sha512.count_hi = ictx->count[1]; memcpy(sctx->state, ictx->state, sizeof(ictx->state)); sctx->func = CPACF_KIMD_SHA_512; + sctx->first_message_part = 0; return 0; } static struct shash_alg sha512_alg = { .digestsize = SHA512_DIGEST_SIZE, @@ -95,10 +97,11 @@ static int sha384_init(struct shash_desc *desc) ctx->sha512.state[6] = SHA384_H6; ctx->sha512.state[7] = SHA384_H7; ctx->count = 0; ctx->sha512.count_hi = 0; ctx->func = CPACF_KIMD_SHA_512; + ctx->first_message_part = 0; return 0; } static struct shash_alg sha384_alg = { base-commit: 64f7548aad63d2fbca2eeb6eb33361c218ebd5a5 -- 2.50.0

4 months, 2 weeks

1
0
0 0

[REGRESSION] stable-rc/linux-6.6.y: (build) call to undeclared function 'FIELD_GET'; ISO C99 and later do not ...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-6.6.y: --- call to undeclared function 'FIELD_GET'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration] in drivers/hwtracing/coresight/coresight-core.o (drivers/hwtracing/coresight/coresight-core.c) [logspec:kbuild,kbuild.compiler.error] --- - dashboard: https://d.kernelci.org/i/maestro:82b0ad35fbcaafb1583fddab63ee2110454491ce - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: cd39aa2833d237e301befa5db1902e33872ba3c7 Log excerpt: ===================================================== drivers/hwtracing/coresight/coresight-core.c:138:9: error: call to undeclared function 'FIELD_GET'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration] 138 | return FIELD_GET(CORESIGHT_CLAIM_MASK, | ^ 1 error generated. ===================================================== # Builds where the incident occurred: ## defconfig+allmodconfig+CONFIG_FRAME_WARN=2048 on (arm): - compiler: clang-17 - dashboard: https://d.kernelci.org/build/maestro:6866682c5c2cf25042fae1f6 #kernelci issue maestro:82b0ad35fbcaafb1583fddab63ee2110454491ce Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

4 months, 2 weeks

1
0
0 0

[REGRESSION] stable-rc/linux-5.4.y: (build) ./include/linux/regulator/consumer.h:613:51: warning: declaration ...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-5.4.y: --- ./include/linux/regulator/consumer.h:613:51: warning: declaration of 'struct regulator_dev' will not be visible outside of this function [-Wvisibility] in drivers/ata/ahci.o (drivers/ata/ahci.h) [logspec:kbuild,kbuild.compiler.warning] --- - dashboard: https://d.kernelci.org/i/maestro:e328869b26a76c83d9b30c60ae3469908d116c3f - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: f4010b99ef529ae2ba2db6f124d91a187d5e23ed Log excerpt: ===================================================== In file included from drivers/ata/ahci.h:25: In file included from ./include/linux/phy/phy.h:17: ./include/linux/regulator/consumer.h:613:51: warning: declaration of 'struct regulator_dev' will not be visible outside of this function [-Wvisibility] 613 | static inline int regulator_suspend_enable(struct regulator_dev *rdev, | ^ ./include/linux/regulator/consumer.h:614:9: error: unknown type name 'suspend_state_t' 614 | suspend_state_t state) | ^ ./include/linux/regulator/consumer.h:619:52: warning: declaration of 'struct regulator_dev' will not be visible outside of this function [-Wvisibility] 619 | static inline int regulator_suspend_disable(struct regulator_dev *rdev, | ^ ./include/linux/regulator/consumer.h:620:10: error: unknown type name 'suspend_state_t' 620 | suspend_state_t state) | ^ ./include/linux/regulator/consumer.h:627:7: error: unknown type name 'suspend_state_t' 627 | suspend_state_t state) | ^ 2 warnings and 3 errors generated. ===================================================== # Builds where the incident occurred: ## x86_64_defconfig on (x86_64): - compiler: clang-17 - dashboard: https://d.kernelci.org/build/maestro:68669dc85c2cf25042fb8139 #kernelci issue maestro:e328869b26a76c83d9b30c60ae3469908d116c3f Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

4 months, 2 weeks

1
0
0 0

[PATCH] regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods

by Manivannan Sadhasivam

drvdata::gpiods is supposed to hold an array of 'gpio_desc' pointers. But the memory is allocated for only one pointer. This will lead to out-of-bounds access later in the code if 'config::ngpios' is > 1. So fix the code to allocate enough memory to hold 'config::ngpios' of GPIO descriptors. While at it, also move the check for memory allocation failure to be below the allocation to make it more readable. Cc: stable(a)vger.kernel.org # 5.0 Fixes: d6cd33ad7102 ("regulator: gpio: Convert to use descriptors") Signed-off-by: Manivannan Sadhasivam <mani(a)kernel.org> --- drivers/regulator/gpio-regulator.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/regulator/gpio-regulator.c b/drivers/regulator/gpio-regulator.c index 75bd53445ba7..6351ceefdb3e 100644 --- a/drivers/regulator/gpio-regulator.c +++ b/drivers/regulator/gpio-regulator.c @@ -260,8 +260,10 @@ static int gpio_regulator_probe(struct platform_device *pdev) return -ENOMEM; } - drvdata->gpiods = devm_kzalloc(dev, sizeof(struct gpio_desc *), - GFP_KERNEL); + drvdata->gpiods = devm_kcalloc(dev, config->ngpios, + sizeof(struct gpio_desc *), GFP_KERNEL); + if (!drvdata->gpiods) + return -ENOMEM; if (config->input_supply) { drvdata->desc.supply_name = devm_kstrdup(&pdev->dev, @@ -274,8 +276,6 @@ static int gpio_regulator_probe(struct platform_device *pdev) } } - if (!drvdata->gpiods) - return -ENOMEM; for (i = 0; i < config->ngpios; i++) { drvdata->gpiods[i] = devm_gpiod_get_index(dev, NULL, -- 2.45.2

4 months, 2 weeks

2
1
0 0

[PATCH 5.10] Bluetooth: btmtksdio: fix use-after-free at btmtksdio_recv_event

by Anastasia Belova

From: Sean Wang <sean.wang(a)mediatek.com> [ Upstream commit 0fab6361c4ba17d1b43a991bef4238a3c1754d35 ] We should not access skb buffer data anymore after hci_recv_frame was called. [ 39.634809] BUG: KASAN: use-after-free in btmtksdio_recv_event+0x1b0 [ 39.634855] Read of size 1 at addr ffffff80cf28a60d by task kworker [ 39.634962] Call trace: [ 39.634974] dump_backtrace+0x0/0x3b8 [ 39.634999] show_stack+0x20/0x2c [ 39.635016] dump_stack_lvl+0x60/0x78 [ 39.635040] print_address_description+0x70/0x2f0 [ 39.635062] kasan_report+0x154/0x194 [ 39.635079] __asan_report_load1_noabort+0x44/0x50 [ 39.635099] btmtksdio_recv_event+0x1b0/0x1c4 [ 39.635129] btmtksdio_txrx_work+0x6cc/0xac4 [ 39.635157] process_one_work+0x560/0xc5c [ 39.635177] worker_thread+0x7ec/0xcc0 [ 39.635195] kthread+0x2d0/0x3d0 [ 39.635215] ret_from_fork+0x10/0x20 [ 39.635247] Allocated by task 0: [ 39.635260] (stack is not available) [ 39.635281] Freed by task 2392: [ 39.635295] kasan_save_stack+0x38/0x68 [ 39.635319] kasan_set_track+0x28/0x3c [ 39.635338] kasan_set_free_info+0x28/0x4c [ 39.635357] ____kasan_slab_free+0x104/0x150 [ 39.635374] __kasan_slab_free+0x18/0x28 [ 39.635391] slab_free_freelist_hook+0x114/0x248 [ 39.635410] kfree+0xf8/0x2b4 [ 39.635427] skb_free_head+0x58/0x98 [ 39.635447] skb_release_data+0x2f4/0x410 [ 39.635464] skb_release_all+0x50/0x60 [ 39.635481] kfree_skb+0xc8/0x25c [ 39.635498] hci_event_packet+0x894/0xca4 [bluetooth] [ 39.635721] hci_rx_work+0x1c8/0x68c [bluetooth] [ 39.635925] process_one_work+0x560/0xc5c [ 39.635951] worker_thread+0x7ec/0xcc0 [ 39.635970] kthread+0x2d0/0x3d0 [ 39.635990] ret_from_fork+0x10/0x20 [ 39.636021] The buggy address belongs to the object at ffffff80cf28a600 which belongs to the cache kmalloc-512 of size 512 [ 39.636039] The buggy address is located 13 bytes inside of 512-byte region [ffffff80cf28a600, ffffff80cf28a800) Fixes: 9aebfd4a2200 ("Bluetooth: mediatek: add support for MediaTek MT7663S and MT7668S SDIO devices") Co-developed-by: Yake Yang <yake.yang(a)mediatek.com> Signed-off-by: Yake Yang <yake.yang(a)mediatek.com> Signed-off-by: Sean Wang <sean.wang(a)mediatek.com> Signed-off-by: Marcel Holtmann <marcel(a)holtmann.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Anastasia Belova <abelova(a)astralinux.ru> --- Backport fix for CVE-2022-49470 drivers/bluetooth/btmtksdio.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/bluetooth/btmtksdio.c b/drivers/bluetooth/btmtksdio.c index c41560be39fb..6b31ee1a1dd9 100644 --- a/drivers/bluetooth/btmtksdio.c +++ b/drivers/bluetooth/btmtksdio.c @@ -331,6 +331,7 @@ static int btmtksdio_recv_event(struct hci_dev *hdev, struct sk_buff *skb) { struct btmtksdio_dev *bdev = hci_get_drvdata(hdev); struct hci_event_hdr *hdr = (void *)skb->data; + u8 evt = hdr->evt; int err; /* Fix up the vendor event id with 0xff for vendor specific instead @@ -355,7 +356,7 @@ static int btmtksdio_recv_event(struct hci_dev *hdev, struct sk_buff *skb) if (err < 0) goto err_free_skb; - if (hdr->evt == HCI_EV_VENDOR) { + if (evt == HCI_EV_VENDOR) { if (test_and_clear_bit(BTMTKSDIO_TX_WAIT_VND_EVT, &bdev->tx_state)) { /* Barrier to sync with other CPUs */ -- 2.43.0

4 months, 2 weeks

1
0
0 0

[PATCH] mtd: spi-nor: Fix spi_nor_try_unlock_all()

by Michael Walle

Commit ff67592cbdfc ("mtd: spi-nor: Introduce spi_nor_set_mtd_info()") moved all initialization of the mtd fields at the end of spi_nor_scan(). Normally, the mtd info is only needed for the mtd ops on the device, with one exception: spi_nor_try_unlock_all(), which will also make use of the mtd->size parameter. With that commit, the size will always be zero because it is not initialized. Fix that by not using the size of the mtd_info struct, but use the size from struct spi_nor_flash_parameter. Fixes: ff67592cbdfc ("mtd: spi-nor: Introduce spi_nor_set_mtd_info()") Cc: stable(a)vger.kernel.org Reported-by: Jean-Marc Ranger <jmranger(a)hotmail.com> Closes: https://lore.kernel.org/all/DM6PR06MB561177323DC5207E34AF2A06C547A@DM6PR06M… Tested-by: Jean-Marc Ranger <jmranger(a)hotmail.com> Signed-off-by: Michael Walle <mwalle(a)kernel.org> --- drivers/mtd/spi-nor/swp.c | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/drivers/mtd/spi-nor/swp.c b/drivers/mtd/spi-nor/swp.c index 9c9328478d8a..9b07f83aeac7 100644 --- a/drivers/mtd/spi-nor/swp.c +++ b/drivers/mtd/spi-nor/swp.c @@ -56,7 +56,6 @@ static u64 spi_nor_get_min_prot_length_sr(struct spi_nor *nor) static void spi_nor_get_locked_range_sr(struct spi_nor *nor, u8 sr, loff_t *ofs, u64 *len) { - struct mtd_info *mtd = &nor->mtd; u64 min_prot_len; u8 mask = spi_nor_get_sr_bp_mask(nor); u8 tb_mask = spi_nor_get_sr_tb_mask(nor); @@ -77,13 +76,13 @@ static void spi_nor_get_locked_range_sr(struct spi_nor *nor, u8 sr, loff_t *ofs, min_prot_len = spi_nor_get_min_prot_length_sr(nor); *len = min_prot_len << (bp - 1); - if (*len > mtd->size) - *len = mtd->size; + if (*len > nor->params->size) + *len = nor->params->size; if (nor->flags & SNOR_F_HAS_SR_TB && sr & tb_mask) *ofs = 0; else - *ofs = mtd->size - *len; + *ofs = nor->params->size - *len; } /* @@ -158,7 +157,6 @@ static bool spi_nor_is_unlocked_sr(struct spi_nor *nor, loff_t ofs, u64 len, */ static int spi_nor_sr_lock(struct spi_nor *nor, loff_t ofs, u64 len) { - struct mtd_info *mtd = &nor->mtd; u64 min_prot_len; int ret, status_old, status_new; u8 mask = spi_nor_get_sr_bp_mask(nor); @@ -183,7 +181,7 @@ static int spi_nor_sr_lock(struct spi_nor *nor, loff_t ofs, u64 len) can_be_bottom = false; /* If anything above us is unlocked, we can't use 'top' protection */ - if (!spi_nor_is_locked_sr(nor, ofs + len, mtd->size - (ofs + len), + if (!spi_nor_is_locked_sr(nor, ofs + len, nor->params->size - (ofs + len), status_old)) can_be_top = false; @@ -195,11 +193,11 @@ static int spi_nor_sr_lock(struct spi_nor *nor, loff_t ofs, u64 len) /* lock_len: length of region that should end up locked */ if (use_top) - lock_len = mtd->size - ofs; + lock_len = nor->params->size - ofs; else lock_len = ofs + len; - if (lock_len == mtd->size) { + if (lock_len == nor->params->size) { val = mask; } else { min_prot_len = spi_nor_get_min_prot_length_sr(nor); @@ -248,7 +246,6 @@ static int spi_nor_sr_lock(struct spi_nor *nor, loff_t ofs, u64 len) */ static int spi_nor_sr_unlock(struct spi_nor *nor, loff_t ofs, u64 len) { - struct mtd_info *mtd = &nor->mtd; u64 min_prot_len; int ret, status_old, status_new; u8 mask = spi_nor_get_sr_bp_mask(nor); @@ -273,7 +270,7 @@ static int spi_nor_sr_unlock(struct spi_nor *nor, loff_t ofs, u64 len) can_be_top = false; /* If anything above us is locked, we can't use 'bottom' protection */ - if (!spi_nor_is_unlocked_sr(nor, ofs + len, mtd->size - (ofs + len), + if (!spi_nor_is_unlocked_sr(nor, ofs + len, nor->params->size - (ofs + len), status_old)) can_be_bottom = false; @@ -285,7 +282,7 @@ static int spi_nor_sr_unlock(struct spi_nor *nor, loff_t ofs, u64 len) /* lock_len: length of region that should remain locked */ if (use_top) - lock_len = mtd->size - (ofs + len); + lock_len = nor->params->size - (ofs + len); else lock_len = ofs; -- 2.39.5

4 months, 2 weeks

2
2
0 0

[PATCH 5.10] drm/prime: Fix use after free in mmap with drm_gem_ttm_mmap

by Anastasia Belova

From: Anand K Mistry <amistry(a)google.com> commit 8244a3bc27b3efd057da154b8d7e414670d5044f upstream. drm_gem_ttm_mmap() drops a reference to the gem object on success. If the gem object's refcount == 1 on entry to drm_gem_prime_mmap(), that drop will free the gem object, and the subsequent drm_gem_object_get() will be a UAF. Fix by grabbing a reference before calling the mmap helper. This issue was forseen when the reference dropping was adding in commit 9786b65bc61ac ("drm/ttm: fix mmap refcounting"): "For that to work properly the drm_gem_object_get() call in drm_gem_ttm_mmap() must be moved so it happens before calling obj->funcs->mmap(), otherwise the gem refcount would go down to zero." Signed-off-by: Anand K Mistry <amistry(a)google.com> Fixes: 9786b65bc61a ("drm/ttm: fix mmap refcounting") Cc: Gerd Hoffmann <kraxel(a)redhat.com> Cc: Daniel Vetter <daniel.vetter(a)ffwll.ch> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Maxime Ripard <mripard(a)kernel.org> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: David Airlie <airlied(a)linux.ie> Cc: Daniel Vetter <daniel(a)ffwll.ch> Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v5.5+ Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Link: https://patchwork.freedesktop.org/patch/msgid/20210930085932.1.I8043d61cc23… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Anastasia Belova <abelova(a)astralinux.ru> --- Backport fix for CVE-2021-47200 drivers/gpu/drm/drm_prime.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/drm_prime.c b/drivers/gpu/drm/drm_prime.c index 825499ea3ff5..893421d81e1e 100644 --- a/drivers/gpu/drm/drm_prime.c +++ b/drivers/gpu/drm/drm_prime.c @@ -724,11 +724,13 @@ int drm_gem_prime_mmap(struct drm_gem_object *obj, struct vm_area_struct *vma) vma->vm_pgoff += drm_vma_node_start(&obj->vma_node); if (obj->funcs && obj->funcs->mmap) { + drm_gem_object_get(obj); ret = obj->funcs->mmap(obj, vma); - if (ret) + if (ret) { + drm_gem_object_put(obj); return ret; + } vma->vm_private_data = obj; - drm_gem_object_get(obj); return 0; } -- 2.43.0

4 months, 2 weeks

1
0
0 0

[PATCH 2/2] platform/chrome: cros_ec_chardev: Fix UAF of ec_dev

by Tzung-Bi Shih

The lifecycle of misc device and `ec_dev` are independent. It is possible that the `ec_dev` is used after free. The following script shows the concept: : import fcntl : import os : import struct : import time : : EC_CMD_HELLO = 0x1 : : fd = os.open('/dev/cros_fp', os.O_RDONLY) : s = struct.pack('IIIIII', 0, EC_CMD_HELLO, 4, 4, 0, 0) : fcntl.ioctl(fd, 0xc014ec00, s) : : time.sleep(1) : open('/sys/bus/spi/drivers/cros-ec-spi/unbind', 'w').write('spi10.0') : time.sleep(1) : open('/sys/bus/spi/drivers/cros-ec-spi/bind', 'w').write('spi10.0') : : time.sleep(3) : fcntl.ioctl(fd, 0xc014ec00, s) <--- The UAF happens here. : : os.close(fd) Set `ec_dev` to NULL to let the misc device know the underlying protocol device is gone. Fixes: eda2e30c6684 ("mfd / platform: cros_ec: Miscellaneous character device to talk with the EC") Cc: stable(a)vger.kernel.org Signed-off-by: Tzung-Bi Shih <tzungbi(a)kernel.org> --- drivers/platform/chrome/cros_ec_chardev.c | 65 +++++++++++++++++++---- 1 file changed, 56 insertions(+), 9 deletions(-) diff --git a/drivers/platform/chrome/cros_ec_chardev.c b/drivers/platform/chrome/cros_ec_chardev.c index 5c858d30dd52..87c800c30f31 100644 --- a/drivers/platform/chrome/cros_ec_chardev.c +++ b/drivers/platform/chrome/cros_ec_chardev.c @@ -11,11 +11,14 @@ */ #include <linux/init.h> +#include <linux/cleanup.h> #include <linux/device.h> #include <linux/fs.h> +#include <linux/list.h> #include <linux/miscdevice.h> #include <linux/mod_devicetable.h> #include <linux/module.h> +#include <linux/mutex.h> #include <linux/notifier.h> #include <linux/platform_data/cros_ec_chardev.h> #include <linux/platform_data/cros_ec_commands.h> @@ -31,7 +34,14 @@ /* Arbitrary bounded size for the event queue */ #define CROS_MAX_EVENT_LEN PAGE_SIZE +/* This protects 'chardev_list' */ +static DEFINE_MUTEX(chardev_lock); +static LIST_HEAD(chardev_list); + struct chardev_priv { + struct list_head list; + /* This protects 'ec_dev' */ + struct mutex lock; struct cros_ec_dev *ec_dev; struct notifier_block notifier; wait_queue_head_t wait_event; @@ -176,9 +186,14 @@ static int cros_ec_chardev_open(struct inode *inode, struct file *filp) if (ret) { dev_err(ec_dev->dev, "failed to register event notifier\n"); kfree(priv); + return ret; } - return ret; + mutex_init(&priv->lock); + INIT_LIST_HEAD(&priv->list); + scoped_guard(mutex, &chardev_lock) + list_add_tail(&priv->list, &chardev_list); + return 0; } static __poll_t cros_ec_chardev_poll(struct file *filp, poll_table *wait) @@ -199,7 +214,6 @@ static ssize_t cros_ec_chardev_read(struct file *filp, char __user *buffer, char msg[sizeof(struct ec_response_get_version) + sizeof(CROS_EC_DEV_VERSION)]; struct chardev_priv *priv = filp->private_data; - struct cros_ec_dev *ec_dev = priv->ec_dev; size_t count; int ret; @@ -233,7 +247,12 @@ static ssize_t cros_ec_chardev_read(struct file *filp, char __user *buffer, if (*offset != 0) return 0; - ret = ec_get_version(ec_dev, msg, sizeof(msg)); + scoped_guard(mutex, &priv->lock) { + if (!priv->ec_dev) + return -ENODEV; + } + + ret = ec_get_version(priv->ec_dev, msg, sizeof(msg)); if (ret) return ret; @@ -249,11 +268,15 @@ static ssize_t cros_ec_chardev_read(struct file *filp, char __user *buffer, static int cros_ec_chardev_release(struct inode *inode, struct file *filp) { struct chardev_priv *priv = filp->private_data; - struct cros_ec_dev *ec_dev = priv->ec_dev; struct ec_event *event, *e; - blocking_notifier_chain_unregister(&ec_dev->ec_dev->event_notifier, - &priv->notifier); + scoped_guard(mutex, &priv->lock) { + if (priv->ec_dev) + blocking_notifier_chain_unregister(&priv->ec_dev->ec_dev->event_notifier, + &priv->notifier); + } + scoped_guard(mutex, &chardev_lock) + list_del(&priv->list); list_for_each_entry_safe(event, e, &priv->events, node) { list_del(&event->node); @@ -341,16 +364,20 @@ static long cros_ec_chardev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) { struct chardev_priv *priv = filp->private_data; - struct cros_ec_dev *ec = priv->ec_dev; if (_IOC_TYPE(cmd) != CROS_EC_DEV_IOC) return -ENOTTY; + scoped_guard(mutex, &priv->lock) { + if (!priv->ec_dev) + return -ENODEV; + } + switch (cmd) { case CROS_EC_DEV_IOCXCMD: - return cros_ec_chardev_ioctl_xcmd(ec, (void __user *)arg); + return cros_ec_chardev_ioctl_xcmd(priv->ec_dev, (void __user *)arg); case CROS_EC_DEV_IOCRDMEM: - return cros_ec_chardev_ioctl_readmem(ec, (void __user *)arg); + return cros_ec_chardev_ioctl_readmem(priv->ec_dev, (void __user *)arg); case CROS_EC_DEV_IOCEVENTMASK: priv->event_mask = arg; return 0; @@ -394,8 +421,28 @@ static int cros_ec_chardev_probe(struct platform_device *pdev) static void cros_ec_chardev_remove(struct platform_device *pdev) { struct miscdevice *misc = dev_get_drvdata(&pdev->dev); + struct chardev_priv *priv; + /* + * Must deregister the misc device first so that the following + * open fops get handled correctly. + * + * misc device is serialized by `misc_mtx`. + * 1) If misc_deregister() gets the lock earlier than misc_open(), + * the open fops won't be called as the corresponding misc + * device is already destroyed. + * 2) If misc_open() gets the lock earlier than misc_deregister(), + * the following code block resets the `ec_dev` to prevent + * the rest of fops from accessing the obsolete `ec_dev`. + */ misc_deregister(misc); + + scoped_guard(mutex, &chardev_lock) { + list_for_each_entry(priv, &chardev_list, list) { + scoped_guard(mutex, &priv->lock) + priv->ec_dev = NULL; + } + } } static const struct platform_device_id cros_ec_chardev_id[] = { -- 2.50.0.727.gbf7dc18ff4-goog

4 months, 2 weeks

2
3
0 0

[PATCH v3] nvmem: imx-ocotp: fix MAC address byte length

by Steffen Bätz

The commit "13bcd440f2ff nvmem: core: verify cell's raw_len" caused an extension of the "mac-address" cell from 6 to 8 bytes due to word_size of 4 bytes. Thus, the required byte swap for the mac-address of the full buffer length, caused an trucation of the read mac-address. From the original address 70:B3:D5:14:E9:0E to 00:00:70:B3:D5:14 After swapping only the first 6 bytes, the mac-address is correctly passed to the upper layers. Fixes: 13bcd440f2ff ("nvmem: core: verify cell's raw_len") Cc: stable(a)vger.kernel.org Signed-off-by: Steffen Bätz <steffen(a)innosonix.de> --- v3: - replace magic number 6 with ETH_ALEN - Fix misleading indentation and properly group 'mac-address' statements v2: - Add Cc: stable(a)vger.kernel.org as requested by Greg KH's patch bot drivers/nvmem/imx-ocotp-ele.c | 6 +++++- drivers/nvmem/imx-ocotp.c | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/drivers/nvmem/imx-ocotp-ele.c b/drivers/nvmem/imx-ocotp-ele.c index ca6dd71d8a2e..9ef01c91dfa6 100644 --- a/drivers/nvmem/imx-ocotp-ele.c +++ b/drivers/nvmem/imx-ocotp-ele.c @@ -12,6 +12,7 @@ #include <linux/of.h> #include <linux/platform_device.h> #include <linux/slab.h> +#include <linux/if_ether.h> /* ETH_ALEN */ enum fuse_type { FUSE_FSB = BIT(0), @@ -118,9 +119,12 @@ static int imx_ocotp_cell_pp(void *context, const char *id, int index, int i; /* Deal with some post processing of nvmem cell data */ - if (id && !strcmp(id, "mac-address")) + if (id && !strcmp(id, "mac-address")) { + if (bytes > ETH_ALEN) + bytes = ETH_ALEN; for (i = 0; i < bytes / 2; i++) swap(buf[i], buf[bytes - i - 1]); + } return 0; } diff --git a/drivers/nvmem/imx-ocotp.c b/drivers/nvmem/imx-ocotp.c index 79dd4fda0329..1343cafc37cc 100644 --- a/drivers/nvmem/imx-ocotp.c +++ b/drivers/nvmem/imx-ocotp.c @@ -23,6 +23,7 @@ #include <linux/platform_device.h> #include <linux/slab.h> #include <linux/delay.h> +#include <linux/if_ether.h> /* ETH_ALEN */ #define IMX_OCOTP_OFFSET_B0W0 0x400 /* Offset from base address of the * OTP Bank0 Word0 @@ -227,9 +228,12 @@ static int imx_ocotp_cell_pp(void *context, const char *id, int index, int i; /* Deal with some post processing of nvmem cell data */ - if (id && !strcmp(id, "mac-address")) + if (id && !strcmp(id, "mac-address")) { + if (bytes > ETH_ALEN) + bytes = ETH_ALEN; for (i = 0; i < bytes / 2; i++) swap(buf[i], buf[bytes - i - 1]); + } return 0; } -- 2.43.0 -- *innosonix GmbH* Hauptstr. 35 96482 Ahorn central: +49 9561 7459980 www.innosonix.de <http://www.innosonix.de> innosonix GmbH Geschäftsführer: Markus Bätz, Steffen Bätz USt.-IdNr / VAT-Nr.: DE266020313 EORI-Nr.: DE240121536680271 HRB 5192 Coburg WEEE-Reg.-Nr. DE88021242

4 months, 2 weeks

3
2
0 0

[REGRESSION] stable-rc/linux-6.1.y: (build) call to undeclared function 'FIELD_GET'; ISO C99 and later do not ...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-6.1.y: --- call to undeclared function 'FIELD_GET'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration] in drivers/hwtracing/coresight/coresight-core.o (drivers/hwtracing/coresight/coresight-core.c) [logspec:kbuild,kbuild.compiler.error] --- - dashboard: https://d.kernelci.org/i/maestro:2fc034698881a6df05fcdc7f92bed3f082d370d4 - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: fb998e75bacb35a7d11e281ba8732263911ed908 Log excerpt: ===================================================== drivers/hwtracing/coresight/coresight-core.c:192:9: error: call to undeclared function 'FIELD_GET'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration] 192 | return FIELD_GET(CORESIGHT_CLAIM_MASK, | ^ 1 error generated. ===================================================== # Builds where the incident occurred: ## defconfig+allmodconfig+CONFIG_FRAME_WARN=2048 on (arm): - compiler: clang-17 - dashboard: https://d.kernelci.org/build/maestro:6866678b5c2cf25042fae08e #kernelci issue maestro:2fc034698881a6df05fcdc7f92bed3f082d370d4 Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

4 months, 2 weeks

1
0
0 0

Re: Patch "KVM: arm64: Set HCR_EL2.TID1 unconditionally" has been added to the 6.12-stable tree

by Marc Zyngier

On Thu, 03 Jul 2025 02:52:57 +0100, Sasha Levin <sashal(a)kernel.org> wrote: > > This is a note to let you know that I've just added the patch titled > > KVM: arm64: Set HCR_EL2.TID1 unconditionally > > to the 6.12-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > kvm-arm64-set-hcr_el2.tid1-unconditionally.patch > and it can be found in the queue-6.12 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit 0510d3297a23920caf74a63e3f38c0ede70d6555 > Author: Sasha Levin <sashal(a)kernel.org> Really? M. -- Without deviation from the norm, progress is not possible.

4 months, 2 weeks

2
1
0 0

[PATCH 5.10] powerpc/pseries: Fix use after free in remove_phb_dynamic()

by Anastasia Belova

From: Michael Ellerman <mpe(a)ellerman.id.au> [ Upstream commit fe2640bd7a62f1f7c3f55fbda31084085075bc30 ] In remove_phb_dynamic() we use &phb->io_resource, after we've called device_unregister(&host_bridge->dev). But the unregister may have freed phb, because pcibios_free_controller_deferred() is the release function for the host_bridge. If there are no outstanding references when we call device_unregister() then phb will be freed out from under us. This has gone mainly unnoticed, but with slub_debug and page_poison enabled it can lead to a crash: PID: 7574 TASK: c0000000d492cb80 CPU: 13 COMMAND: "drmgr" #0 [c0000000e4f075a0] crash_kexec at c00000000027d7dc #1 [c0000000e4f075d0] oops_end at c000000000029608 #2 [c0000000e4f07650] __bad_page_fault at c0000000000904b4 #3 [c0000000e4f076c0] do_bad_slb_fault at c00000000009a5a8 #4 [c0000000e4f076f0] data_access_slb_common_virt at c000000000008b30 Data SLB Access [380] exception frame: R0: c000000000167250 R1: c0000000e4f07a00 R2: c000000002a46100 R3: c000000002b39ce8 R4: 00000000000000c0 R5: 00000000000000a9 R6: 3894674d000000c0 R7: 0000000000000000 R8: 00000000000000ff R9: 0000000000000100 R10: 6b6b6b6b6b6b6b6b R11: 0000000000008000 R12: c00000000023da80 R13: c0000009ffd38b00 R14: 0000000000000000 R15: 000000011c87f0f0 R16: 0000000000000006 R17: 0000000000000003 R18: 0000000000000002 R19: 0000000000000004 R20: 0000000000000005 R21: 000000011c87ede8 R22: 000000011c87c5a8 R23: 000000011c87d3a0 R24: 0000000000000000 R25: 0000000000000001 R26: c0000000e4f07cc8 R27: c00000004d1cc400 R28: c0080000031d00e8 R29: c00000004d23d800 R30: c00000004d1d2400 R31: c00000004d1d2540 NIP: c000000000167258 MSR: 8000000000009033 OR3: c000000000e9f474 CTR: 0000000000000000 LR: c000000000167250 XER: 0000000020040003 CCR: 0000000024088420 MQ: 0000000000000000 DAR: 6b6b6b6b6b6b6ba3 DSISR: c0000000e4f07920 Syscall Result: fffffffffffffff2 [NIP : release_resource+56] [LR : release_resource+48] #5 [c0000000e4f07a00] release_resource at c000000000167258 (unreliable) #6 [c0000000e4f07a30] remove_phb_dynamic at c000000000105648 #7 [c0000000e4f07ab0] dlpar_remove_slot at c0080000031a09e8 [rpadlpar_io] #8 [c0000000e4f07b50] remove_slot_store at c0080000031a0b9c [rpadlpar_io] #9 [c0000000e4f07be0] kobj_attr_store at c000000000817d8c #10 [c0000000e4f07c00] sysfs_kf_write at c00000000063e504 #11 [c0000000e4f07c20] kernfs_fop_write_iter at c00000000063d868 #12 [c0000000e4f07c70] new_sync_write at c00000000054339c #13 [c0000000e4f07d10] vfs_write at c000000000546624 #14 [c0000000e4f07d60] ksys_write at c0000000005469f4 #15 [c0000000e4f07db0] system_call_exception at c000000000030840 #16 [c0000000e4f07e10] system_call_vectored_common at c00000000000c168 To avoid it, we can take a reference to the host_bridge->dev until we're done using phb. Then when we drop the reference the phb will be freed. Fixes: 2dd9c11b9d4d ("powerpc/pseries: use pci_host_bridge.release_fn() to kfree(phb)") Reported-by: David Dai <zdai(a)linux.ibm.com> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Tested-by: Sachin Sant <sachinp(a)linux.ibm.com> Link: https://lore.kernel.org/r/20220318034219.1188008-1-mpe@ellerman.id.au Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Anastasia Belova <abelova(a)astralinux.ru> --- Backport fix for CVE-2022-49196 arch/powerpc/platforms/pseries/pci_dlpar.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/powerpc/platforms/pseries/pci_dlpar.c b/arch/powerpc/platforms/pseries/pci_dlpar.c index a8f9140a24fa..325871d6f5b0 100644 --- a/arch/powerpc/platforms/pseries/pci_dlpar.c +++ b/arch/powerpc/platforms/pseries/pci_dlpar.c @@ -74,6 +74,9 @@ int remove_phb_dynamic(struct pci_controller *phb) } } + /* Keep a reference so phb isn't freed yet */ + get_device(&host_bridge->dev); + /* Remove the PCI bus and unregister the bridge device from sysfs */ phb->bus = NULL; pci_remove_bus(b); @@ -97,6 +100,7 @@ int remove_phb_dynamic(struct pci_controller *phb) * the pcibios_free_controller_deferred() callback; * see pseries_root_bridge_prepare(). */ + put_device(&host_bridge->dev); return 0; } -- 2.43.0

4 months, 2 weeks

1
0
0 0

[PATCH 5.15/6.1/6.6/6.12] md/raid10: wait barrier before returning discard request with REQ_NOWAIT

by Daniil Dulov

From: Xiao Ni <xni(a)redhat.com> commit 3db4404435397a345431b45f57876a3df133f3b4 upstream. raid10_handle_discard should wait barrier before returning a discard bio which has REQ_NOWAIT. And there is no need to print warning calltrace if a discard bio has REQ_NOWAIT flag. Quality engineer usually checks dmesg and reports error if dmesg has warning/error calltrace. Fixes: c9aa889b035f ("md: raid10 add nowait support") Signed-off-by: Xiao Ni <xni(a)redhat.com> Acked-by: Coly Li <colyli(a)kernel.org> Link: https://lore.kernel.org/linux-raid/20250306094938.48952-1-xni@redhat.com Signed-off-by: Yu Kuai <yukuai3(a)huawei.com> Signed-off-by: Daniil Dulov <d.dulov(a)aladdin.ru> --- Backport fix for CVE-2025-40325. drivers/md/raid10.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c index cc194f6ec18d..a02c02684237 100644 --- a/drivers/md/raid10.c +++ b/drivers/md/raid10.c @@ -1585,11 +1585,10 @@ static int raid10_handle_discard(struct mddev *mddev, struct bio *bio) if (test_bit(MD_RECOVERY_RESHAPE, &mddev->recovery)) return -EAGAIN; - if (WARN_ON_ONCE(bio->bi_opf & REQ_NOWAIT)) { + if (!wait_barrier(conf, bio->bi_opf & REQ_NOWAIT)) { bio_wouldblock_error(bio); return 0; } - wait_barrier(conf, false); /* * Check reshape again to avoid reshape happens after checking -- 2.34.1

4 months, 2 weeks

1
0
0 0

[PATCH net] dt-bindings: net: sophgo,sg2044-dwmac: Drop status from the example

by Krzysztof Kozlowski

Examples should be complete and should not have a 'status' property, especially a disabled one because this disables the dt_binding_check of the example against the schema. Dropping 'status' property shows missing other properties - phy-mode and phy-handle. Fixes: 114508a89ddc ("dt-bindings: net: Add support for Sophgo SG2044 dwmac") Cc: <stable(a)vger.kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> --- Documentation/devicetree/bindings/net/sophgo,sg2044-dwmac.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Documentation/devicetree/bindings/net/sophgo,sg2044-dwmac.yaml b/Documentation/devicetree/bindings/net/sophgo,sg2044-dwmac.yaml index 4dd2dc9c678b..8afbd9ebd73f 100644 --- a/Documentation/devicetree/bindings/net/sophgo,sg2044-dwmac.yaml +++ b/Documentation/devicetree/bindings/net/sophgo,sg2044-dwmac.yaml @@ -80,6 +80,8 @@ examples: interrupt-parent = <&intc>; interrupts = <296 IRQ_TYPE_LEVEL_HIGH>; interrupt-names = "macirq"; + phy-handle = <&phy0>; + phy-mode = "rgmii-id"; resets = <&rst 30>; reset-names = "stmmaceth"; snps,multicast-filter-bins = <0>; @@ -91,7 +93,6 @@ examples: snps,mtl-rx-config = <&gmac0_mtl_rx_setup>; snps,mtl-tx-config = <&gmac0_mtl_tx_setup>; snps,axi-config = <&gmac0_stmmac_axi_setup>; - status = "disabled"; gmac0_mtl_rx_setup: rx-queues-config { snps,rx-queues-to-use = <8>; -- 2.43.0

4 months, 2 weeks

4
3
0 0

[PATCH RESEND] x86/pmem: Fix a null pointer dereference in register_e820_pmem()

by Haoxiang Li

Add check for the return value of platform_device_alloc() to prevent null pointer dereference. Fixes: 7a67832c7e44 ("libnvdimm, e820: make CONFIG_X86_PMEM_LEGACY a tristate option") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> --- arch/x86/kernel/pmem.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/x86/kernel/pmem.c b/arch/x86/kernel/pmem.c index 23154d24b117..04fb221716ff 100644 --- a/arch/x86/kernel/pmem.c +++ b/arch/x86/kernel/pmem.c @@ -27,6 +27,8 @@ static __init int register_e820_pmem(void) * simply here to trigger the module to load on demand. */ pdev = platform_device_alloc("e820_pmem", -1); + if (!pdev) + return -ENOMEM; rc = platform_device_add(pdev); if (rc) -- 2.25.1

4 months, 2 weeks

2
1
0 0

[PATCH 5.10/5.15] bpf: Do mark_chain_precision for ARG_CONST_ALLOC_SIZE_OR_ZERO

by Anastasia Belova

From: Kumar Kartikeya Dwivedi <memxor(a)gmail.com> [ Upstream commit 2fc31465c5373b5ca4edf2e5238558cb62902311 ] Precision markers need to be propagated whenever we have an ARG_CONST_* style argument, as the verifier cannot consider imprecise scalars to be equivalent for the purposes of states_equal check when such arguments refine the return value (in this case, set mem_size for PTR_TO_MEM). The resultant mem_size for the R0 is derived from the constant value, and if the verifier incorrectly prunes states considering them equivalent where such arguments exist (by seeing that both registers have reg->precise as false in regsafe), we can end up with invalid programs passing the verifier which can do access beyond what should have been the correct mem_size in that explored state. To show a concrete example of the problem: 0000000000000000 <prog>: 0: r2 = *(u32 *)(r1 + 80) 1: r1 = *(u32 *)(r1 + 76) 2: r3 = r1 3: r3 += 4 4: if r3 > r2 goto +18 <LBB5_5> 5: w2 = 0 6: *(u32 *)(r1 + 0) = r2 7: r1 = *(u32 *)(r1 + 0) 8: r2 = 1 9: if w1 == 0 goto +1 <LBB5_3> 10: r2 = -1 0000000000000058 <LBB5_3>: 11: r1 = 0 ll 13: r3 = 0 14: call bpf_ringbuf_reserve 15: if r0 == 0 goto +7 <LBB5_5> 16: r1 = r0 17: r1 += 16777215 18: w2 = 0 19: *(u8 *)(r1 + 0) = r2 20: r1 = r0 21: r2 = 0 22: call bpf_ringbuf_submit 00000000000000b8 <LBB5_5>: 23: w0 = 0 24: exit For the first case, the single line execution's exploration will prune the search at insn 14 for the branch insn 9's second leg as it will be verified first using r2 = -1 (UINT_MAX), while as w1 at insn 9 will always be 0 so at runtime we don't get error for being greater than UINT_MAX/4 from bpf_ringbuf_reserve. The verifier during regsafe just sees reg->precise as false for both r2 registers in both states, hence considers them equal for purposes of states_equal. If we propagated precise markers using the backtracking support, we would use the precise marking to then ensure that old r2 (UINT_MAX) was within the new r2 (1) and this would never be true, so the verification would rightfully fail. The end result is that the out of bounds access at instruction 19 would be permitted without this fix. Note that reg->precise is always set to true when user does not have CAP_BPF (or when subprog count is greater than 1 (i.e. use of any static or global functions)), hence this is only a problem when precision marks need to be explicitly propagated (i.e. privileged users with CAP_BPF). A simplified test case has been included in the next patch to prevent future regressions. Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it") Signed-off-by: Kumar Kartikeya Dwivedi <memxor(a)gmail.com> Link: https://lore.kernel.org/r/20220823185300.406-2-memxor@gmail.com Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Anastasia Belova <abelova(a)astralinux.ru> --- Backport fix for CVE-2022-49961 kernel/bpf/verifier.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 7049a85a78ab..fbfdfec46199 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -5518,6 +5518,9 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, return -EACCES; } meta->mem_size = reg->var_off.value; + err = mark_chain_precision(env, regno); + if (err) + return err; } else if (arg_type_is_int_ptr(arg_type)) { int size = int_ptr_type_to_size(arg_type); -- 2.43.0

4 months, 2 weeks

1
0
0 0

[PATCH v2] HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe

by Qasim Ijaz

In probe appletb_kbd_probe() a "struct appletb_kbd *kbd" is allocated via devm_kzalloc() to store touch bar keyboard related data. Later on if backlight_device_get_by_name() finds a backlight device with name "appletb_backlight" a timer (kbd->inactivity_timer) is setup with appletb_inactivity_timer() and the timer is armed to run after appletb_tb_dim_timeout (60) seconds. A use-after-free is triggered when failure occurs after the timer is armed. This ultimately means probe failure occurs and as a result the "struct appletb_kbd *kbd" which is device managed memory is freed. After 60 seconds the timer will have expired and __run_timers will attempt to access the timer (kbd->inactivity_timer) however the kdb structure has been freed causing a use-after free. [ 71.636938] ================================================================== [ 71.637915] BUG: KASAN: slab-use-after-free in __run_timers+0x7ad/0x890 [ 71.637915] Write of size 8 at addr ffff8881178c5958 by task swapper/1/0 [ 71.637915] [ 71.637915] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.16.0-rc2-00318-g739a6c93cc75-dirty #12 PREEMPT(voluntary) [ 71.637915] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 71.637915] Call Trace: [ 71.637915] <IRQ> [ 71.637915] dump_stack_lvl+0x53/0x70 [ 71.637915] print_report+0xce/0x670 [ 71.637915] ? __run_timers+0x7ad/0x890 [ 71.637915] kasan_report+0xce/0x100 [ 71.637915] ? __run_timers+0x7ad/0x890 [ 71.637915] __run_timers+0x7ad/0x890 [ 71.637915] ? __pfx___run_timers+0x10/0x10 [ 71.637915] ? update_process_times+0xfc/0x190 [ 71.637915] ? __pfx_update_process_times+0x10/0x10 [ 71.637915] ? _raw_spin_lock_irq+0x80/0xe0 [ 71.637915] ? _raw_spin_lock_irq+0x80/0xe0 [ 71.637915] ? __pfx__raw_spin_lock_irq+0x10/0x10 [ 71.637915] run_timer_softirq+0x141/0x240 [ 71.637915] ? __pfx_run_timer_softirq+0x10/0x10 [ 71.637915] ? __pfx___hrtimer_run_queues+0x10/0x10 [ 71.637915] ? kvm_clock_get_cycles+0x18/0x30 [ 71.637915] ? ktime_get+0x60/0x140 [ 71.637915] handle_softirqs+0x1b8/0x5c0 [ 71.637915] ? __pfx_handle_softirqs+0x10/0x10 [ 71.637915] irq_exit_rcu+0xaf/0xe0 [ 71.637915] sysvec_apic_timer_interrupt+0x6c/0x80 [ 71.637915] </IRQ> [ 71.637915] [ 71.637915] Allocated by task 39: [ 71.637915] kasan_save_stack+0x33/0x60 [ 71.637915] kasan_save_track+0x14/0x30 [ 71.637915] __kasan_kmalloc+0x8f/0xa0 [ 71.637915] __kmalloc_node_track_caller_noprof+0x195/0x420 [ 71.637915] devm_kmalloc+0x74/0x1e0 [ 71.637915] appletb_kbd_probe+0x37/0x3c0 [ 71.637915] hid_device_probe+0x2d1/0x680 [ 71.637915] really_probe+0x1c3/0x690 [ 71.637915] __driver_probe_device+0x247/0x300 [ 71.637915] driver_probe_device+0x49/0x210 [...] [ 71.637915] [ 71.637915] Freed by task 39: [ 71.637915] kasan_save_stack+0x33/0x60 [ 71.637915] kasan_save_track+0x14/0x30 [ 71.637915] kasan_save_free_info+0x3b/0x60 [ 71.637915] __kasan_slab_free+0x37/0x50 [ 71.637915] kfree+0xcf/0x360 [ 71.637915] devres_release_group+0x1f8/0x3c0 [ 71.637915] hid_device_probe+0x315/0x680 [ 71.637915] really_probe+0x1c3/0x690 [ 71.637915] __driver_probe_device+0x247/0x300 [ 71.637915] driver_probe_device+0x49/0x210 [...] The root cause of the issue is that the timer is not disarmed on failure paths leading to it remaining active and accessing freed memory. To fix this call timer_delete_sync() to deactivate the timer. Another small issue is that timer_delete_sync is called unconditionally in appletb_kbd_remove(), fix this by checking for a valid kbd->backlight_dev before calling timer_delete_sync. Fixes: 93a0fc489481 ("HID: hid-appletb-kbd: add support for automatic brightness control while using the touchbar") Cc: stable(a)vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> --- v2: - Add backlight check in remove() since we don't want to unconditionally call timer_delete_sync drivers/hid/hid-appletb-kbd.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/hid/hid-appletb-kbd.c b/drivers/hid/hid-appletb-kbd.c index e06567886e50..d11c49665147 100644 --- a/drivers/hid/hid-appletb-kbd.c +++ b/drivers/hid/hid-appletb-kbd.c @@ -438,8 +438,10 @@ static int appletb_kbd_probe(struct hid_device *hdev, const struct hid_device_id return 0; close_hw: - if (kbd->backlight_dev) + if (kbd->backlight_dev) { put_device(&kbd->backlight_dev->dev); + timer_delete_sync(&kbd->inactivity_timer); + } hid_hw_close(hdev); stop_hw: hid_hw_stop(hdev); @@ -453,10 +455,10 @@ static void appletb_kbd_remove(struct hid_device *hdev) appletb_kbd_set_mode(kbd, APPLETB_KBD_MODE_OFF); input_unregister_handler(&kbd->inp_handler); - timer_delete_sync(&kbd->inactivity_timer); - - if (kbd->backlight_dev) + if (kbd->backlight_dev) { put_device(&kbd->backlight_dev->dev); + timer_delete_sync(&kbd->inactivity_timer); + } hid_hw_close(hdev); hid_hw_stop(hdev); -- 2.39.5

4 months, 2 weeks

3
2
0 0

[PATCH v2] HID: appletb-kbd: fix memory corruption of input_handler_list

by Qasim Ijaz

In appletb_kbd_probe an input handler is initialised and then registered with input core through input_register_handler(). When this happens input core will add the input handler (specifically its node) to the global input_handler_list. The input_handler_list is central to the functionality of input core and is traversed in various places in input core. An example of this is when a new input device is plugged in and gets registered with input core. The input_handler in probe is allocated as device managed memory. If a probe failure occurs after input_register_handler() the input_handler memory is freed, yet it will remain in the input_handler_list. This effectively means the input_handler_list contains a dangling pointer to data belonging to a freed input handler. This causes an issue when any other input device is plugged in - in my case I had an old PixArt HP USB optical mouse and I decided to plug it in after a failure occurred after input_register_handler(). This lead to the registration of this input device via input_register_device which involves traversing over every handler in the corrupted input_handler_list and calling input_attach_handler(), giving each handler a chance to bind to newly registered device. The core of this bug is a UAF which causes memory corruption of input_handler_list and to fix it we must ensure the input handler is unregistered from input core, this is done through input_unregister_handler(). [ 63.191597] ================================================================== [ 63.192094] BUG: KASAN: slab-use-after-free in input_attach_handler.isra.0+0x1a9/0x1e0 [ 63.192094] Read of size 8 at addr ffff888105ea7c80 by task kworker/0:2/54 [ 63.192094] [ 63.192094] CPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.16.0-rc2-00321-g2aa6621d [ 63.192094] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.164 [ 63.192094] Workqueue: usb_hub_wq hub_event [ 63.192094] Call Trace: [ 63.192094] <TASK> [ 63.192094] dump_stack_lvl+0x53/0x70 [ 63.192094] print_report+0xce/0x670 [ 63.192094] kasan_report+0xce/0x100 [ 63.192094] input_attach_handler.isra.0+0x1a9/0x1e0 [ 63.192094] input_register_device+0x76c/0xd00 [ 63.192094] hidinput_connect+0x686d/0xad60 [ 63.192094] hid_connect+0xf20/0x1b10 [ 63.192094] hid_hw_start+0x83/0x100 [ 63.192094] hid_device_probe+0x2d1/0x680 [ 63.192094] really_probe+0x1c3/0x690 [ 63.192094] __driver_probe_device+0x247/0x300 [ 63.192094] driver_probe_device+0x49/0x210 [ 63.192094] __device_attach_driver+0x160/0x320 [ 63.192094] bus_for_each_drv+0x10f/0x190 [ 63.192094] __device_attach+0x18e/0x370 [ 63.192094] bus_probe_device+0x123/0x170 [ 63.192094] device_add+0xd4d/0x1460 [ 63.192094] hid_add_device+0x30b/0x910 [ 63.192094] usbhid_probe+0x920/0xe00 [ 63.192094] usb_probe_interface+0x363/0x9a0 [ 63.192094] really_probe+0x1c3/0x690 [ 63.192094] __driver_probe_device+0x247/0x300 [ 63.192094] driver_probe_device+0x49/0x210 [ 63.192094] __device_attach_driver+0x160/0x320 [ 63.192094] bus_for_each_drv+0x10f/0x190 [ 63.192094] __device_attach+0x18e/0x370 [ 63.192094] bus_probe_device+0x123/0x170 [ 63.192094] device_add+0xd4d/0x1460 [ 63.192094] usb_set_configuration+0xd14/0x1880 [ 63.192094] usb_generic_driver_probe+0x78/0xb0 [ 63.192094] usb_probe_device+0xaa/0x2e0 [ 63.192094] really_probe+0x1c3/0x690 [ 63.192094] __driver_probe_device+0x247/0x300 [ 63.192094] driver_probe_device+0x49/0x210 [ 63.192094] __device_attach_driver+0x160/0x320 [ 63.192094] bus_for_each_drv+0x10f/0x190 [ 63.192094] __device_attach+0x18e/0x370 [ 63.192094] bus_probe_device+0x123/0x170 [ 63.192094] device_add+0xd4d/0x1460 [ 63.192094] usb_new_device+0x7b4/0x1000 [ 63.192094] hub_event+0x234d/0x3fa0 [ 63.192094] process_one_work+0x5bf/0xfe0 [ 63.192094] worker_thread+0x777/0x13a0 [ 63.192094] </TASK> [ 63.192094] [ 63.192094] Allocated by task 54: [ 63.192094] kasan_save_stack+0x33/0x60 [ 63.192094] kasan_save_track+0x14/0x30 [ 63.192094] __kasan_kmalloc+0x8f/0xa0 [ 63.192094] __kmalloc_node_track_caller_noprof+0x195/0x420 [ 63.192094] devm_kmalloc+0x74/0x1e0 [ 63.192094] appletb_kbd_probe+0x39/0x440 [ 63.192094] hid_device_probe+0x2d1/0x680 [ 63.192094] really_probe+0x1c3/0x690 [ 63.192094] __driver_probe_device+0x247/0x300 [ 63.192094] driver_probe_device+0x49/0x210 [ 63.192094] __device_attach_driver+0x160/0x320 [...] [ 63.192094] [ 63.192094] Freed by task 54: [ 63.192094] kasan_save_stack+0x33/0x60 [ 63.192094] kasan_save_track+0x14/0x30 [ 63.192094] kasan_save_free_info+0x3b/0x60 [ 63.192094] __kasan_slab_free+0x37/0x50 [ 63.192094] kfree+0xcf/0x360 [ 63.192094] devres_release_group+0x1f8/0x3c0 [ 63.192094] hid_device_probe+0x315/0x680 [ 63.192094] really_probe+0x1c3/0x690 [ 63.192094] __driver_probe_device+0x247/0x300 [ 63.192094] driver_probe_device+0x49/0x210 [ 63.192094] __device_attach_driver+0x160/0x320 [...] Fixes: 7d62ba8deacf ("HID: hid-appletb-kbd: add support for fn toggle between media and function mode") Cc: stable(a)vger.kernel.org Reviewed-by: Aditya Garg <gargaditya08(a)live.com> Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> --- v2: - Use correct "Fixes" tag - clean up backtrace by removing "?" entries and a few lower level calls drivers/hid/hid-appletb-kbd.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/hid/hid-appletb-kbd.c b/drivers/hid/hid-appletb-kbd.c index d11c49665147..271d1b27b8dd 100644 --- a/drivers/hid/hid-appletb-kbd.c +++ b/drivers/hid/hid-appletb-kbd.c @@ -430,13 +430,15 @@ static int appletb_kbd_probe(struct hid_device *hdev, const struct hid_device_id ret = appletb_kbd_set_mode(kbd, appletb_tb_def_mode); if (ret) { dev_err_probe(dev, ret, "Failed to set touchbar mode\n"); - goto close_hw; + goto unregister_handler; } hid_set_drvdata(hdev, kbd); return 0; +unregister_handler: + input_unregister_handler(&kbd->inp_handler); close_hw: if (kbd->backlight_dev) { put_device(&kbd->backlight_dev->dev); -- 2.39.5

4 months, 2 weeks

2
2
0 0

[PATCH 5.10] cifs: fix small mempool leak in SMB2_negotiate()

by Anastasia Belova

From: Enzo Matsumiya <ematsumiya(a)suse.de> commit 27893dfc1285f80f80f46b3b8c95f5d15d2e66d0 upstream. In some cases of failure (dialect mismatches) in SMB2_negotiate(), after the request is sent, the checks would return -EIO when they should be rather setting rc = -EIO and jumping to neg_exit to free the response buffer from mempool. Signed-off-by: Enzo Matsumiya <ematsumiya(a)suse.de> Cc: stable(a)vger.kernel.org Reviewed-by: Ronnie Sahlberg <lsahlber(a)redhat.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Anastasia Belova <abelova(a)astralinux.ru> --- Backport fix for CVE-2022-49938 fs/cifs/smb2pdu.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 4197096e7fdb..fa75dc0a372d 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -883,23 +883,24 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses) } else if (rc != 0) goto neg_exit; + rc = -EIO; if (strcmp(server->vals->version_string, SMB3ANY_VERSION_STRING) == 0) { if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) { cifs_server_dbg(VFS, "SMB2 dialect returned but not requested\n"); - return -EIO; + goto neg_exit; } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) { cifs_server_dbg(VFS, "SMB2.1 dialect returned but not requested\n"); - return -EIO; + goto neg_exit; } } else if (strcmp(server->vals->version_string, SMBDEFAULT_VERSION_STRING) == 0) { if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) { cifs_server_dbg(VFS, "SMB2 dialect returned but not requested\n"); - return -EIO; + goto neg_exit; } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) { /* ops set to 3.0 by default for default so update */ server->ops = &smb21_operations; @@ -913,7 +914,7 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses) /* if requested single dialect ensure returned dialect matched */ cifs_server_dbg(VFS, "Invalid 0x%x dialect returned: not requested\n", le16_to_cpu(rsp->DialectRevision)); - return -EIO; + goto neg_exit; } cifs_dbg(FYI, "mode 0x%x\n", rsp->SecurityMode); @@ -931,9 +932,10 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses) else { cifs_server_dbg(VFS, "Invalid dialect returned by server 0x%x\n", le16_to_cpu(rsp->DialectRevision)); - rc = -EIO; goto neg_exit; } + + rc = 0; server->dialect = le16_to_cpu(rsp->DialectRevision); /* -- 2.43.0

4 months, 2 weeks

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror